1 / 20

HIPAA Security Rule

HIPAA Security Rule. November 16 th , 2004 ISSA/ISC ² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+ Lead Consultant (Southern California) Verisign Global Security Consulting. VeriSign. Publicly Traded Company

elan
Download Presentation

HIPAA Security Rule

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Security Rule November 16th, 2004 ISSA/ISC² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+ Lead Consultant (Southern California) Verisign Global Security Consulting

  2. VeriSign • Publicly Traded Company • > 3000 Employees • $1 Billion in Revenues • Operate critical DNS Infrastructure that enables over 10B transactions/Day • Secure the information assets of over 400,000 websites and 1,000 large enterprises • Largest SS7 Telecommunications network – 2 Billion messages per day • 2.8B SS7 signals/day • Enable over 1,000 carriers to interconnect • Support over 30% of North American e-commerce • Over 100 Million E-Commerce Payment Transactions Per Quarter • Largest MSSP with over 3000 devices under management

  3. Drivers behind HIPAA • Efficiency and interoperability between payers, providers, clearinghouses (“covered entities”) • “Patient’s Bill of Rights” • Enhanced medical record privacy • Enhanced medical record security

  4. Medical Mistakes kill 98,000/year in the USA

  5. Data valuation – what’s gone wrong in healthcare? • What is your medical record worth to you? • How much do you trust your healthcare provider to keep your medical record private & secure? • How many of your friends or neighbors work in a healthcare organization? • How many of your enemies? • We spend billions protecting financial information, what about health information?

  6. Do I need to comply? • The security rule applies to all IIHI (individually identifiable health information) in electronic form • ePHI (electronic Protected Health Information) that is stored and/or transmitted is covered • Health information on paper or divulged orally is not covered! • The rule is intended to set a minimum level of security for covered entities • Covered entities and business associates (through a chain of trust agreement) of those entities are required to comply

  7. What’s the business / security value-add? • Increased level of confidence from your customers • Expansion into healthcare markets for non-healthcare centric services (e.g.: managed security services) • Integration of sound security practices to fulfill HIPAA requirements (e.g.: standardized risk assessment methodology, quantifiable security metrics for measuring process improvement) • Covered entities MUST comply, of course!

  8. Nuts and bolts of the rule Covered entities are required to: • Assess potential risks and vulnerabilities • Protect against threats to information security or integrity, and against unauthorized use or disclosure • Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances • Ensure compliance with these safeguards by all staff

  9. How is the rule structured? • The rule is broken into three sections: administrative safeguards, technical safeguards and physical safeguards • There are 18 standards that encompass the 3 types of safeguards • Almost every standard has several implementation specifications that are specific requirements within the standard • Each implementation specification is either required or addressable

  10. Required: Implementation Specification must be met by Covered Entity. Most of the required Implementation Specifications scale to meet covered entity requirements, large or small Addressable: Implementation Specification may not always be appropriate and “scale” to different covered entity sizes. A risk assessment must be performed by the covered entity to surmise what controls are feasible to implement Required vs. Addressable

  11. Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness & Training Security Incident Procedures Contingency Planning Evaluation Business Associate Contracts & Other Arrangements Information Security Program Assigning responsibility (CSO / CISO) Acceptable Use of Computing Resources for staff Access Control (AAA) Training and Education Incident Response Disaster Recovery / Business Resumption Planning Risk Assessment and quantifiable measurement Contracts Administrative safeguards

  12. Facility Access Controls Workstation Use Workstation Security Device & Media Controls Physical security of information processing facilities Acceptable Use & control of access to workstations Physical Security of assets (each separate device type is classified as a workstation) Computer Operations 101 (tape labeling and archiving, tape rotation, back-up logs kept up to date, control of removable media containing ePHI) Physical Safeguards

  13. Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security Unique User ID, Emergency Access, Automatic Logoff Activity review (application & operating system) Verifying data integrity (at rest and in transit) Robust authentication strategy (two-factor) Safeguarding ePHI in transmission (encryption) and verifying integrity (digital signatures) Technical Safeguards

  14. FAILING TO PREPARE IS PREPARING TO FAIL

  15. Maximizing investment on compliance • Perform regular security assessments on critical assets that contain or may participate in the transmission or storage of ePHI (consider an annual third party assessment to free internal resources up for remediation) • Make sure you are effective where the rubber meets the road – does a procedure that a particular business unit performs actually match what’s documented as far as step by step actions? What is the variance? • Outsource routine Information Security tasks to free up resources - constant Intrusion Detection alerts and System Activity Review may cost you more in labor to tune and monitor 24x7 in a month than an MSSP may charge for a year contract

  16. What are the pitfalls to avoid? • The HIPAA Security rule contains a great deal of documentation requirements, but don’t just focus on documentation! • Don’t make mountains out of molehills • Don’t wait until the 11th hour to ask for money (especially for awareness and training requirements) • Don’t attempt to achieve compliance without a plan (decentralized workgroups work very well) • Not leveraging your resources and skill-sets is a recipe for disaster

  17. Compliance Tips • Establish a formal security program with a designated security officer • Establish a standardized risk assessment strategy to prioritize work • Implement a security program mapped to best practice security standards, not to a specific regulation • Make use of “community standard” guidelines to make sure you’re keeping pace with other providers • Collaborate with other providers on how you develop strategies to address the HIPAA Security Rule

  18. Reading Room • NIST DRAFT SP 800-66 “An Introductory Guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf • Health Insurance Portability and Accountability Act (HIPAA) Home Page: http://www.hhs.gov/ocr/hipaa/ • Health Hippo: http://hippo.findlaw.com/hipaa.html

  19. Questions & Answers VeriSign Security Services

More Related