Securing your Healthcare Organization Begins with Encryption

Alan Phillips, Senior Corporate Engineer, Sophos
Jeff Barding, Sr. Security Administrator, Pomona Valley Hospital and Medical Center
Josh Penso, Systems Administrator - Information Systems, Union Hospital

Description

In this 1-hour webcast, IT professionals at two local hospitals talk about how they have used encryption solutions to help provide a "safe harbor" in the event of a security incident, and about tools you can use to keep your organization HIPAA healthy.

Page 1

Securing your Healthcare Organization Begins with Encryption

Alan Phillips, Senior Corporate Engineer, Sophos

Jeff Barding, Sr. Security Administrator, Pomona Valley Hospital and Medical Center

Josh Penso, Systems Administrator - Information Systems, Union Hospital

Page 2

Alan Phillips, August 2014

Data Protection for Healthcare

Page 3

Goals

Over the years a great deal of time has been spent worrying about anti-virus, firewalls and patch management. With good reason, these technologies have been high on priority lists.

Of late we have seen more and more emphasis on the impact caused by the loss of personal information.

This presentation will discuss the way that modern computing practices put data at risk, and the ramifications of that risk to an organization. An overview of the SafeGuard Enterprise encryption suite will provide options to mitigate that risk.

Joining us on the call are Josh Penso and Jeff Barding, who will share with us some of their experiences with SGN.

Page 4

Where is the data?

Page 5

Not just a laptop anymore

Page 6

Where does your data go?

• Laptops/Mobile computers
• Desktops
  ○ Is your physical security enough to ensure that these are protected?
• USB storage
• Mobile devices
  ○ Phones
  ○ Tablets
• Network servers…
• Backup tapes… follow the trail

Page 7

Regulations & Rules

• PCI-DSS
• State Privacy & Disclosure laws
• HIPAA/HITECH
• FERPA
• FISMA
• GLBA
• SOX
• PIPEDA

Page 8

HIPAA/HITECH

• HITECH now applies to Business Associates (BAs) directly.
• HITECH also increased the penalties for violations of HIPAA.
• Not just big breaches: 57,000+ breaches of under 500 individuals have been reported.
• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
• HITECH establishes punishment for willful neglect.

Page 9

HIPAA/HITECH

• Health Insurance Portability and Accountability Act (HIPAA): secure "protected health information" (PHI).
• Health Information Technology for Economic and Clinical Health Act (HITECH): includes funding for electronic health records, and enforces increased security & privacy protection requirements.

Definition of Breach

• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Page 10

Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

• Encrypt your data!
• Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

Page 11

Payment Card Industry Data Security Standard: 12 key elements to protect sensitive data & over 250 controls

At a high level, PCI-DSS boils down to these 4 key things:

1) All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times; the deadlines have already passed.
2) Merchants cannot store certain credit card information, track data from the magnetic strip, or PIN data.
3) If permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
4) "Carrot & the stick": safe harbor from fines IF a merchant was compliant at the time of a breach, versus fines as high as $500,000 per incident and the potential loss of the ability to take credit cards.

Source: PCI DSS Compliance Overview, Braintree Payment Solutions, www.getbraintreee.com

Page 12

Examples of HIPAA settlements

• http://www.hhs.gov/news/press/2014pres/04/20140422b.html
• WellPoint Settles HIPAA Security Case for $1,700,000 - July 11, 2013
• Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 - June 13, 2013
• Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013
• HHS announces first HIPAA breach settlement involving less than 500 patients - December 31, 2012
• Massachusetts Provider Settles HIPAA Case for $1.5 Million - September 17, 2012
• Alaska DHSS Settles HIPAA Security Case for $1,700,000 - June 26, 2012
• HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards - April 13, 2012
• HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012

Page 13

Dermatology practice settles potential HIPAA violations

• $150,000
• Stolen unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals
• "As we say in health care, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez. "That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."

Page 14

Sophos protects data

Page 15

Security Made Simple – Reference Architecture

Page 16

Encryption without compromise: reference architecture diagram. Labels recovered from the slide:

• Locations: Headquarters, Remote office, At home and on the move
• SafeGuard Management Center: set policy, report compliance, store keys, recover lost passwords
• SafeGuard Encryption at each location: Disk, Files, Mgmt
• For users at home and on the move: Mobile Encryption and SafeGuard Portable alongside SafeGuard Encryption

Page 17

Safeguard Enterprise 6.1

Page 18

Introducing Sophos SafeGuard Enterprise 6.1

Page 19

Protecting the Data

"The traditional view of where data lives"

"Data is moving elsewhere!"

• To cloud storage
• On corporate mobiles
• On employee devices

Page 20

Management Center

Page 21

Management Center

• Central management of data security policies and protection
• Manage Windows, Mac, Opal and BitLocker
• Predefined and custom security officer roles
• Best-in-class key management
• Audit the encryption status of the environment and control who has access to what

Page 22

Device Encryption

Page 23

Device Encryption

• Encrypts laptops, desktops and self-encrypting drives
• Secures all data on PCs and Macs
• Fast initial and ongoing encryption
• Secure service accounts for administrators
• Single sign-on
• Central administration and automated deployment
• Easy password recovery options
• Includes Native Device Encryption

"HHS settles HIPAA case with BCBST for $1.5 million". Here we have a case of losing 57 unencrypted hard drives: not computers, just the drives.

Page 24

Pre-boot Authentication

Page 25

SafeGuard Client for Mac OS

• Broader data protection and compliance
  ○ Full disk encryption (AES 256-bit) for Macs
  ○ Compliance audit logs
• End-user productivity
  ○ Transparent, fast encryption
  ○ Graphical power-on authentication
  ○ Easy recovery options: passwords and data
• Improved IT efficiency
  ○ Flexible administration options: UI / scripting
  ○ Standalone deployment: no need for central management
• Protect investment, manage costs (TCO)
  ○ Future integration with Sophos central management

Sophos © Confidential. Internal Use only

Page 26

Power On Authentication (screenshot: SafeGuard icon)

Page 27

Native Device Encryption

Page 28

Native Device Encryption

• Formerly known as Partner Connect
• Manage external native OS-based encryption
• Centrally manages data security across mixed Windows OS computers
  ○ Enforces consistent policies
  ○ Provides recovery mechanisms for PCs running BitLocker and Mac OS X 10.8/10.9 FileVault 2
  ○ Data recovery and central key backup
  ○ Centralized log reports
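The slide above describes managing the operating system's own encryption (BitLocker, FileVault 2) centrally: consistent policy, recovery, key backup and log reports. As an added example that is not part of the deck and is not Sophos code, the PowerShell script below shows the native-side check behind such a report on one Windows machine: for every volume it confirms that encryption is complete, that protection is actually on, and that a recovery password protector exists to be escrowed. It assumes the built-in BitLocker module (Windows 8 / Server 2012 or later) and an elevated session; the CSV output path is an assumption.

```powershell
# Added example (not from the deck, not Sophos code): audit BitLocker state on
# the local machine the way a central console would want it reported.
# Assumes the built-in BitLocker PowerShell module and an elevated session.

function Get-EncryptionAuditReport {
    [CmdletBinding()]
    param()

    $rows = foreach ($vol in Get-BitLockerVolume) {
        # A recovery password protector is what gets escrowed centrally; without
        # one, a lost PIN or TPM change means the data is unrecoverable.
        $hasRecovery = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        # A volume is only acceptable when encryption is complete AND protection
        # is on: a fully encrypted volume with protectors suspended boots in the
        # clear, so "encrypted" alone is not enough for a safe-harbor claim.
        $status = if ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted') {
            'Compliant'
        } elseif ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            'Encrypting'
        } else {
            'NonCompliant'
        }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            MountPoint      = $vol.MountPoint
            VolumeType      = $vol.VolumeType
            Status          = $status
            VolumeStatus    = $vol.VolumeStatus
            Protection      = $vol.ProtectionStatus
            Method          = $vol.EncryptionMethod
            Percent         = $vol.EncryptionPercentage
            Protectors      = ($vol.KeyProtector.KeyProtectorType -join ',')
            RecoveryKeyHeld = $hasRecovery
        }
    }
    return $rows
}

# Produce the report, flag volumes needing attention, and write a CSV that a
# central collector can pick up (path is an assumption; change to suit).
$report = Get-EncryptionAuditReport
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.Status -ne 'Compliant' -or -not $_.RecoveryKeyHeld })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} volume(s) need attention: unencrypted, unprotected, or no recovery password to escrow" -f $bad.Count)
}
$report | Export-Csv -Path "$env:ProgramData\encryption-audit-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Run per machine (for example from a scheduled task or a management agent) and aggregate the CSVs centrally; the three conditions checked here, fully encrypted, protection on, recovery password present, are the ones a console like the one on the slide has to prove before a lost device can be treated as a non-breach.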

Page 29

Management of the MS BitLocker Engine

Diagram labels: built-in disk encryption; Sophos PIN recovery; Sophos Management

Page 30

Management of Mac FileVault 2

Diagram labels: built-in disk encryption; Sophos client, recovery etc.; Sophos Management

Page 31

Removable Media

Page 32

Data Exchange

• Encrypts removable devices without impacting users
• Share data inside/outside the organization
  ○ Restricts data sharing to specific teams
  ○ Portable application for use anywhere
• Mix encrypted and non-encrypted data
• File tracking
• White/blacklisting of devices

• Alaska DHSS settles HIPAA security case for $1,700,000
  ○ "The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHHS employee."

Page 33

Sharing data securely on removable media, storing on optical

Use cases:
• Protection against a lost USB stick
• Controlled access to a shared removable drive
• Simple decommissioning

Diagram labels: Managed PC (encrypt by policy); Other PC (password access)

* SG Portable for sharing with 3rd parties not available for Macs

Page 34

File Share encryption

Page 35

Control your sensitive data: where is your data vulnerable?

IT has access to all corporate data.

Files on PCs, laptops, removable media:
• Local (offline) copies of server data
• Temporary files

Files on servers:
• Salary and other personal data
• Staff evaluations
• Financial data
• Analyses
• Correspondence
• Customer data
• Business plans
• Research and project data
• etc.

Risks:
• Backups are stored in plaintext
• Devices and data can be lost
• Network traffic can be sniffed
• No PCI compliance
• IT can access local data, too

Page 36

The solution: File Share

Use file and folder encryption to protect important company data.

Diagram labels: SafeGuard Management; data at rest and LAN traffic encrypted

Page 37

File servers outside of your network: Infrastructure as a Service?

Page 38

Cloud & Mobile Encryption

Page 39

Secure collaboration in the cloud: the GIANT USB stick in the sky

Use cases:
• Secure data uploaded to the cloud
• Access and share data from any place and device
• Prevent unauthorized cloud storage providers from accessing sensitive data

Diagram labels: Managed PC (encrypt by policy); Mobile device (password access)

Page 40

Secure storage in the cloud: encryption for cloud storage

• Managed with SafeGuard Enterprise
• File reader with password-protected access

Page 41

Mac File Encryption

Page 42

File Encryption on Macs

Page 43

Jeff Barding, Sr. Security Administrator, Pomona Valley Hospital and Medical Center

Beyond the Basics: Protecting Your Data

Page 44

PVHMC: Who We Are

Serving as Pomona's first hospital in 1903, Pomona Valley Hospital Medical Center (PVHMC) is a 453-bed acute care facility supporting eastern Los Angeles and western San Bernardino counties. Focused on community and utilizing cutting-edge technology, PVHMC is nationally recognized for the Hospital's Centers of Excellence in oncology, cardiac and vascular care, women's and children's services, and kidney stones.

Page 45

Outcomes of Partnering with Sophos

• Benefits realized:
  ○ Compliance with state and industry regulations
  ○ Robust product performance
  ○ Ability to scale with organization needs and standards
• Recommendations:
  ○ Examine your needs and requirements
  ○ Encrypt at the right levels accordingly
  ○ Remain proactive with your DLP habits

Page 46

"For healthcare, I believe there is a definite need for encryption in general. For our organization, we know that Sophos and SafeGuard Enterprise allow us to go beyond the basics so we can encrypt based on our needs, such as full disk or removable media, without ever compromising the work we do with our patients and the community."

Jeff Barding, Sr. Security Administrator

Page 47

Josh Penso, Systems Administrator - Information Systems, Union Hospital

Protecting Devices and Important Patient Data

Page 48

Union Hospital: Who We Are

Originally opened in 1906, Union Hospital in Dover, Ohio is committed to providing quality healthcare and to supporting the local, surrounding communities. In addition to being one of the safest hospitals in the country, Union Hospital is dedicated to the security of its 1,000 employees and the confidential information of its patients.

Page 49

Outcomes of Partnering with Sophos

• Benefits realized:
  ○ Ease of deployment and management
  ○ Thorough security consultation and support
  ○ Decrease in organization and operational risk
• Recommendations:
  ○ Internal discussions and buy-in
  ○ Clear procedures and documentation
  ○ Staff education and training

Page 50

"Deploying, running, and managing device encryption is extremely easy and incredibly straightforward for us. We've seen a significant decrease in the number of issues on devices, but also our staff is not negatively impacted by the encryption and we feel better knowing that our data is well protected."

Josh Penso, System Administrator - Information Systems

Page 51

Final thoughts

Page 52

Protecting the Data

"The traditional view of where data lives"

"Data is moving elsewhere!"

• To cloud storage
• On corporate mobiles
• On employee devices

Page 53

SGN and the cost of breaches

Breach                                                        | Records | Fine       | Product
------------------------------------------------------------- | ------- | ---------- | ----------
USB stolen from car (assume 10,000 clients)                   | Unknown | $1,700,000 | SGN DX
Stolen laptop (assume 5,000 clients)                          | 3,600   | $1,500,000 | SGN DE\NDE
473 unencrypted backup computer tapes (assume 1,500 clients)  | 800,000 | $750,000   | SGN FS

Page 54

Consider

• Who needs access to data?
• Where might that data go?
• Your compliance obligations
• Remember: if it's encrypted, it is safe

Page 55

Protecting data across your environment

• Corporate data on personal devices
• Lost removable media
• Lost laptops
• Corporate data in cloud storage
• Sensitive internal data, corporate data on Amazon servers
• Stolen data from desktops

Users don't notice that it's there; minimal work for IT.

Page 56

Questions?

Page 57

Next Steps

Sophos SafeGuard Encryption: free 30-day trial

http://www.sophos.com/encryption