Confidential and Proprietary © Metalogix
Metalogix: Move, Manage, Protect
Safeguarding Sensitive Health Information within SharePoint
How to avoid the costs of non-compliance
The safest SharePoint environment is one with no users.
But once we open the gate…
[Bar chart: percentage of IT and IT security pros who believe employees are likely or very likely to take each action (Ponemon Institute). Values shown: 23%, 25%, 44%, 51%, 74%, 78%, 86%.]
• Emailing confidential documents from the workplace to a home computer or mobile device using a Web-based email account
• Retaining confidential documents or files that are no longer required
• Moving large files containing business confidential information to a Web-based file-sharing application
• Sharing files and documents not intended for them
• Forwarding confidential files or documents to individuals not authorized to receive them
• Sending confidential files to unauthorized individuals outside the organization
• Copying documents and files to a USB memory stick after being downsized from an organization
People are willing to bypass security policies to get their jobs done.
Is your sensitive data really safe?
Did you know…?
79% of companies store sensitive or confidential information on SharePoint. – CMS Wire
• Employee info – credit card numbers, salary info
• Patient info – ePHI, medical records, insurance
• Company information – financial or legal records
• Intellectual property – research, formulations, clinical trials
Even if you have a “secure zone” in your SharePoint farm, users can find ways around it.
Neglecting PHI security: the fallout
• Financial – regulatory fines; customer and shareholder lawsuits
• Competition – trade secrets and valuable IP are exposed
• Reputation – patients, employees and partners are less willing to trust you
• Opportunity cost – what else could you be doing instead of remediating a data breach?
The average cost of a lost or stolen health record is $363, which is 136% higher than the average global cost across all industries.
– IBM/Ponemon Cost of a Data Breach Study
The costs add up: 1 + 2 + 3 + 4
1. HIPAA fines for US companies – $1.5 million per HIPAA violation. OCR Phase II Audits focus on the risk of compromised data and on how business associates interact with sensitive content.
2. EU GDPR fines for companies with EU customers and staff – 20 million Euros (~$22 million) or 4% of annual turnover.
3. Customer or shareholder lawsuits – individual or class action lawsuits targeting the organization or its executive leadership for negligent behavior.
4. Staff time for investigation and remediation – the mean time to discover a data breach is 206 days, and the mean time to contain it is 69 days. Insider breaches can often take longer than average to find and fix. You may need external expertise as well as dedicated staff.
1. HIPAA fines: OCR is holding organizations accountable
• Advocate Health – will pay $5.5 million for lax data security and breaches of protected health information for millions of patients, after four unencrypted laptops were stolen.
• Feinstein Institute – fined $3.9 million after it failed to implement safeguards restricting access by unauthorized users, putting the ePHI of ~13,000 patients at risk when a laptop was stolen from an employee’s car.
• Triple-S – settled for $3.5 million after multiple violations, including former staff who retained access to data and a business associate who downloaded ePHI and uploaded it to his new employer’s computer.
• North Memorial Health Care of Minnesota – paying $1.55 million after failing to sign a business associate agreement with a contractor or to conduct a risk analysis.
• St. Elizabeth’s Medical Center – settled for $218k after staff stored ePHI on an insecure document file-sharing service.
• Washington State Healthcare Authority – pending settlement after an employee helped another with a spreadsheet, compromising 91,000 Medicaid patient files.
2. EU GDPR: global impact
• The EU General Data Protection Regulation was ratified in 2016; organizations must be compliant by 2018.
• If you have any EU employee or customer data in your systems, you must comply, even if you’re based in the Americas or APAC.
• Organizations processing data of EU citizens must appoint a Data Protection Officer (DPO) if they monitor data subjects on a large scale and collect categories of personal information such as health data.
• Failure to comply triggers fines of up to 200 million Euros or 4% of annual turnover, whichever is greater.
3. Lawsuits: expensive to defend, more expensive to lose
• Affected patients are bringing suit against Advocate Health after negligent security practices exposed the personal health information and social security numbers of more than four million people.
• A physician is the lead plaintiff in a class action lawsuit against Banner Health over a massive data breach that may have exposed the personal information of 3.7 million individuals.
• A class action contends that UCLA Health failed to take the basic precautionary steps to protect the personal and medical information of as many as 4.5 million individuals.
• A class action contends that two employees at Florida Hospital had been printing parts of the medical records of approximately 9,000 patients for more than two years.
4. Time: consider the time it takes IT and security staff when…
• Your security team (or an auditor) asks for details on how sensitive information is managed within SharePoint.
• Lawyers request a paper trail for eDiscovery.
• You need to track the source of improper data use.
• You take action to remediate issues (if you even can).
Remediation time following a breach is increasing – Frost & Sullivan
[Chart: share of organizations by remediation time, 2011 vs. 2013. Categories: within one day; two to seven days; eight to twenty days; three or more weeks. Values shown: 33%, 43%, 7%, 5%; 28%, 41%, 9%, 7%; 20%, 44%, 11%, 8%.]
Lower your risk of a SharePoint security breach.
A delicate balance
[Diagram: security versus usability, plotted against data sensitivity from LOW to HIGH.]
Misaligned investment vs. risk
[Bar chart comparing external threats and insiders on two measures: the percentage of organizations concerned about each threat type, and the percentage of security spending dedicated to addressing it. Values shown: 75%, 25%, 41%, 65%. External threats are marked as overspend, insiders as underspend.]
Enterprise DLP isn’t sufficient
Network stress
• Adding an enterprise DLP solution on top of SharePoint slows activity. When users upload documents, DLP scans cause user time-out errors.
• Users mistakenly believe their documents have reached the destination and blame SharePoint when they can’t find their content.
Complex rollouts
• For DLPs to be successful, organizations need to classify data and understand information flows across thousands of assets.
• Costly to manage and maintain.
High false positive rate
• Enterprise DLPs are either too strict or too permissive.
• They don’t consider the context of the SharePoint user.
• It’s not unusual to experience false positive rates of 60% or more.
SharePoint out-of-the-box security gaps
In pre-2016 versions, audits, eDiscovery and permissions are time-consuming and difficult to manage, and data leak prevention is practically non-existent.
• Fragmented permissions management
• Limited auditing
• Poor rights management integration
• Limited governance policy enforcement
• No active management
• Inability to delegate control
• Stale sites and out-of-date content
SP 2016’s Compliance Center
It is born from the cloud and makes use of Office 365. Microsoft is taking security and governance seriously. But it is still not sufficient for data loss prevention:
• Basic searching capability for sensitive data types
• Downstream prevention actions (preventing users from moving, deleting files, etc.) are lacking
• Can’t manage security across multiple SharePoint deployments
Plug security gaps
• Make sure you know where all of your sensitive data resides. Scan, detect, and classify ePHI.
• Empower employees to adhere to information security plans. Place security controls directly within the workflow, at the point users need them.
• Automatically monitor, alert and execute downstream remediation actions.
• Consider the context of user behavior, not just permissions and credentials. Location, time of day, and situational analysis matter.
• Report on how users interact with data and security controls. Auditors expect a paper trail and proof that you protect ePHI.
• Design information governance processes and adoption programs for a proactive approach to SharePoint security.
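The recommendations above (classify ePHI, monitor access with user context, keep an audit trail) can be illustrated with a small monitor. The following is an added example written for this page; it is not Metalogix code and does not use SharePoint's real audit-log format or API. The detection patterns, business-hours window, internal network ranges, bulk-download threshold, documents and access events are all constructed for the illustration; a production classifier would use validated sensitive-information types with checksum and context validation rather than these simple regular expressions.

```python
"""Context-aware access monitor for a document store (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Step 1: classify content. Patterns are illustrative only (assumption).
PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn_like": re.compile(r"\bMRN[:\s]*\d{6,8}\b", re.IGNORECASE),
    "diagnosis_code": re.compile(r"\bICD-10[:\s]*[A-Z]\d{2}(?:\.\d{1,2})?\b"),
}

def classify(text):
    """Return the set of indicator names found in a document's text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

@dataclass
class AccessEvent:
    user: str
    doc_id: str
    action: str        # "view", "download" or "share_external"
    when: datetime
    ip: str

# Assumed context policy: business hours and internal address prefixes.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
INTERNAL_NETS = ("10.", "192.168.")

def evaluate(events, doc_labels, bulk_threshold=5):
    """Step 2 and 3: check each access to a labelled document against the
    user's context, emit alerts and keep an audit record of every access."""
    alerts, audit, downloads_per_user = [], [], {}
    for ev in events:
        labels = doc_labels.get(ev.doc_id, set())
        if not labels:
            continue  # no sensitive indicators: no context checks needed
        reasons = []
        if not BUSINESS_HOURS[0] <= ev.when.time() <= BUSINESS_HOURS[1]:
            reasons.append("off-hours")
        if not ev.ip.startswith(INTERNAL_NETS):
            reasons.append("external-network")
        if ev.action == "share_external":
            reasons.append("external-share")
        if ev.action == "download":
            n = downloads_per_user[ev.user] = downloads_per_user.get(ev.user, 0) + 1
            if n >= bulk_threshold:
                reasons.append("bulk-download")
        if reasons:
            high = "external-share" in reasons or len(reasons) >= 2
            alerts.append(("high" if high else "medium", ev.user, ev.doc_id, sorted(reasons)))
        # Audit trail: every access to ePHI is recorded, alerted or not.
        audit.append({"user": ev.user, "doc": ev.doc_id, "action": ev.action,
                      "at": ev.when.isoformat(), "labels": sorted(labels),
                      "alerted": bool(reasons)})
    return alerts, audit

# Constructed sample documents and access events (not real data).
DOCS = {
    "doc-1": "Patient John Doe, MRN 00123456, ICD-10 E11.9, insurance on file",
    "doc-2": "Q3 cafeteria menu: tacos on Tuesday",
    "doc-3": "Payroll export: SSN 123-45-6789 salary 85000",
}
EVENTS = [
    AccessEvent("alice", "doc-1", "view", datetime(2017, 3, 1, 10, 0), "10.1.2.3"),
    AccessEvent("bob", "doc-1", "download", datetime(2017, 3, 1, 23, 30), "203.0.113.5"),
    AccessEvent("carol", "doc-3", "share_external", datetime(2017, 3, 1, 14, 0), "192.168.5.9"),
    AccessEvent("dave", "doc-2", "download", datetime(2017, 3, 2, 2, 0), "198.51.100.7"),
] + [AccessEvent("eve", "doc-1", "download", datetime(2017, 3, 2, 9, i), "10.0.0.8")
     for i in range(5)]

def run_demo():
    """Classify the sample documents, then evaluate the sample events."""
    labels = {doc_id: classify(text) for doc_id, text in DOCS.items()}
    alerts, audit = evaluate(EVENTS, labels)
    return labels, alerts, audit

if __name__ == "__main__":
    labels, alerts, audit = run_demo()
    for a in alerts:
        print("ALERT", *a)
    print(len(audit), "audit records")
```

Running the demo flags bob (off-hours access from an external network), carol (sharing a document with an SSN-like value outside the organization) and eve's fifth download in a short window, while alice's in-hours internal view produces only an audit record and dave's cafeteria menu is ignored entirely. The point of the design is the one the slide makes: the same action is benign or suspicious depending on what the document contains and the context in which it is accessed, and every access to classified content is written to the trail an auditor will ask for.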
See what we’ve learned about how SharePoint keeps healthcare data safe – and how it doesn’t.
Get the eBook: Security and Compliance in Healthcare