Information confidentiality: business risks and regulations
DESCRIPTION
Implementing the right privacy measures isn’t just a good idea, it’s a critical aspect of safeguarding your intellectual property and complying with legal requirements. It’s not enough to control access to information at the application or administrative level. Data must also be protected during routine activities such as part replacements, upgrades and asset refreshes. Recent changes in HIPAA regulations drive the issue more than ever before. In this session, we will examine privacy needs and risks and discuss effective measures to prevent the unintended sharing of private information, which can compromise intellectual property, expose your company to litigation, or damage your company’s market reputation. We will also discuss the alternatives available and HP’s data privacy offerings in data sanitization, asset recovery and defective media and material retention.
TRANSCRIPT
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Information confidentiality: business risks and regulations
Mike Ryan
Keeley Collins
June 10, 2013
Agenda
• Data privacy needs and risks
• Recent regulations (HIPAA)
• Options and alternatives
• HP offers in this area
Data privacy and risks
Risks to data – risk to your business
Data privacy more important than ever
“Everyone” now needs to protect data from access by unauthorized parties:
• Government & financial
• Health care
• Insurance
• Research/universities
• Technology
• Other
Risks and consequences
• Regulatory fines & penalties
• Litigation
• Intellectual property loss
• Brand and reputation
What data is being protected?
• Intellectual property
• Client data
• Financial data
• Research
• Networks
• PII – Personally Identifiable Info
• PHI – Protected Health Info
Increasing governance means costs to most companies
Data privacy regulations
• HIPAA/HITECH
• Gramm-Leach-Bliley (GLB)
• Family Educational Rights and Privacy Act (FERPA & FISMA)
• Payment card industry data security standards (PCI-DSS)
• Safe Harbor – European Union and the United States
• Cookie & web beacon laws
“In 2010, 69 percent of the 964 IT and business leaders surveyed said compliance is their primary driver for encryption, an increase of five percentage points from last year. Mitigating data breaches falls to second place, with 63 percent saying it was a top driver for encryption adoption.” Ponemon Institute’s annual U.S. Enterprise Encryption Trends report
Recent data privacy updates & news
• Cookie & web beacon legislation footprint expanding
– UK (2012)
– Mexico (effective April 2013)
• EU data privacy regulatory updates (expected mid-2014)
• Google fined for privacy violations by German Privacy Commission (Johannes Caspar)
• US Dept of Commerce draft privacy legislation
• US HIPAA/HITECH final omnibus – January 2013
The only thing constant is… change
Recent regulation (HIPAA)
HIPAA defined
HIPAA overview
Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996:
• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
• Reduces health care fraud and abuse
• Mandates industry-wide standards for health care information on electronic billing and other processes
• Requires the protection and confidential handling of protected health information
HIPAA – U.S. federal medical privacy law
Historical timeline and basic facts
1996 – HIPAA
Sets baseline for medical privacy: privacy rule, security rule and enforcement rule
Covered entities: health plans, health care providers, health care clearing houses
Business associates are “indirectly regulated” via BAA
2009 – HITECH Act
Designed to encourage electronic record keeping
• Extended HIPAA to business associates
• Imposed breach notification requirements to CE and BA
• Increased vigilance around PHI
• Increased enforcement/penalties
2013 – Omnibus final rule to HIPAA/HITECH
Regulations and rules to implement requirements of HITECH Act
• Heightened concern of HP customers regarding data privacy
• Statutory obligations for BAs
• Mandatory flow downs to subcontractors
• Necessitate BAA modifications
• Modifies breach notification rules
Courtesy Suzanne Miller, HP Senior Legal Counsel
Who’s impacted
• Health care providers
Doctors offices, hospitals, universities, VA
• Insurers
HMOs
• Self-insured companies
• Retail (in-store pharmacy)
• Health care processors
• Health care IT integrators/OEMS
• Pharmaceutical
An extended group
HIPAA/HITECH – who can you trust? HP in healthcare – by the numbers *
HP ...
• Has more than 45 years of experience in the health and life sciences industry
• Performs 2.4 billion healthcare transactions annually, including 1 billion in healthcare claims
• Serves 13 of the top 15 pharmaceutical companies, ranked by revenue
• Provides services to health and human services programs in 35 states and supports Medicaid systems in 20 states
• Is the largest provider of Medicaid services in the U.S., supporting programs that administer $140 billion USD in Medicaid benefits annually
* Health & Life Sciences Industry overview, HP, April 2013 http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA1-0181ENW&cc=us&lc=en
HIPAA rules regarding protected health information (PHI)
HIPAA overview
Privacy
The HIPAA privacy rule establishes national standards to protect individuals’ medical records and other personal health information. Applies to “covered entities”. The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Security
The HIPAA security rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The security rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
“Covered entities” – refers to health plans, health care clearinghouses and health care providers who submit electronic transactions or store information electronically.
“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information. . .”
Georgina Verdugo, OCR Director, 2011
HIPAA/HITECH front runners in enforcement activities
HIPAA/HITECH and enforcement
• Covered entities and business associates directly responsible/accountable to HHS & State Attorneys General
• Stringent breach notification requirements
• Required compliance with privacy and security rule safeguards
• Penalties for failing to implement safeguards
HIPAA Omnibus – January 2013 updates
HHS announced final Omnibus rules amending HIPAA (1996) and HITECH Act (2009)
• Effective on March 26, 2013
• Supplement and modify the HIPAA privacy, security, breach reporting and enforcement rules
• Significant changes include:
– Expanded definitions – business associates, unsecured PHI, breach conditions
– Breach notification standards for data-protection are different from the security & privacy rule
– Even “secured” PHI – if disclosed impermissibly – can be considered a breach
– Breaches no longer have to prove significant risk of harm (financial, reputation, etc.)
– Provides assessment specifications
Data breach examples
Penalty/cost impact
Ponemon Institute estimates the cost of a data breach at $214 per compromised record
Military hospital/clinic (9/14/2011)
4.9 million military patients may be affected by loss of computer tapes containing their health information
Commercial health plan (1/21/2011)
1.9 million health plan members notified that hard-drives containing their PHI were missing
Health care network (12/23/2010)
1.7 million impacted due to computer back-up tapes stolen from vehicle
Hospice (6/1/2010)
441 patients impacted due to stolen laptop
Fined $50K by HHS in 2013
Costs of compliance vs. non-compliance
Ponemon Institute, 2011
Higher security score = lower costs of non-compliance
[Figure: security effectiveness score vs. cost of non-compliance – 25 best practices, 40 studies]
Top security attributes:
1. Monitor & enforce security policy
2. Conduct ongoing audits
3. Attract & retain security professionals
4. Ensure minimal system downtime due to security violations
5. Prevent or curtail viruses, malware and spyware infections
Source: Cindy Valladares, Tripwire, “Understanding the Cost of Compliance – Part III”, March 28, 2011. URL: http://www.tripwire.com/state-of-security/it-security-data-protection/understanding-the-cost-of-compliance-part-iii/
An ounce of prevention is worth a pound of cure
Recommendations & next steps
Identify PHI and PII touch points – and implement security provisions
• Assess your environment including mobile devices, servers and networks against the security rule.
• Review your security policies & procedures. Update your training.
• Evaluate your data security, destruction and transmission practices.
• Implement encryption technology and access control mechanisms (passwords, ACLs)
• Ensure your records meet standards – review new breach and assessment guidelines.
Review vendor contracts
• Be sure they can protect your information and that you have purchased the right products and services to enable compliance.
• Evaluate where vendors have access to PHI, and what scope. Restrict it where feasible.
• Update business associate agreements by September 2014.
An ounce of prevention is worth a pound of cure
Recommendations & next steps, cont’d.
Assess your organization’s use and disclosure of PII and PHI
• Clearly classify systems and data
• Control your use, disclosure and retention to the minimum necessary
• Develop a security incident response plan:
– Assemble a response team
– Review & understand how the Omnibus changed breach notification
– Assess using the 4-part assessment criteria
– Create breach notification policies and procedures to help guide your organization through identifying and handling breaches
Options & alternatives
Hardware, services options and alternatives
Strategies to protect your data
Hardware
• Invest in encryption technologies
• Reduces burden and risk around disk media
Media handling
• Implement policies and procedures around handling media removed from IT assets
• Consider disk retention or processing alternatives
Asset lifecycle management
• Implement policies around assets retired from service
• Sanitize media contained in assets before reuse or resale
• Remove other identifying information before disposal
Security assessment & governance
• Governance risk & compliance, operations, applications, endpoint, network & data center
HP offers
Offers from HP
Protection within HP products
Protect your data at rest
• Self Encrypting Drives (SED) for the 3PAR StoreServ 10000 and StoreServ 7000 storage arrays
• HP XP P9000 DKA Encryption Software enables controller-based encryption of hard drives (optional on P9000 storage arrays)
• HP Encryption SAN Switch and blades
• HP 1/8 G2 Autoloader and ESL/EML/MSL Tape Libraries
Erase your data when “done”
• HP disk sanitizer
– Free tool for HP desktops and towers erases to DoD 5220.22-M standards
– Located at HP.com (http://www8.hp.com/us/en/support-drivers/privacy-dataprotection/index.html)
• HP volume shredder for P9000, XP24000, and XP12000 arrays
– Performs repetitive overwrites up to 8 passes (exceeds DoD 5220.22-M)
– Included with array manager software on P9000/XP24000 (optional on XP12000)
Offers from HP
Defective media retention
Keep your media
• All hard drives and eligible SSD/flash drives retained by the customer when replaced as part of a service event
• Customer free to handle, process or dispose of media to accommodate policies, procedures, or regulations
• Available for most HP products such as storage arrays, enclosures, servers, desktops, and workstations
• Offered as HP care pack or as support contract as option to all coverage level and agreement durations
Offers from HP
Comprehensive defective material retention
Keep all data-retentive parts
• Also includes all hard drives and eligible SSD/flash drives retained by the customer when replaced as part of a service event
• Extends scope to other parts, such as system boards containing RAM, controllers, cache, and more
• Not a requirement for HIPAA but of high interest to government and financial sectors
– Assures lower-level identifiable information such as contacts, node names, and IP addresses is protected (note: PHI not likely contained in these components)
• Customer free to handle, process, or dispose of materials to accommodate policies, procedures, or regulations
• Available for most HP products such as storage arrays, enclosures, servers, desktops, and workstations
• Offered as HP care pack or as support contract as option to all coverage level and agreement durations
Announcement: June 10, 2013 with availability July 1, 2013
Offers from HP
HP data sanitization service
Remove data from your storage assets
• Removes data from most HP and third party storage arrays and enclosures
• Allows re-use, sale, or disposal of the asset
• Facilitates compliance with policies and regulations
• Erases data to DoD 5220.22-M and NIST 800-88 “clear” standards
• Detailed documentation/confirmation of operations and status provided by serial number
• On-site or off-site delivery choices provided; destruction optionally available
• Offered as HP care packs or custom scope of work
Service brief and datasheet available
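Added example, not HP’s disk sanitizer, volume shredder or the sanitization service’s own procedure: a small Python script that performs the kind of multi-pass overwrite those offers describe (“clear” by overwriting), reads the final pass back to verify it, and produces the per-serial-number record that the service documents. It runs against an ordinary file standing in for a drive; the sample contents and the serial number are constructed, and the function and record names (`sanitize_image`, `SanitizationRecord`) are my own. Host-side overwriting is the NIST 800-88 “clear” technique for hard drives; on SSD/flash, wear levelling can leave blocks the host never reaches, which is why purge-level sanitization relies on the drive’s own sanitize or cryptographic-erase functions and why the deck lists “purge” and “destroy” separately.

```python
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass, asdict

CHUNK = 1 << 16  # 64 KiB read/write unit


@dataclass
class SanitizationRecord:
    """Per-device record of what was done, keyed by serial number (constructed schema)."""
    serial_number: str
    size_bytes: int
    passes: int
    pattern_sequence: list
    original_digest: str   # SHA-256 of the media before the first pass
    final_digest: str      # SHA-256 of the media after the last pass
    verified: bool         # read-back of the final pass succeeded and content changed


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _overwrite(path, size, pattern):
    """One full pass: a fixed byte value, or random data when pattern is None."""
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(bytes([pattern]) * n if pattern is not None else secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # the pass must reach the device, not just the page cache


def _readback_matches(path, size, pattern):
    """Confirm every byte equals the fixed pattern written by the last pass."""
    expected = bytes([pattern]) * CHUNK
    with open(path, "rb") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            if f.read(n) != expected[:n]:
                return False
            remaining -= n
    return True


def sanitize_image(path, serial_number, passes=3):
    """
    Overwrite the image `passes` times, cycling 0x00 / 0xFF / random, with the
    final pass forced to 0x00 so it can be verified by read-back. Returns a
    SanitizationRecord; `verified` is True only if the read-back succeeded and
    the content digest changed (a zero-length image can never be verified).
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    before = _sha256_file(path)
    cycle = [0x00, 0xFF, None]
    sequence = [cycle[i % 3] for i in range(passes - 1)] + [0x00]
    for pattern in sequence:
        _overwrite(path, size, pattern)
    after = _sha256_file(path)
    ok = _readback_matches(path, size, 0x00) and after != before
    return SanitizationRecord(
        serial_number=serial_number,
        size_bytes=size,
        passes=passes,
        pattern_sequence=["random" if p is None else f"0x{p:02X}" for p in sequence],
        original_digest=before,
        final_digest=after,
        verified=ok,
    )


def make_sample_image(size=200_000):
    """Constructed stand-in for a drive: a temp file filled with random 'data'."""
    fd, path = tempfile.mkstemp(prefix="media-")
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(size))
    return path


if __name__ == "__main__":
    img = make_sample_image()
    rec = sanitize_image(img, serial_number="SN-EXAMPLE-0001")  # constructed serial
    print(asdict(rec))  # the record is what you would archive per device
    os.remove(img)
```

The record is deliberately a plain dataclass so it can be serialized to JSON and filed alongside the asset inventory; `verified` being False on any device is the signal to route that device to a purge or physical-destruction path instead of reuse or resale.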
Offers from HP
HP asset recovery service
Your retired assets: recover market value and responsible disposal
• Turnkey solution to remove retired IT assets from inventory
• Recovers value of surplus IT assets
– Assets with market value processed and sold – proceeds returned to customer less fees
• Assets with no value recycled and disposed of responsibly
• Available for most HP or non-HP IT assets including arrays, servers, desktops, printers, networks, and mobile devices
• De-install, inventory, sorting, and processing of products included
• All media sanitized, identification information removed; cleaning/testing if intended for resale
• On-site or off-site delivery choices provided; destruction optionally available
Service brief and datasheet available
Offers from HP
HP custom services
Flexible management of media removed from service
• Provides options in handling media removed as part of a service event
• Alternative to Defective Material Retention (DMR)
• Eliminates unwanted accumulation of defective media
• Options offered:
– On-site sanitization of hard drives to DOD or NIST standards (media passing the sanitization process returned to HP)
– On-site destruction of hard drives meeting NIST “purge” and “destroy” standards
– Off-site media processing using secure transportation
– Responsible recycling of scrap items
• Available via custom quote; standardized services under evaluation
HP security portfolio: six key areas
HP security and risk management
Security governance, risk, and compliance: protect your reputation, manage risk, and achieve regulatory compliance by replacing disparate governance functions with an integrated set of services
Operations security: integrate information from various security disciplines. Connect your security processes with your business processes
Application security: build enterprise security into your applications. Automate detection and response to vulnerabilities, and enable business agility through secure web applications
Endpoint security: protect all your endpoint devices and minimize risk inherent in a mobile workforce while centralizing and consolidating management tools to reduce costs
Network security: prevent network intrusions while making applications available. Avoid zero-day attacks and automate policy enforcement
Data Center Security: embed security holistically across networking, virtualization, mobility, and cloud in your data center
For more information
Privacy/data protection & disk sanitization website
• HP disk sanitizer tool (desktops/towers)
• HP’s media handling policy for healthcare customers
• HP’s media sanitization policy for returned drives
Enterprise security & risk management website: HP products and services for risk management & security
HIPAA regulations:
• Health & human services, health info & privacy - http://www.hhs.gov/ocr/privacy/index.html
• Federal register (final rule) - http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
Q & A
Learn more about this topic
Use HP Autonomy’s Augmented Reality (AR) to access more content
1. Launch the HP Autonomy AR app*
2. View this slide through the app
3. Unlock additional information!
*Available on the App Store and Google Play
Thank you