Data Loss Prevention And HIPAA - Ehcca


Data Loss Prevention and HIPAA
Kit Robinson, Director
kit.robinson@vontu.com

ID Theft Tops FTC's List of Complaints
– For the 5th straight year, identity theft ranked 1st of all fraud complaints.
– 10 million cases of Identity Theft annually.
– 59 percent of companies have detected some internal abuse of their networks.
2006 Vontu, Inc. Proprietary and Confidential. All Rights Reserved.

Changing Threats to Data Security

Top 10 Most Frequent Incidents
1. Patient PHI sent to partner, again, and again
2. Employee 401k information sent outbound and inbound
3. Payroll data being sent to home email address
4. Draft press release to outside legal counsel
5. Financial and M&A postings to message boards
6. Source code sent with resume to competitor
7. SSNs, and thousands of them
8. Credit card or account numbers, and thousands of them
9. Confidential patient information
10. Internal memos and confidential information

Data Loss Prevention: Three Key Customer Challenges
1. Where is my confidential data stored? – Data at Rest
2. Where is my confidential data going? – Data in Motion
3. How do I fix my data loss problems? – Data Policy Enforcement

Why Data Loss Prevention is a Priority
– Compliance
– Brand and Reputation Protection
– Remediation Cost
The Risk:
– 1 in 400 messages contain confidential information
– 1 in 50 network files are wrongly exposed

American National Insurance Company
Fortune 583, Market Cap 3.25B, Revenue 2.9B, Employees 4,200, Industry: Insurance
Business Drivers
– Protect policy holder information
– Protect employees' PHI
– Layered approach with email encryption
– HIPAA Compliance
Vontu Solution
1. Monitor
2. Prevent
Why Vontu Was Selected
– Ability to prevent policy breaches
– Integration with PGP encryption
American National Insurance Results
– Monitor all protocols
– Prevention activated with PGP within two months
– Automated enforcement
– Encrypt all emails with employee or patient information

American Association of Retired Persons
Fortune 583, Market Cap 3.25B, Revenue 2.9B, Employees 2,670
Business Drivers
– Protect membership information
– Protect Social Security Numbers
– Protect credit card numbers and PCI compliance
– Protect confidential documents
Vontu Solution
1. Monitor
2. Prevent
Why Vontu Was Selected
– Ability to block/quarantine messages
– High degree of accuracy
– Ability to delegate incident response to business units
AARP Results
– Secure partner communications
– Efficiency in investigations
– Updating insecure business processes

Enforce Policies to Reduce Risk
Enforcement Levels
1. Remediation
2. Notification
3. Prevention and Protection
How is Risk Reduced?
– Fix broken processes
– Educate workforce
– Notify policy violators
– Notify management
– Protect files
– Prevention & Protection
[Chart: Incidents (y-axis 0–100) by enforcement level]

Unified Data At Rest and Data in Motion Protection
Intellectual Property
– Source Code
– Design Documents
– Patent Applications
Patient Data
– Social Security Numbers
– Non-Public Information
– Credit Card Numbers
Employee Data
– Social Security Numbers
– Employee Contact Lists
– 401K and Benefits Info
Corporate Data
– Financials
– Merger & Acquisitions
– Strategy and Planning

Discover and Protect Confidential Data at Rest
1. Define Confidential Data Policy
2. Run Scan and Discover Exposed Data
Enforce Policy
5. Report on Risk and Compliance

Monitor and Prevent Confidential Data in Motion
1. Employee Sends Confidential Data
Vontu Detects Flow
4. Automates Remediation
5. Report on Risk and Compliance

Secure Messaging
2. Vontu detects incidents
4. Vontu … messages
5. Report on Risk and Compliance

Vontu Covers HIPAA
Health Insurance Portability & Accountability Act 1996: "Individually Identifiable Health Information"
– Identifies the individual
AND
– Past, present, or future physical or mental health or condition of an individual
OR
– The provision of health care to an individual
OR
– The past, present, or future payment for the provision of health care to an individual
NOT
– Communications with Treatment, Payment, Operations (TPO) partners
Vontu HIPAA Policy: How Vontu Detects HIPAA
1. Exact Patient Data
– Social Security Numbers
– Health Insurance Card Numbers
– First Name, Last Name
– Address & Phone Numbers
WITH
2. Drug, Disease, Treatments
– Medical Disease Keywords
– Medical Treatment Keywords
– Drug Keywords
EXCEPT
3. Specific TPO Partners
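The three-part rule above (exact patient data WITH medical keywords EXCEPT TPO partners) written out as a small policy evaluator. This is an added example, not Vontu's code; the patient index rows, keyword lists and partner domains are constructed samples standing in for an indexed data source.

```python
import re
from dataclasses import dataclass

# Constructed patient index: stands in for the "exact patient data" source
PATIENT_INDEX = [
    {"first": "Jane", "last": "Doe", "ssn": "123-45-6789", "member_id": "HIC-00042"},
    {"first": "John", "last": "Roe", "ssn": "987-65-4321", "member_id": "HIC-00077"},
]
# Sample disease, treatment and drug keywords (constructed)
MEDICAL_KEYWORDS = {"diabetes", "hypertension", "chemotherapy", "insulin", "metformin", "biopsy"}
# Assumed Treatment/Payment/Operations partner domains exempted from the rule
TPO_PARTNER_DOMAINS = {"claims.example-insurer.com", "lab.example-clinic.org"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z-]+")

@dataclass
class Verdict:
    incident: bool
    reason: str

def find_exact_patient_data(text):
    """Identifiers from the patient index that appear verbatim in the text."""
    hits = []
    ssns_in_text = set(SSN_RE.findall(text))
    for row in PATIENT_INDEX:
        if row["ssn"] in ssns_in_text:
            hits.append(("ssn", row["ssn"]))
        if row["member_id"] in text:
            hits.append(("member_id", row["member_id"]))
        full_name = f'{row["first"]} {row["last"]}'
        if full_name in text:
            hits.append(("name", full_name))
    return hits

def find_medical_keywords(text):
    """Case-insensitive whole-word matches against the keyword list, sorted."""
    tokens = {t.lower() for t in TOKEN_RE.findall(text)}
    return sorted(tokens & MEDICAL_KEYWORDS)

def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate_hipaa_policy(recipient, body):
    """Exact patient data WITH medical keywords, EXCEPT when sent to a TPO partner."""
    identifiers = find_exact_patient_data(body)
    keywords = find_medical_keywords(body)
    if not identifiers:
        return Verdict(False, "no exact patient data matched")
    if not keywords:
        return Verdict(False, "patient data present but no medical context keywords")
    if recipient_domain(recipient) in TPO_PARTNER_DOMAINS:
        return Verdict(False, "TPO partner exception applies")
    return Verdict(True, f"PHI {identifiers} with keywords {keywords} sent to {recipient}")
```

Requiring an identifier and a medical keyword together is what keeps a bare SSN in a payroll note, or a drug name in a newsletter, from raising a HIPAA incident on its own.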

Healthcare Solution Pack
Solution Pack
– Data Loss Priorities & Policy
– Roles & Responsibilities
Healthcare Compliance
– Regulations (HIPAA)
– M&A language
Patient & Employee Data
– Account info
– Personal info
– Enrollment info
– Employee benefit info
– Pharmacy info
– Insurance Claim info
Confidential Data
– Rate Calculators
– Financial info
– M&A info
– General confidential docs
Roles & Responsibilities
Security Services Responder
– "Front line" for remediation
– "Fan-out" to extended remediation team
Security Services Manager
– Escalations within the Security Services
Compliance Officers
– Compliance & incident trends
– Risk scorecards
Internal Auditors
– Compliance & incident trends
– Risk scorecards
HR/Employee Relations
– Incidents that lead to employee termination
Legal/Privacy Officers
– Investigate incidents to mitigate legal actions
– Compliance & incident trends
– Risk scorecards
Investigations & Forensics
– Focused investigation on specific employees
Business Unit Managers
– Corporate involvement on escalated incidents
Executives (trends & dashboards)
– Risk trends and performance metrics
– Risk dashboards

Data Loss Prevention Requirements
– Discover and Protect Confidential Data at Rest
– Monitor and Prevent Confidential Data in Motion
– Accurate Detection Across All Content and Groups
– Automate Enforcement and Response Workflow
– Encryption Visibility and Control
– Safeguard Employee Privacy
– Proven Global Scale and Architecture

Self-Risk Assessment
1. How many emails leave your company with PHI?
2. Who is sending the confidential information?
3. What are your most offensive protocols?
4. How many of these emails violated a regulation?
5. What is your risk level compared to that of peer companies or competitors?

Risk Assessment Scorecard
[Table: columns Priority Data, Severity of Loss, Data at Rest (Frequency, Risk), Data in Motion (Frequency, Risk); rows HIPAA, Physician Referral, Research, CA 1386, Patient Data. Risk = Severity x Frequency. The per-cell incident counts and High/Very High/Medium ratings are not recoverable from the extraction.]

Data Loss Prevention In Summary
– Reduce Risk of Data Loss
– Reduce Financial Loss
– Protect Brand and Reputation
– Demonstrate Compliance
"Vontu met all our requirements to meet the highest degree of compliance with both our own data security policies and state and federal regulations"
Charles Addison, CIO, American National Insurance

