SlideShare ist ein Scribd-Unternehmen logo

Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security

Envision Technology Advisors
Envision Technology Advisors

Healthcare organizations (HCOs) are facing three major IT security and compliance challenges. First, IT regulations such as HIPAA are getting stricter and enforcement actions are becoming more common and costly....

TechnologieBusiness
1 von 9
WHITE PAPERthreat protection | compliance | archiving & governance | secure communication A Proofpoint White Paper Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security
WHITE PAPER2 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security Contents Healthcare IT Challenges.............................................................................................3 HIPAA and Healthcare IT Regulations.....................................................................3 HIPAA: Broader and Tougher than Ever........................................................................................................3 Other Regulations.................................................................................................................................................5 Inbound Threats: Low Volume and High Risk...................................................... 6 The Mobile Revolution and the Consumerization of IT......................................7 Putting It All Together: Proofpoint Security-as-a-Service Solutions......................................................... 8
WHITE PAPER3 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security Healthcare IT Challenges Healthcare organizations (HCOs) are facing three major IT security and compliance challenges. First, IT regulations such as HIPAA are getting stricter and enforcement actions are becoming more common and costly. Second, hackers and criminal syndicates are attacking HCOs with new forms of intrusive IT attacks that steal valuable data such as login credentials, customer records, proprietary research data, and other forms of intellectual property. Third, like other industries, healthcare is undergoing an IT revolution enabled by consumer-class mobile devices like iPads and Android phones. Smartphones and tablets are giving healthcare workers unprecedented access to patient records and other medical data on the go. But this new decentralized infrastructure often makes it more difficult for HCOs to protect confidential data. This so-called Bring Your Own Device (BYOD) trend potentially puts HCOs at greater risk of violating industry regulations and succumbing to inbound security threats. Let’s examine each of these challenges—stricter regulations, inbound threats, and mobile IT— in turn. HIPAA and Healthcare IT Regulations HIPAA: Broader and Tougher than Ever The most important healthcare IT regulation in the United States is HIPAA1 . In addition to establishing guidelines for how HCOs continue insurance coverage for employees changing jobs, HIPAA put in place three big rules that govern healthcare IT: • The EDI Rule (162.1000), which establishes standard health information terminology and electronic code sets • The Security Rule (164.306), which establishes safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (PHI) • The Privacy Rule (164.502), which orders HCOs to protect PHI and defines the allowable uses and disclosures of PHI, in contrast to “de-identified” health information2 In recent years, all three of these rules have been updated, and another major update to the Privacy Rule is pending3 . In addition, the federal government has become much more aggressive about enforcing HIPAA regulations and imposing financial penalties on organizations it decides have violated HIPAA rules.4 In a sense, the pressure on HCOs has been building since the original HIPAA legislation passed. HIPAA regulations went into effect in April 2003. For the next five years, regulators investigated and closed about 8,000 cases of HIPAA violations without imposing any significant financial penalties or sentencing any violators to jail. But in 2009, the FTC imposed a $2.25 million fine on CVS Caremark for violating HIPAA privacy regulations. 1 For a detailed look at HIPAA, the HITECH Act, and new data privacy regulations, see the Proofpoint white paper HIPAA Update: Staying Compliant with the Latest Healthcare Email Security Regulations. 2 “De-identified” information is information that excludes any details, such as a complete Social Security Number, that could be used to identify a specific person. 3 http://healthitlawblog.wordpress.com/2012/07/10/omb-delays-final-hipaa-rule-indefinitely-while-gao-urges-hhs-to- issue-additional-hipaa-security-and-privacy-guidance/ 4 Resolution agreements and civil monetary penalities for the most serious HIPAA violations to date can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
WHITE PAPER4 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security The case originated in 2006 when pharmacy employees discarded patients’ prescription information in public dumpsters—clearly a violation of HIPAA mandates to ensure that PHI is always private. The CVS Caremark penalty proved to be the first of many multi-million dollar penalties against HIPAA violators. Even government agencies are not immune to regulatory scrutiny and financial penalties. The Office of Civil Rights announced a $1.7 million penalty for Alaska’s Medicaid agency, the Alaska Department of Health and Social Services. The original violation was the loss of a hard drive containing PHI for 501 patients. But regulators upped the penalty when they discovered that the department had failed to conduct a risk analysis exercise as required by the Security Rule, had not adequately trained its workforce on regulations and data security practices, and had not implemented adequate encryption and other security controls for data and media.5 Regulators are penalizing small organizations as well. In April 2012, regulators fined Phoenix Cardiac Surgery $100,000 for posting PHI on a publically accessible cloud-based calendar program and for transmitting PHI through personal, inadequately secured email programs.6 We expect penalties against HCOs for HIPAA violations to continue for three reasons. First, HIPAA violations, especially data breaches, continue, and PHI continues to be leaked or lost.7 The numbers are often dishearteningly big: 228,000 South Carolina Medicaid records were recently leaked through email.8 Over the past 3 years, more than 20 million patient records have been compromised in data breaches large enough to require reporting to the federal government.9 Second, the government recently expanded the scope of HIPAA and added requirements for data breach notifications and timely responses to patient inquiries. The scope of HIPAA broadened considerably with the passage of the American Recovery and Reinvestment Act (ARRA) of 2009. In addition to enacting a financial stimulus for the U.S. economy, the ARRA included another piece of legislation called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act extended the scope of HIPAA data privacy laws to cover the partners of HCOs. Accounting firms, IT consultancies, and other organizations who work with HCOs are now legally responsible for protecting the privacy of PHI. The HITECH Act also introduced a strict data breach notification rule. If an employee discovers a PHI security breach, the employee’s organization has only 60 days in which to notify each patient whose privacy has been compromised. If an HCO is unable to contact ten or more of the affected individuals, it must either disclose the security breach on its Web site or issue a press release about the breach to broadcast and print media. If the breach affects 500 or more individuals, the organization must additionally notify the Secretary of the Department of Health and Human Services (HHS), along with major media outlets. The HHS will then report the breach on its own Web site. Failure to comply with these new data breach guidelines can result in penalties. 5 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html/ 6 http://www.hhs.gov/news/press/2012pres/04/20120417a.html. See also: http://www.dwt.com/Double-Check-Your- Vendors-HIPAA-Settlement-for-Small-Provider-Over-Improper-Use-of-Internet-Software-as-a-Service-Provid- ers-04-24-2012/ 7 http://www.chicagotribune.com/news/local/ct-met-health-data-breaches-20120423,0,6156975.story 8 http://www.postandcourier.com/article/20120419/PC16/120419166&slId=2 9 http://www.computerworld.com/s/article/9230028/_Wall_of_Shame_exposes_21M_medical_record_breaches
WHITE PAPER5 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security The HITECH Act also strengthened patients’ rights to know who has accessed their PHI. Patients can now ask their HCOs to provide detailed accounts of how they have shared their PHI. HCOs must comply with these requests within 60 days. To have any chance of processing these requests on time, HCOs must be systematically tracking all PHI communications and be able to sort them by patient. Fulfilling this requirement will also entail the centralized storage, search, and retrieval of large volumes of information—services provided by email archiving systems. The sender, recipient, content, and timestamp of all email carrying PHI must be logged so they can be listed in responses to patients. Regulators have already shown that they take these new requirements seriously. When Cignet Health of Prince George’s County in Maryland failed to respond in a timely manner to requests from 13 patients for their PHI records, regulators imposed a $1.3 million fine and opened an investigation into other possible HIPAA violations. By the time the investigation had finished, the penalty had grown to $4.3 million. Third, the government has re-organized its enforcement of HIPAA. HIPAA is now enforced by the Office of Civil Rights, and financial penalties accrue directly to the department. In other words, HIPAA penalties now help fund the enforcement of HIPAA regulations. As these developments show, HCOs and their partners have more impetus than ever before to take HIPAA security regulations seriously. Other Regulations HIPAA is not the only set of data security and data privacy regulations that affect HCOs. The list of laws and regulations calling for HCOs and other businesses to protect private data is long and getting longer. • Federal Trade Commission (FTC) The FTC has its own data privacy regulations that apply to companies like WebMD and Google that sell healthcare information online. The FTC rules include a data breach notification rule. • Department of Health and Human Services (HHS) As part of the HITECH Act, the HHS introduced new data security regulations that provide safe harbor for HCOs who encrypt PHI. These rules build on the HIPAA data security and data privacy rules but impose additional requirements on organizations that collect and store PHI.10 Like the new FTC rules, the new HHS rules require companies to notify the public of data breaches. • State Laws States are passing their own data security and data breach notification laws, which are becoming increasingly broad. California SB 1386 requires any business, regardless of its location, to publicly disclose the compromise of the private information involving a California resident. The original focus of SB 1386 was on private data such as a resident’s name, driver’s license number, and credit card number. In 2007, California legislature passed AB 1298, which extends the scope of SB 1386 to cover medical information and health insurance information as well. The Massachusetts Data Privacy Law (201 CMR 17), which took effect in 2010, requires that personal information about any Massachusetts resident be encrypted when stored or transmitted. Businesses must disclose data breaches affecting the privacy of even a single Massachusetts resident. That same year, Nevada strengthened its own data 10 http://www.hhs.gov/news/press/2009pres/04/20090417a.html
WHITE PAPER6 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security privacy laws and now requires all businesses storing or transmitting private data in the state to comply with the Payment Card Industry Data Security Standard (PCI DSS), a data security standard developed and adopted by the credit card industry. Forty-six states have now passed data breach notification laws. • Canadian Laws In 2002, the coverage of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was extended to the healthcare industry. Since then, four Canadian provinces have also passed privacy laws that are similar to PIPEDA.11 As of January 2012, Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) has been extended to hospitals, requiring them to protect confidential data in email and to service public requests for records. • Other National Laws Other nations have passed their own data privacy laws that apply to HCOs as well as other types of organizations. In Japan, the nation’s Privacy Law requires HCOs and other organizations that store records of 5,000 or more people to secure all personal information (including information as “public” as names and phone numbers) and release it only with the express permission of the individuals affected. Compliance failures can result in financial penalties and prison sentences.12 Since 1995, European companies have been required to abide by the European Data Protection Law, which gives individuals control over how their personal information, including healthcare information, is collected, stored, and distributed. A new European Data Protection Regulation draft from January 2012 would, among other things, extend Data Protection Law rules to all organizations, including HCOs based in the U.S. and Canada, that process the personal data of European residents.13 As these draft European regulations show, data privacy and data security laws worldwide are becoming increasingly strict and comprehensive. Bottom line: HCOs and their business partners need to continue monitoring PHI and ensuring they have security infrastructure in place to protect PHI at all times. Inbound Threats: Low Volume and High Risk While regulations about data security are getting stricter, inbound threats that attempt to steal confidential data are becoming more stealthy and effective. Email remains the number one vector for initiating such attacks. Five years ago, email threats came mainly in the form of high volume spam, malware attachments, and phishing attacks that attempted to lure large numbers of email recipients into logging into fake banking portals or other fraudulent Web sites. Over time, email security systems reduced the effectiveness of these attacks. In response, hackers and criminal syndicates changed their strategy. Why hawk cheap pharmaceuticals and counterfeit goods when they could steal data that can be monetized on the black market? That stolen data might be customer records with credit card information, addresses, and Social Security Numbers; or it might be confidential research, patent descriptions, chemical formulas, business plans, or other data that might give one company a significant competitive edge in the marketplace. 11 http://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act 12 http://www.frostbrowntodd.com/media/publication/515_Privacy_20Newsletter-July_202005.pdf 13 http://www.mlawgroup.de/news/publications/detail.php?we_objectID=227
WHITE PAPER7 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security To steal well-guarded data requires an attack far more subtle and sophisticated than a botnet blasting out spam. The attack of choice is a low-volume email phishing attack in which a small number of personal email messages are sent to a small number of individuals, such as members of the executive team. The messages include links to Web sites or, occasionally, to booby-trapped attachments. Once clicked, those links install keyloggers or some other form of malware that enables remote parties to monitor the desktop system or server that has been compromised. Eventually hackers learn to navigate the internal network and find their way to valuable data. They then “exfiltrate” that data; they copy it in a slow trickle that is too subtle to be noticed by most network monitoring tools. Exfiltration might last for days, weeks, months, or even years. The sophistication and duration of these attacks has earned them the name Advanced Persistent Threats (or “Advanced Targeted Attacks”). Advanced Persistent Threats pose a new challenge for HCOs. The attacks are notoriously difficult to detect. Each attack is custom-tailored for its target. To lure recipients into clicking on a link, the phishing messages often include personal data gleaned from social networks or other public sources—data that the recipients might assume is known only to friends or colleagues. Because the message contents are unique, they lack virus signatures and don’t appear on AV blacklists. Because their danger lies in email links rather than in malware attachments, the messages can slip past firewalls that scan email for malware. And the links themselves might be benign most of the time. Attackers might load them with rootkits or keyloggers only intermittently to avoid detection by IT systems that evaluate Web links for hidden threats. Even after the attack has begun and valuable research or customer data is flowing out through a surreptitious, encrypted network tunnel, email recipients often have no idea that they’ve been attacked. Ironically, at the same time that regulations are requiring even tighter control over confidential data, HCOs find themselves battling the most sophisticated attacks yet on data security. They need to detect and defeat those attacks, while continuing to defend against all the traditional attacks, such as spam, malware, and more conventional forms of data leaks. The Mobile Revolution and the Consumerization of IT Adding to the complexity of stricter regulations and stealthier forms of inbound attacks is the revolution taking place in mobile computing. Like their peers in other industries, healthcare workers are bringing their own mobile devices to work. HCO IT networks are now busy with traffic from “non-business” devices such as iPhones, iPads, and Android phones. Roughly 22% of physicians in the U.S. now use iPads in their practices.14 Mobile devices become even more practical as HCOs, at the government’s urging, adopt EHRs for everyday work.15 16 14 http://www.tuaw.com/2011/03/30/ipads-are-becoming-as-important-to-doctors-as-their-stethoscope/ 15 http://americanmedical.com/ehr-stimulus-center/meaningful-use/ 16 http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html?redirect=/ehrincentive- programs/
WHITE PAPER8 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security The proliferation of consumer mobile devices, their lack of rigorous security controls, and new exploits against mobile devices are combining to new create new security risks for HCOs. These security risks take several forms: • Higher incidence of data breaches When mobile devices become more popular in an organization, data breaches increase. For example, a study by Manhattan Research found that when doctors’ use of smartphones rose by 9%, data breaches rose 32%.17 • Lost devices The average cell phone user loses a phone each year.18 When that phone is a smartphone carrying PHI, data privacy, data security, and regulatory compliance are jeopardized. • Loss of perimeter protection Many HCOs have installed firewalls and Web gateways that monitor inbound and outbound traffic on enterprise networks. When users access email and other services from remote locations such as home networks and Wi-Fi hotspots such as hotel lobbies and cafes, those perimeter defenses become useless. There’s no longer an IT filter between the employees device and a phishing site or malware payload. When infected devices return to the internal network, they become a new unchecked vector for attack. HCOs need security services that extend to cover mobile devices and that assess threats— such as URLs in email messages—even when users encounter them in remote locations far beyond the security of the organization’s firewall. Putting It All Together: Proofpoint Security-as-a-Service Solutions HCOs need to protect PHI and other confidential data, even while they’re under attack from sophisticated hackers and criminal syndicates, and even while their employees are carrying more mobile devices and communicating over more channels—email, IM, SMS, etc.—than ever before. Proofpoint offers security and compliance solutions that enable HCOs to embrace new technology such as mobile computing while defending against new forms of security attacks. Email remains the top IT attack vector for enterprises such as HCOs. Proofpoint Enterprise Protection provides the industry’s most comprehensive email security threat classification and email security management solution against phish, virus, spam, and other email borne malware. Proofpoint Enterprise Protection minimizes spam, while ensuring that malware and phishing attacks never reach employee mailboxes. Proofpoint Targeted Attack Protection applies advanced Big Data analytics techniques to detect new forms of attack, including low-volume phishing attacks, before they strike. Proofpoint Targeted Attack Protection features Proofpoint Anomalytics, a service that examines hundreds of variables in real time—including email message characteristics, but also the email traffic history of the message recipient—to identify anomalies that indicate 17 http://www.ama-assn.org/amednews/2011/12/19/bil21219.htm 18 http://usatoday30.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1
WHITE PAPER9 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Proofpoint, Inc. 892 Ross Drive, Sunnyvale, CA 94089 Tel: +1 408 517 4710 www.proofpoint.com Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security a potential threat. Another component of Proofpoint Targeted Attack Protection, URL Clicktime Defense Service, examines URLs at clicktime to ensure that Web destinations are safe and not infected with malware. The URL Clicktime Defense Service protects employees and their devices even when their accessing email at remote locations, such as at home or at Wi-Fi hotspots, outside the network perimeter. Finally, to track PHI communication and be able to comply with patient requests for records of PHI distribution, HCOs can rely on Proofpoint Enterprise Privacy and Proofpoint Enterprise Archive. Proofpoint Enterprise Privacy inspects outbound communications for PHI and other forms of regulated, sensitive and confidential data and then automatically applies policies — such as blocking or encrypting email messages that contain PHI, ensuring that sensitive healthcare data is transmitted in compliance with HIPAA rules. Proofpoint Enterprise Archive provides rule-based archiving for HCOs, and offers lightning fast search responses, enabling email administrators and compliance officers to respond quickly to content requests from individuals through regulatory inquiry. To ensure that archived email remains private and secure, Proofpoint Enterprise Archive applies DoubleBlind Key Architecture, ensuring that only authorized users within the HCO can decrypt archived content. Proofpoint Enterprise Archive combines rigorous security with a high performance Discovery service that saves HCOs valuable time and money when retrieving archived content. For more information about Proofpoint solutions for HCO security and compliance, please visit www.proofpoint.com or call +1 (877) 634-7660.

Empfohlen

Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber ThreatsEnvision Technology Advisors
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEchoworx
 
Secure Multimedia Content Protection and Sharing
Secure Multimedia Content Protection and SharingSecure Multimedia Content Protection and Sharing
Secure Multimedia Content Protection and SharingIRJET Journal
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsPYA, P.C.
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010DataMotion
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast- Mark - Fullbright
 

Empfohlen

Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber ThreatsEnvision Technology Advisors
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEchoworx
 
Secure Multimedia Content Protection and Sharing
Secure Multimedia Content Protection and SharingSecure Multimedia Content Protection and Sharing
Secure Multimedia Content Protection and SharingIRJET Journal
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsPYA, P.C.
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010DataMotion
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast- Mark - Fullbright
 
Establishing CCPA Compliance in Legacy PeopleSoft Systems
Establishing CCPA Compliance in Legacy PeopleSoft SystemsEstablishing CCPA Compliance in Legacy PeopleSoft Systems
Establishing CCPA Compliance in Legacy PeopleSoft SystemsAppsian
 
Securing sensitive data for the health care industry
Securing sensitive data for the health care industrySecuring sensitive data for the health care industry
Securing sensitive data for the health care industryCloudMask inc.
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Dan L. Dodson
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...ERPScan
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving servicesCloudMask inc.
 
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormConference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormEricsson
 
4. data security eb__1_
4. data security eb__1_4. data security eb__1_
4. data security eb__1_Appsian
 
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATEENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATEIJNSA Journal
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Steven Meister
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsEMMAIntl
 
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...David Sweigert
 
Personal Data Breach Notification
Personal Data Breach Notification Personal Data Breach Notification
Personal Data Breach Notification TALOSCommunications
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBMeHealthCareSolutions
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin, Inc.
 
AB CV FULL
AB CV FULLAB CV FULL
AB CV FULLAmit Bose
 
How students designed RC's 50th Anniversary Logo
How students designed RC's 50th Anniversary LogoHow students designed RC's 50th Anniversary Logo
How students designed RC's 50th Anniversary LogoManuel Powell Rodriguez
 
Diacritice romanesti in Y.M by Prajescu Ioana
Diacritice romanesti in Y.M by Prajescu IoanaDiacritice romanesti in Y.M by Prajescu Ioana
Diacritice romanesti in Y.M by Prajescu Ioanaprajescuioana
 
Ppt
PptPpt
Pptuginofianto
 

Weitere ähnliche Inhalte

Was ist angesagt?

Establishing CCPA Compliance in Legacy PeopleSoft Systems
Establishing CCPA Compliance in Legacy PeopleSoft SystemsEstablishing CCPA Compliance in Legacy PeopleSoft Systems
Establishing CCPA Compliance in Legacy PeopleSoft SystemsAppsian
 
Securing sensitive data for the health care industry
Securing sensitive data for the health care industrySecuring sensitive data for the health care industry
Securing sensitive data for the health care industryCloudMask inc.
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Dan L. Dodson
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...ERPScan
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving servicesCloudMask inc.
 
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormConference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormEricsson
 
4. data security eb__1_
4. data security eb__1_4. data security eb__1_
4. data security eb__1_Appsian
 
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATEENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATEIJNSA Journal
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Steven Meister
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsEMMAIntl
 
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...David Sweigert
 
Personal Data Breach Notification
Personal Data Breach Notification Personal Data Breach Notification
Personal Data Breach Notification TALOSCommunications
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBMeHealthCareSolutions
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin, Inc.
 

Was ist angesagt? (18)

Establishing CCPA Compliance in Legacy PeopleSoft Systems
Establishing CCPA Compliance in Legacy PeopleSoft SystemsEstablishing CCPA Compliance in Legacy PeopleSoft Systems
Establishing CCPA Compliance in Legacy PeopleSoft Systems
 
Securing sensitive data for the health care industry
Securing sensitive data for the health care industrySecuring sensitive data for the health care industry
Securing sensitive data for the health care industry
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving services
 
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormConference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
 
4. data security eb__1_
4. data security eb__1_4. data security eb__1_
4. data security eb__1_
 
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATEENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
ENHANCING INFRASTRUCTURE SECURITY IN REAL ESTATE
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
Gdpr ccpa steps to near as close to compliancy as possible with low risk of f...
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
 
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
Understanding the Computer Abuse and Data Recovery Act, Fla.Stat. §668.801 (“...
 
Personal Data Breach Notification
Personal Data Breach Notification Personal Data Breach Notification
Personal Data Breach Notification
 
MBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance WhitepaperMBM Achieving HIPAA Compliance Whitepaper
MBM Achieving HIPAA Compliance Whitepaper
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate Risk
 

Andere mochten auch

How students designed RC's 50th Anniversary Logo
How students designed RC's 50th Anniversary LogoHow students designed RC's 50th Anniversary Logo
How students designed RC's 50th Anniversary LogoManuel Powell Rodriguez
 
Diacritice romanesti in Y.M by Prajescu Ioana
Diacritice romanesti in Y.M by Prajescu IoanaDiacritice romanesti in Y.M by Prajescu Ioana
Diacritice romanesti in Y.M by Prajescu Ioanaprajescuioana
 
Hampton Court
Hampton CourtHampton Court
Hampton Courtdrialog
 
Diy(finished)
Diy(finished)Diy(finished)
Diy(finished)RandyBett
 
PPACA: What You Need to Know (June 2013)
PPACA: What You Need to Know (June 2013)PPACA: What You Need to Know (June 2013)
PPACA: What You Need to Know (June 2013)Travis Sinquefield
 
02 pauta y_tabla_de_notacion_interna0
02 pauta y_tabla_de_notacion_interna002 pauta y_tabla_de_notacion_interna0
02 pauta y_tabla_de_notacion_interna0joseph quenaya neyra
 
Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...
Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...
Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...Waqas Tariq
 
Job Matching in 2016
Job Matching in 2016Job Matching in 2016
Job Matching in 2016AppVault
 
Really simple investing DRiPs
Really simple investing DRiPsReally simple investing DRiPs
Really simple investing DRiPsFloyd Saunders
 
Linking environmental models together to make the world a better place: the G...
Linking environmental models together to make the world a better place: the G...Linking environmental models together to make the world a better place: the G...
Linking environmental models together to make the world a better place: the G...Andrea Antonello
 
Pidato bahasa inggris
Pidato bahasa inggrisPidato bahasa inggris
Pidato bahasa inggrisWarnet Raha
 
MINICEREBROS
MINICEREBROSMINICEREBROS
MINICEREBROStropeda
 
Zvornicko jezero, Iva Bajin
Zvornicko jezero, Iva BajinZvornicko jezero, Iva Bajin
Zvornicko jezero, Iva Bajindvucen
 
Atmospheric Water Generator
Atmospheric Water GeneratorAtmospheric Water Generator
Atmospheric Water GeneratorAnjana Mani
 

Andere mochten auch (20)

AB CV FULL
AB CV FULLAB CV FULL
AB CV FULL
 
How students designed RC's 50th Anniversary Logo
How students designed RC's 50th Anniversary LogoHow students designed RC's 50th Anniversary Logo
How students designed RC's 50th Anniversary Logo
 
Diacritice romanesti in Y.M by Prajescu Ioana
Diacritice romanesti in Y.M by Prajescu IoanaDiacritice romanesti in Y.M by Prajescu Ioana
Diacritice romanesti in Y.M by Prajescu Ioana
 
Ppt
PptPpt
Ppt
 
Hampton Court
Hampton CourtHampton Court
Hampton Court
 
formulare web
formulare webformulare web
formulare web
 
Diy(finished)
Diy(finished)Diy(finished)
Diy(finished)
 
Shakespeare
ShakespeareShakespeare
Shakespeare
 
EcommerceCamp Toronto -- Moneris
EcommerceCamp Toronto -- MonerisEcommerceCamp Toronto -- Moneris
EcommerceCamp Toronto -- Moneris
 
PPACA: What You Need to Know (June 2013)
PPACA: What You Need to Know (June 2013)PPACA: What You Need to Know (June 2013)
PPACA: What You Need to Know (June 2013)
 
02 pauta y_tabla_de_notacion_interna0
02 pauta y_tabla_de_notacion_interna002 pauta y_tabla_de_notacion_interna0
02 pauta y_tabla_de_notacion_interna0
 
Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...
Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...
Comparison of Interpolation Methods in Prediction the Pattern of Basal Stem R...
 
Job Matching in 2016
Job Matching in 2016Job Matching in 2016
Job Matching in 2016
 
Really simple investing DRiPs
Really simple investing DRiPsReally simple investing DRiPs
Really simple investing DRiPs
 
Linking environmental models together to make the world a better place: the G...
Linking environmental models together to make the world a better place: the G...Linking environmental models together to make the world a better place: the G...
Linking environmental models together to make the world a better place: the G...
 
Pidato bahasa inggris
Pidato bahasa inggrisPidato bahasa inggris
Pidato bahasa inggris
 
Practical Auditing
Practical AuditingPractical Auditing
Practical Auditing
 
MINICEREBROS
MINICEREBROSMINICEREBROS
MINICEREBROS
 
Zvornicko jezero, Iva Bajin
Zvornicko jezero, Iva BajinZvornicko jezero, Iva Bajin
Zvornicko jezero, Iva Bajin
 
Atmospheric Water Generator
Atmospheric Water GeneratorAtmospheric Water Generator
Atmospheric Water Generator
 

Ähnlich wie Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security

HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowHIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowNetwork 1 Consulting
 
Responding To The Opportunity
Responding To The OpportunityResponding To The Opportunity
Responding To The Opportunityguest7042c6
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
Protecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA complianceProtecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA complianceTodd Merrill
 
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!Shelly Megan
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare softwareConcetto Labs
 
Hipaa it risk analysis and risk analysis
Hipaa it risk analysis and risk analysisHipaa it risk analysis and risk analysis
Hipaa it risk analysis and risk analysisJohn_mith
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfSuccessiveDigital
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxcravennichole326
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfShelly Megan
 

Ähnlich wie Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security (20)

HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowHIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
 
Responding To The Opportunity
Responding To The OpportunityResponding To The Opportunity
Responding To The Opportunity
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
 
Protecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA complianceProtecting PHI with encryption for HIPAA compliance
Protecting PHI with encryption for HIPAA compliance
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAA
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare software
 
Hipaa it risk analysis and risk analysis
Hipaa it risk analysis and risk analysisHipaa it risk analysis and risk analysis
Hipaa it risk analysis and risk analysis
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdf
 

Mehr von Envision Technology Advisors

Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Envision Technology Advisors
 

Mehr von Envision Technology Advisors (20)

How to Migrate Without Downtime
How to Migrate Without DowntimeHow to Migrate Without Downtime
How to Migrate Without Downtime
 
The Ultimate Guide To Business Continuity
The Ultimate Guide To Business ContinuityThe Ultimate Guide To Business Continuity
The Ultimate Guide To Business Continuity
 
Cloud Based Email
Cloud Based EmailCloud Based Email
Cloud Based Email
 
Survivors Guide To The Cloud
Survivors Guide To The CloudSurvivors Guide To The Cloud
Survivors Guide To The Cloud
 
Ten Myths About Deleted Files
Ten Myths About Deleted FilesTen Myths About Deleted Files
Ten Myths About Deleted Files
 
Disaster Recovery - Deep Dive
Disaster Recovery - Deep DiveDisaster Recovery - Deep Dive
Disaster Recovery - Deep Dive
 
The State of Global Markets 2013
The State of Global Markets 2013The State of Global Markets 2013
The State of Global Markets 2013
 
Ten Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesTen Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted Files
 
Detecting Stopping Advanced Attacks
Detecting Stopping Advanced AttacksDetecting Stopping Advanced Attacks
Detecting Stopping Advanced Attacks
 
8 Strategies For Building A Modern DataCenter
8 Strategies For Building A Modern DataCenter8 Strategies For Building A Modern DataCenter
8 Strategies For Building A Modern DataCenter
 
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
Unleashing IT: Seize Innovation, Accelerate Business, Drive Outcomes. All thr...
 
7 Steps To Developing A Cloud Security Plan
7 Steps To Developing A Cloud Security Plan7 Steps To Developing A Cloud Security Plan
7 Steps To Developing A Cloud Security Plan
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
Cloud or Onsite BDR?
Cloud or Onsite BDR?Cloud or Onsite BDR?
Cloud or Onsite BDR?
 
Forrester Emerging MSSP Wave
Forrester Emerging MSSP WaveForrester Emerging MSSP Wave
Forrester Emerging MSSP Wave
 
RetroFit's Network Monitoring Solution
RetroFit's Network Monitoring SolutionRetroFit's Network Monitoring Solution
RetroFit's Network Monitoring Solution
 
Network Latency
Network LatencyNetwork Latency
Network Latency
 
2013 Threat Report
2013 Threat Report2013 Threat Report
2013 Threat Report
 
Termination of Windows XP
Termination of Windows XPTermination of Windows XP
Termination of Windows XP
 
WhenThe Going Gets Tough
WhenThe Going Gets ToughWhenThe Going Gets Tough
WhenThe Going Gets Tough
 

Kürzlich hochgeladen

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 

Kürzlich hochgeladen (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security

  • 1. WHITE PAPERthreat protection | compliance | archiving & governance | secure communication A Proofpoint White Paper Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security
  • 2. WHITE PAPER2 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security Contents Healthcare IT Challenges.............................................................................................3 HIPAA and Healthcare IT Regulations.....................................................................3 HIPAA: Broader and Tougher than Ever........................................................................................................3 Other Regulations.................................................................................................................................................5 Inbound Threats: Low Volume and High Risk...................................................... 6 The Mobile Revolution and the Consumerization of IT......................................7 Putting It All Together: Proofpoint Security-as-a-Service Solutions......................................................... 8
  • 3. WHITE PAPER3 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security Healthcare IT Challenges Healthcare organizations (HCOs) are facing three major IT security and compliance challenges. First, IT regulations such as HIPAA are getting stricter and enforcement actions are becoming more common and costly. Second, hackers and criminal syndicates are attacking HCOs with new forms of intrusive IT attacks that steal valuable data such as login credentials, customer records, proprietary research data, and other forms of intellectual property. Third, like other industries, healthcare is undergoing an IT revolution enabled by consumer-class mobile devices like iPads and Android phones. Smartphones and tablets are giving healthcare workers unprecedented access to patient records and other medical data on the go. But this new decentralized infrastructure often makes it more difficult for HCOs to protect confidential data. This so-called Bring Your Own Device (BYOD) trend potentially puts HCOs at greater risk of violating industry regulations and succumbing to inbound security threats. Let’s examine each of these challenges—stricter regulations, inbound threats, and mobile IT— in turn. HIPAA and Healthcare IT Regulations HIPAA: Broader and Tougher than Ever The most important healthcare IT regulation in the United States is HIPAA1 . In addition to establishing guidelines for how HCOs continue insurance coverage for employees changing jobs, HIPAA put in place three big rules that govern healthcare IT: • The EDI Rule (162.1000), which establishes standard health information terminology and electronic code sets • The Security Rule (164.306), which establishes safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (PHI) • The Privacy Rule (164.502), which orders HCOs to protect PHI and defines the allowable uses and disclosures of PHI, in contrast to “de-identified” health information2 In recent years, all three of these rules have been updated, and another major update to the Privacy Rule is pending3 . In addition, the federal government has become much more aggressive about enforcing HIPAA regulations and imposing financial penalties on organizations it decides have violated HIPAA rules.4 In a sense, the pressure on HCOs has been building since the original HIPAA legislation passed. HIPAA regulations went into effect in April 2003. For the next five years, regulators investigated and closed about 8,000 cases of HIPAA violations without imposing any significant financial penalties or sentencing any violators to jail. But in 2009, the FTC imposed a $2.25 million fine on CVS Caremark for violating HIPAA privacy regulations. 1 For a detailed look at HIPAA, the HITECH Act, and new data privacy regulations, see the Proofpoint white paper HIPAA Update: Staying Compliant with the Latest Healthcare Email Security Regulations. 2 “De-identified” information is information that excludes any details, such as a complete Social Security Number, that could be used to identify a specific person. 3 http://healthitlawblog.wordpress.com/2012/07/10/omb-delays-final-hipaa-rule-indefinitely-while-gao-urges-hhs-to- issue-additional-hipaa-security-and-privacy-guidance/ 4 Resolution agreements and civil monetary penalities for the most serious HIPAA violations to date can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
  • 4. WHITE PAPER4 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security The case originated in 2006 when pharmacy employees discarded patients’ prescription information in public dumpsters—clearly a violation of HIPAA mandates to ensure that PHI is always private. The CVS Caremark penalty proved to be the first of many multi-million dollar penalties against HIPAA violators. Even government agencies are not immune to regulatory scrutiny and financial penalties. The Office of Civil Rights announced a $1.7 million penalty for Alaska’s Medicaid agency, the Alaska Department of Health and Social Services. The original violation was the loss of a hard drive containing PHI for 501 patients. But regulators upped the penalty when they discovered that the department had failed to conduct a risk analysis exercise as required by the Security Rule, had not adequately trained its workforce on regulations and data security practices, and had not implemented adequate encryption and other security controls for data and media.5 Regulators are penalizing small organizations as well. In April 2012, regulators fined Phoenix Cardiac Surgery $100,000 for posting PHI on a publically accessible cloud-based calendar program and for transmitting PHI through personal, inadequately secured email programs.6 We expect penalties against HCOs for HIPAA violations to continue for three reasons. First, HIPAA violations, especially data breaches, continue, and PHI continues to be leaked or lost.7 The numbers are often dishearteningly big: 228,000 South Carolina Medicaid records were recently leaked through email.8 Over the past 3 years, more than 20 million patient records have been compromised in data breaches large enough to require reporting to the federal government.9 Second, the government recently expanded the scope of HIPAA and added requirements for data breach notifications and timely responses to patient inquiries. The scope of HIPAA broadened considerably with the passage of the American Recovery and Reinvestment Act (ARRA) of 2009. In addition to enacting a financial stimulus for the U.S. economy, the ARRA included another piece of legislation called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act extended the scope of HIPAA data privacy laws to cover the partners of HCOs. Accounting firms, IT consultancies, and other organizations who work with HCOs are now legally responsible for protecting the privacy of PHI. The HITECH Act also introduced a strict data breach notification rule. If an employee discovers a PHI security breach, the employee’s organization has only 60 days in which to notify each patient whose privacy has been compromised. If an HCO is unable to contact ten or more of the affected individuals, it must either disclose the security breach on its Web site or issue a press release about the breach to broadcast and print media. If the breach affects 500 or more individuals, the organization must additionally notify the Secretary of the Department of Health and Human Services (HHS), along with major media outlets. The HHS will then report the breach on its own Web site. Failure to comply with these new data breach guidelines can result in penalties. 5 http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html/ 6 http://www.hhs.gov/news/press/2012pres/04/20120417a.html. See also: http://www.dwt.com/Double-Check-Your- Vendors-HIPAA-Settlement-for-Small-Provider-Over-Improper-Use-of-Internet-Software-as-a-Service-Provid- ers-04-24-2012/ 7 http://www.chicagotribune.com/news/local/ct-met-health-data-breaches-20120423,0,6156975.story 8 http://www.postandcourier.com/article/20120419/PC16/120419166&slId=2 9 http://www.computerworld.com/s/article/9230028/_Wall_of_Shame_exposes_21M_medical_record_breaches
  • 5. WHITE PAPER5 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security The HITECH Act also strengthened patients’ rights to know who has accessed their PHI. Patients can now ask their HCOs to provide detailed accounts of how they have shared their PHI. HCOs must comply with these requests within 60 days. To have any chance of processing these requests on time, HCOs must be systematically tracking all PHI communications and be able to sort them by patient. Fulfilling this requirement will also entail the centralized storage, search, and retrieval of large volumes of information—services provided by email archiving systems. The sender, recipient, content, and timestamp of all email carrying PHI must be logged so they can be listed in responses to patients. Regulators have already shown that they take these new requirements seriously. When Cignet Health of Prince George’s County in Maryland failed to respond in a timely manner to requests from 13 patients for their PHI records, regulators imposed a $1.3 million fine and opened an investigation into other possible HIPAA violations. By the time the investigation had finished, the penalty had grown to $4.3 million. Third, the government has re-organized its enforcement of HIPAA. HIPAA is now enforced by the Office of Civil Rights, and financial penalties accrue directly to the department. In other words, HIPAA penalties now help fund the enforcement of HIPAA regulations. As these developments show, HCOs and their partners have more impetus than ever before to take HIPAA security regulations seriously. Other Regulations HIPAA is not the only set of data security and data privacy regulations that affect HCOs. The list of laws and regulations calling for HCOs and other businesses to protect private data is long and getting longer. • Federal Trade Commission (FTC) The FTC has its own data privacy regulations that apply to companies like WebMD and Google that sell healthcare information online. The FTC rules include a data breach notification rule. • Department of Health and Human Services (HHS) As part of the HITECH Act, the HHS introduced new data security regulations that provide safe harbor for HCOs who encrypt PHI. These rules build on the HIPAA data security and data privacy rules but impose additional requirements on organizations that collect and store PHI.10 Like the new FTC rules, the new HHS rules require companies to notify the public of data breaches. • State Laws States are passing their own data security and data breach notification laws, which are becoming increasingly broad. California SB 1386 requires any business, regardless of its location, to publicly disclose the compromise of the private information involving a California resident. The original focus of SB 1386 was on private data such as a resident’s name, driver’s license number, and credit card number. In 2007, California legislature passed AB 1298, which extends the scope of SB 1386 to cover medical information and health insurance information as well. The Massachusetts Data Privacy Law (201 CMR 17), which took effect in 2010, requires that personal information about any Massachusetts resident be encrypted when stored or transmitted. Businesses must disclose data breaches affecting the privacy of even a single Massachusetts resident. That same year, Nevada strengthened its own data 10 http://www.hhs.gov/news/press/2009pres/04/20090417a.html
  • 6. WHITE PAPER6 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security privacy laws and now requires all businesses storing or transmitting private data in the state to comply with the Payment Card Industry Data Security Standard (PCI DSS), a data security standard developed and adopted by the credit card industry. Forty-six states have now passed data breach notification laws. • Canadian Laws In 2002, the coverage of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was extended to the healthcare industry. Since then, four Canadian provinces have also passed privacy laws that are similar to PIPEDA.11 As of January 2012, Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) has been extended to hospitals, requiring them to protect confidential data in email and to service public requests for records. • Other National Laws Other nations have passed their own data privacy laws that apply to HCOs as well as other types of organizations. In Japan, the nation’s Privacy Law requires HCOs and other organizations that store records of 5,000 or more people to secure all personal information (including information as “public” as names and phone numbers) and release it only with the express permission of the individuals affected. Compliance failures can result in financial penalties and prison sentences.12 Since 1995, European companies have been required to abide by the European Data Protection Law, which gives individuals control over how their personal information, including healthcare information, is collected, stored, and distributed. A new European Data Protection Regulation draft from January 2012 would, among other things, extend Data Protection Law rules to all organizations, including HCOs based in the U.S. and Canada, that process the personal data of European residents.13 As these draft European regulations show, data privacy and data security laws worldwide are becoming increasingly strict and comprehensive. Bottom line: HCOs and their business partners need to continue monitoring PHI and ensuring they have security infrastructure in place to protect PHI at all times. Inbound Threats: Low Volume and High Risk While regulations about data security are getting stricter, inbound threats that attempt to steal confidential data are becoming more stealthy and effective. Email remains the number one vector for initiating such attacks. Five years ago, email threats came mainly in the form of high volume spam, malware attachments, and phishing attacks that attempted to lure large numbers of email recipients into logging into fake banking portals or other fraudulent Web sites. Over time, email security systems reduced the effectiveness of these attacks. In response, hackers and criminal syndicates changed their strategy. Why hawk cheap pharmaceuticals and counterfeit goods when they could steal data that can be monetized on the black market? That stolen data might be customer records with credit card information, addresses, and Social Security Numbers; or it might be confidential research, patent descriptions, chemical formulas, business plans, or other data that might give one company a significant competitive edge in the marketplace. 11 http://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act 12 http://www.frostbrowntodd.com/media/publication/515_Privacy_20Newsletter-July_202005.pdf 13 http://www.mlawgroup.de/news/publications/detail.php?we_objectID=227
  • 7. WHITE PAPER7 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security To steal well-guarded data requires an attack far more subtle and sophisticated than a botnet blasting out spam. The attack of choice is a low-volume email phishing attack in which a small number of personal email messages are sent to a small number of individuals, such as members of the executive team. The messages include links to Web sites or, occasionally, to booby-trapped attachments. Once clicked, those links install keyloggers or some other form of malware that enables remote parties to monitor the desktop system or server that has been compromised. Eventually hackers learn to navigate the internal network and find their way to valuable data. They then “exfiltrate” that data; they copy it in a slow trickle that is too subtle to be noticed by most network monitoring tools. Exfiltration might last for days, weeks, months, or even years. The sophistication and duration of these attacks has earned them the name Advanced Persistent Threats (or “Advanced Targeted Attacks”). Advanced Persistent Threats pose a new challenge for HCOs. The attacks are notoriously difficult to detect. Each attack is custom-tailored for its target. To lure recipients into clicking on a link, the phishing messages often include personal data gleaned from social networks or other public sources—data that the recipients might assume is known only to friends or colleagues. Because the message contents are unique, they lack virus signatures and don’t appear on AV blacklists. Because their danger lies in email links rather than in malware attachments, the messages can slip past firewalls that scan email for malware. And the links themselves might be benign most of the time. Attackers might load them with rootkits or keyloggers only intermittently to avoid detection by IT systems that evaluate Web links for hidden threats. Even after the attack has begun and valuable research or customer data is flowing out through a surreptitious, encrypted network tunnel, email recipients often have no idea that they’ve been attacked. Ironically, at the same time that regulations are requiring even tighter control over confidential data, HCOs find themselves battling the most sophisticated attacks yet on data security. They need to detect and defeat those attacks, while continuing to defend against all the traditional attacks, such as spam, malware, and more conventional forms of data leaks. The Mobile Revolution and the Consumerization of IT Adding to the complexity of stricter regulations and stealthier forms of inbound attacks is the revolution taking place in mobile computing. Like their peers in other industries, healthcare workers are bringing their own mobile devices to work. HCO IT networks are now busy with traffic from “non-business” devices such as iPhones, iPads, and Android phones. Roughly 22% of physicians in the U.S. now use iPads in their practices.14 Mobile devices become even more practical as HCOs, at the government’s urging, adopt EHRs for everyday work.15 16 14 http://www.tuaw.com/2011/03/30/ipads-are-becoming-as-important-to-doctors-as-their-stethoscope/ 15 http://americanmedical.com/ehr-stimulus-center/meaningful-use/ 16 http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html?redirect=/ehrincentive- programs/
  • 8. WHITE PAPER8 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security The proliferation of consumer mobile devices, their lack of rigorous security controls, and new exploits against mobile devices are combining to new create new security risks for HCOs. These security risks take several forms: • Higher incidence of data breaches When mobile devices become more popular in an organization, data breaches increase. For example, a study by Manhattan Research found that when doctors’ use of smartphones rose by 9%, data breaches rose 32%.17 • Lost devices The average cell phone user loses a phone each year.18 When that phone is a smartphone carrying PHI, data privacy, data security, and regulatory compliance are jeopardized. • Loss of perimeter protection Many HCOs have installed firewalls and Web gateways that monitor inbound and outbound traffic on enterprise networks. When users access email and other services from remote locations such as home networks and Wi-Fi hotspots such as hotel lobbies and cafes, those perimeter defenses become useless. There’s no longer an IT filter between the employees device and a phishing site or malware payload. When infected devices return to the internal network, they become a new unchecked vector for attack. HCOs need security services that extend to cover mobile devices and that assess threats— such as URLs in email messages—even when users encounter them in remote locations far beyond the security of the organization’s firewall. Putting It All Together: Proofpoint Security-as-a-Service Solutions HCOs need to protect PHI and other confidential data, even while they’re under attack from sophisticated hackers and criminal syndicates, and even while their employees are carrying more mobile devices and communicating over more channels—email, IM, SMS, etc.—than ever before. Proofpoint offers security and compliance solutions that enable HCOs to embrace new technology such as mobile computing while defending against new forms of security attacks. Email remains the top IT attack vector for enterprises such as HCOs. Proofpoint Enterprise Protection provides the industry’s most comprehensive email security threat classification and email security management solution against phish, virus, spam, and other email borne malware. Proofpoint Enterprise Protection minimizes spam, while ensuring that malware and phishing attacks never reach employee mailboxes. Proofpoint Targeted Attack Protection applies advanced Big Data analytics techniques to detect new forms of attack, including low-volume phishing attacks, before they strike. Proofpoint Targeted Attack Protection features Proofpoint Anomalytics, a service that examines hundreds of variables in real time—including email message characteristics, but also the email traffic history of the message recipient—to identify anomalies that indicate 17 http://www.ama-assn.org/amednews/2011/12/19/bil21219.htm 18 http://usatoday30.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1
  • 9. WHITE PAPER9 / 9 ©2012Proofpoint,Inc.ProofpointisatrademarkofProofpoint,Inc.intheUnitedStatesandothercountries.Allothertrademarkscontainedhereinarepropertyoftheirrespectiveowners.12/12 Proofpoint, Inc. 892 Ross Drive, Sunnyvale, CA 94089 Tel: +1 408 517 4710 www.proofpoint.com Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Security a potential threat. Another component of Proofpoint Targeted Attack Protection, URL Clicktime Defense Service, examines URLs at clicktime to ensure that Web destinations are safe and not infected with malware. The URL Clicktime Defense Service protects employees and their devices even when their accessing email at remote locations, such as at home or at Wi-Fi hotspots, outside the network perimeter. Finally, to track PHI communication and be able to comply with patient requests for records of PHI distribution, HCOs can rely on Proofpoint Enterprise Privacy and Proofpoint Enterprise Archive. Proofpoint Enterprise Privacy inspects outbound communications for PHI and other forms of regulated, sensitive and confidential data and then automatically applies policies — such as blocking or encrypting email messages that contain PHI, ensuring that sensitive healthcare data is transmitted in compliance with HIPAA rules. Proofpoint Enterprise Archive provides rule-based archiving for HCOs, and offers lightning fast search responses, enabling email administrators and compliance officers to respond quickly to content requests from individuals through regulatory inquiry. To ensure that archived email remains private and secure, Proofpoint Enterprise Archive applies DoubleBlind Key Architecture, ensuring that only authorized users within the HCO can decrypt archived content. Proofpoint Enterprise Archive combines rigorous security with a high performance Discovery service that saves HCOs valuable time and money when retrieving archived content. For more information about Proofpoint solutions for HCO security and compliance, please visit www.proofpoint.com or call +1 (877) 634-7660.