Richard Gadsden, Information Security Office, Office of the CIO, Information Services




Information Security Compliance: System Owner Training
Richard Gadsden, Information Security Office, Office of the CIO, Information Services
Sharon Knowles, Information Assurance Compliance, MUSC Medical Center

Overview
- Information Security Fundamentals
- HIPAA Security vs. HIPAA Privacy
  - How the two regulations differ
  - MUSC's compliance strategy
- New Security Responsibilities
  - Enterprise
  - Covered Entities
  - System Owners
  - Other individuals

Information Security Process
- The goal: protection of information assets from threats to their
  - availability
  - integrity
  - confidentiality
- Security is a process...
  - not a product
  - not really a state either
  - not "set it and forget it"

Information Security: A Risk Management Process
- Risk management: the process for making security decisions
- Steps in the process
  - identify significant risks
  - evaluate possible controls
  - implement the most cost-effective set of controls that will keep risks within acceptable levels
- Caveat: zero risk is not attainable
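As an added worked example (not part of the original training slides or of any MUSC tool), the following script carries out the selection step above on a small risk worksheet: each risk is scored as likelihood times impact, each candidate control reduces one of those factors at a cost, and the cheapest set of controls that brings every risk within the acceptable level is chosen. The risks, controls, 1-to-5 scales, reductions and costs are constructed assumptions for illustration; the MUSC Risk Analysis Worksheet may use a different scale.

```python
"""Cost-effective control selection over a small risk worksheet.

Added example, not from the original training slides. Risks, controls,
likelihood/impact scales and costs below are constructed assumptions;
the MUSC Risk Analysis Worksheet may use a different scale.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Inherent risk score before any control is applied."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: int  # annual cost in arbitrary units (assumed)
    # (risk name, likelihood reduction, impact reduction) per risk it affects
    effects: Tuple[Tuple[str, int, int], ...]


def residual_score(risk: Risk, controls) -> int:
    """Risk score after applying the given controls.

    Reductions from several controls on the same risk add up; likelihood
    and impact never drop below 1 (zero risk is not attainable)."""
    dl = sum(e[1] for c in controls for e in c.effects if e[0] == risk.name)
    di = sum(e[2] for c in controls for e in c.effects if e[0] == risk.name)
    return max(1, risk.likelihood - dl) * max(1, risk.impact - di)


def select_controls(risks, controls, acceptable: int):
    """Cheapest subset of controls under which every risk's residual score
    is <= acceptable. Exhaustive search over all 2**n subsets, which is
    fine for the handful of candidate controls on one system's worksheet.
    Returns (total_cost, frozenset of control names), or None when no
    subset brings every risk within the acceptable level."""
    best = None
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            if all(residual_score(r, subset) <= acceptable for r in risks):
                cost = sum(c.cost for c in subset)
                if best is None or cost < best[0]:
                    best = (cost, frozenset(c.name for c in subset))
    return best


def worksheet(risks, controls, acceptable: int):
    """Rows of (risk, inherent score, residual score) under the selected
    controls: the view a risk analysis worksheet records next to the
    decision. Returns None if no control set meets the acceptable level."""
    chosen = select_controls(risks, controls, acceptable)
    if chosen is None:
        return None
    applied = [c for c in controls if c.name in chosen[1]]
    return [(r.name, r.score(), residual_score(r, applied)) for r in risks]


# Constructed sample worksheet (assumed values, not real MUSC data)
RISKS = (
    Risk("laptop with ePHI lost or stolen", likelihood=4, impact=5),
    Risk("unpatched server exploited", likelihood=3, impact=4),
    Risk("weak password guessed", likelihood=4, impact=3),
)
CONTROLS = (
    Control("full-disk encryption", 10, (("laptop with ePHI lost or stolen", 0, 4),)),
    Control("patch management", 15, (("unpatched server exploited", 2, 0),)),
    Control("host intrusion detection", 30, (("unpatched server exploited", 1, 0),)),
    Control("multi-factor authentication", 20, (("weak password guessed", 3, 0),)),
    Control("password complexity rules", 5, (("weak password guessed", 1, 0),)),
)

if __name__ == "__main__":
    for level in (9, 6, 2):
        print(f"acceptable <= {level}: {select_controls(RISKS, CONTROLS, level)}")
        print(f"  worksheet: {worksheet(RISKS, CONTROLS, level)}")
```

Lowering the acceptable level from 9 to 6 changes the answer from the 30-unit set (encryption, patch management, password complexity rules) to the 45-unit set (encryption, patch management, multi-factor authentication), and at level 2 no combination suffices, which is the signal to either accept the remaining risk formally or look for additional controls. The exhaustive search is only practical for a short candidate list; a worksheet with dozens of controls would need an integer-programming or greedy approach, and the whole calculation has to be redone whenever the environment, the policies or the regulations change.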

MUSC's Information Security Policy: System Owners Are Responsible For...
- Ensuring that accurate and thorough risk assessments are conducted and documented at appropriate points in the lifecycle of the System, beginning prior to the System's implementation, and that the findings are applied to the effective management of risks over the entire life of the System.
- Ensuring that appropriate System-specific policies, procedures and safeguards are developed and implemented, to comply with all applicable MUSC policies, any applicable Entity policies, and all applicable laws and regulations.

Information Assurance: Standard of Due Care
- The duty is to protect against all reasonably anticipated threats by implementing reasonable and appropriate safeguards
- Reasonable and appropriate
  - ideally, minimum but sufficient controls
  - must avoid unacceptable risks
  - must avoid unnecessary expense

Reasonable and Appropriate
- How to achieve? The risk management process
  - assessment of risk
  - evaluation and selection of controls
  - approval, funding, implementation, operation
- How to verify? The compliance process
  - documentation
  - audits and other reviews

Information Assurance: Compliance Process
- Document the level of assurance
  - Are all security responsibilities clearly defined and understood?
  - Is a sound (risk-based and cost-conscious) decision-making process being followed?
  - Are security procedures documented?
  - Are procedures being followed?
  - Are controls working as intended?

HIPAA: Security Rule vs. Privacy Rule
- Security is more than just privacy: confidentiality, integrity, availability
- PHI vs. ePHI
  - all electronic ("computerized") PHI is subject to both the Privacy Rule and the Security Rule
  - telephone and fax communications are subject to the Privacy Rule, but not the Security Rule
- Covered Entities (CEs) are responsible for compliance with both regulations

Security vs. Privacy: MUSC's Overall HIPAA Compliance Strategy
- Organizational: the MUSC OHCA is comprised of 4 CEs
- Privacy Rule strategy: policies were set by each MUSC Entity
- Security Rule strategy: one set of enterprise-wide security policies
  - these policies apply to all MUSC Entities
  - not just for HIPAA/ePHI, but for all types of protected information
  - 16 new policies and 1 updated policy were issued by the Office of the President in Feb 2005

MUSC's Security Policies
- Computer Use Policy (updated)
- Information Security Policies (new): Information Security, Risk Management, Evaluation, Workforce Security, Awareness and Training, Incident Response, Contingency Plan, Workstation Use, Device and Media Controls, Access Control, Network Access, Audit Controls, Person or Entity Authentication, Data Integrity, Encryption, Documentation

New Security Responsibilities
- Enterprise (Office of the CIO)
- Covered Entities (CEs)
- System Owners and System Administrators
- Managers and Supervisors
- Workforce members

Responsibilities: OCIO
The Information Security Office (ISO) will:
- Document security architecture and plans
- Coordinate development of enterprise policies, standards, guidelines
- Manage Enterprise-level safeguards
- Develop shared tools and services
- Direct MUSC's incident response team
- Conduct vulnerability assessments

Covered Entities
Each Entity will designate an Information Assurance Compliance Officer (IACO), who will:
- Monitor compliance (system owners, system administrators, managers, supervisors, workforce members)
- Report violations of policy to appropriate enforcement authorities
- Ensure access to documentation and training

System Owners
Each System must have a designated System Owner, who will:
- Assess and manage security risks
  - Risk assessments and risk management plans must be documented if the System contains protected information (e.g. ePHI)
- Ensure that appropriate safeguards are implemented
  - Some safeguards are required only if the System contains protected information (e.g. ePHI)
- Also, designate a System Administrator

MUSC Risk Management Standards
Standards are established for managing risk at 4 stages in the System life cycle:
- Initiation
- Development/Procurement
- Implementation
- Post-Implementation (aka Existing Systems)

Existing Systems (i.e. Post-Implementation Stage)
Have you...
- Registered your system?
- Designated a System Administrator?
- Conducted a System risk assessment?
- Implemented appropriate safeguards?
  - administrative measures
  - physical security measures
  - technical measures
- Document, document, document...

Step 1.0: Review MUSC Policies, Standards and Guidelines
URL: http://www.musc.edu/security

Step 2.0: Document Current System Environment and Personnel
Deliverable: Security Documentation, Section 2 (System Identification)
- System Name
- Key System Personnel
- Functional Description
- Key Components
- System Boundaries
- Relationships with other systems (interfaces, interdependencies)

Step 3.0: Document Current System-Specific Security Procedures and Other Controls
Deliverable: Security Documentation, Section 3 (Current System Procedures)
Use the MUSC Information Security Policy Compliance Checklist for System Owners as a guide: http://www.musc.edu/security/tools

Step 4.0: Identify and Analyze Potential Issues
Deliverable: Risk Analysis Worksheet (http://www.musc.edu/security/tools)
Priorities:
- Address policy compliance gaps identified using the Policy Checklist, or any other assessments
- Decide how to address other risks identified through the formal risk analysis process

Step 5.0: Develop Security Plan
Deliverable: Security Plan Summary (http://www.musc.edu/security/tools)
Document your plan for resolving all known compliance gaps: who, what, when

Step 6.0: Execute Security Plan
Deliverables:
- Document changes made to system procedures and other controls (Section 3, Current System Procedures)
- Progress and status reports as required by your Entity's IACO

Are We There Yet?
- Security is never finished
- Repeat the risk management cycle as warranted by conditions
  - respond to environmental, operational, policy, and/or regulatory changes
- Evaluate the effectiveness of your System's security measures until your System is retired
- Set it and forget it? Not an option!