Security Compliance In a Post-ACA World

Transcription

1 1 Security Compliance In a Post-ACA World Security Compliance in a Post-ACA World Discussion of building a security compliance framework as part of an ACA Health Insurance Exchange implementation. Further discussion of the implementation to transform the organizational approach to security compliance. Richard Chapman Senior Security/Compliance Officer Kentucky Health Benefit Exchange 2 1

2 November 1, Kentucky HBE Security Compliance Requirements Security Plan NIST Workbook Privacy Impact Assessment Information Security Risk Assessment IRS Security Procedures Report 4 2

3 An Abundance of Federal Guidance 5 What, inject who? Helping the Business to Understand the Requirements was a Challenge Business Our website has been hit with a SQL injection attack Security 6 3

4 Lessons Learned Regarding Security Compliance from a Health Benefit Exchange implementation Security Compliance is a business problem and is not limited to only the IT Security technical team A Single Compliance Framework on which to focus efforts saves time Data exchange agreements are a GREAT way to manage 3 rd parties with limited resources 7 Lesson 1: Security Compliance is not only for the technical IT Security team 8 A spring 2014 federal HHS Office of the Inspector General Audit focused on testing controls, testing procedures and executive awareness of the compliance program The move to ongoing monitoring of controls rather than audit response is a cultural shift for the whole organization Third party management is a continual cost challenge for security compliance and the federal bodies are not lessening the standards 4

5 Lesson 2: Pick a Single Compliance Framework on which to focus Organizational Compliance Efforts HIPAA NIST IRS Publication CFR CMS/FISMA 9 Focusing on a Single Framework to Maximize Resource HIPAA 45 CFR 160 CMS MARS-E NIST SP IRS Pub 1075 Foundational Emerging Standardized Integrated 10 5

6 NIST has a Family for Every Occasion Management Technical Operational CA Security Assessment & Authorization AC Access Control AT Awareness & Training PL Planning AU Audit & Accountability CM Configuration Management RA Risk Assessment SA System & Services Acquisition PM Program Management IA Identification & Authentication SC System & Communications Protection CP Contingency Planning IR Incident Response MA Maintenance MP Media Protection PE Physical & Environmental Protection PS Personnel Security 11 SI System & Information Integrity Common Framework Enables Better Business Standardizing Language Enables Unlocking Business Potential 12 6

7 Lesson 3: Data Exchange Agreements are a GREAT way to manage 3 rd parties with limited resources Creates awareness and agreements on security compliance terms Requires an executive signature for awareness Creates discussion over proper use of the data to be shared with 3 rd parties Costs only the staff time needed to execute the agreement Terms for renewal can be required to ensure regular review of the data exchange Can be more specific on data protection terms than general HIPAA compliance 13 Using Data Exchange Agreements to Describe Data in Detail 14 7

8 Monitoring 3 rd Party Business Partners is an Expensive Challenge 15 Thoughts for a Post-ACA Security Compliance World Business compliance departments should consider baseline measurements and ongoing statistics to monitor IT Security compliance Risk Management necessitates that a general compliance office have the necessary security compliance language skills to be conversant with IT Security teams IT Security compliance organizations should include a range of business skills to combine regulatory documentation experience with technical security experience for a well-rounded approach 16 8

9 The GOAL is to Manage Organizational Risk while still providing Stewardship of User Data Citizen Business Security 17 Takeaways In Transforming Security 18 9