Protect your Patient Data: Learn How to Avoid Costly
Privacy & Security Breaches within your Organization
Tuesday, June 21, 2011
Sponsored by:
Moderator: Mike Miliard, Managing Editor, Healthcare IT News
Guest Speakers: Valerie Hamilton, Marketing Manager Healthcare/Life Sciences, Certified Senior IT Specialist, IBM Rational Software
© 2011 IBM Corporation
Protect your Patient Data
Learn How to Avoid Costly Privacy & Security Breaches within your Organization
Valerie [email protected]
Security and compliance risks in the healthcare industry
Data breach affects 1.9 million individuals - includes medical information, Social Security numbers and other sensitive information
- Health IT Law Blog, March 2011
Hackers Break Into Virginia Health Website - deleting records on more than 8 million patients
- Washington Post, May 2009
Data Breach Affects 2,777 Patients
- eWeek.com, March 2011
Healthcare Suffers More Data Breaches Than Financial Services - more than three times!
- Darkreading.com, August 2010
Survey shows that data breaches and unauthorized access to their clinical applications are hospitals' biggest worry.
- Darkreading.com, August 2010
Provider reports potential theft of data on 84,000 patients
- HealthImaging.com, February 2011
Data breaches of patient information cost healthcare organizations in the U.S. nearly $6 billion annually, and many breaches go undetected!
- HealthImaging.com, November 2010
What are some of the drivers? Why are risks on the rise?
• Regulatory compliance: The Health Insurance Portability and Accountability Act (HIPAA) sets regulations for protecting the privacy and security of health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to promote the adoption and meaningful use of health information technology; Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information.
• Increase in vulnerability disclosure
• Cost cutting in the current economic climate: increased demands decrease efficiencies
• Enterprise modernization: traditional applications are being driven to the online world, increasing corporate risk
• User demand: the public is demanding rich applications requiring advanced coding techniques, which introduces more risk and threats
The changing landscape… The healthcare industry is becoming more interconnected
The opportunity – smarter planet. Participants shown in the diagram: Researchers, Providers, Medical Records, Physicians, Pharmaceuticals, Device Makers, Health Plans, Medical Products, and more…
The healthcare industry relies on Web-enabled software
Increased data availability is increasing the attack surface, and network security does little once an organization enables a web application.
• Web applications: intuitive interfaces for access to relevant client information (history, billing, diagnosis, results, etc.), client interaction, and integration with health care partners
• Web 2.0 and SOA: collaboration among peers and partners
• Databases: the backend of every Web application
The risk to sensitive information and compliance
Risks and threats: Stealing sensitive information is the 2nd highest motivation for Web application attacks.
Costs of security breaches (Source: Ponemon Institute, Cost of a Data Breach, 2010): Average cost of a security breach is $7.25 million; client notification ($214 per compromised record); fines (HIPAA annual maximum as high as $1.5 million); brand loss and lawsuits; disruption to business operations.
Compliance demands: Failure to comply - HIPAA allows both civil and criminal penalties, including fines and possible time in jail. Failure is not an option!
Source: 121st Annual HIMSS Leadership Survey, March 2010
Top Concern — Security of computerized medical information
Security concerns are keeping CIOs in healthcare organizations awake at night
Approximately 23% noted that their organization had a security breach in the past year
30% surveyed indicated compliance with HIPAA security regulations/CMS security audits was a concern
Only 4% of respondents indicated that they don’t have any concerns about their security
Web application vulnerabilities represented the largest category in vulnerability disclosures
According to IBM X-Force Trend & Risk Report, 49% of all vulnerabilities are Web application
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
Source: IBM Internet Security Systems 2010 X-Force® Year End Trend & Risk Report
As more information is available ‘online’ – the threat increases
Hackers continue to focus on Web applications…they are easy points of entry and there is valuable personal data exchanged
A complete security framework: Security governance, risk management and compliance
• Data and information: Understand, deploy, and properly test controls for access to and usage of sensitive data
• People and identity: Mitigate the risks associated with user access to corporate resources
• Application and process: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
• Network, server and end point: Optimize service availability by mitigating risks to network components
• Physical infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
Web application security: Applications and process
• Assess security needs and risks
– Identify security gaps
– Build secure processes
– Integrate Web application security into holistic security strategy
• Implement processes and solutions
– Identify vulnerabilities and develop secure code
– Protect web applications and web services from attack
– Secure databases associated with applications
• Utilize security experts
– Reduce the cost and complexity of security operations
Deploying secure web applications
Proactive Risk Mitigation: Risk Assessment; Policy & Requirements Definition; Secure application development across design, code, build, test phases; Assessment of Source Code; Assessment of Functioning Application; Final Security Audit; Deploy Web Application
Operational Risk Mgmt: Application & resource protection in operation (Identity & Access Management, Web Application Protection, Secure Web Services); Production-Site Monitoring
Reduce the possibility and impact of security vulnerabilities
Identify and mitigate security and compliance risks before they become an issue:
1. Centralize security and compliance scanning for the enterprise
2. Automate web application security testing and compliance analysis
3. Embed security and compliance across the software/systems development lifecycle
Protect and secure sensitive information
Manage security and compliance of web applications
Anticipate and prevent – not just respond to – security and compliance breaches
• Centralize and automate web application security and compliance analysis
– Enable security testing to identify vulnerabilities and accessibility issues
– Utilize web site content scanning and analysis to help ensure compliance with privacy, accessibility, and key industry regulations (e.g., HIPAA)
• Embed security and compliance across the development lifecycle
– Demonstrate compliance by ensuring full traceability of requirements
– Deploy change management with access control, electronic signatures (21 CFR Part 11), repeatable processes and audit trails
– Enable collaborative test management to mitigate business risk and increase quality
– Incorporate security/compliance testing during development
“The issues we find…help our site owners to identify and address certain areas of noncompliance and improve the sites. This helps improve the environment of trust and helps prolong customer relationships.”
- Compliance manager, large health products company
Centralize and automate web application security and compliance
Address vulnerabilities in networked applications and critical Web sites
• Improve the accuracy and reliability of your online applications
• Increase productivity savings over manual security and compliance testing
• Support compliance with privacy and accessibility mandates and key regulations
• Streamline compliance reporting
• Prioritize findings and generate actionable information to assist with remediation
• Track risk reduction over time
Reduce security and compliance risks during development
Root cause:
• Secure coding practices are typically not part of core development objectives
• In general, development is lacking tools to automate, mitigate risk and test security
• Vulnerabilities are continually introduced into application code
Chart (issues found across the Coding, Build, QA, Security and Production phases, current vs. desired profile): most security and compliance issues are found just prior to going live.
The increasing costs of fixing a defect…
• During the coding phase: $80/defect
• During the build phase: $240/defect
• During the QA/Testing phase: $960/defect
• Once released as a product: $7,600/defect, plus lawsuits, loss of customer trust, damage to brand
80% of development costs are spent identifying and correcting defects!*
*National Institute of Standards & Technology. Source: GBS Industry standard study. Defect cost derived assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR cost for other phases calculated by using the multiplier on a blended rate of $80/hr.
What is the cost of fixing a security or compliance vulnerability? …the same as the cost of a defect but with greater implications
Embed security and compliance across the development lifecycle
Lifecycle phases: Requirements, Code, Build, Test
• Demonstrate compliance by ensuring full lifecycle traceability of requirements
• Change management with access control, e-signatures, repeatable processes and audit trails
• Collaborative test management to mitigate risk and increase quality
• Automate security/compliance testing into the IDE, build process, and QA
What is the ROI of application security testing?
Cost savings – testing early in development
• Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
• 80% of development costs are spent identifying and correcting defects
• Code stage is $80/defect, QA/Testing is $960/defect
• 50 applications annually w/ 25 issues per application, testing at code stage saves $1.1M over testing at QA stage (Source: GBS Industry standard study)
Cost savings – automated testing
• Automated testing provides productivity savings over manual testing
• Outsourced audits can cost $10,000 to $50,000 per application
• At $20,000 an app, 50 audits will cost $1M.
• With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)
Cost avoidance – of a security breach
• Costs of a security breach can include audit fees, legal fees, regulatory fines, lost customer revenue & brand damage
• The cost to companies is $214 per compromised record
• The average cost per data breach is $7.25 Million (Source: Ponemon Institute, Cost of a Data Breach, 2010)
Summary: Security and compliance for the health care industry
Centralize and automate web application security and compliance analysis
• Avoid the risk of a data breach, exposing unsuspecting visitors to malware attacks, and falling out of compliance with security, privacy, or accessibility requirements
Embed and drive security and compliance into the software development life cycle
• Ensure full traceability of requirements from definition to testing
• Manage change requests using repeatable processes, secure access, e-signatures and audit trails
• Increase quality through collaborative test management and continual security testing
Meet stringent and constantly changing compliance and regulatory requirements
• Anticipate and prevent
• Secure and protect sensitive patient data
• Ensure trusted transactions between health care partners
© Copyright IBM Corporation 2011. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
For more information please visit…
IBM Rational Solutions for Healthcare and Life Sciences at:
http://www.ibm.com/software/rational/solutions/healthcare/
QUESTIONS? Submit your question to today’s speakers by typing your question into the box on the left side of your screen and then hitting ‘submit.’
If you have news or comments on this topic for the editors of Healthcare IT News, please email [email protected]
Sponsored by: