Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Similar documents
Securing Health Data in a BYOD World

Horizon Health Care, Inc.

Healthcare in the Public Cloud DIY vs. Managed Services

Anatomy of a Healthcare Data Breach

mhealth SECURITY: STATS AND SOLUTIONS

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Best Practices in Securing a Multicloud World

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Compliant. Secure. Dependable.

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Combating Cyber Risk in the Supply Chain

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Securing Office 365 with SecureCloud

Cybersecurity and Hospitals: A Board Perspective

The simplified guide to. HIPAA compliance

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

Cybersecurity The Evolving Landscape

PCI DSS Compliance for Healthcare

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

HIPAA Compliance Assessment Module

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Teradata and Protegrity High-Value Protection for High-Value Data

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Internet of Things Toolkit for Small and Medium Businesses

Why you MUST protect your customer data

The Data Breach: How to Stay Defensible Before, During & After the Incident

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE

Secure HIPAA Compliant Cloud Computing

HIPAA Regulatory Compliance

Security in India: Enabling a New Connected Era

Cloud Communications for Healthcare

CipherCloud CASB+ Connector for ServiceNow

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

UNLOCKED DOORS RESEARCH SHOWS PRINTERS ARE BEING LEFT VULNERABLE TO CYBER ATTACKS

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

PCI Compliance. What is it? Who uses it? Why is it important?

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

What It Takes to be a CISO in 2017

CYBERSECURITY PREPAREDNESS AND RESPONSE

SECURITY & PRIVACY DOCUMENTATION

Secure Access for Microsoft Office 365 & SaaS Applications

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

10 FOCUS AREAS FOR BREACH PREVENTION

Protect Your Organization from Cyber Attacks

Encrypting PHI for HIPAA Compliance on IBM i. All trademarks and registered trademarks are the property of their respective owners.

THALES DATA THREAT REPORT

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Chapter 12. Information Security Management

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Security Audit What Why

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

SECURING DEVICES IN THE INTERNET OF THINGS

Defense in Depth Security in the Enterprise

Cyber Security. Our part of the journey

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Compliance Audit Readiness. Bob Kral Tenable Network Security

Sage Data Security Services Directory

Policy and Procedure: SDM Guidance for HIPAA Business Associates

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Cyber Risks in the Boardroom Conference

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Have breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?

Putting It All Together:

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Customer Success Story. ZeOmega. ZeOmega and ClearDATA partner to help a large IDN achieve Meaningful Use

AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Avanade s Approach to Client Data Protection

The Cyber War on Small Business

Cybersecurity 2016 Survey Summary Report of Survey Results

A practical guide to IT security

Getting Started with Cybersecurity

Privacy & Information Security Protocol: Breach Notification & Mitigation

Security Architecture

What to do if your business is the victim of a data or security breach?

Altitude Software. Data Protection Heading 2018

HIPAA Compliance & Privacy What You Need to Know Now

Overview of Presentation

Keys to a more secure data environment

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Keep the Door Open for Users and Closed to Hackers

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

Cloud & Managed Server Hosting for Healthcare Professionals

SIEMLESS THREAT DETECTION FOR AWS

Create the ideal conditions for your network to grow.

Transcription:

Business White Paper Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Page 2 of 7 Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data Table of Contents Page 2 Introduction Page 2 Breach Avoidance: The Motivation For Protection Page 3 Where Are The Threats, How Are They Mitigated? Page 5 Data Security In The Cloud Page 6 Future-Proofing For HIT Security Evolving criminal and unscrupulous internal threats to healthcare data networks continue to plant seeds of fear and uncertainty in the minds of healthcare IT professionals. Those fears are wellfounded; a recent Information Week survey found that 91 percent of small healthcare practices in North America say they have suffered a data breach. Equally disturbing is the finding that 70 percent of respondents aren t confident that their budget meets risk management, compliance, and governance requirements. The Ponemon Institute s third annual Benchmark Study of Patient Privacy and Data Security found that six out of 10 healthcare organizations security systems aren t mature enough to detect or react to data breaches. Breach Avoidance: The Motivation For Protection The figures don t present healthcare providers with very good odds of avoiding a breach, and breaches don t often come without significant cost. If state and federal investigations conclude that the organization has in fact violated the laws governing PHI (protected health information), the provider must deal with corrective action plans, formal resolutions, or both. Information Week reports that 80 percent of federal investigations end up generating some type of corrective action plan. These corrective action plans and formal resolutions can run well into the millions of dollars. According to the aforementioned Information Week study, the average cost is around $7 million. What s more, data breaches are rarely isolated incidents. According to the Ponemon report cited above, 94 percent of respondents had at least one data breach in the last two years, and nearly half of the respondents have experienced more than five data breaches. It s healthcare s own epidemic to cure.

Page 3 of 7 Where Are The Threats, How Are They Mitigated? To know where healthcare IT security is going - and what it needs to protect in 2016 and beyond - it s instructive to take a look at where we ve been. In general, compromised credentials remain the leading source of intrusion across industries, according to Verizon s 2015 Data Breach Investigations Report. While the volume of spyware/keylogger attacks are dwindling, phishing and RAM scraping incidents are expanding at a rapid pace. Specific to healthcare, the top three sources of unauthorized data access are: Miscellaneous errors. Within healthcare, the largest source of unauthorized data disclosure - accounting for 32 percent of incidents - is attributed to miscellaneous errors. Chief among them are misdelivery of information, capacity shortages, and publishing errors committed by administrative personnel. While these mistakes are often innocuous and hard to control, there are protocols for dealing with them. Providers should have a VERIS (Vocabulary for Event Recording and Incident Sharing) system in place for the recording of incidents that could expose them to risk. It s important to track how often human error creates data risk exposure and create controls and management processes aimed at avoiding such errors. That tracking should be granular enough to identify root causes of systemic issues, such as training, poor process control, or the unintended consequences of automation. Insider misuse. Insider misuse caused 26 percent of the healthcare industry s 2014 data breach incidents, placing it firmly in the top three industries affected by individuals abusing the access with which they have been entrusted. This is a difficult issue to address, as it requires a combination of process and access control, and its detection is usually reactive. Providers should identify core areas of protection and specific activities to track, then deploy password protection and identity verification, fraud detection capabilities, and auditing activities at a regular cadence. Standard practice should involve forensic examination of suspect user devices and server access,

Page 4 of 7 especially upon the departure of employees, which will help inform best practices for avoidance of the insider misuse threat. Physical theft and loss. The good news is that the healthcare industry is proving progress on what the report identified at its biggest weakness in 2014, when a whopping 46 percent of data loss was attributed to physical theft and loss. This year, that figure stands at 16 percent. Most of this theft occurred within the victim s work area (55 percent of incidents), and employeeowned vehicles (22 percent of incidents). To minimize the risk of physical device theft and loss in healthcare, security leaders should work with their procurement departments to log device access and usage, and track the volume and type of devices lost. With these metrics in hand, data security professionals can effectively analyze the threat presented by the theft of a specific device and take corrective action. When devices are lost or stolen, time to reporting is of the essence to safeguarding data. Policy should dictate immediate reporting of missing provider property. Further, security providers should employ full-disk encryption, password protection, USB port lockdown, and remote wiping to as countermeasures to lost or stolen property. As a matter of best practice, we ve compiled a list of important steps toward ensuring the security of data in healthcare, steps that are critical regardless of whether providers are handling data onpremise, in the cloud, or both. Limit employees Internet activity to job-specific tasks, and train thoroughly on safe use of Internet resources. Keep anti-virus software up-to-date on all end user devices and servers handling business data, whether company or employeeowned. Perform frequent and granular vulnerability assessments of applications, networks, data centers, devices, access points, and third-party/supplier/partner integration points. Mandate strong authentication protocols for every end user, including two-factor authentication via a combination of passwords, tokens, or PINs.

Page 5 of 7 Employ firewalls at every point of data access. Encrypt and certify every piece of sensitive information, especially that on mobile devices. According to the Ponemon Institute, more than 43 percent of employees admit to having lost a portable device. Data Security In The Cloud These baseline risks and the guidance offered to avoid them are inherent in any healthcare IT infrastructure, whether or not that infrastructure involves cloud services. As it relates specifically to the recent adoption of cloud services for healthcare data storage and retrieval, we ve witnessed and acknowledged a fair amount of skepticism of cloud security. We ve also ascertained that this skepticism is unfounded. Mark Kadrich, Chief Information Security and Privacy Officer at San Diego Health Connect and author of Endpoint Security, puts it plainly. I can think of ten really significant breaches within last six months, and none of them had anything to do with the cloud, he says. As is the case with on-premise server, device, and network security, cloud security is dependent on who s implementing it. Kadrich says the mechanics of data security are the same regardless of the storage and retrieval medium; demonstrable software insurance and protocols including key management and encryption are critical in any sensitive data storage and retrieval infrastructure. When these tools are wielded by individuals who are specialized in their knowledge and focused on it, the tendency is to be more secure, says Kadrich. If the OS has holes and the apps have holes and the network has holes, the notion that they will be more secure when the data is held on premise is false. In fact, asserts Kadrich, many cloud data solution providers are more security-centric than their on-premise counterparts, as the leading among them have invested heavily in security specialists assigned to deal with end users security concerns.

Page 6 of 7 Future-Proofing For HIT Security Preparing for future data security threats begins with awareness. The aforementioned Verizon report found that 99.9% of the known vulnerabilities exploited by hackers in 2014 had been compromised more than a year after the associated CVE (common vulnerabilities and exposures) was published. In other words, the weakness was known, but left unaddressed. As we look to the future, it becomes clear that unaddressed known threats are more a management and policy issue than they are a technology issue. That s why so many providers are hiring chief security officers, or outsourcing the role to their network and IT partners. Only when a designated point entity is tasked with addressing and obviating for known vulnerabilities can a concerted effort be made to deploy and maintain the patches, updates, and policies that protect healthcare data - whether that data resides on premise or in the cloud. For more information, call (800) 804-6052 or visit www.cleardata.com

About Us ClearDATA is the nation s fastest growing healthcare cloud computing company. More than 310,000 healthcare professionals rely on ClearDATA s HIPAA compliant cloud computing HealthDATA platform and infrastructure to store, manage, protect and share their patient data and critical applications. For more information 1600 W. Broadway Road, Tempe AZ (800) 804-6052 www.cleardata.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback