Lumension presented alongside United Health Care System on how to protect electronic medical records by enforcing device control and data encryption policies.

1. Medical Records on the Run: Protecting Patient Data with Device Control and Encryption

2. Today’s Agenda Protecting Patient Data and HIPAA Policy-based Device Control and Data Encryption Device Control at University Health Care System Conclusion and Q & A

3. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension George Ward CISSP, CISM Manager Information Security, Computer Operations, University Health Care System

4. Protecting Patient Data and HIPAA Policy-based Device Control and Data Encryption Device Control at University Health Care System Conclusion and Q & A

5. » Challenges of Protecting Patient Data Economic and Competitive Pressures Increased HIPAA and PCI Regulatory Oversight Increasing Value of Personal Healthcare Information Data Sharing Outside of the Four Walls Consumerization of IT Electronic Protected Health Information (EPHI) Disclosure

6. Data Sharing Outside of the Four Walls Accessibility to Medical and Billing Records Increases… as Does the Risk Source: 2008 HIMSS Security Survey

7. Consumerization of IT

9. Data Breaches Risks Incidents Costs

10. Importance of Device Control

13. A Balanced Approach is Needed

14. HIPAA Security Rule Are You Ready?

18. Protecting Patient Data and HIPAA Policy-based Device Control and Data Encryption Device Control at University Health Care System Conclusion and Q & A

20. 1. Discover all devices that are currently or have ever been connected to every endpoint. 2. Assess device and data usage, including what device, on what machine, by which user, and when. 3. Implement flexible device whitelisting, allowing only approved devices to run. 4. Monitor the effectiveness of device usage policies. 5. Report on data protection policies to prove compliance and conduct forensics. Practical Data Protection Approach

27. Protecting Patient Data and HIPAA Policy-based Device Control and Data Encryption Device Control at University Health Care System Conclusion and Q & A

30. Health Care Data Loss Incidents in the Headlines

33. Enabling Removable Device Access – Previous Model

34. Lumension Device Control – RBAC for USB Devices

36. Device Control Ensures Security and Enables the Business Pass audits Automate controls Lower Risk Operational Maturity

37. Measurement of Lumension Device Control

38. Granular Controls Enable Effective Policy Plan Device Class Device Description Role-Based Access Control Removable Storage Devices Memory sticks, Flash drives, ZIP Drives, USB Hard Drives, etc. DVD/CD Drives CD, CD-R/W, DVD, DVD R/W Imaging Devices Scanners, webcams, etc. User Defined Devices Non-standard devices (Generic USB Devices, IPAQ, etc.) Blocked Portable Devices Digital Cameras, iPhones, MP3 Players, etc. Modem/Secondary Network Access Devices Modems that do not connect directly through normal channels Palm Handheld Devices Palm PDAs, Smartphones, etc. Floppy Disk Drives IDE, parallel, or USB Floppy Drives RIM Blackberry (Research in Motion) (Research In Motion) Handheld computers/mobile phones Biometric Devices Fingerprint readers, password managers, etc. Tape Drives Internal or external tape drives Windows CE Handheld Devices Windows CE computers using PocketPC OS Wireless Network Interface Cards Wireless LAN Adaptors Allowed Printers (USB/Bluetooth) USB and Bluetooth Printers COM/Serial Port (Serial Communication) Standard modems, phone cradles, etc. LPT/Parallel Ports (Line Printer Terminal) Standard printers, dongles, etc. PS/2 Ports (Personal System/2) Keyboards and Mice Smart Card Readers Readers for smartcards, etokens, or fingerprints

39. Communication and Rollout Plan Communication Means Message Present Status Executive Staff Meeting Overview (this presentation) 3/24/2009 Complete COO Briefing Overview 3/25/2009 Complete Security Management Subcommittee Overview 4/8/2009 Complete Cancer Committee Meeting Agenda item 4/10/2009 Complete E-mail current users Request ‘business need’ justification 4/13/2009 Complete Department Chair Meetings Agenda item 4/13 - 6/16/2009 Complete Department Directors Meeting Overview 4/15/2009 Complete IS Division Meeting Overview 4/15/2009 Complete F-22 Revision Publish link to Project Website 4/15/2009 Complete Internal Posters Devices, contact info, effective date 4/16/2009 Complete Housewide Memo 1 Devices, contact info, effective date 4/21/2009 Complete Medical Executive Committee Overview 4/21/2009 Complete IS Steering Overview 4/22/2009 Complete Employee Communiqué Newsletter Devices, contact info, effective date 4/24/2009 Complete Housewide Memo 2 Devices, contact info, effective date 4/28/2009 Complete Volunteer Executive Committee Meeting Agenda item 4/28/2009 Complete Housewide Memo 3 Devices, contact info, effective date 5/1/2009 Complete Physician Practice Managers Meeting Agenda item 5/1/2009 Complete Medical Staff Monthly Newsletter Devices, contact info, effective date 5/3/2009 Complete Nursing Matters N ewsletter Devices, contact info, effective date 5/3/2009 Complete Foundation Quarterly Newsletter Devices, contact info, effective date 5/15/2009 Complete Volunteer Q uarterly Newsletter Devices, contact info, effective date 5/27/2009 Complete

40. Monthly Newsletters and Memos On May 12, 2009 , University Hospital will protect electronic Protected Health Information (ePHI) by restricting USB storage device use to specific, authorized users. Unauthorized devices such as Universal Serial Bus (USB) drives, external hard drives, and non-encryptable devices such as digital cameras, cell phones, mp3 players, etc., will be blocked. Visit the "Device Control Project" link on the hospital's intranet homepage, or contact Dewayne Winston at [email_address] for more information.

44. Protecting Patient Data and HIPAA Policy-based Device Control and Data Encryption Device Control at University Health Care System Conclusion and Q & A