HIPAA 2011: Five Security Strategies to Protect ePHI

Upload: tripwire

Post on 20-Aug-2015


TRANSCRIPT

Join the conversation: #hipaa2011

HIPAA 2011: Five Security Strategies to Protect ePHI


HIPAA 2011 – Five Security Strategies to Protect ePHI

Chris Konrad, Fortrex Technologies

Cindy Valladares, Tripwire Inc.


IT SECURITY & COMPLIANCE AUTOMATION


Today’s Speakers

Chris Konrad

SVP Client Services

Fortrex Technologies

@cjkonrad

Cindy Valladares

Product Marketing Manager

Tripwire, Inc.

@cindyv


Agenda

• 2010 in review

• Five Security Strategies to Protect ePHI

• Recommendations

• Q&A


2010 In Review

Healthcare Reform

HIPAA expands to business associates

Modifications to HIPAA Privacy, Security and Enforcement Rules

PHI breaches affecting over 500 individuals = 3,608,753

Tiger Team

Health Net suit

31% of healthcare providers had breach

10 in 600 could meet meaningful-use requirements

$6B/year loss for hospitals because of breaches


Risk Assessments

Healthcare organizations face multiple challenges relating to information security:

• Redundant and inconsistent requirements and standards.

• Confusion surrounding implementation and acceptable minimum controls.

• Inefficiencies associated with varying interpretations of control objectives and safeguards.

• Increasing scrutiny from regulators, auditors, underwriters, customers and business partners.

• Growing risk and liability, including data breaches, regulatory violations and extortion.


Secure configs and manage change

Diagram labels: Raw Log Data, Change Process Analysis, Reconcile to Authorization, Dynamic Policy Testing

Reconcile to Authorization:

• Business as usual
• Change windows
• User ID
• Multiple conditions

Dynamic Policy Testing:

• Auto-retest to policy
• Close breach-to-discovery time gap
• Immediate time-to-value
• Exclusive to Tripwire!


Activity monitoring and logging

Raw Log Data:

• High Speed Log Archival
• Google-like Index
• Fast Search
• Intelligent Reporting

Normalization & Correlation:

• Events of Interest
• Structured Data
• Complex Reporting
• Data visualization


Continuous compliance program

Phases: Assess & Achieve; Maintain

• Non-stop monitoring & collection
• Dynamic analysis to find suspicious activities
• Alert on impact to policy
• Remediate options to speed remedy

(Chart: Desired State vs. Time)


Incident detection and response

Correlate to Bad Changes

Correlate to Suspicious Events

Policy Engine

Event Database


Correlating Log & Change Events

5 failed logins

Logging turned off

Host not generating events

Windows event log cleared

Login successful

Policy test fails
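The correlation rules listed on this slide, together with the change reconciliation and policy re-test ideas from the "Secure configs and manage change" and "Continuous compliance program" slides, worked through as an added example. This is not Tripwire's or the presenters' code. The log lines, change records, ticket table, host inventory and policy are constructed sample data; the key=value log format, the monitor's change-record fields and the ticket fields are assumptions for illustration. The Windows Security event IDs used (4625 failed logon, 4624 successful logon, 1102 audit log cleared) are real.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

iso = datetime.fromisoformat

# Constructed sample input; none of it comes from the original deck.
# Windows-style security events as key=value lines:
# 4625 = failed logon, 4624 = successful logon, 1102 = audit log cleared.
RAW_LOGS = """\
2011-03-01T02:00:01 host=ehr01 id=4625 user=svc_backup
2011-03-01T02:00:03 host=ehr01 id=4625 user=svc_backup
2011-03-01T02:00:05 host=ehr01 id=4625 user=svc_backup
2011-03-01T02:00:07 host=ehr01 id=4625 user=svc_backup
2011-03-01T02:00:09 host=ehr01 id=4625 user=svc_backup
2011-03-01T02:00:12 host=ehr01 id=4624 user=svc_backup
2011-03-01T02:01:00 host=ehr01 id=1102 user=svc_backup
2011-03-01T02:02:00 host=db01 id=4624 user=dba
"""
# Changes reported by a hypothetical file-integrity / configuration monitor.
CHANGES = [
    {"ts": "2011-03-01T02:01:30", "host": "ehr01", "path": "audit.cfg",
     "user": "svc_backup", "new": "enabled=0"},
    {"ts": "2011-03-01T02:30:00", "host": "db01", "path": "sshd_config",
     "user": "dba", "new": "PermitRootLogin no"},
]
# Authorized change tickets: which user may change which file on which host, and when.
TICKETS = [
    {"host": "db01", "path": "sshd_config", "user": "dba",
     "start": "2011-03-01T02:00:00", "end": "2011-03-01T04:00:00"},
]
INVENTORY = {"ehr01", "db01", "web01"}   # hosts that must keep reporting events
POLICY = {"audit.cfg": "enabled=1"}      # desired state, re-tested after any change
NOW = iso("2011-03-01T02:05:00")         # evaluation time for the "silent host" test

Event = namedtuple("Event", "ts host id user")
LINE = re.compile(r"(\S+) host=(\S+) id=(\d+) user=(\S+)")

def parse_logs(text):
    """Normalize raw lines into Event tuples, oldest first; unparsable lines are skipped."""
    matches = [LINE.match(line) for line in text.splitlines()]
    return sorted((Event(iso(m[1]), m[2], int(m[3]), m[4]) for m in matches if m),
                  key=lambda e: e.ts)

def reconcile(change, tickets):
    """A change is authorized only if a ticket matches host, path, user and time window."""
    t = iso(change["ts"])
    return any((tk["host"], tk["path"], tk["user"]) == (change["host"], change["path"], change["user"])
               and iso(tk["start"]) <= t <= iso(tk["end"]) for tk in tickets)

def correlate(events, changes, tickets, inventory, policy, now,
              window=timedelta(minutes=10), threshold=5):
    findings = []
    # 1. Brute force: >= threshold failed logons then a success, same host+user, within window.
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.host, e.user)].append(e)
    for (host, user), evs in by_key.items():
        fails = []
        for e in evs:
            if e.id == 4625:
                fails = [t for t in fails if e.ts - t <= window] + [e.ts]
            elif e.id == 4624 and len(fails) >= threshold and e.ts - fails[0] <= window:
                findings.append(("brute_force_success", host, user))
                fails = []
    # 2. Clearing the audit log is always a finding.
    findings += [("log_cleared", e.host, e.user) for e in events if e.id == 1102]
    # 3. Changes: reconcile each to an authorization, then re-test the policy it touches.
    for c in changes:
        if not reconcile(c, tickets):
            findings.append(("unauthorized_change", c["host"], c["path"]))
        if c["path"] in policy and c["new"] != policy[c["path"]]:
            findings.append(("policy_test_failed", c["host"], c["path"]))
    # 4. A host that stopped sending events may have had logging turned off.
    seen = {e.host for e in events if now - e.ts <= window}
    findings += [("host_silent", h, "") for h in sorted(inventory - seen)]
    # 5. Suspicious events plus an unauthorized change on the same host: escalate.
    suspicious = {f[1] for f in findings if f[0] in ("brute_force_success", "log_cleared")}
    bad_change = {f[1] for f in findings if f[0] == "unauthorized_change"}
    findings += [("incident", h, "") for h in sorted(suspicious & bad_change)]
    return findings

def run():
    return correlate(parse_logs(RAW_LOGS), CHANGES, TICKETS, INVENTORY, POLICY, NOW)

if __name__ == "__main__":
    for kind, host, detail in run():
        print(f"{kind:22} {host:6} {detail}")
```

On the constructed data the five failed logons followed by a success on ehr01, the cleared audit log, the unticketed change that disables auditing (which also fails the policy test) and the silent host web01 each produce a finding, and the suspicious events plus unauthorized change on ehr01 are escalated to one incident; the sshd_config change on db01 matches its ticket and is left alone. The point of step 5 is the one the slide makes: neither the log feed nor the change feed alone tells you which change to roll back first.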

Why Now?

Increased Internal Governance

Increased State Attorney General Activity

Increased Data Breach Costs

Increased Media Attention

Increased Patient Awareness

Health Information Exchanges will Identify Privacy and Security Need

Meaningful Use Stage 2 Preparation Challenges

HHS Breach Notification Rules Finalization

HIPAA Privacy, Security, and Enforcement Rule Update

OCR Audits will Begin


Recommendations

Review organizational policies and procedures to support best practices and adhere to regulatory requirements

• Ensure annual review

• Implement periodic auditing for compliance

Complete annual risk assessments

• Define actionable remediation plans

• Identify milestone completion dates

• Ensure accountability


Recommendations (cont.)

Develop program to identify, monitor, and manage threats and vulnerabilities

• Daily security operational tasks

• Alert monitoring and exception follow-up

• Quarterly internal and external vulnerability scanning

• Web application scanning

• Annual Penetration testing

Implement or strengthen commitment to security awareness program

• User understanding and support of security requirements are critical to success

Questions?

• Chris Konrad

Fortrex Technologies

Website: www.fortrex.com

Email: [email protected]

Phone: 877-FORTREX

LinkedIn: Fortrex SME Club

Twitter: @cjkonrad & @FORTREXTECH

• Cindy Valladares

Tripwire, Inc.

Website: www.tripwire.com

Email: [email protected]

Twitter: @cindyv & @tripwireinc

www.tripwire.com

Tripwire Americas: 1.800.TRIPWIRE

Tripwire EMEA: +44 (0) 20 7382 5420

Tripwire Japan: +812.53206.8610

Tripwire Singapore: +65 6733 5051

Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!
