A Technical Template for HIPAA Security Compliance

Similar documents

HIPAA Compliance for Mobile Healthcare. Peter J. Haigh, FHIMSS Verizon

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

HIPAA Security Rule Compliance

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Information Security Overview

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security Alert

Healthcare Compliance Solutions

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

HIPAA Security Matrix

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

White Paper. Support for the HIPAA Security Rule PowerScribe 360

HIPAA Compliance Guide

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Policies and Compliance Guide

HIPAA and Mental Health Privacy:

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA Compliance: Are you prepared for the new regulatory changes?

An Effective MSP Approach Towards HIPAA Compliance

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Security Is Everyone s Concern:

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

How To Write A Health Care Security Rule For A University

HIPAA COMPLIANCE REVIEW

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

Cloud Computing in a HIPAA- Compliant World. NRTRC Telemedicine Conference Dean Oswald March 25, 2014

HIPAA: In Plain English

VMware vcloud Air HIPAA Matrix

ITS HIPAA Security Compliance Recommendations

CHIS, Inc. Privacy General Guidelines

HIPAA Security Checklist

The Second National HIPAA Summit

C.T. Hellmuth & Associates, Inc.

Procedure Title: TennDent HIPAA Security Awareness and Training

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Datto Compliance 101 1

State HIPAA Security Policy State of Connecticut

SECURITY RISK ASSESSMENT SUMMARY

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

An Introduction to HIPAA and how it relates to docstar

HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Krengel Technology HIPAA Policies and Documentation

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Bridging the HIPAA/HITECH Compliance Gap

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Policy Title: HIPAA Security Awareness and Training

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

University of Pittsburgh Security Assessment Questionnaire (v1.5)

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

HIPAA Security Series

HIPAA Security Compliance Reviews

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

HIPAA Compliance Guide

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

Altius IT Policy Collection Compliance and Standards Matrix

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA PRIVACY AND SECURITY AWARENESS

Information Security Program Management Standard

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Cisco Advanced Services for Network Security

STATEMENT OF WORK FOR HIPAA SECURITY RISK ANALYSIS

Transcription:

A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS peter.haigh@verizon.com Thomas Welch, CISSP, CPP twelch@sendsecure.com Reproduction of this material is permitted, with attribution, for non-commercial purposes. This presentation represents the professional opinion of the authors. Verizon and Secure Enterprise Solutions accept no liability, expressed or implied, for the material contained herein. 1

Beware of the Hippo too!! 2

3

Context - Privacy & Security under HIPAA Privacy is what you must promise to do, on or before 4/14/2003 Security is about how you fulfil the promise on 4/14/2003, as well as 4/2005 ( stop-gap security) Networks are how the authorized (and unauthorized) get PHI Improper network activity specifically identified as a Security incident Therefore network security is of paramount importance 4

Securing the Network Sources of Security Threats Insiders/outsiders = 70/30, maybe 80/20 Malicious, dishonest, corrupt, distracted, disgruntled, negligent Naturally curious, poorly trained, terminated Terrorists Hackers & Crackers Computer criminals Securing the Network Perimeter Outsiders & remote users Policy, Training, Access Control, Monitoring, etc. Insiders Beware of outdated or crustacean security 5

State of the Art Security pre-gunpowder! 6

What changed in the Final HIPAA Security Regulations? Alignment with the Privacy Regulations Services & mechanisms = Technical Safeguards 69 required implementation specifications (RIS) reduced to 13 (20 including subsections) 22 addressable implementation specifications (AIS) New Definition of Electronic Media Voice (including voice-mail and video teleconferencing) & paper to paper fax not covered Voice response & faxback are covered What about Voice & Video over IP? More regulations to come Electronic signature Non-electronic PHI Enforcement But, no evolving versions 7

What changed in the Final HIPAA Security Regulations? Risk Analysis Vital! What is the Risk that (just a few examples): PHI can be used/disclosed inappropriately on: Internet transmissions? Wireless LANs? Tele-worker Workstations? Portable Devices (Hand-helds, PDAs)? Passwords can be compromised? Security incidents go undetected? Social engineering will result in unauthorized access? Document what you plan to do/not do, and why! 8

Security Standards Matrix Administrative Safeguards 12 Required 11 Addressable Physical Safeguards 4 Required 6 Addressable Technical Safeguards 4 Required 5 Addressable Note: The concept of addressable implementation specifications was introduced to provide covered entities with additional flexibility with respect to compliance with the security standard. 9

HIPAA v. ISO Standards Administrative Safeguards Organizational Security Information Security Policy Personnel Security Business Continuity Management Compliance Physical Safeguards Physical & Environmental Security Technical Safeguards Asset Classification and Control Access Control Communications and Operations Management Systems Development and Maintenance 10

Administrative Safeguards Standards Sections Implementation Specification R/A T Security Management Process 164.308(a)(1) Risk Analysis R Risk Management R Sanction Policy R IS Activity Review R Assigned Security Responsibility 164.308(a)(2) R Workforce Security 164.308(a)(3) Authorization and/or Supervision A Workforce Clearance Procedures A Termination Procedures A Information Access Management 164.308(a)(4) Isolating Health care Clearinghouse Function R Access Authorization A Y Access Establishment and Modification A Y Security Awareness and Training 164.308(a)(5) Security Reminders A Protection from Malicious Software A Y Log-in Monitoring A Y Password Management A Security Incident Procedures 164.308(a)(6) Response and Reporting R Y Contingency Plan 164.308(a)(7) Data Backup Plan R Y Disaster Recovery Plan R Y Emergency Mode Operation Plan R Y Testing and Revision Procedure A Applications and Data Criticality Analysis A Evaluation 164.308(a)(8) R BA Contracts and Other Arrangement 164.308(b)(1) Written Contract or Other Arrangement R 11

Physical Safeguards Standards Sections Implementation Specifications R/A T Facility Access Controls 164.301(a)(1) Contingency Operations A Facility Security Plan A Access Control and Validation Procedures A Y Maintenance Records A Workstation Use 164.310(b) Documented procedures for system use R Y Workstation Security 164.310(c) Physical placement and control R Y Device and Media Controls 164.310(d)(1) Disposal R Y Media Re-use R Y Accountability A Data Backup and Storage A Y 12

Technical Safeguards Standards Sections Implementation Specifications R/A T Access Controls 164.312(a)(1) Unique User Identification R Y Emergency Access Procedure R Y Automatic Logoff A Y Encryption and Decryption A Y Audit Controls 164.312(b) R Y Integrity 164.312(c)(1) Mechanism to Authenticate Electronic PHI A Y Person or Entity Authentication 164.312(d) R Y Transmission Security 164.312(e)(1) Integrity Controls A Y Encryption A Y 13

Steps to Technical Compliance Conduct a Thorough Risk Assessment Evaluate the Risks Design a Secure Architecture Select & Implement Countermeasures Firewalls IDS Standardized hardware-software platforms Host Hardening Strong Authentication & Access Control (w/auditing) Integrity Controls (i.e. Tripwire) Encryption and VPNs Virus protection Conduct Follow-up Audits (Quarterly) Establish Evidence that You re Doing Something Waiting is Risky Business 14

Information Security Lifecycle CIRT & Forensics Security Assurance Testing Reporting Monitoring Training Security is a process not a product... Technology Implementation VPN Encryption Firewalls Authentication IDS, etc. Business Applications & Services Networks, Intranet, Internet, Remote Access Hardware & Operating Systems Policy & Architecture Risk Assessment Security Policy Building Blocks People Process Technology Solution Design & Selection Security Design Technology Selection 15

Project Approach Recommendations Future State Findings Current State High Risk Medium Risk Low risk Business & IT Strategies Security Requirements & Risk Management Security Policy Security Organization Asset Classification & Control Personnel Security Physical & Environmental Security Communications & Operations Management Access Control Systems Development & Maintenance Business Continuity Management Compliance 16

Cost of Security Costs Level of Security 17

Be Prepared for an Attack No one is immune! and the threat is increasing. 18

Technical Compliance Summary Security is more than just a Login It MUST be implemented in layers Security should be as transparent as possible An organization must be ready to: Protect Detect Respond to any type of adverse event The GOOD NEWS many technical tools are available to improve security 19

20