The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

David Assee BBA, MCSE Florida International University
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works
Information Security Policies and Standards
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Session 3 – Information Security Policies
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Uday O. Ali Pabrai, CISSP, CHSS Chief executive, HIPAA Academy Health care & HIPAA Security Remediation.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
Evolving IT Framework Standards (Compliance and IT)
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
HIPAA COMPLIANCE WITH DELL
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans.
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Eliza de Guzman HTM 520 Health Information Exchange.
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Questions HHS May Ask in a HIPAA Audit: Critical Steps for Compliance Uday Ali Pabrai, CISSP, CSCS Author, The Art of Information Security.
Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture b This material (Comp7_Unit7b) was developed by.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Working with HIT Systems
Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
HIPAA Security Final Rule Overview
Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,
Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.
Information Security tools for records managers Frank Rankin.
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
An Independent Licensee of the Blue Cross Blue Shield Association Right Sizing the HIPAA Security Program Laurie Leer, CISSP;Manager Information Systems.
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.
Final HIPAA Security Rule
County HIPAA Review All Rights Reserved 2002.
Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
HIPAA Security Standards Final Rule
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Introduction to the PACS Security
Presentation transcript:

The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS

Healthcare Security Challenges Password management InfoSec policies Contingency plans Malicious software Wireless proliferation Audit capabilities IT staff’s security capabilities

Security Today “99% of all reported intrusions result through exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures are available” NIST “The health care industry was subject to the third highest number of severe events” Symantec

Standards & Regulatory Compliance Seriously influence security architecture priorities: ISO 17799/BS7799 HIPAA FISMA Sarbanes-Oxley GLB California Privacy Laws

ISO and BS 7799 Security Standards Covers Ten Areas: 1.Security Policy 2.Security Organization 3.Asset Classification and Control 4.Personnel Security 5.Physical and Environmental Security 6.Computer & Network Management 7.System Access Control 8.System Development and Maintenance 9.Business Continuity Planning 10.Compliance

HIPAA Security Security Mgmt. Process, Sec. Officer Workforce Security, Info. Access Mgmt. Security Training, Security Incident Proc. Contingency Plan, Evaluation, BACs Facility Access Controls Workstation Use Workstation Security Device & Media Controls Access Control Audit Control Integrity Person or Entity Authentication Transmission Security CIA

FISMA The Federal Information Security Management Act (FISMA) is Title III of the U.S. E-Government Act (Public Law ) It was signed into law by U.S. President George W. Bush in December FISMA impacts all U.S. federal information systems The FISMA legislation is about protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide CIA

Enterprise Security Roadmap

Risk Analysis “Every covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic Protected Health Information (EPHI)” HIPAA Security Rule Not just a paper exercise Technical Review must be completed

Procedures Security Policies Security Strategies Business Vision Align strategy with business goals Analyze technology architecture Evaluate role of third parties Determine gaps that need policies Validate contingency and other plans Align policies with strategy Activities Document security procedures Develop plans for physical security CIA Understand the business Understand future goals Target Audience Security practitioners Department heads Security Officer Executive management Security Strategy and Policies

Contingency Plan It is a Federal law that must be complied with A HIPAA Security Rule Standard that includes: –Data Backup Plan (R) –Disaster Recovery Plan (R) –Emergency Mode Operation Plan (R) –Testing and Revision (A) –Applications and Data Criticality Analysis (A) Requirements also further identified under Physical and Technical Safeguards

Core Objectives Must establish policies/procedures for responding to an emergency that damages systems that contain EPHI Core objectives include the capability to: –Restore operations at an alternate site –Recover operations using alternate equipment –Perform some or all of the affected business processes and associated EPHI using other means Must develop a coordinated strategy that involves plans, procedures and technical measures to enable the recovery of systems, operations, and data after a disruption

Typical Security Remediation Initiatives Launch Activities –Deploy Firewall Solutions, IDS/IPS –Secure Facilities & Server Systems –Deploy Device & Media Control Solutions –Implement Identity Management Systems –Deploy Access Control Solutions –Implement Auto-logoff Capabilities –Deploy Integrity Controls and Encryption –Activate Auditing Capabilities –Test Contingency Plans

Wireless Challenges Lack of user authentication Weak encryption Poor network management Vulnerable to attacks: –Man-in-the-middle –Rogue access points –Session hijacking –DoS

Wireless Strategy Conduct risk analysis Develop security policies –Wireless Mobile devices –Encryption Remediation: Design infrastructure –Firewall –IDS –Wired network

Secure Third Parties Review existing Business Associate Contracts (BACs) or equivalent –Privacy compliance should have covered most of these relationships –Verify the flow of your sensitive information to BAs BAs are part of a Chain of Custody –Don’t be the “weakest link” –Be sure to pass along requirements to protect sensitive to your subcontractors

Train Workforce Establish Processes for: –Security Reminders –Protection from Malicious Software –Login Monitoring –Password Management

Evaluate & Audit Establish Processes for: –Risk Management –Audit Deliverables: –Ensure compliance with legislation(s) and standard(s) as required –“Close and Lock” all Security Gaps

The Importance of Audits Audit provide insight into vulnerabilities of an organization Audit on a regular basis Audits conducted must be thorough and comprehensive Strong audit trails help the entity ensure the CIA of sensitive information and other vital assets Key to responding to Security incident/complaint

Defense In-Depth Firewall Systems Critical Info & Vital Assets IDS/IPS Authentication Authorization Physical Security

Centralize management of ALL critical servers, Internet access, wireless APs Ensure secure flow and storage of not just EPHI, but all vital information Recognize IT as a fast emerging: –Strategic asset, Critical asset Raise employee communication & training, morale Security: An Executive Priority Summary: Serious Risk

Enterprise Security Goals Establish your enterprise security objectives. These may include: 1.Ensure confidentiality, integrity & availability of all sensitive business information 2.Protect against any reasonably anticipated threats or hazards to the security or integrity of information 3.Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required 4.Ensure compliance with legislations and standards as required

CIA - Security

Thank You! The Art of Information Security Available ONLY at

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.