Using Data Security to Address HIPAA and
HITECH Regulations
Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the upper left of the viewer
• If we don’t get to your question during the webinar, we will follow up with you via email
• Download related resources via the “Attachments” button above the viewing panel
• On Twitter? Join the conversation: @HOSTINGdotcom, @Vormetric
Agenda
• Introduction
• Cloud Security Challenges
• HIPAA/HITECH Compliance Requirements
• Data Security Solutions
• Q&A
Vormetric – Data Security
• Vision
  • To Secure the World’s Information
• Industry Leading Data Security Company
  • Based in San Jose, CA since 2001
• Customers Protected
  • 17 of Fortune 30 customers
  • 1500+ customers in 22 countries
  • 155 petabytes+, 500K+ servers
• Cloud Service Providers Partnerships
  • To enable data security protection with our cloud partners
Award badges shown on the slide: Best Encryption; Best Security & Compliance (Virtualized Environments)
March 2014
Security is the leading cloud adoption concern
Need to establish trust and controls in the cloud
Average costs incurred by American companies after a data breach
• Incident Management: $417,000
• Breach Notifications: $509,237
• Post Breach: $1,599,996
• Lost Business Costs: $3,324,959
Healthcare has the highest per capita costs following a breach
Per capita cost by industry:
• Healthcare: $359
• Education: $294
• Biopharma: $227
• Financial: $206
• Communications: $177
• Industrial: $160
• Consumer: $155
• Services: $145
• Energy: $141
• Technology: $138
• Media: $137
• Hospitality: $122
• Transportation: $121
• Research: $119
• Retail: $105
• Public: $100
HIPAA/HITECH Act
Key requirements to think about
• Notify individuals of breach of unsecured health information
• Information is only secured if it is encrypted or destroyed
• Encryption must meet NIST 800-111 encryption requirements
• Keys must be kept on a separate device from the data
• Only FIPS encryption algorithms can be used
• Omnibus Rule - Expands HIPAA requirements to business partners of payers, providers and clearinghouses
Potential Consequences of Non-Compliance
Increased enforcement and penalties (fines)
• HITECH Act included provisions for increased enforcement of HIPAA Privacy and Security Rules:
  • Requires HHS to formally investigate any complaint of a violation of HIPAA if a preliminary investigation indicates a possible violation due to willful neglect, and to impose civil penalties for these violations.
  • Allows state Attorneys General to bring civil actions in federal court on behalf of state residents if there is reason to believe that the interest of one or more residents has been threatened or adversely affected by a person who violates HIPAA.
Complying with HIPAA/HITECH
Some of the top challenges
• The security requirements, taken independently of one another, can prove costly and time-consuming to implement adequately.
  • Typically, various solutions may have to be integrated to provide adequate protection for dispersed data, and implementations can prove to be very complex.
• Protecting unstructured data.
  • While some types of data, such as credit card data or social security numbers, can be readily located and protected, unstructured data frequently found in EMRs can be more difficult to protect.
  • The data may consist of a variety of file types.
  • Patient record forms, medical imagery files, and other file types are not easily protected because they live in highly distributed environments.
• Controlling access to ePHI
  • While encryption protects data, robust policy and encryption key management is required to prevent unauthorized access or disclosure of PHI.
Vormetric Data Security
Achieving compliance with ease
• Comprehensive solution for protecting ePHI in any environment
  • For example, applications, file types, and even operating systems.
  • Structured and unstructured data, including big data and databases (DB2, Oracle, SQL, Informix etc.)
  • Private, Public and Hybrid Clouds
• Vormetric Transparent Encryption offers:
  • Strong data security controls, leveraging both encryption and policy-based access controls
  • Separation of duties
  • Auditing capabilities
  • Heterogeneous systems support
  • Management via a centralized policy and key management console
Vormetric Data Security for HIPAA/HITECH
• FIPS Encryption
• Secure Key Management
• Meets NIST 800-111
• Proven Performance
• Encryption + Access Control
• Audit
• Separation of Duties
• Low TCO
• Rapidly Deployable
“Vormetric encrypts in a way to minimize performance overhead. It also offers separation of duties, centralized key management and policy management”
– Noel Yuhanna, Forrester Research
Extensible Controls for Compliance
Encryption, access control, and audit logs
• HIPAA security rule, which states data at rest should be encrypted unless it's not "reasonable and appropriate."
• With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security.
• When doing business with the federal government we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security.
Avoid Encryption Silos
A disjointed, expensive collection of point products
Diagram of separate point products and the use cases they serve: Tape Archives, Key Management, Privileged User Control, Access Policies, Physical Security, Full Disk Encryption, Cloud Migration, Cloud Encryption, PII Compliance, App Encryption, Customer Records, Database Encryption, Expense Reports, File Encryption, and more.
Each use case requires individual infrastructure, management consoles and training
Complex – Inefficient – Expensive
HOSTING Cloud Solution
Data-at-rest security enabled by Vormetric
Diagram: Transparent Encryption on each protected server, with Key Management provided centrally.

Stored Data Protection for HIPAA/HITECH
Data-at-Rest Encryption and Key Management
Deployed in cloud example. Diagram elements: Secure VPN; Vormetric Data Security Manager (DSM, virtual or hosted physical appliances).
Key management:
• Virtual appliance in cloud
• Appliance hosted by provider

Stored Data Protection for HIPAA/HITECH
Data-at-Rest Encryption and Key Management
Deployed on premise example. Diagram elements: Secure VPN; Vormetric Data Security Manager (DSM, virtual or physical appliances).
Key management:
• Appliance on premise
• Virtual appliance on premise
Access Control for HIPAA/HITECH
Assuring least privileged access
Access Policy #1 (enforced by Vormetric Transparent Encryption on the HR ERP Directory and the Accounts Payable Directory):
• User: AccountsPayable
• App: ERP
• Operation: Read Only
• Time: Any
• Resources: Any
Access attempt 1 (matches Access Policy #1):
• User: AccountsPayable
• App: ERP
• What: Read File
• Time: 2PM 11/14/2013
• Where: ERP Directory

Access Control for HIPAA/HITECH
Assuring least privileged access
Access Policy #1: as above
Access attempt 2 (does not match the policy; block access and log attempt):
• User: SystemAdmin-Group
• Process: cat command
• What: Read File
• Time: 2PM 11/14/2013
• Where: HR ERP Directory
Security Intelligence For HIPAA/HITECH
File access audit trail to demonstrate compliance
Log and audit data access, in support of:
• Alarm on abnormal access patterns
• Identify compromised users, administrators and applications
• Accelerate APT and malicious insider recognition
• Support compliance and contractual mandate reporting
Verizon 2013 data breach investigations report: 66% of breaches took months, or even years, to discover; 69% of breaches were spotted by an external party – 9% were spotted by customers.

Vormetric logs all data events for security intelligence and analysis

Sample audit event: Admin Dirk Snowman impersonated user steve and attempted to read a protected file. Access was denied because he violated a policy.
Vormetric enables you to identify and track unauthorized attempts at protected data.
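The policy and the two access attempts on the preceding slides, together with the audit line on this one, as a small Python model added here (not Vormetric code): a default-deny policy evaluator, an audit record for every decision, and a check that flags actors with denied attempts. The policy fields, file paths, the "dsnowman" account name and the log format are assumptions.

```python
# Policy-based access control with audit logging, modelled on the slides'
# Access Policy #1 and the two access attempts. Added illustration, not
# Vormetric code: policy fields, file paths and log format are assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    user: str               # user or group the rule covers
    app: str                # process allowed to touch the data ("*" = any)
    ops: frozenset          # permitted operations, e.g. {"read"}
    resources: str = "*"    # guarded path prefix; "*" = Any (as on the slide)


@dataclass(frozen=True)
class Request:
    user: str
    process: str
    op: str
    path: str
    when: datetime
    admin: Optional[str] = None   # set when an admin impersonates `user`


def matches(p: Policy, r: Request) -> bool:
    """True only when every clause of the policy covers the request."""
    if p.user != r.user or (p.app != "*" and p.app != r.process):
        return False
    if r.op not in p.ops:
        return False
    return p.resources == "*" or r.path.startswith(p.resources)


def evaluate(policies, r: Request, audit: list) -> str:
    """Default-deny evaluation. Every decision is appended to `audit`, so a
    blocked attempt is both denied and recorded, as on the slide."""
    hit = next((p for p in policies if matches(p, r)), None)
    decision = "PERMIT" if hit else "DENY"
    audit.append({
        "time": r.when.isoformat(timespec="minutes"),
        "decision": decision, "user": r.user, "admin": r.admin,
        "process": r.process, "op": r.op, "path": r.path,
        "reason": f"matched {hit.name}" if hit else "no matching policy",
    })
    return decision


def format_event(e: dict) -> str:
    """Render an audit record in the style of the slide's sample line."""
    actor = (f"admin {e['admin']} impersonating user {e['user']}"
             if e["admin"] else f"user {e['user']}")
    return (f"{e['time']} {e['decision']}: {actor} via {e['process']} "
            f"attempted to {e['op']} {e['path']} ({e['reason']})")


def denied_actors(audit: list, threshold: int = 1) -> dict:
    """Abnormal-access check: count DENY events per real actor (the admin
    when impersonating, otherwise the user); return those at/over threshold."""
    counts: dict = {}
    for e in audit:
        if e["decision"] == "DENY":
            actor = e["admin"] or e["user"]
            counts[actor] = counts.get(actor, 0) + 1
    return {a: n for a, n in counts.items() if n >= threshold}


# Access Policy #1 from the slide: AccountsPayable via ERP, read only, any time.
POLICIES = [Policy("Access Policy #1", user="AccountsPayable", app="ERP",
                   ops=frozenset({"read"}))]

# Constructed requests mirroring the two slides and the sample audit line.
T = datetime(2013, 11, 14, 14, 0)
REQUESTS = [
    Request("AccountsPayable", "ERP", "read", "/data/erp/invoices.dat", T),
    Request("SystemAdmin-Group", "cat", "read", "/data/hr-erp/payroll.dat", T),
    Request("steve", "cat", "read", "/data/erp/invoices.dat", T, admin="dsnowman"),
]


def run(policies=POLICIES, requests=REQUESTS):
    """Evaluate all requests; return (decisions, audit log, flagged actors)."""
    audit: list = []
    decisions = [evaluate(policies, r, audit) for r in requests]
    return decisions, audit, denied_actors(audit)


if __name__ == "__main__":
    for event in run()[1]:
        print(format_event(event))
```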
End to End Big Data Security and Compliance
Diagram of the data flow and where encryption applies:
• Data sources (structured and unstructured): Financial Data, Healthcare Data, Credit cards, Logs, PII; Database, Data warehouse, ERP, CRM; Audio video, Excel, CSV, Social media, Logs
• Big Data platform: error logs, disk cache, configuration, system logs
• Analytics: Reports, Dashboards, What-if queries
Encryption shown per stage, in that order: Vormetric Transparent Encryption or Vormetric Application Encryption; Vormetric Transparent Encryption; Vormetric Transparent Encryption or Vormetric Application Encryption
The Last Thing You Want To Hear…
Doctor, is my data safe?
Guidance provided in the HIPAA FAQ, published by HHS, makes it clear that encryption is essentially mandatory. How? Because it would be difficult to determine that it’s not a “reasonable and appropriate” control based on an assessment of risk regarding protecting the confidentiality of ePHI. Also, because of what encryption does to data, finding a reasonable and appropriate “equivalent alternative measure” is essentially impossible.
- Healthcare IT News
Hosting customer success story
Healthcare example

Implement with Confidence
“It’s very apparent that Vormetric is major steps in front of the competition.”
– Sabastian High, senior manager for Product Development Standards and Innovation, McKesson, Inc.
“My concern with encryption was the overhead on user and application performance. With Vormetric, people have no idea it’s even running.”
– Karl Mudra, CIO, Delta Dental of Missouri

Q&A
Derek Tumulak | VP Product Management, Vormetric
Tricia Pattee | Product Manager, HOSTING

Editor's notes

  1. 9/25/15 – Per Andy, Forrester and Gov awards are not issued yet.
  2. If the frequency of attacks doesn’t push you to make security a top priority, take a look at what it could cost if you are subjected to a data breach. As revealed in the 2014 Ponemon Institute Cost of Data Breach Study, the total average organizational cost of a data breach for U.S. companies is $5.85 million (up 15% from 2013):
     • $417,000 for detection costs (including forensic and investigative activities and crisis team management)
     • $509,237 for breach notification costs
     • $1,599,996 for post-breach remediation costs (including help desk activities, product discounts, identity theft protection services, and dealing with regulators)
     • $3,324,959 in lost business costs (including reputational injury, diminished goodwill, and loss of business)
     It is important to note that Ponemon’s survey is limited to data breaches affecting fewer than 100,000 records. For that reason, these figures can be dramatically higher for large data breaches. This study doesn’t include all of the stories we have all heard involving Home Depot, Sony, Staples, etc., and the average costs are still that high! In fact, Target’s breach around the 2013 holiday season incurred $88 million in costs and affected more than 100 million customer records, including stolen credit and debit card information.
  3. The average costs per record also vary by industry. Heavily regulated industries such as healthcare, education, pharmaceutical and financial services had a per capita data breach cost substantially above the overall mean of $145. Public sector organizations and retail companies had a per capita cost well below the overall mean value. The average number of records breached in the US is just under 30,000, while the average per capita cost of the breach is $201, up from $188 in 2013. To put that into perspective, a healthcare company with the average number of records would have fees of $10.7M. A company in the finance industry with that number of records would pay over $6M. So you can see how much costs will vary based on industry, size of company, amount of data, and other factors. Now let’s take a look at what you can do to reduce these costs in the unfortunate instance of a data breach.
  4. http://www.mintz.com/newsletter/2013/Advisories/3128-0613-NAT-PRIV/index.html