How to Guard Healthcare Information with Device Control and Data Encryption
August 07, 2012
The need to protect digitized health information is a top priority in the healthcare industry. HIPAA and the HITECH Act put pressure on your organization to maintain the privacy and security of patient data, with the potential legal liability for non-compliance. So how does your healthcare organization meet or exceed industry best practices in guarding healthcare information?
Eric: Hello, everyone, and welcome to this Lumension webcast, "How to Guard Healthcare Information with Device Control and Data Encryption." My name is Eric Ogren, and along with Chris Merritt from Lumension, we'll be the co-presenters for today's event. The need to protect digitized health information is a top priority in the healthcare industry. HIPAA and the HITECH Act put pressure on the organization to maintain the privacy and security of patient data with a potential legal liability for noncompliance. So how does your healthcare organization meet or exceed industry best practices regarding healthcare information? These are the topics that Chris and I will be covering today over the next 50 minutes. We appreciate your time and attention. And actually we're looking forward to a good interactive session.
In today's webcast, we will discuss practical recommendations for improving security, including what PHI breaches are currently documented by the U.S. Department of Health and Human Resources, HHS, and why these breaches are occurring, how a healthcare organization can mitigate costs with encryption technologies, and what to look for in device control and full disk encryption solutions. So our objectives as we get to today's session are to understand better the seriousness of HIPAA security trends, including the impact of cryptography and the disclosure regulations and trends. We'll also want to be sure we cover top recommendations, especially with Lumension products, that help you prepare for HIPAA and protect your customers' data in the best manner possible.
And to do this we have, well, Chris is an expert and I'm here as well. I am Eric Ogren and I'm the principal analyst of The Ogren Group. I have been in enterprise security for better than 15 years directing products at RSA Security, executive marketing positions with OKENA on the hosting solution prevention side, and then a bunch of other, you know, pretty cool things. Chris Merritt is the solution marketing director at Lumension. And as we go through this, you'll hear that Chris really understands this stuff. And, you know, his experience really can help us out a lot. So I welcome you to this.
A couple housekeeping notes, if I may. Chris and I actually prefer a very interactive session. So if you have questions for either Chris or I, please submit them via the question box at the top of the screen. We'll try to answer as many as we can, even as we go along. And to start that, you know, I'd like Chris to be able to push a poll and ask you a question and get started and just get a sense of how interactive we can make this. So Chris, please, it's all yours.
Chris: Great. Thanks, Eric. So I'd like to push the first poll. The first question is how many data breaches have you experienced in the past year? And we've got 5 choices here ranging from none to 10. So we'll let this run while we begin our presentation. And we'll look at the results in a couple of minutes. So I want to start by talking about the current challenges in the healthcare industry. I'm sure you're all aware that we're seeing a lot of data breaches. I pulled a few headlines from just the last couple of weeks, not to name and shame, but just to point out that we're still seeing a lot of data breaches occurring. We're seeing laptops being stolen from the office. We're seeing desktops or laptops being stolen from homes or cars. We're seeing thumb drives being lost or stolen. And that's just a portion of what all we're seeing out there. So why are these breaches occurring? And what can we do about them? And that's kinda what we want to focus in on this presentation today.
The number of breaches we're seeing has been the subject of many surveys. And we'll see what our audience says here in a second, Eric, but recently, Kroll conducted a survey of healthcare organizations across the U.S., and they found that 27% of all respondents had some sort of security breach in the past year. And this survey came out in April 2012. And that represents a jump up from 19% in 2010 and 13% in 2008. They do this survey every two years. And what's more distressing, perhaps, is the fact that of those who reported a breach, 69%, well over two-thirds, experienced more than 1 breach. If we look at the HHS breach database, I looked at it back in the end of June, I took a snapshot of the database, and I found that there were 435 incidents involving about 20.6 million records. The median impact was a little over 2,000 records per breach. Interestingly, four states had no impact from breached data records, but two had very large impacts on a per capita basis. Now, what's not shown in the HHS database are breaches that impacted less than 500 records. They're not required to report those by law. However, at a recent conference in June, the OCR reported that 57,000 incidents occurred where less than 500 records were breached. So we're seeing that there's a tremendous under-reporting of data breaches out there.
So one of the things that I did when I looked at this data was to look at the difference between covered entities and business associates. And I discovered that while only 22% of the incidents reported in the HHS database were related to BAs, they had an outsized impact on the number of records that had been breached. And, in fact, they had something like 60% of the records impacted. Now, you know, the devil is in the details whenever you look at data like this, right? And if we remove the single largest data breach, which occurred about a year ago down in San Antonio, was attributed to a BA based in Virginia, if we remove that 4.9 million records, we still see that, you know, 95 incidents, about 22% of the breaches were due to BAs. And that impacted about 7.2 million records, so about 50%. So we still see that BAs have an outsized impact. Now, the other thing I looked at, and I looked at a lot of things at this data, and I actually have a blog post up on this on...do you see the blog post headline there, "By the Numbers: US Healthcare Data." You can find that at blog.lumension.com. I discovered that about 70% of the incidents and about 86% of the records could have been mitigated if encryption had been used.
So that's, you know, of course, a huge number. The question is what does this really mean to the organization? If we take the Ponemon numbers of what a data breach costs is and we...you know, they report different numbers. The latest number from I think it's April was $240 per record, but that includes customer churn and things like this. So let's use the hard numbers, so the hard costs, to cover things like forensics, doing the mop-up, providing credit reporting services, providing PR, you know, all of these sorts of hard costs that an organization runs into, that comes to about $73 a record. And if we look at the number of incidents that could have been reduced or eliminated if we had had encryption in place, we're talking about $1.5 billion in the last couple of years. So that's a pretty significant number. So before I move on, let's look at the vote. I am going to stop the results. And hopefully everybody can see this. Wow. We have a great audience here. Eric, can you see these results?
Eric: I cannot, Chris, actually, funny enough. Let me use my moderator powers here. Oh, wow.
Chris: Oh, good.
Eric: Nobody's been breached, is that what you are seeing?
Chris: Yeah, 67% have not been breached. And 33% have seen 1 to 2 breaches. So that's pretty impressive and well done, guys, out there in the audience.
Eric: Yeah, or a lot of you are in for a surprise.
Chris: Well, we hope not. And we hope that we're gonna help prevent some of that. Okay. So let's move on and look at what these breaches mean. What we know is that the OCR is...and that's the Office of Civil Rights for folks who don't know this. And they're the ones who have been handed the responsibility of conducting audits and enforcing most of the HIPAA, HITECH security and privacy rules. They announced back in October last year that they were going to start a program of audits. And they had a plan of about 20 audits as kind of the preliminary phase. And then they were going to issue a report, and then conduct the remaining 95 audits through the end of 2012. They issued a report in this June conference that I mentioned earlier. I have the link to the PDF there. If you want that report and you can't get it off of this slide deck, drop me an email, and I'll send it to you.
What's interesting about this is that they found a great number of issues ranging across a wide variety of areas. And these included the lack of a risk analysis, the ability to respond to incidents, contingency planning, authentication, physical access and, of course, encryption. So there's a lot of issues that they found in conducting these audits. So their recommendations based on these reviews are to make sure that every covered entity has conducted a robust review and assessment of their security systems and that they determine what lines of businesses are affected by HIPAA so that they make sure that they've got everything covered. One of the interesting things about HITECH, of course, is that it enforces the HIPAA security rules on BAs, and covered entities are responsible for making sure that they're meeting those requirements. The next recommendation is to make sure that you map the PHI, the protected health information, flow across your organization, as well as flows to and from these third-party organizations. And then, of course, you know, you have to find all your PHI. And then finally, their recommendation, of course, is to look at the guidance that's available on the OCR website. And I've spent a little bit of time on that site and there's a tremendous amount of information available. So, you know, it's a good source of information to start your program with.
So looking at the specifics of the security audits, we see that they found about 43% of the incidents impacted the administrative safeguards. Only about 17% impacted physical safeguards. And another 41% impacted technical safeguards. So, you know, here again, the audits are being conducted. They're very comprehensive. They're looking at all aspects of the security and privacy rules. And they really are being used to start to enforce these rules. And, of course, as we know, one of the big things about HITECH is that it really gave teeth to HIPAA, to the requirements of HIPAA. And there's some anecdotal stories out there about, you know, the HIPAA fines were somewhere in the $25,000 range, and some organizations took a rather lackadaisical view to that. Now, the fines can range up to $1.5 million, and it includes personal liability, if there's willful negligence. So we'll look at that in a second.
So here's some of the headlines of some of the enforcement that OCR has meted out here in the last couple of months. We see this is basically the accounting for the last about 12 months when OCR started fining organizations. And, again, not to name and blame, but just to point out that there's some significant areas that OCR are starting to enforce. And we see the fines. If we look at the fines that are listed here, I think I totaled up about $9.25 million total fines so far in this enforcement period, but we also see the criminal conviction. We see one headline here from, well, about a year and a half ago, two years ago, where someone was put in jail for two years. Looking at other criminal convictions, they range from probation to jail time. So these, you know, of course, are things that we want to avoid. And then finally, you know, and this is impossible to keep track of, but there's many lawsuits that are being discussed out there.
So the last thing that I kinda want to cover in this section is the impact of meaningful use on the protection of protected health information. As you know, stage 1, meaningful use stage 1, has been effective since February of this year. The OCR via the healthit.gov site has issued guidance as to what organizations need to do to meet the stage 1 requirements. And as you know, that the government has been using a carrot and stick approach to getting meaningful use in place. And there's substantial monetary or monies available to organizations who do start using the EHRs, but these also have impact on the organization. So, you know, they get the incentives, right, but they have to spend, put the effort into making the EHRs useable and used. There are some core objectives within this guidance from the OCR. And I've listed one of them here.
The one that's kinda most interesting to me, at least, is to protect this data through the implementation of, you know, appropriate technical capabilities. So what we'll look at next is what those might include, but before we go there, stage 2 was recently pushed from 2013 to 2014. And the current thinking is that encryption and auditable events are gonna be two key components of certification with regards to security requirements. So, you know, we're in the midst of trying to get stage 1 meaningful use in place. We're looking at stage 2 requirements coming in force in about a year and a half. And there's, of course, no rest for the wicked, so stage 3 recommendations are going to be published or are currently expected to be published in May of next year. I think the final comment period just closed like last week. It might be this week or next, I'm not very certain on that. So that's kinda where the state of things with HIPAA and HITECH are.
What I'd like to do now is go ahead and push our second poll. And we're asking, "How many business associates do you work with, and how good is their data security?" And we have answers that range from none or I have no idea, perfectly acceptable, to, you know, a few that we know they don't have so good security or few that have good security and, again, many that have not so good security and many that have good security. So while we're letting that run, Eric, any thoughts on how this meaningful use and the protection of EHRs impacts IT security?
Eric: Yes, coincidentally enough. And let me just advance to the next slide. Actually this was great, Chris. I think one of the takeaways I had from your talk there was just what kind of piece are in HIPAA right now and how fast the regulations are moving, that they've really been pretty aggressive about securing electronic health records. And it wasn't that long ago where, you know, health organizations were almost kinda ignoring HIPAA because there was no fines, there was no really enforcement capabilities, but that has certainly changed. And, you know, some of these kind of fines I see and actions can really not only be detrimental to people's careers, but from a business standpoint, it has a huge impact on the ability to do business in certain states and certain organizations. So it's a big deal square there. So let me…
Chris: Yeah. You know, and talking about that, you sent me an article on I think it was Monday about the organization of a business associate in Minnesota. And for folks out there in our audience who don't know about this case, an organization in Minnesota was sued under the HITECH Act by the state AG. The results are in, as they say. And the organization was fined $2.5 million, so a significant fine. They were barred from doing business in the state of Minnesota for two years, if I recall correctly, and the estimate was that that was about $40 to $50 million in lost revenue. Is that right, Eric?
Eric: Yep. It's just huge, a huge [inaudible 00:22:11].
Chris: Yeah. And then if they want to come back and do business in the state, they have to do so under the "guidance" of the state AG. So, you know, you were talking about the impact on IT and, you know, on the organizations and on people's careers. I mean, can you imagine doing business and having the state AG and his associates in your back pocket every day for four years? That will be a drag.
Eric: The government is here to help us. Yep, you gotta like it.
Chris: Right. Before we move on, let's look at the results of our second poll. So what I see here is that 10% of folks said none or no idea, 20% said a few, but with not so good security, 60% said a few with good security, and 18% said many with not so good security. So I'm gonna stop the voting there. And so, you know, the interesting thing, the 60%, a few with good security. So that's very interesting that that's the biggest number there, huh?
Eric: Yeah. Yikes. Well, actually, let's just move on and spend the next few minutes looking at some of the IT security challenges in healthcare. And, you know, my objective over these next minutes is actually to challenge you a bit and give you a chance to think of the right approaches and different things you can do. I mean, I wish there were canned answers, but, you know, really honestly, we're in such early days that, you know, there are not a lot of best practices in some of the things we want to do. When we're talking about… We'll skip this slide here, but we'll come back to it.
So one of the things I find is that, you know, technology is moving faster than compliance regulations can keep up. You know, this is something I did yesterday. And, you know, honestly, I did it a couple months ago for the first time, I just wanted to be sure it's still true is, you know, I just did a Google search on HIPAA compliance virtualization, and there's no hhs.gov sources on the first two pages. You know, I got a lot of vendor stuff.
Now, we are not covering virtualization today, but this does speak to the relationships with BAs in terms of this diagram, which you see on the left would really be virtual machines. On the left side here, even though the text doesn't come up for you, and my apologies for that, but the left side is the virtual data center. And we have VMs on service in a DMZ. On the right side of this, there's the VMs. And this virtual data center is web, PCI, and HIPAA. And they all have different concerns in terms of how data can be mixed and matched, how virtual machines can share resources and be co-resident with other ones. And the way we get to the cloud has huge implications in terms of how we work with BAs and how BAs work with their clients because we are now dealing with different infrastructures and different shared resources. And being able to report and communicate across those boundaries is going to be a real challenge for all of us. And it really does kind of boil down to endpoint defenses, defense in depth, and visibility or intelligence.
So the reason for this slide is, you know, I share your pain, I feel your pain in many cases because most of us are looking at how to better use cloud resources with BAs, how to do...you know, we talked about bringing your own devices and we see that in healthcare frequently with practitioners walking around with tablets and phones, and they want to be able to access health information, you know, right there, have it right there at their fingertips. It creates huge security concerns because that data now has to be available, but it also has the ePHI pass to be secured.
And as we even get into designer attacks, some of the old ways we have looked at doing things from a security standpoint really aren't quite the best anymore. They're still good, they still have their needs, but we'll talk a little bit more about that, but that it has caused a...it's actually an interesting shift in security I could say. You know, when I started in security in '93, you know, access control for dial-up was huge. And, you know, so authentication and all of that stuff was the foundation for a good security structure, but now with mobility and people coming, you know, with PCs instead of going to homes and people started being more mobile, a lot of the emphasis shifted to anti-malware, you know, to be able to prevent attacks. Now, we know that that type of approach is completely overwhelmed. And a lot of the strength of disclosure regulations in HIPAA is focusing on the data and the cryptography. So security actually, you know, has been innovative and has been moving. We also…
Chris: Eric, we have just a practical note for our audience. If you still see the question page, you should on that question page in the upper right see a close button. If you close that, you'll be taken back to the slide deck. So I hope that helps everyone.
Eric: Awesome. Thanks, Chris. Yeah, one last thought on this is to, you know, pay careful attention. Chris gave you some great resources. HIPAA compliance has the concept of addressable, adjustable controls. And that is something you're going to need to be familiar with how to use it and its limitations as you move your program forward. What it basically says is that there are newer security technologies or newer technologies that you find a new way of securing a business capability that's not in the specifications, you may document that saying this is how you meet the requirements as specified by, you know, the HIPAA compliance regs, and this is why you think you're meeting those. And that's fine. And you will need to do that with mobility, with virtualization, and some of the future technologies that are coming up, you know, hard and fast.
But also understand that when it comes to data, and Chris will talk about this I'm sure when we get into...we already mentioned [inaudible 00:29:09] encryption and device control, addressable controls don't give you an out from the disclosure regulations. So the word of advice there is addressable is a key concept you will need to know to be HIPAA-compliant and move security forward in lockstep with that. And your employees and business leaders will be totally on board with that, but just understand from the disclosure regulations that, you know, cryptography is king. And that's actually doubly enough to be the foundation for a lot of security practices. But there are a few things that we've bandied about that are still hugely important for us. In this case, defense in depth. And I put this slide in there to give you something to think about because historically, traditionally, you know, we thought of defense in depth as stacking some of the same types of layers.
So we would stack, you know, AV and IDS and attack scanning technologies thinking that if one doesn't get it, the other will. What we're finding now though, at least what I find in my research from The Ogren Group is there's no one approach that solves all the problems, and that the best defense in depth is to blend different approaches. And that is the recommendation here. So there's a couple key things we see here. Vulnerability management remains key and important and really under-appreciated. And I include hacking as a big piece of that. So every piece of malware event that I look at always tends to come back to a known vulnerability that has been out there for six months to a year or longer that simply just has not been patched. And the patch has been available, it just hasn't been applied. So the number one place to start is to just be fanatical about patching. You know, I understand with servers, you might have to talk about virtual patching or other types of capabilities, but really, I don't know that you could patch enough. I really don't. Everything comes…every attack, every data loss from an intruder tends to come from a known vulnerability that that patch is available for and just hasn't been applied. And that speaks to our ability to actually manage our infrastructure a little bit better.
Attack scanning on the lower right is pretty self-explanatory. You know, everybody needs antivirus and I certainly would not recommend changing that. It's just an appreciation that it's so overwhelmed by itself that it can't solve all of the problems for us. And one particular thing I wanted to call out here, which is in terms of designer attacks, attacks that are designed specifically towards your health organization or to take patient data actually uses the strength of AV research against it.
We saw this with some of the recent attacks where they know if there's only a limited number of samples detected, that the researchers will not spend time creating an antidote for that attack and an attack signature. So AV may see it, but the researchers are going to pass it by because it just doesn't look like it's prevalent in the world. And, of course, it's not because it's only hidden in your organization. So the signature anti-malware, people, will never ever be able to really test that for you. You need to be able to complement that. One way to do that is the positive model of configuration and device control, you know, intelligent whitelisting where you have the ability to say, "This is what I really want my endpoint or my server configuration to look like and I want to be able to be notified whenever that changes from and drifts out of a noncompliance state." That's hugely positive. If a designer attack comes, that technology will actually say, "Wait a minute. Something's happened on this machine that's not authorized." It can either be blocked or alerted so you can track it down and make sure an attack doesn't linger in your network forever.
Data protection, we'll talk about cryptography. The one on the right I think gives us a lot of potential insecurities. It's reputation behavior. Now I am a behavior bigot. I totally admit that, but what it means is the technology exists now to be able to say, "This file looks suspicious. This server or this endpoint is starting to talk to links that, you know, don't look like they're the ones we want to talk to." They may be doing different geographies or they're using the protocols that aren't normal. It does require skilled security resources to investigate, but that is the only chance against new threats. And it's the only way to catch attacks that, you know, have already penetrated your network, and that's to be able to look at behavior that's abnormal.
So I would say in terms of your researching for new technologies, be sure to look at reputation services, you know, for files because, after all, you will be sharing, you know, confidential data between your BAs and payment processors and healthcare practitioners and providers. So being able to detect files that are, you know, being correlated with attacks or appearing in places they shouldn't appear is going to be hugely important for you. And then that investigation may actually find something and ward off a disclosure event that could be crippling to your business.
And the way to do that is in the middle it's just part of everything. This is one of the key tricks is to automate and actually try to audit some reporting mechanism for compliance to a very active inspection capability. This is where the visibility of your business is going to pop up is just security's ability to look everywhere, ensure security software is running where it needs to be, but also be able to catch the reputations and catch events that are questionable and investigate them.
Okay, I guess I have a slide out of order here, but we can do this cartoon. I hope you can read the cartoon. It's actually a few years old but, you know, I love it. This is meant to speak to, I'm fumbling through my old copies here, so hang on with me there, to the role of security from a process standpoint. And we're security professionals, and I believe most of the people attending this session are security professionals, and we feel and we live and breathe security every day. And to us, it's just intuitive some of the security mechanisms and, you know, that we enforce and say, "Well, no. This is the way that it needs to be to secure the network." And that is our value to the business. That's why they hire us. It's often why they value us, but it's also put as you go through the builder thing here is the business has different types of concerns.
So when we stop and say, "Oops, a security event," and start sounding alarms and shutting things down, you know, your business managers will go, "Gaaa!" You know, they will respond like, "Why can't I do my job? Why is security getting in my way? What have I done wrong?" And, you know, they just won't always quite get it. So security for security's sake, I mean, it can happen. And it can happen with certain types of data and certain types of businesses, but in general, I think security, we really have to work with the business teams to make sure security dovetails with the way people do their jobs. And it also kind of speaks to the need to train and communicate security needs across the business.
So the last balloon here of, "Then how would you learn?" I think is pretty cool. And, you know, having to learn by giving them wedgies and stirring them up and, you know, slapping wrists is, you know, that's not fun. It's much more challenging and interesting to get the business teams involved early. And they want to be involved early. They're responsible for it. They understand the need for security, but help them avoid those traps. And we can definitely do that. And so a lot of our job now is going to be coaching and training and teaching and understanding there are going to be blips. You know, people will do things. They will have software installed that, you know, you need to go back and say, "That's not compliant," or you will see electronic PHI on devices that shouldn't be there any longer that needs to be cleaned up. Help them figure out why that needs to be cleaned up, where they can get it if they need it again, and automate the process to drive the cost out of this so it can be done effectively and productively. There we go.
So at the end, you know, the team approaches win. They really do. Like I said, there are very, very few industries and very few in healthcare actually where security can be autonomous and just, you know, implement their rules, you know. So my advice to you is involve the business early and continually. So, you know, once a quarter's not enough. It just has to be, you know, a constant, continual process. If you're looking for addressable approaches because the business wants to move forward and there may not be guidance in the HIPAA regulations for BYOD or cloud, but you know from a security standpoint are the principles of the HIPAA regulations of protecting the data, of protecting the configurations, of being able to close vulnerabilities, so work with your business leaders to say, "Here's how we can use the cloud more," or if you're a BA and you're talking back to your clients, "Here's how you can protect your data and isolate it," you know, more than…and you know, perhaps they can even do it in their own, but really show that. And document everything. So it's document addressable approaches, review results, review decisions, and communicate those back, you know. And that's how you start training IT staff and users on HIPAA and its disclosure regulations.
Two other things in the slides I was trying to see is on the ongoing communications is, you know, learn, learn, learn. You'll be doing this again because there will be new technologies coming out, the regulations will shift. This is an ongoing process. It's not going to be a, "Here's the best practices and implement it." This is something that will be evolving, you know, day after day, you know, from here on out. And from a technology standpoint, you know, I mean, I am a big fan of auditing everything. And, you know, it's not just because I was working at an, you know, auditing company, but it's you don't know what you are going to need in the future or what you're going to need to support an investigation or make business decisions. So as much as possible, audit everything that's going on with your business, both inbound and outbound. So with that, I appreciate that. I'm going to turn it back to you, Chris. We've got about 15 minutes to go. And, you know, I'm sure people want to hear about the recommendations of what you can do now and how Lumension helps get them there.
Chris: Yeah. Thanks, Eric. Before we go into that, I'm gonna ask our last poll question. You should see this up on your screens now. So where are you with your risk assessment process? So they're a very critical part of the HIPAA, HITECH guidance, and something that Eric was just talking about is conducting a risk assessment. So the answers are I haven't started it yet, it's in progress, mostly complete, complete with some issues discovered that we're gonna have to fix, or complete and no corrective actions needed. So I'm hoping our audience is in E, that would be great, but in the meantime we'll get ready to move into the next slide.
As we're waiting for some results to come in, you know, your last point, Eric, is very interesting. We did a webinar, I don't know, about a year and a half, two years ago, with a healthcare organization down in Atlanta. And, you know, you were talking about processes and, you know, establishing policies and continuous audit. You were talking about training your people and the involvement of various stakeholders within the organization. And in this webinar, George Ward gave a really good rundown of how he went about implementing a device control and encryption process in his organization to ensure that no data breaches were going to occur via USB flash drives or CDs or other removable media or storage devices.
And, you know, he talked about having started very early, getting the stakeholders together, getting them on board with the reasons why they were going down this route that had been discovered because of an audit finding, deficiency finding, and how they continuously communicated with the entire organization as they started to roll out device control. So it's something that, you know, as technologists we tend to overlook a little bit, the people side of the equation, but as you kinda walk through it is that there's the technology, there's the process, and there's the people, and in this webinar, which you can find on our website, George really does a good job of walking people through that people side of things.
Eric: Yeah. That's an excellent point. I didn't cover some data I had about surveys, concerns about cloud computing, which is slightly different, but yeah. And at first glance, it's concerns about security dominates the feedback from the survey. You know, everyone's concerned about security and access to information and etc., but what was also telling was that when asked, you know, are employees receptive and business leaders who sat there, you know, the answer was they're highly receptive about cloud computing. And, you know, so the ability and the opportunity to work with the businesses and the employees, as you say Chris, and from the Atlanta customer was just huge, and it will pay big, big dividends.
Chris: Yep. Well, let's stop the voting here and look at the results of what we asked about the risk assessment. We have 33% of folks who have not started yet. So that's very interesting. Forty-two percent of folks are in progress. And then we have an even split between people who are mostly complete, complete with some actions needed, and complete with no corrective actions needed. So it looks like there's a tremendous need out there to get started with your risk assessment. So that's very interesting. Is that something you've seen out there, Eric?
Eric: Definitely. In fact, most of the time, I see assessment as an ongoing practice, you know. So I would say those that have completed it, if they've completed one, they've probably already started the next.
Chris: Yeah. And it's probably better to do them in-house before the OCR knocks on your door, right?
Chris: So when Eric and I started talking about this webinar, we were really focused on the encryption thing. So, you know, the headline was, "How to Guard Healthcare Information with Device Control and Data Encryption." And as we talked a little more, you saw in our agenda that we were gonna come up with three recommendations. And after listening to Eric talk and looking at his slides, I'm sorry, but I've expanded it a little bit more. We're gonna look at five areas that we recommend that folks look at in trying to protect their ePHI.
Now, before I get into some of the specific technologies out there, I want to talk just a little bit about the structure of our products and our Lumension Endpoint Management and Security Suite. And this is a suite of modules, products that address a lot of the areas that Eric talked about in that slide about defense in depth. So we see on the operations side, on the left side, we see the patching and vulnerability management. We see the configuration management. And we see some other things in there that help with the endpoint operations and really establish that foundation of security. Eric mentioned that a lot of vulnerabilities are exploited. Known vulnerabilities with patches are exploited for data breaches. The estimates are from Gartner that about 60% of all breaches occur because of a misconfigured endpoint or server or what have you, so 60% due to configuration problems. A further 35% are caused by known vulnerabilities that have patches for them. So think about that. From an operational standpoint, you can close down 95% of your attack surface just by having patch remediation and configuration management on your endpoints.
On the right side, we see the security modules. And we, of course, have the antivirus. We have an application control. So Eric talked about whitelisting. And we have kind of the headline items for today's talk, the device control and disk encryption. All of these sit on our platform, which provides an organization with a single server, single console scalable architecture that allows them to provide visibility across their entire organization and to install a single modular agent on the endpoint so that you reduce the agent load on those endpoints to reduce the impact on productivity and so on and so forth. And, of course, there's reporting services for both the audit issues and for the forensics that, you know, the ingress/egress that Eric was talking about. So all of this really reduces the technological complexity and integration costs that you have in trying to protect endpoints.
Now, I'm gonna go through a couple of these technologies to address some of the issues that we've talked about here today. So I want to start with the patch and remediation module. As I mentioned, about 35% of all breaches occur because of known vulnerabilities with patches that are available. The difficulty is that we tend to think of our IT environment as a Microsoft world, but it really isn't that way anymore. And, in fact, recent studies show that only 20%, 21% of vulnerabilities on an endpoint are related to Microsoft. So that includes the OS and the native applications, so Excel and Word and things like that, right? About 79%, 80% of all vulnerabilities on an endpoint come from third-party applications, things like that Adobe, Firefox, RealNetworks, Java, and especially Java recently, Apple, in fact, now up and coming.
So it's important that we have a tool in place that addresses not only the heterogeneous nature of our environment, so the various platforms we have, but also addresses all of these third-party applications. And in a good world, you'd centralize the management of all of these things. I mean, obviously, you know, Adobe has an updater. Mozilla has an updater, but from an organizational point of view, just because somebody has the ability to update and reduce the vulnerabilities on their endpoint doesn't mean they're actually doing it. So having that centralized visibility into what the status of the endpoint is and how current they are with patches is very important. And, in fact, most organizations are progressing down the path where they have very specific KPIs or metrics around the number of known vulnerabilities that remain open after a certain period of time.
Now, that varies by organization. Some organizations want to do it as quickly as possible, others take a more measured approach, you know, take a week to assess the patches, make sure that it doesn't interfere with anything, take a week to do a soft rollout to some test boxes, make sure everything's copacetic, and then the final week is, you know, mass rollout and make sure that you've got everything covered. Now, of course, you're not gonna cover everything. There are boxes that you may not want to touch, say, for instance, high-value, but very locked down servers or things like this, or even training boxes that are sitting in your training rooms that you only turn on every three, four months, but you at least need to know those boxes are there. And you need to know what the status of them is and that you're, you know, kinda ignoring them on purpose and that you have a plan to remediate. This is important both for your own sanity, but also if you get audited or, you know, you do your internal audits, you want to be able to understand why it is that the boxes are in what condition.
Now, in conjunction with that, we have the configuration, the security configuration management module, again, 60%, so a vast majority of malware intrusions, of data breaches, caused by misconfigured boxes. So you want to make sure that these boxes are configured properly. So you'll want to be able to provide the security configuration baselines for, you know, the work stations, desktops, laptops, things like that, servers, and any other laptops that are mobile that you are responsible for. And you want to be able to do that from a single point of control. You'll want to have a continuous and proactive assessment of these boxes to prevent that configuration drift that Eric was talking about and to make sure that everyone stays in compliance with policy. And in addition, you'd probably want to be able to implement out-of-the-box regulatory and industry standard configuration templates so that you make sure that everything's up to snuff. So these are very important parts of establishing that baseline of security within your organization.
Now, moving on, we talked a lot about device control. And this is an area where, you know, we've seen a pretty big blind spot in a lot of different industries. So we do all the right stuff on the laptops and the desktops and the servers. We have the GPOs in place. And we have people who can break GPOs. So maybe we get a third-party security configuration product that makes sure that people can't break them, but we have ports that are open. And we know that there are a lot of high visibility incidents lately where various ports were used to do nefarious things. And, of course, as I pointed out earlier in the presentation, a lot of USB sticks are used to transport data back and forth to home or, you know, being used to do backups, things like this, so we need to make sure that we've got an eye on that blind spot, those ports, and the devices that get stuck into those ports, not only the USB sticks, but also CDs, DVDs that data can be burned onto, and even external hard drives that are used for backup or, you know, disaster recovery or what have you. A recent study…
Chris: Yeah? Mm-hmm.
Eric: Yeah. This is Eric. Well, we just have about three minutes left. And I don't know if we'll have time for questions at the end, but the hour's coming up close. So let's [inaudible 00:54:51].
Chris: Okay. Very good. Thank you. Let me just finish real quickly on the device control, and we'll get to the next. So the thing that you want to think about when you're implementing a device control policy is that you have the centralized visibility into what devices are being used, by whom, when, and why, and that you have the ability to track the data that are being taken on or off of your network via these removable devices and that in the case something happens that those devices are encrypted, that you can prove that they're encrypted. So these are some key points about having a device control policy in place.
And finally, we'll look at full disk encryption. And it's an interesting area; the technology's been out for well over a decade. Various surveys suggest that it's not fully implemented in many organizations. It's somewhat daunting sometimes. The full disk encryption that Lumension provides has been around for a decade. It provides a single sign-on via Windows to enforce a secure pre-boot authentication. The interesting thing here, a recent study has shown that full disk encryption benefits exceed the implementation costs by a factor ranging from 4 to 20 times. And this is Ponemon research that was done first quarter of this year, so a tremendously valuable thing. And if you can do it in a transparent manner, then you've really increased the security of your organization with very little impact on the productivity. So very quickly, kinda we talked about defense in depth, so some of the issues that Eric talked about, the technologies that Lumension provides.
The last thing I want to touch on very quickly is in addition to the LEMSS, the Lumension Endpoint Management and Security Suite solution that we have, we also have a risk management tool that many folks out there, you know, the 75% of folks who have not yet started their risk assessment, might find very useful. I don't have a lot of time, but I just wanted to talk briefly about this because it can save organizations a lot of time. You know, we've been focused on HITECH, but most organizations in the healthcare industry really have a lot more regulations that they have to pay attention to. If they're public, they have to pay attention to SOX and GLBA. Most organizations have some sort of PCI requirement on them. You might have international requirements. You definitely have state and local data breach regulations. So the increasing regulations are very important, but the methods by which we assess that are still stuck kind of in the Stone Age. We're putting things in a spreadsheet and we have various silos looking at data and it never comes together.
So Lumension Risk Manager provides a menu-driven, framework-based assessment. And it supports these HITECH regulations and a lot of these other regulations to provide harmonized controls across all of these regulations and can be...you know, it's a centralized repository. It gives you real-time dashboards to tell you what is going on within the entirety of the organization. And, you know, we talked about business associates earlier. You can use this to keep tabs on what your business associates are doing. So I'm gonna leave it at that. Eric, I'm gonna move on to the last slide here in the last couple of minutes we have left. I just wanted to let folks know that we do have several tools out there on our website that are free and available for you to use. One of the more useful ones, perhaps, is the Device Scanner to discover all the removable devices that have been connected to your endpoints so that you can start to get a handle, you know, get that visibility into what's really going on in your organization. If you want to test out the Lumension Data Protection Solution, which includes some of the things we've talked about today, you can go onto our website and download a free trial. We also have a lot of healthcare-related resources on our website, so please feel free to go access some of those. We've talked about some of the webinars we've done with practitioners in the field. We've got some healthcare-specific white papers here for folks to read. So Eric, with that, we're a little over one hour. I think we're gonna have to cut it off there.
Eric: Look, it's a shame because actually, Chris, the data you have and the way you presented it is actually really cool and it's been fab, so I thank you so much for your participation in today's event. Audience, we're running out of time, but please remember there will be a recording of this webcast that will be available online via the Lumension website very shortly, and it's something you can share with your friends at www.lumension.com. For more information on Lumension or any of Lumension's solutions, you know, please contact us. You can go to lumension.com. Visit the blog and there's a lot of good information there as well, at blog.lumension.com, or give us a call, 888-725-7828, or email at [email protected]. Thank you so much for attending. I hope you got a lot out of this session. This now concludes our webcast. Have a good day.