iamers presentation-2

17 pages

Emerging Issues in Data Security, Data Privacy, & Employee Monitoring. DF Labs, The Lorenzi Group. IAMERs 8th Annual Meeting 2012. (c)2012 The Lorenzi Group & DF Labs

Upload: dflabs-srl

Post on 20-Aug-2015

TRANSCRIPT

Page 1: Iamers presentation-2

(c)2012 The Lorenzi Group & DF Labs

Emerging Issues in Data Security, Data Privacy, & Employee Monitoring

DF Labs / The Lorenzi Group

IAMERs 8th Annual Meeting, 2012

Page 2

Data Security
What data are we talking about?

Health
Financial
Product Innovation
Operations & Strategy

Page 3

Data Privacy – US vs. EU
Main difference:

EU – All about regulation & compliance protecting the rights of the individual.

USA – National security & the company interests are protected first.

Patriot Act
Safe Harbor
Preventive Monitoring & Security
Analytics

Page 4

Privacy in the EU: possible modification soon

No more local implementation
Only one notification
Under the new proposals national data protection authorities will be able to penalize data protection breaches by imposing fines of up to 2 percent of the global annual revenues of a business.
Immediate data breach notification

Page 5

Security Analytics: The Next Frontier

Proactive monitoring of data traffic
Internal monitoring more important than external monitoring
Baselines
Metrics
Patterns, anomalies & standard deviation
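The baseline-and-standard-deviation idea from this slide, worked through on internal transfer data as an added example (not code from the presenters or from DF Labs). The log format, user names and byte counts are constructed for the illustration; the detector scores each day only against the days before it, so a single large exfiltration-like spike cannot inflate its own baseline.

```python
import statistics
from collections import defaultdict

# Constructed sample of an internal file-server transfer log: day, user, bytes out.
# Alice's last day is roughly 20x her usual volume; Bob's traffic stays flat.
SAMPLE_LOG = """\
2012-03-01 alice 41200000
2012-03-02 alice 39800000
2012-03-03 alice 44100000
2012-03-04 alice 40500000
2012-03-05 alice 42300000
2012-03-06 alice 910000000
2012-03-01 bob 12000000
2012-03-02 bob 11500000
2012-03-03 bob 12800000
2012-03-04 bob 11900000
2012-03-05 bob 12400000
2012-03-06 bob 12100000
"""

def parse_log(text):
    """Return {user: [(day, bytes), ...]} preserving log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        day, user, nbytes = line.split()
        per_user[user].append((day, int(nbytes)))
    return per_user

def baseline(values):
    """Mean and sample standard deviation of the observed metric (the baseline)."""
    mean = statistics.fmean(values)
    sd = statistics.stdev(values) if len(values) > 1 else 0.0
    return mean, sd

def find_anomalies(text, window=5, threshold=3.0):
    """Flag (user, day, z-score) where a day's volume exceeds the trailing
    `window`-day baseline by more than `threshold` standard deviations."""
    alerts = []
    for user, rows in parse_log(text).items():
        for i in range(window, len(rows)):
            day, nbytes = rows[i]
            mean, sd = baseline([b for _, b in rows[i - window:i]])
            if sd == 0.0:
                # Perfectly flat baseline: any increase at all is out of pattern.
                z = float("inf") if nbytes > mean else 0.0
            else:
                z = (nbytes - mean) / sd
            if z > threshold:
                alerts.append((user, day, round(z, 1)))
    return alerts
```

Tuning `window` and `threshold` is the "metrics" part of the slide: too short a window makes the baseline noisy, too low a threshold buries analysts in alerts.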

Page 6

Discussion Points

HIPAA/EU Healthcare Privacy (aka Directive)
Insurance Companies & Data Theft Protection
FCPA/UK Bribery Act 2010
Medical Fraud
Employee Monitoring

Page 7

HIPAA & the EU Directive

United States: Federal mandate; health related information; can encompass financial info

European Union: EU mandate (w/ country-specific regulators)

Page 8

Insurance Co’s & Data Theft

More control over data theft claims
Policies becoming more restrictive
Coverage becoming more focused
Moving away from typical coverage as add-on
Immediate action required by insured

Page 9

US FCPA & UK Bribery Act 2010

Foreign Corrupt Practices Act
Revenue generator for Federal Gov’ts
Regulator base and depth growing
“Double Jeopardy” does not apply
Recently expanded to vendors, partners & consultants

Page 10

Medical Fraud

Equipment being sold on Black Market/Gray Market
Purchases made with false information: credit cards, Federal Tax IDs (corporate ID theft), unauthorized personnel
FBI issued report showing 40% of corporate cybercrime is employee driven

Page 11

Employee Monitoring

Key part of Security Analytics
US: Company owned; EU: Data owned
German unions seeing great success
Sony vs. Lockheed
Lockheed Martin, Kaiser Permanente, USPS

Page 12

Employee Monitoring (pt 2)

In the EU, employee monitoring may not be allowed. In some cases, in fact:
Privacy impact
Labor law

Cases where monitoring data and preventing incidents are mandatory, i.e. the Italian 231/01

Page 13

Risk Mitigation Framework (diagram; source: DFLabs & Terremark)

Incident Prevention and Preparation (including forensics and fraud)
Pre-incident preparation
Application security management
Test your tech
Enterprise business security
IT security process management and support, including vulnerability management
Know where your data are
Business risk management, policy, standards, technologies, legal and guidelines
Incident Response and Investigation (including forensics and fraud)
Use the right technology

Page 14

Risk Mitigation Framework: Example in the Medical Device World

FDA: Which medical devices are covered by this guidance?
Medical devices that incorporate off-the-shelf (OTS) software
Medical devices that can be connected to a private intranet or the public Internet
This information also may be useful to network administrators in health care organizations and information technology vendors.

Who is responsible for ensuring the safety and effectiveness of medical devices?
The device manufacturer bears the responsibility for the continued safe and effective performance of their medical device.
The device manufacturer does not bear responsibility for the hospital network.

Source: FDA 2012

Page 15

Risk Mitigation Framework: Example in the Medical Device World

A vendor in the medical devices arena asked DFLabs to perform the following tasks:
Code audit on the device software
Security assessment on the device itself
Security guidelines for the device setup
Contractual technical support vs. hospital relationships

Source: FDA 2012

Page 16

Risk Mitigation Framework: Example in the Hospital World

Prominent hospital has a MAJOR/gross data breach
Post-event security analysis identified:
Lack of controls
Too much & contradicting information
Employee monitoring would have identified threat risk prior to event

Set it & forget security is DEAD. Diligence is KEY to success.

Page 17

Questions?

Robert Fitzgerald, The Lorenzi Group
+1-866-632-9880 www.thelorenzigroup.com [email protected]

Dario Forte, DF Labs
+39-0373-83196 www.dflabs.com [email protected]