TRANSCRIPT
2014 © FairWarning, Inc. – Private and Confidential
An Information Technology and Information Security Perspective
December 11, 2014
The State of Patient Privacy Monitoring and its Future – Part 2
Today’s FairWarning® Moderators
Kurt J. Long
Founder
FairWarning, Inc.
Shane Whitlatch
Executive Vice President, Customer Value Creation
FairWarning, Inc.
Chris Arnold
Vice President of Product Management & Engineering
FairWarning, Inc.
Mike Lyons
Director Product Development
FairWarning, Inc.
Agenda
• Emerging Threats
• FairWarning Ready®
– Audit data availability and use
– Identity management and privacy monitoring
– Cloud Security
• Ethics & Integrity
• Privacy Excellence Awards
Guest Panelists

December 10th, 2014: Compliance & Privacy
Dena Boggan
HIPAA Privacy & Security Officer
St. Dominic’s Jackson Memorial Hospital
Doug Clarkston
Privacy Officer
Beaumont Health System
Charles Fletcher
Chief Compliance Officer
Maury Regional Medical Center
Patricia Henrikson
Chief Privacy Officer
Banner Health
Tara McKibben
Privacy Officer
Susquehanna Health System
Deborah Reif
Corporate Responsibility Officer & Privacy Officer
Mercy Health – Springfield
Tina Tolliver
Corporate Compliance Director, Privacy Officer
Cookeville Regional Medical

December 11th, 2014: Information & Security
Dena Boggan
HIPAA Privacy & Security Officer
St. Dominic’s Jackson Memorial Hospital
Jerry Burgess
Vice President of Corporate Responsibility
Alexian Brothers Health System
John Houston
Vice President, Information Security and Privacy, Associate Counsel
UPMC
Christopher Paidhrin
IST Security Administration Manager
PeaceHealth
Deborah Reif
Corporate Responsibility Officer & Privacy Officer
Mercy Health – Springfield
Emerging Threats
(Timeline figure, pre-2010 through 2014, of the threats seen in patient privacy monitoring:)
• Lost laptops, media, paper records
• Patient Complaints
• Snooping
• Medical & Financial ID Theft
• IRS Tax Fraud
• Sale of Patient Data to Crime Rings
• Sale of Physician Data to Crime Rings
• Sale of Employee Data to Crime Rings
• The average cost per lost or stolen record containing sensitive and confidential information increased from $188 to $201.
  Source: Ponemon Institute, May 2014, www.ibm.com/services/costofbreach
• The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to US businesses.
  Source: FBI & DHS report, September 23, 2014, http://www.ic3.gov/media/2014/140923.aspx
Emerging Threats
The Insider Threat – Reality and Response
• Unauthorized access by authorized users – 87% on-site, not IT, snooping or money motivated
• Expanding landscape for misuse, abuse, fraud – trends: mobile, cloud, social media, disruptive change
• Behavior-driven challenges, difficult to detect – 32 months – minimal collusion, leadership losses are double
• Audits, monitoring, awareness – benevolent monitoring, automated alerts – eyes on
Christopher Paidhrin
IST Security Administration Manager
PeaceHealth
FairWarning Ready®
• All major EHR and 250+ Healthcare Applications
• Enterprise security
• Industry benefits
  – Data consistency
  – Cost & complexity reduction
  – Speed to value increase
Audit data availability and use
• Leveraged system upgrade and incompatibility of existing tool with new system
• FairWarning® was positioned to meet our compliance needs of monitoring all key systems
• Experienced barriers getting vendors to produce access data with the desired fields
• Leveraged the financial interests of other initiatives to engage with application vendors to dedicate resources
• Recommend educating key stakeholders early and consistently about risks and regulations
Jerry Burgess
Vice President of Corporate Responsibility
Alexian Brothers Health System
Identity Management
Power of Identity on Patient Privacy Monitoring

(Architecture figure: audit logs from Application 1 through Application N, including CERNER, MEDITECH and 250+ other applications, feed FairWarning® Patient Privacy Monitoring and FairWarning® for Identity Access Management, delivered from a Private Service Cloud.)

Automate HIPAA Access Control Review with FairWarning® for IAM

Fill gaps in existing HIPAA Access Control Processes
• Help to meet §164.312(a)(1)
• Review and update user access

Benefits
• Detection of access after termination
• Discovery of unknown users
• Discovery of orphaned accounts
• Centralized Identity Report

Identity process flow: Discover Identities → Correlate Identities → Cleanse Identities → Centralize Identities → Audit Identity Processes
Identity management and privacy monitoring
John Houston
Vice President, Information Security and Privacy, Associate Counsel
UPMC
2014 Privacy Excellence Award Winner

Identity management (IdM) is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user, information that describes information and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. Managed entities typically include users, hardware and network resources and even applications.
From:
Identity management and privacy monitoring
Automated
• Enables regulatory compliance
• Supports meaningful use
• Improves organizational efficiency
• Improves access controls, resulting in a reduced risk “footprint”
• Supports emerging requirements / technologies, including the accelerating adoption of smartphones & tablet devices
• Improves controls over cloud-based services
Manual
• Hospitals struggle to adequately manage user accounts or demonstrate HIPAA compliance
• Hospitals that attest to meaningful use are at risk of having incentive payments questioned due to lack of HIPAA compliance
• OCR reported that 2 of the top 5 most prevalent security issues identified through its audits were “grant, modify user access” and “authentication / integrity”
• Internal auditors are concerned about inappropriate access to information
(Figure: a delegated review chain of MGR, HR and PO repeated across dozens of hospitals and hundreds of clinics & physician practices.)
• Delegating the review of potential privacy incidents based on the user’s manager, campus, facility, or other criteria
• Escalating only inappropriate access incidents to corporate compliance team
Identity management and privacy monitoring
Monitoring your cloud applications
New Tools in 2015
FairWarning® for Your Healthcare Applications and Cloud Security
• User Activity Reports
• Proactive Breach Detection Analytics and Alerts
• Investigations and Legal Defense
• Automated Monthly Effectiveness Reports
• Governance & Compliance Effectiveness
• Risk and Audit Dashboards
Drivers
– Protection against data theft
– Utilize highly sensitive information in Salesforce
– HIPAA, EU Data Protection Directive, UK Data Protection Act, SOX 404 IT controls, PCI, PIPEDA, FFIEC
– User adoption
Fills an important gap in Salesforce Data Protection
Where FairWarning® Fits In
The Basics of How it Works
(Figure: the 28 Salesforce Event Monitoring log files are the input.)
Example Use Cases
• Forensic investigation of a user’s activities
• Monitoring & alerting on a departing employee’s exports
• Monitoring of access to sensitive accounts & contacts
• User access after termination
• User access trends & visualization
• Easy-to-interpret for a business user
• Ad-hoc reporting, monitoring & alerting
• Multi-criteria filtering
• Visualization, trending, graphing
• Standard and Custom Objects
• Multi-org support
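The IAM "Benefits" list (detection of access after termination, discovery of unknown users and orphaned accounts) and the cloud "Example Use Cases" (a departing employee's exports, user access after termination) both come down to one job: correlate every application login with its owner in the HR roster and then run the checks over the audit data. The following added example, written for this page and not FairWarning's own code, shows that correlation and the four detections end to end. The HR roster, account inventories, the pipe-delimited audit format (app|timestamp|login|action|object) and the export threshold are all constructed assumptions; a real deployment would read the EHR and Salesforce event logs in their native formats.

```python
"""Correlate application audit logs with an HR roster to find access after
termination, unknown users, orphaned accounts and exports by departing staff.
Added illustration, not vendor code; all data and the log format are constructed."""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: employee id -> (name, termination date or None).
HR_ROSTER = {
    "E100": ("Alice Nurse", None),
    "E200": ("Bob Clerk", date(2014, 11, 30)),    # already terminated
    "E300": ("Carol Coder", date(2014, 12, 19)),  # departing soon
}

# Constructed account inventories (the "Discover" step): app -> {login: owner}.
# A login whose owner is None is an account no one in HR is recorded as owning.
APP_ACCOUNTS = {
    "ehr": {"anurse": "E100", "bclerk": "E200", "svc_backup": None},
    "crm": {"alice.n": "E100", "carol.c": "E300"},
}

# Constructed audit lines in an assumed format: app|ISO timestamp|login|action|object
AUDIT_LOG = """\
ehr|2014-12-01T08:02:11|anurse|VIEW|patient/4471
ehr|2014-12-02T23:14:05|bclerk|VIEW|patient/9912
ehr|2014-12-03T07:50:00|svc_backup|EXPORT|patient/*
ehr|2014-12-03T09:10:32|dthomas|VIEW|patient/1203
crm|2014-12-10T17:55:41|carol.c|EXPORT|report/00OQ1
crm|2014-12-10T18:01:09|carol.c|EXPORT|report/00OQ2
crm|2014-12-10T18:05:22|carol.c|EXPORT|report/00OQ3
crm|2014-12-11T09:00:00|alice.n|VIEW|contact/003A1
"""


def parse_log(text):
    """Parse the constructed pipe-delimited audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, ts, login, action, obj = line.split("|", 4)
        events.append({"app": app, "ts": datetime.fromisoformat(ts),
                       "login": login, "action": action, "object": obj})
    return events


def correlate(accounts):
    """Correlate/centralize: map every (app, login) to its HR owner (or None)."""
    return {(app, login): owner
            for app, logins in accounts.items()
            for login, owner in logins.items()}


def access_after_termination(events, identities, roster):
    """Events by a login whose HR owner was terminated before the event date."""
    hits = []
    for ev in events:
        owner = identities.get((ev["app"], ev["login"]))
        term = roster.get(owner, (None, None))[1] if owner else None
        if term is not None and ev["ts"].date() > term:
            hits.append((ev["app"], ev["login"], owner, ev["ts"].isoformat()))
    return hits


def unknown_users(events, identities):
    """Logins seen in audit data that no account inventory knows about."""
    return sorted({(ev["app"], ev["login"]) for ev in events
                   if (ev["app"], ev["login"]) not in identities})


def orphaned_accounts(identities, roster, as_of):
    """Accounts with no live HR owner as of the review date."""
    orphans = []
    for (app, login), owner in sorted(identities.items()):
        if owner is None:
            orphans.append((app, login, "no HR owner"))
        elif owner not in roster:
            orphans.append((app, login, "owner missing from roster"))
        elif roster[owner][1] is not None and roster[owner][1] < as_of:
            orphans.append((app, login, "owner terminated %s" % roster[owner][1]))
    return orphans


def departing_export_alerts(events, identities, roster, as_of,
                            window_days=30, threshold=3):
    """Employees leaving within window_days whose EXPORT count reaches threshold."""
    counts = defaultdict(int)
    for ev in events:
        owner = identities.get((ev["app"], ev["login"]))
        if ev["action"] != "EXPORT" or owner not in roster:
            continue
        term = roster[owner][1]
        if term is not None and (term - as_of).days <= window_days:
            counts[owner] += 1
    return [(owner, roster[owner][0], n)
            for owner, n in sorted(counts.items()) if n >= threshold]


def review(as_of_iso):
    """Run every check for one review date and return the findings."""
    as_of = date.fromisoformat(as_of_iso)
    events = parse_log(AUDIT_LOG)
    identities = correlate(APP_ACCOUNTS)
    return {
        "access_after_termination": access_after_termination(events, identities, HR_ROSTER),
        "unknown_users": unknown_users(events, identities),
        "orphaned_accounts": orphaned_accounts(identities, HR_ROSTER, as_of),
        "departing_exports": departing_export_alerts(events, identities, HR_ROSTER, as_of),
    }


if __name__ == "__main__":
    for check, findings in review("2014-12-11").items():
        print(check)
        for finding in findings:
            print("  ", finding)
```

Run as-is, the review for 2014-12-11 flags Bob's EHR login used two days after his termination, the EHR login dthomas that no inventory knows about, two orphaned EHR accounts (Bob's, and the service account with no HR owner), and Carol's three CRM exports in the week before she leaves. The service account's export is deliberately not raised by the departing-staff check, since it has no owner to compare against a termination date; that is why the orphan check exists alongside it.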
Ethics and Integrity
• Ethical responsibility in using the FairWarning® data in a manner consistent with the intended purpose
• Ethical responsibility to scale for organizational size and risk analysis, in accordance with the regulations
• Clear and consistent in handling inappropriate uses/disclosures of PHI
Deborah Reif
Corporate Responsibility Officer & Privacy Officer
Mercy Health – Springfield
Privacy Excellence Awards
2015 Privacy Excellence Awards
Pathway to Excellence
• Recognition for privacy heroes
• Judged by a panel of experts
• Ultimate benchmark for patient privacy monitoring
• Winner recognized at 2015 HCCA Compliance Institute
2014 Winners’ Profiles
– Best Overall & Best Medium - Small Healthcare Provider, Eastern United States: St. Dominic’s Hospital
– Visionary of the Year & Best Large Healthcare Provider, Eastern United States: UPMC
– Best Large Healthcare Provider, Western United States: Banner Health
– Best Medium - Small Healthcare Provider, Western United States: The Everett Clinic
– Best Healthcare Provider, Canada: Health Information Technology Services – Nova Scotia
– Best Healthcare Provider, United Kingdom & Europe: NHS Lothian
2015 Privacy Excellence Awards
– Feb 1st: Application begins
– Mar 1st: Applications due
– Apr 20th: Winners announced at HCCA Compliance Institute
See you in Orlando for the 2015 HCCA Compliance Institute
Questions