1 / 29

Planning for Information Security and HIPAA Compliance

UNC CAUSE November 2006. Planning for Information Security and HIPAA Compliance. “Security should follow data”. Leo Howell, CISSP John Baines, CISSP IAS-Information Assurance & Security ETSS-Enterprise Technology Services & Support North Carolina State University. Sharon McLawhorn McNeil

minor
Download Presentation

Planning for Information Security and HIPAA Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. UNC CAUSE November 2006 Planning for Information Security and HIPAA Compliance “Security should follow data” Leo Howell, CISSP John Baines, CISSP IAS-Information Assurance & Security ETSS-Enterprise Technology Services & Support North Carolina State University Sharon McLawhorn McNeil ITCS-Security Department of ITCS East Carolina University

  2. What’s it all about, Webster? • Defalcation • Pronunciation:*d*-*fal-*k*-sh*n, • Date:15th century • 1 archaic : DEDUCTION • 2 : the act or an instance of embezzling • 3 : a failure to meet a promise or an expectation • Malfeasance • Pronunciation:*mal-*f*-z*n(t)s • Date:1696 : • wrongdoing or misconduct especially by a public official • Two twenty dollar words • Fraud and criminal business acts • Reaction to the excesses of the 80’s and 90’s "Planning for Security and HIPAA Compliance" NCSU and ECU

  3. Increasingly Complicated Compliance Constraints "Planning for Security and HIPAA Compliance" NCSU and ECU

  4. Educational Institutes Seen as Easy Marks • Los Angeles Times article - May 30, 2006 ‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’ • ‘we were adding on another university every week to look into’ - Michael C. Zweiback, assistant U.S. attorney "Planning for Security and HIPAA Compliance" NCSU and ECU

  5. Information Security Planning High level tasks • Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness • Understand the business goals and objectives • Conduct a risk assessment; factor in compliance! • Develop the plan "Planning for Security and HIPAA Compliance" NCSU and ECU

  6. Data Classification Standard, DCS forms the foundation • Identification • Confidentiality and sensitivity • Classification • Protection • Consistency • 3 classification levels - High, Moderate, Normal • Based on data business value, financial implications, legal obligations "Planning for Security and HIPAA Compliance" NCSU and ECU

  7. Data Management Procedures, DMP assigns ownership and accountability "Planning for Security and HIPAA Compliance" NCSU and ECU

  8. Seven StepsRMIS Information System Security Plan, RISSPLeo HowellInformation Security Analyst "Planning for Security and HIPAA Compliance" NCSU and ECU

  9. STEP ONE – Understand the Asset • Philosophically, we believe that “security should follow data” • But we know that not all data were created equal • Effective security begins with a solid understanding of the protected asset and its value • At NC State we have identified DATA as our primary asset "Planning for Security and HIPAA Compliance" NCSU and ECU

  10. STEP TWO – Identify and prioritize Threats • Governance: • policy breach • rebellion • Physical: • data theft • equipment theft/damage • Endpoint: • theft • social engineering • Infrastructure & Application: • theft • disclosure • DoS • unauthorized access • Data: • unauthorized access • corruption/destruction "Planning for Security and HIPAA Compliance" NCSU and ECU

  11. STEP THREE – Identify and rank Vulnerabilities • Governance: • policy loopholes • Physical: • weak perimeter • open access • Endpoint: • ignorance • Infrastructure & Application: • “open” network • unpatched systems/OS • misconfiguration • Data: • unencrypted storage • insecure transmission "Planning for Security and HIPAA Compliance" NCSU and ECU

  12. STEP FOUR – Quantify Relative Risk, R • The greater the number of vulnerabilities the bigger the risk • The greater the value of the assetthe bigger the risk • The greater the threat the bigger the risk R = µVAT V = vulnerability A = asset T = threat µ = likelihood of T "Planning for Security and HIPAA Compliance" NCSU and ECU

  13. High - Significantly business impact - financial loss - regulatory compliance Moderate - adversely affects business and reputation • Normal • minimal adverse effect • on business • authorization required • to modify or copy Laptop with High data Server with Moderate data STEP FIVE – Develop a strategy 3 virtual operational protection zones, OPZ based on Data Classification Types of data stored, accessed, processed or transmitted dictates OPZ Higher Classification implies Increased Security "Planning for Security and HIPAA Compliance" NCSU and ECU

  14. STEP SIX – Establish target standards • Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53 • Management & Governance • Access control • Physical security • Endpoint security • Infrastructure security • Application security • Data security Amount and stringency of security controls at each level varies with data classification "Planning for Security and HIPAA Compliance" NCSU and ECU

  15. Snippet from Data Security Standard "Planning for Security and HIPAA Compliance" NCSU and ECU

  16. STEP SEVEN – Document the plan • Create a list of action items for the next 3 to 5 years • Prioritize the list based on risk and reality • Forecast investment • Beg, kick and scream to get funding • Implement the plan over time Identify realistic solutions for applying the appropriate security controls at each level. "Planning for Security and HIPAA Compliance" NCSU and ECU

  17. Quick takes • Planning paves the way for effectiveness and efficiency for security and compliance • Understand the business the goals • Conduct a risk assessment • Establish a strategy based on data classification and industry standards • Develop a prioritized realistic plan • Go for the long haul! "Planning for Security and HIPAA Compliance" NCSU and ECU

  18. Key Elements of the HIPAA Security Rule:And how to comply Sharon McLawhorn McNeil ITCS-Security Department of ITCS East Carolina University "Planning for Security and HIPAA Compliance" NCSU and ECU

  19. Introduction HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996. The purpose the Security Rule: • To allow better access to health insurance • Reduce fraud and abuse • Lower the overall cost of health care. "Planning for Security and HIPAA Compliance" NCSU and ECU

  20. What is the HIPAA Security Rule? The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form. Identifiable health information is: • Your past, present, or future physical or mental health or condition, • Your type of health care, or • Past, present, or future payment methods for the type of health care received. "Planning for Security and HIPAA Compliance" NCSU and ECU

  21. Who Must Comply? Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI. Health care plans - HMOs, group health plans, etc. Health care clearinghouses - billing and repricing companies, etc. Health care providers - doctors, dentists, hospitals, etc. "Planning for Security and HIPAA Compliance" NCSU and ECU

  22. How Does One Comply? Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information. "Planning for Security and HIPAA Compliance" NCSU and ECU

  23. Administrative Safeguards To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities: • Conduct a Risk Analysis. • Implement Risk Management Actions. • Develop a Sanction Policy to deal with violators. • Conduct an Information System Activity Review. "Planning for Security and HIPAA Compliance" NCSU and ECU

  24. Physical Safeguards The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed. "Planning for Security and HIPAA Compliance" NCSU and ECU

  25. Technical Safeguards Technical safeguards refers to the technology and the procedures used to protect the EPHI and access to it. The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information. "Planning for Security and HIPAA Compliance" NCSU and ECU

  26. Key Elements of Compliance • Obtain and Maintain Senior Management Support • Develop and Implement Security Policies • Conduct and Maintain Inventory of EPHI • Be Aware of Political and Cultural Issues Raised by HIPAA • Conduct Regular and Detailed Risk Analysis • Determine What is Appropriate and Reasonable • Documentation • Prepare for ongoing compliance "Planning for Security and HIPAA Compliance" NCSU and ECU

  27. Penalties • Civil penalties are $100 per violation, up to $25,000 per year for each violation. • Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail. • Additional Negatives: • Negative publicity • Loss of Customers • Loss of Business Partners • Legal Liability "Planning for Security and HIPAA Compliance" NCSU and ECU

  28. Conclusion • Compliance will require Covered Entities to: • Identify the risks to their EPHI • Implement security best practices • Complying with the Security Rule can require significant time and resources • Compliance efforts should be currently underway "Planning for Security and HIPAA Compliance" NCSU and ECU

  29. Contacts NC State University Leo Howell, CISSP CEH CCSP CBRM Information Security Analyst IAS-Information Assurance and Security ETSS-Enterprise Technology Services and Support leo_howell@ncsu.edu (919) 513-1169 East Carolina University Sharon McLawhorn McNeil IT-Security Analyst McLawhorns@ecu.edu 252-328-9112 NC State University John Baines, CISSP Assistant Director IAS-Information Assurance and Security ETSS-Enterprise Technology Services and Support john_baines@ncsu.edu "Planning for Security and HIPAA Compliance" NCSU and ECU

More Related