Jim Routh September, 2014
Climate Change: It's about Managing Risk, Not Just Compliance
Aetna Inc.
Objectives
1. Present a model for risk-driven information security
2. Suggest an alternative approach to managing risk in your security technology portfolio
3. Encourage you to consider changes in your approach to information security
The Evolving Role of the CISO
A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks.
The Opportunity Awaits Us
• Medical/health fraud is $80 billion annually (Institute of Medicine report, The Healthcare Imperative)
• An example of fraud is medical identity theft, which is growing at close to 20% annually (500k cases) (Ponemon)
• The number of devices connected to the Internet in 2020 will be 50 billion (Cisco)
Slide graphic, underground-market pricing: Fullz (insurance card, bank account, SSN, email address) shown at $500 and $25; SSN at $1.00 on Aug. 1st and $.48 on Aug. 8th.
Compliance-Driven Info Sec
Slide diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement (Regulatory)
HiTech Act / HIPAA
Slide diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement (Regulatory)
HIPAA timeline (offset in years from the Kennedy-Kassebaum Bill):
• 1993-94: Kennedy-Kassebaum Bill
• 1996 (+3): HIPAA
• 1999 (+6): HIPAA Privacy Rule
• 2002 (+9): HIPAA Privacy Rule - Final
• 2003 (+10): Privacy Compliance date
• 2003 (+10): Final Rule on security standards
• 2005 (+12): Security Compliance date
• 2006 (+13): Final Rule on HIPAA Enforcement
• 2009 (+16): HiTech Act
• 2010 (+17): HiTech Act Rule
Risk-Driven Information Security
Slide diagram: the compliance chain Event → Awareness → Committee → Legislative → Law → Rules → Enforcement (Regulatory), with Threat added as the input that drives the program.
Separate Privacy Program from Information Security Program
Slide diagram:
• Privacy program inputs: Federal, State, Local (regulation)
• Info Sec program inputs: External Threat, Internal Threat, Vulnerability Assessment
Consume Cyber Security Intelligence
Sources:
• 3rd Party
• Information Sharing
• Public Domain
• National Cyber Security and Communications Center
The Threat Landscape
• Organized cyber criminals
• Mobile Devices
• Geo Political
New Information Classification Model
Confidential Information:
• Protected Health Information (PHI): Medical Records, Diagnosis & Procedure Codes, Lab Results, Claim Data, etc.
• Personally Identifiable Information (PII): Name, Address (Street, City, State, Zip Code), Member ID, DOB, Telephone & Fax Numbers, Email Addresses, etc.
• Company Financial Data, Merger & Acquisition Data
• Controls: meet all HIPAA & other regulatory requirements (nothing changes)
Restricted Data:
• Credit Card Data, SSN, Credentials (User IDs & Passwords)
• New Controls: Encryption or Tokenization, 2 Factor Authentication, Increased Auditing & Monitoring
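The two-tier model above says Restricted data gets tokenization (or encryption) on top of the controls Confidential data already has. The following added example, which is not Aetna's code, shows what that looks like at the record level: Restricted fields are replaced by vault tokens before a record reaches the application data store, credentials are never stored reversibly at all, and Confidential fields pass through unchanged. The field names, the in-memory vault, the index key and the iteration count are assumptions made for the example.

```python
"""Added example (not Aetna's code): applying the Confidential/Restricted
classification to a member record before it is written to storage.
Field names, the in-memory vault and the index key are assumptions."""
import hashlib
import hmac
import secrets

# Restricted tier from the slide: credit card data, SSN, credentials.
RESTRICTED_FIELDS = {"ssn", "credit_card", "password"}
# Confidential tier: PHI/PII that stays under the existing HIPAA controls.
CONFIDENTIAL_FIELDS = {"name", "address", "member_id", "dob", "diagnosis_code", "email"}
PBKDF2_ITERATIONS = 600_000


class TokenVault:
    """Maps a restricted value to a random surrogate token.

    The same value always yields the same token (looked up through a keyed
    HMAC index), so records can still be joined on SSN without the SSN
    itself leaving the vault. The backing store here is a dict; in practice
    it is a separately controlled system with its own access logging.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_value: dict[str, str] = {}
        self._digest_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        token = self._digest_to_token.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, no relation to the value
            self._digest_to_token[digest] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; callers need separate authorization."""
        return self._token_to_value[token]


def classify(field: str) -> str:
    if field in RESTRICTED_FIELDS:
        return "restricted"
    if field in CONFIDENTIAL_FIELDS:
        return "confidential"
    return "unclassified"


def hash_password(password: str) -> str:
    # Credentials are never stored reversibly, not even inside the vault.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record that is safe for the application store:
    Restricted fields tokenized or hashed, everything else unchanged."""
    out = {}
    for field, value in record.items():
        if classify(field) != "restricted":
            out[field] = value
        elif field == "password":
            out[field] = hash_password(value)
        else:
            out[field] = vault.tokenize(value)
    return out


if __name__ == "__main__":
    # Constructed sample record, not real member data.
    vault = TokenVault(index_key=b"example-index-key")
    member = {"name": "J. Doe", "member_id": "M-1001", "ssn": "123-45-6789",
              "credit_card": "4111111111111111", "password": "correct horse"}
    print(protect_record(member, vault))
```

The stored record carries tokens and a salted hash, so a database dump exposes no SSN, card number or password; the HMAC index means two records with the same SSN still get the same token, which is what keeps joins and duplicate checks working after tokenization.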
Changing Business Practices
Slide diagram: Consumer, Provider and Payer, with the SSN passed among all three.
A Security Technology Portfolio
• Legacy Technology (65%): mature; meets basic requirements
• Legacy to Replace (10%): needs replacement; no longer mitigates risk
• New Technology Solutions (25%): emerging technology controls
Apply Portfolio Management Theory
Slide chart: Market Share and Price plotted against funding stage (Angel/Early Stage, VC Backed, IPO, Private Equity; Rounds 1, 2, 3 of a Product/Service), with a "Buy Here" marker.
• Product/Service market value increases with maturity
• Price follows market value
• More investors means higher pricing; more market share means higher pricing
• Select technology early and apply rigorous testing while sharing feedback
Let’s Talk SMAC!
SMAC: Social, Mobile, Analytics, Cloud
Cloud Consumption
• Total # Cloud Services Identified: 1,180
• Average # Cloud Services Used (Healthcare): 2,365
Majority of the 2,365 Services Used Lack Basic Security Features
Cloud usage benchmark data (share of services with the control):
• Provide Multi-Factor Authentication: 16%
• Encrypt Data at Rest: 11%
• Are ISO 27001 Certified: 4%
Security Ranking of File Sharing Services
Slide chart: 178 total file sharing services; the top 10 file sharing services (labelled A through J) are ranked 1 to 10 and plotted by risk distribution into High Risk and Medium Risk.
Mobile Ecosystem Controls?
Developer for Aetna Insurance++
The Mobile App Uses Permissions…
22 of the apps are requesting the GET_ACCOUNTS permission.
GET_ACCOUNTS lets an app enumerate the accounts configured on the phone through the AccountManager, including Google, Facebook, Twitter, etc.
In this app, it is used by an ad library called "com.edealya", seemingly for ad tracking and targeting; quote: "eDealya enables marketers to respond to social intent with an in-context, on-time, and relevant mobile advertisement."
eDealya
Reference: eDealya Website - https://www.e-dealya.com/wp-content/uploads/2013/07/eDealya-One-Pager-v4.3.1.pdf
New Authentication Models Are Needed
Decision Data Input for Risk Scoring
Columns: data item | Measurements (see key below) | Read/Transmit (R = read, T = transmit)
Build Data:
• Accelerometer Data | H, MF, P, S | R, T
• Apt Folder data | H, N | R
• Battery Usage | H | R, T
• Blacklist Device ID | H | R, T
• Bluetooth settings | H, T | R, T
• Call Settings | H | R, T
• Customer ID | H | R, T
• Device ID | H | R, T
• Fonts installed | H, MF, N | R, T
• Last Power up | F, H, N, T, TB, TD | R, T
• Manufacture build data | H | R, T
• Network | F, H, MF, N, T, TD | R, T
• Preference settings | H | R, T
• Processing Power | H | R, T
• Random number [inauth] | H | R, T
• Security | H, MF, N, S, V | R, T
• Sound | H | R, T
• Storage/memory | H | R, T
• Su Library data | H | R
• Super User data | H | R
• Test-Release data | H | R
• Time Zone Setting | F, H, MF, N, TB | R, T
• Transmission settings | H | R, T
• Unique ID | H | R, T
• Wi-Fi settings | F, H, N, S, T, TB, TD, V | R, T
Call Data:
• Call Country Codes | F, H, MF, N, S, T, TB, TD, V | R, T
• Call Data | H | R, T
• Call Duration | H, MF, T | R, T
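The table lists which device attributes feed the risk score but not how they are combined. The following added example, which is not Aetna's scoring model, shows one way to do it: an enrollment profile is built from a subset of the attributes above (device ID, unique ID, build data, fonts, time zone, network, Wi-Fi settings, processing power), each login observation is compared against it, drift in each attribute adds weighted points, and the "Su Library" / "Super User" items are treated as a hard signal of a rooted device. Lists such as installed fonts are hashed so only a digest is transmitted and stored. The attribute names, weights and thresholds are assumptions chosen for illustration.

```python
"""Added example (not Aetna's scoring model): a device risk score built
from attributes in the table above. Weights, thresholds and attribute
names are assumptions."""
import hashlib

# Points added when a signal differs from the enrolled profile (assumed weights).
SIGNAL_WEIGHTS = {
    "device_id": 40,
    "unique_id": 40,
    "manufacture_build_data": 25,
    "fonts_fingerprint": 10,
    "time_zone_setting": 15,
    "network": 10,
    "wifi_fingerprint": 10,
    "processing_power": 10,
}
# "Su Library data" / "Super User data" from the slide: evidence of a rooted
# device, treated as a hard high-risk signal rather than as weighted drift.
ROOT_INDICATORS = ("su_library_present", "super_user_app_present")

ALLOW_BELOW = 20  # assumed thresholds
DENY_AT = 60


def fingerprint(items) -> str:
    """Hash a list (installed fonts, saved Wi-Fi networks) so the raw list
    is neither transmitted nor stored; only the digest is compared.
    Sorting makes the digest independent of enumeration order."""
    joined = "\n".join(sorted(str(item) for item in items))
    return hashlib.sha256(joined.encode()).hexdigest()


def build_profile(raw: dict) -> dict:
    """Turn raw device readings into the comparable profile kept at enrollment
    and recomputed on each login."""
    profile = {key: raw[key] for key in SIGNAL_WEIGHTS if key in raw}
    if "fonts_installed" in raw:
        profile["fonts_fingerprint"] = fingerprint(raw["fonts_installed"])
    if "wifi_settings" in raw:
        profile["wifi_fingerprint"] = fingerprint(raw["wifi_settings"])
    for indicator in ROOT_INDICATORS:
        profile[indicator] = bool(raw.get(indicator))
    return profile


def score_device(enrolled: dict, observed: dict):
    """Return (score, reasons) for an observed profile against the enrolled one."""
    score = 0
    reasons = []
    for signal, weight in SIGNAL_WEIGHTS.items():
        if enrolled.get(signal) != observed.get(signal):
            score += weight
            reasons.append(f"{signal} changed")
    for indicator in ROOT_INDICATORS:
        if observed.get(indicator):
            score += DENY_AT  # a rooted device alone is enough to deny
            reasons.append(indicator)
    return score, reasons


def decide(score: int) -> str:
    if score >= DENY_AT:
        return "deny"
    if score >= ALLOW_BELOW:
        return "step_up"  # e.g. a one-time code or other second factor
    return "allow"


if __name__ == "__main__":
    # Constructed readings, not data from a real device.
    enrollment = build_profile({
        "device_id": "d-001", "unique_id": "u-001", "manufacture_build_data": "build-7",
        "fonts_installed": ["Roboto", "Arial"], "time_zone_setting": "America/New_York",
        "network": "carrier-a", "wifi_settings": ["home", "office"], "processing_power": "8",
    })
    login = build_profile({
        "device_id": "d-001", "unique_id": "u-001", "manufacture_build_data": "build-7",
        "fonts_installed": ["Arial", "Roboto"], "time_zone_setting": "Europe/London",
        "network": "carrier-b", "wifi_settings": ["home", "office"], "processing_power": "8",
        "su_library_present": False,
    })
    score, reasons = score_device(enrollment, login)
    print(score, reasons, decide(score))
```

The decision is three-valued on purpose: drift that a travelling user would plausibly produce (new time zone, new network) prompts a step-up challenge rather than a hard failure, while a changed device identity or a root indicator pushes the score past the deny threshold on its own.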
Using Technical Innovation to Improve Controls
• Overlapping controls enable Aetna to invest in emerging technologies with game-changing capabilities
Slide chart: Market Share and Price plotted against stage for four controls (Micro-virtualization, Host-based intrusion detection 1, White listing processes, Host-based intrusion detection 2), with the point at which Aetna purchased marked.
Trusted Email Lifecycle Summary
Benefit Summary
On July 14, 2014 the #1 targeted domain for malicious email, AmericanHealthHolding.com, moved to DMARC enforcement:
Total malicious email removed from delivery (7/14-8/30): 10,276,150
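Mail is "removed from delivery" under DMARC enforcement because the receiving server checks the sending domain's published policy and, when neither SPF nor DKIM passes with an aligned domain, applies the quarantine or reject disposition the domain owner asked for. The following added example, which is not Aetna's or American Health Holding's code, walks through that receiver-side check: it parses a DMARC TXT record, tests SPF and DKIM alignment in strict or relaxed mode, and returns the disposition, falling back to the subdomain policy when the From domain is a subdomain. The record text, domain names and authentication results are constructed; `org_domain()` uses a two-label approximation of the Public Suffix List and the `pct` tag is not sampled.

```python
"""Added example (not Aetna's or American Health Holding's code): how a
receiving mail server applies a DMARC record. The record and the message
results below are constructed. org_domain() approximates the Public Suffix
List with the last two labels, which is wrong for suffixes such as co.uk."""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; reject anything that is not
    a DMARC1 record with a usable policy."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("invalid sp tag")
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') matches on the
    organizational domain, so mail.example.com aligns with example.com."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_domain: str, record: str, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the domain SPF was evaluated against (MAIL FROM);
    dkim_domain is the d= of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy


if __name__ == "__main__":
    # Constructed record: enforcement on the org domain, quarantine on subdomains.
    record = "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; rua=mailto:dmarc-reports@example.com"
    # A spoofed message: SPF fails for the attacker's server, no DKIM signature.
    print(evaluate("example.com", record, "example.com", "fail", "attacker.example", "none", ""))
    # A legitimate message signed by the organization's mail platform.
    print(evaluate("example.com", record, "example.com", "fail", "attacker.example", "pass", "mail.example.com"))
```

Note the difference the `aspf=s` choice makes: an SPF pass for a bounce subdomain does not align under strict mode, so a domain that moves to `p=reject` first needs every legitimate sender either signing with an aligned DKIM `d=` or using an exactly matching MAIL FROM, which is why the monitoring period under `p=none` with aggregate reports precedes enforcement.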