Data Loss Prevention and HIPAA Kit Robinson
Data Loss Prevention and HIPAA
Kit Robinson, Director, [email protected]
ID Theft Tops FTC's List of Complaints
– For the 5th straight year, identity theft ranked 1st of all fraud complaints.
– 10 million cases of identity theft annually.
– 59 percent of companies have detected some internal abuse of their networks.
2006 Vontu, Inc. Proprietary and Confidential. All Rights Reserved.
Changing Threats to Data Security
Top 10 Most Frequent Incidents
1. Patient PHI sent to partner, again, and again
2. Employee 401k information sent outbound and inbound
3. Payroll data being sent to home email address
4. Draft press release to outside legal counsel
5. Financial and M&A postings to message boards
6. Source code sent with resume to competitor
7. SSNs, and thousands of them
8. Credit card or account numbers, and thousands of them
9. Confidential patient information
10. Internal memos and confidential information
Data Loss Prevention: Three Key Customer Challenges
1. Where is my confidential data stored? – Data at Rest
2. Where is my confidential data going? – Data in Motion
3. How do I fix my data loss problems? – Data Policy Enforcement
Why Data Loss Prevention is a Priority
– Compliance
– Brand and Reputation Protection
– Remediation Cost
The Risk: 1 in 400 messages contain confidential information; 1 in 50 network files are wrongly exposed.
American National Insurance Company
Fortune 583; Market Cap 3.25B; Revenue 2.9B; Employees 4,200; Industry: Insurance
Vontu Solution: 1. Monitor 2. Prevent
Business Drivers
– Protect policy holder information
– Protect employees' PHI
– Layered approach with email encryption
– HIPAA compliance
Why Vontu Was Selected
– Ability to prevent policy breaches
– Integration with PGP encryption
American National Insurance Results
– Monitor all protocols
– Prevention activated with PGP within two months
– Automated enforcement
– Encrypt all emails with employee or patient information
American Association of Retired Persons
Fortune 583; Market Cap 3.25B; Revenue 2.9B; Employees 2,670
Vontu Solution: 1. Monitor 2. Prevent
Business Drivers
– Protect membership information
– Protect Social Security Numbers
– Protect credit card numbers and PCI compliance
– Protect confidential documents
Why Vontu Was Selected
– Ability to block/quarantine messages
– High degree of accuracy
– Ability to delegate incident response to business units
AARP Results
– Secure partner communications
– Efficiency in investigations
– Updating insecure business processes
Enforce Policies to Reduce Risk
Enforcement Levels
1. Remediation
2. Notification
3. Prevention and Protection
How is Risk Reduced?
– Fix broken processes
– Educate workforce
– Notify policy violators
– Notify management
– Protect files
– Prevent incidents
[Chart: Incidents (0 to 100) falling across the stages Baseline, Remediation, Notification, Prevention & Protection]
Unified Data At Rest and Data in Motion Protection
Intellectual Property: Source Code; Design Documents; Patent Applications
Patient Data: Social Security Numbers; Non-Public Information; Credit Card Numbers
Employee Data: Social Security Numbers; Employee Contact Lists; 401K and Benefits Info
Corporate Data: Financials; Merger & Acquisitions; Strategy and Planning
Discover and Protect Confidential Data at Rest
1. Define confidential data policy
2. Run scan and discover exposed data
3. Enforce policy by automatically protecting files
4. Remediate incidents
5. Report on risk and compliance
Monitor and Prevent Confidential Data in Motion
1. Employee sends confidential data
2. Vontu detects or prevents incident
3. Vontu notifies employee
4. Vontu workflow automates remediation
5. Report on risk and compliance
Secure Messaging Solution
1. Employee sends confidential data (marked SENSITIVE)
2. Vontu detects incidents
3. Vontu tags email message
4. PGP automatically encrypts tagged messages
5. Report on risk and compliance
Vontu covers HIPAA (Health Insurance Portability & Accountability Act, 1996)
“Individually Identifiable Health Information” is information that identifies the individual AND relates to one of:
– Past, present, or future physical or mental health or condition of an individual, OR
– The provision of health care to an individual, OR
– The past, present, or future payment for the provision of health care to an individual
NOT covered: communications with Treatment, Payment, Operations (TPO) partners
Vontu HIPAA Policy: How Vontu Detects HIPAA
1. Exact Patient Data
– Social Security Numbers
– Health Insurance Card Numbers
– First Name, Last Name
– Address & Phone Numbers
WITH
2. Drug, Disease, Treatments
– Medical Disease Keywords
– Medical Treatment Keywords
– Drug Keywords
EXCEPT
3. Specific TPO Partners
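The AND/EXCEPT structure of the HIPAA policy above (exact patient identifiers, WITH a medical keyword, EXCEPT when the recipient is a TPO partner) as an added illustration; this is not Vontu's detection engine, and the patient index, keyword lists and partner domain are constructed sample data.

```python
import re

# Constructed sample data (not from the deck): a tiny "exact patient data" index
# of (SSN, first name, last name) records, and an allow-listed TPO partner domain.
PATIENT_INDEX = {
    ("123-45-6789", "jane", "doe"),
    ("987-65-4321", "john", "smith"),
}
TPO_PARTNERS = {"claims.example-insurer.com"}   # assumed partner domain

DISEASE_KEYWORDS = {"diabetes", "hiv", "depression", "asthma"}
TREATMENT_KEYWORDS = {"chemotherapy", "dialysis", "surgery"}
DRUG_KEYWORDS = {"insulin", "metformin", "lithium"}
MEDICAL_KEYWORDS = DISEASE_KEYWORDS | TREATMENT_KEYWORDS | DRUG_KEYWORDS

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _words(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def exact_patient_hits(text):
    """SSNs in the text that, together with the patient's name, match an indexed record.
    A bare SSN-shaped number with no matching record is not 'exact patient data'."""
    words = _words(text)
    return [ssn for ssn in SSN_RE.findall(text)
            for rec_ssn, first, last in PATIENT_INDEX
            if ssn == rec_ssn and first in words and last in words]


def medical_keyword_hits(text):
    """Disease, treatment and drug keywords present in the text."""
    return sorted(_words(text) & MEDICAL_KEYWORDS)


def hipaa_violation(text, recipient):
    """Exact patient data WITH a medical keyword, EXCEPT to a TPO partner.
    Returns an incident record, or None when the policy does not fire."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in TPO_PARTNERS:
        return None
    identifiers = exact_patient_hits(text)
    keywords = medical_keyword_hits(text)
    if identifiers and keywords:
        return {"identifiers": identifiers, "keywords": keywords,
                "recipient": recipient}
    return None
```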
Healthcare Solution Pack
Data Loss Priorities & Policy
– Healthcare Compliance: Regulations (HIPAA); M&A language
– Patient & Employee Data: Account info; Personal info; Enrollment info; Employee benefit info; Pharmacy info; Insurance claim info
– Confidential Data: Rate calculators; Financial info; M&A info; General confidential docs
Roles & Responsibilities
– Security Services Responder: “Front line” for remediation; “Fan-out” to extended remediation team
– Security Services Manager: Escalations within the Security Services
– Compliance Officers: Compliance & incident trends; Risk scorecards
– Internal Auditors: Compliance & incident trends; Risk scorecards
– HR/Employee Relations: Incidents that lead to employee termination
– Legal/Privacy Officers: Investigate incidents to mitigate legal actions; Compliance & incident trends; Risk scorecards
– Investigations & Forensics: Focused investigation on specific employees
– Business Unit Managers: Corporate involvement on escalated incidents
– Executives (trends & dashboards): Risk trends and performance metrics; Risk dashboards
Data Loss Prevention Requirements
– Discover and protect confidential data at rest
– Monitor and prevent confidential data in motion
– Accurate detection across all content and groups
– Automate enforcement and response workflow
– Encryption visibility and control
– Safeguard employee privacy
– Proven global scale and architecture
Self-Risk Assessment
1. How many emails leave your company with PHI?
2. Who is sending the confidential information?
3. Which protocols carry the most violations?
4. How many of these emails violated a regulation?
5. What is your risk level compared to that of peer companies or competitors?
Risk Assessment Scorecard
[Table: columns Priority Data, Severity of Loss, Data at Rest Frequency, Data in Motion Frequency, Risk; rows HIPAA, Patient Data, CA 1386, Research, Physician Referral; each cell rated Medium to Very High with an incident count]
Risk = Severity x Frequency
Data Loss Prevention In Summary
– Reduce risk of data loss
– Reduce financial loss
– Protect brand and reputation
– Demonstrate compliance
“Vontu met all our requirements to meet the highest degree of compliance with both our own data security policies and state and federal regulations”
Charles Addison, CIO, American National Insurance