White Paper Strengthening Information Assurance in Healthcare


Date: April 2011
Provided by: Concurrent Technologies Corporation (CTC), 100 CTC Drive, Johnstown, PA 15904-1935, www.ctc.com
Business Point of Contact: Mr. Dave Davis, Senior Director, Healthcare Initiatives, Phone: (814) 269-2582, Email: davisd@ctc.com

The 2009 changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules and Security Safeguards have had a major impact on healthcare providers as well as non-covered entities, as there is no longer the option of voluntary compliance. The changes include mandatory audits for HIPAA compliance, significant fines for non-compliance, and criminal charges for violations of HIPAA's rules' authorization requirements (fines can range from $10K to $50K per violation). This paper focuses on the HIPAA regulations as they pertain to information technology security and on an approach to address information assurance.

Covered entities and business associates should note that while a successful compliance assessment may be a starting point for information security, it provides only a minimal level of information assurance and is not a practical indication of the overall security posture of the organization. It is not sufficient to concentrate only on infrastructure controls, as the majority of cyber attacks are increasingly occurring at the application layer and on unprotected endpoints. Data from MITRE indicates that compliance-only assessments provide approximately 45% coverage of known vulnerabilities. Attackers know this, will assume that you are compliant, and will therefore concentrate on the remaining 55% of the attack surface.

As electronic exchange of Protected Health Information (PHI) becomes the norm, covered entities must have assurances that PHI is safeguarded as it is transmitted between corporate and local facilities, third-party service providers, governmental entities, or other public health entities. What assurances do you have that other facilities have appropriate safeguards for the PHI you provide? What assurances do you have that the health information technology software you have deployed was developed using industry-standard software assurance practices? Have your employees been sufficiently trained in information security practices? Do you have a good understanding of what security controls you have in place, what they protect, their effectiveness, and where the gaps are, if any? Are all endpoints protected (including business and personal mobile devices such as laptops and phones)? How often are you reassessing security safeguards, policies, and procedures? Is there too much focus on protection and too little on detection and response?

When choosing security safeguards, entities must assess these controls and understand how the controls relate to the various states and places in which information assets can exist. The McCumber Cube provides a concise framework that models the perspectives one must consider for information assurance and how information assets can coexist in multiple dimensions. When assessing an information security problem, it provides a good reference for thinking about the problem from each perspective.

Figure 1: McCumber Cube. Axes: Security Goals/Services (Confidentiality, Integrity, Availability); Information States (Transmission, Storage, Processing); Counter-Measures (Technology, Policies & Practices, Human Factors).

Information Security Goals/Services
Confidentiality - information should not be disclosed to unauthorized users
Integrity - information (and systems) should not be modified (maliciously or accidentally) outside of authorized processes
Availability - information should be reliably accessible to authorized users

Information States
Transmission - information moving from source to destination
Storage - information at rest, waiting to be accessed
Processing - information being examined or modified

Security Counter-Measures
Technology - hardware and software used to limit threats and vulnerabilities
Policies & Practices - defined goals and procedures for mitigating risks
Human Factors - awareness, education, and training

For example, file or disk encryption is a technology that addresses confidentiality of information in storage. However, it does not address availability if the password is lost; human factors and policies if the password is weak or obtained through social engineering (awareness, education); or transmission if the data must be decrypted for another office or entity to receive it, which then retains the information unencrypted on a mobile device (an unprotected endpoint).

Identification of Critical Program Information (CPI) and Critical Technology (CT) is the backbone for all risk management strategic scheduling and resource decisions. Given that resources are not unlimited and that entities may not have the ability to conduct full-scale risk management activities on all of their critical assets, it is still crucial to identify and collect knowledge of these assets to aid in the appropriate prioritization and allocation of resources across the entire enterprise. This knowledge is also useful for characterizing and prioritizing the potential risks to critical assets and determining the entity's overall security posture.

CTC advocates a more positive approach to information assurance through compliance assessments, CPI/CT identification, and threat modeling, with more emphasis on the effectiveness that security controls have in limiting or mitigating threats in each dimension of information assurance. Compliance-only assessments provide, at most, half of the threat coverage and are more negatively focused on the non-compliance gaps. CTC utilizes a multi-tiered approach to risk management that minimizes effort for lower-risk areas and maximizes understanding and mitigation planning for higher-risk areas.

Tier 1 Assessment
Objectives: Identify critical technology (CT) and critical program information (CPI) likely to pose increased risk (i.e., critical asset identification).
Activities: Identify and collect basic information about all critical assets. This information consists of very high-level indicators (criticality) of critical assets.
Mechanisms: Interviews and survey.
Investment: Minimal cost and effort to interview and fill in survey information.
Deliverables: Report containing results of surveys; prioritized list of critical assets by criticality.

Tier 2 Assessment
Objectives: Identify which critical assets will require more immediate investigation and assessment to quantify and mitigate risk. Review policies and procedures for compliance with the HIPAA Privacy Rule. Initial review of security controls for compliance with HIPAA Security Safeguards.
Activities: Includes Tier 1 activities. Collect more detailed information about specific technologies utilized to provide confidentiality, integrity, and availability of critical assets. Review policies and procedures documentation for HIPAA compliance. Review and determine the existence and effectiveness of required HIPAA Security Safeguards.
Mechanisms: Interviews, surveys, documentation review, threat modeling.
Investment: Additional cost for documentation reviews, additional interviews and surveys, and threat modeling.
Deliverables: Report containing results of surveys, compliance checks, and results of threat modeling, providing further detail of criticality, risks, and mitigations for identified critical assets.

Tier 3 Assessment
Objectives: Determine the overall health of security safeguards applied to the critical assets with a high criticality. Test and identify issues/vulnerabilities with associated security safeguards and recommend appropriate mitigations. In-depth review of policies and procedures for potential recommendations of changes to improve security and reduce security management costs.
Activities: Includes all Tier 2 activities. Analysis of security safeguards, which includes basic application penetration tests. In-depth review of policies and procedures.
Mechanisms: Interviews, surveys, document reviews, penetration-test and scanning tools.
Investment: Additional costs for in-depth reviews, application penetration tests, scanning, and analysis.
Deliverables: Report containing results of reviews and of application penetration and scan tests, providing further detail of criticality, risks, and mitigations for identified critical assets.

Tier 4 Assessment
Objectives: Determine the overall health of critical assets with a criticality of Medium or higher. Test and identify issues/vulnerabilities with associated security safeguards and recommend appropriate mitigations. Review auditing procedures and electronic monitoring of security controls. Review education, training, and security awareness programs, with recommendations to address identified gaps. Review compliance with HIPAA, the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG), National Institute of Standards and Technology (NIST) 800-53, and International Organization for Standardization (ISO) 17799.
Activities: Includes Tier 3 activities. Complete review of policies and procedures and security safeguards against HIPAA, DISA STIG, NIST 800-53, and ISO 17799. In-depth review of education, training, and security awareness documents and procedures.
Mechanisms: Interviews, surveys, document reviews, penetration-test and scanning tools.
Investment: Additional costs for compliance checks, education and training reviews, and added application penetration tests, scanning, and analysis.
Deliverables: Report containing results of reviews, compliance checks, and results of application penetration and scan tests, providing further detail of criticality, risks, and mitigations for identified critical assets.

In summary, CTC provides our customers with end-to-end risk management solutions that focus on security risk management across the HIT enterprise.
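The McCumber Cube discussion above treats each safeguard as covering some cells of a 3x3x3 grid (goal x state x counter-measure) and treats the gaps as whatever is left uncovered. The Python script below is an added example, not part of the CTC paper or its assessment service: it encodes the cube's three axes with the names the paper uses, lets an assessor register which cells each safeguard addresses, and reports the cells that no safeguard covers, optionally filtered to one goal, state or counter-measure. The control names and their coverage claims (full-disk encryption, a key-recovery and passphrase policy, awareness training, TLS for PHI exchange, a mobile endpoint policy) are constructed to mirror the paper's disk-encryption illustration and are not taken from the page.

```python
"""McCumber Cube coverage and gap analysis.

Added example, not from the CTC white paper. The cube's three axes follow
the paper's Figure 1; the registered controls and what they claim to cover
are constructed for illustration only.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("transmission", "storage", "processing")
MEASURES = ("technology", "policies_practices", "human_factors")

# All 27 cells of the cube, each a (goal, state, counter-measure) triple.
ALL_CELLS = frozenset(product(GOALS, STATES, MEASURES))


def validate(cell):
    """Reject a cell that is not on the cube (e.g. a misspelled axis value)."""
    if cell not in ALL_CELLS:
        raise ValueError(f"not a McCumber cell: {cell}")
    return cell


def covered_cells(controls):
    """Union of the cells claimed by every registered control."""
    return {validate(c) for cells in controls.values() for c in cells}


def gaps(controls, goal=None, state=None, measure=None):
    """Cells no control covers, optionally restricted on each axis.

    Returned sorted so that reports are deterministic.
    """
    open_cells = ALL_CELLS - covered_cells(controls)
    return sorted(
        c for c in open_cells
        if (goal is None or c[0] == goal)
        and (state is None or c[1] == state)
        and (measure is None or c[2] == measure)
    )


def coverage_ratio(controls):
    """Fraction of the 27 cells addressed by at least one control."""
    return len(covered_cells(controls)) / len(ALL_CELLS)


def controls_for(controls, cell):
    """Names of the controls addressing one cell (empty list means a gap)."""
    validate(cell)
    return sorted(name for name, cells in controls.items() if cell in cells)


# Constructed sample 1: the paper's scenario of disk encryption on its own.
# It is a technology control for confidentiality of stored PHI and nothing else.
DISK_ENCRYPTION_ONLY = {
    "full_disk_encryption": {("confidentiality", "storage", "technology")},
}

# Constructed sample 2: compensating controls for the gaps the paper names
# (lost password, weak or socially engineered password, unprotected endpoint
# receiving the decrypted data).
WITH_COMPENSATING_CONTROLS = {
    **DISK_ENCRYPTION_ONLY,
    # Key escrow/recovery keeps stored data available if the passphrase is
    # lost; a passphrase-strength rule supports confidentiality.
    "key_recovery_and_passphrase_policy": {
        ("availability", "storage", "policies_practices"),
        ("confidentiality", "storage", "policies_practices"),
    },
    # Awareness training against social engineering of the passphrase.
    "security_awareness_training": {
        ("confidentiality", "storage", "human_factors"),
        ("confidentiality", "transmission", "human_factors"),
    },
    # Encrypted, authenticated channel for PHI exchanged with another entity.
    "tls_for_phi_exchange": {
        ("confidentiality", "transmission", "technology"),
        ("integrity", "transmission", "technology"),
    },
    # Policy forbidding retention of received PHI unencrypted on mobiles.
    "mobile_endpoint_policy": {
        ("confidentiality", "storage", "policies_practices"),
    },
}


if __name__ == "__main__":
    print(f"disk encryption only covers {coverage_ratio(DISK_ENCRYPTION_ONLY):.0%} of cells")
    print("availability-in-storage gaps:",
          gaps(DISK_ENCRYPTION_ONLY, goal="availability", state="storage"))
    print(f"with compensating controls: {coverage_ratio(WITH_COMPENSATING_CONTROLS):.0%}")
    for cell in gaps(WITH_COMPENSATING_CONTROLS, state="transmission"):
        print("still open:", cell)
```

Running it shows that disk encryption alone covers one of the 27 cells and leaves every availability-in-storage cell open (the lost-password case from the text); adding the compensating controls closes the confidentiality and availability cells the paper calls out but still reports, for instance, every cell for information in processing as uncovered. That is the point of the exercise: a compliance checklist answers whether a control exists, while the cube answers which combinations of goal, state and counter-measure nothing addresses, which is where an attacker who assumes you are compliant will look.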