Learn how data encryption and encryption key management address compliance for healthcare providers and payers. Join Derek Tumulak, VP Product Management at Vormetric, and Tricia Pattee, HOSTING Product Manager, as they discuss how HIPAA/HITECH regulations impact electronic protected health information (ePHI) and best practices to safeguard sensitive patient data.
Discover how:
• HIPAA and HITECH regulatory mandates impact data security for healthcare institutions
• Strong encryption and policy-based access controls provide a separation of duties between data security and system administrators
• Secure key management and policy management ensure consistency in applying policies and encryption keys to both structured and unstructured data
• Rapid implementation is achieved because encryption is transparent to users, applications, databases and storage systems
• The HOSTING and Vormetric cloud solution can satisfy HIPAA and HITECH compliance requirements in the cloud
2. Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the upper left of the viewer
• If we don’t get to your question during the webinar, we will follow up with you via email
• Download related resources via the “Attachments” button above the viewing panel
• On Twitter? Join the conversation: @HOSTINGdotcom, @Vormetric
4. Vormetric – Data Security
• Vision: to secure the world’s information
• Industry-leading data security company, based in San Jose, CA since 2001
• Customers protected: 17 of the Fortune 30; 1,500+ customers in 22 countries; 155+ petabytes and 500K+ servers
• Cloud service provider partnerships, to enable data security protection with our cloud partners
(Badges shown on the slide: Best Encryption; Best Security & Compliance; Virtualized Environments)
5. March 2014
Security is the leading cloud adoption concern: the need is to establish trust and controls in the cloud.
8. HIPAA/HITECH Act
Key requirements to think about
• Notify individuals of any breach of unsecured PHI
• PHI counts as secured only if it has been rendered unusable, unreadable or indecipherable, i.e. encrypted or destroyed
• Encryption of data at rest must follow NIST SP 800-111
• Keys must be kept on a separate device from the data they protect
• Only FIPS-approved encryption algorithms (FIPS 140-2 validated cryptography) may be used
• Omnibus Rule: extends the HIPAA requirements directly to the business associates of payers, providers and clearinghouses
9. Potential Consequences of Non-Compliance
Increased enforcement and penalties (fines)
• The HITECH Act included provisions for increased enforcement of the HIPAA Privacy and Security Rules:
  • Requires HHS to formally investigate any complaint of a HIPAA violation if a preliminary investigation indicates a possible violation due to willful neglect, and to impose civil penalties for such violations.
  • Allows state Attorneys General to bring civil actions in federal court on behalf of state residents if there is reason to believe that the interests of one or more residents have been threatened or adversely affected by a person who violates HIPAA.
10. Complying with HIPAA/HITECH
Some of the top challenges
• The security requirements, taken independently of one another, can prove costly and time-consuming to implement adequately.
  • Typically several point solutions have to be integrated to protect dispersed data, and the resulting implementations can be very complex.
• Protecting unstructured data.
  • Some types of data, such as credit card numbers or social security numbers, can be readily located and protected; the unstructured data frequently found in EMRs is harder to protect.
  • It spans many file types: patient record forms, medical imagery files and other formats, often spread across highly distributed environments.
• Controlling access to ePHI.
  • Encryption protects the data, but robust policy and encryption key management is also required to prevent unauthorized access to or disclosure of PHI: whoever can obtain the key, or read through the decrypting layer, can read the data.
11. Vormetric Data Security
Achieving compliance with ease
• Comprehensive solution for protecting ePHI in any environment
  • Across applications, file types and operating systems
  • Structured and unstructured data, including big data and databases (DB2, Oracle, SQL, Informix, etc.)
  • Private, public and hybrid clouds
• Vormetric Transparent Encryption offers:
  • Strong data security controls, combining encryption with policy-based access controls
  • Separation of duties
  • Auditing capabilities
  • Heterogeneous systems support
  • Management via a centralized policy and key management console
12. Vormetric Data Security for HIPAA/HITECH
• FIPS encryption
• Secure key management
• Meets NIST 800-111
• Proven performance
• Encryption + access control
• Audit
• Separation of duties
• Low TCO
• Rapidly deployable

“Vormetric encrypts in a way to minimize performance overhead. It also offers separation of duties, centralized key management and policy management”
– Noel Yuhanna, Forrester Research
13. Extensible Controls for Compliance
Encryption, access control, and audit logs
• The HIPAA Security Rule makes encryption of ePHI at rest an addressable specification: it should be implemented unless doing so is not “reasonable and appropriate”, in which case the covered entity must document why and implement an equivalent alternative measure.
• With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control and vulnerability scanning to offer a sound baseline of security.
• When doing business with the federal government we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security.
16. Stored Data Protection for HIPAA/HITECH
Data-at-Rest Encryption and Key Management: deployed-in-cloud example
• The encrypted hosts communicate over a secure VPN with the Vormetric Data Security Manager (DSM), delivered as a virtual or hosted physical appliance
• Key management options: DSM as a virtual appliance in the cloud, or a physical appliance hosted by the provider
17. Stored Data Protection for HIPAA/HITECH
Data-at-Rest Encryption and Key Management: deployed-on-premise example
• The encrypted hosts communicate over a secure VPN with the DSM (virtual or physical appliance)
• Key management options: physical appliance on premise, or virtual appliance on premise
18. Access Control for HIPAA/HITECH
Assuring least privileged access
Protected data: the HR ERP directory and the Accounts Payable directory, guarded by Vormetric Transparent Encryption under Access Policy #1:
• User: AccountsPayable
• App: ERP
• Op: Read only
• Time: Any
• Resources: Any
Request: user AccountsPayable, app ERP, read file in the ERP directory, 2PM 11/14/2013. Every attribute matches the policy, so access is permitted.
19. Access Control for HIPAA/HITECH
Assuring least privileged access
Same data and same Access Policy #1. Request: user in SystemAdmin-Group, process cat command, read file in the HR ERP directory, 2PM 11/14/2013. No policy grants this user or process access, so the read is blocked and the attempt is logged, regardless of the administrator’s operating-system privileges.
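The two policy slides above describe a default-deny decision made on user, process, operation, time and resource, with every decision logged. The following is an added illustration of that evaluation, not Vormetric’s engine or any of its code; the policy fields, paths, user and group names and the audit-line format are assumptions chosen to mirror the slides.

```python
# Added example: a minimal default-deny policy evaluator in the style of the
# access-policy slides. Illustration only, not Vormetric's engine; the policy
# fields, paths, user/group names and audit-line format are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    principal: str            # user or group name; "*" matches anyone
    process: str              # executable permitted to touch the data; "*" any
    ops: FrozenSet[str]       # permitted operations, e.g. {"read"}
    resource: str = "*"       # glob over the guarded path
    start: time = time(0, 0)  # permitted time-of-day window ("Time: Any" by default)
    end: time = time(23, 59, 59)


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    process: str
    op: str
    path: str
    at: datetime


AUDIT_LOG: List[str] = []  # in a real deployment this goes to a SIEM, not a list


def _matches(p: Policy, r: Request) -> bool:
    principal_ok = p.principal in ("*", r.user) or p.principal in r.groups
    process_ok = p.process in ("*", r.process)
    window_ok = p.start <= r.at.time() <= p.end
    return (principal_ok and process_ok and r.op in p.ops
            and window_ok and fnmatch(r.path, p.resource))


def evaluate(policies: List[Policy], r: Request) -> Tuple[bool, str]:
    """Default deny: permit only when some policy matches on every attribute.
    OS-level rights (root, sudo) play no part; separation of duties comes from
    the decision being made against the data policy, not the account's UID."""
    for p in policies:
        if _matches(p, r):
            _audit(r, "PERMIT", p.name)
            return True, p.name
    _audit(r, "DENY", "no matching policy")
    return False, "no matching policy"


def _audit(r: Request, decision: str, reason: str) -> None:
    AUDIT_LOG.append(f"{r.at.isoformat()} {decision} user={r.user} "
                     f"process={r.process} op={r.op} path={r.path} reason={reason}")


# Access Policy #1 from the slide: AccountsPayable, via the ERP app, read only,
# any time, any resource under the guarded directory (paths are assumed).
POLICIES = [Policy("AccessPolicy1", principal="AccountsPayable",
                   process="/opt/erp/bin/erpd", ops=frozenset({"read"}),
                   resource="/data/hr-erp/*")]

WHEN = datetime(2013, 11, 14, 14, 0)  # 2PM 11/14/2013, as on the slides
AP_VIA_ERP = Request("apuser", frozenset({"AccountsPayable"}),
                     "/opt/erp/bin/erpd", "read", "/data/hr-erp/payroll.db", WHEN)
AP_WRITE = Request("apuser", frozenset({"AccountsPayable"}),
                   "/opt/erp/bin/erpd", "write", "/data/hr-erp/payroll.db", WHEN)
ADMIN_CAT = Request("root", frozenset({"SystemAdmin-Group"}),
                    "/bin/cat", "read", "/data/hr-erp/payroll.db", WHEN)


def demo() -> dict:
    """Evaluate the three constructed requests; returns the decision per request."""
    return {name: evaluate(POLICIES, r)[0]
            for name, r in (("ap_via_erp", AP_VIA_ERP),
                            ("ap_write", AP_WRITE),
                            ("admin_cat", ADMIN_CAT))}


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

The root user running cat is denied for the same reason a write by AccountsPayable through the ERP application is denied: nothing in the policy set grants that combination, and the evaluator never consults UID or file-mode bits. Both denials land in the audit trail, which is what the next slides build on.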
20. Security Intelligence for HIPAA/HITECH
File access audit trail to demonstrate compliance
Verizon 2013 Data Breach Investigations Report: 66% of breaches took months, or even years, to discover; 69% of breaches were spotted by an external party, and only 9% were spotted by customers.
Log and audit data access, in support of:
• Alarms on abnormal access patterns
• Identifying compromised users, administrators and applications
• Accelerating recognition of APTs and malicious insiders
• Compliance and contractual mandate reporting
23. Vormetric enables you to identify and track unauthorized attempts at protected data.
Example: admin Dirk Snowman impersonated user steve and attempted to read a protected file. Access was denied because he violated a policy.
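Slides 20 and 23 describe what the audit trail is for: surfacing an administrator who switches identity to reach protected data, and alarming on abnormal access patterns. The following is an added example of that detection logic run over a handful of constructed audit lines; it is not Vormetric’s reporting or log format, and the record layout, user names, paths and thresholds are assumptions.

```python
# Added example: detection logic over a file-access audit trail, in the spirit
# of the "security intelligence" slides. Not Vormetric's reporting; the log
# format, user names, paths and thresholds are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<decision>PERMIT|DENY) login=(?P<login>\S+) "
    r"euser=(?P<euser>\S+) process=(?P<process>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)

# Constructed sample: an admin first tries as himself, then switches identity
# (su/sudo) to "steve" and to root to read payroll data that a policy permits
# only to steve through the ERP application. The last line is deliberately malformed.
SAMPLE_LOG = """
2013-11-14T13:58:00 PERMIT login=apuser euser=apuser process=/opt/erp/bin/erpd op=read path=/data/erp/ap/invoices.db
2013-11-14T14:00:00 DENY login=dsnowman euser=dsnowman process=/bin/cat op=read path=/data/erp/hr/payroll.db
2013-11-14T14:00:20 DENY login=dsnowman euser=steve process=/bin/cat op=read path=/data/erp/hr/payroll.db
2013-11-14T14:01:05 DENY login=dsnowman euser=steve process=/usr/bin/less op=read path=/data/erp/hr/payroll.db
2013-11-14T14:03:40 DENY login=dsnowman euser=root process=/bin/cp op=read path=/data/erp/hr/payroll.db
2013-11-14T14:10:00 PERMIT login=steve euser=steve process=/opt/erp/bin/erpd op=read path=/data/erp/hr/payroll.db
this line is not an audit record
""".strip().splitlines()


def parse(lines: List[str]) -> List[dict]:
    """Parse audit lines; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def find_impersonation(events: List[dict]) -> List[dict]:
    """Accesses where the effective user differs from the login user, i.e. someone
    switched identity to reach data that a policy grants only to that user."""
    return [e for e in events if e["login"] != e["euser"]]


def find_repeated_denials(events: List[dict], threshold: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Login users with >= threshold DENY events inside any sliding window.
    Returns the peak in-window count per offending user."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["decision"] == "DENY":
            by_user[e["login"]].append(e["ts"])
    alerts: Dict[str, int] = {}
    for user, stamps in by_user.items():
        stamps.sort()
        peak, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def report(lines: List[str]) -> Dict[str, object]:
    """Summarise one batch of audit lines: volume, identity switches, repeat offenders."""
    events = parse(lines)
    return {
        "events": len(events),
        "impersonation": [(e["login"], e["euser"], e["path"])
                          for e in find_impersonation(events)],
        "repeated_denials": find_repeated_denials(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things matter for the detection rather than the policy: the log must carry both the login identity and the effective identity, otherwise the su to steve is indistinguishable from steve himself, and denials are counted against the login user so that identity switching does not reset the counter.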
24. End to End Big Data Security and Compliance
Data sources feeding the big data platform, and the encryption drawn at each tier:
• Structured data (database, data warehouse, ERP, CRM) and unstructured data (audio/video, Excel/CSV, social media, logs): Vormetric Transparent Encryption or Vormetric Application Encryption
• Big data platform holding financial data, healthcare data, credit cards, logs and PII, together with its own error logs, disk cache, configuration and system logs: Vormetric Transparent Encryption
• Analytics outputs (reports, dashboards, what-if queries): Vormetric Transparent Encryption or Vormetric Application Encryption
25. The Last Thing You Want To Hear… Doctor, is my data safe?
“Guidance provided in the HIPAA FAQ, published by HHS, makes it clear that encryption is essentially mandatory. How? Because it would be difficult to determine that it’s not a ‘reasonable and appropriate’ control based on an assessment of risk regarding protecting the confidentiality of ePHI. Also, because of what encryption does to data, finding a reasonable and appropriate ‘equivalent alternative measure’ is essentially impossible.”
– Healthcare IT News
27. Implement with Confidence
“It’s very apparent that Vormetric is major steps in front of the competition.”
– Sabastian High, senior manager for Product Development Standards and Innovation, McKesson, Inc.
“My concern with encryption was the overhead on user and application performance. With Vormetric, people have no idea it’s even running.”
– Karl Mudra, CIO, Delta Dental of Missouri
If the frequency of attacks doesn’t push you to make security a top priority, take a look at what it could cost if you are subjected to a data breach.
As revealed in the 2014 Ponemon Institute Cost of Data Breach Study, the total average organizational cost of a data breach for U.S. companies is $5.85 million (up 15% from 2013), made up of:
• $417,000 in detection costs (including forensic and investigative activities and crisis team management)
• $509,237 in breach notification costs
• $1,599,996 in post-breach remediation costs (including help desk activities, product discounts, identity theft protection services, and dealing with regulators)
• $3,324,959 in lost business costs (including reputational injury, diminished goodwill, and loss of business)
It is important to note that Ponemon’s survey is limited to data breaches affecting fewer than 100,000 records, so these figures can be dramatically higher for large data breaches. The study doesn’t include the stories we have all heard involving Home Depot, Sony, Staples, etc., and the average costs are still that high. Target’s breach around the 2013 holiday season incurred $88 million in costs and affected more than 100 million customer records, including stolen credit and debit card information.
The average cost per record also varies by industry. Heavily regulated industries such as healthcare, education, pharmaceuticals and financial services had a per capita data breach cost substantially above the overall mean of $145. Public sector organizations and retail companies had a per capita cost well below the overall mean.
The average number of records breached in the US is just under 30,000, while the average per capita cost of a breach is $201, up from $188 in 2013.
To put that into perspective, a healthcare company with the average number of records would face costs of roughly $10.7M; a company in the finance industry with that number of records would pay over $6M.
So costs vary widely with industry, company size, amount of data and other factors. Now let’s look at what you can do to reduce these costs in the unfortunate event of a data breach.