HIPAA Security Rule - PowerPoint PPT Presentation

1
HIPAA Security Rule
  • November 16th, 2004
  • ISSA / (ISC)² Secure SD Security Conference, San
    Diego, CA
  • Sean Lewis, CISSP (ISSAP, ISSEP, ISSMP), CISA,
    SSCP, TICSA, CCSA
  • Security Lead Consultant (Southern California)
  • VeriSign Global Security Consulting

2
VeriSign
  • Publicly Traded Company
  • > 3,000 Employees
  • $1 Billion in Revenues
  • Operate critical DNS Infrastructure that enables
    over 10B transactions/Day
  • Secure the information assets of over 400,000
    websites and 1,000 large enterprises
  • Largest SS7 Telecommunications network: 2
    Billion messages per day
  • 2.8B SS7 signals/day
  • Enable over 1,000 carriers to interconnect
  • Support over 30% of North American e-commerce
  • Over 100 Million E-Commerce Payment Transactions
    Per Quarter
  • Largest MSSP with over 3000 devices under
    management

3
Drivers behind HIPAA
  • Efficiency and interoperability between payers,
    providers, clearinghouses (covered entities)
  • Patients' Bill of Rights
  • Enhanced medical record privacy
  • Enhanced medical record security

4
Medical Mistakes kill 98,000/year in the USA
5
Data valuation: what's gone wrong in healthcare?
  • What is your medical record worth to you?
  • How much do you trust your healthcare provider to
    keep your medical record private & secure?
  • How many of your friends or neighbors work in a
    healthcare organization?
  • How many of your enemies?
  • We spend billions protecting financial
    information, what about health information?

7
Do I need to comply?
  • The Security Rule applies to IIHI (individually
    identifiable health information) in electronic
    form, i.e. ePHI
  • ePHI (electronic Protected Health Information)
    that is stored and/or transmitted by a covered
    entity is covered
  • Health information on paper or divulged orally is
    not covered by the Security Rule (the Privacy
    Rule still applies to it)
  • The rule is intended to set a minimum level of
    security for covered entities
  • Covered entities, and the business associates of
    those entities (bound by a business associate
    contract, the "chain of trust" agreement of the
    proposed rule), are required to comply

8
What's the business / security value-add?
  • Increased level of confidence from your customers
  • Expansion into healthcare markets for
    non-healthcare centric services (e.g. managed
    security services)
  • Integration of sound security practices to
    fulfill HIPAA requirements (e.g. standardized
    risk assessment methodology, quantifiable
    security metrics for measuring process
    improvement)
  • Covered entities MUST comply, of course!

9
Nuts and bolts of the rule
  • Covered entities are required to:
    • Assess potential risks and vulnerabilities to
      ePHI
    • Protect against threats to information security
      or integrity, and against unauthorized use or
      disclosure
    • Implement and maintain security measures that are
      appropriate to their needs, capabilities and
      circumstances
    • Ensure compliance with these safeguards by all
      staff

10
How is the rule structured?
  • The rule is broken into three sections:
    administrative safeguards, physical safeguards
    and technical safeguards
  • There are 18 standards across the 3 types of
    safeguards (9 administrative, 4 physical, 5
    technical)
  • Most standards have one or more implementation
    specifications, which are the specific
    requirements within the standard
  • Each implementation specification is either
    required or addressable

11
Required vs. Addressable
  • Required:
    The implementation specification must be met by
    the covered entity. Most required implementation
    specifications scale to covered entities large or
    small
  • Addressable:
    The implementation specification may not always
    be appropriate for, or scale to, every covered
    entity size. The covered entity must assess
    whether it is a reasonable and appropriate
    safeguard in its own environment; if so, implement
    it, and if not, document why and implement an
    equivalent alternative measure where reasonable.
    "Addressable" never means optional

12
Administrative safeguards
  (rule standard → what it means in practice)
  • Security Management Process → Information
    Security Program
  • Assigned Security Responsibility → Assigning
    responsibility (CSO / CISO)
  • Workforce Security → Acceptable Use of Computing
    Resources for staff
  • Information Access Management → Access Control
    (AAA)
  • Security Awareness & Training → Training and
    Education
  • Security Incident Procedures → Incident Response
  • Contingency Planning → Disaster Recovery /
    Business Resumption Planning
  • Evaluation → Risk Assessment and quantifiable
    measurement
  • Business Associate Contracts & Other
    Arrangements → Contracts

13
Physical Safeguards
  (rule standard → what it means in practice)
  • Facility Access Controls → Physical security of
    information processing facilities
  • Workstation Use → Acceptable Use & control of
    access to workstations
  • Workstation Security → Physical Security of
    assets (each separate device type is classified
    as a workstation)
  • Device & Media Controls → Computer Operations 101
    (tape labeling and archiving, tape rotation,
    back-up logs kept up to date, control of
    removable media containing ePHI)

14
Technical Safeguards
  (rule standard → what it means in practice)
  • Access Control → Unique User ID, Emergency
    Access, Automatic Logoff
  • Audit Controls → Activity review (application &
    operating system)
  • Integrity → Verifying data integrity (at rest and
    in transit)
  • Person or Entity Authentication → Robust
    authentication strategy (two-factor)
  • Transmission Security → Safeguarding ePHI in
    transmission (encryption) and verifying
    integrity (digital signatures)
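The slide names the technical safeguards but not how they look in code. The following is an added example, not material from the presentation or from VeriSign: a small runnable sketch of three of them, using HMAC-SHA256 as a stand-in for the digital signatures the slide mentions (a shared MAC key gives tamper evidence between writer and verifier, but not non-repudiation). The key, field names, user IDs, diagnosis codes, log entries and the 15-minute logoff threshold are all constructed for the example.

```python
"""
Added example (not from the presentation): three Technical Safeguards.

  Integrity       - tamper-evident ePHI records (HMAC-SHA256 integrity tag)
  Audit Controls  - access logging keyed by unique user ID, plus an
                    activity-review pass that flags entries for follow-up
  Access Control  - automatic logoff as an idle-timeout check

All records, log entries, names and thresholds below are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed key for the example only; a real deployment keeps this in an
# HSM/KMS and rotates it. A MAC shared by writer and verifier proves the
# record was not altered, but not who wrote it; use signatures for that.
INTEGRITY_KEY = b"example-only-key-do-not-reuse"

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


def _canonical(record: dict) -> bytes:
    """Canonical JSON so the same logical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> dict:
    """Integrity: attach a tag to an ePHI record before storage/transmission."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed: dict) -> bool:
    """True only if the record is exactly what was sealed (constant-time compare)."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def log_access(audit_log: list, user_id: str, patient_id: str,
               action: str, ts_iso: str) -> None:
    """Audit Controls: who touched which record, when, and how (unique user ID)."""
    audit_log.append({"ts": ts_iso, "user": user_id,
                      "patient": patient_id, "action": action})


def review_activity(audit_log: list, emergency_accounts: set,
                    after_hours=(20, 6)) -> list:
    """Activity review: flag use of emergency ('break-glass') accounts and
    access outside business hours. Returns (entry, reasons) pairs."""
    flagged = []
    for entry in audit_log:
        reasons = []
        if entry["user"] in emergency_accounts:
            reasons.append("emergency account used")
        hour = datetime.fromisoformat(entry["ts"]).hour
        if hour >= after_hours[0] or hour < after_hours[1]:
            reasons.append("after-hours access")
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def session_expired(last_activity_iso: str, now_iso: str) -> bool:
    """Automatic logoff: a session idle for IDLE_TIMEOUT or longer is ended."""
    idle = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_activity_iso)
    return idle >= IDLE_TIMEOUT


if __name__ == "__main__":
    # Constructed sample data.
    sealed = seal_record({"patient_id": "P-0001", "diagnosis": "J45.909"})
    print("intact record verifies:", verify_record(sealed))
    tampered = {"record": dict(sealed["record"], diagnosis="Z00.00"),
                "tag": sealed["tag"]}
    print("tampered record verifies:", verify_record(tampered))

    log = []
    log_access(log, "jdoe", "P-0001", "read", "2004-11-16T10:05:00")
    log_access(log, "breakglass01", "P-0001", "read", "2004-11-16T22:30:00")
    for entry, reasons in review_activity(log, {"breakglass01"}):
        print("REVIEW:", entry["user"], entry["ts"], reasons)

    print("idle 15 min expires session:",
          session_expired("2004-11-16T10:00:00", "2004-11-16T10:15:00"))
```

Run it directly to see the intact record verify, the altered diagnosis fail verification, the break-glass read flagged twice (emergency account, after hours), and the idle session expire. The review pass is the part auditors ask for under "Audit Controls": the log alone is not a control until someone, or something, reads it.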

15
FAILING TO PREPARE IS PREPARING TO FAIL
16
Maximizing investment on compliance
  • Perform regular security assessments on critical
    assets that contain, or may participate in the
    transmission or storage of, ePHI (consider an
    annual third-party assessment to free internal
    resources up for remediation)
  • Make sure you are effective where the rubber
    meets the road: does a procedure that a
    particular business unit performs actually match
    what's documented, step by step? What is the
    variance?
  • Outsource routine information security tasks to
    free up resources: constant intrusion detection
    alerts and system activity review may cost you
    more in labor to tune and monitor 24x7 in a month
    than an MSSP may charge for a year's contract

17
What are the pitfalls to avoid?
  • The HIPAA Security Rule contains a great deal of
    documentation requirements, but don't just focus
    on documentation!
  • Don't make mountains out of molehills
  • Don't wait until the 11th hour to ask for money
    (especially for awareness and training
    requirements)
  • Don't attempt to achieve compliance without a
    plan (decentralized workgroups work very well)
  • Not leveraging your resources and skill-sets is a
    recipe for disaster

18
Compliance Tips
  • Establish a formal security program with a
    designated security officer
  • Establish a standardized risk assessment strategy
    to prioritize work
  • Implement a security program mapped to best
    practice security standards, not to a specific
    regulation
  • Make use of community standard guidelines to
    make sure you're keeping pace with other
    providers
  • Collaborate with other providers on how you
    develop strategies to address the HIPAA Security
    Rule

19
Reading Room
  • NIST DRAFT SP 800-66, An Introductory Guide for
    Implementing the Health Insurance Portability and
    Accountability Act (HIPAA) Security Rule
    http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf
  • Health Insurance Portability and Accountability
    Act (HIPAA) Home Page
    http://www.hhs.gov/ocr/hipaa/
  • Health Hippo
    http://hippo.findlaw.com/hipaa.html

20
Questions & Answers
VeriSign Security Services