Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Rule November 16 th, 2004 ISSA/ISC ² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA,

Published byTamsin Greer Modified over 8 years ago

Similar presentations

Presentation on theme: "HIPAA Security Rule November 16 th, 2004 ISSA/ISC ² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA,"— Presentation transcript:

1 HIPAA Security Rule November 16 th, 2004 ISSA/ISC ² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+ Lead Consultant (Southern California) Verisign Global Security Consulting

2 VeriSign Publicly Traded Company > 3000 Employees $1 Billion in Revenues Operate critical DNS Infrastructure that enables over 10B transactions/Day Secure the information assets of over 400,000 websites and 1,000 large enterprises Largest SS7 Telecommunications network – 2 Billion messages per day 2.8B SS7 signals/day Enable over 1,000 carriers to interconnect Support over 30% of North American e-commerce Over 100 Million E-Commerce Payment Transactions Per Quarter Largest MSSP with over 3000 devices under management

3 Drivers behind HIPAA Efficiency and interoperability between payers, providers, clearinghouses (“covered entities”) “Patient’s Bill of Rights” Enhanced medical record privacy Enhanced medical record security

4 Medical Mistakes kill 98,000/year in the USA

5 Data valuation – what’s gone wrong in healthcare? What is your medical record worth to you? How much do you trust your healthcare provider to keep your medical record private & secure? How many of your friends or neighbors work in a healthcare organization? How many of your enemies? We spend billions protecting financial information, what about health information?

6

7 Do I need to comply? The security rule applies to all IIHI (individually identifiable health information) in electronic form ePHI (electronic Protected Health Information) that is stored and/or transmitted is covered Health information on paper or divulged orally is not covered! The rule is intended to set a minimum level of security for covered entities Covered entities and business associates (through a chain of trust agreement) of those entities are required to comply

8 What’s the business / security value-add? Increased level of confidence from your customers Expansion into healthcare markets for non-healthcare centric services (e.g.: managed security services) Integration of sound security practices to fulfill HIPAA requirements (e.g.: standardized risk assessment methodology, quantifiable security metrics for measuring process improvement) Covered entities MUST comply, of course!

9 Nuts and bolts of the rule Covered entities are required to: Assess potential risks and vulnerabilities Protect against threats to information security or integrity, and against unauthorized use or disclosure Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances Ensure compliance with these safeguards by all staff

10 How is the rule structured? The rule is broken into three sections: administrative safeguards, technical safeguards and physical safeguards There are 18 standards that encompass the 3 types of safeguards Almost every standard has several implementation specifications that are specific requirements within the standard Each implementation specification is either required or addressable

11 Required vs. Addressable Required: Implementation Specification must be met by Covered Entity. Most of the required Implementation Specifications scale to meet covered entity requirements, large or small Addressable: Implementation Specification may not always be appropriate and “scale” to different covered entity sizes. A risk assessment must be performed by the covered entity to surmise what controls are feasible to implement

12 Administrative safeguards Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness & Training Security Incident Procedures Contingency Planning Evaluation Business Associate Contracts & Other Arrangements Information Security Program Assigning responsibility (CSO / CISO) Acceptable Use of Computing Resources for staff Access Control (AAA) Training and Education Incident Response Disaster Recovery / Business Resumption Planning Risk Assessment and quantifiable measurement Contracts

13 Physical Safeguards Facility Access Controls Workstation Use Workstation Security Device & Media Controls Physical security of information processing facilities Acceptable Use & control of access to workstations Physical Security of assets (each separate device type is classified as a workstation) Computer Operations 101 (tape labeling and archiving, tape rotation, back-up logs kept up to date, control of removable media containing ePHI)

14 Technical Safeguards Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security Unique User ID, Emergency Access, Automatic Logoff Activity review (application & operating system) Verifying data integrity (at rest and in transit) Robust authentication strategy (two-factor) Safeguarding ePHI in transmission (encryption) and verifying integrity (digital signatures)

15 FAILING TO PREPARE IS PREPARING TO FAIL

16 Maximizing investment on compliance Perform regular security assessments on critical assets that contain or may participate in the transmission or storage of ePHI (consider an annual third party assessment to free internal resources up for remediation) Make sure you are effective where the rubber meets the road – does a procedure that a particular business unit performs actually match what’s documented as far as step by step actions? What is the variance? Outsource routine Information Security tasks to free up resources - constant Intrusion Detection alerts and System Activity Review may cost you more in labor to tune and monitor 24x7 in a month than an MSSP may charge for a year contract

17 What are the pitfalls to avoid? The HIPAA Security rule contains a great deal of documentation requirements, but don’t just focus on documentation! Don’t make mountains out of molehills Don’t wait until the 11 th hour to ask for money (especially for awareness and training requirements) Don’t attempt to achieve compliance without a plan (decentralized workgroups work very well) Not leveraging your resources and skill-sets is a recipe for disaster

18 Compliance Tips Establish a formal security program with a designated security officer Establish a standardized risk assessment strategy to prioritize work Implement a security program mapped to best practice security standards, not to a specific regulation Make use of “community standard” guidelines to make sure you’re keeping pace with other providers Collaborate with other providers on how you develop strategies to address the HIPAA Security Rule

19 Reading Room NIST DRAFT SP 800-66 “An Introductory Guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: http://csrc.nist.gov/publications/drafts/DRAFT- sp800-66.pdf Health Insurance Portability and Accountability Act (HIPAA) Home Page: http://www.hhs.gov/ocr/hipaa/ Health Hippo: http://hippo.findlaw.com/hipaa.html

20 Questions & Answers VeriSign Security Services

Download ppt "HIPAA Security Rule November 16 th, 2004 ISSA/ISC ² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA,"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.

IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.

Similar presentations

Ads by Google