Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applying Technical Solutions. The ables Addressable Arguable Reasonable.

Published byDevin Lewis Modified over 10 years ago

Similar presentations

Presentation on theme: "Applying Technical Solutions. The ables Addressable Arguable Reasonable."— Presentation transcript:

1 Applying Technical Solutions

2 The ables Addressable Arguable Reasonable

3 §164.306 G eneral Rules §164.306 (a) Covered entities must do the following: §164.306 (a)(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. §164.306 (a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. §164.306 (a)(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required. §164.306 (a)(4) Ensure compliance by its workforce.

4 §164.306 (b) Flexibility of Approach §164.306 (b)(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. §164.306 (b)(2) In deciding which security measures to use, a covered entity must take into account the following factors: §164.306 (b)(2)(i) The size, complexity, and capabilities of the covered entity. §164.306 (b)(2)(ii) The covered entity's technical infrastructure, hardware, and software security capabilities. §164.306 (b)(2)(iii) The costs of security measures. §164.306 (b)(2)(iv) The probability and criticality of potential risks to electronic protected health information.

5 Implementation Specifications §164.306 (d) Implementation specifications. §164.306 (d) (1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification. §164.306 (d)(2) When a standard adopted includes required implementation specifications, a covered entity must implement the implementation specifications. §164.306 (d)(3) When a standard adopted includes addressable implementation specifications, a covered entity must

6 Addressable Standards §164.306 (d)(3)(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and §164.306 (d)(3)(ii) As applicable §164.306(d)(3)(ii)(A) Implement the implementation specification if reasonable and appropriate; or §164.306(d)(3)(ii)(B) If implementing the implementation specification is not reasonable and appropriate §164.306(d)(3)(ii)(B)(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and §164.306(d)(3)(ii)(B)(2) Implement an equivalent alternative measure if reasonable and appropriate.

7 Risk Analysis 164.308.a.1 (R) Network Based Scanners TCP/IP Simulate behavior of attackers to expose vulnerability Have policy based configuration - COTS Have configuration file - Free Configuration file or policy launches multiple programs Must be run from a multi threaded operating system Exploits designed to expose vulnerabilities Additional exploiting required

8 Risk Analysis 164.308.a.1 (R) Network Based Scanners All have strengths and weaknesses Internet Scanner Security Analyzer By-Control NMAP Sara Satan Nessus

9 Risk Analysis 164.308.a.1 (R) Host Based Scanners Check for consistencies in the corporate security policy Enforce security policy Installed on the Host Machine Detects vulnerabilities Can be multi platform

10 Risk Analysis 164.308.a.1 (R) Host Based Scanners System Scanner- Internet Security Systems Security Analyzer – NetIQ By-Control - Bindview Corp ECM – Configuresoft

11 Information System Activity Review 164.308.a.1 (R) Host Based Intrusion Detection Monitors a systems applications log files Responds with an alarm Responds with countermeasure

12 Information System Activity Review 164.308.a.1 (R) Host Based Intrusion Detection Mantrap- Recourse Technologies Netvision Policy Management- NetVision Tripwire for Servers- Tripwire Inc Enterprise Security Solution - Bindview

13 Isolate Clearinghouse function 164.308.a.4 (R) Network Architecture VLANS – switching and routing traffic Servers – were they reside Email – content security and encryption Firewall– control communications

14 Isolate Clearinghouse function 164.308.a.4 (R) Firewall System or group of systems that enforces an access control policy between networks Firewall Technology Cisco PIX Checkpoint Firewall 1 Storm Watch

15 Protection from Malicious Software 164.308.a.5 (A) Denial of Service (DOS attack) Smurf attack Buffer Overflow attack Syn attack Teardrop attack

16 Protection from Malicious Software 164.308.a.5 (A) Denial of Service (DOS attack) Smurf attack Buffer Overflow attack Syn attack Teardrop attack

17 Protection from Malicious Software 164.308.a.5 (A) Worms Viruses Protection Server based Workstation based

18 Protection from Malicious Software 164.308.a.5 (A) Denial of Service (DOS attack) Smurf attack Buffer Overflow attack Syn attack Teardrop attack

19 Protection from Malicious Software 164.308.a.5 (A) Anti Denial of Service (DOS attack) tools Attack Mitigator – Top Layer Networks Pest Patrol – Pest Patrol Inc. ManHunt – Recourse Technologies NetDirector – Niksum Inc

20 Contingency Plan 164.308.a.5 (A) Disaster Recovery Plan Software Relational databases built on word processing capabilities to develop and maintain disaster recovery plans Recovery – SunGuard LDPRS – Strohl Systems

21 Device and Media Controls 164.310.d.1 (R) Disposal Cyber scrub Re-image Drive Copy Drive Image

22 Workstation Security 164.310.c. (R) Harden Policy for hardening all desktop configurations Secure Operating System Policy on workstation use Data at rest encryption (laptop) Grim Card Cyber Dog

23 Access Control 164.312.a (A) Encryption and Decryption Sophisticated computer algorithms are use to encrypt the files in storage (at rest) then decrypt when needed, Data at rest Servers and Applications Ancort Grimdisk Cryptodisk

24 Audit Controls 164.312.b (R) Real Time Security Awareness See what is happening across the enterprise from a single console. Back up log files from a single location Cost justified by reduction in personnel RTSA Manhunt NetForensics NSAG First Assurance

25 Integrity 164.312.c (A) Public Key Infrastructure (PKI) Desktop - Email Network - VPN Cost justified by reduction in personnel Verify Designated Record Set (DRS) has not been modified.

26 Transmission Security 164.312.e (A) Integrity Controls VPN VLAN Email Encryption Encryption IPSec PPTP Router and VPN driven encryption schemas

27 Enterprise Solutions Enterprise Security Administration NetVision Policy Management Suite Real Secure Site Protector By-Admin Key benefits: Tool that provides enterprise wide security administration Keeping track of user access and across the enterprise Role based access built in to access control model

Download ppt "Applying Technical Solutions. The ables Addressable Arguable Reasonable."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Security Controls – What Works

Security Controls – What Works
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.

Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.

Similar presentations

Ads by Google