Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Published byMitchell Harmon Modified over 8 years ago

Similar presentations

Presentation on theme: "Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,"— Presentation transcript:

1 Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024.

2 Technical Safeguards: Intrusion Detection System (IDS) Monitors networks or systems for malicious activities or policy violations. Logs such activity and notifies administrator. Takes preemptive actions to stop activities. NOT a firewall (and vice versa). Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 2

3 Technical Safeguards: Audit Logging Hardware/software/procedural mechanisms to record & examine access & other activity Data to be logged can vary depending on level of access controls to ePHI data. In general, servers should use OS system logging tools to track: –Who accessed (or tried to access) server. –What data/databases were accessed, any changes made. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 3

4 Technical Safeguards: Audit Logging (cont’d) EHR should also support logging: –User access –Patient data accessed –Sign-on failures –Data changes made Periodic proactive audits (sampling) –Consider for higher-risk patient populations (e.g., employees) or after publicized events –To deter abuse, make users aware. Reactive audits triggered by defined event Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 4

5 Technical Safeguards: Offsite Access Should be tightly regulated. Utilize Virtual Private Network (VPN) and encryption at all times. VPN –Uses encryption, authentication, authorization, Network Access Quarantine Control to protect data. –Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 5

6 What is a Virtual Private Network (VPN)? Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 6 VPN routerInternet VPN client installed on user’s laptop Encrypted Communication

7 Server & Computer Security Tips Install firewall, IDS, & monitoring tools to monitor & protect all servers using/storing ePHI. Strong policies for use of ePHI. Rename local administrator & guest accounts; strong passwords; disable unused accounts. NTFS file system (Windows servers) Antivirus software, with updates Attack surface reduction tool: turn off unneeded server applications & reduce attack surface. Configure server correctly, with vendor Create security baseline; tools available. Install service packs within 48 hours of release. Lock down database applications, regularly install updates. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 7

8 Contingency Plans Critical data backed up and stored Emergency call list Plan to restore systems Plan to move into temporary office Secure offsite storage Situations that may activate contingency plan Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 8

9 Contingency Plans (cont’d) Written plans –Risk analysis/assessment –Database backup –Database secure storage –Data restore plan –Disaster recovery plan –Critical incident response plan Software inventory Hardware inventory Logs: transmission points Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 9

10 Data Backup Policy Data integrity just as important as confidentiality. Backing up critical files, including patient or EHR databases, helps ensure data recovery after catastrophic failure or security breach. Determine procedures, hardware, and software required for reliable & efficient backup of production databases. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 10

11 Secure Data Storage & Restore Policies Data most susceptible to corruption or loss in state of rest (90% of the time). Databases need particularly thorough analysis for risks. Detailed guidelines for securing and safely restoring data stored on network. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 11

12 Disaster Recovery & Critical Incident Response Plans Address emergencies requiring immediate intervention to protect network or restore operational status after catastrophe. Based on original risk analysis. Outlines elements, procedures, & people needed to restore network or mitigate imminent threat in timely manner. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 12

13 Hardware & Software Inventories Hardware inventory –Loss of hardware can mean a loss much greater than just replacement cost. –Helps ensure equipment properly locked down and secure. Software inventory –Provides insight to manage/mitigate risks to network from software vulnerability. –Facilitates proper software management practices, patching. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 13

14 Logs: Transmission Points Effective logging and monitoring strategy is critical to network security. Logs can be overwhelmingly large. Determine which data need stringent monitoring (e.g., who is accessing); begin by concentrating efforts there. Written plan of what is logged & why, with procedures for auditing & record of accountability to ensure compliance. Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 14

15 Summary Security measures to be implemented on your network will largely depend on: –Federal, state, & local requirements –Organizational requirements –Network type topology & operating system (OS) Component 8/Unit 6bHealth IT Workforce Curriculum Version 2.0 Spring 2011 15

16 Reference University of Wisconsin-Madison HIPAA Security Best Practices Guidelines, #3 Audit Controls, 4D –http://hipaa.wisc.edu/docs/auditControls.pdf Component 8/Unit 8aHealth IT Workforce Curriculum Version 2.0 Spring 2011 16

Download ppt "Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,"

Similar presentations

David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Information Security Information Technology and Computing Services Information Technology and Computing Services

Information Security Information Technology and Computing Services Information Technology and Computing Services
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,

Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,

Similar presentations

Ads by Google