5 steps to protect phi and pass hipaa audits with less effort · 2017-03-29 · 5 steps to protect...
TRANSCRIPT
Jim SmithIT security expertNetwrix Corporation
5 Steps to Protect PHI and Pass HIPAA Audits
with Less Effort
Jeff MelnickSystems EngineerNetwrix Corporation
David GinsbergPresidentPrivaPlan Associates, Inc
Agenda
Why you need to worry?
Notorious data breaches
HIPAA compliance: panacea or pain point?
Key vulnerabilities
5 steps to protect PHI
Case study: Henry County Hospital
Questions and answers
Prize drawing
*The presentation shouldn’t be considered as a legal advice
Why you need to worry?
Breaches happen against all the odds: 70 healthcare breaches this year
PHI and PII command a high value on the shadow markets
Organizations invest too much in wrong solutions
Too much data: no understanding of what’s going on
Notorious Healthcare Data Breaches
2017
Commonwealth Health Corporation — 697,800 individuals affected
2016
Banner Health — 3,620, 000 individuals affected
Newkirk Products, Inc. — 3,466,120 individuals affected
2016 statistics:
376 16m 34% 44%
breaches records exposed
of all breaches of all records exposed
Perimeter is not helping
BYOD;
IoT;
Interconnectivity;
More data;
Cloud – scary move?!
Insecure devices;
Vulnerabilities in applications and systems;
More hackers!
Ransomware-as-a-service and other easy-to-use hacking tools;
Intrusion tactics are smarter;
State-sponsored attacks.
HIPAA Сompliance
You are obliged to implement controls
Identity management and access control: to ensure that data is only
accessible by personnel that have a business need.
System configuration control: tracking configuration changes and
administrative activities.
Monitoring of access to data: knowledge of who accessed what data and
when and review on a regular basis.
Data handling and encryption control: protection of data in storage and
during transfers.
But does it really help protect the data?
HIPAA Compliance: Panacea or Pain Point?
A very brief review:
HIPAA safeguards ”protected health information”
Creates rights for patients and health plan members
Requires notification in the event of a breach
Is similar to State by State identity theft laws
Patient privacy laws in California are stricter than HIPAA
HIPAA Compliance: Panacea or Pain Point?
HIPAA is enforced!
Enforcement is by the OCR and State Attorney Generals
Enforcement is real
Enforcement has evolved since 2003!
Discussion about the need of ”endpoint vulnerability”
Key Vulnerabilities
A strong correlation to long term Information Security principles -
conducting a Risk Analysis
Principles have been in effect for many years
HIPAA requires a security risk analysis AND risk management
(45 CFR 164.308)
Failure to conduct a risk analysis or conducting a deficient risk analysis
Information system activity review, access controls, and technical audits
Key Vulnerabilities
Common gaps identified during the risk analysis:
Weak auditing and control of user accounts in AD
Scope creep in application permission levels for critical applications like the eHR
Inconsistent and incomplete patch management
Lack of monitoring of transactions
Ransomware and phishing
Infiltration, reconnaissance and exfiltration
The need for awareness, monitoring, and training and vigilance
PrivaPlan Associates, Inc.
www.privaplan.com
877-218-7707
HIPAA compliance, Cybersecurity, risk analysis and vulnerability testing
5 steps to protect PHI
Conduct risk analysis
Consider threats from insiders and business partners
Enforce security policies and controls; make sure they work properly
Train your employees
Adopt best practices
Case Study: Best Practices
Increase accountability of privileged users:
Review the reports on all changes across Active Directory
Enable alerts on the most critical changes
Record the activity of admins on Windows Server
Complete control over file access permissions
Detect excessive user permissions
Record the activity of admins on Windows Server
Carefully prepare for HIPAA audits
Automate data collection
Case Study: Best Practices
Key Benefits
Mitigated the risk of insider threats
Ensured PHI security
Streamlined HIPAA compliance
Saved at least $40,000 per year
About Netwrix Auditor
Netwrix Auditor
A visibility and governance platform that enables control over
changes, configurations, and access in hybrid cloud IT environments by
providing security analytics to detect anomalies in user behavior and
investigate threat pattern before a data breach occurs.
Netwrix Auditor Applications
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Oracle Database
Netwrix Auditor for Azure AD
Netwrix Auditor for EMC
Netwrix Auditor for SQL Server
Netwrix Auditor for Exchange
Netwrix Auditor for NetApp
Netwrix Auditor for Windows Server
Netwrix Auditor for Office 365
Netwrix Auditor for SharePoint
Netwrix Auditor for VMware
About Netwrix Corporation
Year of foundation: 2006
Headquarters location: Irvine, California
Global customer base: over 8,000
Recognition: Among the fastest growing
software companies in the US with 105
industry awards from Redmond
Magazine, SC Magazine, WindowsIT Pro
and others
Customer support: global 24/5 support
with 97% customer satisfaction
Netwrix Customers
GA
Healthcare & Pharmaceutical
Free Trial: setup in your own test environment:
On-premises: netwrix.com/freetrial
Virtual: netwrix.com/go/appliance
Cloud: netwrix.com/go/cloud
Test Drive: virtual POC, try in a Netwrix-hosted test lab netwrix.com/testdrive
Live Demo: product tour with Netwrix expert netwrix.com/livedemo
Contact Sales to obtain more information netwrix.com/contactsales
Webinars: join our upcoming webinars and watch the recorded sessions
netwrix.com/webinars
netwrix.com/webinars#featured
Next Steps