
Planning for Information Security and HIPAA Compliance “Security should follow data” Leo Howell, CISSP John Baines, CISSP IAS-Information Assurance & Security.


1 Planning for Information Security and HIPAA Compliance
"Security should follow data"
Leo Howell, CISSP, and John Baines, CISSP, IAS-Information Assurance & Security, ETSS-Enterprise Technology Services & Support, North Carolina State University
Sharon McLawhorn McNeil, ITCS-Security, Department of ITCS, East Carolina University
UNC CAUSE, November 2006

2 "Planning for Security and HIPAA Compliance" NCSU and ECU
What's it all about, Webster?
- Defalcation
  – Date: 15th century
  – 1 archaic: DEDUCTION
  – 2: the act or an instance of embezzling
  – 3: a failure to meet a promise or an expectation
- Malfeasance
  – Date: 1696
  – wrongdoing or misconduct, especially by a public official
- Two twenty-dollar words
  – Fraud and criminal business acts
  – Reaction to the excesses of the 80's and 90's

3 Increasingly Complicated Compliance Constraints

Statute        | Type of requirement                              | University data    | Example location
FERPA          | Federal law                                      | Student records    | Faculty PC or server
HIPAA          | Federal law                                      | Health records     | Athletics dept.
GLBA           | Federal law                                      | Financial data     | Financial Aid
PCI DSS        | Payment Card Industry Data Security Std.         | Credit card data   | Bookstore server
SB 1048        | State Identity Theft law                         | SSN, etc.          |
R & R          | State Employee Personal Information Privacy law  | Staff data         | Payroll
Federal Grants | Contract requirements                            | Research materials | Lab PC

4 Educational Institutes Seen as Easy Marks
- Los Angeles Times article, May 30, 2006:
  – "Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide."
  – "we were adding on another university every week to look into" (Michael C. Zweiback, assistant U.S. attorney)

5 Information Security Planning: High-level tasks
- Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
- Understand the business goals and objectives
- Conduct a risk assessment; factor in compliance!
- Develop the plan

6 Data Classification Standard (DCS) forms the foundation
- Identification
- Confidentiality and sensitivity
- Classification
- Protection
- Consistency
- 3 classification levels: High, Moderate, Normal
- Based on data business value, financial implications, legal obligations

7 Data Management Procedures (DMP) assign ownership and accountability

8 Seven Steps: RMIS Information System Security Plan (RISSP)
Leo Howell, Information Security Analyst

9 STEP ONE – Understand the Asset
- Philosophically, we believe that "security should follow data"
- But we know that not all data were created equal
- Effective security begins with a solid understanding of the protected asset and its value
- At NC State we have identified DATA as our primary asset

10 STEP TWO – Identify and prioritize Threats
- Governance:
  – policy breach
  – rebellion
- Physical:
  – data theft
  – equipment theft/damage
- Endpoint:
  – theft
  – social engineering
- Infrastructure & Application:
  – theft
  – disclosure
  – DoS
  – unauthorized access
- Data:
  – unauthorized access
  – corruption/destruction

11 STEP THREE – Identify and rank Vulnerabilities
- Governance:
  – policy loopholes
- Physical:
  – weak perimeter
  – open access
- Endpoint:
  – ignorance
- Infrastructure & Application:
  – "open" network
  – unpatched systems/OS
  – misconfiguration
- Data:
  – unencrypted storage
  – insecure transmission

12 STEP FOUR – Quantify Relative Risk, R

R = µVAT, where V = vulnerability, A = asset, T = threat, µ = likelihood of T

- The greater the number of vulnerabilities, the bigger the risk
- The greater the value of the asset, the bigger the risk
- The greater the threat, the bigger the risk

13 STEP FIVE – Develop a strategy
- Higher classification implies increased security
- The types of data stored, accessed, processed or transmitted dictate the OPZ
- 3 virtual operational protection zones (OPZ) based on Data Classification:
  – High: significant business impact, financial loss, regulatory compliance
  – Moderate: adversely affects business and reputation
  – Normal: minimal adverse effect on business; authorization required to modify or copy
- Examples: server with Moderate data; laptop with High data

14 STEP SIX – Establish target standards
- The amount and stringency of security controls at each level varies with data classification
- Seven layers of protection per zone, based on COBIT, ISO 17799 and NIST 800-53:
  1. Management & Governance
  2. Access control
  3. Physical security
  4. Endpoint security
  5. Infrastructure security
  6. Application security
  7. Data security

15 Snippet from Data Security Standard

Security Control                     | Red Zone  | Yellow Zone | Green Zone
Encrypt stored data                  | Mandatory | Recommended | Optional
Limit data stored to external media  | Mandatory | Recommended | Optional
Encrypt transmitted data             | Mandatory | Mandatory   | Recommended
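The STEP FOUR risk model (R = µVAT) and the zone-based Data Security Standard snippet above are the two pieces a planner actually computes with, so here is an added example that puts them together; it is my own illustration, not code from the NCSU or ECU teams. It scores constructed assets with R = µ·V·A·T (V taken as the count of open vulnerabilities, A as a constructed 1..3 weight per classification, T on a constructed 1..3 scale), maps each classification to its zone (High→Red, Moderate→Yellow, Normal→Green, as the slides pair them), lists which Mandatory and Recommended controls are missing, and orders the action items. The ordering rule (missing mandatory controls first, then highest risk) and all asset, score and control names are assumptions.

```python
"""Added example, not from the NCSU/ECU slides: scores relative risk with the
STEP FOUR model R = µ·V·A·T and checks each asset's controls against the
zone-based Data Security Standard snippet. Assets, weights, scales and control
names are constructed for illustration."""
from dataclasses import dataclass, field

# Data classification -> operational protection zone, as the slides pair them
ZONE_FOR_CLASS = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# The three rows of the slide's Data Security Standard snippet
DATA_SECURITY_STANDARD = {
    "encrypt_stored_data":      {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "limit_external_media":     {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "encrypt_transmitted_data": {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}

# A = asset value by classification (constructed 1..3 weights, not from the slides)
ASSET_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}


@dataclass
class Asset:
    name: str
    classification: str                          # High, Moderate or Normal
    threat: int                                  # T: severity on a constructed 1..3 scale
    likelihood: float                            # µ: probability the threat materialises, 0..1
    vulnerabilities: list                        # V: open vulnerabilities found in STEP THREE
    controls: set = field(default_factory=set)   # controls actually in place on the asset


def relative_risk(asset):
    """STEP FOUR: R = µ * V * A * T, with V taken as the number of open vulnerabilities."""
    return (asset.likelihood * len(asset.vulnerabilities)
            * ASSET_VALUE[asset.classification] * asset.threat)


def control_gaps(asset, standard=DATA_SECURITY_STANDARD):
    """Controls that the asset's zone requires or recommends but that are not in place."""
    zone = ZONE_FOR_CLASS[asset.classification]
    gaps = {"mandatory": [], "recommended": []}
    for control, by_zone in standard.items():
        level = by_zone[zone]
        if level == "Optional" or control in asset.controls:
            continue
        gaps[level.lower()].append(control)
    return gaps


def action_items(assets):
    """STEP SEVEN ordering (an assumption): missing mandatory controls first, then highest R."""
    items = [{"asset": a.name, "zone": ZONE_FOR_CLASS[a.classification],
              "risk": relative_risk(a), "gaps": control_gaps(a)} for a in assets]
    items.sort(key=lambda i: (-len(i["gaps"]["mandatory"]), -i["risk"]))
    return items


def sample_assets():
    """Constructed assets echoing the slide's examples (laptop with High data, server with Moderate data)."""
    return [
        Asset("laptop-high", "High", threat=3, likelihood=0.5,
              vulnerabilities=["unencrypted storage", "no screen lock"],
              controls={"encrypt_transmitted_data"}),
        Asset("server-moderate", "Moderate", threat=2, likelihood=0.25,
              vulnerabilities=["unpatched OS"],
              controls={"encrypt_stored_data"}),
        Asset("labpc-normal", "Normal", threat=1, likelihood=0.5,
              vulnerabilities=["misconfiguration", "open network", "unpatched OS"]),
    ]


if __name__ == "__main__":
    for item in action_items(sample_assets()):
        print(f"{item['asset']:16} zone={item['zone']:6} R={item['risk']:<5} "
              f"mandatory={item['gaps']['mandatory']} recommended={item['gaps']['recommended']}")
```

Running it shows why the standard and the risk score are kept separate: the lab PC scores a higher R (1.5) than the Moderate server (1.0), but the server is missing a control its Yellow zone marks Mandatory (encrypt transmitted data), so it sorts ahead of the lab PC in the action list, while the High-data laptop with two missing Red-zone mandatory controls sits at the top.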

16 STEP SEVEN – Document the plan
Identify realistic solutions for applying the appropriate security controls at each level.
- Create a list of action items for the next 3 to 5 years
- Prioritize the list based on risk and reality
- Forecast investment
- Beg, kick and scream to get funding
- Implement the plan over time

17 Quick takes
- Planning paves the way for effectiveness and efficiency in security and compliance
- Understand the business goals
- Conduct a risk assessment
- Establish a strategy based on data classification and industry standards
- Develop a prioritized, realistic plan
- Go for the long haul!

18 Key Elements of the HIPAA Security Rule: And how to comply
Sharon McLawhorn McNeil, ITCS-Security, Department of ITCS, East Carolina University

19 Introduction
HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996. The purpose of the Security Rule:
- To allow better access to health insurance
- Reduce fraud and abuse
- Lower the overall cost of health care

20 What is the HIPAA Security Rule?
The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form. Identifiable health information is:
- Your past, present, or future physical or mental health or condition,
- Your type of health care, or
- Past, present, or future payment methods for the type of health care received.

21 Who Must Comply?
Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
- Health care plans: HMOs, group health plans, etc.
- Health care clearinghouses: billing and repricing companies, etc.
- Health care providers: doctors, dentists, hospitals, etc.

22 How Does One Comply?
Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.

23 Administrative Safeguards
To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
- Conduct a Risk Analysis.
- Implement Risk Management Actions.
- Develop a Sanction Policy to deal with violators.
- Conduct an Information System Activity Review.

24 Physical Safeguards
The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.

25 Technical Safeguards
Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it. The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.

26 Key Elements of Compliance
1. Obtain and Maintain Senior Management Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance

27 Penalties
- Civil penalties are $100 per violation, up to $25,000 per year for each violation.
- Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
- Additional negatives:
  – Negative publicity
  – Loss of customers
  – Loss of business partners
  – Legal liability

28 Conclusion
- Compliance will require Covered Entities to:
  – Identify the risks to their EPHI
  – Implement security best practices
- Complying with the Security Rule can require significant time and resources
- Compliance efforts should be currently underway

29 Contacts
NC State University
- Leo Howell, CISSP CEH CCSP CBRM, Information Security Analyst, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, leo_howell@ncsu.edu, (919) 513-1169
- John Baines, CISSP, Assistant Director, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, john_baines@ncsu.edu
East Carolina University
- Sharon McLawhorn McNeil, IT-Security Analyst, McLawhorns@ecu.edu, 252-328-9112
