Post on 24-Dec-2015
Planning for Information Security and HIPAA Compliance
“Security should follow data”
Leo Howell, CISSP
John Baines, CISSP
IAS-Information Assurance & Security
ETSS-Enterprise Technology Services & Support
North Carolina State University
UNC CAUSE November 2006
Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University
"Planning for Security and HIPAA Compliance" NCSU and ECU
What’s it all about, Webster?
Defalcation
  – Pronunciation: ˌdē-ˌfal-ˈkā-shən
  – Date: 15th century
  – 1 archaic: DEDUCTION
  – 2: the act or an instance of embezzling
  – 3: a failure to meet a promise or an expectation
Malfeasance
  – Pronunciation: ˌmal-ˈfē-zən(t)s
  – Date: 1696
  – wrongdoing or misconduct especially by a public official
Two twenty dollar words
  – Fraud and criminal business acts
  – Reaction to the excesses of the 80’s and 90’s
Increasingly Complicated Compliance Constraints
Statute | Type of requirement | University data | Example location
FERPA | Federal law | Student records | Faculty PC or server
HIPAA | Federal law | Health records | Athletics dept.
GLBA | Federal law | Financial data | Financial Aid
PCI DSS | Payment Card Industry - Data Security Std. | Credit card data | Bookstore server
SB 1048 | State Identity Theft law | SSN, etc. | R & R
State Employee Personal Information Privacy law | | Staff data | Payroll
Federal Grants | Contract requirements | Research materials | Lab PC
Educational Institutes Seen as Easy Marks
Los Angeles Times article - May 30, 2006
‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’
‘we were adding on another university every week to look into’ - Michael C. Zweiback, assistant U.S. attorney
Information Security Planning: High level tasks
- Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
- Understand the business goals and objectives
- Conduct a risk assessment; factor in compliance!
- Develop the plan
Data Classification Standard, DCS forms the foundation
[Diagram: Identification and sensitivity; Confidentiality; Classification; Protection; Consistency]
- 3 classification levels - High, Moderate, Normal
- Based on data business value, financial implications, legal obligations
Data Management Procedures, DMP assigns ownership and accountability
Role relationships
Role | Responsibilities
User | 
Data Custodians | Physical data management; manage access rights
Security Administrator (e.g. Application Security Unit) | Authorizes users based on Guidelines
Data Steward | Access within his or her unit: accuracy, privacy, and security
Data Trustee | Oversight responsibility
Seven Steps: RMIS Information System Security Plan, RISSP
Leo Howell, Information Security Analyst
STEP ONE – Understand the Asset
- Philosophically, we believe that “security should follow data”
- But we know that not all data were created equal
- Effective security begins with a solid understanding of the protected asset and its value
- At NC State we have identified DATA as our primary asset
STEP TWO – Identify and prioritize Threats
- Governance:
  – policy breach
  – rebellion
- Physical:
  – data theft
  – equipment theft/damage
- Endpoint:
  – theft
  – social engineering
- Infrastructure & Application:
  – theft
  – disclosure
  – DoS
  – unauthorized access
- Data:
  – unauthorized access
  – corruption/destruction
STEP THREE – Identify and rank Vulnerabilities
- Governance:
  – policy loopholes
- Physical:
  – weak perimeter
  – open access
- Endpoint:
  – ignorance
- Infrastructure & Application:
  – “open” network
  – unpatched systems/OS
  – misconfiguration
- Data:
  – unencrypted storage
  – insecure transmission
STEP FOUR – Quantify Relative Risk, R
R = µVAT
- The greater the number of vulnerabilities the bigger the risk
- The greater the value of the asset the bigger the risk
- The greater the threat the bigger the risk
V = vulnerability, A = asset, T = threat, µ = likelihood of T
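The step-four formula is easiest to see applied to a small asset register. The following is an added example and not code from the presentation or from NC State; it scores each factor on an assumed 1..5 ordinal scale, derives A from the DCS classification on an assumed 1..3 scale, and uses an invented register of three exposures so the ranking and the effect of closing a vulnerability can be checked.

```python
"""Relative risk ranking with the deck's R = µVAT (added example, not the deck's own tool)."""
from dataclasses import dataclass, replace

# Asset value A derived from the DCS classification level. The deck defines the three
# levels but assigns them no number; the 1..3 scale here is an assumption.
ASSET_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}


@dataclass(frozen=True)
class Exposure:
    """One threat acting on one asset, scored on assumed 1..5 ordinal scales."""
    asset: str
    classification: str      # High / Moderate / Normal, per the Data Classification Standard
    threat: str
    likelihood: int          # µ: how likely the threat is to materialise (1..5)
    vulnerabilities: int     # V: number of open vulnerabilities the threat can exploit
    threat_severity: int     # T: impact if the threat succeeds (1..5)


def relative_risk(e: Exposure) -> int:
    """R = µ * V * A * T. Every factor only ever increases R, which is what the three
    'the greater ... the bigger the risk' statements on the slide say."""
    for name, value in (("likelihood", e.likelihood), ("threat_severity", e.threat_severity)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on the 1..5 scale, got {value}")
    if e.vulnerabilities < 0:
        raise ValueError("vulnerability count cannot be negative")
    if e.classification not in ASSET_VALUE:
        raise ValueError(f"unknown classification {e.classification!r}")
    return e.likelihood * e.vulnerabilities * ASSET_VALUE[e.classification] * e.threat_severity


def rank_by_risk(exposures):
    """Highest relative risk first: the prioritised list that step five builds a strategy on."""
    return sorted(exposures, key=relative_risk, reverse=True)


def after_mitigation(e: Exposure, vulnerabilities_closed: int) -> Exposure:
    """Closing vulnerabilities lowers V and therefore R; A, T and µ are unchanged."""
    return replace(e, vulnerabilities=max(0, e.vulnerabilities - vulnerabilities_closed))


# Constructed sample register (values invented for illustration, not taken from the deck).
SAMPLE_REGISTER = [
    Exposure("Laptop with High data", "High", "theft",
             likelihood=3, vulnerabilities=2, threat_severity=4),
    Exposure("Server with Moderate data", "Moderate", "unauthorized access",
             likelihood=2, vulnerabilities=3, threat_severity=3),
    Exposure("Lab PC", "Normal", "corruption/destruction",
             likelihood=5, vulnerabilities=4, threat_severity=2),
]


if __name__ == "__main__":
    for e in rank_by_risk(SAMPLE_REGISTER):
        print(f"R={relative_risk(e):>3}  {e.asset} / {e.threat}")
    laptop = SAMPLE_REGISTER[0]
    # Encrypting the laptop's disk closes one of its two vulnerabilities and halves R.
    print("laptop after encrypting storage: R =", relative_risk(after_mitigation(laptop, 1)))
```

With these constructed scores the Normal-classified lab PC (R = 40) outranks the Moderate server (R = 36) because it carries twice the vulnerabilities and a higher likelihood, which is exactly the kind of result a purely classification-driven list would miss; the laptop stays on top at R = 72 until its storage is encrypted.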
STEP FIVE – Develop a strategy
Higher Classification implies Increased Security
Types of data stored, accessed, processed or transmitted dictates OPZ
- High - Significant business impact
  – financial loss
  – regulatory compliance
- Moderate - adversely affects business and reputation
- Normal - minimal adverse effect on business
  – authorization required to modify or copy
3 virtual operational protection zones, OPZ based on Data Classification
[Figure: Server with Moderate data; Laptop with High data]
STEP SIX – Establish target standards
Amount and stringency of security controls at each level varies with data classification
Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53
1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security
Snippet from Data Security Standard
Security Control | Red Zone | Yellow Zone | Green Zone
Encrypt stored data | Mandatory | Recommended | Optional
Limit data stored to external media | Mandatory | Recommended | Optional
Encrypt transmitted data | Mandatory | Mandatory | Recommended
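Steps five and six and the snippet above together describe one lookup: classification picks the zone, and the zone fixes how stringent each control is. The following is an added example, not code from the presentation or from NC State. It encodes the three rows of the snippet exactly as shown; the pairing High to Red, Moderate to Yellow, Normal to Green is an assumption (the deck names three zones and three levels but does not state which colour serves which level), and the two inventory records are constructed.

```python
"""Zone-based control lookup and gap check built from the Data Security Standard
snippet (added example; the colour-to-level pairing is an assumption, not the deck's)."""

MANDATORY, RECOMMENDED, OPTIONAL = "Mandatory", "Recommended", "Optional"

# Assumed pairing of DCS classification level with operational protection zone.
ZONE_FOR_CLASSIFICATION = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# The three rows shown in the deck's snippet. A full standard has one row per control
# in each of the seven protection layers; only these three are on the page.
DATA_SECURITY_STANDARD = {
    "Encrypt stored data":                 {"Red": MANDATORY, "Yellow": RECOMMENDED, "Green": OPTIONAL},
    "Limit data stored to external media": {"Red": MANDATORY, "Yellow": RECOMMENDED, "Green": OPTIONAL},
    "Encrypt transmitted data":            {"Red": MANDATORY, "Yellow": MANDATORY,   "Green": RECOMMENDED},
}


def zone_for(classification: str) -> str:
    """Step five: the classification of the data handled dictates the OPZ."""
    try:
        return ZONE_FOR_CLASSIFICATION[classification]
    except KeyError:
        raise ValueError(f"unknown classification {classification!r}; "
                         "expected High, Moderate or Normal") from None


def controls_for(classification: str) -> dict:
    """Step six: control name -> stringency for the zone this classification lands in."""
    zone = zone_for(classification)
    return {control: levels[zone] for control, levels in DATA_SECURITY_STANDARD.items()}


def gap_report(system: dict) -> dict:
    """Compare a system's implemented controls with its zone's standard.
    'violations' are unmet Mandatory controls, 'advisories' unmet Recommended ones;
    unmet Optional controls are not reported. A control missing from the system
    record counts as not implemented, so an incomplete inventory fails closed."""
    expected = controls_for(system["classification"])
    implemented = system.get("controls", {})
    report = {"system": system["name"], "zone": zone_for(system["classification"]),
              "violations": [], "advisories": []}
    for control, level in expected.items():
        if implemented.get(control, False):
            continue
        if level == MANDATORY:
            report["violations"].append(control)
        elif level == RECOMMENDED:
            report["advisories"].append(control)
    return report


def is_compliant(system: dict) -> bool:
    """A system meets the standard when no Mandatory control for its zone is unmet."""
    return not gap_report(system)["violations"]


# Constructed inventory (not from the deck), named after the two systems drawn on the
# step-five slide. The server record omits the external-media control on purpose.
SAMPLE_INVENTORY = [
    {"name": "Laptop with High data", "classification": "High",
     "controls": {"Encrypt stored data": False,
                  "Limit data stored to external media": False,
                  "Encrypt transmitted data": True}},
    {"name": "Server with Moderate data", "classification": "Moderate",
     "controls": {"Encrypt stored data": False,
                  "Encrypt transmitted data": False}},
]

if __name__ == "__main__":
    for system in SAMPLE_INVENTORY:
        print(gap_report(system))
```

Run on the constructed inventory, the High-data laptop lands in the Red zone with two violations (stored data and external media are both Mandatory there), while the Moderate server in the Yellow zone has one violation (transmitted data is Mandatory in both Red and Yellow) and two advisories. Treating an absent control as unmet is deliberate: an inventory gap should surface as a finding, not as silent compliance.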
STEP SEVEN – Document the plan
- Identify realistic solutions for applying the appropriate security controls at each level.
- Create a list of action items for the next 3 to 5 years
- Prioritize the list based on risk and reality
- Forecast investment
- Beg, kick and scream to get funding
- Implement the plan over time
Quick takes
- Planning paves the way for effectiveness and efficiency for security and compliance
- Understand the business goals
- Conduct a risk assessment
- Establish a strategy based on data classification and industry standards
- Develop a prioritized realistic plan
- Go for the long haul!
Key Elements of the HIPAA Security Rule: And how to comply
Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University
Introduction
HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.
The purpose of the Security Rule:
- To allow better access to health insurance
- Reduce fraud and abuse
- Lower the overall cost of health care.
What is the HIPAA Security Rule?
The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Identifiable health information is:
- Your past, present, or future physical or mental health or condition,
- Your type of health care, or
- Past, present, or future payment methods for the type of health care received.
Who Must Comply?
Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
- Health care plans - HMOs, group health plans, etc.
- Health care clearinghouses - billing and repricing companies, etc.
- Health care providers - doctors, dentists, hospitals, etc.
How Does One Comply?
Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.
Administrative Safeguards
To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
- Conduct a Risk Analysis.
- Implement Risk Management Actions.
- Develop a Sanction Policy to deal with violators.
- Conduct an Information System Activity Review.
Physical Safeguards
The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.
Technical Safeguards
Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it.
The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.
Key Elements of Compliance
1. Obtain and Maintain Senior Management Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance
Penalties
Civil penalties are $100 per violation, up to $25,000 per year for each violation.
Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Additional Negatives:
- Negative publicity
- Loss of Customers
- Loss of Business Partners
- Legal Liability
Conclusion
Compliance will require Covered Entities to:
- Identify the risks to their EPHI
- Implement security best practices
Complying with the Security Rule can require significant time and resources.
Compliance efforts should be currently underway.
Contacts
NC State University
Leo Howell, CISSP CEH CCSP CBRM
Information Security Analyst
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
leo_howell@ncsu.edu
(919) 513-1169
NC State University
John Baines, CISSP
Assistant Director
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
john_baines@ncsu.edu
East Carolina University
Sharon McLawhorn McNeil
IT-Security Analyst
McLawhorns@ecu.edu
252-328-9112