Data Security in a Mobile, Cloud-Based World

#NatCon14

Jacob Buckley-Fortin

CEO eHana

What we’ll cover

• Trends
• Risks

Trends

Mobile Has Taken Over

• 450 million users worldwide

• Adopted primarily outside of the U.S.

• More messages sent than SMS worldwide
• More photos sent than Facebook

$19,000,000,000

Trend #2

The Cloud is Taking Over

Services Delivered Over the Internet

Three Key Service Models

Infrastructure as a Service

Replaces physical devices you would normally host
• Virtual Servers
• Virtual Storage
• Virtual Network Equipment

Platform as a Service

• Hosted Application Program Interfaces (APIs)
• Development

Software as a Service

Hosted software delivered over the Internet

• Productivity Software
• Electronic Health Records
• Customer Relationship Management
• Helpdesk
• Human Resources
• General Ledger
• Enterprise Resource Planning
• Appointment Reminders
• Other things…

Benefits of the Cloud

• Speed
• Cost (expense vs. asset)
• Scale
• Updates

Google Apps for Nonprofits

SaaS vs. Legacy

“Software is Eating the World”

Marc Andreessen

Industrial Economy

• HQ-Oriented, process-centric workplace
• Analog products, one-size-fits-all
• System-centric back-office IT

Information Economy

• Distributed, mobile, dynamic, agile workplace
• Digital, smart, predictive products
• User-centric, simple front-office IT

Compliance

Security Laws

• HIPAA (and HITECH/HIPAA)
• FTC Act section 5 (unfair and deceptive practice)
• State breach laws
• State information security laws (201 CMR 17 is the strictest in the country)
• State-specific laws for specific medical conditions

Protected Health Information

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code;
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number,
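As an added example that is not part of the deck, the Safe Harbor rules listed above applied to one record in Python: direct identifiers are removed, a ZIP code keeps only its initial three digits, dates keep only the year, and ages over 89 fall into the single "90 or older" category. The field names and the sample record are constructed for illustration, not a standard format.

```python
import re

# Field names this constructed record format uses for the Safe Harbor
# categories that are removed outright (items 1, 4-18 and the non-ZIP part of 2).
DROP_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "000-00-0000", "email": "jane@example.com",
    "zip": "02139-1234", "birth_date": "1921-05-17",
    "admission_date": "2014-03-12", "age": 93, "diagnosis_code": "E11.9",
}

def generalize_zip(zip_code: str) -> str:
    """Item 2: keep only the initial three digits of a ZIP code."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:3] if len(digits) >= 5 else ""

def generalize_date(date_iso: str) -> str:
    """Item 3: drop month and day from a YYYY-MM-DD date, keeping the year."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", date_iso)
    return m.group(1) if m else ""

def generalize_age(age: int) -> str:
    """Item 3: ages over 89 collapse into the single category '90 or older'."""
    return "90 or older" if age > 89 else str(age)

def deidentify(record: dict) -> dict:
    """Apply the Safe Harbor rules to one record and return what may be kept."""
    over_89 = int(record.get("age", 0)) > 89
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifiers are removed, not masked
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key.endswith("_date"):
            # For the 90-or-older category even the birth year indicates age.
            if over_89 and key == "birth_date":
                continue
            out[key] = generalize_date(str(value))
        elif key == "age":
            out[key] = generalize_age(int(value))
        else:
            out[key] = value  # clinical content such as diagnosis codes stays
    return out
```

The regulation behind this list (45 CFR 164.514(b)) additionally requires the three-digit ZIP prefix to become 000 when the area it covers has 20,000 or fewer people; the deck does not mention that condition and this example does not check it.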

State Standards – MA P.I.I.

A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) Driver's license number or state-issued identification card number; or

(c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account

Big vendors will now sign BAAs

Theft + Loss = 82% of records

Breach Notification

• U.S. states have 47 breach notice laws
• HIPAA is the only federal breach notice law, and it only applies to HIPAA CEs and BAs
• HIPAA breach standard was tightened in 2013
  – Risk analysis required if not reporting

Breach Notification

• Breach means “the acquisition, access, use, or disclosure of PHI in a manner not permitted… which compromises the security or privacy of the PHI”

Breach Notification

• Requires immediate notification of Federal Gov’t > 500 individuals affected
• Annual notification < 500 individuals
• Notification to a major media outlet
• Listed on public website (“public shaming”)
• Individual notification to patients
• Penalties range from $10,000 - $1.5M

Recommendations

Safe Harbor - Algorithmic Process

Encryption

Disk Encryption

HIPAA Safe Harbor

Supported by all 4 major Operating Systems

Microsoft “BitLocker”
• Windows Vista, 7, 8 (Pro)
• Transparent operation
• TPM, USB, PIN

Control Panel > System and

OS X “FileVault”

• OS X 10.3+
• Transparent operation

Preferences > Security & Privacy

iPhone + iPad

• iOS 3.0+

• Just use a PIN

Settings > General > Passcode Lock

Touch ID

Unless you have 3rd party software…

• Windows XP, 2000 laptops
• OS X before 10.3 Panther
• Android 2.X Phones/Tablets
• Original iPhones

… may be at risk!

So, about Windows XP…

• Security updates, support have ended
• Windows XP machines storing PHI are likely not HIPAA compliant

Require Full Disk Encryption

Required by 201 CMR 17

17.04(5) Encryption of all personal information stored on laptops or other portable devices

Recommendation #2

Create BYOD Policies

Bring Your Own Device (BYOD)

• 68% CIOs support BYOD in some form
• 46% enforce device security

“When strong winds blow, don’t build walls but rather windmills.”

Bring Your Own Device (BYOD)

• Technical Approach (MDM)
• Roles & Responsibilities
  – Users
  – Purchasing
  – Helpdesk
• Training
• Privacy of user data
• Security
  – Transmission
  – At-rest
• Plans & Carriers
• Apps
• Asset Tracking
• Incentives

BYOD Agreements

• Determines eligibility
• Defines reimbursement levels
• Explains security considerations
• Defines acceptable use

Recommendation #3

Implement Mobile Device Management (MDM)

Mobile Device Management (MDM)

MDM Enrollment

• Text message
• Email
• Web address

MDM Security

• Require device encryption

MDM Workflow

• Install apps
• Add Wifi Passwords
• Install email accounts
• Limit sharing of corporate resources
• Add bookmarks

MDM Device Management

• Remove corporate assets when employee leaves

Unified Threat Management (UTM)

Components of UTM

• Firewall
• Intrusion Prevention
• Antivirus / Antispam
• VPN
• Content Filtering
• DLP strategies

Examples

• Prevent use of USB sticks
• Implement web filtering – Dropbox, Google Drive, etc.
• Review Instant Messaging, email filters, secure email

Remember: Mobile & Cloud Security is Just Security

• Develop written infosec plan
• Assign Security & Privacy officer
• Lock out terminated employees
• Manage 3rd-parties
• Restrict physical access to PHI
• Document incidents & breaches
• Use Single Sign-On
• Password complexity & resets
• Block after multiple attempts
• Encrypt data in transit (especially over wifi)
• Monitor systems
• Use firewalls
• Educate and train
