
Information confidentiality: business risks and regulations


DESCRIPTION

Implementing the right privacy measures isn’t just a good idea, it’s a critical aspect of safeguarding your intellectual property and complying with legal requirements. It’s not enough to control access to information at the application or administrative level. Data must also be protected during routine activities such as part replacements, upgrades and asset refreshes. Recent changes in HIPAA regulations drive the issue more than ever before. In this session, we will examine privacy needs and risks and discuss effective measures to prevent the unintended sharing of private information, which can compromise intellectual property, expose your company to litigation, or damage your company’s market reputation. We will also discuss the alternatives available and HP’s data privacy offerings in data sanitization, asset recovery, and defective media and material retention.


Page 1: Information confidentiality: business risks and regulations
Page 2: Information confidentiality: business risks and regulations

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Information confidentiality: business risks and regulations

Mike Ryan

Keeley Collins

June 10, 2013

Page 3: Information confidentiality: business risks and regulations


Agenda

• Data privacy needs and risks

• Recent regulations (HIPAA)

• Options and alternatives

• HP offers in this area

Page 4: Information confidentiality: business risks and regulations


Data privacy and risks

Page 5: Information confidentiality: business risks and regulations


Risks to data – risk to your business

Data privacy more important than ever

“Everyone” now needs to protect data from access by unauthorized parties:

• Government & financial

• Health care

• Insurance

• Research/universities

• Technology

• Other

Risks and consequences

• Regulatory fines & penalties

• Litigation

• Intellectual property loss

• Brand and reputation

What data is being protected?

• Intellectual property

• Client data

• Financial data

• Research

• Networks

• PII – Personally Identifiable Info

• PHI – Protected Health Info

Overview

Page 6: Information confidentiality: business risks and regulations


Increasing governance means costs to most companies

Data privacy regulations

• HIPAA/HITECH

• Gramm-Leach-Bliley (GLB)

• Family Educational Rights and Privacy Act (FERPA) and Federal Information Security Management Act (FISMA)

• Payment Card Industry Data Security Standard (PCI DSS)

• Safe Harbor – European Union and the United States

• Cookie & web beacon laws

“In 2010, 69 percent of the 964 IT and business leaders surveyed said compliance is their primary driver for encryption, an increase of five percentage points from last year. Mitigating data breaches falls to second place, with 63 percent saying it was a top driver for encryption adoption.” Ponemon Institute’s annual U.S. Enterprise Encryption Trends report

Page 7: Information confidentiality: business risks and regulations


Recent data privacy updates & news

• Cookie & web beacon legislation footprint expanding

– UK (2012)

– Mexico (effective April 2013)

• EU data privacy regulatory updates (expected mid-2014)

• Google fined for privacy violations by German Privacy Commission (Johannes Caspar)

• US Dept of Commerce draft privacy legislation

• US HIPAA/HITECH final omnibus – January 2013

The only thing constant is… change

Page 8: Information confidentiality: business risks and regulations


Recent regulation (HIPAA)

Page 9: Information confidentiality: business risks and regulations


HIPAA defined

HIPAA overview

Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996:

• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs

• Reduces health care fraud and abuse

• Mandates industry-wide standards for health care information on electronic billing and other processes

• Requires the protection and confidential handling of protected health information

Page 10: Information confidentiality: business risks and regulations


HIPAA – U.S. federal medical privacy law: historical timeline and basic facts

1996 – HIPAA

• Sets the baseline for medical privacy: privacy rule, security rule and enforcement rule

• Covered entities: health plans, health care providers, health care clearinghouses

• Business associates are “indirectly regulated” via the BAA

2009 – HITECH Act

• Designed to encourage electronic record keeping

• Extended HIPAA to business associates

• Imposed breach notification requirements on CEs and BAs

• Increased vigilance around PHI

• Increased enforcement/penalties

2013 – Omnibus final rule to HIPAA/HITECH

• Regulations and rules to implement the requirements of the HITECH Act

• Heightened concern of HP customers regarding data privacy

• Statutory obligations for BAs

• Mandatory flow-downs to subcontractors

• Necessitate BAA modifications

• Modifies breach notification rules

Courtesy Suzanne Miller, HP Senior Legal Counsel

Page 11: Information confidentiality: business risks and regulations


Who’s impacted

• Health care providers: doctors’ offices, hospitals, universities, VA

• Insurers: HMOs

• Self-insured companies

• Retail (in-store pharmacy)

• Health care processors

• Health care IT integrators/OEMS

• Pharmaceutical

An extended group

Page 12: Information confidentiality: business risks and regulations


HIPAA/HITECH – who can you trust? HP in healthcare by the numbers *

HP:

• Has more than 45 years of experience in the health and life sciences industry

• Performs 2.4 billion healthcare transactions annually, including 1 billion in healthcare claims

• Serves 13 of the top 15 pharmaceutical companies, ranked by revenue

• Provides services to health and human services programs in 35 states and supports Medicaid systems in 20 states

• Is the largest provider of Medicaid services in the U.S., supporting programs that administer $140 billion USD in Medicaid benefits annually

* Health & Life Sciences Industry overview, HP, April 2013, http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA1-0181ENW&cc=us&lc=en

Page 13: Information confidentiality: business risks and regulations


HIPAA rules regarding protected health information (PHI)

HIPAA overview

“Covered entities” refers to health plans, health care clearinghouses and health care providers who submit electronic transactions or store information electronically.

Privacy

The HIPAA privacy rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to covered entities. The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

Security

The HIPAA security rule establishes national standards to protect individuals’ electronic protected health information that is created, received, used, or maintained by a covered entity. The security rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

Page 14: Information confidentiality: business risks and regulations


“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information. . .”

Georgina Verdugo, OCR Director, 2011

Page 15: Information confidentiality: business risks and regulations


HIPAA/HITECH front runners in enforcement activities

HIPAA/HITECH and enforcement

• Covered entities and business associates are directly responsible/accountable to HHS and State Attorneys General

• Stringent breach notification requirements

• Required compliance with privacy and security rule safeguards

• Penalties for failing to implement safeguards

Page 16: Information confidentiality: business risks and regulations


HIPAA Omnibus – January 2013 updates

HHS announced final Omnibus rules amending HIPAA (1996) and HITECH Act (2009)

• Effective on March 26, 2013

• Supplement and modify the HIPAA privacy, security, breach reporting and enforcement rules

• Significant changes include:

– Expanded definitions – business associates, unsecured PHI, breach conditions

– Breach notification standards for data-protection are different from the security & privacy rule

– Even “secured” PHI – if disclosed impermissibly – can be considered a breach

– Breaches no longer have to prove significant risk of harm (financial, reputation, etc.)

– Provides assessment specifications

Page 17: Information confidentiality: business risks and regulations


Data breach examples

Penalty/cost impact

Ponemon Institute estimates the cost of a data breach at $214 per compromised record

• Military hospital/clinic (9/14/2011): 4.9 million military patients may be affected by the loss of computer tapes containing their health information

• Commercial health plan (1/21/2011): 1.9 million health plan members notified that hard drives containing their PHI were missing

• Health care network (12/23/2010): 1.7 million impacted due to computer back-up tapes stolen from a vehicle

• Hospice (6/1/2010): 441 patients impacted due to a stolen laptop; fined $50K by HHS in 2013

Page 18: Information confidentiality: business risks and regulations


Costs of compliance vs. non-compliance Ponemon Institute, 2011

Page 19: Information confidentiality: business risks and regulations

Costs of compliance vs. non-compliance

Higher security effectiveness score = lower cost of non-compliance (chart: security effectiveness score derived from 25 best practices across 40 studies)

Top security attributes:

1. Monitor & enforce security policy

2. Conduct ongoing audits

3. Attract & retain security professionals

4. Ensure minimal system downtime due to security violations

5. Prevent or curtail viruses, malware and spyware infections

Ponemon Institute, 2011

Cindy Valladares, Tripwire. “Understanding the Cost of Compliance – Part III.” March 28, 2011. URL: http://www.tripwire.com/state-of-security/it-security-data-protection/understanding-the-cost-of-compliance-part-iii/

Page 20: Information confidentiality: business risks and regulations


An ounce of prevention is worth a pound of cure

Recommendations & next steps

Identify PHI and PII touch points – and implement security provisions

• Assess your environment including mobile devices, servers and networks against the security rule.

• Review your security policies & procedures. Update your training.

• Evaluate your data security, destruction and transmission practices.

• Implement encryption technology and access control mechanisms (passwords, ACLs)

• Ensure your records meet standards – review new breach and assessment guidelines.

Review vendor contracts

• Be sure they can protect your information and that you have purchased the right products and services to enable compliance.

• Evaluate where vendors have access to PHI, and what scope. Restrict it where feasible.

• Update business associate agreements by September 2014.

Page 21: Information confidentiality: business risks and regulations


An ounce of prevention is worth a pound of cure

Recommendations & next steps, cont’d.

Assess your organization’s use and disclosure of PII and PHI

• Clearly classify systems and data

• Control your use, disclosure and retention to the minimum necessary

• Develop a security incident response plan —

– Assemble a response team

– Review & understand how the Omnibus changed breach notification

– Assess using the 4-part assessment criteria

– Create breach notification policies and procedures to help guide your organization through identifying and handling breaches

Page 22: Information confidentiality: business risks and regulations


Options & alternatives

Page 23: Information confidentiality: business risks and regulations


Hardware, services options and alternatives

Strategies to protect your data

Hardware

• Invest in encryption technologies

• Reduces burden and risk around disk media

Media handling

• Implement policies and procedures around handling media removed from IT assets

• Consider disk retention or processing alternatives

Asset lifecycle management

• Implement policies around assets retired from service

• Sanitize media contained in assets before reuse or resale

• Remove other identifying information before disposal

Security assessment & governance

• Governance, risk & compliance, operations, applications, endpoint, network & data center
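The sanitization step in the asset lifecycle list above, and the DoD 5220.22-M / NIST SP 800-88 “clear” erasure with per-serial documentation that the later service slides describe, as a worked example. This is an added example, not code from the deck or an HP tool: it overwrites a file-backed image standing in for a magnetic disk, reads the whole image back to verify (the verification step is what turns a plain overwrite into a defensible “clear”), and returns an audit record keyed by the drive serial. The pass sequence, chunk sizes, record fields and the sample “patient record” content are assumptions for illustration.

```python
"""Overwrite-and-verify media sanitization with an auditable per-serial record.

Added example, not code from the original HP deck. A file-backed image stands
in for a magnetic disk; the pass sequence, block sizes and record fields are
illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import json
import os
import secrets
from datetime import datetime, timezone

CHUNK = 64 * 1024       # I/O unit for overwrite and read-back (assumption)
SAMPLE_BLOCK = 4096     # size of each pre-sanitization fingerprint block


def fingerprint_blocks(path: str, count: int = 16) -> dict[int, str]:
    """Hash `count` blocks spread across the image before sanitization so the
    verification step can later prove the original content is gone."""
    size = os.path.getsize(path)
    stride = max(SAMPLE_BLOCK, size // count)
    prints: dict[int, str] = {}
    with open(path, "rb") as f:
        for off in range(0, size - SAMPLE_BLOCK + 1, stride):
            f.seek(off)
            prints[off] = hashlib.sha256(f.read(SAMPLE_BLOCK)).hexdigest()
    return prints


def overwrite_pass(path: str, pattern: bytes | None) -> None:
    """Write one full pass over the image; pattern=None means random bytes,
    otherwise a single repeated byte."""
    if pattern is not None and len(pattern) != 1:
        raise ValueError("pattern must be one byte")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            done += n
        f.flush()
        os.fsync(f.fileno())  # push the data to the device, not just the page cache


def verify_clear(path: str, final_pattern: bytes, before: dict[int, str]) -> tuple[bool, int]:
    """Full read-back: every byte must equal the final pass pattern, and no
    fingerprinted block may still hash to its pre-sanitization value.
    Returns (ok, first_bad_offset); the offset is -1 when ok."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        off = 0
        while off < size:
            chunk = f.read(CHUNK)
            if chunk != final_pattern * len(chunk):
                bad = next(i for i, b in enumerate(chunk) if b != final_pattern[0])
                return False, off + bad
            off += len(chunk)
        for s_off, digest in before.items():
            f.seek(s_off)
            if hashlib.sha256(f.read(SAMPLE_BLOCK)).hexdigest() == digest:
                return False, s_off
    return True, -1


def sanitize_image(path: str, serial: str, passes=(None, b"\xff", b"\x00")) -> dict:
    """Random, ones, zeros: a DoD 5220.22-M-style multi-pass sequence that ends
    in a fixed pattern so the read-back can be checked byte for byte. NIST SP
    800-88 r1 accepts a single pass for modern magnetic media; extra passes
    cost time, not assurance. Returns the sanitization record."""
    if passes[-1] is None:
        raise ValueError("last pass must be a fixed pattern so it can be verified")
    before = fingerprint_blocks(path)
    for p in passes:
        overwrite_pass(path, p)
    ok, bad = verify_clear(path, passes[-1], before)
    with open(path, "rb") as f:
        after = hashlib.sha256(f.read()).hexdigest()
    return {
        "serial": serial,                       # drive serial the record is keyed by
        "method": "NIST SP 800-88 clear (overwrite, verified by read-back)",
        "passes": len(passes),
        "bytes": os.path.getsize(path),
        "verified": ok,
        "first_bad_offset": bad,
        "sha256_after": after,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
    }


def make_demo_image(path: str, size: int = 1 << 20) -> None:
    """Constructed sample: fill the image with fake patient-record text so the
    fingerprint check has something recognisable to look for."""
    line = b"patient=J.DOE;mrn=000000;dx=redacted\n"
    with open(path, "wb") as f:
        f.write((line * (size // len(line) + 1))[:size])


if __name__ == "__main__":
    img = "demo-disk.img"
    make_demo_image(img)
    print(json.dumps(sanitize_image(img, serial="EXAMPLE-SN-0001"), indent=2))
    os.remove(img)
```

Against a real drive you would pass the block device path instead of an image file (and need root); the verify-then-record shape is the same. The overwrite approach is only meaningful for magnetic media: for SSD, flash and self-encrypting drives, NIST SP 800-88 r1 points to the drive’s own sanitize commands (ATA SECURE ERASE, NVMe Sanitize) or cryptographic erase of the SED key, because host-visible overwrites never reach over-provisioned or remapped blocks. That is also why the encryption bullet above reduces the burden around disk media: a drive whose key has been destroyed is sanitized in seconds and needs no read-back.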

Page 24: Information confidentiality: business risks and regulations


HP offers

Page 25: Information confidentiality: business risks and regulations


Offers from HP

Protection within HP products

Protect your data at rest

• Self Encrypting Drives (SED) for the 3PAR StoreServ 10000 and StoreServ 7000 storage arrays

• HP XP P9000 DKA Encryption Software enables controller-based encryption of hard drives (optional on P9000 storage arrays)

• HP Encryption SAN Switch and blades

• HP 1/8 G2 Autoloader and ESL/EML/MSL Tape Libraries

Erase your data when “done”

• HP disk sanitizer

– Free tool for HP desktops and towers; erases to the DoD 5220.22-M standard

– Located at HP.com (http://www8.hp.com/us/en/support-drivers/privacy-dataprotection/index.html)

• HP volume shredder for P9000, XP24000, and XP12000 arrays

– Performs repetitive overwrites, up to 8 passes (exceeds DoD 5220.22-M)

– Included with array manager software on P9000/XP24000 (optional on XP12000)

Page 26: Information confidentiality: business risks and regulations


Offers from HP

Defective media retention

Keep your media

• All hard drives and eligible SSD/flash drives are retained by the customer when replaced as part of a service event

• Customer is free to handle, process or dispose of media to accommodate policies, procedures, or regulations

• Available for most HP products such as storage arrays, enclosures, servers, desktops, and workstations

• Offered as an HP Care Pack or as a support contract option for all coverage levels and agreement durations

Page 27: Information confidentiality: business risks and regulations


Offers from HP

Comprehensive defective material retention

Keep all data-retentive parts

• Also includes all hard drives and eligible SSD/flash drives retained by the customer when replaced as part of a service event

• Extends scope to other parts, such as system boards containing RAM, controllers, cache, and more

• Not a requirement for HIPAA, but of high interest to government and financial sectors

• Protects lower-level identifiable information such as contacts, node names, and IP addresses (note: PHI is not likely to be contained in these components)

• Customer is free to handle, process, or dispose of materials to accommodate policies, procedures, or regulations

• Available for most HP products such as storage arrays, enclosures, servers, desktops, and workstations

• Offered as an HP Care Pack or as a support contract option for all coverage levels and agreement durations

Announcement: June 10, 2013, with availability July 1, 2013

Page 28: Information confidentiality: business risks and regulations


Offers from HP

HP data sanitization service

Remove data from your storage assets

• Removes data from most HP and third party storage arrays and enclosures

• Allows re-use, sale, or disposal of the asset

• Facilitates compliance with policies and regulations

• Erases data to the DoD 5220.22-M and NIST SP 800-88 “clear” standards

• Detailed documentation/confirmation of operations and status provided by serial number

• On-site or off-site delivery choices provided; destruction optionally available

• Offered as HP care packs or custom scope of work

Service brief and datasheet available

Page 29: Information confidentiality: business risks and regulations


Offers from HP

HP asset recovery service

Your retired assets: recover market value and responsible disposal

• Turnkey solution that removes retired IT assets from inventory

• Recovers value of surplus IT assets

– Assets with market value are processed and sold; proceeds returned to customer less fees

• Assets with no value recycled and disposed of responsibly

• Available for most HP or non-HP IT assets including arrays, servers, desktops, printers, networks, and mobile devices

• De-install, inventory, sorting, and processing of products included

• All media sanitized, identification information removed; cleaning/testing if intended for resale

• On-site or off-site delivery choices provided; destruction optionally available

Service brief and datasheet available

Page 30: Information confidentiality: business risks and regulations


Offers from HP

HP custom services

Flexible management of media removed from service

• Provides options in handling media removed as part of a service event

• Alternative to Defective Material Retention (DMR)

• Eliminates unwanted accumulation of defective media

• Options offered:

– On-site sanitization of hard drives to DoD or NIST standards; media passing the sanitization process is returned to HP

– On-site destruction of hard drives meeting NIST “purge” and “destroy” standards

– Off-site media processing using secure transportation

– Responsible recycling of scrap items

• Available via custom quote; standardized services under evaluation

Page 31: Information confidentiality: business risks and regulations


HP security portfolio: six key areas

HP security and risk management

Security governance, risk, and compliance: protect your reputation, manage risk, and achieve regulatory compliance by replacing disparate governance functions with an integrated set of services

Operations security: integrate information from various security disciplines. Connect your security processes with your business processes

Application security: build enterprise security into your applications. Automate detection and response to vulnerabilities, and enable business agility through secure web applications

Endpoint security: protect all your endpoint devices and minimize risk inherent in a mobile workforce while centralizing and consolidating management tools to reduce costs

Network security: prevent network intrusions while making applications available. Avoid zero-day attacks and automate policy enforcement

Data Center Security: embed security holistically across networking, virtualization, mobility, and cloud in your data center

Page 32: Information confidentiality: business risks and regulations


For more information

Privacy/data protection & disk sanitization website

• HP disk sanitizer tool (desktops/towers)

• HP’s media handling policy for healthcare customers

• HP’s media sanitization policy for returned drives

Enterprise security & risk management website: HP products and services for risk management & security

HIPAA regulations:

• Health & Human Services, health information & privacy - http://www.hhs.gov/ocr/privacy/index.html

• Federal Register (final rule) - http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

Page 33: Information confidentiality: business risks and regulations


Q & A

Page 34: Information confidentiality: business risks and regulations


Learn more about this topic

Use HP Autonomy’s Augmented Reality (AR) to access more content

1. Launch the HP Autonomy AR app*

2. View this slide through the app

3. Unlock additional information!

*Available on the App Store and Google Play

Page 35: Information confidentiality: business risks and regulations


Thank you