boston.healthprivacyforum.com | #hitprivacy
December 5-7, 2016 Westin Boston Waterfront
Healthcare Organizations Under Attack: Protecting PHI and PII
Jonathan Cohen | Synchronoss Technologies
AGENDA
1. PHI and PII Overview
2. Why PHI is an Appealing Target
3. Platform Overview
4. Use Cases
5. Next Steps
PHI AND PII OVERVIEW
Types of PHI and other patient PII that must be protected by providers and clinicians, e.g.:
Patient Encounter Forms
Continuity of Care Document
Electronic Medical Record
THREATS TO PATIENT INFORMATION
Source: FireEye & Synchronoss Analysis
Rich set of personal data extremely valuable to cybercriminals for Identity Theft
Often contains payment card information and bank account data that can be used for theft and fraud
Perhaps the most valuable records to steal (street value >$300 per record)
This information is often inadequately protected on mobile devices
Yet, for productivity and improved patient care, clinicians need to embrace mobility
TO FURTHER COMPLICATE THINGS…
61% of users reuse passwords among websites
26 accounts per user that require a username & password
63% Confirmed Breaches Involved Weak Or Stolen Credentials
Of the 5,000+ largest successful attacks in the last 10 years, 82% exploited weak or stolen passwords
Only TWO involved 2-factor authentication!
How do we meet the needs?
Key Elements of a Secure Enterprise Platform
KEY ELEMENTS OF A SECURE ENTERPRISE PLATFORM
MOBILITY: secure mobile container + productivity apps
IDENTITY: multi-factor authentication, proofing & certificates (verifies identities, issues credentials, authenticates users, managed attributes)
ANALYTICS: descriptive, predictive & prescriptive analytics
COLLABORATION: secure external collaboration
SERVICES
FOCUS ON IDENTITY MANAGEMENT AND AUTHENTICATION
REPRESENTATIVE USE CASES
PRACTICAL APPLICATIONS – USE CASES
MOBILITY
Life Sciences: Field access to CTMS & EDC apps on BYOD
Healthcare: Secure EMR access on clinician BYOD
IDENTITY & ANALYTICS
Life Sciences: Dynamic provisioning/de-provisioning of access to regulatory submission content
Healthcare: Prescriber verification for controlled substances
COLLABORATION
Life Sciences: R&D Collaboration Workspace for Pharma, Biotech & Academia
Healthcare: Collaborative care workspace for distributed medical teams
Collaboration Gateway data connectors: LIMS, ELN, KB, DCTM, SharePoint, Box, O365, eCTD, CMC, EHR
BRINGING IT ALL TOGETHER – SECURE ENTERPRISE PLATFORM FOR HEALTHCARE
Mobility: LAGOON & ORBIT – Orbit Suite in Container on Devices
Secure Productivity
Basic Research • Chemical registration • Compound management and analysis
Pre-Clinical Science • Early stage analysis and performance • Innovative research (e.g. Biomarkers, Genomics)
Clinical Trials • Trials management with CROs • Electronic data capture & submission management • Monitoring & auditing
Commercialization • Manufacturing quality & process controls • Supply chain & logistics management
Contextual Authorization
Frictionless Access + Unified Identity (Universal ID)
Policy & Controls
Collaboration Workspace
FROM STATIC MOBILE APPS THAT PROVIDE MINIMAL VALUE…
1. Clinical investigator (CI) opens Patient Encounter Form mobile app on BYO tablet
2. CI completes capture of patient info, including mobile contact info, and saves work
3. Next day the CI is reviewing the CRFs from the prior day and notices a concerning test result
4. The CI opens the native messaging app on her tablet and connects with the patient
5. Additional clarifying information is captured and then appended to the CRF
Legend: Workflow interruption; Compliance violation
PHI not secured on personal device
Record of chat session with patient manually transcribed to Patient Encounter Form
Patient Encounter Form (ePEF) app may not be available on BYO device or adequately secured
…TO MOBILE APPS SECURELY ENABLED WITH WORKFLOWS
1. Clinical investigator (CI) opens ePEF mobile app on BYO tablet
2. CI completes capture of patient info, including mobile contact info, and saves work
3. Next day the CI is reviewing the CRFs from the prior day and notices a concerning test result
4. The CI opens the native messaging app on her tablet and connects with the patient
5. Additional clarifying information is captured and then appended to the ePEF
HIPAA compliant messaging app launched from ePEF mobile app
Conversation recorded and securely appended to ePEF
INNOVATIVE APPLICATION FOR INTERNET OF THINGS
Platform components: Gateway, Container, Analytics, Identity, Data
Private and Public Cloud Plugins – integrate with any API (public API / private API)
Plugins; Policy
IoT endpoints: Medical device, Drone, Sensor
• Sensitive IoT data secured within the container
• Mobile apps secured in container interact with IoT devices
• Gateway secures transmission, placed as cloud service or on customer premises
• Plugin architecture enables interaction with back-end services
© Synchronoss. All Rights Reserved. 2016
KEY TAKEAWAYS
A strong mobile security framework and strong authentication are required to enable secure external collaboration and to secure PHI and PII
Container-based security is the best way to secure mobile apps on BYO devices that contain and/or transmit PHI or PII
IoT devices transmitting PHI or PII are no different: the data must be protected at rest and in motion