HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.

Presentation transcript:

Agenda
- Legislative Impacts
- Security Standards
- Cybersecurity Profile
- Summary of Findings

Legislative Impacts
The effects of Presidential Policy Directive 21, the Executive Order, and the May 2011 Cybersecurity Legislative Proposal

Functional Relationships
- Greatest relationship is with OCR
- OCR has failed to meet the requirements outlined
- Legislation was designed to increase accountability and strengthen the nation's infrastructure
- Most recent report shows a lack of routine, preventative audits

Baseline Framework
- Complete overhaul of the security framework
- Pre-existing relationships strengthened
- Monthly joint briefings

Privacy & Civil Liberties Protection
- Create a risk management protocol and program
- Increase internet and network security

Critical Infrastructure
- Cybersecurity infrastructure needs strengthening
- There are notable improvements that have taken place

Security Standards
With respect to Federal Information Processing Standards Publication (FIPS PUB) 200 and ISO 27001/27002

The Standards

FIPS 200
- Minimum security requirements for federal information and information systems
- Enterprise-wide program that supports the operations of the organization
- Baseline standard of practice

ISO 27001/27002
- Designed to increase efficiency and effectiveness
- Provides pertinent information to the consumer, compliance with local laws and regulations, increased collaboration, and efficient security cost management
- ISO 27002 discusses the implementation of 27001

Points of Analysis
- System Impact Levels: Impact levels are the amount of risk placed upon the confidentiality, integrity, and availability of organizational information.
- Minimum Security Requirements: Assesses the baseline requirements for information security as presented by the standard.
- Security Control Selection: Focuses on how each standard defines the selection of appropriate security controls based upon the system impact level.

Points of Analysis (continued)
- Implementation: Considers the differences in implementation as well as how the different standards guide organizations towards successful implementation.
- Certification Process: Evaluates the differences between the requirements and processes for obtaining compliance and certification under each standard.

Cybersecurity Profile
Created in response to NIST's security controls

Risk Assessment: Vulnerability Scanning
- Update Tool Capacity
  - Provides updates to the system as needed
  - Tracks changes made and produces reports
- Privileged Access
  - Separates general scanning software from software that is granted access to privileged information
  - Security test and evaluation identifies vulnerabilities within the system
  - Every system is required to have and run the program routinely

Identification & Authentication
- Local Access to Privileged Accounts
  - Decreases the chances that an unauthorized user can gain access to privileged accounts
  - ID badges, PIV cards/numbers, and unique passwords have increased security within HHS
- Remote Access
  - Multi-level authorization policy
  - Employee accountability
  - Security standards outlining saving methods and data security

Incident Response
- Incident Response (IR) Training
  - Designed to decrease incidents resulting from human error
  - HHS ensures routine, high-quality training of employees
  - Deactivation sequences employed upon termination of a team member
- Incident Handling
  - Incidents can be traced back to an employee
  - Breach Response Team (BRT) handles all incidents

Recommendations
- Update the seemingly 14-year-old remote access policy
- Improve password verification systems
- Implement a password viability time period
- System-wide automatic password reset after incidents/security breaches

Summary
The Department of Health and Human Services (HHS) has created a fairly comprehensive and solid systems security plan that addresses not only the major concerns of the organization but also the national standards that have been developed. HHS not only has a plan in place that is well implemented and maintained, it also has a documentation process that ensures the improvement of its systems and processes. Though there are still areas of growth that can strengthen the organization's infrastructure while subsequently strengthening the nation's infrastructure, overall HHS has implemented a plethora of strategies and internal policies in order to decrease health fraud and ensure the safety of privileged data.
