
Presented to OUHSC Policies and Procedures Workshop IT Information Security Services.





2 Presented to OUHSC Policies and Procedures Workshop IT Information Security Services

3 Agenda: Information Security Program
1. Business Value
2. Business Drivers
3. Managing Risk
4. Building Trust

4 Business Value of Information Security: Protection of mission critical information

5 Protection of mission critical information: Electronic Health Records

6 Protection of mission critical information: Credit Card Numbers

7 Protection of mission critical information: Student Records

8 Protection of mission critical information: Personally Identifiable Information

9 Information Security provides: Confidentiality, Availability, Integrity

10 The right data to the right people at the right time

11 Business Value of Information Security: Maximize Business Opportunities

12 Business opportunity: $19.2 billion from ARRA
Incentives: Payments of $44,000 - $64,000 per physician to providers who demonstrate proper implementation of EHR

13 Business opportunity: Electronic commerce
100,000 cc transactions, $17,500,000 annual amount

14 Business Value of Information Security: Protection of mission critical information, in order to:
–Minimize risk
–Support academic, research and health care business continuity and opportunities

15 Business value: A reputation that took decades to build can be threatened by a single event.

16 Information Security: 2. Business Drivers

17 Business Drivers: Clinical systems (managed university computer, protected network)

18 Business Drivers: Research systems (semi-managed computer, open network)

19 Business Drivers: Business/Financial/Legal systems (managed university computer, protected network)

20 Business Drivers: Classroom/library systems (managed and unmanaged computers, open network)

21 Business Drivers: Student systems (unmanaged computer, open network)

22 Business Drivers: Mobile systems (managed and unmanaged computer, open network)

23 Business Drivers: Home systems (unmanaged computer, open network)

24 Business Drivers: Criminal systems

25 Business Drivers: Our diverse IT environment. Different management, connectivity needs, risks. It's a jungle out there!

26 Business Drivers: Increasing risks of doing business

27 Business Drivers: Regulations. The government responds:
–HIPAA
–Health Information Technology for Economic and Clinical Health (HITECH) Act
–Payment Card Industry (PCI) Data Security Standard
–eDiscovery Rules of Civil Procedure
–State Data Breach Notification
–FTC Red Flag Identity Theft Prevention
–Family Educational Rights and Privacy Act (FERPA) - rev x

28 Regulations: HIPAA Health Insurance Portability and Accountability Act

29 Regulations: HIPAA, Health Insurance Portability and Accountability Act
–Encourage use of Electronic Health Record (EHR)
–Ensure the privacy and security of the EHR

30 HIPAA: General Rules. Implement safeguards that reasonably and appropriately protect the
–Confidentiality
–Integrity
–Availability
of Electronic Protected Health Information (ePHI)

31 HIPAA: Security Categories
–Administrative safeguards
–Physical safeguards
–Technical safeguards

32 HIPAA: Security Categories. Administrative safeguards:
–Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity's workforce in relation to the protection of ePHI.

33 HIPAA: Administrative Safeguards
–Security Management Process
–Assigned Security Responsibility
–Workforce Security
–Information Access Management
–Security Awareness and Training
–Security Incident Procedures
–Contingency Plan
–Evaluation
–Business Associate Contracts and other arrangements

34 HIPAA: Administrative Safeguards. Security Management Process: Covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations.
–Risk analysis (R)
–Risk management (R)
–Sanction Policy (R)
–Information system activity review (R)

35 HIPAA: Security Categories. Physical safeguards:
–Physical measures, policies, and procedures to protect a covered entity's electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

36 HIPAA: Physical Safeguards
–Facility Access Controls
–Workstation Use
–Workstation Security
–Device and Media Controls

37 HIPAA: Security Categories. Technical safeguards:
–The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

38 HIPAA: Technical Safeguards
–Access Controls
–Audit Controls
–Integrity
–Person or Entity Authentication
–Transmission Security

39 Information Security: HIPAA/HITECH Update. Health Information Technology for Economic and Clinical Health

40 Information Security: HIPAA/HITECH Update. HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA)
–Enacted on February 17, 2009
–Compliant on February 17, 2010

41 Information Security: HIPAA/HITECH Update. Goal:
–Encourage the adoption of electronic health records (EHRs) through incentive payments to physicians
HITECH affects HIPAA…
–HITECH directly regulates business associates for the first time

42 Information Security: HIPAA/HITECH Update. Penalties
–Establishes a tiered system of civil penalties
–Civil penalties on a covered entity if the violation is due to willful neglect
–Covered entities may not know it violated HIPAA: current max. penalty of $100 per violation, up to $25,000 per year for each type of violation
–Violation due to reasonable cause: $1,000/$100,000
–Violation due to willful neglect: $500,000/$1.5 million

43 HITECH Act (Effective immediately): Breach notification (for unsecured PHI). You are required to notify each individual affected by a security breach…

44 Information Security: HIPAA/HITECH Update. Breach Notification
–Notify individuals without unreasonable delay (<60 days)
–Letter or e-mail (if preferred by individual)
–Website posting
–>500 individuals in a state: prominent media outlets
–Notify HHS – listed on their website

45 Information Security: HIPAA/HITECH Update. Unsecured PHR identifiable information: Identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary's guidance.

46 HITECH Act (encryption and destruction): Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
1. Encryption
2. Destruction

47 Information Security: PCI DSS Payment Card Industry Data Security Standards

48 Information Security: PCI DSS. Payment Card Industry Data Security Standards (PCI DSS)
–Technical and operational requirements
–Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS
–Non-compliance: large fines, legal contract breach, loss of ability to accept payments via credit cards

49 Payment Card Industry Data Security Standard (PCI-DSS) Annual assessment process required for 100+ business units on OUHSC and Tulsa campuses

50 Regulations: What do they all have in common? Adopt security to minimize risks to information

51 Managing Risk: 3. Managing Risk (Bryan starts here)

52 Managing Risk: Risk = Vulnerability + Threat + Impact

53 Managing Risk: Vulnerability. What is a Vulnerability?
–Error in the programming code inside an application
–Improperly configured system settings
–Minimally implemented security controls
–Weak or easily guessed passwords
–Lack of security awareness among computer users

54 Risk Management: Software vulnerabilities 484 Vulnerabilities identified in 1 month

55 Managing Risk: Threats. Common threats:
–Viruses, worms, and other malware
–Malicious persons outside the organization
–Insiders with approved access to systems
–Denial of Service attacks
–Social Engineering

56 Managing Risk: Threat - Malicious code. 134,625 viruses detected at gateway, 7,876 at desktop (1st quarter of FY10)

57 Managing Risk: Threat - Malicious software from the web. Malicious software downloads from the web:
–Spyware
–Trojan Horse
–Key Loggers
1 in 10 web sites attempt to download software without permission. (Figure: OUHSC Threat Level)

58 Managing Risk: Organizational Risks
–Compromise of critical data
–Destruction of critical data
–Breach of compliance
–Loss of access
–Costly recovery efforts
–Damage to reputation

59 Managing Risk: Data breaches (up 69% in 2008)

60 Managing Risk: Data breach costs
–$202 each compromised record
–$282 each compromised healthcare record

61 Mobile Devices: Minimize Risks
–Limits on stored data
–Passwords
–Encryption

62 Action items (review Portable Computing Device Security)
–PCDs should not be used to store Sensitive Data unless data is encrypted.
–PCDs that connect to the OU network or store OU data must use a device password.
–PCDs that store Sensitive Data must use encryption.
–Appropriate physical security measures should be taken to prevent theft of PCDs and their media or data.
–Report the theft or loss of a PCD containing Sensitive Data with this form.

63 Managing Risk: Best Practices - Defense in Depth
–Implement a multi-tiered security architecture
–Layered Network Security - Zones of Trust
–Classify and protect data based on risk

64 Building Trust: Layered Network Security- Zones of Trust

65 Solution Approach
Define a consistent policy: By defining a consistent policy for each set of resources with similar requirements (for communication and protection), an enterprise can increase the efficiency and effectiveness of business appropriate protection functions.
Group resources according to policy: As IT environments, threats, attacks and the network topologies in which they exist have become more complex, the need for explicitly grouping resources in terms of their communication and protection requirements has increased.
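As an added example (not from the presentation or from OUHSC), a small Python model of the zone-of-trust approach described on this slide: resources are grouped into zones by the managed/unmanaged and protected/open attributes the Business Drivers slides use, and one consistent per-zone policy decides which flows are allowed. The zone names, the classification rules and the allowed-flow matrix are assumptions constructed for illustration, not the university's actual architecture.

```python
"""Zones of trust: group resources by requirements, then apply one policy per zone.

Constructed illustration of 'define a consistent policy / group resources
according to policy'. Zone names, classification rules and the flow matrix
are assumptions for this example, not OUHSC's real network design.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    managed: bool      # university-managed computer or not
    network: str       # "protected" or "open"
    sensitive: bool    # stores Sensitive Data (ePHI, cardholder data, ...)


def zone_of(r: Resource) -> str:
    """Classify a resource into a zone; the first matching rule wins.

    Sensitive data belongs only in the secure data center zone. Sensitive data
    anywhere else is flagged rather than silently placed in a weaker zone, and
    unmanaged machines on open networks are treated like the Internet because
    the enterprise cannot vouch for their configuration.
    """
    if r.sensitive and r.managed and r.network == "protected":
        return "secure_datacenter"
    if r.sensitive:
        return "noncompliant"
    if r.managed and r.network == "protected":
        return "protected_campus"
    if r.managed:
        return "open_campus"
    return "untrusted"


# One consistent policy per source zone: the destination zones it may reach.
ALLOWED_FLOWS = {
    "untrusted":         {"open_campus"},                                   # perimeter firewall
    "open_campus":       {"open_campus", "protected_campus"},
    "protected_campus":  {"open_campus", "protected_campus", "secure_datacenter"},
    "secure_datacenter": {"secure_datacenter", "protected_campus"},         # data center firewall
    "noncompliant":      set(),                                             # isolated until fixed
}


def flow_allowed(src: Resource, dst: Resource) -> bool:
    """True if src's zone may initiate communication to dst's zone."""
    return zone_of(dst) in ALLOWED_FLOWS[zone_of(src)]


def evaluate(resources, flows):
    """Return the zone map and a list of (src, dst, allowed) for requested flows."""
    zones = {r.name: zone_of(r) for r in resources}
    results = [(s.name, d.name, flow_allowed(s, d)) for s, d in flows]
    return zones, results


# Constructed sample inventory mirroring the system types on the Business Drivers slides.
EHR_DB   = Resource("ehr-db",      managed=True,  network="protected", sensitive=True)
CLINIC   = Resource("clinic-ws",   managed=True,  network="protected", sensitive=False)
RESEARCH = Resource("research-ws", managed=True,  network="open",      sensitive=False)
STUDENT  = Resource("student-lap", managed=False, network="open",      sensitive=False)
HOME_PHI = Resource("home-pc-phi", managed=False, network="open",      sensitive=True)

if __name__ == "__main__":
    zones, results = evaluate(
        [EHR_DB, CLINIC, RESEARCH, STUDENT, HOME_PHI],
        [(CLINIC, EHR_DB), (RESEARCH, EHR_DB), (STUDENT, CLINIC), (HOME_PHI, EHR_DB)])
    for name, z in zones.items():
        print(f"{name:12s} -> {z}")
    for s, d, ok in results:
        print(f"{s} -> {d}: {'ALLOW' if ok else 'DENY'}")
```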

66 Zones Support Layered Application Architectures

67 Managing Risk: Best Practices
–Secure network resources
–Patch computer systems
–Educate computer users

68 Information Security - Programs and Services:
I. Risk Management
II. Regulatory Compliance
III. Policy Development
IV. Training Education and Awareness
V. Disaster Recovery and Business Continuity
VI. Incident Management

69 I. Risk Management processes
A. Identify information assets
B. Classify
C. Assess risks
D. Mitigate risks

70 I. Risk Management process examples: C. Assess risks
–Network vulnerability scanning
–Technology Product Review: http://it.ouhsc.edu/forms/purchasereview.asp
–Business Impact Assessments (BIA)
–PCI Self Assessment Questionnaire (SAQ)

71 I. Risk Management process examples: D. Mitigate risks - Technology
–Layered Network Security Architecture
–Perimeter firewall
–Data center firewall
–Secure data center for Sensitive information
–Gateway and desktop anti-virus
–Email encryption

72 I. Risk Management process examples: D. Mitigate risks
–People: Training Education and Awareness
–Process: Policies and Procedures

73 Regulatory Compliance: HIPAA is only the tip of the regulatory iceberg
–Health Information Technology for Economic and Clinical Health (HITECH) Act
–Payment Card Industry Data Security Standard (PCI-DSS)
–State Breach Notification
–eDiscovery / Preservation of ESI
–FTC Red Flag Rules for Identity Theft
–FDA Rule on Electronic Records
–State of Oklahoma Security Policy
–State HB for Risk Assessment
–National Institute of Standards
–Gramm Leach Bliley (GLB) Act
–FERPA

74 Holistic approach to regulatory compliance
1. Understand business value and drivers
2. Determine applicable regulations/best practices
3. Find the gaps
4. Develop a holistic treatment plan

75 II. Policy Development. Following organization policies and best practices = regulatory compliance: http://it.ouhsc.edu/policies/
Business manager view: http://it.ouhsc.edu/policies/fordataowners_busadmins.asp

76 IV. Training Education and Awareness Program
–HIPAA online courses
–New employee orientations
–New resident orientations
–New student orientations
–IRB Education day
–Cyber Security day
–Departmental presentations

77 V. Disaster Recovery and Business Continuity
–Annual Disaster Recovery Plan for OSF
–National Incident Management System (NIMS), Incident Command System (ICS)
–Tabletop Exercise (TTX)
–Business Impact Assessment for key areas

78 VI. Incident Management
–Detection
–Response
–Reporting
–Remediation
Information Security Incident Reporting Procedures: http://it.ouhsc.edu/services/infosecurity/IncidentReporting.asp

79 Consider your risk: Where is your information stored? Is it safe from common threats?

80 Action items: Review current technologies that can protect information:
–Data in motion
–Data at rest
–Data in use
–Deleted data / data disposal

81 Information Security: Safe Practice - Follow Policies. Follow policies to help protect your data.
–Technology Purchase Review: http://it.ouhsc.edu/forms/purchasereview.asp
–See http://it.ouhsc.edu/policies/

82 Information Security Services Staff:
o Greg Bostic
o Randy Moore
o Steve Payne
o Bryan Smith
o Robyne Rhode
o 405-271-2476
o IT-Security@ouhsc.edu
o http://it.ouhsc.edu/services/infosecurity/

83 Questions?

