
© Copyright 2011 Axis Technology, LLC

The Most Wonderful Time of the Year for Health IT........ NOT

know your data • protect your data • share your data

Agenda

• Attacks are on the Rise
• Legislation is Changing
• Lessons from Healthcare.gov
• Come in from the Cold
• … a word from our sponsors

ATTACKS ARE ON THE RISE

Internal and External Vulnerabilities

• Non-Standard SSL Traffic
• Drive By Attacks
• Watering Hole Attacks
• Bot Nets
• Social Engineering Attacks
• Spear Phishing

Breaches

• South Shore Physicians, P.C. - Dishonest nurse and three co-conspirators were linked to identity fraud.
• NY Office of the Medicaid Inspector General (OMIG) – Employee sent an email that contained sensitive records to their own email account.
• Cedars-Sinai Medical Center - Medical workers were fired for their hacking effort.
• Long Beach Memorial Medical Center - Patients had information exposed by an employee.

Breaches Happen

In the event of a breach, the full cost to an organization can include one or more of the following:

• Notifying customers / patients
• Investigating and controlling the breach
• Potential litigation and fines
• Intangible costs associated with damage to your brand, loss of customers, decline in value, and reputation management

[Graphic: Full Cost of a Breach]

LEGISLATION IS CHANGING

PCI – PCI Data Security Standard

An industry security standard that applies to companies that process & store credit/debit card data.

12 requirements:
1. Firewall to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data to those that “need to know”
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy for all personnel

Larger companies must undergo annual PCI audits. Non-compliance can result in revocation of services and/or fines up to $100,000 per month.

PCI – eCommerce Standards

A merchant’s PCI DSS responsibilities remain regardless of their e-commerce implementation.

If development or processing is outsourced to third parties, the merchant retains responsibility for ensuring that payment card data is protected.

In-house developed applications should use PA-DSS as a best practice during development.

Minimize the staff who can view account data.

Where a merchant has outsourced cardholder data to a third party, that data may still be at risk.


PCI – Cloud Standards

A merchant’s PCI DSS responsibilities remain regardless of their cloud implementation.

Is the service being used the one that was validated?

Identify and minimize the payment card data in the cloud.

Identification and authentication are essential.

Governance, risk and compliance are shared.

Data ownership and cross-border regulatory laws.

Data present in other cloud systems such as VM images, backups, monitoring logs, and so on.

When exiting the cloud, potentially unknown quantities of encrypted data may be left behind.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA)

Covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access to Personal Health Information (“PHI”).

However, it also provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). PHI that meets the requirements for de-identification is considered not to be individually identifiable health information.

The Office of Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate acts with neglect.

HIPAA – Recent Changes

The changes greatly increase privacy protections for PHI while also strengthening enforcement.

Penalties are increased for noncompliance with possible penalties of $1.5 million per occurrence.

OCR audits and assessments will focus on whether PHI has been compromised; the covered entity must then clearly prove that there is a low probability that the information has been compromised.

The changes expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors.

State Laws

46 states have enacted laws requiring notice of security breaches of personal data.

Some states have reportedly considered legislation to hold retailers liable for third-party companies’ costs arising from data breaches.

The Massachusetts law is considered to have one of the most comprehensive sets of security regulations at the state level.


State Laws - Texas

When the Texas breach notification law went into effect in September 2012, breach notification obligations came to exist in all states, because Texas requires entities doing business within the state to notify residents of states that have not enacted their own breach notification law of data breaches.

LESSONS FROM HEALTHCARE.GOV

Getting Technology Right

According to the research firm the Standish Group, 94% of large federal information technology projects over the past 10 years were unsuccessful.

Source: http://www.nytimes.com/2013/10/25/opinion/getting-to-the-bottom-of-healthcaregovs-flop.html?_r=3&

Federal Acquisition Regulation

1,800 pages. Companies that win contracts are those that can navigate the regulations best.

Who’s in Charge?

CMS, QSSI, CGI

3 Years in the Making….. 2 Weeks of Testing?????

An Epic

COME IN FROM THE COLD – TEST!

Issues

Participants can prepare all they want, but bad data can snarl the exchange.

Normalization of data across multiple independent organizations leaves data more vulnerable to contamination, duplication and mix-ups.

Aggregating, analyzing and managing extensive data raises privacy concerns and costs.

Ownership

Each participant must concede a certain amount of ownership of resources and timelines for projects to the “Greater Good”.

Interplay of Changing Technology

• The Cloud
• Social Media
• Increased Outsourcing

Understanding Ourselves

Do we:
• Understand where we are?
• Know where our risks are?
• Have compensating controls?
• Have a plan?

Enterprise Governance Risk and Compliance (“eGRC”) is an enterprise initiative that reaches from strategy through architecture to the operations of the organization.

Review Access to Sensitive Data

• Who has access?
• Perform meaningful entitlements reviews.
• Flag entitlements that do not conform to security policies.
• Enterprise Entitlement Solutions typically include separate mainframe, application-specific and LDAP-based solutions. Review for toxic combinations.
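The entitlements review described above, as an added example (not from the presentation or any product it names): entitlement extracts from a mainframe, an application and LDAP are consolidated per identity, then checked against a per-role policy and a list of toxic combinations. All users, entitlement names, roles and toxic pairs are constructed for the illustration.

```python
# Added example (not from the presentation): consolidate entitlements from
# several sources, then flag non-conforming ones and toxic combinations.
from collections import defaultdict

# Constructed sample extracts from three sources, as the slide describes:
# mainframe (RACF-style profiles), an application-specific table, and LDAP groups.
MAINFRAME = [("jdoe", "PROD.PATIENT.READ"), ("asmith", "PROD.PATIENT.UPDATE")]
APP_ERP = [("jdoe", "ERP_VENDOR_CREATE"), ("jdoe", "ERP_PAYMENT_APPROVE"),
           ("asmith", "ERP_PAYMENT_APPROVE")]
LDAP = [("jdoe", "cn=dba,ou=groups"), ("bwong", "cn=backup-ops,ou=groups"),
        ("bwong", "cn=dba,ou=groups")]

# Policy (constructed): entitlements allowed per job role; anything else is non-conforming.
ROLE_OF = {"jdoe": "ap-clerk", "asmith": "ap-manager", "bwong": "sysadmin"}
ALLOWED = {
    "ap-clerk": {"ERP_VENDOR_CREATE", "PROD.PATIENT.READ"},
    "ap-manager": {"ERP_PAYMENT_APPROVE", "PROD.PATIENT.UPDATE"},
    "sysadmin": {"cn=dba,ou=groups", "cn=backup-ops,ou=groups"},
}
# Toxic combinations: pairs no single identity should hold at the same time.
TOXIC = [
    frozenset({"ERP_VENDOR_CREATE", "ERP_PAYMENT_APPROVE"}),        # create and pay a fake vendor
    frozenset({"cn=dba,ou=groups", "cn=backup-ops,ou=groups"}),     # alter data and its backups
]

def consolidate(*sources):
    """Merge (user, entitlement) rows from every source into one view per user."""
    view = defaultdict(set)
    for source in sources:
        for user, ent in source:
            view[user].add(ent)
    return view

def review(view):
    """Return (user, finding_type, detail) for non-conforming entitlements and toxic combinations."""
    findings = []
    for user, ents in sorted(view.items()):
        allowed = ALLOWED.get(ROLE_OF.get(user, ""), set())
        for ent in sorted(ents - allowed):          # held but not permitted by the user's role
            findings.append((user, "non-conforming", ent))
        for combo in TOXIC:
            if combo <= ents:                       # user holds every entitlement in the pair
                findings.append((user, "toxic", " + ".join(sorted(combo))))
    return findings

if __name__ == "__main__":
    for finding in review(consolidate(MAINFRAME, APP_ERP, LDAP)):
        print(*finding)
```

Note that bwong's pair is flagged as toxic even though each entitlement is individually allowed for the sysadmin role; conformance and toxic-combination checks answer different questions.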

[Diagram: QA Testing environment: internal users, privileged users and external users; ERP, web server, app server, load balancer, file servers, firewall, databases and backups, with data locations numbered 1 to 6]

[Diagram: Live Data environment: the same components and numbered data locations]

Data … Data Everywhere

Copies of data may exist in multiple locations in your environment. Each of these locations is a potential target from external sources and needs to be protected. The Verizon Data Breach Report suggests eliminating unnecessary copies of data.

Data De-Identification (aka Data Masking) eliminates multiple copies of data.

• Outsourcers / Business Associates
• Test Data in the Cloud
• Stratification of Big Data
• Taking Data Home
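The de-identification the HIPAA slide refers to and the masked QA copy this slide contrasts with live data, as an added example that is not part of the presentation or of any vendor tool: a live patient table and an encounter table are masked following the Safe Harbor rules (direct identifiers removed, dates reduced to year, ZIP truncated, ages of 90 and over collapsed) while the record key is replaced by a keyed surrogate so the tables still join. The patient records, the run key and the reference date are constructed; the sparse three-digit ZIP list is the one published in HHS Safe Harbor guidance and should be verified before use.

```python
# Added example (not from the presentation or any vendor tool): build a
# de-identified copy of live patient records for QA, keeping join keys consistent.
import hashlib
import hmac
from datetime import date

# Constructed sample "live" extracts; a real job would read them from the database.
PATIENTS = [
    {"mrn": "MRN-00123", "name": "Jane Q. Patient", "dob": "1951-07-14",
     "zip": "02110", "phone": "617-555-0101"},
    {"mrn": "MRN-00456", "name": "John Elder", "dob": "1921-02-03",
     "zip": "03601", "phone": "603-555-0199"},
]
ENCOUNTERS = [{"mrn": "MRN-00123", "visit": "2013-10-25", "dx": "J20.9"}]

# Secret held only by the masking job and rotated per run (assumption).
RUN_KEY = b"constructed-demo-key"
# Three-digit ZIP areas with 20,000 or fewer people, which Safe Harbor requires
# to be reported as 000 (HHS guidance list based on 2000 census; verify before use).
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}
AS_OF = date(2013, 12, 1)  # reference date for the age calculation (constructed)

def pseudonym(mrn):
    """Keyed, deterministic surrogate: the same MRN masks identically in every table,
    so QA data still joins, but the real MRN cannot be recovered without RUN_KEY."""
    return "MRN-" + hmac.new(RUN_KEY, mrn.encode(), hashlib.sha256).hexdigest()[:8]

def mask_zip(zip5):
    prefix = zip5[:3]
    return "00000" if prefix in SPARSE_ZIP3 else prefix + "00"

def deidentify_patient(p):
    """Safe Harbor: drop direct identifiers, keep only the year of dates, truncate the
    ZIP, and collapse ages of 90 and over (whose birth year alone would reveal them)."""
    age = AS_OF.year - int(p["dob"][:4])   # year difference is enough for the band
    over_89 = age >= 90
    return {"mrn": pseudonym(p["mrn"]), "name": "REDACTED", "phone": "REDACTED",
            "birth_year": "REDACTED" if over_89 else p["dob"][:4],
            "age": "90+" if over_89 else str(age), "zip": mask_zip(p["zip"])}

def deidentify_encounter(e):
    # Visit dates are quasi-identifiers too: keep the year and the clinical code only.
    return {"mrn": pseudonym(e["mrn"]), "visit_year": e["visit"][:4], "dx": e["dx"]}

def build_qa_copy():
    return ([deidentify_patient(p) for p in PATIENTS],
            [deidentify_encounter(e) for e in ENCOUNTERS])
```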


…. A WORD FROM OUR SPONSOR

To find out more or start a FREE 30 Day evaluation, visit www.compliancy-group.com or call (855) 85 HIPAA or (855) 854-4722.

Compliance is important but expensive…Until Now

The Guard Compliance Tracking Solution

• EASY Self Audit Questionnaires
• Gap Identification Reporting
• Remediation Management
• Policy and Procedure Templates
• Unlimited Number of Patients, Employees and Associates
• Document and Version Control Management
• Highly Secure
• No IT integration - Web Based Solution

Become Compliant in 60 Days! Attest for HITECH, and Satisfy Meaningful Use Core Measure 15.

Clients

Data De-Identification - DMsuite™

DMsuite™ - A robust, proprietary tool that has been deployed at clients for over 9 years with: Sensitive Data Discovery, Data De-Identification and Auditing functionality.

[Diagram: supported data sources: Applications; XML, CSV, Multi-Record, etc.; QSAM, VSAM; Databases; Big Data; Files; Unstructured Text: Social, RSS; IMS]


Questions or Further Discussions

Contact: Joe Santangelo

Email: [email protected]

Phone: (646) 596-2670

Twitter: @DataPrivacyDude


www.AxisTechnologyLLC.com

Thank You!

70 Federal Street

Boston, MA 02110

(646) 596-2670
