Protect your Patient Data: Learn How to Avoid Costly Privacy & Security Breaches within your Organization Tuesday, June 21, 2011 Sponsored by:


TRANSCRIPT

Page 1:

Protect your Patient Data: Learn How to Avoid Costly Privacy & Security Breaches within your Organization

Tuesday, June 21, 2011

Sponsored by:

Page 2:

Moderator: Mike Miliard, Managing Editor, Healthcare IT News

Page 3:

Guest Speaker: Valerie Hamilton, Marketing Manager, Healthcare/Life Sciences; Certified Senior IT Specialist, IBM Rational Software

Page 4:

© 2011 IBM Corporation

Protect your Patient Data

Learn How to Avoid Costly Privacy & Security Breaches within your Organization

Valerie [email protected]

Page 5:

Security and compliance risks in the healthcare industry

Data breach affects 1.9 million individuals - includes medical information, Social Security numbers and other sensitive information

- Health IT Law Blog, March 2011

Hackers Break Into Virginia Health Website - deleting records on more than 8 million patients

- Washington Post, May 2009

Data Breach Affects 2,777 Patients

- eWeek.com, March 2011

Healthcare Suffers More Data Breaches Than Financial Services - more than three times!

- Darkreading.com, August 2010

Survey shows that data breaches and unauthorized access to their clinical applications are hospitals' biggest worry.

- Darkreading.com, August 2010

Provider reports potential theft of data on 84,000 patients

- HealthImaging.com, February 2011

Data breaches of patient information cost healthcare organizations in the U.S. nearly $6 billion annually, and many breaches go undetected!

- HealthImaging.com, November 2010

Page 6:

What are some of the drivers? Why are risks on the rise?

Regulatory Compliance: The Health Insurance Portability and Accountability Act (HIPAA) - regulations for protecting the privacy and security of health information

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information.

Increase in vulnerability disclosure

Cost cutting in current economic climate: increased demands decrease efficiencies

Enterprise Modernization: Traditional applications are being driven to the online world - increasing corporate risk

User demand: The public is demanding rich applications requiring advanced coding techniques, which introduces more risk and threats


Page 7:

The changing landscape… The healthcare industry is becoming more interconnected

The Opportunity – smarter planet

Researchers

Providers

Medical Records

Physicians

Pharmaceuticals

Device Makers

Health Plans

Medical Products

And more…

Page 8:

The healthcare industry relies on Web-enabled software

Increased data availability is increasing the attack surface, and network security does little once an organization enables a web application

Web Applications: Intuitive interfaces for access to relevant client information (history, billing, diagnosis, results, etc), client interaction, and integration with health care partners

Web 2.0 and SOA: Collaboration among peers and partners

Databases: Backend of every Web application

Page 9:

The risk to sensitive information and compliance

Risks and Threats

Stealing sensitive information is the 2nd highest motivation for Web application attacks

Costs of Security Breaches

Average cost of a security breach is $7.25 million

Client notification ($214 per compromised record)

Fines (HIPAA annual maximum as high as $1.5 million)

Brand loss and lawsuits

Disruption to business operations

Source: Ponemon Institute, Cost of a Data Breach, 2010

Compliance Demands

Failure to Comply - HIPAA allows both civil and criminal penalties, including fines and possible time in jail

Failure is not an option!

Page 10:

Source: 21st Annual HIMSS Leadership Survey, March 2010

Top Concern — Security of computerized medical information

Security concerns are keeping CIOs in healthcare organizations awake at night

Approximately 23% noted that their organization had a security breach in the past year

30% surveyed indicated compliance with HIPAA security regulations/CMS security audits was a concern

Only 4% of respondents indicated that they don’t have any concerns about their security

Page 11:

Web application vulnerabilities represented the largest category in vulnerability disclosures

According to the IBM X-Force Trend & Risk Report, 49% of all vulnerabilities are Web application vulnerabilities

SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot

Source: IBM Internet Security Systems 2010 X-Force® Year End Trend & Risk Report

As more information is available ‘online’ – the threat increases

Hackers continue to focus on Web applications…they are easy points of entry and there is valuable personal data exchanged

Page 12:

A complete security framework: Security governance, risk management and compliance

Data and Information: Understand, deploy, and properly test controls for access to and usage of sensitive data

People and Identity: Mitigate the risks associated with user access to corporate resources

Application and Process: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure

Network, Server and End Point: Optimize service availability by mitigating risks to network components

Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements

Page 13:

Web application security (Applications and process)

• Assess security needs and risks

– Identify security gaps

– Build secure processes

– Integrate Web application security into holistic security strategy

• Implement processes and solutions

– Identify vulnerabilities and develop secure code

– Protect web applications and web services from attack

– Secure databases associated with applications

• Utilize security experts

– Reduce the cost and complexity of security operations

Page 14:

Deploying secure web applications

Proactive Risk Mitigation

Policy & Requirements Definition

Risk Assessment

Secure application development across design, code, build, test phases

Assessment of Source Code

Assessment of Functioning Application

Final Security Audit

Deploy Web Application

Operational Risk Management

Application & resource protection in operation

Identity & Access Management

Web Application Protection

Secure Web Services

Production-Site Monitoring

Page 15:

Reduce the possibility and impact of security vulnerabilities

Identify and mitigate security and compliance risks before they become an issue

1. Centralize: Centralize security and compliance scanning for the enterprise

2. Automate: Automate web application security testing and compliance analysis

3. Embed: Embed security and compliance across the software/systems development lifecycle

Protect and secure sensitive information

Page 16:

Manage security and compliance of web applications

Anticipate and prevent – not just respond to – security and compliance breaches

Centralize and automate web application security and compliance analysis

Enable security testing to identify vulnerabilities and accessibility issues

Utilize web site content scanning and analysis to help ensure compliance with privacy, accessibility, and key industry regulations (e.g., HIPAA)

Embed security and compliance across the development lifecycle

Demonstrate compliance by ensuring full traceability of requirements

Deploy change management with access control, electronic signatures (21 CFR Part 11), repeatable processes and audit trails

Enable collaborative test management to mitigate business risk and increase quality

Incorporate security/compliance testing during development

“The issues we find…help our site owners to identify and address certain areas of noncompliance and improve the sites. This helps improve the environment of trust and helps prolong customer relationships.”

- Compliance manager, large health products company

Page 17:

Centralize and automate web application security and compliance

Address vulnerabilities in networked applications and critical Web sites

Improve the accuracy and reliability of your online applications

Increase productivity savings over manual security and compliance testing

Support compliance with privacy and accessibility mandates and key regulations

Streamline compliance reporting

Prioritize findings and generate actionable information to assist with remediation

Track risk reduction over time

Page 18:

Reduce security and compliance risks during development

Root Cause:

Secure coding practices are typically not part of core development objectives

In general, development is lacking tools to automate, mitigate risk and test security

Vulnerabilities are continually introduced into application code

Phases: Coding, Build, QA, Security, Production

Most security and compliance issues are found just prior to going live

Desired Profile

Page 19:

The increasing costs of fixing a defect….

During the coding phase: $80/defect

During the build phase: $240/defect

During the QA/Testing phase: $960/defect

Once released as a product: $7,600/defect, plus lawsuits, loss of customer trust, damage to brand

80% of development costs are spent identifying and correcting defects!*

*National Institute of Standards & Technology. Source: GBS Industry standard study. Defect cost derived assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR cost for other phases calculated by using the multiplier on a blended rate of $80/hr.

What is the cost of fixing a security or compliance vulnerability?…the same as the cost of a defect but with greater implications

Page 20:

Embed security and compliance across the development lifecycle

Requirements, Code, Build, Test

Demonstrate compliance by ensuring full lifecycle traceability of requirements

Change Management with access control, e-signatures, repeatable processes and audit trails

Collaborative test management to mitigate risk and increase quality

Automate security/compliance testing into the IDE, build process, and QA

Page 21:

What is the ROI of application security testing?

Cost Savings – Testing Early in Dev

Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense

80% of development costs are spent identifying and correcting defects

Code stage is $80/defect, QA/Testing is $960/defect

50 applications annually w/ 25 issues per application, testing at code stage saves $1.1M over testing at QA stage

Source: GBS Industry standard study

Cost Savings – Automated Testing

Automated testing provides productivity savings over manual testing

Outsourced audits can cost $10,000 to $50,000 per application

At $20,000 an app, 50 audits will cost $1M.

With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)

Cost Avoidance – Of A Security Breach

Costs of a security breach can include audit fees, legal fees, regulatory fines, lost customer revenue & brand damage

The cost to companies is $214 per compromised record

The average cost per data breach is $7.25 Million

Source: Ponemon Institute, Cost of a Data Breach, 2010

Page 22:

Summary: Security and compliance for the health care industry

Centralize and automate web application security and compliance analysis

• Avoid the risk of a data breach, exposing unsuspecting visitors to malware attacks, and falling out of compliance with security, privacy, or accessibility requirements

Embed and drive security and compliance into the software development life cycle

• Ensure full traceability of requirements from definition to testing

• Manage change requests using repeatable processes, secure access, e-signatures and audit trails

• Increase quality through collaborative test management and continual security testing

Meet stringent and constantly changing compliance and regulatory requirements

Anticipate and prevent

Secure and protect sensitive patient data

Ensure trusted transactions between health care partners

Page 23:

© Copyright IBM Corporation 2011. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

For more information please visit…

IBM Rational Solutions for Healthcare and Life Sciences at:

http://www.ibm.com/software/rational/solutions/healthcare/

Page 24:

QUESTIONS? Submit your question to today’s speakers by typing your question into the box on the left side of your screen and then hitting ‘submit.’

If you have news or comments on this topic for the editors of Healthcare IT News, please email [email protected]

Sponsored by: