CA Technologies Healthcare security solutions: Protecting your organization, patients, and information

agility made possible™

CA TECHNOLOGIES: SECURITY SOLUTIONS FOR THE HEALTHCARE INDUSTRY

Are you prepared?

Healthcare information breaches are up more than 120% over the previous year and 41% of hospitals now have ≥ 10 data breaches annually according to the Spring 2010 National Survey of Hospital Compliance Executives. The recent release of the Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security indicates that regulations have not improved the safety of patient records; 58% of organizations have little or no confidence in their ability to appropriately secure patient records. Additionally, 71% of healthcare organizations have inadequate resources and 69% have insufficient processes to prevent and detect patient data loss.

As Meaningful Use incentives drive healthcare providers to increase their reliance on electronic data, there is an urgent need to adequately secure and protect information. In addition, HITECH legislation enhances Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules mandating costly penalties for data breaches and includes new Protected Health Information (PHI) disclosure regulations.

While the use of technology among healthcare communities can make communication easier, aid the decision-making process, and help elevate the quality of patient care, all of the benefits of automation are offset if the availability and integrity of the patient data are compromised. Security breaches can have a negative effect on the organization’s brand, credibility and patient revenue. Patient care and life status can be affected if PHI is compromised or released.

In order to realize the benefits of technology and to meet regulatory and compliance mandates, healthcare organizations must proactively plan for and implement strong safeguards to assure information is available when and where it is needed, while protecting it from unauthorized use and distribution.

The key questions that must be answered by all security solutions are:

• Who has access to which systems, applications, services and information?
• Are they who they claim to be?
• What can they do with that access?
• What can they do with the information they obtained?
• What did they do when accessing the systems/information?

Healthcare industry imperatives

Security, Privacy, and Compliance
Federal HITECH/HIPAA requirements demand safeguarding of PHI or face serious penalties. There will be greater need to have audit, tracking, and reporting capabilities for IT systems capturing PHI.

Automation and Agility
Industry reforms will require IT departments to respond quickly to changing business needs, operate without service disruptions, and ensure high system and application performance using automated processes, further increasing the need for enhanced information security.

Data Availability
Clinical applications such as Electronic Health Records (EHRs) and Computerized Physician Order Entry (CPOE) are the lifeblood of health systems – they need to be available 24x7, perform according to SLAs and user expectations, and have proper security at all levels to prevent unauthorized user access and data distribution.

Cost Containment
As cost pressures mount, healthcare CIOs will take innovative approaches to reduce IT expenses such as server and application consolidation, virtualization, sourcing and models. Maintaining PHI security and privacy across all environments will be paramount.

Meeting user needs

Many constituents can benefit from increased interoperability, mobility, and connected healthcare. And while the benefits of storing electronic health records versus physical storage include lower costs, fewer errors, and more readily available medical records, there is an increased need to implement stronger security measures to protect patient information and to enable you to confirm that you are providing only authorized access to those healthcare professionals with a right to know.

Healthcare Executives
With the growing number of sophisticated and financially-driven security threats, healthcare executives need to proactively detect and prevent costly data breaches that can potentially damage an organization’s brand and public image. Providing appropriate and secure access to medical records enables healthcare executives to bolster patient confidence, provide physicians with the information they need to provide top-level care, and enhance compliance with HIPAA and HITECH regulations. Healthcare Executives’ needs include:

• Protecting the brand and image of the organization
• Preventing unauthorized access and malicious use of information

Physicians
With a keen focus on providing high quality patient care and reducing medical errors, physicians and their staff must be able to securely access, share, and update patient information and records. Providing physicians and their staff with role and identity-based access to specific data and content will enhance the control and security of private information and allow physicians to securely collaborate with other physicians to solve complex clinical problems. The once isolated practitioner can now deliver better, timelier healthcare in a truly integrated fashion with help from a team of clinical partners. Physicians need:

• Quick, secure, reliable, 24X7 access to patient information regardless of location
• Strong but convenient online

Patients
Patients need to trust that their PHI is securely transported throughout the Health Information Exchange (HIE) and that they or a physician or healthcare facility can securely access their health records anytime, anywhere. In addition, enabling patients to become more proactive in their own healthcare by ensuring their access to secure PHI allows both physicians and patients to take a more active role to better manage their health state while improving patient/physician communication and the overall quality, accuracy and timeliness of the care provided. Patients need:

• Quick, easy access to personal health records and diagnosis information
• Mobile access to medical records
• Confidence and trust that information is protected from unauthorized access and that physicians have the ability to access and share PHI with other practitioners

Driving the need for increased security

Interoperability
As healthcare organizations continually enhance the delivery and quality of patient care services, building health information systems that work together within and across organizational boundaries is a major imperative. Creating highly efficient systems that house and protect electronic records and data will enable organizations to accelerate the achievement of Meaningful Use criteria. Implementing a comprehensive information security program is required so organizations can achieve higher levels of interoperability and confidently meet HIPAA security and privacy requirements.

Mobility
While mobile technologies will have a major impact on patient care, mobility also increases the risk of PHI breaches. As more users rely on mobile devices for health care services, healthcare IT organizations must develop holistic enterprise security strategies and requirements to mitigate the risk of costly data breaches brought on by the consumerization of IT.

Connected Health
As efforts increase to deliver patient care where and when it is needed and to provide flexible opportunities for consumers to engage with clinicians and better self-manage their care, many readily available networking and mobile technologies will be deployed. As remote care increases, so does the potential for security breaches, enhancing the need for a well-planned security strategy.

Protect your information with security solutions from CA Technologies

CA Technologies develops and delivers content-aware identity and access management solutions that help healthcare organizations find, classify and control how information is used based both on user identity and content of the data, across physical, virtual and cloud environments.

Traditional Identity and Access Management (IAM) stops at the point of access, so organizations have less control. The CA Content-Aware IAM solution helps you control user identities and their access to key applications and information. But, unlike traditional IAM, it also controls what users can do with the information once they access it. In this way, CA Content-Aware IAM provides improved PHI security and protection compared to other IAM solutions.

We enable you to protect critical patient and business information in order to mitigate risks, comply with regulations and enforce information use policies, giving you the ability and confidence to provide secure medical information to authorized users when and where they need it.

Our security solutions and support of industry-related technologies help you ensure all users have only the designated level of access rights to protected medical resources, and those rights are enforced appropriately.

Our solutions also help you automate costly and error-prone manual processes so you can lower administration costs and simplify your healthcare compliance audits.

With security solutions from CA Technologies, you can:

• Reduce risks and vulnerabilities with proactive controls for sensitive data
• Help improve patient, physician and executive confidence by preventing data loss and information breaches

Content-aware IAM

Control Identity
Business need: Manage and govern identities and what they can access based on their role
Capabilities:
• Identity Governance
• Provisioning/On-boarding
• User Activity and Compliance reporting

Control Access
Business need: Control access to systems and applications across physical, virtual and cloud environments
Capabilities:
• Privileged User Management
• Web Access Management
• Virtualization Security
• Advanced Authentication
• Fraud Prevention

Control Information
Business need: Find, classify and control how information is used based on content and identity
Capabilities:
• Discovery & Classification
• Data Policy Management

Proactively manage and mitigate security risks

Control Identities
Healthcare organizations must provide online access to resources to ever-increasing numbers and types of users. Managing these user identities, as well as governing what they can access based on their role is a critical challenge from both a security and an efficiency standpoint.

Control Access
Controlling access to critical applications and systems is required not only for effective compliance, but also to protect shareholder value, customer information, and intellectual property. Without effective user authentication and access policy enforcement, improper access (either intentional or inadvertent) can have disastrous effects. There are three important areas to consider:

• Controlling access to web-based applications and services
• Controlling access of privileged users to information, applications, and services, and
• Advanced authentication

Control Information
Enforcement of access control over sensitive information is only the first step in a comprehensive approach to information security. Once users have gained legitimate access to this data, many organizations have little or no control over what those users can do with it. These organizations often are not fully aware of all the places their sensitive information is stored, and have no protection against the improper disclosure or theft of this information.

Technologies supported

and Governance
Identity management and governance controls what healthcare workers and patients can access based on their role. Clinicians with excessive privileges or entitlements can create chaos in a healthcare organization from a security, compliance, and liability standpoint. Identity management and governance not only control what users can access based on their role, but also how they use the data that they access. This capability can reduce excessive administrative resources as well as reduce security risk and simplify compliance.

It is critical that all clinicians be assigned the proper role(s) for their function within the organization, and that they have only the proper access rights for that role. Therefore, ensuring that all users and roles comply with defined policy helps to protect critical electronic health and personal records from improper use. Ensuring role compliance through automated identity governance processes helps to protect this critical information. Role compliance includes activities such as entitlements certification, role management and privilege cleanup, all of which help to ensure that each user has only the proper access rights relevant to their role in the healthcare organization. By implementing role compliance, costs can be reduced, while providing users with better service and reducing security exposure.

Strong Authentication
It is essential that each user is uniquely authenticated, and that the method used to authenticate each user is appropriate for the sensitivity of the information or application being accessed. For many environments, the traditional username and password do not provide adequate security, and strong (two-factor) authentication will be required. Strong authentication is critical for healthcare providers to protect PHI, achieve compliance, and avoid the potential reputational impacts of breaches of patient records.

Data Loss Prevention (DLP)
DLP detects and prevents unauthorized use of confidential healthcare data and provides a spectrum of remediation actions so that effective enforcement of information use policy can be achieved throughout the organization. DLP is designed to protect and control data-in-motion on the network and in the messaging system, data-in-use at the endpoint, and data-at-rest on servers and in repositories across the enterprise.

Web Single Sign-On (SSO)
Web Single Sign-On streamlines the log-on processes with one sign-on sequence for fast access to patient data in multiple authorized applications and . This capability allows clinicians to easily access all the applications they need, thus allowing more timely patient care while potentially improving security levels with the elimination of the temptation to write down or share passwords.

“Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs.”
Dr. Larry Ponemon, chairman and founder, Ponemon Institute
November 2010

“Across the board, we are not spending enough on data security, and that tells me that IT is not quite an institutional priority…There is still a lot of work to do in the industry with regard to security.”
Mac McMillan, chair of the HIMSS Privacy and Security Committee at the Chicago-based Healthcare Information Management Systems Society
March 2011

“The role of information technology has never been as important to the restructuring of the U.S. healthcare system as it is today.”
HITRUST Leadership Roundtable 2011

Business benefits

CA Technologies can help your healthcare organization secure information and applications, as well as deliver new applications and services more quickly to your providers, payers, patients, and partners. These applications can provide a personalized and positive user experience; thereby strengthening users’ satisfaction and helping you meet your organizational mission and goals. Additionally, CA Technologies enables safe access to your on-premise and cloud applications by extending security to the cloud. Our robust on-premise security solutions protect access to applications whether on premises or in the cloud. This combination of on-premise and cloud-based security services helps you protect your applications today, and migrate to cloud applications at your pace.

Reduce risks and prevent security breaches
CA Technologies helps make certain that your critical electronic healthcare resources are protected, as well as helping to ensure that only properly authorized users and patients can access them, and only in approved ways. It allows security events to be logged and analyzed quickly to identify and remediate potential security, fraud and compliance issues, including improper disclosure or use of sensitive medical and/or patient information.

Improve regulatory compliance
Your healthcare organization will have the tools necessary to support continuous compliance with HIPAA/HITECH and other federal and state regulations. With automated and centrally managed security capabilities, along with extensive auditing, your healthcare compliance efforts can become much simpler because you can more easily prove and validate the effective operation of your established security controls.

Reduce administrative expense and improve efficiency
Automation of security administrative processes, especially those related to managing practitioners, patients and support staff identities and access rights can enable significant operational efficiencies; reducing your overall IT costs. Automation can also help to improve user and management productivity, since less time has to be spent working with manual processes.

Enhancing the patient experience

Our security solutions enable your organization to enhance the patient experience by providing secure access to key medical information within and across systems and at point of care.

Improve patient safety
Over the last decade patient safety has been in the spotlight. With secure and accurate records, physicians can administer tests and treatments and medication can be administered accurately and in a timely way. Effective security controls also permit pharmacists to confirm information before dispensing and complying with healthcare regulations; helping to ensure the right doctor is administering the right medication to the right patient regardless of healthcare setting or geographic location based on the secure access of the patient’s data.

Improve patient satisfaction
The healthcare industry is extremely competitive, for organizational success and growth, focus must be placed on improving the patient experience. Secure information and access can impact overall satisfaction for a patient making the choice of future healthcare providers. Patients expect that their personal data is secure and accessible by their providers and healthcare organization. In addition, remote access of personal health information through a secure exchange is essential for a patient who is traveling and requires remote treatment.

The CA Technologies advantage

CA Technologies has been a leader in IT management for over 30 years with hundreds of healthcare customers globally in payer, provider and pharmaceutical segments. Security solutions from CA Technologies deliver enhanced protection for your organization, information, and patients by controlling user identities, access, and usage of vital health and medical information. This important capability increases your overall security, and helps prevent inappropriate breaches and use of your EHR, Personal Health Record (PHR) and Health Information Systems (HIS) data.

And, our ability to support a wide variety of platforms (from distributed to mainframe) and deployment models (including cloud and virtualized environments) provides a consistent and secure platform across your healthcare IT environment, including emerging technologies.

With CA Technologies, you can confidently and proactively implement a secure environment to protect sensitive information, avoid security breaches, improve patient confidence, and meet current and future compliance requirements.

Protect your business, patients and information

• Proactively secure sensitive information
• Prevent security breaches
• Control user identities and their access based on roles
• Reduce risks with strong privileged user management
• Enable business opportunities with Web access management
• Improve patient confidence by preventing data loss
• Safeguard the relationship between provider, payer, patient and partners

CA Technologies is actively involved with the Health Information Trust Alliance (HITRUST) and was one of the first organizations involved with the development of the HITRUST Common Security Framework (CSF), the most widely-adopted security framework in the U.S. healthcare industry. The CSF is the first IT security framework developed specifically for healthcare information that can be used by any and all organizations that create, access, store or exchange personal health and financial information.

Copyright ©2011. CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, “Laws”) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein.