Internet2 Health Network Initiative Security Group. Co-Chairs Bob Meeker Sean Lynch Internet2 Program Office Department of Veterans Affairs

Transcription

1 Internet2 Health Network Initiative Security Group Co-Chairs Bob Meeker Sean Lynch Internet2 Program Office Department of Veterans Affairs

2 1. Federal Security Regulations in RHCPP Partnerships Presentation & Discussion 2. 3 rd Party Security/Network Operations Center Support for RHCPPs A concept discussion 3. SEC-WG Action for the Future Round Table

3 1. Federal Security Regulations in RHCPP Partnerships Presentation & Discussion 2. 3 rd Party Security/Network Operations Center Support for RHCPPs A concept discussion 3. SEC-WG Action for the Future Round Table

4 The HIPAA Security Rule Confidentiality & Integrity Entities that manage patient data need to protect that data by making sure it stays confidential, that it isn't altered, and can't be accessed by those not authorized. FTC Red Flag Rule Confidentiality Requires financial institutions to implement a program to detect, prevent and mitigate instances of identity theft. SOX Confidentiality, Integrity & Availability Establishes a requirement for public corporations to install security controls on their system and report on the effectiveness of the controls annually. In the same report, their certified accounting firms must attest to the Corporation s statement and assessment. FISMA Confidentiality, Integrity & Availability Establishes a risk-based policy for cost-effective security in Federal government systems. It is probably the most thorough of the regulations in terms of identifying risk, the selection of required security controls, the assessment of the implementation of those controls, and reporting the status of the controls. 4

5 FISMA HIPAA Security Rule Sarbanes- Oxley (SOX) FTC Red Flag Rule 5

6 Deployment of a series of administrative, technical, and physical security procedures for use by covered entities to assure the confidentiality and integrity of electronic protected health information HIPAA Security Rule 6

7 Who is Subject to the Standard? Covered Health Care Providers Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard Health Plans Any individual or group plan that provides or pays the cost of health care (e.g., a health insurance issuer and the Medicare and Medicaid programs) Health Care Clearinghouses A public or private entity that processes another entity s health care transactions from a standard format to a non-standard format, or vice-versa HIPAA Security Rule 7

8 The Business Associate Escape Hatch Protected health information covered entities may be disclosed to a business associate to help the covered entity carry out its health care functions A covered entity must obtain satisfactory assurances in writing that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity The document may be a contract or other agreement between the covered entity and the business associate This is going away! HIPAA Security Rule 8

9 $100 for each violation The total amount imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000 HIPAA Security Rule 9

10 Business Associates must now comply directly with the Security Rule Disclosure accounting requirements must be maintained for disclosure of an electronic health record for treatment, payment or healthcare operations. (Effective date between Jan. 1, 2011 and Jan. 1, 2014) Each individual affected by a security breach must be notified by the entity or business associate that had the breach HHS must issue, and annually update, guidance specifying the technologies and methodologies that will render EPHI secure General effective date is February 17, 2010 HIPAA Security Rule 10

11 Compliance with a patient restriction request is required if the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) and the PHI pertains solely to a health care item or service for which the health care provider has been paid in full Sale of Electronic Health Records, or PHI, is expressly prohibited without patient approval Vendors of personal health records are now subject to HIPAA Periodic audits" by HHS are required to ensure compliance by business associates and covered entities HIPAA Security Rule 11

12 Violations due to "reasonable cause and not to willful neglect Violations due to willful neglect Corrected violations Violations due to willful neglect Violations not corrected properly $1,000 for each violation $10,000 for each violation $50,000 for each violation $100,000 maximum penalty during a calendar year $250,000 maximum penalty during a calendar year $1,500,000 maximum penalty during a calendar year HIPAA Security Rule 12

13 State attorney generals can now bring a HIPAA enforcement action for rules violation States may not initiate action while a Federal action is in progress Individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement HIPAA Security Rule 13

14 FISMA HIPAA Security Rule Sarbanes- Oxley (SOX) FTC Red Flag Rule 14

15 Develop and implement a written Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts FTC Red Flag Rule 15

16 The Program must include four elements as reasonable policies and procedures Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program Detect Red Flags that have been incorporated into the Program Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft Ensure the Program is updated periodically, to reflect changes in risks to customers, or to the safety and soundness of the financial institution, or creditor from identity theft FTC Red Flag Rule 16

17 The initial written Program must be approved by the board of directors or a committee of the board The board or a senior executive must have oversight of the development, implementation and administration of the Program Staff must be trained in the Program Oversight authority includes the administration of service provider arrangements FTC Red Flag Rule 17

18 Creditors" with covered accounts A creditor is any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit Non-profit and government entities that defer payment for goods and services are considered creditors Accepting credit cards as a form of payment does not make you a creditor FTC Red Flag Rule 18

19 A covered account is An account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions Any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft FTC Red Flag Rule 19

20 Effectively, anyone that extends credit to consumers comes under the FTC's Red Flag Rule If you accept payment after services are rendered, it is very likely that Red Flag applies to you. Check with your legal department FTC Red Flag Rule 20

21 States may impose a $1,000 penalty if there is no Federal action Penalties imposed by the FTC for violations may not exceed $2,500 per infraction FTC Red Flag Rule 21

22 FISMA HIPAA Security Rule Sarbanes- Oxley (SOX) FTC Red Flag Rule 22

23 Corporations are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting The firm s registered accounting firm must, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting The emphasis is on the accuracy and authenticity of the annual financial statements Sarbanes-Oxley (SOX) 23

24 Applies to all Public Companies Exceptions for Smaller Public Companies: Management assessment delayed until 2007 annual report (Last year) Auditor's attestation delayed until 2008 annual reports (This Year) If you are a public corporation, you are probably undergoing assessments and creating corrective action plans for your deficiencies under the watchful eye of your corporation s registered accounting firm Sarbanes-Oxley (SOX) 24

25 The Public Company Accounting Oversight Board (PCAOB) was created by the Act to: - Develop Standards and Related Rules - Certify Public Accounting Firms SOX is part of the federal code that empowers the FTC with regulatory and enforcement responsibilities Sarbanes-Oxley (SOX) 25

26 Fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation Fines and/or imprisonment up to 10 years for any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years Fines and/or imprisonment up to 10 years for anyone who knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any federal offense Sarbanes-Oxley (SOX) 26

27 FISMA HIPAA Security Rule Sarbanes- Oxley (SOX) FTC Red Flag Rule 27

28 Title III of the E-Government Act of 2002, the Federal Information Security Management Act (FISMA) Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources FISMA 28

29 Each federal agency must develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source FISMA 29

30 For each system: Develop a Plan for security Ensure that appropriate officials are assigned security responsibility Periodically review the security controls in their information systems Authorize system processing prior to operations and, periodically, thereafter Develop a Contingency Plan FISMA 30

31 Who is subject to the Standard? All non-classified Federal Civilian IT Systems including those provided or managed by another agency, contractor, or other source Each agency varies in how it applies FISMA to contractor systems In general, if it has a contract with a Federal agency and 1. Performs data processing for the agency or 2. Has an IT support system that is a repository for agency data or 3. Produces planning or engineering data for the agency You will be subject to FISMA in some form FISMA 31

32 Each agency is responsible for performing a Certification and Accreditation (C&A) on all systems at least once every three years or when significant changes are made to the system Financial systems have an annual C&A requirement For systems having a Moderate or High sensitivity, the assessment must be performed by an independent party Deficiencies are recorded and tracked in Corrective Action Plans (CAP) and reported to OMB, quarterly The Department IG reviews agency C&As to verify that defined process is followed to insure the Authorizing Official has a clear understanding of the risk associated with a system FISMA 32

33 Loss of authority to operate (for contractors possible termination of contract) Loss of system funding except to correct deficiencies In some cases, the opportunity to testify before Congress FISMA 33

34 34

35 All of the standards codify best practices in IT and security including: Documentation (Policy, Procedures, Product, etc.) Separation of duties Minimum privilege Change Management Access Control (Generally, RBAC) & Management Contingency Planning Prudence and due diligence Summary 35

36 All of the standards promote a risk management approach to security in their respective areas of interest All of the standards provide for cost benefit trade-offs in applying controls including consideration for company environment SOX and FISMA include controls that address the other standards Summary 36

37 The Application of these standards to a RHCPP will be determined by the services provided by the entity. If the RHCPP is a legal association of independent businesses to obtain telecommunications services for all, it may be that none of the standards apply. HIPAA No use, storage or visibility of EPHI Red Flag No credit to the public SOX A public corporation subject to FTC regulation? FISMA Carriers are not subject to FISMA, the RHCPP entity is equivalent to a carrier. The system owner is responsible for assuring security Summary 37

38 RHCPP services or characteristics which would be subject to security standards: Administrative, Billing, Payment HIPAA, Red Flag (?) HIE, Central Health Record Storage HIPAA Regional Health Information Organizations HIPAA In the unlikely event that a RHCPP is a public corporation subject to FTC regulation, do not forget SOX Summary 38

39 If the RHCPP entity provides SOC/NOC services, the services should be compliant with HIPPA and FISMA controls If the RHCPP entity provides telecommunications for disaster recovery, it should be designed for compliance with HIPAA and FISMA controls Summary 39

40 FTC Red Flag and HIPAA are the likely standards that will apply to members of an RHCPP consortium HIPAA is a sure thing FTC Red Flag is punishment for the good deed of payment plans for a patient SOX compliance is a benefit of going public (Corporate IPOs) FISMA compliance may stem from collaboration with a Federal Agency Summary 40

41 FISMA HIPAA Security Rule Sarbanes- Oxley (SOX) FTC Red Flag Rule 41

42 FISMA HIPAA Security Rule Sarbanes- Oxley (SOX) FTC Red Flag Rule 42

43 Detailed Standards are referenced in the following publication: Department of Health and Human Services Office of the Secretary 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule securityfinalrule.pdf HIPAA Security Rule 43

44 HIPAA Security Educational Paper Series (CMS) Seven papers providing guidance on the implementation of the standards developed by CMS The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (HHS OCR & ONC) Establishes the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network The Health IT Privacy and Security Toolkit (HHS ONC) Tools for implementing the Privacy and Security Framework HIPAA Security Rule 44

45 Covered Entity Charts (CMS) CoveredEntitycharts.pdf An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST SP Rev 1, Oct 2008) Revision1.pdf HIPAA Security Rule 45

46 1. A fraud alert included with a consumer report 2. Notice of a credit freeze in response to a request for a consumer report 3. A consumer-reporting agency providing a notice of address discrepancy 4. Unusual credit activity, such as an increased number of accounts or inquiries 5. Documents provided for identification appearing altered or forged 6. Photograph on ID inconsistent with appearance of customer 7. Information on ID inconsistent with information provided by person opening account 8. Information on ID, such as signature, inconsistent with information on file at financial institution FTC Red Flag Rule 46

47 9. Application appearing forged or altered or destroyed and reassembled 10. Information on ID not matching any address in the consumer report, Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased 11. Lack of correlation between Social Security number range and date of birth 12. Personal identifying information associated with known fraud activity 17. Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service 18. Social Security number provided matching one submitted by another person opening an account or other customers FTC Red Flag Rule 47

48 15. An address or phone number matching one supplied by a large number of applicants 16. The person opening the account unable to supply identifying information in response to notification that the application is incomplete 17. Personal information inconsistent with information already on file at financial institution or creditor 18. Person opening account or customer unable to correctly answer challenge questions 19. Shortly after change of address, creditor receiving request for additional users of account 20. Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment FTC Red Flag Rule 48

49 21. Drastic change in payment patterns, use of available credit or spending patterns 23. An account that has been inactive for a lengthy time suddenly exhibiting unusual activity 24. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account 25. Financial institution or creditor notified that customer is not receiving paper account statements 26. Financial institution or creditor notified of unauthorized charges or transactions on customer's account 27. Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft FTC Red Flag Rule 49

50 ID Theft Red Flags EDUCAUSE CONNECT [Term View] The Red Flags Rule: What Heath Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft Agencies Issue Final Rules on Identity Theft Red Flags FTC's red flag rules cast wide identity theft net - Network World FTC Red Flag Rule 50

51 Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements Standards_and_Related_Rules/Auditing_Standard_No. 5.aspx Sarbanes-Oxley (SOX) 51

52 The Sarbanes-Oxley Act SOX Internal Control Reporting Provisions Spotlight on: Sarbanes-Oxley Rulemaking and Reports Sarbanes-Oxley Section 404: A Guide for Small Business NIST - RBAC & Sarbanes-Oxley Compliance The Public Company Accounting Oversight Board Sarbanes-Oxley (SOX) 52

53 FIPS Publication 199 (Security Categorization) FIPS Publication 200 (Minimum Security Controls) FISMA 53

54 NIST Special Publication (Security Plan Development) NIST Special Publication (Risk Assessment) NIST Special Publication (Contingency Plan Development) NIST Special Publication (Certification & Accreditation) NIST Special Publication , Draft (Risk Management Framework) NIST Special Publication (Recommended Security Controls) FISMA 54

55 NIST Special Publication A (Security Control Assessment) NIST Special Publication (National Security Systems) NIST Special Publication (Security Category Mapping) NIST Special Publication (Electronic Authentication Guideline) (Appendix A: Estimating Password Entropy and Strength) FISMA 55

56 1. Federal Security Regulations in RHCPP Partnerships. Presentation & Discussion 2. 3 rd Party Security/Network Operations Center Support for RHCPPs A concept discussion 3. SEC-WG Action for the Future Round Table

57 The RHCPP is an assembly of independent businesses and individuals to provide medical care to rural areas The contractual basis for associations vary (association, partnership, joint venture, etc), but must meet the requirements of the FCC RHCPP SOC/NOC Support 57

58 Undetermined organization hierarchy At best, a hazy management structure defined by the type of association agreement Multiple independent entities where the AMCs are the big fish in the pond Diverse physical environments with variable levels of physical security Data centers, store fronts, large and small clinics Guards and badge reader entries to open doors with simple locks SOC/NOC Support 58

59 Diverse systems with broad variations in equipment, staffing and IT security One or more workstations with limited, or no local networks Windows internal firewalls or small internal firewalls Limited, at best, IDS/IPS capability Broad variation in account and password management Minimal, or no IT staff to full organizations Training programs to did you read the manual or office meetings The potential for aged or even legacy technology SOC/NOC Support 59

60 How will the following functions be addressed in the RHCPP environment? - Incident Response - IDS/IPS - NOC/SOC To what level should individual organizations be responsible for local access controls and account management? Some will have very limited or no IT expertise? Can the larger organizations in the RHCPP assume this function? Can it be provided as a network service? SOC/NOC Support 60

61 The creation of a consortium by the RHCPPs to provide common network and security services to the RHCPPs was discussed by a group of attendees at the Fall 08 Internet2 Member Meeting. The services could include: Network Operations (Control & Monitoring) Security Operations (IDS/IPS, Malware Maintenance, Scanning, etc.) Incident Response Account Management SOC/NOC Support 61

62 Is the underlying assumption valid (i.e. the RHCPP entities have a need for this type of service)? How should the stated services be ranked for need? Are other services needed? Are the FCC rules which could limit the ability to obtain services in this fashion? There are multiple approaches for defining a provider. What do the RHCPPs favor? Consortium Independent Third Party Commercial SOC/NOC Support 62

63 SOC/NOC Support 63

64 1. Federal Security Regulations in RHCPP Partnerships. Presentation & Discussion 2. 3 rd Party Security/Network Operations Center Support for RHCPPs A concept discussion 3. SEC-WG Action for the Future Round Table

65 What topics do you believe the HNI Security Working Group should address for the Fall Member Meeting? SEC-WG Action for the Future 65