Protecting PHI and PII - HIPAA Challenges and Solutions - Privacy vs Cost
DESCRIPTION
In January of this year, the HIPAA Omnibus Final Rule was published, implementing more specific requirements for protecting PHI data and steeper penalties for failing to comply. With a final compliance deadline of September 25, 2013, many organizations that create or handle PHI are scrambling to find a solution.

It should not be surprising that there has been an increased focus on PHI regulations, as the percentage of healthcare organizations reporting a data breach is skyrocketing. 94% of healthcare organizations have had at least one data breach in the past two years, and the annual cost to the healthcare industry could soon reach an estimated $7 billion, according to research from the Ponemon Institute. Healthcare is one of the worst-performing US industries in security effectiveness and breach prevention. Since the PCI industry instituted sweeping protection requirements for payment card data, unprotected PHI data, including insurance information, prescription details and medical files, has become a prime target for commoditized insurance fraud. The 2013 Data Breach Investigations Report from Verizon disclosed that over 90% of breaches go unnoticed by internal resources. The Omnibus legislation can institute penalties of up to $1.5 million per breach.

The most effective form of PCI data security, tokenization, is steadily increasing in use over encryption. The high levels of security, flexibility and transparency provided by tokenization have proven results: PCI audit scope and length can be dramatically reduced, applications require few changes to process data, and over the last year tokenization users had 50% fewer security-related incidents than non-users, according to a recent Aberdeen study. Due to its inherent advantages, tokenization has also recently seen a surge in organizations using it for information other than cardholder data. Nearly 47% of respondents to a recent Aberdeen study are using tokenization for something other than cardholder data.
As tokenization can be applied to any structured data, it follows naturally that organizations looking to protect PHI data could benefit greatly from implementing a tokenization solution. In conjunction with best practices such as file encryption, policy-based access controls, and central monitoring and auditing, the healthcare industry could see the same effective results that the payment card industry is realizing today. With more stringent data security requirements and regular audits on the horizon, in addition to increasing attacks on PHI data, organizations should act now to protect their data, before it's too late.

TRANSCRIPT
Protecting PHI across the organization: Challenges and Solutions
Ulf Mattsson, CTO, Protegrity
ISSA Article
New Healthcare Security SIG
Information Systems Security Association
New Healthcare Security Special Interest Group
http://www.bankinfosecurity.com/interviews/ira-winkler-on-issas-future-i-1685
The Ponemon Institute study “Third Annual Benchmark Study on Patient Privacy & Data Security”, December 2012
Study on Patient Privacy & Data Security
The percentage of healthcare organizations reporting a data breach has increased and not declined
94% of healthcare organizations had at least one data breach in the past two years
Breaches can have severe consequences and affect patient treatment
Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure
Sophisticated and stealthy attacks by criminals have been steadily increasing
Estimated average annual cost to the healthcare industry could potentially be as high as $7 billion
The Ponemon Institute study “Third Annual Benchmark Study on Patient Privacy & Data Security”, December 2012
Type of Data that was Lost or Stolen
Targeting Medical Info – Not Credit Cards
http://www.scmagazine.com/medical-identity-theft-to-be-explored-at-ftc-hearing/article/291780/
Harms Patients Suffer if Records are Lost or Stolen
The Ponemon Institute study “Third Annual Benchmark Study on Patient Privacy & Data Security”, December 2012
Identity Theft
http://news.yahoo.com/woman-gets-prison-time-total-identity-theft-202030353.html
On Monday, the real Candida L. Gutierrez saw her identity thief, Benita Cardona-Gonzalez, for the first time. Their encounter came inside a federal courtroom in Wichita, where Cardona-Gonzalez, a Mexican national, was sentenced to 18 months in prison for possessing fraudulent identification documents. Cardona-Gonzalez assumed Gutierrez's persona completely, using it to get a job, a driver's license, a mortgage and medical care for her children.
Woman gets Prison Time in Identity Theft
Why changing your Password won’t help
http://www.pcworld.com/article/2036610/why-changing-your-livingsocial-password-won-t-save-you.html
“The bigger concern is what an attacker can do with your personal information”
"That's enough information to get them started down the path of stealing your identity”
HIPAA Omnibus - Penalties if PHI isn’t encrypted
http://www.diagnosticimaging.com/physicians-experts-make-case-secure-data-exchange-himss13
http://healthitsecurity.com/2013/05/03/patients-sue-dorn-va-medical-center-for-data-breach/#comment-23
"The suit argues that the VA failed to implement even the most rudimentary of technical safeguards”
“How the suit plays out will be interesting because it’s not very often a government organization is facing civil and potential Department of Health and Human Services (HHS) penalties"
Lost PHI was Not Protected - Lawsuit
How are Data Breaches Detected?
Breach Discovery Methods
Verizon 2013 Data Breach Investigations Report
HIPAA & PHI
HIPAA PHI: List of 18 Identifiers
1. Names
2. All geographical subdivisions smaller than a State
3. All elements of dates (except year) related to an individual
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including fingerprints
17. Full face photographic images
18. Any other unique identifying number
Identifiable Sensitive Information

Field            Real Data                            Tokenized / Pseudonymized
Name             Joe Smith                            csu wusoj
Address          100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                           01/02/1966
Telephone        760-278-3389                         760-389-2289
E-Mail Address   [email protected]                    [email protected]
SSN              076-39-2778                          937-28-3390
CC Number        3678 2289 3907 3378                  3846 2290 3371 3378
Business URL     www.surferdude.com                   www.sheyinctao.com
Fingerprint                                           Encrypted
Photo                                                 Encrypted
X-Ray                                                 Encrypted
Healthcare Data – Primary Care Data
Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.
Protection methods can equally be applied to the actual healthcare data, but this is not needed once the identifiers above have been de-identified
De-Identified Sensitive Data

Field            Real Data                            Tokenized / Pseudonymized
Name             Joe Smith                            csu wusoj
Address          100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                           01/02/1966
Telephone        760-278-3389                         760-389-2289
E-Mail Address   [email protected]                    [email protected]
SSN              076-39-2778                          076-28-3390
CC Number        3678 2289 3907 3378                  3846 2290 3371 3378
Business URL     www.surferdude.com                   www.sheyinctao.com
Fingerprint                                           Encrypted
Photo                                                 Encrypted
X-Ray                                                 Encrypted
What can We Learn from Financial Services?
Security Effectiveness per Industry Segment
The Ponemon Institute study, 2011
Positioning of Solutions
Reduction of Pain with New Protection Techniques
[Figure: "Pain & TCO" (High to Low) plotted against time, 1970 to 2010, with each successive technique lowering pain and TCO: Strong Encryption (AES, 3DES), Format Preserving Encryption (DTP, FPE), Vault-based Tokenization, Vaultless Tokenization.]

Input Value: 3872 3789 1620 3675
• Strong Encryption (AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE): 8278 2789 2990 2789 (format preserving)
• Vault-based Tokenization: 8278 2789 2990 2789 (greatly reduced key management)
• Vaultless Tokenization: 8278 2789 2990 2789 (no vault)
Tokenization with or without Vault
                                      Vault-based Tokenization                           Vaultless Tokenization
Footprint                             Large, expanding.                                  Small, static.
High Availability, Disaster Recovery  Complex, expensive replication required.           No replication required.
Distribution                          Practically impossible to distribute               Easy to deploy at different geographically
                                      geographically.                                    distributed locations.
Reliability                           Prone to collisions.                               No collisions.
Performance, Latency, Scalability     Will adversely impact performance & scalability.   Little or no latency. Fastest industry tokenization.
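To make the de-identification tables and the vault versus vaultless comparison concrete, here is an added example in Python (not code from the deck and not Protegrity's algorithm): a simplified keyed, vaultless, format-preserving tokenizer that keeps separators, passes through policy-selected digits (SSN area number, phone area code, last four card digits), and detokenizes with the same key and no lookup vault. The demo key and the token digits it produces are constructed; the input values are the sample values from the tables above.

```python
import hashlib
import hmac
import random

# Constructed demo key; in practice it lives in an HSM or key manager, not in code.
DEMO_KEY = b"demo-key-not-for-production-0123456789abcdef"


def _digit_table(key: bytes, field: str, pos: int, prev: str) -> list:
    """Keyed permutation of '0'..'9' for one digit position, derived from the
    key, field name, position and the token digits already emitted. Equal
    plaintext digits therefore map differently across positions and fields,
    and detokenization can rebuild the same table and invert it."""
    seed = hmac.new(key, f"{field}|{pos}|{prev}".encode(), hashlib.sha256).digest()
    table = list("0123456789")
    random.Random(seed).shuffle(table)  # deterministic for a fixed seed
    return table


def _transform(value, key, field, keep_lead, keep_trail, reverse):
    total = sum(ch.isdigit() for ch in value)
    out, prev, idx = [], "", 0
    for ch in value:
        if not ch.isdigit():
            out.append(ch)  # separators pass through unchanged: format preserving
            continue
        if idx < keep_lead or idx >= total - keep_trail:
            new = ch  # policy pass-through, e.g. SSN area number or last 4 of a card
        else:
            table = _digit_table(key, field, idx, prev)
            new = str(table.index(ch)) if reverse else table[int(ch)]
        out.append(new)
        prev += ch if reverse else new  # always the token-side digit
        idx += 1
    return "".join(out)


def tokenize(value, field, key=DEMO_KEY, keep_lead=0, keep_trail=0):
    """Format-preserving token; the mapping is a bijection, so no collisions."""
    return _transform(value, key, field, keep_lead, keep_trail, reverse=False)


def detokenize(token, field, key=DEMO_KEY, keep_lead=0, keep_trail=0):
    """Recover the original value with the same key and pass-through policy."""
    return _transform(token, key, field, keep_lead, keep_trail, reverse=True)


if __name__ == "__main__":
    # Sample values are the deck's own; the token digits depend on DEMO_KEY.
    for field, value, policy in (("ssn", "076-39-2778", {"keep_lead": 3}),
                                 ("phone", "760-278-3389", {"keep_lead": 3}),
                                 ("pan", "3678 2289 3907 3378", {"keep_trail": 4})):
        tok = tokenize(value, field, **policy)
        print(f"{field:6} {value:20} -> {tok}")
```

Because every token digit is a keyed permutation of the plaintext digit, two different inputs of the same format can never produce the same token, which is the "no collisions" property the comparison above attributes to vaultless tokenization.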
Research Brief: “Tokenization Gets Traction”
Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Over the last 12 months, tokenization users had 50% fewer security-related incidents than tokenization non-users
HIPAA Case Study
Violation of HIPAA - $17 million
• Blue Cross Blue Shield
• Theft of one million unsecured patient records
• Violations of the HIPAA Privacy and Security Rules
• Enforced by the Breach Notification Rule
• Fined $1.5 million
• Total incident cost more than $17 million
• Now protecting stored health data
Summary
Proactive Data Protection

Know your data flow
• Protect the data flow

Protecting your data now could save big time and $ in retroactive security later
• Breaches and audits are on the rise
• Organizations that fail to act now risk losing their hard-earned investments

Granular data protection is cost effective
• Addressing regulations and data breaches
• Data available for analytics and other usage
• Provide separation of duties for administrative functions

Catch abnormal access to data
• Including (compromised) insider accounts
About Protegrity
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented technology, continuing to drive innovation

Cross-industry applicability
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment
• Manufacturing and Government
Questions