it security panel

Upload: swati-singh

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 IT Security Panel

    1/29

    Planning for Information Security and HIPAA Compliance

    Security should follow data

    Leo Howell, CISSP; John Baines, CISSP
    IAS-Information Assurance & Security
    ETSS-Enterprise Technology Services & Support, North Carolina State University

    UNC CAUSE November 2006

    Sharon McLawhorn McNeil
    ITCS-Security
    Department of ITCS, East Carolina University

  • 2/29

    "Planning for Security and HIPAA Compliance" NCSU and ECU

    What's it all about, Webster?

    Defalcation
    Pronunciation: *d*-*fal-*k*-sh*n, Date: 15th century
    1 archaic : DEDUCTION
    2 : the act or an instance of embezzling
    3 : a failure to meet a promise or an expectation

    Malfeasance
    Pronunciation: *mal-*f*-z*n(t)s, Date: 1696
    : wrongdoing or misconduct especially by a public official

    Two twenty-dollar words: fraud and criminal business acts.
    Reaction to the excesses of the 80s and 90s.

  • 3/29

    Increasingly Complicated Compliance Constraints

    Statute                                           Type of requirement        University data      Example location
    FERPA                                             Federal law                Student records      Faculty PC or server
    HIPAA                                             Federal law                Health records       Athletics dept.
    GLBA                                              Federal law                Financial data       Financial Aid
    PCI DSS - Data Security Std.                      Payment Card Industry      Credit card data     Bookstore server
    SB 1048                                           State Identity Theft law   SSN, etc.            R & R
    State Employee Personal Information Privacy law                              Staff data           Payroll
    Federal Grants                                    Contract requirements      Research materials   Lab PC

  • 4/29

    Educational Institutes Seen as Easy Marks

    Los Angeles Times article - May 30, 2006

    Since January 2006, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.

    "We were adding on another university every week to look into."
    - Michael C. Zweiback, assistant U.S. attorney

  • 5/29

    Information Security Planning

    High level tasks

    Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
    Understand the business goals and objectives
    Conduct a risk assessment; factor in compliance!
    Develop the plan

  • 6/29

    Data Classification Standard, DCS

    forms the foundation

    Identification
    Confidentiality and sensitivity
    Classification
    Protection
    Consistency

    3 classification levels - High, Moderate, Normal
    Based on data business value, financial implications, legal obligations

  • 7/29

    Data Management Procedures, DMP

    assigns ownership and accountability

    [Role relationship diagram; labels truncated in extraction: User - Responsib...; Data Cus... - Physical data, Manage... ac...; Security A... - e.g. Applicati..., Authorizes based on G...; Data Stew... - Access within..., accuracy, priv...; Data Trus... - Oversight re...]

  • 8/29

    Seven Steps: RMIS Information System Security Plan, RISSP

    Leo Howell
    Information Security Analyst

  • 9/29

    STEP ONE Understand the Assets

    Philosophically, we believe that security should follow data. But we know that not all data were created equal.

    Effective security begins with a solid understanding of the protected asset and its value.

    At NC State we have identified DATA as our primary asset.

  • 10/29

    STEP TWO Identify and prioritize Threats

    Governance: policy breach, rebellion
    Physical: data theft, equipment theft/damage
    Endpoint: theft, social engineering
    Infrastructure & Application: theft, disclosure, DoS, unauthorized access
    Data: unauthorized access, corruption/destruction

  • 11/29

    STEP THREE Identify and rank Vulnerabilities

    Governance: policy loopholes
    Physical: weak perimeter, open access
    Endpoint: ignorance
    Infrastructure & Application: open network, unpatched systems/OS, misconfiguration
    Data: unencrypted storage, insecure transmission

  • 12/29

    STEP FOUR Quantify Relative Risk, R

    R = VAT

    V = vulnerability
    A = asset
    T = threat = likelihood of T

    The greater the number of vulnerabilities, the bigger the risk.
    The greater the value of the asset, the bigger the risk.
    The greater the threat, the bigger the risk.

  • 13/29

    STEP FIVE Develop a strategy

    Higher Classification implies Increased Security

    Types of data stored, accessed, processed or transmitted dictate the OPZ.

    High - significant business impact: financial loss, regulatory compliance
    Moderate - adversely affects business and reputation
    Normal - minimal adverse effect on business; authorization required to modify or copy

    3 virtual operational protection zones, OPZ, based on Data Classification

    [Figure: Server with Moderate data; Laptop with High data]

  • 14/29

    STEP SIX Establish target standards

    Amount and stringency of security controls at each level varies with data classification.

    Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53:
    1. Management & Governance
    2. Access control
    3. Physical security
    4. Endpoint security
    5. Infrastructure security
    6. Application security
    7. Data security

  • 15/29

    Snippet from Data Security Standard

    Security Control                      Red Zone     Yellow Zone   Green Zone
    Encrypt stored data                   Mandatory    Recommended   Optional
    Limit data stored to external media   Mandatory    Recommended   Optional
    Encrypt transmitted data              Mandatory    Mandatory     Recommended

  • 16/29

    STEP SEVEN Document the plan

    Identify realistic solutions for applying the appropriate security controls at each level.
    Create a list of action items for the next 3 to 5 years.
    Prioritize the list based on risk and reality.
    Forecast investment.
    Beg, kick and scream to get funding.
    Implement the plan over time.
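    The seven steps above, worked through end to end as an added example (Python written for this page; it is not the presenters' or NC State's own tooling). It scores each asset with R = VAT from step four, maps the asset's classification level to an operational protection zone, looks up that zone's requirement for each control in the Data Security Standard snippet, and emits the risk-ordered action list that step seven calls for. Assumed rather than taken from the slides: the numeric weights for classification levels and threat likelihood, the mapping of High/Moderate/Normal to the Red/Yellow/Green zones, the reading of V as the count of vulnerabilities present, and the asset inventory, which is constructed.

```python
"""Relative risk scoring (R = VAT) and zone-based control lookup.

Added example modelling the seven-step planning method; not the presenters'
code. Weights, the level-to-zone mapping and the sample inventory are
assumptions and are marked as such below.
"""
from dataclasses import dataclass, field

# Step 1 / step 5: classification drives asset value. The weights are an
# assumption; the slides only order the levels High > Moderate > Normal.
ASSET_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}

# Step 5: one virtual operational protection zone per classification level.
# The colour mapping is an assumption; the slides name the zones but do not
# show which level lands in which zone.
ZONE_FOR_LEVEL = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# Step 6: the "Snippet from Data Security Standard" table, as on the slide.
DATA_SECURITY_STANDARD = {
    "Encrypt stored data":                 {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Limit data stored to external media": {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Encrypt transmitted data":            {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}

# Step 2: threat likelihood on an assumed 1..3 scale (the slides say only that
# T is the likelihood of the threat). Threat names are the slide's own.
THREAT_LIKELIHOOD = {
    "unauthorized access": 3, "data theft": 3, "disclosure": 2,
    "corruption/destruction": 2, "equipment theft/damage": 2, "DoS": 1,
}


@dataclass
class Asset:
    name: str
    classification: str                 # High / Moderate / Normal
    vulnerabilities: list[str]          # step 3: vulnerabilities found present
    threats: list[str]                  # step 2: threats that apply
    controls_in_place: set[str] = field(default_factory=set)


def relative_risk(asset: Asset) -> int:
    """Step 4: R = V * A * T.

    V counts the vulnerabilities present, A is the value implied by the
    classification level, and T is the likelihood of the most likely applicable
    threat. If any factor is zero the risk is zero, which matches the slide:
    no vulnerability, no valuable asset or no threat means no risk.
    """
    v = len(asset.vulnerabilities)
    a = ASSET_VALUE[asset.classification]
    t = max((THREAT_LIKELIHOOD[th] for th in asset.threats), default=0)
    return v * a * t


def zone(asset: Asset) -> str:
    """Step 5: the protection zone follows the data classification."""
    return ZONE_FOR_LEVEL[asset.classification]


def control_gaps(asset: Asset) -> list[tuple[str, str]]:
    """Step 6: controls the zone requires or recommends that are not in place."""
    z = zone(asset)
    gaps = []
    for control, by_zone in DATA_SECURITY_STANDARD.items():
        requirement = by_zone[z]
        if requirement in ("Mandatory", "Recommended") and control not in asset.controls_in_place:
            gaps.append((control, requirement))
    return gaps


def action_plan(assets: list[Asset]) -> list[tuple[str, str, str, int]]:
    """Step 7: action items ordered by risk, mandatory gaps before recommended ones."""
    rank = {"Mandatory": 0, "Recommended": 1}
    items = []
    for asset in assets:
        r = relative_risk(asset)
        for control, requirement in control_gaps(asset):
            items.append((r, rank[requirement], asset.name, control, requirement))
    items.sort(key=lambda i: (-i[0], i[1], i[2], i[3]))
    return [(name, control, requirement, r) for r, _, name, control, requirement in items]


# Constructed sample inventory echoing the slide's two pictured devices; these
# are not real NC State systems.
SAMPLE_ASSETS = [
    Asset("Laptop with High data", "High",
          ["unencrypted storage", "unpatched systems/OS"],
          ["data theft", "disclosure"],
          controls_in_place={"Encrypt transmitted data"}),
    Asset("Server with Moderate data", "Moderate",
          ["misconfiguration", "insecure transmission", "open network"],
          ["disclosure", "DoS"],
          controls_in_place={"Encrypt stored data"}),
    Asset("Bookstore kiosk with Normal data", "Normal",
          ["ignorance"], ["equipment theft/damage"]),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name}: zone={zone(asset)} R={relative_risk(asset)}")
    for name, control, requirement, r in action_plan(SAMPLE_ASSETS):
        print(f"R={r:2d} {name}: {control} ({requirement})")
```

    With the constructed inventory the laptop scores 18, the server 12 and the kiosk 2, so the laptop's two mandatory Red Zone gaps head the list even though the server has more vulnerabilities: the asset value and the threat likelihood weigh as much as the vulnerability count, which is the point of the multiplicative form.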

  • 17/29

    Quick takes

    Planning paves the way for effectiveness and efficiency for security and compliance.
    Understand the business, the goals.
    Conduct a risk assessment.
    Establish a strategy based on data classification and industry standards.
    Develop a prioritized, realistic plan.
    Go for the long haul!

  • 18/29

    Key Elements of the HIPAA Security Rule: And how to comply

    Sharon McLawhorn McNeil
    ITCS-Security
    Department of ITCS, East Carolina University

  • 19/29

    Introduction

    HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.

    The purpose of the Security Rule:
    To allow better access to health insurance
    Reduce fraud and abuse
    Lower the overall cost of health care.

  • 20/29

    What is the HIPAA Security Rule?

    The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.

    Identifiable health information is:
    Your past, present, or future physical or mental health or condition,
    Your type of health care, or
    Past, present, or future payment methods for the type of health care received.

  • 21/29

    Who Must Comply?

    Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.

    Health care plans - HMOs, group health plans, etc.
    Health care clearinghouses - billing and repricing companies, etc.
    Health care providers - doctors, dentists, hospitals, etc.

  • 22/29

    How Does One Comply?

    Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.

  • 23/29

    Administrative Safeguards

    To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
    Conduct a Risk Analysis.
    Implement Risk Management Actions.
    Develop a Sanction Policy to deal with violators.
    Conduct an Information System Activity Review.

  • 24/29

    Physical Safeguards

    The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.

  • 25/29

    Technical Safeguards

    Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it.

    The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.

  • 26/29

    Key Elements of Compliance

    1. Obtain and Maintain Senior Management Support
    2. Develop and Implement Security Policies
    3. Conduct and Maintain Inventory of EPHI
    4. Be Aware of Political and Cultural Issues Raised by HIPAA
    5. Conduct Regular and Detailed Risk Analysis
    6. Determine What is Appropriate and Reasonable
    7. Documentation
    8. Prepare for ongoing compliance

  • 27/29

    Penalties

    Civil penalties are $100 per violation, up to $25,000 per year for each violation.
    Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.

    Additional Negatives:
    Negative publicity
    Loss of Customers
    Loss of Business Partners
    Legal Liability

  • 28/29

    Conclusion

    Compliance will require Covered Entities to:
    Identify the risks to their EPHI
    Implement security best practices

    Complying with the Security Rule can require significant time and resources.
    Compliance efforts should be currently underway.

  • 29/29

    Contacts

    NC State University
    Leo Howell, CISSP CEH CCSP CBRM
    Information Security Analyst
    IAS-Information Assurance and Security
    ETSS-Enterprise Technology Services and Support
    [email protected]
    (919) 513-1169

    NC State University
    John Baines, CISSP
    Assistant Director
    IAS-Information Assurance and Security
    ETSS-Enterprise Technology Services and Support
    [email protected]

    East Carolina University
    Sharon McLawhorn McNeil
    IT-Security Analyst
    [email protected]
    252-328-9112