RSA Solution Brief

Information Risk Management for Protected Health Information (PHI)


As the adoption rate of the electronic health record continues to accelerate, the need to enhance information risk management strategies becomes more critical to create a secure, compliant healthcare environment. Healthcare providers and payers are increasingly turning to automation tools to improve operations and efficiency while ensuring the safety and quality of patient care.

While automation can lead to improved patient care workflow and reduced costs, it can also create new challenges. The high volume of patient information being created, transmitted, accessed, managed, and stored within the healthcare organization has led to a complex IT environment with an expanded user community, and new security risks to be addressed.

How can a healthcare organization adopt an Information Risk Management strategy to best address its specific information security challenges? And how can an Information Risk Management strategy meet business objectives while enhancing the quality of care delivered to patients?

A Dispersed Information Ecosystem

To effectively manage a patient care episode, caregivers need access to related protected health information (PHI) and personally identifiable information (PII) across a complex and dispersed information infrastructure that requires effective risk management. Several factors that may contribute to the complexity of the IT infrastructure include:

– Existing silos. For optimum patient care delivery, healthcare organizations rely on hundreds, if not thousands, of different applications, some departmental, yet have limited central control over the systems where patient data is stored.

– Multiple users. Collaborative patient care involves the sharing of patient care data between patients, physicians, consultants, clinical staff members and claims processors, all of whom have access to confidential information.

– Multiple locations and access points. Confidential patient health information is prevalent throughout the healthcare environment, on laptops, clinical workstations, USB drives, networks, clinical applications, patient portals, and mobile devices, and is being accessed from both inside and outside the corporate firewall.

The Need to Protect PHI

The volume of confidential, electronic patient information is increasing and national e-Health initiatives are encouraging countries to drive towards integrated, collaborative care. For example, the United States Congress has called for all residents to have their patient records available in an EMR by 2014, and the European Union hopes to achieve European e-health interoperability throughout the region by the end of 2015.

As the quantity of data, users and access points increases, the number of security breaches is also rising. Increasing media visibility of patient health information device thefts, unencrypted data loss, unauthorized access and poor internal security controls is further driving the demand from governments, regulators and citizens for healthcare organizations to refine and implement security strategies that protect the confidentiality of information.

HIPAA, Joint Commission, and EU Data Directives privacy requirements are creating greater patient awareness regarding the need to secure and protect the confidentiality of their personal information. According to the 19th Annual HIMSS Leadership Survey, nearly one out of four healthcare organizations reported a security breach in the last year. In addition, 97% of healthcare CIOs are concerned about data security, and rightfully so. High-profile breaches are occurring almost daily and on a global scale, such as:

– U.S. – Theft of a backup tape from a healthcare organization in Utah put the personal health data of 2.2 million patients at risk.

– U.S. – Unauthorized access to a database at a regional medical center in Nevada exposed the personal information of 128,000 patients.

– U.K. – A national health trust lost the details of 168,000 patients, most of whom were children, after a computer disk was lost.

– Finland – The European Court of Human Rights fined the Finnish government for failing to secure and protect a patient's confidential record.

– U.S. – Healthcare records of more than 386,000 patients were stolen from unsecured laptops, disks and tapes. A $100k fine was imposed on the healthcare organization for being in violation of HIPAA regulations.


Information Risk Management for Protected Health Information

The Information Risk Management for Protected Health Information (PHI) solution from RSA and EMC offers an information-centric approach to security that empowers healthcare organizations to meet the demanding needs of patients, physicians, contractors and other healthcare staff by mitigating risks to the sensitive information that directly contributes to the quality of patient care.

This framework approach, based on industry standards and best practices such as ISO 27002 and ISO 27799 for information security management in health, can help healthcare organizations follow the path that sensitive information takes as it is created, distributed, stored, copied, transformed and accessed throughout its lifecycle. By adopting a holistic view of information security, healthcare organizations can mitigate risks to PHI and PII, control costs, build trust with patients, and satisfy regulatory requirements. And, most importantly, they can continue delivering high quality, safer patient care.

The Information Risk Management for PHI solution is based on three core principles:

1. Information-centric. With sensitive information such as PHI and PII being the most critically important asset within a healthcare organization, focusing on the information helps to clarify operational context and reveals potential vulnerabilities across the IT infrastructure.

2. Risk-based. Helps healthcare organizations establish clear priorities for making security investments so that the most critical security challenges are addressed first.

3. Repeatable. Leverages industry standards and security best practices to manage multiple security and compliance initiatives in a cost-effective and time-efficient way.

Building A Security Framework for PHI

Taking a strategic approach to Information Risk Management and managing the potential risks as confidential patient and clinical data passes through its information lifecycle involves a four-step process. By adopting this best practices approach, healthcare organizations can continue to acquire information technologies to improve patient care and clinical workflow and satisfy the regulatory requirements to protect the security, privacy and confidentiality of sensitive patient data:

– Discover and classify. Understand and classify which data is most sensitive, such as PHI and PII.

– Define policies. Determine how this data should be protected: Who can access it? Where can they access it from? What can they do with it?

– Select and enforce controls. Establish a control framework and implement data and access controls to enforce policy.

– Monitor, report and audit. Document and ensure compliance with policy and industry regulations.

Key Statistics

– Healthcare organizations rank third among all industries in the number of data breaches that could lead to identity theft, representing 16% of all breaches. Source: Symantec Global Internet Security Threat Report

– The impact of a lost or stolen device with patient data costs an average of $90 per patient account if no encryption solution is in place. Source: Gartner

– Healthcare IT professionals identified an internal breach of security as their primary concern regarding data security:
  – 97% indicated that they have concerns about the security of the data at the organizations at which they work
  – 51% reported that an internal breach of security is their top data security concern
  – 24% reported that their organization has experienced a security breach in the past six months
  Source: 19th Annual HIMSS 2008 Leadership Survey

– In the period from 2006-2007, over 1.5 million names were exposed during data breaches that occurred in hospitals alone. Source: attrition.org

Discover sensitive data

The first step in deploying this approach is to discover where sensitive data resides. The answer may seem obvious: "In databases, of course!" But databases are really just the tip of the iceberg, especially in today's mobile, highly collaborative healthcare environment.


If data is stored in a database, then it is also stored on a disk, which is likely backed up to other disks or tape media. Additionally, data is likely accessed through a variety of clinical applications and from a wide array of devices, transformed on clinical workstations, physician laptops, and wireless handheld devices, e-mailed to other users, and then stored on even more file servers or collaboration portals.

Preventing data loss in the healthcare organization and striking the necessary balance between cost and risk involves more than simply determining which databases house critical data. Rather, it entails a comprehensive data discovery process which requires answers to some basic questions about the information infrastructure, including:

– Is PHI and PII available in databases? If so, in which database tables? In which columns or fields?

– Is there sensitive data in file shares? If so, in which folders? In which files?

– Is there high-risk data on clinical workstations or laptops? If so, on which ones?

Next, it is important to answer data type and usage questions such as:

– Is any clinical research intellectual property unwittingly exposed through custom-built applications?

– Is the billing and insurance information of patients being transferred from databases to insecure file servers so that users can create spreadsheets and reports?

– Are back-up tapes containing patient information guaranteed to arrive at their final location without interruption or tampering?

Through the data discovery process, healthcare organizations can create a map of their critical and sensitive data which serves as a foundation for security policy and control strategy. But PHI is dynamic and constantly changing, so data discovery must be embraced as a continuous process.
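The discovery step above is what a DLP "datacenter" or endpoint scan automates: walk the files on a share or laptop, look for identifiers, and rank the locations. The following script is an added example written for this page, not code from RSA or from the brief, and it runs over a handful of constructed file contents embedded inline. The "MRN-" record-number format, the file paths and the two-identifiers-means-restricted classification rule are assumptions; the SSN plausibility rules (area 000, 666 or 900-999, group 00 and serial 0000 are never issued) are the standard ones and are what keep helpdesk ticket numbers out of the report.

```python
"""PHI discovery scan over files on a share or workstation (added example).

Sample "files" are constructed inline so the script runs offline; the MRN
format, the classification thresholds and the paths are assumptions, not an
institution's or RSA DLP's rules.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# US SSN in the dashed form, with groups captured for plausibility checks.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed institutional medical record number format: "MRN-" plus 6-8 digits.
MRN_RE = re.compile(r"\bMRN[- ]?(\d{6,8})\b")
# A date only counts as a date of birth when it follows a DOB label.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)\b\W{0,3}(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})",
    re.IGNORECASE,
)

# Constructed corpus: path -> file content.
SAMPLE_FILES: Dict[str, str] = {
    "//fileshare/finance/claims_2008Q2.txt": (
        "MRN-0048213 | Jane Roe | DOB: 03/09/1971 | SSN 123-45-6789 | claim 2008-05-01\n"
        "MRN-0051900 | John Doe | DOB: 1965-11-30 | SSN 234-56-7890 | claim 2008-05-02\n"
    ),
    "C:/Users/drlee/Desktop/callback_list.txt": (
        "Call back MRN-0048213 about lab results; MRN 0051900 needs a follow-up visit\n"
    ),
    "//fileshare/it/helpdesk_tickets.txt": (
        "Ticket 000-12-3456 opened 2008-05-01; printer 666-12-3456 offline; asset tag 912-34-5678\n"
    ),
    "//fileshare/supply/inventory.txt": "Nitrile gloves, box of 100, reorder when below 40 units\n",
}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues, so ticket and asset IDs are not flagged."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four digits; the scan report must not become a new PHI copy."""
    kept = 0
    out = []
    for ch in reversed(value):
        if ch.isdigit():
            kept += 1
            out.append(ch if kept <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def classify(counts: Dict[str, int]) -> str:
    """Assumed scheme: two or more identifier kinds together -> restricted,
    one kind -> confidential, none -> unclassified."""
    kinds = sum(1 for v in counts.values() if v)
    if kinds >= 2:
        return "restricted"
    if kinds == 1:
        return "confidential"
    return "unclassified"


@dataclass
class Finding:
    path: str
    counts: Dict[str, int]
    samples: List[Tuple[str, str]] = field(default_factory=list)
    classification: str = "unclassified"


def scan_text(path: str, text: str) -> Finding:
    counts: Counter = Counter()
    samples: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            counts["ssn"] += 1
            samples.append(("ssn", mask(m.group(0))))
    for m in MRN_RE.finditer(text):
        counts["mrn"] += 1
        samples.append(("mrn", mask(m.group(0))))
    for m in DOB_RE.finditer(text):
        counts["dob"] += 1
        samples.append(("dob", "<date>"))  # never echo a DOB, even partially
    return Finding(path, dict(counts), samples[:5], classify(counts))


def scan_corpus(files: Dict[str, str]) -> List[Finding]:
    """Most sensitive locations first, which is the order remediation should follow."""
    order = {"restricted": 0, "confidential": 1, "unclassified": 2}
    findings = [scan_text(p, t) for p, t in files.items()]
    return sorted(findings, key=lambda f: (order[f.classification], f.path))


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_FILES):
        print(f"{f.classification:12} {f.path}  {f.counts}  {f.samples}")
```

Two details matter more than the regexes. The report masks every value it records, because a discovery scan that writes raw SSNs and record numbers into its own output has just created one more unmanaged copy of PHI. And the scan is cheap to re-run, which is the point of the brief's remark that discovery must be continuous: the finance export in the sample is exactly the "database to file share so someone can build a spreadsheet" path the questions above ask about.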

Classify sensitive data

After the discovery process is complete, healthcare organizations must classify patient care data in terms of what is most sensitive and at highest risk. Then, healthcare organizations can prioritize their efforts and define appropriate policies. But which patient care data is the most sensitive?

To answer the question, healthcare organizations need to understand their organizational structure, examine the various clinical departments and support departments across the organization, and identify both the regulatory and non-regulatory security drivers for each department.

For example, a healthcare finance department in the United States may need to comply with the Sarbanes-Oxley and Gramm-Leach-Bliley Acts as well as SAS 70, while clinical departments need to focus on the Joint Commission standards. Or, depending on an organization's location, they may need to comply with the European Union Data Directives or country-specific regulations, such as the Japan Privacy Act, Canada's PIPEDA, and the Australia Privacy Act, to name just a few.

[Figure: Changing information value of a patient's medical record. Stages shown: ER admission, Retrieve patient history, Diagnostic tests, Surgery, Post-op monitoring, Intensive care unit, Post-acute care unit, Discharge, Follow-up consultation, Archive patient record.]

Once the regulatory and corporate compliance universe is understood, the next step is to prioritize patient care data by grouping information into various 'classes'. For example, three classes of information could be created, from the most restricted and sensitive (e.g., clinical patient care data) to the least sensitive (e.g., data pertaining to medical supplies and inventory rates).

The next step is to determine the data categories and users for each type of information. For example, a healthcare organization may choose to classify certain healthcare data as 'restricted' and then determine which elements of the information are most critical and which department or business unit within the health system owns this data.

Define policy

Once sensitive data is classified, healthcare organizations must define the policies, the rules for appropriate handling of the data, including which employees, clinicians, patients and other users and applications are authorized to access this data and how, when, and from where they are allowed to access it. For example, physicians might be provided access to the entire patient record at all times and from all locations, but other employees may only be able to access specific lab data or selected clinical department data on a patient, and only during specific hours and from within the firewall.
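The example policy in the paragraph above (who, what part of the record, when, from where) is an attribute-based rule set, and the useful properties are that it denies by default and that every decision is recorded in a form an audit system can consume. The script below is an added example, not code from the brief or from RSA Access Manager; it encodes that policy as data. The role names, record sections, business-hours window and internal address ranges are assumptions chosen to illustrate the rule shape.

```python
"""Deny-by-default access policy for patient records (added example).

Encodes the brief's example policy as attribute rules: physicians may read
the whole record at any time from anywhere, other staff only named sections,
during set hours, from inside the network. Roles, sections, hours, and the
internal address ranges are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass, asdict
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed "inside the firewall" address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed working hours; outside this window the restricted roles are denied.
BUSINESS_HOURS: Tuple[time, time] = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class Rule:
    sections: Optional[FrozenSet[str]]  # None means the entire record
    business_hours_only: bool
    internal_only: bool


# Roles absent from this table get nothing: the default is deny.
POLICY: Dict[str, Rule] = {
    "physician": Rule(None, False, False),
    "lab_technician": Rule(frozenset({"lab_results"}), True, True),
    "claims_processor": Rule(frozenset({"demographics", "billing"}), True, True),
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    patient: str
    section: str
    at: datetime
    source_ip: str


def make_request(user: str, role: str, patient: str, section: str,
                 at_iso: str, source_ip: str) -> Request:
    """Build a request from the strings an access gateway would log (local time)."""
    return Request(user, role, patient, section, datetime.fromisoformat(at_iso), source_ip)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_business_hours(at: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return at.weekday() < 5 and start <= at.time() < end


def evaluate(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Only the final line grants; every
    other path is a deny with a reason that ends up in the audit record."""
    rule = POLICY.get(req.role)
    if rule is None:
        return "deny", f"no rule for role {req.role!r}"
    if rule.sections is not None and req.section not in rule.sections:
        return "deny", f"section {req.section!r} not permitted for {req.role}"
    if rule.business_hours_only and not in_business_hours(req.at):
        return "deny", "outside business hours"
    if rule.internal_only and not is_internal(req.source_ip):
        return "deny", f"source {req.source_ip} is outside the internal network"
    return "allow", f"matched rule for {req.role}"


def audit_record(req: Request, decision: Tuple[str, str]) -> Dict[str, str]:
    """Flat record of the decision for the audit trail. Allows and denies are
    both logged; the denies are usually the more interesting signal."""
    rec = {k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in asdict(req).items()}
    rec["result"], rec["reason"] = decision
    return rec


if __name__ == "__main__":
    # Constructed requests; 2008-06-12 is a Thursday.
    for req in [
        make_request("drlee", "physician", "MRN-0048213", "full_record", "2008-06-12T02:15:00", "203.0.113.5"),
        make_request("tnguyen", "lab_technician", "MRN-0048213", "lab_results", "2008-06-12T10:30:00", "10.1.2.3"),
        make_request("tnguyen", "lab_technician", "MRN-0048213", "medications", "2008-06-12T10:30:00", "10.1.2.3"),
        make_request("tnguyen", "lab_technician", "MRN-0048213", "lab_results", "2008-06-12T10:30:00", "203.0.113.5"),
    ]:
        print(audit_record(req, evaluate(req)))
```

One caveat a practitioner would add: source IP is a coarse proxy for "within the firewall". VPN concentrators, NAT and proxies all make external users look internal, so in a real deployment the network-location attribute should come from the authenticated session (the access gateway or VPN that established it), not from the address on the packet.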

Select and enforce controls

Once a healthcare organization has discovered and classified sensitive data and defined policies for handling the data, the next step is to develop an appropriate control strategy that includes both processes and technology.

The physical control strategy is comprised of two components: the control mechanisms (i.e., the types of controls) and the control points (i.e., where in the infrastructure they are placed: at the storage, database, file server, application, network, or end point). A comprehensive control strategy will include a combination of controls from all three categories described below, implemented at various layers in the IT stack:

– Data controls protect the data itself and are especially effective in collaborative environments where data is constantly being created, shared and transformed. Data controls include products and technologies such as encryption and key management, data loss prevention (DLP) and information rights management (IRM).

– Access controls include both authentication (i.e., is the user who he or she claims to be?) and authorization (i.e., what can the user do once he or she gains access?). Access controls are especially important in the healthcare industry as there are a large number of heterogeneous user groups accessing patient data.

– Audit controls provide the feedback mechanisms to ensure the policies and controls are working as they should. Often delivered as security information and event management (SIEM), audit control products provide the means to prove compliance as well as to refine policies and controls.

Due to the increasing number of data breaches and growing regulatory scrutiny of data privacy and integrity issues, encryption, data loss prevention and security event monitoring are becoming increasingly popular in healthcare organizations. Encryption and DLP solutions represent the notion of 'self-defending data': they enable data to defend itself. For example, if an individual is able to circumvent access controls and steal encrypted data, the data is useless to them as long as the keys were not taken along with it. Likewise, if highly sensitive data subject to privacy regulations is transformed and e-mailed out of an organization, a DLP system can react and protect the data.

Report and audit

As with any process, a security program should have a feedback mechanism that enables the organization to assess its compliance with policy and provides feedback on the effectiveness of data controls. Because of the 24x7 nature of patient care delivery, healthcare organizations need real-time tracking and correlation of security events in order to respond quickly to change.

SIEM (Security Information and Event Management) systems enable healthcare organizations to analyze and report on security logs and real-time events throughout the organization. To enable proper auditing of the data security infrastructure, a SIEM system is needed that automatically collects, manages and analyzes the event logs produced by each of the security systems, networking devices, operating systems, applications, and storage platforms deployed throughout the organization. These logs monitor systems and keep a record of security events, information access, and user activities, both in real time and for forensic analysis.

Correlating events from the data control systems, such as encryption and loss prevention, in real time allows organizations to respond quickly to incidents as they occur and contain potential losses. Proactive log management provides the foundation for a comprehensive auditing strategy. A SIEM system enables organizations to regularly review the security infrastructure for:

– Incident investigation and forensics

– Incident response and remediation

– Compliance to regulations and standards

– Evidence for legal cases

– Auditing and enforcing data security policy

Establishing auditing best practices and implementing an effective SIEM system can help reduce costs and increase the efficiency of compliance, risk management, and forensics. Equally important, auditing provides an opportunity for continuous improvement. Security should always be viewed as a process rather than an event.
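The correlation the section describes, joining access-control events with DLP events in real time, is easier to see as code than as prose. The script below is an added example, not part of the brief and not enVision's rule language or log format. It parses a handful of constructed log lines (an access gateway's allow/deny records and a network DLP verdict, in an assumed key=value format), keeps a sliding time window per user, and raises three kinds of alert: a user reading an unusual number of distinct patient records, a PHI-tagged message leaving the network shortly after such a burst, and a run of denied requests. The thresholds and windows are assumptions and would be tuned to the organization's baseline.

```python
"""Time-window correlation of access and DLP events (added example).

Log lines are constructed for the example, and the field names, rule
thresholds and windows are assumptions; they are not enVision's format or rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

SAMPLE_LOG = """\
2008-06-12T10:00:05Z source=access user=drlee role=physician action=read patient=MRN-0048213 result=allow
2008-06-12T10:01:10Z source=access user=jsmith role=claims_processor action=read patient=MRN-0048213 result=allow
2008-06-12T10:01:42Z source=access user=jsmith role=claims_processor action=read patient=MRN-0051900 result=allow
2008-06-12T10:02:15Z source=access user=jsmith role=claims_processor action=read patient=MRN-0051901 result=allow
2008-06-12T10:02:50Z source=access user=jsmith role=claims_processor action=read patient=MRN-0051902 result=allow
2008-06-12T10:03:30Z source=access user=jsmith role=claims_processor action=read patient=MRN-0051903 result=allow
2008-06-12T10:04:01Z source=access user=drlee role=physician action=read patient=MRN-0051904 result=allow
2008-06-12T10:11:20Z source=dlp user=jsmith channel=email policy=PHI recipient=external verdict=allow
2008-06-12T10:20:00Z source=access user=tnguyen role=lab_technician action=read patient=MRN-0048213 result=deny
2008-06-12T10:20:30Z source=access user=tnguyen role=lab_technician action=read patient=MRN-0051900 result=deny
2008-06-12T10:21:05Z source=access user=tnguyen role=lab_technician action=read patient=MRN-0051901 result=deny
"""

# Assumed thresholds.
BULK_WINDOW, BULK_THRESHOLD = timedelta(minutes=10), 5   # distinct patients per user
DENY_WINDOW, DENY_THRESHOLD = timedelta(minutes=5), 3    # denied requests per user
EXFIL_WINDOW = timedelta(minutes=30)                     # DLP hit after a bulk read


@dataclass
class Event:
    time: datetime
    fields: Dict[str, str]


@dataclass
class Alert:
    time: datetime
    rule: str
    user: str
    severity: str
    detail: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields))
    return events


def _trim(q: Deque[Tuple[datetime, str]], now: datetime, window: timedelta) -> None:
    """Drop entries older than the window so each queue is the live window only."""
    while q and now - q[0][0] > window:
        q.popleft()


def correlate(events: List[Event]) -> List[Alert]:
    reads: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    denies: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    last_bulk: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.time):
        f, t, user = ev.fields, ev.time, ev.fields.get("user", "?")
        if f.get("source") == "access" and f.get("action") == "read":
            if f.get("result") == "allow":
                q = reads[user]
                q.append((t, f.get("patient", "?")))
                _trim(q, t, BULK_WINDOW)
                distinct = {p for _, p in q}
                if len(distinct) >= BULK_THRESHOLD:
                    alerts.append(Alert(t, "bulk_access", user, "medium",
                                        f"{len(distinct)} distinct patients within {BULK_WINDOW}"))
                    last_bulk[user] = t
                    q.clear()  # start a fresh window rather than re-alerting on every read
            elif f.get("result") == "deny":
                q = denies[user]
                q.append((t, f.get("patient", "?")))
                _trim(q, t, DENY_WINDOW)
                if len(q) >= DENY_THRESHOLD:
                    alerts.append(Alert(t, "access_probing", user, "medium",
                                        f"{len(q)} denied reads within {DENY_WINDOW}"))
                    q.clear()
        elif f.get("source") == "dlp" and f.get("policy") == "PHI":
            bulk_at = last_bulk.get(user)
            if bulk_at is not None and t - bulk_at <= EXFIL_WINDOW:
                # A DLP verdict of "allow" means the message was only logged: the data left.
                severity = "high" if f.get("verdict") != "block" else "medium"
                alerts.append(Alert(t, "possible_exfiltration", user, severity,
                                    f"{f.get('channel')} to {f.get('recipient')} "
                                    f"{t - bulk_at} after bulk access, verdict={f.get('verdict')}"))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(f"{a.time:%H:%M:%S} {a.severity:6} {a.rule:22} {a.user:8} {a.detail}")
```

The point of the third rule is that neither source alone is conclusive: a claims processor reading five records in three minutes may be working a batch, and a single outbound e-mail tagged PHI may be a legitimate payer exchange. Seen together inside a short window, with the DLP system having only logged rather than blocked, they are an incident worth a person's attention, which is the kind of correlation the brief says a SIEM exists to do.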

The Information Risk Management Solution

RSA, The Security Division of EMC, and EMC provide a comprehensive portfolio of solutions including software, hardware and services to help healthcare organizations secure their PHI and PII at every level while ensuring compliance with regulations. The following RSA and EMC solutions provide healthcare organizations with the foundation to build a solid security framework.

Discover and Classify Sensitive Data

The following RSA products and services are relevant to the discovery and classification of sensitive patient data:

RSA® Risk Assessment Service

Provides a systematic overview of an organization's information security capabilities and a roadmap for risk remediation.

RSA® Classification for Information Security Service

Discovers sensitive information and systems and secures large volumes of data through a structured process for understanding how to protect information based on its business value and level of sensitivity.

RSA® RiskAdvisor Service

Risk assessment service that determines where sensitive data resides across enterprise systems and how it got there. Identifies relevant policies, procedures, and controls to address those risks.

RSA® Data Loss Prevention (DLP) Suite

Discovers, monitors and protects your sensitive data from loss or misuse whether in a datacenter, on the network, or out at the endpoints. The suite includes:

RSA® DLP Datacenter locates sensitive data in the datacenter, whether in file systems, databases, email systems or large SAN/NAS environments.

RSA® DLP Network monitors and controls sensitive data leaving your network, and blocks or encrypts such transmissions, including email, instant messaging, and web-based tools (HTTP or HTTPS), should they violate a defined security policy.

RSA® DLP Endpoint discovers, monitors and controls sensitive data on endpoints such as clinical workstations and laptops and blocks or logs any such violations of security policy.

Define Policy

The following RSA service helps healthcare organizations define a security policy to effectively manage their information risks:

RSA® Information Security Policy Development Service

The Information Security Policy Development service helps organizations define and map policies to best practices, individual business requirements, and applicable regulations. The result is the creation and implementation of effective data security policies in order to establish a consistent and repeatable way to manage information security risk.

Select and Enforce Controls

RSA offers a number of solutions to enforce both data and access controls. For data control, RSA provides:

RSA® Data Loss Prevention (DLP) Suite

The RSA Data Loss Prevention (DLP) Suite is an integrated suite of data security products that enable organizations to manage business risks associated with enterprise data loss. Combining the RSA DLP Datacenter, RSA DLP Network and RSA DLP Endpoint modules, the RSA DLP Suite helps organizations discover, monitor and protect sensitive data from loss, leakage, or misuse whether in a datacenter, on the network, or out at the endpoints.

RSA® Encryption and Key Management Suite

The RSA Encryption and Key Management Suite is an integrated suite of products that enable organizations to classify their sensitive data, discover that data across the enterprise, enforce controls, and report and audit to ensure compliance with policy. The RSA Encryption and Key Management Suite is comprised of:

RSA® File Security Manager protects sensitive data on Windows and Linux servers by providing transparent encryption and access control capabilities.

RSA® Key Manager with Application Encryption prevents the loss of sensitive data by encrypting data within the application at the point of capture and simplifies the provisioning, distribution, and management of encryption keys for applications.

RSA® Key Manager (RKM) for the Datacenter provides key management for encryption solutions at the database, file server, and storage layer.

RSA BSAFE® provides a portfolio of solutions for developers to meet the wide-ranging security goals of their applications.

For access control, RSA provides:

RSA® Access Manager

Web-access management solution that enables organizations to cost-effectively provide secure access to web applications, such as patient portals, controlling authentication and authorization of "who has access to what".

RSA® Adaptive Authentication

A comprehensive authentication and risk management platform that monitors and authenticates all users and their activities based on risk levels, institutional policies and user segmentation.

RSA SecurID®

Strong two-factor authentication to identify legitimate users for secure access to corporate resources. Available in both hardware and software formats.

Report and Audit

RSA enVision™

Collects and protects All the Data™ from any IP device, in computing environments of any size, without filtering and without the need to deploy agents, and reports back on actionable security and compliance intelligence.

EMC Storage Platforms

To further protect and secure the information infrastructure, EMC provides storage hardware, software, and services to deliver highly available applications to healthcare organizations of all sizes.

EMC Symmetrix helps to consolidate data from multiple systems to support the largest capacities without sacrificing high-end functionality.

EMC CLARiiON enables healthcare organizations to leverage secure management tools with safeguards to ensure continuous data availability and integrity, advanced array-based information replication functionality, virtual LUN technology, and data mobility within and between systems.

EMC Centera provides active archiving and affordable WORM-compliant storage for archived information including e-mail, images, and electronic documents.

Summary of solution components by step

Discover and Classify Sensitive Data: RSA Risk Assessment Service; RSA Classification for Information Security Service; RSA RiskAdvisor Service; RSA Data Loss Prevention (DLP) Suite

Define Policy: RSA Information Security Policy Development Service

Select and Enforce Controls: Data controls: RSA Data Loss Prevention (DLP) Suite; RSA Encryption & Key Management Suite. Access controls: RSA Access Manager; RSA Adaptive Authentication; RSA SecurID

Report and Audit: RSA enVision


RSA is your trusted partner

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance.

RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

©2008 RSA Security Inc. All Rights Reserved. RSA, RSA Security, enVision, SecurID and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.

IRMPHI SB 0808