Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Slides:

Advertisements

Similar presentations

David Assee BBA, MCSE Florida International University

Advertisements

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Security Controls – What Works

Information Security Policies and Standards

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Computer Security: Principles and Practice

Stephen S. Yau CSE , Fall Security Strategies.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

Information Security Information Technology and Computing Services Information Technology and Computing Services

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Information Security Technological Security Implementation and Privacy Protection.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Security Architecture

Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture a This material (Comp7_Unit7a) was developed by.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Web Security for Network and System Administrators1 Chapter 2 Security Processes.

Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.

Unit 8b Troubleshooting; Maintenance and Upgrades; Interaction with Vendors, Developers, and Users Component 8 Installation and Maintenance of Health IT.

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

Information Systems Security

Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.

Working with HIT Systems

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

Chapter 2 Securing Network Server and User Workstations.

Small Business Security Keith Slagle April 24, 2007.

IT Priorities Minimize CAPEX Maximize employee productivity Grow the business Add new compute resources real- time to support growth Meet compliance requirements.

Security fundamentals Topic 2 Establishing and maintaining baseline security.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Configuring Electronic Health Records Privacy and Security in the US Lecture a This material (Comp11_Unit7a) was developed by Oregon Health & Science University.

Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.

Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,

Component 8 Installation and Maintenance of Health IT Systems Unit 9b Creating Fault-Tolerant Systems, Backups, and Decommissioning This material was developed.

“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.

Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

Managed IT Services JND Consulting Group LLC

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 3 This material was developed by Oregon Health & Science University,

Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture a This material Comp8_Unit6a was developed by Duke University,

 December 2010 US Chief Information Officer Vivek Kundra released the Federal Cloud Computing Strategy. This became to be what is known as “Cloud First”

© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

Information Systems Security

Blackboard Security System

Working at a Small-to-Medium Business or ISP – Chapter 8

Installation and Maintenance of Health IT Systems

Final HIPAA Security Rule

Lesson 16-Windows NT Security Issues

County HIPAA Review All Rights Reserved 2002.

Contact Center Security Strategies

Designing IIS Security (IIS – Internet Information Service)

Presentation transcript:

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC

Technical Safeguards: Intrusion Detection System (IDS) Monitors networks or systems for malicious activities or policy violations. Logs such activity and notifies administrator. Takes preemptive actions to stop activities. NOT a firewall (and vice versa). Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Technical Safeguards: Audit Logging Hardware/software/procedural mechanisms to record & examine access & other activity Data to be logged can vary depending on level of access controls to ePHI data. In general, servers should use OS system logging tools to track: –Who accessed (or tried to access) server. –What data/databases were accessed, any changes made. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Technical Safeguards: Audit Logging (cont’d) EHR should also support logging: –User access –Patient data accessed –Sign-on failures –Data changes made Periodic proactive audits (sampling) –Consider for higher-risk patient populations (e.g., employees) or after publicized events –To deter abuse, make users aware. Reactive audits triggered by defined event Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Technical Safeguards: Offsite Access Should be tightly regulated. Utilize Virtual Private Network (VPN) and encryption at all times. VPN –Uses encryption, authentication, authorization, Network Access Quarantine Control to protect data. –Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

What is a Virtual Private Network (VPN)? Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring VPN routerInternet VPN client installed on user’s laptop Encrypted Communication

Server & Computer Security Tips Install firewall, IDS, & monitoring tools to monitor & protect all servers using/storing ePHI. Strong policies for use of ePHI. Rename local administrator & guest accounts; strong passwords; disable unused accounts. NTFS file system (Windows servers) Antivirus software, with updates Attack surface reduction tool: turn off unneeded server applications & reduce attack surface. Configure server correctly, with vendor Create security baseline; tools available. Install service packs within 48 hours of release. Lock down database applications, regularly install updates. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Contingency Plans Critical data backed up and stored Emergency call list Plan to restore systems Plan to move into temporary office Secure offsite storage Situations that may activate contingency plan Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Contingency Plans (cont’d) Written plans –Risk analysis/assessment –Database backup –Database secure storage –Data restore plan –Disaster recovery plan –Critical incident response plan Software inventory Hardware inventory Logs: transmission points Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Data Backup Policy Data integrity just as important as confidentiality. Backing up critical files, including patient or EHR databases, helps ensure data recovery after catastrophic failure or security breach. Determine procedures, hardware, and software required for reliable & efficient backup of production databases. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Secure Data Storage & Restore Policies Data most susceptible to corruption or loss in state of rest (90% of the time). Databases need particularly thorough analysis for risks. Detailed guidelines for securing and safely restoring data stored on network. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Disaster Recovery & Critical Incident Response Plans Address emergencies requiring immediate intervention to protect network or restore operational status after catastrophe. Based on original risk analysis. Outlines elements, procedures, & people needed to restore network or mitigate imminent threat in timely manner. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Hardware & Software Inventories Hardware inventory –Loss of hardware can mean a loss much greater than just replacement cost. –Helps ensure equipment properly locked down and secure. Software inventory –Provides insight to manage/mitigate risks to network from software vulnerability. –Facilitates proper software management practices, patching. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Logs: Transmission Points Effective logging and monitoring strategy is critical to network security. Logs can be overwhelmingly large. Determine which data need stringent monitoring (e.g., who is accessing); begin by concentrating efforts there. Written plan of what is logged & why, with procedures for auditing & record of accountability to ensure compliance. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Summary Security measures to be implemented on your network will largely depend on: –Federal, state, & local requirements –Organizational requirements –Network type topology & operating system (OS) Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring

Reference University of Wisconsin-Madison HIPAA Security Best Practices Guidelines, #3 Audit Controls, 4D – Component 8/Unit 8aHealth IT Workforce Curriculum Version 2.0 Spring