
An Independent Licensee of the Blue Cross Blue Shield Association Right Sizing the HIPAA Security Program Laurie Leer, CISSP;Manager Information Systems.


Slide 1: An Independent Licensee of the Blue Cross Blue Shield Association
Right Sizing the HIPAA Security Program
Laurie Leer, CISSP; Manager, Information Systems Security
Shana Chung, CISSP; Director, Contract Management (HIPAA Compliance, Definition & Evaluation)

Slide 2: Introductions and Agenda
HIPAA Security Standards = Project Requirements
Covered Entity Deliverables
Risk Assessment: Key to Sizing the HIPAA Security Program
Right Sizing
Risk Assessment: Getting Started
Sample Risk Assessment Summary
Risk Assessment as a Tool to Size a HIPAA Security Program
Right Size = Reasonable and Appropriate
Survey Results
Conclusions

Slide 3: HIPAA Security Standards = Project Requirements
Standards define project scope and approach
–Applies to electronic protected health information (EPHI). A covered entity must:
  ensure the confidentiality, integrity, and availability of all EPHI it creates, receives, maintains or transmits
  protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
  ensure compliance with this subpart by its workforce
The standards define required deliverables
–Standards describe high-level deliverables: policies, procedures, periodic reviews, etc.
–Specifications describe required content, e.g., “Procedures to regularly review records of system activity”

Slide 4: Covered Entity Required Deliverables
Document how the covered entity (CE) met each specification
–Criteria evaluated in choosing a solution for a given specification [164.306(b)]
  Factors from 164.308(a)(1) (covered later)
  Organizational and environmental factors
  Contracts or superseding state law
  Other constraints
–Solution implemented
  Solution description
  Policies and procedures to maintain the solution
  Audit trails or other mechanisms to assure ongoing effectiveness and workforce compliance
–Required vs. addressable specifications
  Required specifications must be implemented as stated
  An addressable specification must be implemented, or the CE must document why it was not and the equivalent measures implemented

Slide 5: Risk Assessment: Key to Sizing a Security Program
164.308(a)(1) requires CEs to:
–Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the CE
–Implement security measures to reduce risks and vulnerabilities to comply with §164.306(a)
Risk is a compound value or judgment based on the following:
–Threat
–Vulnerability to the threat
–Probability of exploiting the vulnerability
–Cost or other adverse effect if successfully exploited
Apply sound business judgment
–Absolute security doesn’t exist
–Management may make an informed judgment to accept risk

Slide 6: “Accurate and Thorough” Right Sizing
164.306(b) instructs us to consider:
–(i) The size, complexity, and capabilities of the covered entity
–(ii) The covered entity's technical infrastructure, hardware and software security capabilities
–(iii) The costs of security measures
–(iv) The probability and criticality of potential risks to EPHI
The HIPAA Security program should scale against 164.306(b):
–Number of different EPHI stores the organization has
–Size and/or location of the workforce
–Number of different EDI connections or Web services transporting EPHI
–Robustness of the baseline security program
How “probable and critical” a risk is depends more on the specific organization:
–What EPHI is critical to the organization’s mission or operations?
–What security and privacy risks have been identified?

Slide 7: “Reasonable and Appropriate” Right Sizing
What is a “reasonable and appropriate level” of risk and vulnerability?
–Common practices for similar organizations
–Case law
–Source documents for the HIPAA Security Rules
  NIST: http://csrc.nist.gov/publications/nistpubs/index.html
  OMB Circulars: http://www.whitehouse.gov/omb/circulars/index.html
  Mapped standards in the 1998 Draft Rules: ASTM, ANSI, IEEE, ISO, etc.
Common practices for similar organizations
–Common practices are both human and technical
–Similar organizations = similar business model and workforce size
Case law
–“Reasonable person” standards have developed in other areas of law
–TriWest Healthcare Alliance suit
–National Academy of Science study (2002) recommends laws that hold system operators liable for security breaches

Slide 8: “Reasonable and Appropriate” Right Sizing (cont.)
Some guidance is available in NIST’s “Generally Accepted Principles and Practices for Secure Information Technology Systems”:
–“Risk management requires the analysis of risk, relative to potential benefits, consideration of alternatives, and, finally, implementation of what management determines to be the best course of action.”
–“Management needs to decide if the operation of the IT system is acceptable, given the kind and severity of remaining risks.”
The ‘best course of action’ decision should occur at the right management level:
–If potential costs are known: the approving manager should have authority for that amount
–If costs can’t be estimated: approval comes from the manager with responsibility over the system or vulnerable information
–If the risk spans departments: approval comes from all affected department heads or the executive responsible overall

Slide 9: Risk Assessment: Getting Started
Common elements of risk management
–Formal, repeatable process
–Reliable metrics and probability algorithms
–Clear documentation and outputs
–Adequate training for assessment personnel
–Management authorization
The missing link is often “metrics and probability”
–Some data about the number of incidents; very little predictive value
–Available data focuses on hacker-style attacks. No reliable metric sources around internal threats and vulnerabilities
–In many cases, management decisions are based on incomplete data
Consider starting with the HIPAA Security Rules as assessment targets
–Identify ‘reasonably anticipated threats’ affecting the organization’s ability to comply
–Assess the organization’s degree of vulnerability to the identified threats
–Use vulnerability data to set the scope of the HIPAA Security Program

Slide 10: Sample Risk Assessment Summary

Slide 11: Using Risk Assessment to Size the HIPAA Security Program
Set scope
–Zero probability is out of scope (e.g., if clearinghouse rules do not apply to your organization, you have no probability of being out of compliance with that rule)
–Set work priority:
  1. High probability and high cost of occurrence
  2. Medium probability and high cost of occurrence
  3. High probability and low cost of occurrence
  4. Low probability and high cost of occurrence
  5. All other combinations
Define project plan and work schedule in priority order
–Standardize work breakdown structures
  Phases collect related groups of work (activities) along the critical path
  Activities collect related tasks along the critical path
  Milestones signal acceptance of major deliverables and completion of activities
  Use a life cycle approach to activities: Requirements → Alternatives → Solution Selection → Build/Test → Deploy → Maintain
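The scope rule and the five-level work priority from this slide, applied to a constructed risk register in which each finding is tagged with the HIPAA Security Rule citation used as its assessment target (added example, not from the presentation; the register entries, their probability and cost ratings, and the rule citations are illustrative assumptions):

```python
from dataclasses import dataclass

# Priority table taken from the slide: (probability, cost) -> work priority.
# Every (probability, cost) pair not listed here is "all other combinations" (5).
PRIORITY_TABLE = {
    ("high", "high"): 1,
    ("medium", "high"): 2,
    ("high", "low"): 3,
    ("low", "high"): 4,
}
OTHER_PRIORITY = 5


@dataclass(frozen=True)
class RiskItem:
    rule: str         # Security Rule citation used as the assessment target
    threat: str       # reasonably anticipated threat found in the assessment
    probability: str  # "zero", "low", "medium" or "high"
    cost: str         # "low", "medium" or "high" adverse effect if exploited


def in_scope(item: RiskItem) -> bool:
    """Slide rule: a zero-probability finding is out of scope for the program."""
    return item.probability != "zero"


def work_priority(item: RiskItem) -> int:
    return PRIORITY_TABLE.get((item.probability, item.cost), OTHER_PRIORITY)


def build_work_plan(register: list[RiskItem]) -> list[RiskItem]:
    """Drop out-of-scope findings, then schedule the rest in priority order."""
    scoped = [item for item in register if in_scope(item)]
    return sorted(scoped, key=lambda item: (work_priority(item), item.rule))


# Constructed sample register; ratings are hypothetical, not survey data.
SAMPLE_REGISTER = [
    RiskItem("164.312(b)", "Audit logs are never reviewed, so misuse goes unnoticed", "high", "high"),
    RiskItem("164.308(a)(7)", "No tested contingency plan for EPHI systems", "low", "high"),
    RiskItem("164.312(e)(1)", "EDI transmission of EPHI is unencrypted", "medium", "high"),
    RiskItem("164.308(a)(5)", "Workforce receives no security reminders", "high", "low"),
    RiskItem("164.308(a)(4)", "Clearinghouse isolation rules (function not performed)", "zero", "high"),
    RiskItem("164.310(c)", "Workstation security controls are out of date", "low", "low"),
]

if __name__ == "__main__":
    for item in build_work_plan(SAMPLE_REGISTER):
        print(work_priority(item), item.rule, item.threat)
```

The sorted output is the order in which project phases would be planned; the clearinghouse entry never appears because it has zero probability.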

Slide 12: Right Size = Reasonable and Appropriate
Outputs from solution selection document the reasonableness and appropriateness of the selected security measures
Standardize deliverables as much as feasible
–Document at least 2 alternatives
  Include factors from 164.306(b)
  Document the fit between requirements and each alternative
  Estimate cost and time to implement
  Summarize reasons for recommending one alternative
–Document management approval for the selected solution
Outputs from maintenance determine ongoing costs and staffing needs
–Document maintenance oversight roles, responsibilities and procedures
  164.306(e): “Security measures... must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of EPHI”
–Document intersections with other processes required by the HIPAA Security rules
  Risk analysis and management; system activity review; access authorization; contingency planning; evaluation; etc.

Slide 13: Information Security Program Survey
Our methodology
Respondents
–Type
  Covered entity: plan, clearinghouse, provider
  Hybrid
  Other (includes business associate, consultant, vendor)
–Size
  Total employees
  Number of IT FTEs
–IT Security
  Number of IT Security FTEs
  Annual IT Security training budget
  Annual IT Security budget
–By confidence in meeting the HIPAA Security compliance date

Slide 14: Respondents by Type of Organization
Chart categories include: Other (vendor, consultant, attorney, etc.)

Slide 15: Respondents by Size of Organization: Total Number of Employees

Slide 16: Respondents by Size of IT Department (Total Number of IT FTEs)
Chart bands: 1-50 IT employees; 51-500 IT employees; 501-1000 IT employees; 1001-5000 IT employees; 5000+ IT employees

Slide 17: Does Your Organization Have IT Security FTEs?

Slide 18: How Much Do You Spend Annually on IT Security?

Slide 19: Is the Organization Confident of Meeting the HIPAA Security Deadline?

Slide 20: Some of the Challenges
Communication
–Does the right hand know what the left hand is doing?
Prioritization
–Are “dubious projects” getting the money?
Training
–NIST and others address this

Slide 21: Does Scalability = Reality?
Is bigger really better?
–Security spending doesn’t necessarily scale to an organization’s size
–HIPAA and GLB are acknowledged as contributing to policy/procedure infrastructure in larger organizations
–Damage to an organization’s reputation is more of a concern
Related surveys
–“US Healthcare Industry Quarterly HIPAA Survey Results: Winter 2003”, http://www.hipaadvisory.com: “Security remediation efforts are progressing slowly”
–“Does Company Size Really Matter?”, Information Security, September 2002, http://www.infosecuritymag.com/2002/sep/2002survey.pdf

Slide 22: Conclusions

