SlideShare ist ein Scribd-Unternehmen logo

Assuring regulatory compliance, ePHI protection, and secure healthcare delivery

Trend Micro
Trend Micro
1 von 12
Downloaden Sie, um offline zu lesen
Trend Micro Enterprise Security For the Healthcare Industry A Trend Micro White Paper Assuring regulatory compliance, ePHI protection, and secure healthcare delivery July 2010
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY I. HEALTHCARE REQUIREMENTS AND TREND MICRO ENTERPRISE SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems, increasing security regulations, and greater compliance scrutiny and punitive actions. While EHR systems will ultimately lead to more efficient and effective patient care, they also increase the criminal appeal of attack and an institution’s vulnerability to large-scale ePHI breach. Moreover, increased reliance on IT and EHR systems for mission-critical operations means that any attack or infiltration has the potential to be catastrophic. Compliance with security regulations will guide providers of all types to mitigate their risk, but maximizing protection of these complex operations requires a broader strategy. Trend Micro Enterprise Security provides unique and cost-effective solutions that ensure compliance, maximize protection, and enable your strategic business and IT initiatives. With Trend Micro you can: Comply with HIPAA, HITECH, and PCI regulations Maximize ePHI protection and your reputation Confidently implement EHR modernization Adopt virtualization and cloud computing strategies Consolidate and simplify your security infrastructure Trend Micro Enterprise Security Vulnerability US Healthcare Regulation Endpoint Web Messaging Data and Threat Security Security Security Protection Management HITECH Act Breach notification for unsecured ePHI Encryption (“safe harbor” from breach notification) Extend HIPAA requirements to business associates HIPAA (Health Insurance Portability and Accountability Act) Protection of ePHI confidentiality, availability, and integrity Minimize data collection and use Transmission security Integrity Access control and authentication Device and media controls Security awareness, training, incident procedures Security management process Protection from malicious software PCI DSS (Payment Card Industry Data Security Standard) PCI compliance (see appendix) Trend Micro Solutions for HIPAA, HITECH, and PCI Requirements 1 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY II. THE HEALTHCARE COMPLIANCE LANDSCAPE Patient data privacy and security regulations along with compliance Regulatory Compliance Applies to: enforcement have evolved for over a decade, but new, more stringent Covered entities including health guidelines, mandates for electronic record modernization, and government plans, health care clearinghouses, and health care providers funding are compelling the industry to make significant investments in Business associates of modernizing and securing their operations. these entities. THE HIPAA RULES – PROTECT ePHI The Health Insurance Portability and Accountability Act (HIPAA) of 1996 states that “covered entities” are required to employ safeguards that “ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI)”i under their controlii. However, the industry has struggled with the choice of specific technologies solutions in the absence of implementation guidelines. Penalties for non- compliance or actual ePHI breach have been minimal as compared with other regulations (e.g., PCI), causing many organizations to delay or insufficiently secure ePHI systems. ELECTRONIC MEDICAL/HEALTH RECORDS (EMR/EHR) – MORE REWARD, MORE RISK A 2004 presidential mandate called for all health records to be electronic by 2014, in hopes of driving improved efficiency and lower costs in healthcare delivery and information management. However resistance to EHR modernization has been considerable due in part to costs, practitioner resistance to change, and the heighted security risks of large-scale breach of digital records. NIST 800-66 – IMPLEMENTATION GUIDELINES FOR HIPAA SECURITY RULE More recently in 2008, the National Institutes of Standards and Technology (NIST) authored “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”, as a framework for federal agencies to achieve HIPAA compliance. Though NIST guidelines do not claim to supersede HIPAA Security or other related rules, the HHS interim final regulations specifically call out NIST and its various publications as trusted resources for technology implementation guidance in key areas such as encryption. As a result, many non-government agencies can also benefit from the technical specifications highlighted in this guide. HITECH ACT OF 2009 – THE NECESSARY INCENTIVES Title XIII of the American Recovery and Reinvestment Act of 2009 is also HITECH Act Highlights known as the Health Information Technology for Economic and Clinical EHR Funding Health Act (HITECH Act). The HITECH Act further reinforces the 2014 EHR Business Partner Compliance mandate and provides the necessary incentives to accelerate EHR adoption Risk assessments and clarify key HIPAA security requirements. Breach notification Safe harbor through encryption Funding: Most significant in the Act is actual funding support for EHR conversion via ARRA funds. While specific amounts and qualification criteria continue to be determined, there is clear government support for migration to EHR, including the implementation of appropriate security systems. 2 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Risk Assessments: Risk Assessments can be used in both proactive and reactive ways. The Act specifically identifies risk assessments as necessary in determining, after the fact, whether an incident is indeed a breach of unsecured ePHI and whether even the leak of a subset of an individual’s ePHI could be used to identify the individual. These nuances point to the need for visibility into data and some level of forensics to determine the nature and extent of potential data breaches. Breach Notification Requirements: The HITECH Actiii address the topic of breach notification of unsecured ePHI,iv or ePHI that is ‘not secured through technology or methodology’ for covered entities and for the first time, business associates. Not only do the disclosure requirements subject the organization to public scrutiny on the data breach, but also the costs associated with notifying affected individuals can be significant. Any breach of unsecured ePHI must be disclosed and acted upon as follows: Covered Entity: Notification to affected individuals and Secretary of HHS Business Associates: Notification to affected Covered Entities Secretary of HHS: Post on HHS website if >500 individuals are affected “Safe Harbor” Through Encryption: The Act defines ‘secured’ ePHI as data that is either encrypted or destroyed. It goes further to state that if secured ePHI is involved in a data breach, notification requirements do not apply. This is a significant directive, specifically prescribing encryption as both a preferred means to enforce confidentiality and as a relief from breach notification requirements. The Act also highlights NIST guidelinesv on end user device encryption as a resource for implementation strategy. The ultimate benefit of these specifications to the healthcare organization is specific guidance on how best to protect both patient privacy and the institution’s reputation. STATE PRIVACY LAWSvi Although the HITECH Act asserts precedence over state laws, it also acknowledges the importance of alignment with state laws by specifyingvii a ‘harm’ threshold’, which would notify the affected individual if a specific level of breach has occurred. The ultimate benefit of this consistency is simpler implementation of security controls and fewer notifications. Some laws have extended requirements to encryption of confidential data, bringing Federal and State laws closer and simplifying compliance efforts. PCI ENFORCEMENT LOOMS Healthcare institutions that accept credit card payments are obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS) viii. Health insurance premiums, medical services, and even retail shops located on hospital premises are examples of scenarios where the security of cardholder data is required. PCI enforcement continues to increase and healthcare institutions are well advised to design and implement a security framework that addresses both HIPAA and PCI DSS. 3 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY III. HEALTHCARE SECURITY & COMPLIANCE CHALLENGES Maintaining regulatory compliance and maximizing security is especially demanding in today’s evolving healthcare industry. Trend Micro understands the challenges and offers solutions that enable you to confidently secure the business and IT initiatives that support your strategic business goals. PROTECT ePHI – AND YOUR REPUTATION While perimeter and content security provide important safeguards, HIPAA and HITECH make it clear that encryption is the only way to ensure the ultimate protection of ePHI and avoid costly disclosures. Effective encryption deployment also requires a data loss prevention (DLP) solution to discover where ePHI is stored and ensure its encryption when transmitted. However, conventional encryption and DLP solutions suffer from major drawbacks that impede their success and widespread adoption by employees: PKI-based email encryption is burdensome and complex to administer and use Endpoint DLP solutions typically have a negative performance and usability impact Trend Micro secures sensitive data with endpoint DLP, email encryption and content filtering solutions that emphasize both security and ease-of-use. Identity-based, universal-reach encryption will ensure adoption of secure data policies across your entire medical ecosystem. SECURE LAPTOPS, PDAS, AND SMART PHONES Mobile laptops, PDAs, and other devices are quickly becoming mainstays of EHR-based care systems and essential to the daily tasks of nurses, physicians and other healthcare professionals. These devices are at extreme risk for attack and ePHI loss, but cannot be adequately protected by network-based solutions. Trend Micro OfficeScan and the Smart Protection Network keep wireless, mobile, and fixed devices of all kinds protected from malware both on and off network. Trend Micro Data Encryption and DLP solutions continuously protect endpoint data while allowing secure communication from any location. PROTECT HEALTHCARE WEBSITES AND PORTALS EHR promises efficient patient and partner data access, however websites have proven to be extremely vulnerable to attack and hijacking, using SQL injection and other techniques. Inadequate website security puts your reputation at risk by exposing patients, their data, and entire databases to attack. Trend Micro Deep Security and Vulnerability Management Services secure patient/partner communication by protecting websites and portals from infection, day-zero threats, and the vulnerabilities introduced by ever-changing web content. SECURE CRITICAL MEDICAL DEVICES Medical devices for patient evaluation and diagnosis are increasingly network-connected and run on general-purpose operating systems such as Microsoft Windows. While greatly improving patient care, these devices are now at risk for compromise and failure due to malware infections or external hacks. Trend Micro Deep Security and OfficeScan minimize the risk of compromise on medical device systems that run on general-purpose operating systems. And for networked devices that cannot be directly secured, Trend Micro Threat Management Services identifies compromises and aids in remediation. 4 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY CONFIDENTLY IMPLEMENT EHR/EMR INITIATIVES Implementing an EHR system provides a strategic opportunity to improve care while fostering loyalty in a wide network of independent physicians and practices. Securely operating this extended infrastructure requires a security partner capable of protecting operations from hospital floor to cloud-based data centers. Trend Micro Enterprise Security provides comprehensive content and data security for the entire provider ecosystem—across physical, virtual and cloud-based environments. With Trend Micro you can confidently go digital and adopt the latest workplace and technology innovations to support your business initiatives. ADOPT VIRTUALIZATION & CLOUD COMPUTING EHR modernization and “green IT” practices are driving the healthcare industry to adopt server virtualization to enable cost efficient and flexible datacenters and to pave a path toward integrated cloud computing. And desktop virtualization promises new economies and tighter security and policy control. But the complexity and fluidity of virtual environments pose special challenges, rendering traditional IPS, firewall, and antivirus protection insufficient to prevent attacks on virtual servers that process or host ePHI/PCI data. Trend Micro Deep Security provides advanced software-based security that protects physical, virtual, and cloud-based servers with agentless anti-malware, integrated IPS, firewall, integrity monitoring, and more. Along with supplemental malware protection from Trend Micro Core Protection for Virtual Machines, Trend Micro provides a comprehensive software solution for securing complex virtual and cloud environments. CONSOLIDATE AND SIMPLIFY SECURITY INFRASTRUCTURE Over the years, healthcare and benefits providers have built a patchwork of security products in an effort to deal with evolving threats and regulations. The government’s EHR mandate and funding efforts along with the clarity of the HITECH act provide the opportunity for institutions to build a consolidated and simplified security infrastructure in conjunction with their IT new modernization initiatives. Trend Micro solutions are designed to provide comprehensive and consolidated content and security that minimizes the number of products and vendors you must deploy. And with Trend Micro Endpoint Security Platform, you can manage both security and systems using a single integrated application. AUTOMATE IT RISK MANAGEMENT PROCEDURES While the HITECH Act identifies risk assessment as a reactive measure to identify the nature of a breach, most IT organizations recognize the need to proactively avoid data breaches and hacks. Both for corporate governance and HIPAA compliance, organizations should employ risk management practices to identify and assess the vulnerability of critical assets, evaluate infiltrations, and apply additional preventative measures. Trend Micro Vulnerability Management and Threat Management Services support Healthcare IT Risk Management by utilizing cutting-edge analysis of malware behavior and advanced threat correlation to uncover, contain and remediate network infiltrations undetected by perimeter and content security. Going further, Threat Management Services provide root-cause analysis and consultative planning to strengthen your security posture. 5 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY IV. TREND MICRO ENTERPRISE SECURITY Trend Micro Enterprise Security is a tightly integrated offering of content and data security solutions and services, powered by the Trend Micro Smart Protection Network™. Together they deliver maximum protection from emerging threats while minimizing the cost and complexity of security management. Trend Micro enables you to go beyond addressing fundamental HIPAA and HITECH compliance with practical solutions that truly safeguard your critical operations and infrastructure and enable your strategic business and IT initiatives. Trend Micro Enterprise Security Solutions Description Smart Protection Network Trend Micro Enterprise Security products and services are powered by Smart Trend Micro Smart Protection Protection Network—a next-generation cloud-client infrastructure that combines Network sophisticated cloud-based technology, feedback loops, and the expertise of TrendLabs researchers to deliver real-time protection from emerging threats. Data Protection Provides data loss prevention with extremely accurate and effective detection and protection of sensitive data on the endpoint. Sophisticated fingerprinting, Trend Micro Data Loss statistical algorithms and small footprint ensure high scalability, while HIPAA and Prevention PCI templates and reports simplify tracking and protection of ePHI and cardholder data. Advanced identity-based encryption allows universal reach without pre- registration. Unlike conventional PKI encryption, Trend Micro email encryption uses cloud-based key management to generate keys on demand without the Trend Micro Email Encryption need for certificates and per pair pre-registration. End-user encryption as well as policy-based, automated gateway encryption ensure that all sensitive data is protected and your communications are compliant. Messaging Security Smart Protection Network provides antispam, anti-phishing and anti-malware Trend Micro InterScan protection as well as outbound content filtering and automated encryption for Messaging Security enterprise email. Multiple deployment modes include virtual appliance. Trend Micro Communication Provides dedicated anti-malware protection for Microsoft Exchange, Office & Collaboration Security Communication Server (IM), SharePoint and Lotus Domino. Endpoint Security Trend Micro OfficeScan Provides superior defense against threats—both on and off the corporate network—combining top rated anti-malware with innovative in-the-cloud protection from the Smart Protection Network. File Reputation moves the burden of signature management into the cloud, freeing endpoint resources. Web Reputation protects endpoints by blocking access to malicious sites. OfficeScan offers a single compliance solution to protect desktops, virtual desktops, laptops, servers, storage appliances, PDA devices and more. 6 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Provides software-based comprehensive security and compliance for critical business servers operating in standalone, virtual, and cloud-based Trend Micro Deep Security environments. Key protection capabilities include: deep packet inspection (enabling IDS/IPS, network application control, and web application protection), firewall, integrity monitoring, and log inspection. . Trend Micro Core Protection Provides automated anti-malware protection designed specifically to meet the for Virtual Machines unique needs of the virtual environment. Features include: active and dormant VM protection, vCenter management integration and a performance-optimized architecture. Messaging Security Provides Smart Protection Network-based anti-spam, anti-phishing and anti- Trend Micro InterScan malware protection as well as outbound content filtering and automated Messaging Security encryption for enterprise email. Available in a variety of deployment models including virtual appliance. Trend Micro Communication Provides dedicated anti-malware protection for Microsoft Exchange, Office & Collaboration Security Communication Server (IM), SharePoint and Lotus Domino. Web Security Provides immediate protection against web threats by integrating multiple layers of protection at the internet gateway. It combines anti-malware and antispyware Trend Micro InterScan Web with Smart Protection Network Web Reputation and URL filtering to detect and Security block threatening web site access based on reputation and company policy. Advanced reporting capabilities provide detailed monitoring and analysis of employee activity. Trend Micro OfficeScan, Together these products enable secure and compliant website operations and Deep Security and web-based communication and collaboration by protecting websites and portals Vulnerability Management from malware infection, day-zero and targeted threats and the exploitation of Services vulnerabilities introduced by web applications and ever-changing site content. Risk Management Trend Micro Vulnerability Delivers total control over software and system vulnerabilities, web content Management Services vulnerabilities, and IT policy compliance Manages breach risk with unique services to discover targeted and zero-day infiltrations that perimeter and content security has failed to detect. Powered by Trend Micro Threat the Smart Protection Network, it features cutting-edge analysis of malware Management Services behavior, advanced threat correlation and consultative planning services to ensure compliance and maximize ePHI protection. Central Management Provides a unified platform for managing security and systems compliance Trend Micro Endpoint across all clients and servers regardless of location or network connectivity. Key Protection Platform components under management include Core Endpoint Security and Web Protection, Data Loss Prevention, Patch Management and Power Management Provides centralized management of many Trend Micro products, simplifying Trend Micro Control Manager configuration and updates and coordinating threat reports and analysis. 7 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY V. HEALTHCARE REGULATION COMPLIANCE WITH TREND MICRO ENTERPRISE SECURITY SOLUTIONS Please see Section 4 for a detailed overview of Trend Micro Enterprise Security products highlighted below. Healthcare Regulation Trend Micro Solutions and Mapping Justification HI TECH Act of 2009—Breach Notification for Unsecured Protected Health Information HITECH § 13402 Trend Micro Enterprise Security Solutions for Endpoint, Messaging, Web, Notification in Case of Breach and Data provide essential functionality to meet ePHI breach notification requirements through security monitoring, threat prevention, and data encryption. HITECH § 13404 Application of Privacy Provisions Monitoring and Penalties to Business Associates of Covered Entities Monitor files on servers known to contain ePHI for tampering, copying or removal with Trend Micro Deep Security. HITECH § 13407 Temporary Breach Notification Routinely discover where ePHI is stored with Trend Micro DLP– to identify Requirement for Vendors of which systems need to be secured and also to determine the possible sources Personal Health Records and of a breach should it occur. Other Non-HIPAA Covered Entities Monitor systems – on-site, remote, or off-line for unauthorized copy of ePHI to external devices or transmission via common applications such as Web, email, 45 CFR parts 160 and 164 and instant messaging with Trend Micro DLP. (Interim Rule) Issued following updates to HIPAA: Monitor end-user systems for access to malicious websites or email suspected of hosting data-stealing malware with Trend Micro OfficeScan and InterScan HIPAA Subpart D Notification in the Case of Web and Messaging Security. Breach of Unsecured Protected Monitor email traffic for ePHI leaks and block inbound spam containing Health Information data-stealing malware with Trend Micro InterScan Messaging Security. HIPAA §164.404 Monitor network traffic for evidence of active malware infections that have Notification to Individuals infiltrated the network with Trend Micro Threat Management Services. (Description of type of unsecured ePHI involved in the Prevention breach) Prevent end users—whether on-site, remote, or off-line—from copying or transmitting ePHI to external devices or unauthorized locations with Trend Micro DLP Prevent sending of emails to outside entities if they contain unencrypted ePHI in the message or attachments with InterScan Messaging Security. Prevent end-user systems from access to malicious websites or email suspected of hosting data-stealing malware with Trend Micro OfficeScan and InterScan Web and Messaging Security. Encryption (see Safe Harbor section below) HI TECH Act of 2009—“Safe Harbor” or exemption from breach notification if PHI is secured using encryption 45 CFR parts 160 and 164 Trend Micro offers encryption solutions which enable covered entities to protect (Interim Rule) (Encryption and ePHI and forego breach notification requirements: destruction for rendering ePHI unusable, unreadable, or Enforce automated encryption of email messages and attachments containing undecipherable to unauthorized unsecured ePHI with Trend Micro Email Encryption. individuals.) Cloud-based key management safeguards keys and generates keys on 45 CFR parts 160 and 164 demand without the need for certificates and per pair pre-registration for all (Interim Rule) (Keep encryption Trend Micro Encryption Solutions. keys on a separate device from the data that they encrypt or decrypt) HIPAA §164.304 Definitions (Encryption) 8 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Healthcare Regulation Trend Micro Solutions and Mapping Justification HIPAA Security Rules—A subset of the HIPAA rules, covering technical safeguards for PHI data. § 164.306(a)(1) When implemented using the recommended risk assessment and best practices (Protect ePHI: Facilities must from the NIST “Introductory Guide to Implementing the HIPAA Security Rule” protect the confidentiality, (recommended in the Interim Rule), Trend Micro Enterprise Security Solutions availability, and integrity of all ePHI created, received, for Endpoint, Messaging, Web and Data help address confidentiality, availability, maintained, and transmitted.) and integrity of ePHI. § 164.308 (a)(1) Security IT risk management involves inventory of all assets and related vulnerabilities, Management Process threats, likelihood threats, and countermeasures. Trend Micro Enterprise (Includes required risk analysis Security Solutions can help in key areas of the risk management process: and risk management) Discover all enterprise systems which store ePHI data – or assets – with Trend Micro DLP. Scan internal and externally facing systems for vulnerabilities and IT policy compliance with Trend Micro Vulnerability Management Services. Scan external facing healthcare websites and portals with Trend Micro Vulnerability Management Servicesto identify vulnerabilities that could be exploited to gain access to ePHI data. Monitor end-user systems for access to malicious websites or email suspected of hosting data-stealing malware with Trend Micro OfficeScan, InterScan Web Security, and InterScan Messaging Security. Detect and remediate active malware infections using Trend Micro Threat Management Services. Provides network risk assessment audit logging and offers advanced reporting and audit trail to demonstrate infection-free environment. § 164.308 (a)(5)(i) Use Trend Micro Threat Management Services to detect and remediate (Security awareness and active malware infections as well as implement a security strategy and training training) plan that continually improves security posture. § 164.308 (a)(6) Notify users of unauthorized use of ePHI while they are attempting the action (Policies and procedures to using Trend Micro DLP. Display a popup window with the appropriate ePHI address security incidents) protection guidance. § 164.308 (a)(5)(ii)(B) Monitor and block malicious software from infiltrating end user systems, critical (Protection from malicious servers, and block malicious email and Web exposure with Trend Micro software. Procedures for Endpoint, Messaging, and Web Security solutions guarding against, detecting, and reporting malicious software) § 164.308(b)(1) Trend Micro Enterprise Security solutions can be implemented by business (Business associate will associates to secure their operations and protect ePHI. Minimally, Trend Micro appropriately safeguard Email Encryption can provide secure communications between covered information) entities and their business associates. § 164.310(d)(1) Device and Maintain a current inventory of ePHI on the network with discovery scanning Media Controls using Trend Micro DLP. IT change management can include review of (Policies and procedures that discovery reports in order to properly handle systems storing ePHI. govern the receipt , removal and movement of hardware and electronic media containing ePHI) 9 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Control access to servers or applications using Trend Micro Deep Security, which enables communications to be restricted or allowed based on MAC and IP addresses. § 164.312(a)(1) Access Control (Allow access only to those Role-based access controls (RBAC) and delegated administration using Trend persons or software programs Micro Deep Security to support separation of administrative duties with that have been granted access respect to creating, deploying, and auditing security policy and events that rights) violate the policies. Perform regular discovery of ePHI systems with Trend Micro DLP to determine where access controls must be in place. Healthcare Regulation Trend Micro Solutions and Mapping Justification § 164.312(c)(1) Integrity Monitor the integrity of files containing ePHI data with Trend Micro Deep (Protect ePHI from improper Security, alerting any modification or deletion. alteration or destruction) § 164.312(e)(1) Transmission  Secure emails between employees and external recipients with Trend Micro Security  Email Encryption. (Guard against unauthorized access  to transmitted ePHI)  § 164.514(d) Discover duplicated and unsecured ePHI on laptops, desktops, file servers and (Collect and use the minimum databases on a regular basis with Trend Micro DLP. data necessary) NIST Guidelines— Examples of NIST guidelines intended to help federal government institutions secure ePHI. NIST Publication 800-66 Trend Micro OfficeScan, Deep Security, InterScan Message Security, and (For implementing HIPAA InterScan Web Security directly address these requirements. Security Rules) “Use a combination of security software, Trend Micro Threat Management Services provides antivirus detection for such as antivirus…, personal devices and systems that cannot directly host antivirus security software, e.g., firewalls, spam and Web content MRI scanners, bedside monitors, and legacy devices and systems. filtering,… to stop most attacks, particularly malware;” NIST Publication 800-66: 4.13. Maintain a current inventory of ePHI on the network with discovery scanning Device and Media Controls (§ using Trend Micro DLP. IT change management can include review of 164.310(d)(1)) (What data is discovery reports in order to properly handle systems storing ePHI. maintained by the organization and where?...) NIST Publication 800-66: 4.14. Perform regular discovery of ePHI data on enterprise systems with Trend Access Control §164.312(a)(1)) Micro DLP to determine where access controls must be in place. (Have all applications/systems with ePHI been identified?, Where is ePHI …currently housed?) Payment Card Industry Data Security Standard (PCI DSS)—Compliance Requirements Twelve categories of controls to Trend Micro Enterprise Security Solutions address most PCI requirements. protect cardholder data Please see white paper, ”Trend Micro Solutions for PCI DSS Compliance” For more information please call or visit us at. www.trendmicro.com/go/enterprise +1-877-21-TREND 10 White Paper | Solutions for the Healthcare Industry
TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY VI. FOOTNOTES i HIPAA security requirements detailed in “Title 45 – Public Welfare Subtitle A – Department of Health and Human Services Part 164 – Security and Privacy”, http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html ii Department of Health and Human Services, “Health Insurance Reform: Security Standards; Final Rule.” Federal Register, vol. 68, no. 34 (Feb. 20, 2003), pg. 8341. (http://www.cms.hhs.gov/securitystandard/downloads/securityfinalrule.pdf) iii “Department of Health and Human Services | 45 CFR parts 160 and 164 | Breach Notification for Unsecured Protected Health Information; Interim Final Rule”, August 24, 2009 http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf iv “Department of Health and Human Services | 45 CFR parts 160 and 164 | Breach Notification for Unsecured Protected Health Information; Interim Final Rule”, http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf v NIST Special Publication 800–111, “Guide to Storage Encryption Technologies for End User Devices”, November 2007, http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf vi Refer to Section 5 for more details on healthcare regulations/requirements mappings vii “Department of Health and Human Services | 45 CFR parts 160 and 164 | Breach Notification for Unsecured Protected Health Information; Interim Final Rule”, page 6, http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf viii For more information, refer to the white paper, “Trend Micro Solutions for PCI DSS Compliance – Addressing PCI DSS Requirements with Trend Micro Enterprise Security.” © 2010 Trend Micro, Incorporated. All rights reserved. Trend Micro, InterScan, OfficeScan, PortalProtect, ScanMail,Smart Protection Network and the t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. WP01_PCI-TMES_090903 11 White Paper | Solutions for the Healthcare Industry

Empfohlen

HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
Redspin, Inc.
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry Regulations
Nicholas Davis
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
MedSafe
 
Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containers
Abhishek Sood
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
wardell henley
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin, Inc.
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
EMC
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 

Empfohlen

HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
Redspin, Inc.
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry Regulations
Nicholas Davis
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
MedSafe
 
Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containers
Abhishek Sood
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
wardell henley
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin, Inc.
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
EMC
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
resourceone
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
jhietala
 
Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines
Aegify Inc.
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
Prince George
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
JNicholson
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-Wong
Lorianne Sainsbury-Wong
 
Jelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with AxcientJelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with Axcient
Erin Olson
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
gppcpa
 
Hipaa Compliance
Hipaa Compliance Hipaa Compliance
Hipaa Compliance
DeterminedSkin124
 
2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance 2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance
Raffa Learning Community
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
Raffa Learning Community
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
OnRamp
 
Iso 27001 whitepaper
Iso 27001 whitepaperIso 27001 whitepaper
Iso 27001 whitepaper
Syzygal
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloud
RightScale
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
supportc2go
 
The HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemThe HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your Problem
SecurityMetrics
 
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...
Ben Rothke
 
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoIoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
Glen Koskela
 
Ecfirstbiz
EcfirstbizEcfirstbiz
Ecfirstbiz
shailu devi
 
Performance routing cg_book
Performance routing cg_bookPerformance routing cg_book
Performance routing cg_book
ignarito
 
5 steps to healthy data
5 steps to healthy data5 steps to healthy data
5 steps to healthy data
Keith Braswell
 
My sister’s typycal day pilar peñalver
My sister’s typycal day pilar peñalverMy sister’s typycal day pilar peñalver
My sister’s typycal day pilar peñalver
IES Cristo del Rosario
 

Weitere ähnliche Inhalte

Was ist angesagt?

2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance 2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance
Raffa Learning Community
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
Raffa Learning Community
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloud
RightScale
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
supportc2go
 

Was ist angesagt? (19)

You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
 
Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-Wong
 
Jelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with AxcientJelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with Axcient
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
Hipaa Compliance
Hipaa Compliance Hipaa Compliance
Hipaa Compliance
 
2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance 2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
 
Iso 27001 whitepaper
Iso 27001 whitepaperIso 27001 whitepaper
Iso 27001 whitepaper
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloud
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
 
The HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemThe HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your Problem
 
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health I...
 
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoIoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
 
Ecfirstbiz
EcfirstbizEcfirstbiz
Ecfirstbiz
 

Andere mochten auch

Performance routing cg_book
Performance routing cg_bookPerformance routing cg_book
Performance routing cg_book
ignarito
 
5 steps to healthy data
5 steps to healthy data5 steps to healthy data
5 steps to healthy data
Keith Braswell
 
My sister’s typycal day pilar peñalver
My sister’s typycal day pilar peñalverMy sister’s typycal day pilar peñalver
My sister’s typycal day pilar peñalver
IES Cristo del Rosario
 
Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...
Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...
Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...
REVIE Inteligencia Empresarial
 
Plan de acción de crecimiento y empleo (los Cabos)
Plan de acción de crecimiento y empleo (los Cabos)Plan de acción de crecimiento y empleo (los Cabos)
Plan de acción de crecimiento y empleo (los Cabos)
ManfredNolte
 

Andere mochten auch (7)

Performance routing cg_book
Performance routing cg_bookPerformance routing cg_book
Performance routing cg_book
 
5 steps to healthy data
5 steps to healthy data5 steps to healthy data
5 steps to healthy data
 
My sister’s typycal day pilar peñalver
My sister’s typycal day pilar peñalverMy sister’s typycal day pilar peñalver
My sister’s typycal day pilar peñalver
 
Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...
Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...
Artigo: Cenários – diferencial estratégico em Inteligência Empresarial - Dani...
 
Contracorrente3
Contracorrente3Contracorrente3
Contracorrente3
 
Plan de acción de crecimiento y empleo (los Cabos)
Plan de acción de crecimiento y empleo (los Cabos)Plan de acción de crecimiento y empleo (los Cabos)
Plan de acción de crecimiento y empleo (los Cabos)
 
Mesa 3.-IFAI
Mesa 3.-IFAIMesa 3.-IFAI
Mesa 3.-IFAI
 

Ähnlich wie Assuring regulatory compliance, ePHI protection, and secure healthcare delivery

Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
Sarah Kim
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
mohammedfootwear
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
MBMeHealthCareSolutions
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Cheryl Goldberg
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Cheryl Goldberg
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
Rapid7
 
Safeguarding_Innovations
Safeguarding_InnovationsSafeguarding_Innovations
Safeguarding_Innovations
PJ Fitzpatrick
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
wlynn1
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
data brackets
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
arjunenterprises1978
 

Ähnlich wie Assuring regulatory compliance, ePHI protection, and secure healthcare delivery (20)

Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
 
HIPAA Compliance in 2023
HIPAA Compliance in 2023HIPAA Compliance in 2023
HIPAA Compliance in 2023
 
Data and Network Security: What You Need to Know
Data and Network Security: What You Need to KnowData and Network Security: What You Need to Know
Data and Network Security: What You Need to Know
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
SpeakBio
SpeakBioSpeakBio
SpeakBio
 
HIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptx
HIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptxHIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptx
HIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptx
 
HIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptx
HIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptxHIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptx
HIPAA and Data Breaches_ Mitigating Risks and Ensuring Security - JK Tech.pptx
 
Safeguarding_Innovations
Safeguarding_InnovationsSafeguarding_Innovations
Safeguarding_Innovations
 
HIPAA-Compliant Healthcare App.pdf
HIPAA-Compliant Healthcare App.pdfHIPAA-Compliant Healthcare App.pdf
HIPAA-Compliant Healthcare App.pdf
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
 
Cloud compliance test
Cloud compliance testCloud compliance test
Cloud compliance test
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
 

Mehr von Trend Micro

Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Trend Micro
 
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Trend Micro
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWS
Trend Micro
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
Trend Micro
 
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
Trend Micro
 
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking SystemsCaptain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
Trend Micro
 
Who owns security in the cloud
Who owns security in the cloudWho owns security in the cloud
Who owns security in the cloud
Trend Micro
 
Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryption
Trend Micro
 

Mehr von Trend Micro (20)

Industrial Remote Controllers Safety, Security, Vulnerabilities
Industrial Remote Controllers Safety, Security, VulnerabilitiesIndustrial Remote Controllers Safety, Security, Vulnerabilities
Industrial Remote Controllers Safety, Security, Vulnerabilities
 
Investigating Web Defacement Campaigns at Large
Investigating Web Defacement Campaigns at LargeInvestigating Web Defacement Campaigns at Large
Investigating Web Defacement Campaigns at Large
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
 
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
Automated Security for the Real-time Enterprise with VMware NSX and Trend Mic...
 
Skip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWSSkip the Security Slow Lane with VMware Cloud on AWS
Skip the Security Slow Lane with VMware Cloud on AWS
 
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.
Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.
 
Mobile Telephony Threats in Asia
Mobile Telephony Threats in AsiaMobile Telephony Threats in Asia
Mobile Telephony Threats in Asia
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
 
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
 
HBR APT framework
HBR APT frameworkHBR APT framework
HBR APT framework
 
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking SystemsCaptain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
The Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksThe Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted Attacks
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012
 
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
 
Who owns security in the cloud
Who owns security in the cloudWho owns security in the cloud
Who owns security in the cloud
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesEncryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
 
Threat predictions 2011
Threat predictions 2011 Threat predictions 2011
Threat predictions 2011
 
Trend micro deep security
Trend micro deep securityTrend micro deep security
Trend micro deep security
 
Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryption
 

Assuring regulatory compliance, ePHI protection, and secure healthcare delivery

  • 1. Trend Micro Enterprise Security For the Healthcare Industry A Trend Micro White Paper Assuring regulatory compliance, ePHI protection, and secure healthcare delivery July 2010
  • 2. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY I. HEALTHCARE REQUIREMENTS AND TREND MICRO ENTERPRISE SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems, increasing security regulations, and greater compliance scrutiny and punitive actions. While EHR systems will ultimately lead to more efficient and effective patient care, they also increase the criminal appeal of attack and an institution’s vulnerability to large-scale ePHI breach. Moreover, increased reliance on IT and EHR systems for mission-critical operations means that any attack or infiltration has the potential to be catastrophic. Compliance with security regulations will guide providers of all types to mitigate their risk, but maximizing protection of these complex operations requires a broader strategy. Trend Micro Enterprise Security provides unique and cost-effective solutions that ensure compliance, maximize protection, and enable your strategic business and IT initiatives. With Trend Micro you can: Comply with HIPAA, HITECH, and PCI regulations Maximize ePHI protection and your reputation Confidently implement EHR modernization Adopt virtualization and cloud computing strategies Consolidate and simplify your security infrastructure Trend Micro Enterprise Security Vulnerability US Healthcare Regulation Endpoint Web Messaging Data and Threat Security Security Security Protection Management HITECH Act Breach notification for unsecured ePHI Encryption (“safe harbor” from breach notification) Extend HIPAA requirements to business associates HIPAA (Health Insurance Portability and Accountability Act) Protection of ePHI confidentiality, availability, and integrity Minimize data collection and use Transmission security Integrity Access control and authentication Device and media controls Security awareness, training, incident procedures Security management process Protection from malicious software PCI DSS (Payment Card Industry Data Security Standard) PCI compliance (see appendix) Trend Micro Solutions for HIPAA, HITECH, and PCI Requirements 1 White Paper | Solutions for the Healthcare Industry
  • 3. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY II. THE HEALTHCARE COMPLIANCE LANDSCAPE Patient data privacy and security regulations along with compliance Regulatory Compliance Applies to: enforcement have evolved for over a decade, but new, more stringent Covered entities including health guidelines, mandates for electronic record modernization, and government plans, health care clearinghouses, and health care providers funding are compelling the industry to make significant investments in Business associates of modernizing and securing their operations. these entities. THE HIPAA RULES – PROTECT ePHI The Health Insurance Portability and Accountability Act (HIPAA) of 1996 states that “covered entities” are required to employ safeguards that “ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI)”i under their controlii. However, the industry has struggled with the choice of specific technologies solutions in the absence of implementation guidelines. Penalties for non- compliance or actual ePHI breach have been minimal as compared with other regulations (e.g., PCI), causing many organizations to delay or insufficiently secure ePHI systems. ELECTRONIC MEDICAL/HEALTH RECORDS (EMR/EHR) – MORE REWARD, MORE RISK A 2004 presidential mandate called for all health records to be electronic by 2014, in hopes of driving improved efficiency and lower costs in healthcare delivery and information management. However resistance to EHR modernization has been considerable due in part to costs, practitioner resistance to change, and the heighted security risks of large-scale breach of digital records. NIST 800-66 – IMPLEMENTATION GUIDELINES FOR HIPAA SECURITY RULE More recently in 2008, the National Institutes of Standards and Technology (NIST) authored “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”, as a framework for federal agencies to achieve HIPAA compliance. Though NIST guidelines do not claim to supersede HIPAA Security or other related rules, the HHS interim final regulations specifically call out NIST and its various publications as trusted resources for technology implementation guidance in key areas such as encryption. As a result, many non-government agencies can also benefit from the technical specifications highlighted in this guide. HITECH ACT OF 2009 – THE NECESSARY INCENTIVES Title XIII of the American Recovery and Reinvestment Act of 2009 is also HITECH Act Highlights known as the Health Information Technology for Economic and Clinical EHR Funding Health Act (HITECH Act). The HITECH Act further reinforces the 2014 EHR Business Partner Compliance mandate and provides the necessary incentives to accelerate EHR adoption Risk assessments and clarify key HIPAA security requirements. Breach notification Safe harbor through encryption Funding: Most significant in the Act is actual funding support for EHR conversion via ARRA funds. While specific amounts and qualification criteria continue to be determined, there is clear government support for migration to EHR, including the implementation of appropriate security systems. 2 White Paper | Solutions for the Healthcare Industry
  • 4. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Risk Assessments: Risk Assessments can be used in both proactive and reactive ways. The Act specifically identifies risk assessments as necessary in determining, after the fact, whether an incident is indeed a breach of unsecured ePHI and whether even the leak of a subset of an individual’s ePHI could be used to identify the individual. These nuances point to the need for visibility into data and some level of forensics to determine the nature and extent of potential data breaches. Breach Notification Requirements: The HITECH Actiii address the topic of breach notification of unsecured ePHI,iv or ePHI that is ‘not secured through technology or methodology’ for covered entities and for the first time, business associates. Not only do the disclosure requirements subject the organization to public scrutiny on the data breach, but also the costs associated with notifying affected individuals can be significant. Any breach of unsecured ePHI must be disclosed and acted upon as follows: Covered Entity: Notification to affected individuals and Secretary of HHS Business Associates: Notification to affected Covered Entities Secretary of HHS: Post on HHS website if >500 individuals are affected “Safe Harbor” Through Encryption: The Act defines ‘secured’ ePHI as data that is either encrypted or destroyed. It goes further to state that if secured ePHI is involved in a data breach, notification requirements do not apply. This is a significant directive, specifically prescribing encryption as both a preferred means to enforce confidentiality and as a relief from breach notification requirements. The Act also highlights NIST guidelinesv on end user device encryption as a resource for implementation strategy. The ultimate benefit of these specifications to the healthcare organization is specific guidance on how best to protect both patient privacy and the institution’s reputation. STATE PRIVACY LAWSvi Although the HITECH Act asserts precedence over state laws, it also acknowledges the importance of alignment with state laws by specifyingvii a ‘harm’ threshold’, which would notify the affected individual if a specific level of breach has occurred. The ultimate benefit of this consistency is simpler implementation of security controls and fewer notifications. Some laws have extended requirements to encryption of confidential data, bringing Federal and State laws closer and simplifying compliance efforts. PCI ENFORCEMENT LOOMS Healthcare institutions that accept credit card payments are obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS) viii. Health insurance premiums, medical services, and even retail shops located on hospital premises are examples of scenarios where the security of cardholder data is required. PCI enforcement continues to increase and healthcare institutions are well advised to design and implement a security framework that addresses both HIPAA and PCI DSS. 3 White Paper | Solutions for the Healthcare Industry
  • 5. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY III. HEALTHCARE SECURITY & COMPLIANCE CHALLENGES Maintaining regulatory compliance and maximizing security is especially demanding in today’s evolving healthcare industry. Trend Micro understands the challenges and offers solutions that enable you to confidently secure the business and IT initiatives that support your strategic business goals. PROTECT ePHI – AND YOUR REPUTATION While perimeter and content security provide important safeguards, HIPAA and HITECH make it clear that encryption is the only way to ensure the ultimate protection of ePHI and avoid costly disclosures. Effective encryption deployment also requires a data loss prevention (DLP) solution to discover where ePHI is stored and ensure its encryption when transmitted. However, conventional encryption and DLP solutions suffer from major drawbacks that impede their success and widespread adoption by employees: PKI-based email encryption is burdensome and complex to administer and use Endpoint DLP solutions typically have a negative performance and usability impact Trend Micro secures sensitive data with endpoint DLP, email encryption and content filtering solutions that emphasize both security and ease-of-use. Identity-based, universal-reach encryption will ensure adoption of secure data policies across your entire medical ecosystem. SECURE LAPTOPS, PDAS, AND SMART PHONES Mobile laptops, PDAs, and other devices are quickly becoming mainstays of EHR-based care systems and essential to the daily tasks of nurses, physicians and other healthcare professionals. These devices are at extreme risk for attack and ePHI loss, but cannot be adequately protected by network-based solutions. Trend Micro OfficeScan and the Smart Protection Network keep wireless, mobile, and fixed devices of all kinds protected from malware both on and off network. Trend Micro Data Encryption and DLP solutions continuously protect endpoint data while allowing secure communication from any location. PROTECT HEALTHCARE WEBSITES AND PORTALS EHR promises efficient patient and partner data access, however websites have proven to be extremely vulnerable to attack and hijacking, using SQL injection and other techniques. Inadequate website security puts your reputation at risk by exposing patients, their data, and entire databases to attack. Trend Micro Deep Security and Vulnerability Management Services secure patient/partner communication by protecting websites and portals from infection, day-zero threats, and the vulnerabilities introduced by ever-changing web content. SECURE CRITICAL MEDICAL DEVICES Medical devices for patient evaluation and diagnosis are increasingly network-connected and run on general-purpose operating systems such as Microsoft Windows. While greatly improving patient care, these devices are now at risk for compromise and failure due to malware infections or external hacks. Trend Micro Deep Security and OfficeScan minimize the risk of compromise on medical device systems that run on general-purpose operating systems. And for networked devices that cannot be directly secured, Trend Micro Threat Management Services identifies compromises and aids in remediation. 4 White Paper | Solutions for the Healthcare Industry
  • 6. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY CONFIDENTLY IMPLEMENT EHR/EMR INITIATIVES Implementing an EHR system provides a strategic opportunity to improve care while fostering loyalty in a wide network of independent physicians and practices. Securely operating this extended infrastructure requires a security partner capable of protecting operations from hospital floor to cloud-based data centers. Trend Micro Enterprise Security provides comprehensive content and data security for the entire provider ecosystem—across physical, virtual and cloud-based environments. With Trend Micro you can confidently go digital and adopt the latest workplace and technology innovations to support your business initiatives. ADOPT VIRTUALIZATION & CLOUD COMPUTING EHR modernization and “green IT” practices are driving the healthcare industry to adopt server virtualization to enable cost efficient and flexible datacenters and to pave a path toward integrated cloud computing. And desktop virtualization promises new economies and tighter security and policy control. But the complexity and fluidity of virtual environments pose special challenges, rendering traditional IPS, firewall, and antivirus protection insufficient to prevent attacks on virtual servers that process or host ePHI/PCI data. Trend Micro Deep Security provides advanced software-based security that protects physical, virtual, and cloud-based servers with agentless anti-malware, integrated IPS, firewall, integrity monitoring, and more. Along with supplemental malware protection from Trend Micro Core Protection for Virtual Machines, Trend Micro provides a comprehensive software solution for securing complex virtual and cloud environments. CONSOLIDATE AND SIMPLIFY SECURITY INFRASTRUCTURE Over the years, healthcare and benefits providers have built a patchwork of security products in an effort to deal with evolving threats and regulations. The government’s EHR mandate and funding efforts along with the clarity of the HITECH act provide the opportunity for institutions to build a consolidated and simplified security infrastructure in conjunction with their IT new modernization initiatives. Trend Micro solutions are designed to provide comprehensive and consolidated content and security that minimizes the number of products and vendors you must deploy. And with Trend Micro Endpoint Security Platform, you can manage both security and systems using a single integrated application. AUTOMATE IT RISK MANAGEMENT PROCEDURES While the HITECH Act identifies risk assessment as a reactive measure to identify the nature of a breach, most IT organizations recognize the need to proactively avoid data breaches and hacks. Both for corporate governance and HIPAA compliance, organizations should employ risk management practices to identify and assess the vulnerability of critical assets, evaluate infiltrations, and apply additional preventative measures. Trend Micro Vulnerability Management and Threat Management Services support Healthcare IT Risk Management by utilizing cutting-edge analysis of malware behavior and advanced threat correlation to uncover, contain and remediate network infiltrations undetected by perimeter and content security. Going further, Threat Management Services provide root-cause analysis and consultative planning to strengthen your security posture. 5 White Paper | Solutions for the Healthcare Industry
  • 7. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY IV. TREND MICRO ENTERPRISE SECURITY Trend Micro Enterprise Security is a tightly integrated offering of content and data security solutions and services, powered by the Trend Micro Smart Protection Network™. Together they deliver maximum protection from emerging threats while minimizing the cost and complexity of security management. Trend Micro enables you to go beyond addressing fundamental HIPAA and HITECH compliance with practical solutions that truly safeguard your critical operations and infrastructure and enable your strategic business and IT initiatives. Trend Micro Enterprise Security Solutions Description Smart Protection Network Trend Micro Enterprise Security products and services are powered by Smart Trend Micro Smart Protection Protection Network—a next-generation cloud-client infrastructure that combines Network sophisticated cloud-based technology, feedback loops, and the expertise of TrendLabs researchers to deliver real-time protection from emerging threats. Data Protection Provides data loss prevention with extremely accurate and effective detection and protection of sensitive data on the endpoint. Sophisticated fingerprinting, Trend Micro Data Loss statistical algorithms and small footprint ensure high scalability, while HIPAA and Prevention PCI templates and reports simplify tracking and protection of ePHI and cardholder data. Advanced identity-based encryption allows universal reach without pre- registration. Unlike conventional PKI encryption, Trend Micro email encryption uses cloud-based key management to generate keys on demand without the Trend Micro Email Encryption need for certificates and per pair pre-registration. End-user encryption as well as policy-based, automated gateway encryption ensure that all sensitive data is protected and your communications are compliant. Messaging Security Smart Protection Network provides antispam, anti-phishing and anti-malware Trend Micro InterScan protection as well as outbound content filtering and automated encryption for Messaging Security enterprise email. Multiple deployment modes include virtual appliance. Trend Micro Communication Provides dedicated anti-malware protection for Microsoft Exchange, Office & Collaboration Security Communication Server (IM), SharePoint and Lotus Domino. Endpoint Security Trend Micro OfficeScan Provides superior defense against threats—both on and off the corporate network—combining top rated anti-malware with innovative in-the-cloud protection from the Smart Protection Network. File Reputation moves the burden of signature management into the cloud, freeing endpoint resources. Web Reputation protects endpoints by blocking access to malicious sites. OfficeScan offers a single compliance solution to protect desktops, virtual desktops, laptops, servers, storage appliances, PDA devices and more. 6 White Paper | Solutions for the Healthcare Industry
  • 8. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Provides software-based comprehensive security and compliance for critical business servers operating in standalone, virtual, and cloud-based Trend Micro Deep Security environments. Key protection capabilities include: deep packet inspection (enabling IDS/IPS, network application control, and web application protection), firewall, integrity monitoring, and log inspection. . Trend Micro Core Protection Provides automated anti-malware protection designed specifically to meet the for Virtual Machines unique needs of the virtual environment. Features include: active and dormant VM protection, vCenter management integration and a performance-optimized architecture. Messaging Security Provides Smart Protection Network-based anti-spam, anti-phishing and anti- Trend Micro InterScan malware protection as well as outbound content filtering and automated Messaging Security encryption for enterprise email. Available in a variety of deployment models including virtual appliance. Trend Micro Communication Provides dedicated anti-malware protection for Microsoft Exchange, Office & Collaboration Security Communication Server (IM), SharePoint and Lotus Domino. Web Security Provides immediate protection against web threats by integrating multiple layers of protection at the internet gateway. It combines anti-malware and antispyware Trend Micro InterScan Web with Smart Protection Network Web Reputation and URL filtering to detect and Security block threatening web site access based on reputation and company policy. Advanced reporting capabilities provide detailed monitoring and analysis of employee activity. Trend Micro OfficeScan, Together these products enable secure and compliant website operations and Deep Security and web-based communication and collaboration by protecting websites and portals Vulnerability Management from malware infection, day-zero and targeted threats and the exploitation of Services vulnerabilities introduced by web applications and ever-changing site content. Risk Management Trend Micro Vulnerability Delivers total control over software and system vulnerabilities, web content Management Services vulnerabilities, and IT policy compliance Manages breach risk with unique services to discover targeted and zero-day infiltrations that perimeter and content security has failed to detect. Powered by Trend Micro Threat the Smart Protection Network, it features cutting-edge analysis of malware Management Services behavior, advanced threat correlation and consultative planning services to ensure compliance and maximize ePHI protection. Central Management Provides a unified platform for managing security and systems compliance Trend Micro Endpoint across all clients and servers regardless of location or network connectivity. Key Protection Platform components under management include Core Endpoint Security and Web Protection, Data Loss Prevention, Patch Management and Power Management Provides centralized management of many Trend Micro products, simplifying Trend Micro Control Manager configuration and updates and coordinating threat reports and analysis. 7 White Paper | Solutions for the Healthcare Industry
  • 9. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY V. HEALTHCARE REGULATION COMPLIANCE WITH TREND MICRO ENTERPRISE SECURITY SOLUTIONS Please see Section 4 for a detailed overview of Trend Micro Enterprise Security products highlighted below. Healthcare Regulation Trend Micro Solutions and Mapping Justification HI TECH Act of 2009—Breach Notification for Unsecured Protected Health Information HITECH § 13402 Trend Micro Enterprise Security Solutions for Endpoint, Messaging, Web, Notification in Case of Breach and Data provide essential functionality to meet ePHI breach notification requirements through security monitoring, threat prevention, and data encryption. HITECH § 13404 Application of Privacy Provisions Monitoring and Penalties to Business Associates of Covered Entities Monitor files on servers known to contain ePHI for tampering, copying or removal with Trend Micro Deep Security. HITECH § 13407 Temporary Breach Notification Routinely discover where ePHI is stored with Trend Micro DLP– to identify Requirement for Vendors of which systems need to be secured and also to determine the possible sources Personal Health Records and of a breach should it occur. Other Non-HIPAA Covered Entities Monitor systems – on-site, remote, or off-line for unauthorized copy of ePHI to external devices or transmission via common applications such as Web, email, 45 CFR parts 160 and 164 and instant messaging with Trend Micro DLP. (Interim Rule) Issued following updates to HIPAA: Monitor end-user systems for access to malicious websites or email suspected of hosting data-stealing malware with Trend Micro OfficeScan and InterScan HIPAA Subpart D Notification in the Case of Web and Messaging Security. Breach of Unsecured Protected Monitor email traffic for ePHI leaks and block inbound spam containing Health Information data-stealing malware with Trend Micro InterScan Messaging Security. HIPAA §164.404 Monitor network traffic for evidence of active malware infections that have Notification to Individuals infiltrated the network with Trend Micro Threat Management Services. (Description of type of unsecured ePHI involved in the Prevention breach) Prevent end users—whether on-site, remote, or off-line—from copying or transmitting ePHI to external devices or unauthorized locations with Trend Micro DLP Prevent sending of emails to outside entities if they contain unencrypted ePHI in the message or attachments with InterScan Messaging Security. Prevent end-user systems from access to malicious websites or email suspected of hosting data-stealing malware with Trend Micro OfficeScan and InterScan Web and Messaging Security. Encryption (see Safe Harbor section below) HI TECH Act of 2009—“Safe Harbor” or exemption from breach notification if PHI is secured using encryption 45 CFR parts 160 and 164 Trend Micro offers encryption solutions which enable covered entities to protect (Interim Rule) (Encryption and ePHI and forego breach notification requirements: destruction for rendering ePHI unusable, unreadable, or Enforce automated encryption of email messages and attachments containing undecipherable to unauthorized unsecured ePHI with Trend Micro Email Encryption. individuals.) Cloud-based key management safeguards keys and generates keys on 45 CFR parts 160 and 164 demand without the need for certificates and per pair pre-registration for all (Interim Rule) (Keep encryption Trend Micro Encryption Solutions. keys on a separate device from the data that they encrypt or decrypt) HIPAA §164.304 Definitions (Encryption) 8 White Paper | Solutions for the Healthcare Industry
  • 10. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Healthcare Regulation Trend Micro Solutions and Mapping Justification HIPAA Security Rules—A subset of the HIPAA rules, covering technical safeguards for PHI data. § 164.306(a)(1) When implemented using the recommended risk assessment and best practices (Protect ePHI: Facilities must from the NIST “Introductory Guide to Implementing the HIPAA Security Rule” protect the confidentiality, (recommended in the Interim Rule), Trend Micro Enterprise Security Solutions availability, and integrity of all ePHI created, received, for Endpoint, Messaging, Web and Data help address confidentiality, availability, maintained, and transmitted.) and integrity of ePHI. § 164.308 (a)(1) Security IT risk management involves inventory of all assets and related vulnerabilities, Management Process threats, likelihood threats, and countermeasures. Trend Micro Enterprise (Includes required risk analysis Security Solutions can help in key areas of the risk management process: and risk management) Discover all enterprise systems which store ePHI data – or assets – with Trend Micro DLP. Scan internal and externally facing systems for vulnerabilities and IT policy compliance with Trend Micro Vulnerability Management Services. Scan external facing healthcare websites and portals with Trend Micro Vulnerability Management Servicesto identify vulnerabilities that could be exploited to gain access to ePHI data. Monitor end-user systems for access to malicious websites or email suspected of hosting data-stealing malware with Trend Micro OfficeScan, InterScan Web Security, and InterScan Messaging Security. Detect and remediate active malware infections using Trend Micro Threat Management Services. Provides network risk assessment audit logging and offers advanced reporting and audit trail to demonstrate infection-free environment. § 164.308 (a)(5)(i) Use Trend Micro Threat Management Services to detect and remediate (Security awareness and active malware infections as well as implement a security strategy and training training) plan that continually improves security posture. § 164.308 (a)(6) Notify users of unauthorized use of ePHI while they are attempting the action (Policies and procedures to using Trend Micro DLP. Display a popup window with the appropriate ePHI address security incidents) protection guidance. § 164.308 (a)(5)(ii)(B) Monitor and block malicious software from infiltrating end user systems, critical (Protection from malicious servers, and block malicious email and Web exposure with Trend Micro software. Procedures for Endpoint, Messaging, and Web Security solutions guarding against, detecting, and reporting malicious software) § 164.308(b)(1) Trend Micro Enterprise Security solutions can be implemented by business (Business associate will associates to secure their operations and protect ePHI. Minimally, Trend Micro appropriately safeguard Email Encryption can provide secure communications between covered information) entities and their business associates. § 164.310(d)(1) Device and Maintain a current inventory of ePHI on the network with discovery scanning Media Controls using Trend Micro DLP. IT change management can include review of (Policies and procedures that discovery reports in order to properly handle systems storing ePHI. govern the receipt , removal and movement of hardware and electronic media containing ePHI) 9 White Paper | Solutions for the Healthcare Industry
  • 11. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY Control access to servers or applications using Trend Micro Deep Security, which enables communications to be restricted or allowed based on MAC and IP addresses. § 164.312(a)(1) Access Control (Allow access only to those Role-based access controls (RBAC) and delegated administration using Trend persons or software programs Micro Deep Security to support separation of administrative duties with that have been granted access respect to creating, deploying, and auditing security policy and events that rights) violate the policies. Perform regular discovery of ePHI systems with Trend Micro DLP to determine where access controls must be in place. Healthcare Regulation Trend Micro Solutions and Mapping Justification § 164.312(c)(1) Integrity Monitor the integrity of files containing ePHI data with Trend Micro Deep (Protect ePHI from improper Security, alerting any modification or deletion. alteration or destruction) § 164.312(e)(1) Transmission  Secure emails between employees and external recipients with Trend Micro Security  Email Encryption. (Guard against unauthorized access  to transmitted ePHI)  § 164.514(d) Discover duplicated and unsecured ePHI on laptops, desktops, file servers and (Collect and use the minimum databases on a regular basis with Trend Micro DLP. data necessary) NIST Guidelines— Examples of NIST guidelines intended to help federal government institutions secure ePHI. NIST Publication 800-66 Trend Micro OfficeScan, Deep Security, InterScan Message Security, and (For implementing HIPAA InterScan Web Security directly address these requirements. Security Rules) “Use a combination of security software, Trend Micro Threat Management Services provides antivirus detection for such as antivirus…, personal devices and systems that cannot directly host antivirus security software, e.g., firewalls, spam and Web content MRI scanners, bedside monitors, and legacy devices and systems. filtering,… to stop most attacks, particularly malware;” NIST Publication 800-66: 4.13. Maintain a current inventory of ePHI on the network with discovery scanning Device and Media Controls (§ using Trend Micro DLP. IT change management can include review of 164.310(d)(1)) (What data is discovery reports in order to properly handle systems storing ePHI. maintained by the organization and where?...) NIST Publication 800-66: 4.14. Perform regular discovery of ePHI data on enterprise systems with Trend Access Control §164.312(a)(1)) Micro DLP to determine where access controls must be in place. (Have all applications/systems with ePHI been identified?, Where is ePHI …currently housed?) Payment Card Industry Data Security Standard (PCI DSS)—Compliance Requirements Twelve categories of controls to Trend Micro Enterprise Security Solutions address most PCI requirements. protect cardholder data Please see white paper, ”Trend Micro Solutions for PCI DSS Compliance” For more information please call or visit us at. www.trendmicro.com/go/enterprise +1-877-21-TREND 10 White Paper | Solutions for the Healthcare Industry
  • 12. TREND MICRO ENTERPRISE SECURITY FOR THE HEALTHCARE INDUSTRY VI. FOOTNOTES i HIPAA security requirements detailed in “Title 45 – Public Welfare Subtitle A – Department of Health and Human Services Part 164 – Security and Privacy”, http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html ii Department of Health and Human Services, “Health Insurance Reform: Security Standards; Final Rule.” Federal Register, vol. 68, no. 34 (Feb. 20, 2003), pg. 8341. (http://www.cms.hhs.gov/securitystandard/downloads/securityfinalrule.pdf) iii “Department of Health and Human Services | 45 CFR parts 160 and 164 | Breach Notification for Unsecured Protected Health Information; Interim Final Rule”, August 24, 2009 http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf iv “Department of Health and Human Services | 45 CFR parts 160 and 164 | Breach Notification for Unsecured Protected Health Information; Interim Final Rule”, http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf v NIST Special Publication 800–111, “Guide to Storage Encryption Technologies for End User Devices”, November 2007, http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf vi Refer to Section 5 for more details on healthcare regulations/requirements mappings vii “Department of Health and Human Services | 45 CFR parts 160 and 164 | Breach Notification for Unsecured Protected Health Information; Interim Final Rule”, page 6, http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf viii For more information, refer to the white paper, “Trend Micro Solutions for PCI DSS Compliance – Addressing PCI DSS Requirements with Trend Micro Enterprise Security.” © 2010 Trend Micro, Incorporated. All rights reserved. Trend Micro, InterScan, OfficeScan, PortalProtect, ScanMail,Smart Protection Network and the t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. WP01_PCI-TMES_090903 11 White Paper | Solutions for the Healthcare Industry