Privacy and Security in the Age of Meaningful Use

Transcription

1 Privacy and Security in the Age of Meaningful Use David S. Finn Health IT Officer Lewis Etheridge Principal Systems Engineer, Symantec Healthcare Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

2 HIPAA and HITECH Securing Patient Information and Protecting Privacy since... NOW! Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

3 1 By way of Introduction 2 We Don t Really Do a Very Good Job at This 3 What s Different and Why the Paradigm Shift 4 Cloud and Mobile Security - - Best Practices 5 Q & A Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

4 Who is that man and why is he talking? Recovering healthcare CIO Unable to hold a job (treasurer for theatrical production company; real estate controller; world s oldest entry level programmer; systems audit; IS manager; audit director; healthcare IT consultant; operational/system risk consultant; EVP Operations - healthcare consultancy; privacy & information security officer; VP-IS; CIO; Health IT Officer) CISA, CISM, CRISC 2 degrees in Theatre Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

5 Top Ten Things that Would be Different if We Actually Did Privacy and Security Right Wiki Leaks wouldn t. 9. A hacker would just be someone who had a bad cough. 8. The HHS Wall of Shame website could be leased out for advertising. 7. A bot net would be a net for catching runaway robots instead of a term used to describe millions of runaway computers. 6. A worm would be used for fishing bait rather than infiltrate computer systems. Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

6 Top Ten Things that Would be Different if We Actually Did Privacy and Security Right We wouldn t have to see or hear the word cyber crime 300 times/day in every book, magazine, newspaper or newscast. 4. A cloud would be a soft, fluffy thing, even to IT people... not a place of terror. 3. The word virus could be returned to the medical world - - where it came from. 2. I could be talking about core business functions rather than the security you need to have in place just to conduct your core business functions. 1. If it happened in Vegas... It would actually stay in Vegas. Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

7 Seriously, though, if we actually did this right Security would be designed into systems, not added after the fact 2. Security would not be the first thing cut as scope creep began because it is easier to cut than explain cutting functionality (no matter how obscure or arcane) 3. Security and Privacy would be part of the business mission, not a compliance requirement that you do everything you can do to minimize 4. Security wouldn t be a small group in IT, it would be embedded in all the operational functions of IT 5. Security and Privacy would part of every employees job description (not just in IT) 6. Security would mean something and not be another card IT played to get head count, OpEx or CapEx budget Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

8 Healthcare is changing but so has IT and IT Security Security Intelligent devices with embedded and downloadable software The Threat Landscape More automation, more data, more access Resulting in: More dependency on highly complex IT systems and infrastructures Highly valuable data How we deliver IT Mobile Anytime, any where, any device Separation between IT infrastructure and consumer devices is fading Infrastructures as well as data are merging Cloud for internal IT service delivery and delivery of IT services Legislation & Regulation are raising the Security & Privacy bar Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

9 Key Security Trends CHALLENGING THREAT LANDSCAPE TARGETED ATTACKS WELL_MEANING & MALICIOUS INSIDERS EVOLVING INFRASTRUCTURE INCREASING FINANCIAL AND COMPLIANCE RISK INCREASING COMPLEXITY MOBILE VIRTUALIZATION MORE DATA: HIGHER RISK & SWEETER TARGET COMPLIANCE REQUIREMENTS VENDOR COMPLEXITY CLOUD Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

10 The Information-Centric Model It s about the data. Policy Compliance Identity Remediation Reporting Classification Threats Encryption Ownership Discovery Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

11 Addressing Security Challenges at Each Layer GOVERNANCE Policy Driven and Risk Based INTELLIGENCE Information and Identity Centric INFRASTRUCTURE Well Managed and Secure Develop and enforce policies Identify and authenticate Assess against policies Prioritize remediation based on risk Classify critical data Discover where data is Apply encryption Monitor threats to data Protect against customized targeted attacks Secure virtual and cloudbased environments Manage and secure data on mobile devices Deliver multi-level reports to manage IT risks Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

12 Compliance and Security Solutions GOVERNANCE Develop Policies, Manage Risk Authenticate Identities Policy & Procedure; On-going Risk Management Domains; 2FA INTELLIGENCE Protect the Information Identity Threats Data Loss Prevention & Encryption Managed Security Services INFRASTRUCTURE Manage Systems Protect the Infrastructure Cloud IT Life Cycle Management Layered Protection Cloud (SLA, network performance, processes) Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

13 Meaningful Use and Provider Business Impacts 1) HITECH Requirements Business Impact Data Breach Notification for breach of unencrypted information: penalties, patient notification, self-reporting to media and HHS (if >500 records). Expansion of HIPAA applicability (e.g. now includes Business Associates). Reputation Referrals Penalties Increased fines for HIPAA violations. Revenue Increased legal exposure (criminal and civil penalties, State AG can sue). Tighter control of PHI exchange Contract management Legal defense efforts Revenue 2) HITECH Indirect Impact Business Impact Increased adoption of Electronic Record Systems Increasing integration with physicians, patients, other hospitals, clinical and business partners. Greater dependency on System and Data availability Opportunity to deliver value and promote services. But increasing security and privacy risks. Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

14 Meaningful Use and Provider IT Impacts MU Requirements IT Business Impact Maintenance of audit logs Additional data gathering and maintenance requirements across multiple systems. Data encryption preferred Tighter endpoint and process controls. Recording of PHI disclosures Additional data gathering and maintenance requirements across multiple systems. Security risk analysis Formal risk management process in place and executed. Implement security updates Tracking of security risk analysis deficiencies and documentation of remediation. Increasing integration with outside parties increases risk: patients, providers, payors, registries, health agencies, labs, pharmacies IT system complexity and reliability Increased attack surface Proof of meeting Meaningful Use clinical and technical criteria. Collect Measures and Metrics across all IT systems and report to HHS / agencies. Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

15 Presentation Identifier Goes Here SYMANTEC VISION

16 Cloud and Mobile Security Best Practices Lewis Etheridge Principal Systems Engineer, Symantec Healthcare Practice 16

17 Cloud Security Top Goal and Top Concern Improving security is a top goal of organizations implementing cloud Most (91%) believe cloud will not impact or will actually improve their security posture Yet, they rate security as their #1 concern. Top threat models? Mass malware outbreak at your cloud provider Data spillage in a multi-hosted environment Sharing sensitive data insecurely via the cloud Hacker-based data theft from your cloud provider Complete loss of data relevant to court case DDoS attacks against your cloud provider Source: Symantec State of Cloud Survey, 2011 Cloud and Mobile Security Best Practices SYMANTEC VISION

18 Terms Cloud Service Models SaaS Software as a Service: Provides ability to run provider s applications or consume provider s services PaaS Platform as a Service: Provides ability to deploy and operate customer-created applications to cloud-based infrastructure IaaS Infrastructure as a Service: Provides compute, storage, networking or other basic computing resources Source: NIST SP , The NIST Definition of Cloud Computing Cloud and Mobile Security Best Practices SYMANTEC VISION

19 PaaS IaaS SaaS IaaS SaaS PaaS Who provides security? Cloud Consumer Application Middleware Operating System Hardware Premises Cloud Provider Reference: NIST SP , NIST Cloud Computing Reference Architecture Note: Zones of control not to scale Cloud and Mobile Security Best Practices SYMANTEC VISION

20 Traditional IT Security and the Cloud Security Perimeters are still an effective tool e.g., Host-based firewalls on PaaS servers, VPN requirements for client access, service levels firewalls Other security tools may not fit the cloud model well Your SaaS provider will probably not appreciate a deep vulnerability scan Cloud and Mobile Security Best Practices SYMANTEC VISION

21 Managing security with your provider contract If you cannot do it yourself, it must be controlled by the contract! Service availability agreements (availability, performance) Logging and auditing Alert generation Notification processes Encryption and key management Provider security certifications External audits / vulnerability scans Patch and change management Licensing Provider staff accreditation / background checks Controlling geographic location of data Data disposition Data recovery Cloud and Mobile Security Best Practices SYMANTEC VISION

22 To repeat: It s about the data. Policy Compliance Identity Remediation Reporting Classification Threats Encryption Ownership Discovery Cloud and Mobile Security Best Practices SYMANTEC VISION

23 The coming Bring Your Own Device wave Cloud and Mobile Security Best Practices SYMANTEC VISION

24 Complications arising from BYOD Explosion of New Devices New Apps Must Be Supported Increased Risk of Data Loss Inconsistent Policies How do I enterprise-activate these devices? How do I manage application deployment and associated costs? How do I protect patient info, protect the brand, and comply with regulations? How do I employ and enforce policies across devices, data usage, and application access? Mobile platforms in enterprises 1B+ SmartPhones / Tablets by 2014 Multiple platform support in future 10% Single OS 37% Multiple platform support 53% Cloud and Mobile Security Best Practices SYMANTEC VISION

25 To repeat: It s about the data. Policy Compliance Identity Remediation Reporting Classification Threats Encryption Ownership Discovery Cloud and Mobile Security Best Practices SYMANTEC VISION

26 Healthcare Pod Privacy & Security in the Age of Meaningful Use SYMANTEC VISION

27 Thank You! David S. Finn Lewis Etheridge A false sense of security is worse than a true sense of insecurity. Concentrate on known, probable threats. Privacy & Security in the Age of Meaningful Use SYMANTEC VISION