Planning for Information Security and HIPAA Compliance “Security should follow data” Leo Howell,...


Page 1: Planning for Information Security and HIPAA Compliance

“Security should follow data”

Leo Howell, CISSP
John Baines, CISSP
IAS-Information Assurance & Security
ETSS-Enterprise Technology Services & Support
North Carolina State University

UNC CAUSE November 2006

Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University

Page 2: What’s it all about, Webster?

Defalcation
- Pronunciation: *d*-*fal-*k*-sh*n
- Date: 15th century
- 1 archaic : DEDUCTION
- 2 : the act or an instance of embezzling
- 3 : a failure to meet a promise or an expectation

Malfeasance
- Pronunciation: *mal-*f*-z*n(t)s
- Date: 1696
- wrongdoing or misconduct especially by a public official

Two twenty dollar words
- Fraud and criminal business acts
- Reaction to the excesses of the 80’s and 90’s

"Planning for Security and HIPAA Compliance" NCSU and ECU

Page 3: Increasingly Complicated Compliance Constraints

| Statute        | Type of requirement                             | University data    | Example location     |
|----------------|-------------------------------------------------|--------------------|----------------------|
| FERPA          | Federal law                                     | Student records    | Faculty PC or server |
| HIPAA          | Federal law                                     | Health records     | Athletics dept.      |
| GLBA           | Federal law                                     | Financial data     | Financial Aid        |
| PCI DSS        | Payment Card Industry - Data Security Std.      | Credit card data   | Bookstore server     |
| SB 1048        | State Identity Theft law                        | SSN, etc.          | R & R                |
|                | State Employee Personal Information Privacy law | Staff data         | Payroll              |
| Federal Grants | Contract requirements                           | Research materials | Lab PC               |

Page 4: Educational Institutes Seen as Easy Marks

Los Angeles Times article - May 30, 2006

‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’

‘we were adding on another university every week to look into’ - Michael C. Zweiback, assistant U.S. attorney

Page 5: Information Security Planning - High level tasks

- Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
- Understand the business goals and objectives
- Conduct a risk assessment; factor in compliance!
- Develop the plan

Page 6: Data Classification Standard, DCS forms the foundation

- Identification
- Confidentiality and sensitivity
- Classification
- Protection
- Consistency

3 classification levels - High, Moderate, Normal

Based on data business value, financial implications, legal obligations

Page 7: Data Management Procedures, DMP assigns ownership and accountability

Role relationships

- User: Responsibilities
- Data Custodians: Physical data management; manage access rights
- Security Administrator (e.g. Application Security Unit): Authorizes users based on Guidelines
- Data Steward: Access within his or her unit; accuracy, privacy, and security
- Data Trustee: Oversight responsibility

Page 8: Seven Steps

RMIS Information System Security Plan, RISSP

Leo Howell
Information Security Analyst

Page 9: STEP ONE – Understand the Asset

- Philosophically, we believe that “security should follow data”
- But we know that not all data were created equal
- Effective security begins with a solid understanding of the protected asset and its value
- At NC State we have identified DATA as our primary asset

Page 10: STEP TWO – Identify and prioritize Threats

Governance:
- policy breach
- rebellion

Physical:
- data theft
- equipment theft/damage

Endpoint:
- theft
- social engineering

Infrastructure & Application:
- theft
- disclosure
- DoS
- unauthorized access

Data:
- unauthorized access
- corruption/destruction

Page 11: STEP THREE – Identify and rank Vulnerabilities

Governance:
- policy loopholes

Physical:
- weak perimeter
- open access

Endpoint:
- ignorance

Infrastructure & Application:
- “open” network
- unpatched systems/OS
- misconfiguration

Data:
- unencrypted storage
- insecure transmission

Page 12: STEP FOUR – Quantify Relative Risk, R

R = µVAT

V = vulnerability
A = asset
T = threat
µ = likelihood of T

- The greater the number of vulnerabilities the bigger the risk
- The greater the value of the asset the bigger the risk
- The greater the threat the bigger the risk

Page 13: STEP FIVE – Develop a strategy

- Higher Classification implies Increased Security
- Types of data stored, accessed, processed or transmitted dictates OPZ
- 3 virtual operational protection zones, OPZ, based on Data Classification

High
- Significant business impact
- financial loss
- regulatory compliance

Moderate
- adversely affects business and reputation

Normal
- minimal adverse effect on business
- authorization required to modify or copy

Diagram labels: Server with Moderate data; Laptop with High data

Page 14: STEP SIX – Establish target standards

Amount and stringency of security controls at each level varies with data classification

Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53

1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security

Page 15: Snippet from Data Security Standard

| Security Control                    | Red Zone  | Yellow Zone | Green Zone  |
|-------------------------------------|-----------|-------------|-------------|
| Encrypt stored data                 | Mandatory | Recommended | Optional    |
| Limit data stored to external media | Mandatory | Recommended | Optional    |
| Encrypt transmitted data            | Mandatory | Mandatory   | Recommended |
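Steps Four to Six applied to a small inventory, as an added example that is not from the original slides: each system takes the zone of its most sensitive data, is checked against the three controls in the table above, and is ranked by R = µVAT. The High/Moderate/Normal to Red/Yellow/Green pairing, the numeric scales for A, T and µ, the rule that unmet Mandatory controls sort first, and the inventory itself are assumptions made for illustration.

```python
from dataclasses import dataclass

# Classification levels from the Data Classification Standard, lowest to highest.
LEVELS = ["Normal", "Moderate", "High"]
# Assumption: the slides name three levels and three zones but do not state the pairing.
ZONE = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}
# Assumption: relative asset value A per classification level (scale not given in the slides).
ASSET_VALUE = {"Normal": 1, "Moderate": 2, "High": 3}

# Requirements copied from the "Snippet from Data Security Standard" table.
STANDARD = {
    "encrypt_stored_data":      {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "limit_external_media":     {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "encrypt_transmitted_data": {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}

@dataclass
class System:
    name: str
    data_classes: list     # level of every data set stored, accessed, processed or transmitted
    controls: set          # controls already in place (keys of STANDARD)
    vulnerabilities: list  # Step Three findings
    threat: int            # T, assumed scale 1 (low) to 3 (high)
    likelihood: float      # mu, assumed scale 0.0 to 1.0

def classification(system):
    """The most sensitive data on a system decides its level: security follows data."""
    return max(system.data_classes, key=LEVELS.index)

def zone(system):
    return ZONE[classification(system)]

def relative_risk(system):
    """R = mu * V * A * T, with V taken as the number of identified vulnerabilities."""
    v = len(system.vulnerabilities)
    a = ASSET_VALUE[classification(system)]
    return system.likelihood * v * a * system.threat

def control_gaps(system):
    """Missing controls for the system's zone, grouped by requirement level."""
    gaps = {"Mandatory": [], "Recommended": []}
    z = zone(system)
    for control, per_zone in STANDARD.items():
        need = per_zone[z]
        if need in gaps and control not in system.controls:
            gaps[need].append(control)  # "Optional" controls are never reported as gaps
    return gaps

def action_plan(systems):
    """Assumed ordering: systems with unmet Mandatory controls first, then by R."""
    rows = [(s.name, zone(s), relative_risk(s), control_gaps(s)) for s in systems]
    return sorted(rows, key=lambda r: (len(r[3]["Mandatory"]) > 0, r[2]), reverse=True)

# Constructed sample inventory (not real systems).
INVENTORY = [
    System("research-laptop", ["Normal", "High"], {"encrypt_transmitted_data"},
           ["unencrypted storage", "unpatched systems/OS"], threat=3, likelihood=0.5),
    System("dept-file-server", ["Moderate"], {"encrypt_stored_data"},
           ["misconfiguration"], threat=2, likelihood=0.5),
    System("public-web-kiosk", ["Normal"], set(),
           ["open network", "unpatched systems/OS", "weak perimeter"], threat=3, likelihood=1.0),
]

if __name__ == "__main__":
    for name, z, r, gaps in action_plan(INVENTORY):
        print(f"{name:18} zone={z:6} R={r:4.1f} "
              f"mandatory_gaps={gaps['Mandatory']} recommended_gaps={gaps['Recommended']}")
```

The kiosk and the laptop score the same R, but the laptop holds High data with two unmet Mandatory controls and so leads the plan.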

Page 16: STEP SEVEN – Document the plan

Identify realistic solutions for applying the appropriate security controls at each level.

- Create a list of action items for the next 3 to 5 years
- Prioritize the list based on risk and reality
- Forecast investment
- Beg, kick and scream to get funding
- Implement the plan over time

Page 17: Quick takes

- Planning paves the way for effectiveness and efficiency for security and compliance
- Understand the business goals
- Conduct a risk assessment
- Establish a strategy based on data classification and industry standards
- Develop a prioritized realistic plan
- Go for the long haul!

Page 18: Key Elements of the HIPAA Security Rule: And how to comply

Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University

Page 19: Introduction

HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.

The purpose of the Security Rule:

- To allow better access to health insurance
- Reduce fraud and abuse
- Lower the overall cost of health care.

Page 20: What is the HIPAA Security Rule?

The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.

Identifiable health information is:

- Your past, present, or future physical or mental health or condition,
- Your type of health care, or
- Past, present, or future payment methods for the type of health care received.

Page 21: Who Must Comply?

Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.

- Health care plans - HMOs, group health plans, etc.
- Health care clearinghouses - billing and repricing companies, etc.
- Health care providers - doctors, dentists, hospitals, etc.

Page 22: How Does One Comply?

Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.

Page 23: Administrative Safeguards

To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:

- Conduct a Risk Analysis.
- Implement Risk Management Actions.
- Develop a Sanction Policy to deal with violators.
- Conduct an Information System Activity Review.

Page 24: Physical Safeguards

The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.

Page 25: Technical Safeguards

Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it.

The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.

Page 26: Key Elements of Compliance

1. Obtain and Maintain Senior Management Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance

Page 27: Penalties

- Civil penalties are $100 per violation, up to $25,000 per year for each violation.
- Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.

Additional Negatives:

- Negative publicity
- Loss of Customers
- Loss of Business Partners
- Legal Liability

Page 28: Conclusion

- Compliance will require Covered Entities to:
  - Identify the risks to their EPHI
  - Implement security best practices
- Complying with the Security Rule can require significant time and resources
- Compliance efforts should be currently underway

Page 29: Contacts

NC State University
Leo Howell, CISSP CEH CCSP CBRM
Information Security Analyst
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
[email protected]
(919) 513-1169

NC State University
John Baines, CISSP
Assistant Director
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
[email protected]

East Carolina University
Sharon McLawhorn McNeil
IT-Security Analyst
[email protected]
252-328-9112