Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003.

Components of Risk Analysis
1. EPHI boundary definition
2. Threat identification
3. Vulnerability identification
4. Security control analysis
5. Risk likelihood determination
6. Impact analysis
7. Risk determination
8. Security control recommendations
Based on Steve Weil's recommendations

Step 1: EPHI Boundary Definition
Inventory of information system hardware and software details, including:
– Internal and external interfaces of the information systems
– The primary users of the information systems and of the EPHI (electronic protected health information)
– Basic function and purpose of the EPHI and of the information system
– Technical controls (e.g., hardware or software access control mechanisms, encryption) and non-technical controls (e.g., security policies, employee training) being used to protect EPHI and information systems

Step 2: Threat Identification
– Natural: floods, earthquakes, tornadoes, etc.
– Human: unintentional (incorrect data entry, accidental deletion of data) and intentional (denial of service attack, installing malicious software)
– Environmental: power failures, hazardous material spill, etc.

Step 3: Vulnerability Identification
– Vulnerability lists such as the NIST vulnerability database
– Trace the "footprint" of each system
– Define the rules of engagement (what time of day the assessments can occur, what types of attacks are appropriate, what systems will be assessed, etc.) BEFORE the assessment begins

Step 4: Security Control Analysis
– Access control
– Authentication
– Audit trail
– Alarm

Step 5: Risk Likelihood Determination
Three factors should be considered:
– Threat motivation and capability
– Type of vulnerability
– Existence and effectiveness of security controls
Numerical rating of risks:
– Frequency (observed rate of occurrence)
– Subjective probability, elicited by: divide and conquer, group consensus, estimate-talk-estimate, and upper and lower limits

Step 6: Impact Analysis
– Confidentiality: EPHI is disclosed or accessed in an unauthorized manner
– Integrity: EPHI is improperly modified
– Availability: EPHI is unavailable to authorized users

Step 7: Risk Determination
Aggregate the risks from the individual factors to obtain the risk for a specific system containing EPHI.
– Under the assumption that the factors are independent, Bayes' formula can be used
– Posterior odds of a security breach = prior odds × likelihood ratio of threat 1 × likelihood ratio of threat 2 × … (one likelihood ratio per threat; a likelihood ratio below 1, such as an effective control, lowers the odds)
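The calculation in Step 7 and the estimation methods in Step 5, as an added worked example (this is not code from the slides): per-factor likelihood ratios are multiplied into the prior odds, the upper and lower limits of every input are propagated to limits on the result, and an estimate-talk-estimate panel's numbers are reduced to a point estimate plus limits. All factor names, likelihood ratios, prior rates and expert estimates below are constructed for illustration and are not from the presentation.

```python
"""Odds-form Bayesian aggregation of risk factors (added example).

posterior odds = prior odds x LR_1 x LR_2 x ... x LR_n
LR_i = P(observation_i | breach) / P(observation_i | no breach)

The product is only valid when the factors are conditionally independent
given breach / no breach, the assumption stated on the slide.
"""
from dataclasses import dataclass
from statistics import median
from typing import Sequence, Tuple


def prob_to_odds(p: float) -> float:
    """Probability in (0, 1) -> odds p / (1 - p)."""
    if not 0.0 < p < 1.0:
        raise ValueError(f"probability must be strictly between 0 and 1, got {p}")
    return p / (1.0 - p)


def odds_to_prob(odds: float) -> float:
    """Odds -> probability odds / (1 + odds)."""
    if odds < 0.0:
        raise ValueError("odds cannot be negative")
    return odds / (1.0 + odds)


@dataclass(frozen=True)
class Factor:
    """One threat, vulnerability or control observation with its likelihood
    ratio and the panel's lower / upper limits for that ratio.
    LR > 1 makes a breach more likely; LR < 1 (an effective control) less."""
    name: str
    lr: float
    lr_low: float
    lr_high: float

    def __post_init__(self) -> None:
        if not (0.0 < self.lr_low <= self.lr <= self.lr_high):
            raise ValueError(f"{self.name}: need 0 < lr_low <= lr <= lr_high")


def factor_from_estimates(name: str, estimates: Sequence[float]) -> Factor:
    """Estimate-talk-estimate: after discussion each expert re-states an LR.
    The median is the group point estimate; the spread gives the limits."""
    if not estimates or any(e <= 0 for e in estimates):
        raise ValueError("need one or more positive likelihood-ratio estimates")
    return Factor(name, median(estimates), min(estimates), max(estimates))


def posterior_probability(prior: float, factors: Sequence[Factor]) -> float:
    """Multiply the prior odds by every factor's LR, then convert back."""
    odds = prob_to_odds(prior)
    for f in factors:
        odds *= f.lr
    return odds_to_prob(odds)


def posterior_bounds(prior_low: float, prior_high: float,
                     factors: Sequence[Factor]) -> Tuple[float, float]:
    """Every LR is positive, so the posterior is monotone in each input:
    the extremes come from multiplying all low limits together and all
    high limits together."""
    low = prob_to_odds(prior_low)
    high = prob_to_odds(prior_high)
    for f in factors:
        low *= f.lr_low
        high *= f.lr_high
    return odds_to_prob(low), odds_to_prob(high)


# Constructed inputs for one hypothetical EPHI system (illustrative only).
PRIOR = 0.05                      # assumed base rate of a breach in the period
PRIOR_LOW, PRIOR_HIGH = 0.02, 0.10
FACTORS = [
    Factor("internet-facing server with an unpatched vulnerability", 4.0, 2.0, 6.0),
    Factor("no audit trail on EPHI access", 2.0, 1.0, 3.0),
    Factor("strong authentication in place (a control, LR < 1)", 0.5, 0.3, 0.8),
]

if __name__ == "__main__":
    p = posterior_probability(PRIOR, FACTORS)
    lo, hi = posterior_bounds(PRIOR_LOW, PRIOR_HIGH, FACTORS)
    print(f"point estimate of breach probability: {p:.3f}")
    print(f"upper and lower limits: {lo:.3f} .. {hi:.3f}")
    # A fourth factor rated by a four-person panel (constructed estimates).
    print(factor_from_estimates("weak password policy", [1.5, 2.0, 2.0, 3.0]))
```

With these constructed inputs the point estimate is about 0.17, but the limits run from roughly 0.01 to 0.62, which is the practical value of carrying upper and lower limits through: a wide interval says the panel should spend its effort narrowing the estimates with the largest spread before ranking controls in Step 8.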

Step 8: Security Control Recommendations
– Mitigate
– Eliminate
– Insure
– Hedge

Sample surveys
– Ontario Privacy Diagnostic Tools
– HIPAA Compliance Gap Identification
– EDI risk assessment check list