Safeguarding Healthcare Information in SharePoint

Page 1: Safeguarding Healthcare Information in SharePoint

Confidential and Proprietary © Metalogix. Move, Manage, Protect

Safeguarding Sensitive Health Information within SharePoint

How to avoid the costs of non-compliance

Page 2

The safest SharePoint environment is one with no users.

Page 3

But once we open the gate…

Chart: percentage of IT and IT security pros who believe employees are likely or very likely to take each of the following actions (Ponemon Institute). Bar values as shown: 23%, 25%, 44%, 51%, 74%, 78%, 86%. Actions charted:

• Emailing confidential documents from the workplace to a home computer or mobile devices using a Web-based email account
• Retaining confidential documents or files that are no longer required
• Moving large files containing business confidential information to a Web-based file-sharing application
• Sharing files and documents not intended for them
• Forwarding confidential files or documents to individuals not authorized to receive them
• Sending confidential files to unauthorized individuals outside the organization
• Copying documents and files to a USB memory stick after being downsized from an organization

People are willing to bypass security policies to get their jobs done.

Page 4

Did you know…?

Is your sensitive data really safe?

79% of companies store sensitive or confidential information on SharePoint. – CMS Wire

• Employee info – credit card numbers, salary info
• Patient info – ePHI, medical records, insurance
• Company information – financial or legal records
• Intellectual property – research, formulations, clinical trials

Even if you have a “secure zone” in your SharePoint farm, users can find ways around it.

Page 5

Neglecting PHI security: the fallout

Financial: regulatory fines; customer and shareholder lawsuits.

Competition: trade secrets and valuable IP are exposed.

Reputation: patients, employees and partners are less willing to trust you.

Opportunity cost: what else could you be doing instead of remediating a data breach?

Page 6

Average cost of a lost or stolen health record is $363, 136% higher than the average global cost across all industries.

IBM/Ponemon Cost of a Data Breach Study

Page 7

The costs add up: 1 + 2 + 3 + 4

1. HIPAA fines for US companies: up to $1.5 million per calendar year for each category of HIPAA violation. OCR Phase II audits focus on the risk of compromised data and on how business associates interact with sensitive content.

2. EU GDPR fines for companies with EU customers & staff: up to 20 million Euros (~$22 million) or 4% of annual turnover, whichever is greater.

3. Customer or shareholder lawsuits: individual or class action lawsuits targeting the organization or its executive leadership for negligent behavior.

4. Staff time for investigation and remediation: mean time to discover a data breach is 206 days and to contain it is 69 days. Insider breaches can often take longer than average to find and fix. You may need external expertise as well as dedicated staff.

Page 8

1. HIPAA Fines

OCR is holding organizations accountable

• Advocate Health – will pay $5.5 million for lax data security and breaches of protected health information for millions of patients, after four unencrypted laptops were stolen.

• Feinstein Institute – fined $3.9 million after it failed to implement safeguards to restrict access to unauthorized users, putting ePHI of ~13,000 patients at risk when a laptop was stolen from an employee’s car.

• Triple-S – settled for $3.5 million after multiple violations, including former staff who retained access to data and a business associate who downloaded ePHI and uploaded it to his new employer’s computer.

• North Memorial Health Care of Minnesota – paying $1.55 million after failing to make a business associate agreement with a contractor or conduct a risk analysis.

• St. Elizabeth’s Medical Center – settled for $218k after staff stored ePHI on an insecure document file-sharing service.

• Washington State Healthcare Authority – pending settlement after an employee helped another with a spreadsheet, compromising 91,000 Medicaid patient files.

Page 9

2. EU GDPR

Global impact of EU GDPR

• The EU General Data Protection Regulation was adopted in 2016; organizations must be compliant by May 2018.
• If you have any EU employee or customer data in your systems, you must comply, even if you’re based in the Americas or APAC.
• Organizations processing data of people in the EU must appoint a Data Protection Officer (DPO) if they monitor data subjects on a large scale or process special categories of personal data, such as health data, on a large scale.
• Failure to comply triggers fines of up to 20 million Euros or 4% of annual turnover, whichever is greater.

Page 10

3. Lawsuits

Expensive to defend, more expensive to lose

• Affected patients are bringing suit against Advocate Health after negligent security practices exposed the personal health information and social security numbers of more than four million people.

• A physician is the lead plaintiff in a class action lawsuit against Banner Health over a massive data breach that may have exposed personal information of 3.7 million individuals.

• Class action contends UCLA Health failed to take the basic precautionary steps to protect the personal and medical information for as many as 4.5 million individuals.

• Class action contends two employees at Florida Hospital had been printing parts of medical records of approximately 9,000 patients for more than two years.

Page 11

4. Time

Consider the time it takes IT and security staff when…

• Your security team (or an auditor) asks for details on how sensitive information is managed within SharePoint?
• Lawyers request a paper trail for eDiscovery?
• You need to track the source of improper data use?
• You take action to remediate issues (if you even can)?

Chart: remediation time following a breach is increasing (Frost & Sullivan). Categories: within one day; two to seven days; eight to twenty days; three or more weeks. Three series of values as extracted, in that category order: 33%, 43%, 7%, 5%; 28%, 41%, 9%, 7%; 20%, 44%, 11%, 8%. Year axis labels shown: 2011 and 2013. Across the three series the share remediated within one day falls (33%, 28%, 20%) while the share taking three or more weeks rises (5%, 7%, 8%).

Page 12

Lower your risk of a SharePoint security breach.

Page 13

A delicate balance

Diagram: security and usability traded off against each other along a data-sensitivity scale running from LOW to HIGH.

Page 14

Misaligned investment vs. risk

Chart comparing, for external threats and for insiders, the percentage of organizations concerned about each threat type against the percentage of security spending dedicated to addressing it. Values shown: 75%, 25%, 41%, 65%. External threats are marked “overspend” and insiders “underspend”.

Page 15

Enterprise DLP isn’t sufficient

Network stress: adding an enterprise DLP solution on top of SharePoint slows activity. When users upload documents, DLP scans cause user time-out errors. Users mistakenly believe documents have reached their destination and blame SharePoint when they can’t find their content.

Complex rollouts: for DLPs to be successful, organizations need to classify data and understand information flows across thousands of assets. They are costly to manage and maintain.

High false positive rate: enterprise DLPs are either too strict or too permissive. They don’t consider the context of the SharePoint user. It’s not unusual to experience false positive rates of 60% or more.

Page 16

SharePoint out-of-the-box security gaps

In pre-2016 versions, audits, eDiscovery and permissions are time-consuming and difficult to manage, and data leak prevention is practically non-existent.

• Fragmented permissions management
• Limited auditing
• Poor rights management integration
• Limited governance policy enforcement
• No active management
• Inability to delegate control
• Stale sites and out-of-date content

Page 17

SP 2016’s Compliance Center

It is born from the cloud and makes use of Office 365. Microsoft is taking security and governance seriously. But… it is still not sufficient for data loss prevention:

• Basic searching capability for sensitive data types
• Downstream prevention actions (preventing users from moving, deleting files, etc.) lacking
• Can’t manage security across multiple SharePoint deployments
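As an added example, not code from this deck, from SharePoint, Office 365 or any Metalogix product: a small Python scanner showing what the "searching for sensitive data types" step of the two preceding pages looks like when each pattern match is followed by a validation step, which is the cheapest way to cut the 60%-plus false positive rates page 15 complains about. Everything in it is an assumption: the three sensitive-data patterns (US SSNs with the Social Security Administration's structural rules, payment card numbers checked with the Luhn formula, and an invented MRN-nnnnnnn medical record number format), the label names, the site paths, and the two constructed sample documents.

```python
import re
from dataclasses import dataclass

# Hypothetical ePHI detector; patterns, label names and sample text are all assumptions,
# not anything from SharePoint, Office 365 or Metalogix.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional single separators
MRN_RE = re.compile(r"\bMRN-\d{7}\b")                # invented medical-record-number format


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSA rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are invalid. Rejects most part numbers and IDs
    that merely look like nnn-nn-nnnn."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real payment card number passes it, most random
    digit strings (tracking codes, invoice numbers) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    value: str
    validated: bool


def scan(text: str) -> list:
    """Return every candidate match, marking which ones survive validation."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group(0), valid_ssn(*m.groups())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append(Finding("card", m.group(0), luhn_ok(digits)))
    for m in MRN_RE.finditer(text):
        findings.append(Finding("mrn", m.group(0), True))
    return findings


def classify(text: str):
    """Label a document from validated findings only. Rejected candidates are
    returned separately so a reviewer can tune the rules instead of triaging them."""
    findings = scan(text)
    confirmed = [f for f in findings if f.validated]
    rejected = [f for f in findings if not f.validated]
    label = "restricted-ephi" if confirmed else "unclassified"
    return label, confirmed, rejected


def inventory(documents: dict) -> dict:
    """Map each document path to its label: the 'know where your ePHI resides' step."""
    return {path: classify(text)[0] for path, text in documents.items()}


# Constructed sample content (not real patient data).
DOC_EPHI = ("Discharge summary for MRN-0012345. Patient SSN 123-45-6789; "
            "copay charged to card 4111 1111 1111 1111.")
DOC_BENIGN = ("Part number 000-12-3456 ordered; tracking reference 1234 5678 9012 3456 "
              "is a shipment code, not a card.")
SAMPLE_SITE = {
    "/sites/clinical/Shared Documents/discharge.docx": DOC_EPHI,
    "/sites/facilities/Shared Documents/order.docx": DOC_BENIGN,
}

if __name__ == "__main__":
    for path, label in inventory(SAMPLE_SITE).items():
        print(f"{label:16} {path}")
```

The benign document contains two strings that a regex-only scanner would flag; both are dropped by validation and the document stays unclassified, while the clinical document is labelled on three validated hits. Where the patterns must be applied to real SharePoint libraries, the same `classify` call can be fed the text of each file returned by the site's own search or crawl API.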

Page 18

Plug security gaps

Make sure you know where all of your sensitive data resides. Scan, detect, and classify ePHI.

Empower employees to adhere to information security plans. Place security controls directly within the workflow, at the point users need them.

Automatically monitor, alert and execute downstream remediation actions.

Consider the context of user behavior, not just permissions and credentials. Location, time of day, and situational analysis matter.

Report on how users interact with data and security controls. Auditors expect a paper trail and proof that you protect ePHI.

Design information governance processes and adoption programs for a proactive approach to SharePoint security.
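As an added example of the context-aware monitoring and reporting described on this page (not code from the deck, from SharePoint or from any product): Python detection logic run over constructed, SharePoint-style download events. The event fields, the corporate address ranges, the business-hours window, the bulk threshold, the HR offboarding list and the "two or more signals" alert rule are all assumptions chosen for the example; a real deployment would take them from the farm's audit log export and its own policy.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical, not a SharePoint or Metalogix data model).
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local time
BULK_THRESHOLD = 20                 # restricted downloads per user per hour
OFFBOARDING = {"mallory"}           # users HR has flagged as leaving
ALERT_SCORE = 2                     # alert when at least this many signals coincide


def _event(ts, user, ip, op="FileDownloaded", label="restricted-ephi"):
    """Constructed audit record; 'label' is the classification assigned to the file."""
    return {"ts": ts, "user": user, "op": op, "label": label, "ip": ip}


# Constructed sample events: routine daytime use, one late single download,
# and a departing user pulling a whole library from outside the network.
EVENTS = (
    [_event("2017-03-06T09:12:00", "jdoe", "10.20.0.15"),
     _event("2017-03-06T09:40:00", "jdoe", "10.20.0.15", label="public"),
     _event("2017-03-06T22:05:00", "bob", "10.20.0.40")]
    + [_event(f"2017-03-06T23:{m:02d}:00", "mallory", "203.0.113.9") for m in range(25)]
)


@dataclass
class Alert:
    user: str
    hour: str
    signals: list
    count: int


def signals_for(ev: dict) -> list:
    """Contextual signals for one event: time of day, network location, HR status."""
    signals = []
    if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    if not any(ip_address(ev["ip"]) in net for net in CORP_NETS):
        signals.append("external_ip")
    if ev["user"] in OFFBOARDING:
        signals.append("offboarding")
    return signals


def detect(events: list) -> list:
    """Bucket restricted downloads per user and hour, add a volume signal, and
    alert only when several signals coincide so a single late-night download
    by a legitimate user does not page anyone."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["op"] != "FileDownloaded" or ev["label"] != "restricted-ephi":
            continue
        buckets[(ev["user"], ev["ts"][:13])].append(ev)   # key on YYYY-MM-DDTHH

    alerts = []
    for (user, hour), evs in sorted(buckets.items()):
        signals = set()
        for ev in evs:
            signals.update(signals_for(ev))
        if len(evs) >= BULK_THRESHOLD:
            signals.add("bulk_download")
        if len(signals) >= ALERT_SCORE:
            alerts.append(Alert(user, hour, sorted(signals), len(evs)))
    return alerts


def access_report(events: list) -> dict:
    """Per-user count of restricted downloads: the paper trail an auditor asks for."""
    counts = defaultdict(int)
    for ev in events:
        if ev["op"] == "FileDownloaded" and ev["label"] == "restricted-ephi":
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT {a.user} {a.hour}: {a.count} restricted downloads, signals={a.signals}")
    print("access report:", access_report(EVENTS))
```

On the sample data only `mallory` is raised: off hours, an address outside the corporate ranges, an HR offboarding flag and bulk volume coincide. `bob` downloads one restricted file at 22:05 from the corporate network and gets a single signal, which is logged in the access report but does not alert; that is the point of scoring on coincidence rather than on any one signal.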

Page 19

See what we’ve learned about how SharePoint keeps healthcare data safe – and how it doesn’t.

Get the eBook: Security and Compliance in Healthcare