Imperva Helps Healthcare Providers Demonstrate Compliance and Protect PHI

For Healthcare Providers it’s All About Finding Balance

Healthcare providers process and store vast amounts of sensitive information such as PHI (Protected Healthcare Information), credit cards, personal, and research data. This sensitive data must be protected from careless and malicious insiders, identity thieves, and those looking to profit from information theft and fraud. Healthcare providers are being audited more frequently, are suffering higher penalties for non-compliance, and are even facing litigation. Numerous regulations such as the ARRA-HITECH Act of 2009, the HIPAA Act of 1996, PCI DSS, Sarbanes-Oxley, and new state privacy laws must be managed. HIPAA has always stipulated that PHI requires security and privacy; however, there are still a number of well-known breaches.

» In 2006 Farrah Fawcett denounced the National Enquirer for publishing leaked details about her illness, and criticized UCLA Medical Center for failing to protect her medical records from snooping employees.

» In 2006 Liz Arlene Ramirez in Texas tried to sell an FBI agent’s health records to drug traffickers for $500 but was intercepted by the FBI and charged with accessing healthcare records “for profit/gain/harm.” This charge carries a prison term of up to 10 years and fines of up to $250,000.

» In 2007 more than two dozen employees at the Palisades Medical Center in New Jersey were suspended without pay for a month for allegedly accessing George Clooney’s confidential medical records.

» In 2009 the FBI started investigating a $10 million ransom demand by a hacker or hackers who claimed to have stolen nearly 8.3 million patient records from a Virginia government Web site that tracks prescription drug abuse.

There is a need for visibility into all activities related to users interacting with data within healthcare provider networks. Automated and continuous monitoring of these activities can address the goals of security and privacy, as well as meeting and demonstrating compliance. However, an effective monitoring solution must also address the unique challenges faced by healthcare providers.

Imperva understands the challenges intrinsic to balancing cost, operational efficiency and effectiveness, and protecting PHI and other sensitive data across a broad provider network and an even broader medical ecosystem. In addition to sensitive data protection, which generally revolves around database security, there is also a need to address the ever-growing number of convenience web portals used for B2B and customer self-service. This requires web application security. Finally, healthcare providers continue to have tighter IT security budgets than other industries, and the employees responsible for security are often responsible for multiple domains. They therefore need to address database and web application security with automated, easy to use and easy to maintain solutions that provide protection efficiently and effectively without additional resources.


CASE STUDY

Medical Center Mitigating Attacks on Web Portals

Medical center protects patient data while reducing costs and enhancing the patient experience

Limited resources meant that this medical center was unable to have a dedicated security staff even though their risk posture was increasing because of the deployment of multiple B2B and customer self-service Web portals. These portals were made operational to increase efficiencies and reduce operational costs while allowing patients a confidential and convenient way to access and personalize their health information. On the patient portals, sensitive information includes:

» Health summary, prescriptions, allergies, and immunizations

» Tests ordered and test results

» Email correspondence with healthcare professionals

» Contact information, appointments

Effectively allowing patients access to such sensitive information meant that nefarious individuals could also try to exploit the Web portals. In the early stage of the patient Web portal deployment they experienced SQL Injection and Cross-site Scripting (XSS) attacks. These events prompted them to reassess their Security Development Lifecycle (SDLC) and invest in a solution that would better protect their patients.

Figure 1 illustrates how Web portals are extremely beneficial for patient and B2B interactions with the medical center. With unprotected applications, this also opens up a door for attackers to access the same sensitive data.

Figure 1 – Medical Center Web Portal Architecture

Solutions and Benefits

Following a paper evaluation and 2-week product evaluation, they chose the Imperva SecureSphere Web Application Firewall (WAF) to secure their Web portal applications. Imperva SecureSphere was proven to scale to support their commercial applications with minimal disruption to the network topology and the applications being protected. Imperva was also able to help address compliance issues related to HIPAA and PCI by protecting, monitoring, and reporting on application activity.

Because the WAF appliance was deployed as a layer-2 transparent bridge, and because there was no need to install any software or modify the Web applications themselves, the WAF was installed and operational in a matter of hours. After just a couple of days of automatic learning the WAF was able to build profiles of the applications and of how users interact with them. From that point on, the WAF was blocking attacks, alerting on incidents, and generating security and compliance reports.

The Imperva SecureSphere WAF provided an easy to implement and easy to use solution that negated the need for additional headcount to monitor their portals. The reporting framework supplied internal and external auditors with the data needed for demonstrating compliance. Best of all, the medical center’s security posture was increased substantially through robust Web application protection and incident detection while allowing the business partners and customers to continue utilizing the portals uninterrupted.
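The automatic learning described above, reduced to a toy positive-security-model profiler. This is an added example written for this page, not Imperva’s code or the SecureSphere algorithm: it learns, per portal path and parameter, the character class and maximum value length seen during a learning window, then reports requests that deviate from that profile. The portal paths, parameter names and request lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

LEARN_LOG = [  # constructed learning-period traffic from a hypothetical patient portal
    "GET /portal/results?patient_id=10421&year=2009",
    "GET /portal/results?patient_id=98215&year=2008",
    "GET /portal/appointments?patient_id=10421&clinic=cardiology",
    "GET /portal/appointments?patient_id=55501&clinic=oncology",
]

# Character classes, narrowest first; a value takes the first class that matches it.
CLASSES = [("digits", r"[0-9]+"), ("alpha", r"[A-Za-z]+"),
           ("alnum", r"[A-Za-z0-9_-]+"), ("any", r"[\s\S]*")]
RANK = {name: i for i, (name, _) in enumerate(CLASSES)}

def classify(value):
    return next(name for name, pat in CLASSES if re.fullmatch(pat, value))

def parse(line):
    method, target = line.split(" ", 1)
    url = urlsplit(target)
    return method, url.path, parse_qsl(url.query, keep_blank_values=True)

def learn(lines):
    """Learning mode: profile[path][param] = {"class", "maxlen"}, widened as traffic is seen."""
    profile = {}
    for line in lines:
        _, path, params = parse(line)
        for name, value in params:
            entry = profile.setdefault(path, {}).setdefault(name, {"class": "digits", "maxlen": 0})
            if RANK[classify(value)] > RANK[entry["class"]]:
                entry["class"] = classify(value)
            entry["maxlen"] = max(entry["maxlen"], len(value))
    return profile

def check(profile, line):
    """Protection mode: deviations from the profile; an empty list means the request fits."""
    _, path, params = parse(line)
    if path not in profile:
        return [f"unknown path {path}"]
    issues = []
    for name, value in params:
        entry = profile[path].get(name)
        if entry is None:
            issues.append(f"unexpected parameter {name}")
        elif RANK[classify(value)] > RANK[entry["class"]]:
            issues.append(f"{name}: value outside learned class {entry['class']}")
        elif len(value) > 2 * entry["maxlen"]:  # tolerate modest growth past the learned max
            issues.append(f"{name}: length {len(value)} exceeds learned maximum")
    return issues
```

A real learning-mode WAF also profiles cookies, headers, methods and response codes and keeps widening the profile during a tuning period; the two-mode split shown here is what lets a single profile serve both blocking and audit reporting.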

[Figure 1 elements: Patients, B2B Web Portal, Imperva SecureSphere, Attacker]

“Web and database communication has become integrated into nearly every BlueCross BlueShield of Tennessee production system. So protecting our Web applications and databases is a key element in safeguarding the private health information of our members and partners.”

Chris Levan, CIO


CASE STUDY

Medical Facility Protecting VIP Clientele

An Organization Managing Sensitive and Valuable VIP Information Takes Proactive Measures

Prominent people such as Tom Cruise, Britney Spears, Arnold Schwarzenegger, and his wife Maria Shriver have had their healthcare information stolen. Organizations with well-known patients are particularly concerned about security because of the potential value of patient data and thus the potential temptation. This particular medical facility felt that, because their network architecture provides a level of separation between sensitive data and the outside world, the greatest threat was from within. They felt that their hiring and quarterly review practices were adequate, but they needed automated tools for capturing and analyzing database audit information.

There is significant data to support their concerns about insiders. Consider the following statistics on known data breaches within the healthcare industry between 2000 and 2007, broken out by breach type. Figure 2 shows a subset of the breach types and illustrates that while only 25% of the breaches were attributed to malicious insiders (likely motivated by money – either need or greed), the records they stole amounted to 57% of all records stolen. This shows how malicious insiders can have a devastating impact, even beyond that of hackers.

Breach Source                    Sum of Total Records Stolen    Number of Breaches
Careless or Untrained Insider    459,392                        30
Hacking                          479,726                        3
Malicious Insider                1,253,050                      11

Figure 2 – Records Stolen from Healthcare Organizations Between 2000-2007: InfoSecurityAnalysis.com

Solutions and Benefits

The Imperva SecureSphere Database Activity Monitoring (DAM) solution was chosen for five primary reasons.

1. While they were starting with database activity monitoring, they also wanted it integrated with WAF in a later phase for complete data protection.

2. They didn’t want to depend on the native database audit logs which they felt could be modified by a malicious privileged user.

3. They required a solution that provided visibility across all users and audited all user interaction with VIP information. Under state disclosure laws on sensitive data, knowing exactly what data was breached and who is impacted, instead of having to guess and possibly notify every person on a compromised system, could make the difference in patient trust.

4. They sought complete separation of duties between DBA operations and audit/security.

5. They needed the ability to interact with large amounts of audit data quickly and easily to identify incidents of possible abuse.

The Imperva SecureSphere DAM solution met these requirements and provided a robust set of visual analytics, and reports to help specifically address PHI abuse by malicious insiders.

“The main reason we chose Imperva was the ease of implementation, and thoroughness for covering all avenues of data security. Imperva found out that one of the applications we were using leaves sessions open if the user doesn’t log out. That’s an issue of performance as well as security. Imperva has more than met my expectations.”

Gary Lilley, Senior Enterprise Security Architect at a State Healthcare Organization


Imperva SecureSphere Solutions for Healthcare

Imperva has many healthcare provider customers, and continues to help them address regulations, protect PHI, and mitigate risks related to sensitive data. Imperva protects the applications and databases that process and store sensitive data. Beyond external threats, internal threats, and audit, Imperva SecureSphere offers rich reporting capabilities for demonstrating compliance.

» Can be easily deployed and maintained with little to no involvement from network operations, DBAs, or application managers, and does not require dedicated headcount

» Addresses compliance in multi-regulated environments and security in tandem

» Protects data by applying security controls where it matters most: applications and database

» Secures information from external attackers, malicious or careless insiders, and privileged users

Healthcare providers must balance the costs of security, privacy, and regulatory compliance with business demands. Because of limited budgets and limited staff resources, it is particularly important for solutions to be easy to learn, deploy, and manage. Solutions must also provide significant value out of the box, since the staff cycles available for fine tuning may be limited.

Imperva SecureSphere provides automated solutions including data discovery, Web application protection, database protection, and audit. It allows healthcare providers to demonstrate compliance while securing sensitive data such as PHI. Bottom line – Imperva helps Healthcare providers balance their ever expanding security, privacy and regulatory requirements with core business operations.

Imperva Headquarters
3400 Bridge Parkway, Suite 101, Redwood Shores, CA 94065
Tel: +1-650-345-9000  Fax: +1-650-345-9004
Toll Free (U.S. only): +1-866-926-4678
www.imperva.com

© Copyright 2009, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #SB-HEALTHCARE-0909rev1