Data Security and Healthcare
• Complex data flows
• Millions of electronic medical records across many systems
• New and emerging business relationships
• Changing and maturing compliance frameworks
• Diverse population of mobile devices interacting
The Clinical Setting and Information Security
Compliance vs. Security View
• HIPAA/HITECH
• Meaningful Use
• Payment Card Industry
Compliance is the floor of security, not the ceiling.
Information Security Program View
• Governance
• Risk Management
• Compliance & Policy
• Continuous Monitoring & Audit
• Identity Management & Access Control
• Threat & Vulnerability Management
• Security Architecture and Standards
• Security Incident Management
• Security Awareness & Training
• Business Continuity & Disaster Recovery
Healthcare Security is not a unique snowflake.
Managing data security requires a programmatic approach to help ensure that controls are effectively planned, budgeted,
Security Services View
• Risk Management Services
• Threat Management Services (Indicators & Warnings)
• Vulnerability Management Services (Exposure Levels)
• Technical Control Allocation
• Protection Services: Boundary, Network, Server, Application, End Point
• Monitoring & Detection Services: Network Monitoring, Activity Monitoring, Integrity Monitoring, Data Loss Monitoring
• Incident Response Services
• Security Architecture
Choosing Your Data Security Controls
1. Select your data security controls wisely.
2. Know your real needs, performance expectations and operational / budget constraints.
End Point Security Architecture
• Needs to address the following
– Diversity of the end point (medical device, desktop, mobile, laptops, etc.)
– Bring Your Own Device (BYOD)
– Interaction with people and process
End Point Security Policy Enforcement Points
End point classes:
• Managed Business Workstation
• Managed Clinical Workstation
• Unmanaged – Medical System Device / System
• Unmanaged – BYOD
Controls applied per end point class:
• Active Directory Group Policy
• End Point Encryption
• AV/Host Intrusion Prevention
• Host Data Loss Prevention
• Virtualized Desktops / Applications
• Network Segmentation / Zoning
• Mobile Device Management
And let's not forget about these...
Identity & Access Control
Managing identities and authentication across the enterprise is becoming more and more complex.
It is critical that you create an access control strategy that can adapt to the health care system’s evolving application portfolio, organizational structure and business relationships. The more you can automate the better.
Identity sources: HR Data, Credentialing Data, Contractor Data, Student Data
Identity System: Entitlements, User Provisioning
Target systems: Health Applications, Business Applications
Authentication: Complex Passwords, Tap Badging, Single Sign On, Two Factor
Have an auditing strategy that regularly validates the effectiveness of your user provisioning and de-provisioning activities.
Role Based Access Controls
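The auditing strategy above asks you to regularly validate provisioning and de-provisioning. The usual way to do that is to reconcile the authoritative identity sources (the HR, credentialing and contractor feeds in the diagram) against what is actually enabled in the directory. The following is an added example, not code from the original deck: the HR rows, directory export, field names, the one-day disable SLA and the 90-day stale threshold are all constructed assumptions for illustration.

```python
"""Reconcile an HR feed against directory accounts to find de-provisioning gaps.
Added illustration; all records, field names and thresholds below are constructed."""
from datetime import date

# Constructed HR feed (assumed export format): one row per person.
HR_RECORDS = [
    {"person_id": "E1001", "status": "active",     "dept": "Cardiology", "term_date": None},
    {"person_id": "E1002", "status": "terminated", "dept": "Billing",    "term_date": date(2024, 3, 1)},
    {"person_id": "C2001", "status": "active",     "dept": "Contractor", "term_date": None},
    {"person_id": "E1003", "status": "terminated", "dept": "Radiology",  "term_date": date(2024, 3, 20)},
]

# Constructed directory export (assumed format): account, HR link, state, last logon, groups.
DIRECTORY_ACCOUNTS = [
    {"sam": "jdoe",    "person_id": "E1001", "enabled": True,  "last_logon": date(2024, 3, 25), "groups": ["EHR-Clinicians"]},
    {"sam": "bsmith",  "person_id": "E1002", "enabled": True,  "last_logon": date(2024, 3, 18), "groups": ["Billing-Users"]},
    {"sam": "ctemp",   "person_id": "C2001", "enabled": True,  "last_logon": date(2024, 3, 24), "groups": ["EHR-ReadOnly"]},
    {"sam": "rlee",    "person_id": "E1003", "enabled": False, "last_logon": date(2024, 3, 19), "groups": ["EHR-Clinicians"]},
    {"sam": "svc-old", "person_id": None,    "enabled": True,  "last_logon": date(2023, 9, 1),  "groups": ["Domain Admins"]},
]

GRACE_DAYS = 1    # assumed SLA: disable within one day of termination
STALE_DAYS = 90   # assumed: enabled accounts unused this long need review


def reconcile(hr_records, accounts, as_of, grace_days=GRACE_DAYS, stale_days=STALE_DAYS):
    """Return a list of findings; each is {"sam", "issue", "detail"}."""
    hr_by_id = {r["person_id"]: r for r in hr_records}
    findings = []
    for acct in accounts:
        person = hr_by_id.get(acct["person_id"]) if acct["person_id"] else None
        if person is None:
            # Account with no authoritative owner: nobody will ever trigger its de-provisioning.
            findings.append({"sam": acct["sam"], "issue": "orphan_account",
                             "detail": "no HR record linked to account"})
        elif person["status"] == "terminated" and acct["enabled"]:
            overdue = max((as_of - person["term_date"]).days - grace_days, 0)
            findings.append({"sam": acct["sam"], "issue": "deprovision_overdue",
                             "detail": f"terminated {person['term_date']}, still enabled {overdue} day(s) past grace"})
            if acct["last_logon"] > person["term_date"]:
                # The gap was actually used, which is an incident, not just a hygiene problem.
                findings.append({"sam": acct["sam"], "issue": "post_termination_logon",
                                 "detail": f"last logon {acct['last_logon']} after termination"})
        if acct["enabled"] and (as_of - acct["last_logon"]).days > stale_days:
            findings.append({"sam": acct["sam"], "issue": "stale_account",
                             "detail": f"enabled but unused since {acct['last_logon']}"})
    return findings


def sla_met_fraction(hr_records, accounts):
    """Fraction of terminated people whose linked accounts are all disabled (1.0 is ideal)."""
    terminated = {r["person_id"] for r in hr_records if r["status"] == "terminated"}
    linked = [a for a in accounts if a["person_id"] in terminated]
    if not linked:
        return 1.0
    return sum(1 for a in linked if not a["enabled"]) / len(linked)


def run_example(as_of=date(2024, 3, 26)):
    return reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, as_of)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['sam']:8} {f['issue']:24} {f['detail']}")
    print("de-provisioning SLA met:", sla_met_fraction(HR_RECORDS, DIRECTORY_ACCOUNTS))
```

Run against the constructed data this flags bsmith (terminated but still enabled, and logged on after the termination date) and the orphaned, unused svc-old account, while rlee (disabled on time) and the active users produce nothing. The fraction returned by sla_met_fraction is the kind of metric the audit strategy can track release over release; the detail strings are what you hand to the access administrators.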
Boundary Security Architecture
• Needs to address the following
– Data Flow
– Ports and Protocols Management
– Consider the diversity of your end points and how data is accessed
Boundary Policy Enforcement Points
• Internet – Untrusted Zone
• DMZ Security Zone: Firewall, B2B VPN, Client VPN, Two Factor, Web Application
• Guest Wireless Networks
• Provider Wireless Networks
• Staff Wireless Networks
• Data Center Security Zones
• Entity – Hospital Security Zones
Data Center Operations Security
Protection Strategy
• Virtualization
• Storage Level Encryption
• Patch Management
• Secure Media Disposal
• Database Security
• Application Security
• Server Hardening
• Identity - Access Control
• Federation Services
• Public Key Infrastructure
• Privileged Access Management
Security Monitoring Strategy
• Network Security Events
• High Criticality - Sensitivity
• Moderate Criticality - Sensitivity
• Privileged - User Activity Monitoring
Security Monitoring
• Have a plan
– Where will you store the logs
– What do you want to see
– What will you do with the events
– You will need some talent
Security Monitoring components (diagram)
• End Point & Network Components feeding Network Security Event Log Aggregation: Network Data Loss Prevention, E-Mail Gateway, Web Gateway, Network Intrusion Prevention, Firewalls / VPN, Radius, End Point Policy and Event Aggregation, Anti Virus – Host Intrusion Prevention, At Rest Scanning
• Application Monitoring feeding Activity Log Aggregation: Applications – Patient Usage\Activity, Applications – Internal Usage\Activity, Applications – Cloud – Usage\Activity, Authentication Services, Identity Services
Ensure it is aligned with your incident
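"What do you want to see" and "what will you do with the events" are the hard parts of the monitoring plan, and in a hospital the activity logs that matter most are the patient usage\activity feeds from the applications and the privileged-user activity called out above. The following is an added example, not code or detection content from the original deck: it parses a constructed EHR audit log and runs three rules a healthcare SOC typically starts with. The log format, role names, business-hours window and bulk threshold are all assumptions for illustration.

```python
"""Three starter rules over EHR application audit events.
Added illustration; log format, roles, hours and thresholds are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)             # assumed: 07:00-18:59 is "in hours"
ALWAYS_ON_ROLES = {"nurse", "physician"}  # assumed: bedside roles work every shift
PRIVILEGED_ROLES = {"dba", "sysadmin"}    # infrastructure roles with no clinical reason to read charts
BULK_THRESHOLD = 20                       # distinct patients in one window that warrants a look
BULK_WINDOW = timedelta(minutes=30)

# Constructed audit lines (timestamp user role action MRN zone), not real data.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-26T09:02:11 jdoe nurse VIEW MRN10001 clinical",
        "2024-03-26T09:03:40 jdoe nurse VIEW MRN10002 clinical",
        "2024-03-26T02:15:09 bsmith billing VIEW MRN10007 business",
        "2024-03-26T10:00:01 dbadmin dba QUERY MRN10001 datacenter",
        "2024-03-26T10:00:02 dbadmin dba QUERY MRN10002 datacenter",
    ]
    # a contractor paging through 25 different charts in 25 minutes
    + [f"2024-03-26T11:{m:02d}:00 ctemp contractor VIEW MRN{10100 + m} clinical" for m in range(25)]
)


def parse_events(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, mrn, zone = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "mrn": mrn, "zone": zone})
    return events


def detect(events):
    """Return findings as {"user", "rule", "detail"}; one finding per user per rule."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        role = evs[0]["role"]
        # Rule 1: privileged infrastructure roles reading patient records at all.
        if role in PRIVILEGED_ROLES:
            findings.append({"user": user, "rule": "privileged_phi_access",
                             "detail": f"{len(evs)} record-level access(es) by role {role}"})
        # Rule 2: non-clinical roles touching records outside business hours.
        if role not in ALWAYS_ON_ROLES:
            off = [e for e in evs if e["ts"].hour not in BUSINESS_HOURS]
            if off:
                findings.append({"user": user, "rule": "after_hours_access",
                                 "detail": f"{len(off)} access(es), first at {off[0]['ts'].isoformat()}"})
        # Rule 3: many distinct patients inside a sliding window (snooping or export).
        window = deque()
        peak = 0
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > BULK_WINDOW:
                window.popleft()
            peak = max(peak, len({w["mrn"] for w in window}))
        if peak >= BULK_THRESHOLD:
            findings.append({"user": user, "rule": "bulk_access",
                             "detail": f"{peak} distinct patients within {BULK_WINDOW}"})
    return findings


def run_example():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['user']:10} {f['rule']:24} {f['detail']}")
```

On the constructed log the nurse's two in-hours chart views produce nothing, while the billing user at 02:15, the database administrator querying patient rows, and the contractor who opened 25 charts in 25 minutes each generate exactly one finding. Each rule answers the plan's questions in order: the event source is the application activity log, the thing you want to see is one of these three patterns, and the thing you do with it is route the finding to whoever owns that role's access.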
People
• Ensure your data security plan addresses people and positive security behaviors.
• Get beyond the compliance checkbox.
• Train them how to use the controls and identify malicious activity.
• Train them how to protect themselves and the systems they operate.
• Make sure awareness is continuous.
Policy & Standards
• Ensure you review your technically focused policies
• Ensure you have an exception process with teeth
• Have a solid technology audit & assessment plan
• Address the people, processes and technology
Corporate Security Policy → Corporate Security Standards → Compliance, Security, Privacy & Controls (Corporate Security)
Some takeaways
• Ensure your Data Security Plan covers the “blocking and tackling.”
• Prioritize based on the biggest threats and high-risk processes and systems.
• Embrace the changing environment; it’s not going to get less complex or easier.
• When addressing data security, understand that you need to consider the local healthcare ecosystem. What you do has an impact.
• Solid, well-communicated policy and standards are critical for success.
– Integrates into IT Management Processes and support models.
– Ensure your customers know how to use the controls.