Presentation is loading. Please wait.

Presentation is loading. Please wait.

HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.

Published byAshlee Gilbert Modified over 7 years ago

Similar presentations

Presentation on theme: "HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project."— Presentation transcript:

1 HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project

2 AGENDA  Legislative Impacts  Security Standards  Cybersecurity Profile  Summary of Findings

3 Legislative Impacts The effects of Presidential Policy Directive 21, the Executive Order, and the May 2011 Cybersecurity Legislative Proposal

4 Functional Relationships  Greatest relationship is with OCR  OCR has failed to meet requirements outlined  Legislation was designed to increase accountability & strengthen nation’s infrastructure  Most recent report shows lack of routine, preventative audit

5 Baseline Framework  Complete overhaul of security framework  Pre-existing relationships strengthened  Monthly joint briefings

6 Privacy & Civil Liberties Protection  Create risk management protocol & program  Increase internet and network security

7 Critical Infrastructure Cybersecurity infrastructure needs strengthening Cybersecurity infrastructure needs strengthening There are notable improvements that have taken place There are notable improvements that have taken place

8 Security Standards In respect to Federal Information Processing Standards Publication (FIPS PUB) 200 and ISO 27001/27002

9 The Standards FIPS 200 Minimum security requirements for federal information and information systems. Enterprise-wide program that supports the operations of the company Baseline standard of practice ISO 27001/27002 Designed to increase efficiency and effectiveness Provides pertinent information to consumer, compliance with local laws and regulations, increases collaboration, and efficient security cost management. 27002 discusses implementation of 27001

10 Points of Analysis System Impact Levels Impact levels are the amount of risk placed upon the confidentiality, integrity, and availability of company information. Minimum Security Requirements Assesses the baseline requirements for information security as presented by the standard. Security Control Selection Focuses on how each standard defines the selection of appropriate security control based upon the system impact level..

11 Points of Analysis Implementation This section considers the differences in implementation as well as how the different standards guide organizations towards successful implementation. Certification Process Evaluates the differences between the requirements and processes for obtaining compliance and certification under each standard.

12 Cybersecurity Profile Created in response to NIST’s security controls

13 Risk Assessment Vulnerability Scanning Update Tool Capacity Provides updates to the system as needed Tracks changes made and produces reports Privileged Access Separates general scanning software from those that are provided access to privileged information Security test and evaluation identifies vulnerabilities within the system Every system is required to have and run the program routinely

14 Identification & Authentication Local Access to Privileged Accounts Decreases the chances that an unauthorized user can gain access to privilege accounts ID badges, PIV cards/numbers, and unique passwords have increased security within HHS Remote Access Multi-level authorization policy Employee accountability Security standards outlining saving methods and data security

15 Incident Response Incident Response (IR) Training Designed to decrease incidents resulting from human error HHS ensures routine, high quality training of employees Deactivation sequences employed upon termination of a team member Incident Handling Incidents can be traced back to employee Breach Response Team (BRT) handles all incidents

16 Recommendations Update the seemingly 14 year old remote access policy Improve password verification systems Implement a password viability time period System-wide application automatic password reset after incidents/security breach

17 Summary The Department of Health and Human Services (HHS) has created a fairly comprehensive and solid systems security plan that addresses not only the major concerns of the organization but also the national standards that have been developed. HHS not only has a plan in place that is well implemented and maintained, it also has a documentation process that ensures the improvement of its systems and processes. Though there are still areas of growth that can strengthen the organization’s infrastructure while subsequently strengthening the nation’s infrastructure, overall HHS has implemented a plethora of strategies and internal policies in order to decrease health fraud and ensure the safety of privileged data.

18 References   Department of Health and Human Services. (2014 March 10). Strategic goal 4: Ensure efficiency, transparency, accountability, and effectiveness of HHS programs. Retrieved from: http://www.hhs.gov/strategic-plan/goal4.html   Department of Health and Human Services (2014 May 12). HHS activities to enhance cybersecurity. Retrieved from: http://www.phe.gov/Preparedness/planning/cip/Pages/eo13636.aspx Department of Health and Human Services. (2014a). The department of health and human services information security for managers [PowerPoint slides]. Retrieved from: http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/infosecurity-managers.pdf Department of Health and Human Services (2014b). The department of health and human services information systems security awareness training [PowerPoint slides]. Retrieved from: http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/issa.pdf   Disterer, G. (2013). ISO/IEC 27000, 27001, and 27002 for information security management. Journal of Information Security, 4, 92-100. Retrieved from: http://dx.doi.org/10.4236/jis.2013.42011   GAO. (2006). Department of health and human services needs to fully implement its program (GAO-07-267). Washington, DC. Retrieved from: http://www.gao.gov/new.items/d06267.pdf

19   National Institue of Standards and Technology [NIST]. (2006). Minimum security requirements for federal information and information systems. Federal Information Processing Standards Publication.   National Institute of Standards and Technology. (2014). Assessing security and privacy controls in federal information systems and organizations (NIST Special Publication 800-53Ar4). DOI: hhtp://dx.doi.org/10.6028/NIST.SP.800- 53Ar4   Obama, B. (2013, February 19). Executive order 13636 – Improving critical infrastructure cybersecurity. Federal Register. 78(33). Retrieved from: https://learn.umuc.edu/d2l/le/content/47852/viewContent/2363928/View   Salmon, T.M. (2013). The office for civil rights did not met all federal requirements in its oversight and enforcements of the health insurance portability an accountability act security rule. Washington, DC. Retrieved from: https://oig.hhs.gov/oas/reports/region4/41105025.pdf   The White House. (2013, February 12). Briefing Room. Retrieved 01 22, 2015, from The White House: http://www.whitehouse.gov/the-press- office/2013/02/12/presidential-policy-directive-critical-infrastructure- security-and-resil

Download ppt "HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
DOT Office of Inspector General Audit of DOT’s Office of the Secretary’s Acquisition Function Federal Audit Executive Council Procurement Training Conference.

DOT Office of Inspector General Audit of DOT’s Office of the Secretary’s Acquisition Function Federal Audit Executive Council Procurement Training Conference.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Similar presentations

Ads by Google