Published by Lea Dunkerson. Modified over 10 years ago.
Presented to the OUHSC Policies and Procedures Workshop by IT Information Security Services

Agenda: Information Security Program
1. Business Value
2. Business Drivers
3. Managing Risk
4. Building Trust
Business Value of Information Security: Protection of mission critical information
– Electronic Health Records
– Credit Card Numbers
– Student Records
– Personally Identifiable Information

Information Security provides: Confidentiality, Integrity, Availability

The right data to the right people at the right time
Business Value of Information Security: Maximize Business Opportunities

Business opportunity: $19.2 billion from ARRA
Incentives: payments of $44,000 - $64,000 per physician to providers who demonstrate proper implementation of EHR

Business opportunity: Electronic commerce
100,000 credit card transactions, $17,500,000 annual amount

Business Value of Information Security: Protection of mission critical information, in order to:
– Minimize risk
– Support academic, research and health care business continuity and opportunities

Business value: A reputation that took decades to build can be threatened by a single event.
Information Security 2. Business Drivers

Business Drivers:
– Clinical systems (managed university computer, protected network)
– Research systems (semi-managed computer, open network)
– Business/Financial/Legal systems (managed university computer, protected network)
– Classroom/library systems (managed and unmanaged computers, open network)
– Student systems (unmanaged computer, open network)
– Mobile systems (managed and unmanaged computer, open network)
– Home systems (unmanaged computer, open network)
– Criminal systems

Business Drivers: Our diverse IT environment. Different management, connectivity needs and risks. It's a jungle out there!

Business Drivers: Increasing risks of doing business
Business Drivers: Regulations. The government responds:
– HIPAA
– Health Information Technology for Economic and Clinical Health (HITECH) Act
– Payment Card Industry (PCI) Data Security Standard
– eDiscovery Rules of Civil Procedure
– State Data Breach Notification
– FTC Red Flag Identity Theft Prevention
– Family Educational Rights and Privacy Act (FERPA) - rev x

Regulations: HIPAA, the Health Insurance Portability and Accountability Act
– Encourage use of Electronic Health Records (EHR)
– Ensure the privacy and security of the EHR

HIPAA: General Rules. Implement safeguards that reasonably and appropriately protect the
– Confidentiality
– Integrity
– Availability
of Electronic Protected Health Information (ePHI)

HIPAA: Security Categories
– Administrative safeguards
– Physical safeguards
– Technical safeguards
HIPAA: Security Categories. Administrative safeguards:
– Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity's workforce in relation to the protection of ePHI.

HIPAA: Administrative Safeguards
– Security Management Process
– Assigned Security Responsibility
– Workforce Security
– Information Access Management
– Security Awareness and Training
– Security Incident Procedures
– Contingency Plan
– Evaluation
– Business Associate Contracts and other arrangements

HIPAA: Administrative Safeguards. Security Management Process: covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations. All four of its implementation specifications are required (R), not addressable:
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)

HIPAA: Security Categories. Physical safeguards:
– Physical measures, policies, and procedures to protect a covered entity's electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

HIPAA: Physical Safeguards
– Facility Access Controls
– Workstation Use
– Workstation Security
– Device and Media Controls

HIPAA: Security Categories. Technical safeguards:
– The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

HIPAA: Technical Safeguards
– Access Controls
– Audit Controls
– Integrity
– Person or Entity Authentication
– Transmission Security
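The Security Management Process standard requires an information system activity review, and the technical safeguards require audit controls, but the slides do not show what a review of ePHI access logs actually does. The Go program below is an added example written for this page; it is not code from the presentation or from OUHSC. It runs two simple rules over a constructed access log: a burst of distinct patient charts opened by one user inside a short window (a classic chart-snooping indicator), and after-hours access by a non-clinical role. The log layout, the role names, the 10-minute window, the 3-patient threshold and the 22:00–06:00 night window are all assumptions chosen for the example, not figures from the page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is one ePHI access record; the layout (timestamp,user,role,patient,action)
// is an assumption for this example, not the format of any particular EHR product.
type AuditEvent struct {
	When    time.Time
	User    string
	Role    string
	Patient string
	Action  string
}

// Finding is one item the reviewer should look at.
type Finding struct {
	Rule, User, Detail string
}

// sampleLog is constructed sample data, not output of any real system.
const sampleLog = `2010-03-01T09:02:11Z,jdoe,nurse,P1001,view
2010-03-01T09:05:40Z,jdoe,nurse,P1002,view
2010-03-01T09:06:02Z,jdoe,nurse,P1003,view
2010-03-01T09:07:50Z,jdoe,nurse,P1004,view
2010-03-01T10:15:00Z,asmith,physician,P2001,view
2010-03-01T23:41:09Z,bjones,billing,P3001,view
2010-03-02T03:12:44Z,bjones,billing,P3002,export`

// clinicalRoles are expected to open charts around the clock; other roles are not.
var clinicalRoles = map[string]bool{"nurse": true, "physician": true}

// parseLog rejects malformed lines instead of skipping them: a gap in the audit
// trail is itself something the reviewer must know about.
func parseLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed audit line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, AuditEvent{When: t, User: f[1], Role: f[2], Patient: f[3], Action: f[4]})
	}
	return events, nil
}

// burstFindings flags a user who opened more than maxPatients distinct patient
// records inside any window of length win (a chart-snooping indicator).
func burstFindings(events []AuditEvent, win time.Duration, maxPatients int) []Finding {
	byUser := map[string][]AuditEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var out []Finding
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for i := range evs {
			distinct := map[string]bool{}
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= win; j++ {
				distinct[evs[j].Patient] = true
			}
			if len(distinct) > maxPatients {
				out = append(out, Finding{"burst", u, fmt.Sprintf("%d distinct patients within %s from %s", len(distinct), win, evs[i].When.Format(time.RFC3339))})
				break // one finding per user is enough to trigger a review
			}
		}
	}
	return out
}

// afterHoursFindings flags access between 22:00 and 06:00 by non-clinical roles.
// The hours and the UTC timestamps are assumptions of the sample data.
func afterHoursFindings(events []AuditEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if h := e.When.UTC().Hour(); (h >= 22 || h < 6) && !clinicalRoles[e.Role] {
			out = append(out, Finding{"after-hours", e.User, fmt.Sprintf("%s of %s at %s by role %s", e.Action, e.Patient, e.When.Format(time.RFC3339), e.Role)})
		}
	}
	return out
}

// Review runs every rule over the raw log and returns the combined findings.
func Review(raw string) ([]Finding, error) {
	events, err := parseLog(raw)
	if err != nil {
		return nil, err
	}
	return append(burstFindings(events, 10*time.Minute, 3), afterHoursFindings(events)...), nil
}
```

On the sample data `Review(sampleLog)` yields three findings: one burst for jdoe (4 distinct charts in under six minutes) and two after-hours accesses by the billing user bjones, the second of which is an export. The point of the thresholds is that they are tunable per role and department; what matters for the HIPAA specification is that the review runs on a schedule, the rules are written down, and each finding is dispositioned.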
Information Security: HIPAA/HITECH Update. Health Information Technology for Economic and Clinical Health (HITECH) Act

HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA)
– Enacted on February 17, 2009
– Compliance date: February 17, 2010

Goal: encourage the adoption of electronic health records (EHRs) through incentive payments to physicians
HITECH affects HIPAA: HITECH directly regulates business associates for the first time

Penalties
– Establishes a tiered system of civil penalties, and makes a civil penalty mandatory when the violation is due to willful neglect
– Covered entity did not know it violated HIPAA: $100 per violation, up to $25,000 per year for each type of violation (previously the maximum for any violation)
– Violation due to reasonable cause: $1,000 per violation, up to $100,000 per year
– Violation due to willful neglect, corrected: $10,000 per violation, up to $250,000 per year
– Violation due to willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year

HITECH Act (effective immediately): Breach notification (for unsecured PHI). You are required to notify each individual affected by a security breach.

Breach Notification
– Notify individuals without unreasonable delay, and no later than 60 days after discovery
– Letter, or e-mail if preferred by the individual
– Website posting as substitute notice
– More than 500 individuals in a state: notify prominent media outlets
– Notify HHS; breaches affecting 500 or more individuals are listed on the HHS website

"Unsecured PHR identifiable information": identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary's guidance.

HITECH Act (encryption and destruction). Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
1. Encryption
2. Destruction
The HHS guidance points to NIST SP 800-111 for encrypting stored data and NIST SP 800-88 for media sanitization; PHI secured by either method does not trigger the breach notification duty above.
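Encryption is the first of the two safe-harbor methods above. The Go program below is an added example for this page, not code from the presentation or from OUHSC. It keeps records encrypted at rest with AES-256-GCM, binds each ciphertext to its record id as additional authenticated data so a blob cannot be moved from one patient to another undetected, and shows crypto-shredding (destroying the key so every stored copy becomes unreadable), which is my addition as one way to achieve the "destruction" outcome rather than a method the slide names. The Vault type, its methods and the sample record are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrShredded = errors.New("vault key has been destroyed")

// Vault keeps records encrypted at rest under one AES-256 key. Only ciphertext
// is retained; the record id is bound to each blob as additional authenticated
// data so a blob cannot be silently moved from one patient to another.
type Vault struct {
	key   []byte            // 32-byte AES-256 key; nil once shredded
	blobs map[string][]byte // record id -> nonce || ciphertext || GCM tag
}

// NewKey draws a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func NewVault(key []byte) *Vault {
	return &Vault{key: key, blobs: map[string][]byte{}}
}

func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil {
		return nil, ErrShredded
	}
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts record under a fresh random nonce; reusing a nonce under the same key would break GCM.
func (v *Vault) Put(id string, record []byte) error {
	gcm, err := v.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	v.blobs[id] = gcm.Seal(nonce, nonce, record, []byte(id))
	return nil
}

// Get decrypts and authenticates; a changed byte, a wrong key, or a blob copied to another id fails the tag check.
func (v *Vault) Get(id string) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := v.blobs[id]
	if !ok {
		return nil, fmt.Errorf("no record %q", id)
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is truncated")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(id))
}

// Shred overwrites and discards the key; ciphertext left on disk or in backups stays unreadable.
func (v *Vault) Shred() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	v := NewVault(key)
	if err := v.Put("P1001", []byte("patient=P1001;dx=asthma;note=constructed sample")); err != nil {
		panic(err)
	}
	fmt.Printf("stored: %x\n", v.blobs["P1001"])
	out, err := v.Get("P1001")
	fmt.Printf("decrypted: %s (err=%v)\n", out, err)
	v.Shred()
	_, err = v.Get("P1001")
	fmt.Println("after shred:", err)
}
```

The choice of an authenticated mode matters for the Integrity safeguard as much as for confidentiality: plain AES-CBC would hide the record but let an attacker flip bits in it unnoticed. In a real deployment the key would live in a key management service or HSM rather than in the process, and shredding would be an audited, two-person operation.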
Information Security: PCI DSS. Payment Card Industry Data Security Standard (PCI DSS)
– Technical and operational requirements
– Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS
– Non-compliance: large fines, legal contract breach, loss of ability to accept payments via credit cards

Payment Card Industry Data Security Standard (PCI-DSS): an annual assessment process is required for 100+ business units on the OUHSC and Tulsa campuses

Regulations: What do they all have in common? Adopt security to minimize risks to information.
Managing Risk (Bryan starts here) 3. Managing Risk

Managing Risk: Risk = Vulnerability + Threat + Impact

Managing Risk: Vulnerability. What is a vulnerability?
– Error in the programming code inside an application
– Improperly configured system settings
– Minimally implemented security controls
– Weak or easily guessed passwords
– Lack of security awareness among computer users

Risk Management: Software vulnerabilities. 484 vulnerabilities identified in 1 month

Managing Risk: Threats. Common threats:
– Viruses, worms, and other malware
– Malicious persons outside the organization
– Insiders with approved access to systems
– Denial of Service attacks
– Social Engineering

Managing Risk: Threat - Malicious code. 134,625 viruses detected at the gateway and 7,876 at the desktop in the 1st quarter of FY10

Managing Risk: Threat - Malicious software from the web. Malicious software downloads from the web:
– Spyware
– Trojan Horse
– Key Loggers
1 in 10 web sites attempt to download software without permission
(OUHSC Threat Level indicator)

Managing Risk: Organizational Risks
– Compromise of critical data
– Destruction of critical data
– Breach of compliance
– Loss of access
– Costly recovery efforts
– Damage to reputation

Managing Risk: Data breaches (up 69% in 2008)

Managing Risk: Data breach costs. $202 per compromised record; $282 per compromised healthcare record

Mobile Devices: Minimize Risks
– Limits on stored data
– Passwords
– Encryption

Action items (review the Portable Computing Device Security policy)
– PCDs should not be used to store Sensitive Data unless the data is encrypted.
– PCDs that connect to the OU network or store OU data must use a device password.
– PCDs that store Sensitive Data must use encryption.
– Appropriate physical security measures should be taken to prevent theft of PCDs and their media or data.
– Report the theft or loss of a PCD containing Sensitive Data with the reporting form.

Managing Risk: Best Practices. Defense in Depth
– Implement a multi-tiered security architecture
– Layered Network Security - Zones of Trust
– Classify and protect data based on risk
Building Trust: Layered Network Security - Zones of Trust

Solution Approach
Define a consistent policy: by defining a consistent policy for each set of resources with similar requirements (for communication and protection), an enterprise can increase the efficiency and effectiveness of business appropriate protection functions.
Group resources according to policy: as IT environments, threats, attacks and the network topologies in which they exist have become more complex, the need for explicitly grouping resources in terms of their communication and protection requirements has increased.

Zones Support Layered Application Architectures

Managing Risk: Best Practices
– Secure network resources
– Patch computer systems
– Educate computer users
Information Security - Programs and Services:
I. Risk Management
II. Regulatory Compliance
III. Policy Development
IV. Training, Education and Awareness
V. Disaster Recovery and Business Continuity
VI. Incident Management

I. Risk Management processes
A. Identify information assets
B. Classify
C. Assess risks
D. Mitigate risks

I. Risk Management process examples: C. Assess risks
– Network vulnerability scanning
– Technology Product Review: http://it.ouhsc.edu/forms/purchasereview.asp
– Business Impact Assessments (BIA)
– PCI Self Assessment Questionnaire (SAQ)

I. Risk Management process examples: D. Mitigate risks. Technology:
– Layered Network Security Architecture
– Perimeter firewall
– Data center firewall
– Secure data center for Sensitive information
– Gateway and desktop anti-virus
– Email encryption

I. Risk Management process examples: D. Mitigate risks
– People: Training, Education and Awareness
– Process: Policies and Procedures

II. Regulatory Compliance: HIPAA is only the tip of the regulatory iceberg
– Health Information Technology for Economic and Clinical Health (HITECH) Act
– Payment Card Industry Data Security Standard (PCI-DSS)
– State Breach Notification
– eDiscovery / Preservation of ESI
– FTC Red Flag Rules for Identity Theft
– FDA Rule on Electronic Records (21 CFR Part 11)
– State of Oklahoma Security Policy
– State HB for Risk Assessment
– National Institute of Standards and Technology (NIST)
– Gramm-Leach-Bliley (GLB) Act
– FERPA

Holistic approach to regulatory compliance
1. Understand business value and drivers
2. Determine applicable regulations/best practices
3. Find the gaps
4. Develop a holistic treatment plan

III. Policy Development. Following organization policies and best practices = regulatory compliance
http://it.ouhsc.edu/policies/
Business manager view: http://it.ouhsc.edu/policies/fordataowners_busadmins.asp

IV. Training, Education and Awareness Program
– HIPAA online courses
– New employee orientations
– New resident orientations
– New student orientations
– IRB Education day
– Cyber Security day
– Departmental presentations

V. Disaster Recovery and Business Continuity
– Annual Disaster Recovery Plan for OSF
– National Incident Management System (NIMS), Incident Command System (ICS)
– Tabletop Exercise (TTX)
– Business Impact Assessment for key areas

VI. Incident Management
– Detection
– Response
– Reporting
– Remediation
Information Security Incident Reporting Procedures: http://it.ouhsc.edu/services/infosecurity/IncidentReporting.asp

Consider your risk: Where is your information stored? Is it safe from common threats?

Action items: Review current technologies that can protect information:
– Data in motion
– Data at rest
– Data in use
– Data deleted / data disposal

Information Security: Safe Practice - Follow Policies. Follow policies to help protect your data.
Technology Purchase Review: http://it.ouhsc.edu/forms/purchasereview.asp
See http://it.ouhsc.edu/policies/

Information Security Services Staff:
o Greg Bostic
o Randy Moore
o Steve Payne
o Bryan Smith
o Robyne Rhode
o 405-271-2476
o IT-Security@ouhsc.edu
o http://it.ouhsc.edu/services/infosecurity/

Questions?