CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.
1 1 Risk Management: How to Comply with Everything July 11, 2013.
National Infrastructure Protection Plan
CSF Roadmap 2015 and Beyond Presented By Bryan S. Cline, Ph.D.
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Office of Inspector General (OIG) Internal Audit
Risk Assessment Frameworks
Complying With The Federal Information Security Act (FISMA)
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
NIST Special Publication Revision 1
Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA Phone: (703) | FAX: (703) Best.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.
Meaningful Use Security Risk Analysis Passing Your Audit.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.
10/20/ The ISMS Compliance in 2009 GRC-ISMS Module for ISO Certification.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
Eliza de Guzman HTM 520 Health Information Exchange.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Working with HIT Systems
HIPAA Security Final Rule Overview
Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc
The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.
Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.
HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.
Service Organization Control Reports What Have We Learned? Chris Bruhn DIRECTOR, IT RISK SERVICES, BKD, LLP SAS 70 ENDS EXIT TO SSAE 16.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
An Independent Licensee of the Blue Cross Blue Shield Association Right Sizing the HIPAA Security Program Laurie Leer, CISSP;Manager Information Systems.
Governance, risk and ethics. 2 Section A: Governance and responsibility Section B: Internal control and review Section C: Identifying and assessing risk.
Computer Science / Risk Management and Risk Assessment Nathan Singleton.
NIST SP800 53R4 WMISACA Conferance April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI
HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
IAEA International Atomic Energy Agency Functional and Security Domains Presented by:
An Information Security Management System
SELF-GUIDED SECURITY ASSESSMENT
An Overview on Risk Management
JU September Stakeholder Engagement Conference Webinar #1
INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
In-depth look at the security risk analysis
Overview Introduction Meaningful Use Objective for Security Key Security Areas and Measures Best Practices Security Risk Analysis (SRA) Action Plan Demonstration.
Modified Stage 2 Meaningful Use: Objective #1 – Protect Electronic Health Information July 5, 2016 Today’s presenter: Al Wroblewski, PCMH CCE, Client.
Risk Assessment = Risky Business
Internal control - the IA perspective
Modified Stage 2 Meaningful Use: Objective #1 – Protect Electronic Health Information July 5, 2016 Today’s presenter: Al Wroblewski, PCMH CCE, Client.
SELF-GUIDED SECURITY ASSESSMENT
HIPAA Security Standards Final Rule
National Congress on Health Care Compliance
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Cyber Security in a Risk Management Framework
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
An overview of Internal Controls Structure & Mechanism
HIPAA Security Risk Assessment (SRA)
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST

Why does HITRUST exist? Multitude of challenges –Significant government oversight –Evolving requirements –Complex business relationships –Uncertain standard of care Reasonable and appropriate? Adequate protection? Page 2

Page 3 Principle driver …

Page 4 “Overarching” requirement Page 4 45 CFR § (a)(1) –Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 45 CFR § (a) –(1) Ensure the [CIA] of all [ePHI] the covered entity or business associate creates, receives, maintains or transmits. –(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Page 5 What exactly is a risk assessment? Page 5 Risk assessment –“The process of identifying, estimating, and prioritizing risks … resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.” NIST SP , Managing Information Security Risk Risk analysis –“Examination of information to identify the risk to an information asset. Synonymous with risk assessment” CNSSI No. 4009, National IA Glossary “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule” HHS Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Page 6 Risk management lifecycle Page 6

Page 7 Risk analysis process Page 7

Page 8 HHS interpretation Page 8 HHS Guidance on RA Requirements under the Security Rule –Scope the assessment to include all ePHI –ID & document all assets with ePHI –ID & document all reasonably anticipated threats to ePHI –Assess all current security measures –Determine the likelihood of threat occurrence –Determine the potential impact of a threat occurrence –Determine the level of risk –Document assigned risk levels and corrective actions –Rinse & repeat

Page 9 Traditional approach Page 9 Conduct comprehensive risk analysis –Threat & vulnerability assessment –Information asset valuation –Information protection control selection Comprehensive risk analysis difficult for most –Lack of skilled resources, funding, time –Limited information available

Page 10 Framework Approach Page 10 Modify general baseline control standard –Threat modeling / control selection performed by capable, third- party for general threats, vulnerabilities –Baseline controls assigned based on confidentiality, and/or criticality Baseline control approach most widely used –ISO/IEC 27001/27002, part of the ISO/IEC series RMF –NIST SP , part of the NIST SP 800-series RMF –HITRUST CSF, part of the HITRUST RMF Based on ISO/IEC and integrates a significant portion of NIST SP requirements

Page 11 HITRUST Risk Analysis Page 11 Modified Guidance on RA Requirements for the Security Rule –Scope the assessment to include all ePHI –ID & document all assets with ePHI (inventory and categorization) –Select a control baseline for given categorization (risk factors) –Assess all current security measures (gap analysis) –Determine the likelihood of a control failure –Determine the potential impact of a control failure –Determine the level of residual risk –Document assigned risk levels and corrective actions –Rinse & repeat Note: A threat catalog is being developed as part of a HITRUST C3 initiative to map threats to specific controls, which will support the requirement to enumerate and address all reasonably anticipated threats.

Page 12 Justification for the approach Page 12 All federal agencies use the NIST RMF –NIST SP r1, Guide for Conducting Risk Assessments, addresses traditional RA Typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition –BUT … NIST SP r1, Guide to Applying the [RMF] to Federal Information Systems, doesn’t address threat identification Categorize information system Select security controls Implement security controls … –Hardly seems fair, does it? Traditional approach likely used due to lack of federally recognized healthcare security framework … including NIST

Page 13 But what about everything else in HIPAA? Page 13 RA requirement is one of 42 stds & specifications Like RA, other requirements lack prescription –What safeguards are reasonable and appropriate? –What is adequate protection? Simple HIPAA requirement-based approaches to risk analysis lack depth, breadth and rigor OCR will not accept a risk analysis based on the old OCR Audit Protocol developed by KPMG (Linda Sanchez, 2014 HCCA conference) –Implies controls reviewed do not sufficiently address all reasonably anticipated threats –Implies similar approaches based on HIPAA standards and specifications are also flawed

Page 14 Defining reasonable and appropriate for healthcare Page 14 HITRUST CSF –Built on international framework, ISO –Additional prescription provided by: ISO & NIST SP CMS IS ARS (High-level baseline) PCI-DSS Others –CSF controls mapped to HIPAA E.g., (a)(5)(ii)(C), Log-in Monitoring (Addressable) 8 controls provide direct support: 01.b., 01.c, 01.e, 02.i, 09.aa, 09.ab, 09.ad, 09.af 7 controls provide indirect support: 01.q, 01.s, 01.t, 01.u, 06.e, 06.i, 11.a

Page 15 Prego … it’s in there! Page 15

Page 16 But what about NIST? Page 16 NIST SP r4 moderate-level baseline –All controls –All enhancements Requirements tailored/harmonized for healthcare –Reasonable and appropriate –Adequate protection Mappings are similar to HIPAA –Direct mappings with relevant language –Indirect or supportive mappings with relevant language Mappings are consistent with NIST mappings to ISO/IEC 2001:2005

Page 17 Prego … it’s in there! Page 17

Page 18 But what about the “other” NIST? Page 18 The NIST Cybersecurity Framework provides structure for sector- level cybersecurity frameworks and organizational-level programs HITRUST provides a healthcare-specific implementation of the NIST framework that addresses a broad spectrum of information security risk (not just cybersecurity) CSF controls mapped to 100% of the NIST cybersecurity subcategories (w/ language updates) – 2014 CSF v6.1

Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP HITRUST Advisor Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP HITRUST Advisor

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.