Learn about the four key HIPAA technical requirements and some of the tools that can help secure the cloud so that your org achieve HIPAA compliance.

1. STORYBOAR

2. STORYBOAR
8%
of healthcare orgs
had cloud apps
deployed in 2014
37%
of healthcare orgs
had cloud apps
deployed in 2015
cloud
adoption is
rising fast
Bitglass Cloud Adoption Report

3. STORYBOAR
the traditional
approach to
security is
inadequate

4. STORYBOAR
native security features can’t be relied upon:
the data blind spot
components
usage/consumption
data
application
services
servers & storage
network
layer
data
application
infrastructure
owner
enterprise

5. STORYBOAR
security must
evolve to
protect data
outside the
firewall
cloud:
attack on SaaS
vendor risks
sensitive data
access:
uncontrolled
access from
any device
network:
data breach -
exfiltration &
Shadow IT
mobile:
lost device with
sensitive data
5

6. STORYBOAR
HIPAA technical safeguards for cloud
■ access control
○ granular context-based controls over access
to both managed and unmanaged devices
○ secure identity/authentication
■ transmission security
○ end-to-end encryption
■ audit and visibility

7. STORYBOAR
access controls
the new data reality requires a new security architecture
■ cross-device, cross-platform agentless
data protection
■ granular DLP for data at rest and in
motion
■ contextual access control

8. STORYBOAR
controlling access from unmanaged mobile devices
■ secure mobile devices without invasive
profiles or certificates; support multiple
affiliations
■ protect data in “unwrappable” native apps
like mail, contacts, calendar
■ selectively wipe corporate data
■ enforce device security policies
■ full data control and visibility for IT

9. STORYBOAR
identity
centralized identity management is key to securing data
■ cloud app identity management should
maintain the best practices of on-prem
identity
■ SSO enables cross-app visibility into
suspicious access activity
■ contextual multi-factor authentication
mitigates risk

10. STORYBOAR
transmission security
end-to-end protection
■ cloud data doesn’t exist only “in the cloud”
■ a complete solution must provide visibility and
control over data in the cloud
■ solution must also protect data on end-user
devices
■ leverage contextual access controls

11. STORYBOAR
audit and visibility
■ detailed logging for compliance and
audit.
■ identify PHI data at rest and external
sharing
■ easily modify sharing permissions and
quarantine files for review
■ detect and be alerted instantly of
suspicious behavior

12. STORYBOAR
data integrity
■ secure the data in the cloud - where you
have versioning and control over
permissions
■ apply granular DLP to sensitive data with
spectrum of actions from watermarking to
encryption.

13. STORYBOAR
CASB: a
better
approach to
cloud security
identity
discovery
data-centric
security
mobile

14. STORYBOAR
secure
office 365
+ byod
challenge
■ Inadequate native O365 security
■ Controlled access from managed & unmanaged
devices
■ Limit external sharing
■ Interoperable with existing infrastructure, e.g.
Bluecoat, ADFS
solution
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed &
unmanaged devices (Omni)
■ API control in the cloud
■ Discover data breach & Shadow IT
fortune 50
healthcare
provider

15. STORYBOAR
HIPAA
compliant
mobility
challenge:
■ Existing solution, AT&T Toggle, was obsolete
■ HIPAA-compliant BYOD
■ Migration path to Office 365
solution:
■ Agentless deployment
■ Usability, transparency & privacy
■ DLP of PII, PCI & PHI
■ Selective wipe; device PIN & encryption
■ Improved mobility for care providers
major
US hospital
system

16. STORYBOAR
our
mission
total
data
protection est. jan
2013
100+
customers
tier 1
VCs

17. resources:
more info about cloud security
■ Report: 2016 healthcare breaches
■ Whitepaper: The Definitive Guide to CASBs

18. STORYBOAR
bitglass.com
@bitglass