boston.healthprivacyforum.com | #hitprivacy December 5-7, 2016 Westin Boston Waterfront Healthcare Organizations Under Attack: Protecting PHI and PII Jonathan Cohen | Synchronoss Technologies


Page 2

AGENDA

1.  PHI and PII Overview

2.  Why PHI is an Appealing Target

3.  Platform Overview

4.  Use Cases

5.  Next Steps

Page 3

PHI AND PII OVERVIEW

Types of PHI and other Patient PII that must be protected by Providers and Clinicians, e.g.

Patient Encounter Forms

Continuity of Care Document

Electronic Medical Record

Page 4

THREATS TO PATIENT INFORMATION

Source: FireEye & Synchronoss Analysis

Rich set of personal data extremely valuable to cybercriminals for Identity Theft

Often contains payment card information and bank account data that can be used for theft and fraud

Perhaps the most valuable records to steal (street value >$300 per record)

This information is often inadequately protected on mobile devices

Yet, for productivity and improved patient care, clinicians need to embrace mobility

Page 5

TO FURTHER COMPLICATE THINGS…

61% Users Reuse Passwords Among Websites

26 Accounts That Require Username & Password

63% Confirmed Breaches Involved Weak Or Stolen Credentials

Page 6

Of the 5,000+ largest successful attacks in the last 10 years, 82% exploited weak or stolen passwords

Only TWO involved 2-factor authentication!

Page 7

How do we meet the needs?

Key Elements of a Secure Enterprise Platform

Page 8

KEY ELEMENTS OF A SECURE ENTERPRISE PLATFORM

MOBILITY: SECURE MOBILE CONTAINER + PRODUCTIVITY APPS

ANALYTICS: DESCRIPTIVE, PREDICTIVE & PRESCRIPTIVE ANALYTICS SERVICES

IDENTITY: MULTI FACTOR AUTHENTICATION, PROOFING & CERTIFICATES

COLLABORATION: SECURE EXTERNAL COLLABORATION

Page 9

FOCUS ON IDENTITY MANAGEMENT AND AUTHENTICATION

VERIFIES IDENTITIES

ISSUES CREDENTIALS

AUTHENTICATES USERS

MANAGED ATTRIBUTES

Page 10

REPRESENTATIVE USE CASES

Page 11

PRACTICAL APPLICATIONS – USE CASES

MOBILITY

Life Sciences: Field access to CTMS & EDC apps on BYOD

Healthcare: Secure EMR access on clinician BYOD

IDENTITY & ANALYTICS

Life Sciences: Dynamic provisioning/de-provisioning access to regulatory submission content

Healthcare: Prescriber verification for controlled substances

COLLABORATION

Life Sciences: R&D Collaboration Workspace for Pharma, Biotech & Academia

Healthcare: Collaborative care workspace for distributed medical teams

Page 12

BRINGING IT ALL TOGETHER – SECURE ENTERPRISE PLATFORM FOR HEALTHCARE

Collaboration Gateway

DATA CONNECTORS

LIMS, ELN, KB

DCTM, SharePoint

Box, O365 eCTD, CMC, EHR

Mobility

LAGOON & ORBIT

Orbit Suite in Container on Devices

SECURE PRODUCTIVITY

Basic Research
•  Chemical registration
•  Compound management and analysis

Pre Clinical Science
•  Early stage analysis and performance
•  Innovative research (e.g. Biomarkers, Genomics)

Clinical Trials
•  Trials management with CROs
•  Electronic data capture & submission management
•  Monitoring & auditing

CONTEXTUAL AUTHORIZATION

Commercialization
•  Manufacturing quality & process controls
•  Supply chain & logistics management

Frictionless Access + UNIFIED IDENTITY

ID UNIVERSAL

Policy & Controls

Collaboration Workspace

Page 13

FROM STATIC MOBILE APPS THAT PROVIDE MINIMAL VALUE…

Clinical investigator (CI) opens Patient Encounter Form mobile app on BYO tablet

CI completes capture of patient info, including mobile contact info and saves work

Next day the CI is reviewing the CRFs from prior day and notices a concerning test result

The CI opens native messaging app on her tablet and connects with the patient

Additional clarifying information is captured and then appended to the CRF

Legend

Workflow interruption

Compliance violation

PHI not secured on personal device

Record of chat session with patient manually transcribed to Patient Encounter Form

Patient Encounter Form (ePEF) app may not be available on BYO device or adequately secured

Page 14

…TO MOBILE APPS SECURELY ENABLED WITH WORKFLOWS

Clinical investigator (CI) opens ePEF mobile app on BYO tablet

CI completes capture of patient info, including mobile contact info and saves work

Next day the CI is reviewing the CRFs from prior day and notices a concerning test result

The CI opens native messaging app on her tablet and connects with the patient

Additional clarifying information is captured and then appended to the ePEF

HIPAA compliant messaging app launched from ePEF mobile app

Conversation recorded and securely appended to ePEF

Page 15

INNOVATIVE APPLICATION FOR INTERNET OF THINGS

GATEWAY

CONTAINER

ANALYTICS

IDENTITY

DATA

Private and Public Cloud Plugins

Integrate with any API

PUBLIC API

PRIVATE API

PLUGINS

POLICY

MEDICAL DEVICE

DRONE

SENSOR

•  Sensitive IoT data secured within the container
•  Mobile apps secured in container interact with IoT devices
•  Gateway secures transmission, placed as cloud service or on-customer premises
•  Plugin architecture enables interaction with back-end services

© Synchronoss. All Rights Reserved. 2016

Page 16

KEY TAKEAWAYS

A strong mobile security framework and authentication are required to enable secure external collaboration and to secure PHI and PII

Container-based security is best to secure mobile apps on BYO devices that contain and/or transmit PHI or PII

IoT transmitting PHI or PII is no different: the data must be protected at rest and in motion

Page 17

Jonathan Cohen Synchronoss Technologies