A Trend Micro White Paper | June 2012 Addressing the Data Protection Requirements of the HITECH Act Trend Micro, Incorporated Simplifying data protection for healthcare industry compliance with endpoint encryption
A Trend Micro White Paper | June 2012

Addressing the Data Protection Requirements of the HITECH Act

Trend Micro, Incorporated

Simplifying data protection for healthcare industry compliance with endpoint encryption

Page 2 of 14 | Trend Micro White Paper | Addressing the Data Protection Requirements of the HITECH Act

INTRODUCTION

In February 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as a component of the American Recovery and Reinvestment Act of 2009 (ARRA), which contained substantial provisions for the safeguarding of protected health information (PHI) by healthcare organizations as well as their business associates. The HITECH Act, also known as the Stimulus Bill, continues the effort of the Health Insurance Portability and Accountability Act (HIPAA) to encourage movement to electronic patient records and to deliver stricter data protection regulations for more secure patient privacy.

Among the most important of the HITECH Act mandates is a federal breach notification requirement for stored health information that is not encrypted or otherwise made indecipherable, as well as increasing penalties for violations in four established tiers. Until this law was passed, only two of the 48 states with data breach notification requirements included health information as a specified data type. Now, with the HITECH Act, the entire United States healthcare industry and their business associates must understand and fulfill the data breach notification requirements.

With the HITECH Act in effect, its problems and challenges are already being felt. Thousands of healthcare businesses are struggling to understand the Act's breach notification requirements and what it means to encrypt their data. The U.S. Department of Health and Human Services (HHS) and state Attorneys General have also introduced more severe penalties for failure to comply within specified HITECH time limits—and these penalties are already being enforced. To keep patient information protected and avoid penalties, healthcare organizations must implement an organization-wide data security strategy immediately. The urgent need for a solution is highlighted by a Ponemon Institute December 2011 report, which found that 78% of organizations surveyed had experienced a data breach in the past 12-24 months.

This whitepaper is written to specifically address healthcare organizations’ HITECH concerns and questions, so that they have confidence in Trend Micro’s ability to untangle the complexity and ensure compliance.

Topics covered in this whitepaper:

• HITECH Act data security requirements defined

• Healthcare data security trends

• Nine predictions for the healthcare industry in 2013

• Untangling the complexities of data protection

• Benefits and key advantages of endpoint encryption

Further, an appendix provides suggested policy settings to help protect data and comply with the HITECH Act.


HITECH ACT DEFINED

The Health Information Technology for Economic and Clinical Health (HITECH) Act’s goal is to advance the use of health information technology (HIT) and electronic health records (EHR). It does so in four ways:

1. Requires the government to take a leadership role to develop standards that allow for the nationwide electronic exchange and use of health information to improve quality and coordination of care.

2. Invests $20 billion in health information technology infrastructure, Medicare, and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patient health information.

3. Saves the government $10 billion, and generates additional savings throughout the health sector—through improvements in quality of care and care coordination, and reductions in medical errors and duplicative care.

4. Strengthens Federal privacy and security laws to protect identifiable health information from misuse as the health care sector increases use of HIT.

The Congressional Budget Office estimates 90 percent of doctors and 70 percent of hospitals will be using comprehensive EHRs within the next decade, emphasizing the need for the HITECH Act’s data security and breach notification requirements, which go beyond previously enacted HIPAA legislation.

REQUIREMENTS UNDER HITECH ACT

HITECH applies to “Covered Entities” and their “Business Associates.”

Provisions within the HITECH Act require affected patients, Health and Human Services (HHS), and in certain situations, the media, to be notified in the event of an unauthorized disclosure of patient-protected health information.

Stricter requirements have been established for securing and maintaining privacy of sensitive patient information—as well as larger penalties for violations. Under the Act, negligent compliance practices can result in fines up to $1.5 million per incident, and state Attorneys General have the authority to prosecute organizations that encounter a breach.

The HHS is directed to provide guidance to support the requirements of the HITECH Act. One part of this guidance includes “specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” This applies to data at rest and in transit. The guidance is based on the Federal Information Processing Standards (FIPS) developed by the National Institute of Standards and Technology (NIST), which require providers to be able to prove that information is protected in the event of a breach.


HHS uses the NIST guidelines to define standards for measuring data protection solutions. It has deemed that data at rest protected in accordance with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, is rendered secure.

ENFORCEMENT, PENALTIES, AND RULES

There have been several high profile incidents where fines have been assessed. For example, Massachusetts General Hospital, one of the nation’s most prestigious hospitals, reached a $1 million settlement in 2011 after an employee left records of sixty-six patients on a subway. The University of California Los Angeles Health System was fined $865,000 in 2011 after several employees viewed celebrity patients’ medical records without permission. That same year, Connecticut insurance provider Health Net Inc. paid $250,000 for waiting more than six months to notify 500,000 patients that their unencrypted patient health information was on a missing disk drive.

In March 2012, Blue Cross Blue Shield (BCBS) of Tennessee was assessed the maximum penalty of $1.5 million for the loss of an unencrypted hard drive. BCBS of Tennessee also incurred $17 million in expenses to notify all of their patients and to perform a risk assessment.

These fines indicate a more aggressive enforcement posture across the country in response to the growing number of healthcare data privacy and data breach incidents.

One of the greatest data security controversies is centered on HHS’ “harm threshold” provision that was meant to assist covered entities and business associates to determine whether or not to report a breach. HHS mandated that “post-incident risk assessments” be used to determine the level of risk to the affected patients. If the assessment determined that there was substantial “risk of financial, reputational or other harm” as a result of the incident, the organization was required to notify the affected individuals (as well as HHS and possibly the media).

The “harm threshold” created concern among privacy advocates that this “self-monitoring” approach would lead to inconsistent reporting and potentially intentional non-reporting of serious data privacy exposures. As a result of this uproar, HHS withdrew their final rule for further consideration. It remains unclear whether their final rule will contain a “harm threshold” for data breach notification.


DATA SECURITY TRENDS AND PREDICTIONS

TRENDS IN THE HEALTHCARE INDUSTRY

The Ponemon Institute conducted a Benchmark Study on Patient Privacy and Data Security in December 2011. They found that data breaches are a frequent occurrence in healthcare organizations, threatening patient privacy and leaving healthcare organizations with a heavy financial burden. The loss or theft of patient information experienced by healthcare providers in the Ponemon Study revealed that the number of data breaches among healthcare organizations is still growing. On average, it estimates that data breaches cost organizations $2,243,700, representing an increase of $183,526 from the 2010 study.

Here are additional trends uncovered by the Ponemon study:

• Frequency of breaches has increased 32 percent from previous year

• 96 percent of all healthcare providers had at least one data breach in the last two years

• The average number of lost or stolen records per breach was 2,575—an increase from an average of 1,769 reported the previous year

• The top three causes for a data breach are: lost or stolen computing devices, third-party error, and unintentional employee action

The top three causes for data breaches remain unchanged from 2010. The only exception is that lost or stolen computing devices have been cited by 49 percent of respondents, up from 41 percent in 2010.

As health information exchanges are implemented, millions of electronic health records have the potential for unauthorized access resulting in numerous violations of the HITECH Act and other data breach laws. Numerous highly publicized data security events have quickly impacted how healthcare organizations and their business associates are approaching data security moving forward.

NINE PREDICTIONS FOR THE HEALTHCARE INDUSTRY FOR 2013

1. Increase in the number of smaller scale breaches reported: Healthcare entities are now required to report breaches affecting 500 or more individuals.

2. Increase in low-tech data theft: There will be an increase in low-tech theft, where data is stolen through non-electronic means. Data thieves look for the path of least resistance, focusing on areas of least attention to the organization.

3. USB flash drives, smartphones, and laptops will dominate the data theft landscape: These devices will increase the number of patient records exposed and will be the major source of data breaches and theft.

4. Increased collaboration and interoperability: Interoperability of systems is a requirement for healthcare organizations switching to electronic health records. This interoperability of systems will increase the vulnerability and risk of data to exposure, loss, and theft.


5. Data encryption will drive data compliance: Data encryption is one of the best defenses against data theft and exposure of electronic health records. Encryption is fast becoming an essential part of healthcare organizations’ data security plans. By properly encrypting patient records, the data is protected, regardless of whether it is lost or stolen.

6. Third parties must implement data security practices: The HITECH Act is placing business associates of healthcare organizations, such as CPA firms and attorneys, under the same stringent breach notification requirements, increasing the scope of data security plans.

7. Data protection and privacy awareness training will be mandatory: Training is becoming an essential component of healthcare organizations’ data security plans. Programs are being developed and implemented to train employees on the importance of adhering to data security policies, guidelines for securing patient records and confidential information, how to recognize data security vulnerabilities, and how to report potential data security breaches.

8. Federal breach notification law: There are indicators that a Federal breach notification law will be introduced. It has already been presented to Congressional committee and a vote is expected in 2012.

9. Stakeholder involvement: Increasingly HITECH Act and regulatory compliance mandates are being added as an agenda item to board of directors and executive meetings so that healthcare decision makers can keep their organizations out of the next data breach headline.

HOW TREND MICRO CAN HELP

According to the 2011 Ponemon Study, 23 percent of healthcare organizations use a process that relies on policies and procedures to detect and prevent data breach incidents. In addition, 55 percent have a combination of “ad hoc” processes and manual procedures for data security. The complexity of conventional solutions is the cause for these approaches to data protection. Conventional solutions push “there is no silver bullet to data protection” as an excuse for not being advanced enough to provide a comprehensive, fortified, and easy-to-use data protection solution.

TREND MICRO™ ENDPOINT ENCRYPTION

Trend Micro helps those responsible for safeguarding patient records find peace of mind by untangling the complexities of data protection and HITECH Act compliance, providing a comprehensive, policy-driven, and easy-to-use data encryption solution for PCs, laptops, and USB flash drives. With Trend Micro™ Endpoint Encryption, healthcare organizations and their business associates can meet the HITECH Act’s stringent regulatory compliance requirements for data security.


Trend Micro Endpoint Encryption addresses many of the data security challenges that healthcare organizations face by seamlessly integrating the multiple hardware and software encryption options required to protect electronic healthcare records wherever they travel. The encryption and management options include:

• Full disk encryption

• File/folder encryption

• Removable media encryption

• Email attachment encryption

• Management of self-encrypting hard drives

• Granular port and device control

This easy-to-use solution manages both hardware and software encryption across the enterprise from a single management console and server. The encryption of entire hard drives, specific files, folders, removable media, and storage devices is transparent. With the flexibility to seamlessly transition between encryption types, Trend Micro Endpoint Encryption provides customers with the ability to protect patient records and sensitive data even as the data is transferred and copied to different devices.

Trend Micro Endpoint Encryption: Comprehensive hardware and software encryption and port and device control for laptops, desktops, and USB flash drives

• PolicyServer: Central management server for policy administration, authentication, reporting, auditing, and alerting

• DataArmor: Full disk encryption for desktops, laptops, and management of Self-Encrypting Hard Drives

• FileArmor: File folder encryption, and port and device control

Trend Micro Endpoint Encryption for Removable Media: Encrypts data and provides port and device control

• PolicyServer: Central management server for policy administration, authentication, reporting, auditing, and alerting

• FileArmor: File folder encryption, and port and device control

Trend Micro KeyArmor: Fully encrypted USB flash drive with embedded antivirus

• PolicyServer: Central management server for policy administration, authentication, reporting, auditing, and alerting


BENEFITS OF TREND MICRO ENDPOINT ENCRYPTION

Comprehensive Data and Device Encryption

• Protects patient and electronic health records with fully integrated, full disk, file folder, USB, and removable media encryption

• Offers flexible hardware- and software-based encryption for mixed environments

• Encrypts the entire hard drive: master boot record, OS, system files, swap/hibernation files

• Supports self-encrypting drives from Seagate and the emerging TCG Opal SED standard

• Enables automatic and transparent encryption without performance degradation

Centralized Policy Administration and Key Management

• Provides visibility and control over encryption, monitoring, and protection of data

• Supports a unified data repository with a single management server and console

• Automates policy enforcement with optional remediation of security events

Device Management

• Manages policies to protect data on desktops, laptops, and USBs

• Automatically recognizes, adds, and deploys policies to new devices

• Collects device-specific information such as device attributes, directory listing, and unique device IDs based on device name, MAC address, and CPU identifier

Advanced Reporting and Auditing

• Facilitates HITECH Act compliance with data protection mandates

• Provides detailed auditing and reporting by individual, organizational unit, and device

• Assists compliance initiatives with an audit trail for all administrative actions

Pre-Boot Multi-Factor Authentication

• Offers flexible authentication, including fixed password, CAC, PIV, PIN, and ColorCode®

• Enables policy update before authentication by real-time communication to the management server

• Triggers lockout feature in response to incorrect authentication attempts

• Offers configurable action on failed password attempt threshold

• Supports multiple user and administrator accounts per device

Administrative Tools and Active Directory Integration

• Provides remote one-time password

• Leverages Active Directory and existing IT infrastructure for deployment and management


KEY ADVANTAGES

Privacy and Compliance: Enables automation of HITECH Act compliance enforcement with policy-based encryption

Low Total Cost of Ownership: Makes it easy to deploy, configure, and manage encryption as an integrated solution

Broad Platform Coverage: Secures sensitive data on laptops, desktops, removable media, and USB flash drives

Validated Protection: Ensures robust security through government certifications including FIPS 140-2 Level 2 and Common Criteria EAL 4+

Forward Compatible: Supports emerging self-encrypting hard drives

With its FIPS 140-2 Level 2 validation, Common Criteria EAL 4+, and other elite security certifications, Trend Micro Endpoint Encryption is designed to protect data for the most security conscious organizations, such as the United States military.

Trend Micro Endpoint Encryption helps achieve the data protection requirements mandated in the HITECH Act. And, because of the breadth of device protection (laptops, desktops, USB flash drives), and ease of administration and deployment, healthcare organizations of all sizes can benefit from its superior data protection capabilities.

CONCLUSION

Security and regulatory compliance mandates are changing rapidly. Digital records are becoming the industry standard. Threats targeting data are becoming more frequent and sophisticated. Taken together, these developments mean that the importance of data protection is higher than ever before. Healthcare organizations are looking for security solutions that enable them to meet the HITECH Act and regulatory compliance mandates while being scalable, manageable, and evolving to meet new risks and requirements.

With a range of centrally managed encryption solutions that cover a broad range of capabilities and device types, while including pre-configured default policies, automated remediation and robust reporting to show compliance, Trend Micro offers a powerful combination of immediate protection with less complexity. With Trend Micro Endpoint Encryption, healthcare organizations are empowered to minimize the time needed to protect patient records and other sensitive data.


APPENDIX: SUGGESTED TREND MICRO ENDPOINT ENCRYPTION POLICY SETTINGS

Below are the suggested policy and default settings that healthcare organizations should use to protect data and meet HITECH Act regulatory compliance mandates. For each setting, a Standard and an Aggressive value are given, followed by the rationale.

For HITECH Data Protection Mandates

Management Server Settings

Central Management

• Standard setting: Required

• Aggressive setting: Required

• Rationale: Central management is required for policy administration and enforcement of encryption, authentication, port, and device control policies, as well as reporting, logging, auditing, and alerting.

Reporting

• Standard setting: Required

• Aggressive setting: Required

• Rationale: Enterprise-wide, individual, and device reporting is required to verify security policy and encryption status.

Alerting

• Standard setting: Alert after 8 consecutive failed logon attempts on a single device; on failed encryption of initial and/or ongoing authentication, log all failed authentication attempts; daily alert on policy tampering

• Aggressive setting: Alert after 6 consecutive failed logon attempts on a single device; on failed encryption of initial and/or ongoing authentication, log all failed authentication attempts; instant alert on policy tampering

• Rationale: Pre-configured policies notify administrators when events occur or thresholds are met.

Passwords

• Standard setting: Minimum 8 characters, including at least 1 alphabetic and 1 numeric character; password renewal every 90 days

• Aggressive setting: Minimum 8 to 10 characters, including at least 1 alphabetic, 1 numeric, and 1 special character; password renewal every 60 days

• Rationale: Restrict passwords by minimum length, alphabetic, numeric, and special characters (or a combination), number of consecutive characters, and renewal frequency.

Login

• Standard setting: Login required after every 15 minutes of inactivity; require users to log in once a month or be locked out; time delay when the allowable login attempt threshold is reached

• Aggressive setting: Login required after every 15 minutes of inactivity; require users to log in once a week or be locked out; time-delay lockout when the allowable login attempt threshold is reached

• Rationale: Specify the period of inactivity (in minutes) after which the authentication screen is displayed on the device.
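To make the Standard and Aggressive management-server profiles concrete, the following added Python illustration (not Trend Micro's code or product logic) applies the appendix's alerting, password, and login thresholds to constructed authentication events. The profile names, the event format, the 8-character minimum chosen from the Aggressive "8 to 10" range, and the 30-day month are assumptions.

```python
"""Checks modelled on the appendix's Management Server settings (alerting,
passwords, login) for the Standard and Aggressive profiles.  Added illustration
only, not Trend Micro code; the thresholds are the ones the appendix lists."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Profile:
    name: str
    failed_logon_alert: int       # consecutive failed logons on one device
    min_password_len: int         # 8 also used for Aggressive's "8-10" (assumption)
    require_special: bool         # at least one special character
    password_max_age_days: int    # renewal interval
    relogin_days: int             # log in at least this often or be locked out


# "1x month" and "1x week" are modelled as 30 and 7 days (assumption).
STANDARD = Profile("standard", 8, 8, False, 90, 30)
AGGRESSIVE = Profile("aggressive", 6, 8, True, 60, 7)

# Constructed authentication events in arrival order: (device, user, outcome).
SAMPLE_EVENTS = (
    [("LAPTOP-RAD01", "jsmith", "fail")] * 4
    + [("LAPTOP-ER02", "mlee", "fail")] * 3
    + [("LAPTOP-RAD01", "jsmith", "fail")] * 3   # RAD01 now at 7 in a row
    + [("LAPTOP-RAD01", "jsmith", "ok")]         # a success resets RAD01
    + [("LAPTOP-ER02", "mlee", "fail")] * 5      # ER02 reaches 8 in a row
    + [("DESKTOP-FIN03", "akhan", "fail")] * 2
)


def failed_logon_alerts(events, profile):
    """Raise one alert per device at the moment its run of consecutive
    failures reaches the profile threshold; any success resets the run."""
    streak = {}
    alerts = []
    for device, user, outcome in events:
        if outcome == "ok":
            streak[device] = 0
            continue
        streak[device] = streak.get(device, 0) + 1
        if streak[device] == profile.failed_logon_alert:
            alerts.append((device, user, streak[device]))
    return alerts


def password_violations(password, profile):
    """List the profile rules a proposed password breaks (empty = accepted)."""
    problems = []
    if len(password) < profile.min_password_len:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alpha")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric")
    if profile.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special")
    return problems


def password_expired(set_on, today, profile):
    """True once a password (ISO dates) is older than the renewal interval."""
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    return age >= profile.password_max_age_days


def locked_for_inactivity(last_login, today, profile):
    """True when the user has not logged in within the required interval."""
    idle = (date.fromisoformat(today) - date.fromisoformat(last_login)).days
    return idle > profile.relogin_days


if __name__ == "__main__":
    for profile in (STANDARD, AGGRESSIVE):
        print(profile.name, "alerts:", failed_logon_alerts(SAMPLE_EVENTS, profile))
        print(profile.name, "Radiology12:", password_violations("Radiology12", profile))
        print(profile.name, "expired:", password_expired("2012-03-20", "2012-06-01", profile))
```

Note that the same event stream yields no alert for LAPTOP-RAD01 under the Standard profile (7 failures, then a success) but does under Aggressive, which is exactly the trade-off the two thresholds express.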

Encryption Settings

Hard Drive

• Standard setting: Require

• Aggressive setting: Require

• Rationale: Require full disk encryption of the entire hard drive, including applications, OS, and every partition.

Removable Media Encryption

• Standard setting: Require

• Aggressive setting: Require

• Rationale: Set default policy to require that all data copied to removable media be encrypted.

Email Encryption

• Standard setting: Optional

• Aggressive setting: Require

• Rationale: Require email encryption for employees directly responsible for the handling of PHI and electronic patient records.

Email Attachments

• Standard setting: Optional

• Aggressive setting: Require

• Rationale: Require encryption of email attachments for employees directly responsible for the handling of PHI and electronic patient records.

Hardware USB Encryption

• Standard setting: Allow

• Aggressive setting: Require

• Rationale: Require hardware-encrypted devices for employees directly responsible for the handling of PHI.

Offline Decryption Tool

• Standard setting: Restrict

• Aggressive setting: Restrict + log; track offline usage

• Rationale: Allow the decryption tool only with senior executive approval.

Encrypt Tasks and Contacts

• Standard setting: Require

• Aggressive setting: Require

• Rationale: Set default policy to automatically encrypt tasks and contacts.


Port Control

• USB: Standard setting Restrict; Aggressive setting Restrict

• Bluetooth: Standard setting Restrict; Aggressive setting Restrict

• FireWire: Standard setting Restrict; Aggressive setting Restrict

• PCMCIA: Standard setting Restrict; Aggressive setting Restrict

• SD: Standard setting Restrict; Aggressive setting Restrict

• Serial: Standard setting Allow; Aggressive setting Allow

• Parallel: Standard setting Allow; Aggressive setting Allow

• Wi-Fi: Standard setting Allow; Aggressive setting Restrict

Rationale: Restrict ports so that encryption policies are enforced. For employees responsible for patient records, restrict Wi-Fi to secure networks only.

Device & Storage Control

Storage Control

• Standard setting: Encrypt all data copied to non-encrypted storage devices and USB flash drives; allow data copied to hardware-encrypted USB flash drives; encrypt all data copied to CD/DVDs; block the auto run feature

• Aggressive setting: Only allow company-issued hardware-encrypted USB flash drives and log offline usage of the devices; allow and white-list the KeyArmor USB flash drive; block the auto run feature; block data copied to CD/DVDs

• Rationale: At a minimum, all PHI written to storage devices must be encrypted with FIPS-certified encryption, providing verifiable and fortified protection in the event the storage device is lost or stolen. A more aggressive approach is to restrict the use of storage devices to approved devices such as Trend Micro KeyArmor USB devices. A convenience feature of many operating systems is the ability to automatically execute a program upon the insertion of removable media. This feature, known as “auto run” or smart functionality, could be a security threat and should be disabled by default. Many formats for writing files to media such as CD/DVD do not support event logging; setting a policy to automatically encrypt all data copied to removable media reduces this concern.

File Control

• Standard setting: Allow with log

• Aggressive setting: Log – write only

• Rationale: In order to support audit and investigation of security incidents involving PHI, log all files written to external storage devices.

Wi-Fi Network

• Standard setting: Allow + log

• Aggressive setting: Restrict to secure networks and block peer-to-peer communication

• Rationale: Wireless networks present a risk to the protection of PHI. For employees with regular access to and use of patient records, restrict use to an approved list of secure Wi-Fi networks.

©2012 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, OfficeScan, and Trend Micro Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_HITECH_Compliance_120531US]

TREND MICRO™ Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site: www.trendmicro.com.

TREND MICRO INC. U.S. toll free: +1 800.228.5651 Phone: +1 408.257.1500 Fax: +1 408.257.2003 www.trendmicro.com