Right Sizing the HIPAA Security Program - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Right Sizing the HIPAA Security Program
  • Laurie Leer, CISSP, Manager Information Systems Security
  • Shana Chung, CISSP, Director Contract Management (HIPAA Compliance, Definition Evaluation)

2
Introductions and Agenda
  • HIPAA Security Standards Project Requirements
  • Covered Entity Deliverables
  • Risk Assessment Key to Sizing the HIPAA Security
    Program
  • Right Sizing
  • Risk Assessment Getting Started
  • Sample Risk Assessment Summary
  • Risk Assessment as a Tool to Size a HIPAA
    Security Program
  • Right Size Reasonable and Appropriate
  • Survey Results
  • Conclusions

3
HIPAA Security Standards Project Requirements
  • Standards define project scope and approach
  • Applies to electronic protected health information (EPHI). A covered entity must
      • ensure the confidentiality, integrity, and availability of all EPHI it creates, receives, maintains or transmits
      • protect against any reasonably anticipated threats or hazards to the security or integrity of such information
      • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
      • ensure compliance with this subpart by its workforce
  • The standards define required deliverables
      • Standards describe high-level deliverables, e.g., policies, procedures, periodic reviews
      • Specifications describe required content, e.g., procedures to regularly review records of system activity

4
Covered Entity Required Deliverables
  • Document how the covered entity (CE) met each specification
      • Criteria evaluated in choosing a solution for a given specification, 164.306(b)
          • Factors from 164.308(a)(1) (covered later)
          • Organizational and environmental factors
          • Contracts or superseding state law
          • Other constraints
      • Solution implemented
          • Solution description
          • Policies and procedures to maintain the solution
          • Audit trails or other mechanisms to assure ongoing effectiveness and workforce compliance
  • Required vs. addressable specifications
      • Required specifications must be implemented as stated
      • An addressable specification must be implemented, or the CE must document why it was not and the equivalent measures implemented

5
Risk Assessment Key to Sizing a Security Program
  • 164.308(a)(1) requires CEs to
      • Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the CE
      • Implement security measures to reduce risks and vulnerabilities to comply with 164.306(a)
  • Risk is a compound value or judgment based on the following
      • Threat
      • Vulnerability to the threat
      • Probability of exploiting the vulnerability
      • Cost or other adverse effect if successfully exploited
  • Apply sound business judgment
      • Absolute security doesn't exist
      • Management may make an informed judgment to accept risk

6
Accurate and Thorough Right Sizing
  • 164.306(b) instructs us to consider
      • (i) The size, complexity, and capabilities of the covered entity
      • (ii) The covered entity's technical infrastructure, hardware and software security capabilities
      • (iii) The costs of security measures
      • (iv) The probability and criticality of potential risks to EPHI
  • HIPAA Security program should scale against 164.306(b)
      • Number of different EPHI stores the organization has
      • Size and/or location of the workforce
      • Number of different EDI connections or Web services transporting EPHI
      • Robustness of the baseline security program
  • How probable and critical the risks are is more organization-specific
      • What EPHI is critical to the organization mission or operations?
      • What security and privacy risks have been identified?

7
Reasonable and Appropriate Right Sizing
  • What is a reasonable and appropriate level of risk and vulnerability?
      • Common practices for similar organizations
      • Case law
      • Source documents for HIPAA Security Rules
          • NIST http://csrc.nist.gov/publications/nistpubs/index.html
          • OMB Circulars http://www.whitehouse.gov/omb/circulars/index.html
          • Mapped standards in the 1998 Draft Rules: ASTM, ANSI, IEEE, ISO, etc.
  • Common practices for similar organizations
      • Common practices are both human and technical
      • Similar organizations: similar business model and workforce size
  • Case law
      • Reasonable person standards have developed in other areas of law
      • TriWest Healthcare Alliance suit
      • National Academy of Science study (2002) recommends laws that hold system operators liable for security breaches

8
Reasonable and Appropriate Right Sizing (cont.)
  • Some guidance available in NIST's Generally Accepted Principles and Practices for Secure Information Technology Systems
      • Risk management requires the analysis of risk, relative to potential benefits, consideration of alternatives, and, finally, implementation of what management determines to be the best course of action.
      • Management needs to decide if the operation of the IT system is acceptable, given the kind and severity of remaining risks.
  • Best course of action decision should occur at the right management level
      • If potential costs are known: the approving manager should have authority for that amount
      • If costs can't be estimated: approval comes from the manager with responsibility over the system or vulnerable information
      • If the risk spans departments: approval comes from all affected department heads or the executive responsible overall

9
Risk Assessment Getting Started
  • Common elements of risk management
      • Formal, repeatable process
      • Reliable metrics and probability algorithms
      • Clear documentation and outputs
      • Adequate training for assessment personnel
      • Management authorization
  • Missing link is often metrics and probability
      • Some data about number of incidents, but very little predictive value
      • Available data focuses on hacker-style attacks. No reliable metric sources around internal threats and vulnerabilities
      • In many cases, management decisions are based on incomplete data
  • Consider starting with the HIPAA Security Rules as assessment targets
      • Identify reasonably anticipated threats affecting the organization's ability to comply
      • Assess the organization's degree of vulnerability to the identified threats
      • Use vulnerability data to set the scope of the HIPAA Security Program

10
Sample Risk Assessment Summary
11
Using Risk Assessment to Size the HIPAA Security Program
  • Set scope
      • Zero probability is out-of-scope (e.g., if clearinghouse rules do not apply to your organization, you have no probability of being out of compliance with that rule)
  • Set work priority
      • 1. High probability and high cost of occurrence
      • 2. Medium probability and high cost of occurrence
      • 3. High probability and low cost of occurrence
      • 4. Low probability and high cost of occurrence
      • 5. All other combinations
  • Define project plan and work schedule in priority order
  • Standardize work breakdown structures
      • Phases collect related groups of work (activities) along the critical path
      • Activities collect related tasks along the critical path
      • Milestones signal acceptance of major deliverables and completion of activities
  • Use life cycle approach to activities
      • Requirements → Alternatives → Solution Selection → Build/Test → Deploy → Maintain
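The scoping rule (zero probability is out of scope) and the five-step work priority above, applied to a register of HIPAA Security Rule assessment targets rated by the threat, vulnerability, probability and cost elements from slide 5. This is an added Python example, not code from the presentation; the findings and their ratings are constructed, and the rule citations serve only as labels for the assessment targets.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Work-priority table from the slide: (probability, cost) -> priority, 1 = do first.
# Pairs not listed are "all other combinations" (5); zero probability is out of scope.
PRIORITY = {("high", "high"): 1, ("medium", "high"): 2,
            ("high", "low"): 3, ("low", "high"): 4}
PROBABILITY = ("zero", "low", "medium", "high")
COST = ("low", "medium", "high")

@dataclass(frozen=True)
class Finding:
    rule: str           # HIPAA Security Rule specification used as the assessment target
    threat: str         # reasonably anticipated threat to compliance with that rule
    vulnerability: str  # assessed degree of vulnerability to the threat
    probability: str    # zero / low / medium / high
    cost: str           # low / medium / high adverse effect if exploited

def work_priority(f: Finding) -> Optional[int]:
    """1..5 per the slide's ordering, or None when the finding is out of scope."""
    if f.probability not in PROBABILITY or f.cost not in COST:
        raise ValueError(f"unknown rating on {f.rule}")
    if f.probability == "zero":
        return None
    return PRIORITY.get((f.probability, f.cost), 5)

def plan(findings: List[Finding]) -> Tuple[List[Tuple[int, Finding]], List[Finding]]:
    """Split a register into (priority, finding) pairs in work order, plus out-of-scope findings."""
    scored = [(work_priority(f), f) for f in findings]
    in_scope = sorted(((p, f) for p, f in scored if p is not None),
                      key=lambda pf: (pf[0], pf[1].rule))
    out_of_scope = [f for p, f in scored if p is None]
    return in_scope, out_of_scope

# Constructed sample register; the ratings are hypothetical, not survey data.
REGISTER = [
    Finding("164.312(b) Audit controls", "workforce misuse of EPHI goes unnoticed", "system activity records never reviewed", "high", "high"),
    Finding("164.308(a)(7) Contingency plan", "data center outage", "backups untested", "low", "high"),
    Finding("164.312(e)(1) Transmission security", "EDI feed intercepted", "one trading partner still uses clear-text FTP", "medium", "high"),
    Finding("164.308(a)(5) Security awareness", "staff fall for phishing", "no annual training", "high", "low"),
    Finding("164.308(a)(4)(ii)(A) Isolating clearinghouse functions", "non-compliance with clearinghouse rules", "n/a, no clearinghouse functions performed", "zero", "high"),
    Finding("164.310(c) Workstation security", "shoulder surfing in the lobby", "screens face the public", "low", "low"),
]

if __name__ == "__main__":
    ordered, skipped = plan(REGISTER)
    for prio, f in ordered:
        print(f"{prio}  {f.rule}: {f.threat} (probability {f.probability}, cost {f.cost})")
    print("Out of scope:", [f.rule for f in skipped])
```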

12
Right Size Reasonable and Appropriate
  • Outputs from solution selection document the reasonableness and appropriateness of the selected security measures
      • Standardize deliverables as much as feasible
      • Document at least 2 alternatives
      • Include factors from 164.306(b)
      • Document the fit between requirements and each alternative
      • Estimate cost and time to implement
      • Summarize reasons for recommending one alternative
      • Document management approval for selected solution
  • Outputs from maintenance determine ongoing costs and staffing needs
      • Document maintenance oversight roles, responsibilities and procedures
      • 164.306(e): Security measures . . . must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of EPHI
      • Document intersections with other processes required by HIPAA Security rules: risk analysis and management, system activity review, access authorization, contingency planning, evaluation, etc.

13
Information Security Program Survey
  • Our methodology
  • Respondents
      • Type
          • Covered entity - plan, clearinghouse, provider
          • Hybrid
          • Other (includes business associate, consultant, vendor)
      • Size
          • Total employees
          • Number of IT FTEs
      • IT Security
          • Number of IT Security FTEs
          • Annual IT Security training budget
          • Annual IT Security budget
      • By confidence in meeting HIPAA Security compliance date

14
Respondents by Type of Organization
(chart; category label recovered: Other (vendor, consultant, attorney, etc.))
15
Respondents by Size of Organization: Total Number of Employees
(chart)
16
Respondents by Size of IT Department: Total Number of IT FTEs
(chart; categories: 1-50, 51-500, 501-1000, 1001-5000, 5000+ IT Employees)
17
Does Your Organization Have IT Security FTEs?
(chart)
18
How Much Do You Spend Annually On IT Security?
(chart)
19
Is Organization Confident of Meeting HIPAA Security Deadline?
(chart)
20
Some of the Challenges
  • Communication
      • Does the right hand know what the left hand is doing?
  • Prioritization
      • Are dubious projects getting the money?
  • Training
      • NIST and others address this

21
Does Scalability Reality?
  • Is bigger really better?
      • Security spending doesn't necessarily scale to an organization's size
      • HIPAA and GLB are acknowledged as contributing to policy/procedure infrastructure in larger organizations
      • Damage to an organization's reputation is more of a concern
  • Related surveys
      • US Healthcare Industry Quarterly HIPAA Survey Results, Winter 2003, http://www.hipaadvisory.com
          • Security remediation efforts are progressing slowly
      • "Does Company Size Really Matter?", Information Security, September 2002, http://www.infosecuritymag.com/2002/sep/2002survey.pdf

22
Conclusions