Lumension presented alongside University Health Care System on how to protect electronic medical records by enforcing device control and data encryption policies.
Medical Records on the Run: Protecting Patient Data with Device Control and Encryption
2. Today’s Agenda
- Protecting Patient Data and HIPAA
- Policy-based Device Control and Data Encryption
- Device Control at University Health Care System
- Conclusion and Q & A
3. Today’s Speakers
- Chris Merritt, Director of Solution Marketing, Lumension
- George Ward, CISSP, CISM, Manager Information Security, Computer Operations, University Health Care System
5. Challenges of Protecting Patient Data
- Economic and Competitive Pressures
- Increased HIPAA and PCI Regulatory Oversight
- Increasing Value of Personal Healthcare Information
- Data Sharing Outside of the Four Walls
- Consumerization of IT
- Electronic Protected Health Information (EPHI) Disclosure
6. Data Sharing Outside of the Four Walls: Accessibility to Medical and Billing Records Increases… as Does the Risk (chart; source: 2008 HIMSS Security Survey)
20. Practical Data Protection Approach
1. Discover all devices that are currently or have ever been connected to every endpoint.
2. Assess device and data usage, including what device, on what machine, by which user, and when.
3. Implement flexible device whitelisting, allowing only approved devices to run.
4. Monitor the effectiveness of device usage policies.
5. Report on data protection policies to prove compliance and conduct forensics.
38. Granular Controls Enable Effective Policy Plan

| Device Class | Device Description | Role-Based Access Control |
|---|---|---|
| Removable Storage Devices | Memory sticks, Flash drives, ZIP Drives, USB Hard Drives, etc. | Blocked |
| DVD/CD Drives | CD, CD-R/W, DVD, DVD R/W | Blocked |
| Imaging Devices | Scanners, webcams, etc. | Blocked |
| User Defined Devices | Non-standard devices (Generic USB Devices, IPAQ, etc.) | Blocked |
| Portable Devices | Digital Cameras, iPhones, MP3 Players, etc. | Blocked |
| Modem/Secondary Network Access Devices | Modems that do not connect directly through normal channels | Blocked |
| Palm Handheld Devices | Palm PDAs, Smartphones, etc. | Blocked |
| Floppy Disk Drives | IDE, parallel, or USB Floppy Drives | Blocked |
| RIM BlackBerry (Research In Motion) | Handheld computers/mobile phones | Blocked |
| Biometric Devices | Fingerprint readers, password managers, etc. | Blocked |
| Tape Drives | Internal or external tape drives | Blocked |
| Windows CE Handheld Devices | Windows CE computers using PocketPC OS | Blocked |
| Wireless Network Interface Cards | Wireless LAN Adaptors | Blocked |
| Printers (USB/Bluetooth) | USB and Bluetooth Printers | Allowed |
| COM/Serial Port (Serial Communication) | Standard modems, phone cradles, etc. | Allowed |
| LPT/Parallel Ports (Line Printer Terminal) | Standard printers, dongles, etc. | Allowed |
| PS/2 Ports (Personal System/2) | Keyboards and Mice | Allowed |
| Smart Card Readers | Readers for smartcards, etokens, or fingerprints | Allowed |
39. Communication and Rollout Plan

| Communication Means | Message | Presented | Status |
|---|---|---|---|
| Executive Staff Meeting | Overview (this presentation) | 3/24/2009 | Complete |
| COO Briefing | Overview | 3/25/2009 | Complete |
| Security Management Subcommittee | Overview | 4/8/2009 | Complete |
| Cancer Committee Meeting | Agenda item | 4/10/2009 | Complete |
| E-mail current users | Request ‘business need’ justification | 4/13/2009 | Complete |
| Department Chair Meetings | Agenda item | 4/13 - 6/16/2009 | Complete |
| Department Directors Meeting | Overview | 4/15/2009 | Complete |
| IS Division Meeting | Overview | 4/15/2009 | Complete |
| F-22 Revision | Publish link to Project Website | 4/15/2009 | Complete |
| Internal Posters | Devices, contact info, effective date | 4/16/2009 | Complete |
| Housewide Memo 1 | Devices, contact info, effective date | 4/21/2009 | Complete |
| Medical Executive Committee | Overview | 4/21/2009 | Complete |
| IS Steering | Overview | 4/22/2009 | Complete |
| Employee Communiqué Newsletter | Devices, contact info, effective date | 4/24/2009 | Complete |
| Housewide Memo 2 | Devices, contact info, effective date | 4/28/2009 | Complete |
| Volunteer Executive Committee Meeting | Agenda item | 4/28/2009 | Complete |
| Housewide Memo 3 | Devices, contact info, effective date | 5/1/2009 | Complete |
| Physician Practice Managers Meeting | Agenda item | 5/1/2009 | Complete |
| Medical Staff Monthly Newsletter | Devices, contact info, effective date | 5/3/2009 | Complete |
| Nursing Matters Newsletter | Devices, contact info, effective date | 5/3/2009 | Complete |
| Foundation Quarterly Newsletter | Devices, contact info, effective date | 5/15/2009 | Complete |
| Volunteer Quarterly Newsletter | Devices, contact info, effective date | 5/27/2009 | Complete |
40. Monthly Newsletters and Memos
On May 12, 2009, University Hospital will protect electronic Protected Health Information (ePHI) by restricting USB storage device use to specific, authorized users. Unauthorized devices such as Universal Serial Bus (USB) drives, external hard drives, and non-encryptable devices such as digital cameras, cell phones, MP3 players, etc., will be blocked. Visit the "Device Control Project" link on the hospital's intranet homepage, or contact Dewayne Winston at [email_address] for more information.
We covered email with IronMail; this was a logical next step for us, and the audit finding drove the timing. Like I said, we were already publishing healthcare-sector data breaches monthly and encouraging the use of encrypted drives. We didn’t want to show up on the list.
Monitored user USB activity for approximately 6 months before activating controls. Identified users and their roles. Able to target communications directly to users requiring USB devices for business needs.
In order to protect information such as patient data, personal identifiers, authentication credentials, corporate financial data, intellectual property and classified files, USB endpoint security software and hardware needs to be purchased to eliminate the risk of data being lost or stolen from within the organization.
Devices that cannot store data are Allowed (USB mice, keyboards, printers, etc.). See the next slide for details.
Communication began going out 6+ weeks before implementation.
File shadowing records the file names of files transferred to USB devices.
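An added example, not code from the Lumension deck or the University Health Care System project, showing how the slide 38 policy plan and the five-step approach fit together: a small Python evaluator that blocks storage-capable and portable device classes, allows them only for users with an approved business need, and keeps the usage, blocked-attempt and file-shadowing records the reporting step needs. The class keys, role names, hosts and events are constructed for the example.

```python
from collections import Counter

# Device classes taken from the deck's policy plan (slide 38): storage-capable,
# portable and network classes are blocked, classes that cannot store data are
# allowed. Unknown classes fall through to block (default deny).
BLOCKED_CLASSES = {"removable_storage", "dvd_cd", "imaging", "user_defined",
                   "portable", "modem", "palm", "floppy", "blackberry",
                   "biometric", "tape", "windows_ce", "wireless_nic"}
ALLOWED_CLASSES = {"printer", "com_serial", "lpt_parallel", "ps2", "smart_card"}

# Users granted a "business need" exception for a blocked class (hypothetical roles).
EXCEPTIONS = {"removable_storage": {"radiology_tech", "backup_admin"}}

def decide(event):
    """Step 3, device whitelisting: 'allow' or 'block' for one connection event."""
    cls, user = event["class"], event["user"]
    if cls in ALLOWED_CLASSES:
        return "allow"
    if cls in BLOCKED_CLASSES and user in EXCEPTIONS.get(cls, set()):
        return "allow"
    return "block"

def audit(events):
    """Steps 2, 4 and 5: which device, on what machine, by which user, and when;
    blocked attempts per user; and shadowed file names for allowed transfers
    to removable storage."""
    rows, blocked, shadowed = [], Counter(), []
    for e in events:
        verdict = decide(e)
        rows.append((e["time"], e["host"], e["user"], e["device"], verdict))
        if verdict == "block":
            blocked[e["user"]] += 1
        elif e["class"] == "removable_storage":
            shadowed.extend((e["user"], f) for f in e.get("files", []))
    return rows, blocked, shadowed

def ev(time, host, user, cls, device, files=()):
    return {"time": time, "host": host, "user": user, "class": cls,
            "device": device, "files": list(files)}

# Constructed sample events (hostnames, users and file names are made up).
SAMPLE_EVENTS = [
    ev("2009-05-12T08:01", "ONC-WS01", "nurse_a", "removable_storage",
       "SanDisk Cruzer", ["pt_list.xls"]),            # blocked: no exception
    ev("2009-05-12T08:05", "RAD-WS03", "radiology_tech", "removable_storage",
       "Kingston DataTraveler", ["study_1042.dcm"]),  # allowed, file shadowed
    ev("2009-05-12T09:12", "ONC-WS01", "nurse_a", "ps2", "Dell keyboard"),
    ev("2009-05-12T09:30", "ED-WS07", "clerk_b", "portable", "iPhone"),
]
```

Running `audit(SAMPLE_EVENTS)` yields the per-event usage rows for step 2, the blocked-attempt counts for step 4, and the shadowed file names that step 5 reports on.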