2004 (c) Breakwater Security Associates, All Rights Reserved

1. Presentation Overview
Evolution of Security
HIPAA Security Rule
Addressable vs. Required
Administrative Controls
Technical Controls
Integrity Controls

2. Evolution of Security

3. Evolution of Security

4. Evolution of Security

5. Security Life Cycle
6. Security Program - Defined
ISO 17799 defines security as preserving:
Confidentiality - ensuring that information is accessible only to those authorized to have access;
Integrity - safeguarding the accuracy and completeness of information and processing methods;
Availability - ensuring that authorized users have access to information and associated assets when required.
7. Security Program - Defined: Security Program Musts
Must provide the security vehicle and momentum to protect company assets
Must be recognized within the organization as the focal point for security
Must be supported and enforced at every level
Must assist the business in achieving its goals
8. Security Program - Elements: Compliance
Regulatory Compliance
  FDA, HIPAA, GLBA
  EU Data Protection/Safe Harbors
Business Best Practices
  ISO 17799, NIST, SEC
Critical Infrastructure Protection
  US Federal Guidelines
9. HIPAA Security - Defined: General requirements
Covered entities must do the following:
Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
Ensure compliance.
10. HIPAA Security Overview
Standards
  Must be met
  Based on ISO 17799 standards
Implementation Specifications
  Specific areas within each standard that must be addressed.
  Do not encompass the entire standard.
11. HIPAA Security (Addressable vs. Required)
When a standard includes required implementation specifications, a covered entity must implement the implementation specifications.
When a standard includes addressable implementation specifications, a covered entity must:
  Assess the implementation specification to determine if it is a reasonable and appropriate method of protecting EPHI within the organization.
  If not applicable, document why.
  Implement an equivalent alternative.
12. HIPAA Security - Example
Standard: Access Control
Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights.
Implementation Specifications
  Unique User ID (Required)
  Emergency Access Procedures (Required)
  Automatic Logoff (Addressable)
  Encryption & Decryption (Addressable)
13. Security Program - Defined
Security is achieved by implementing appropriate controls in the form of:
  Policy,
  Organizational structure &
  Technology
in conjunction with the business objectives.
14. Security Processes: Administrative & Physical Security Processes
Organization
Policy
Third Party Agreements
Business Continuity Management
Data & Asset Classification
Awareness & Training
Personnel Security
Physical & Environment
15. Security Processes High Level: Administrative & Physical Security Processes
16. Security Processes Mapped
17. Administrative Controls: Administrative & Physical Security Processes
Organization
Policy
Data & Asset Classification
Third Party Agreements
Business Continuity Management
Awareness & Training
Personnel Security
Physical & Environment
18. Security Organization
Must fit the organization's needs
Security Roles
Governance
Proactive
Reactive
Effectiveness
Authority
Communication
19. Security Organization
20. Policy Development: IT Security Guiding Principles
Commitment
Classification
Accountability
Authority
Responsibility
Review
21. Policy Development: System & Issue Papers
Network Security Policy
Domain Security Policy
Remote Access Policy
Password Policy
Virus & Content Security Policy
Host Data Sheets
  Host1 Security Data Sheet
  Host2 Security Data Sheet
22. Policy Framework
23. Technical Controls
Authorization
Access
Audit & Monitoring
24. Authorization
Based on Corporate Assets & Responsibilities Policy
Access based on Need to Know
System & Data Owners
  Approval Authority
IT Support Personnel
  Granting Authority
Separation of Duties
25. Access Controls
Based on Classification Policy
Least Privileged Model
Layered Security
Physical Separation
Network Segmentation
Role-based Access Controls
Data Classification
26. Access Controls Architecture
27. Audit & Monitoring
Centralized Logging
Automated Monitoring & Notification
Layered Security
  Define security zones
  Never allow direct access across two zones, e.g. Public to Classified
  Reduces risk
Response & Reporting
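The zone rule on this slide ("never allow direct access across two zones") can be enforced mechanically against a rule set and fed to centralized logging. The checker below is an added example, not code from the deck or from Breakwater Security Associates; the zone names, their trust ordering and the sample rule set are constructed assumptions.

```python
# Added example (not from the deck): checker for the layered-security rule
# "never allow direct access across two zones". Zone names and the sample
# rule set are constructed assumptions.
from dataclasses import dataclass

# Zones ordered from least to most trusted; each adjacent pair is one boundary.
ZONES = ["Public", "DMZ", "Internal", "Classified"]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


def boundaries_crossed(src: str, dst: str) -> int:
    """Number of zone boundaries a flow from src to dst would cross."""
    return abs(ZONES.index(src) - ZONES.index(dst))


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Allow a flow only if it stays in one zone or crosses a single boundary."""
    for z in (flow.src_zone, flow.dst_zone):
        if z not in ZONES:
            return False, f"unknown zone {z!r}"
    n = boundaries_crossed(flow.src_zone, flow.dst_zone)
    if n > 1:
        return False, f"{flow.src_zone}->{flow.dst_zone} skips {n - 1} zone(s)"
    return True, "adjacent or same zone"


def audit_rules(rules: list[Flow]) -> list[str]:
    """Evaluate a rule set; return one alert line per violation for the central log."""
    alerts = []
    for r in rules:
        ok, reason = check_flow(r)
        if not ok:
            alerts.append(f"ALERT zone-policy src={r.src_zone} dst={r.dst_zone} "
                          f"svc={r.service} reason={reason}")
    return alerts


# Constructed sample rule set: the two rules that skip a zone should be flagged.
SAMPLE_RULES = [
    Flow("Public", "DMZ", "https"),        # one boundary: allowed
    Flow("DMZ", "Internal", "sql"),        # one boundary: allowed
    Flow("Public", "Classified", "smb"),   # three boundaries: violation
    Flow("Internal", "Internal", "ldap"),  # same zone: allowed
    Flow("Classified", "DMZ", "ssh"),      # two boundaries: violation
]

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```

Running it over a real firewall export would require mapping each interface or subnet to a zone first; the alert lines are shaped so a central log collector can key on the ALERT prefix for automated notification.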
28. Integrity Controls
Anti-virus
Patch Management
Change Management
Standard Configurations
Software Life-Cycle
29. Questions?