
UNC CAUSE November 2006

Planning for Information Security and HIPAA Compliance


Security should follow data
Leo Howell, CISSP, and John Baines, CISSP
IAS-Information Assurance & Security, ETSS-Enterprise Technology Services & Support, North Carolina State University
Sharon McLawhorn McNeil
ITCS-Security, Department of ITCS, East Carolina University

What's it all about, Webster?

Defalcation
Date: 15th century
1 archaic: deduction
2: the act or an instance of embezzling
3: a failure to meet a promise or an expectation

Malfeasance
Date: 1696
wrongdoing or misconduct, especially by a public official

Two twenty dollar words


Fraud and criminal business acts
Reaction to the excesses of the 80s and 90s
"Planning for Security and HIPAA Compliance" NCSU and ECU 2

Increasingly Complicated Compliance Constraints

Statute                                          | Type of requirement                        | Example location
FERPA                                            | Federal law                                | Student records
HIPAA                                            | Federal law                                | Health records
GLBA                                             | Federal law                                | Financial data
PCI DSS                                          | Payment Card Industry - Data Security Std. | Credit card data
SB 1048                                          | State Identity Theft law                   | SSN, etc.
State Employee Personal Information Privacy law  | University data                            | Staff data
Federal Grants                                   | Contract requirements                      | Research materials

Other example locations named on the slide: Faculty PC or server, Athletics dept., Financial Aid, Bookstore server, Payroll, Lab PC, R&R

Educational Institutes Seen as Easy Marks

Los Angeles Times article - May 30, 2006


Since January 2006, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.

"... we were adding on another university every week to look into." - Michael C. Zweiback, assistant U.S. attorney

Information Security Planning: High level tasks

Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
Understand the business goals and objectives
Conduct a risk assessment; factor in compliance!
Develop the plan

Data Classification Standard (DCS) forms the foundation

3 classification levels: High, Moderate, Normal
Based on data business value, financial implications, legal obligations

Identification
Confidentiality and sensitivity
Classification
Protection
Consistency

Data Management Procedures (DMP) assigns ownership and accountability

[Diagram of DMP roles; only these labels survive extraction: Data Trustee (oversight; delegates responsibility), Data Steward (accuracy, privacy, and security within his or her unit), Data Custodian, Data User. Responsibilities shown include: manage access, authorize rights based on guidelines, physical data mgmt., application mgmt.]

Seven Steps: RMIS Information System Security Plan, RISSP
Leo Howell, Information Security Analyst

STEP ONE: Understand the Asset

Effective security begins with a solid understanding of the protected asset and its value.
At NC State we have identified DATA as our primary asset.

Philosophically, we believe that security should follow data.
But we know that not all data were created equal.

STEP TWO: Identify and prioritize Threats

Governance: policy breach, rebellion
Infrastructure & Application: theft, disclosure, DoS, unauthorized access
Physical: data theft, equipment theft/damage
Endpoint: theft, social engineering
Data: unauthorized access, corruption/destruction

STEP THREE: Identify and rank Vulnerabilities

Governance: policy loopholes
Infrastructure & Application: open network, unpatched systems/OS, misconfiguration
Physical: weak perimeter, open access
Endpoint: ignorance
Data: unencrypted storage, insecure transmission

STEP FOUR: Quantify Relative Risk, R

R = VAT (V x A x T)
V = vulnerability
A = asset
T = threat = likelihood of T

The greater the number of vulnerabilities, the bigger the risk
The greater the value of the asset, the bigger the risk
The greater the threat, the bigger the risk

STEP FIVE: Develop a strategy

3 virtual operational protection zones (OPZ), based on Data Classification:
High - significant business impact, financial loss, regulatory compliance
Moderate - adversely affects business and reputation
Normal - minimal adverse effect on business; authorization required to modify or copy

Examples: Laptop with High data; Server with Moderate data

Types of data stored, accessed, processed or transmitted dictate the OPZ
Higher Classification implies Increased Security

STEP SIX: Establish target standards

Seven layers of protection per zone, based on COBIT, ISO 17799 and NIST 800-53:
1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security

Amount and stringency of security controls at each level varies with data classification

Snippet from Data Security Standard

Security Control                     | Red Zone   | Yellow Zone  | Green Zone
Encrypt stored data                  | Mandatory  | Recommended  | Optional
Limit data stored to external media  | Mandatory  | Recommended  | Optional
Encrypt transmitted data             | Mandatory  | Mandatory    | Recommended
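As an added worked example (not code from the presentation or from NC State), the Python below carries steps four through six through to the prioritized action list that step seven asks for: it scores each asset with the deck's R = V x A x T, maps the asset's data classification to its operational protection zone, and reads the Data Security Standard snippet to report which mandatory controls the asset is still missing. The numeric scales for asset value and threat likelihood, the mapping of High/Moderate/Normal to the Red/Yellow/Green zones, the asset names and the controls-in-place inventory are constructed assumptions for illustration, not values from the deck.

```python
"""Added example (not from the presentation): rank assets by relative risk
R = V * A * T and list the Data Security Standard controls each one is missing.

Constructed assumptions: the asset-value and likelihood scales, the mapping of
High/Moderate/Normal to Red/Yellow/Green zones, and the sample asset inventory.
"""
from dataclasses import dataclass, field

# A: data classification -> asset value weight (constructed ordinal scale)
ASSET_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}

# Classification -> operational protection zone (assumed mapping)
OPZ_FOR_CLASS = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# Rows of the Data Security Standard snippet: control -> requirement per zone
DATA_SECURITY_STANDARD = {
    "Encrypt stored data":                 {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Limit data stored to external media": {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Encrypt transmitted data":            {"Red": "Mandatory", "Yellow": "Mandatory",    "Green": "Recommended"},
}


@dataclass
class Asset:
    name: str
    classification: str                  # High / Moderate / Normal
    vulnerabilities: int                 # V: number of identified vulnerabilities
    threat_likelihood: float             # T: likelihood of the threat, 0.0 .. 1.0
    controls_in_place: set = field(default_factory=set)


def relative_risk(asset: Asset) -> float:
    """R = V * A * T, as defined in step four of the deck."""
    if not 0.0 <= asset.threat_likelihood <= 1.0:
        raise ValueError(f"{asset.name}: threat likelihood must be within 0.0 .. 1.0")
    if asset.vulnerabilities < 0:
        raise ValueError(f"{asset.name}: vulnerability count cannot be negative")
    return asset.vulnerabilities * ASSET_VALUE[asset.classification] * asset.threat_likelihood


def zone(asset: Asset) -> str:
    """The OPZ an asset falls in follows from the classification of the data it holds."""
    return OPZ_FOR_CLASS[asset.classification]


def control_gaps(asset: Asset, level: str = "Mandatory") -> list:
    """Controls the standard sets at `level` for the asset's zone that are not yet in place."""
    z = zone(asset)
    return sorted(control for control, requirement in DATA_SECURITY_STANDARD.items()
                  if requirement[z] == level and control not in asset.controls_in_place)


def prioritized_action_items(assets: list) -> list:
    """Rank assets by R (highest first) and attach each one's mandatory control gaps."""
    ranked = sorted(assets, key=relative_risk, reverse=True)
    return [(a.name, round(relative_risk(a), 2), zone(a), control_gaps(a)) for a in ranked]


# Constructed inventory; the asset names follow the deck's own examples
SAMPLE_ASSETS = [
    Asset("Laptop with High data", "High", vulnerabilities=3, threat_likelihood=0.7,
          controls_in_place={"Encrypt transmitted data"}),
    Asset("Server with Moderate data", "Moderate", vulnerabilities=2, threat_likelihood=0.5,
          controls_in_place={"Encrypt stored data", "Encrypt transmitted data"}),
    Asset("Lab PC with Normal data", "Normal", vulnerabilities=4, threat_likelihood=0.3),
]

if __name__ == "__main__":
    for name, r, z, gaps in prioritized_action_items(SAMPLE_ASSETS):
        print(f"{name:28s} R={r:5.2f} zone={z:7s} mandatory gaps: {gaps or 'none'}")
```

Run stand-alone, the ranking puts the laptop first and the lab PC last even though the lab PC has the most vulnerabilities: the asset term in R = V x A x T outweighs the extra vulnerability count, which is the deck's point that security should follow the data. The `control_gaps` level argument can be switched to "Recommended" to list the next tier of action items for the plan.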

STEP SEVEN: Document the plan

Create a list of action items for the next 3 to 5 years
Prioritize the list based on risk and reality
Forecast investment
Beg, kick and scream to get funding
Implement the plan over time

Identify realistic solutions for applying the appropriate security controls at each level.

Quick takes

Planning paves the way for effectiveness and efficiency for security and compliance
Understand the business and the goals
Conduct a risk assessment
Establish a strategy based on data classification and industry standards
Develop a prioritized, realistic plan
Go for the long haul!

Key Elements of the HIPAA Security Rule: And how to comply

Sharon McLawhorn McNeil
ITCS-Security, Department of ITCS, East Carolina University

Introduction
HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996. The purpose of the Security Rule:

To allow better access to health insurance
Reduce fraud and abuse
Lower the overall cost of health care.

What is the HIPAA Security Rule?


The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form. Identifiable health information is:

Your past, present, or future physical or mental health or condition,
Your type of health care, or
Past, present, or future payment methods for the type of health care received.

Who Must Comply?


Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
Health care plans - HMOs, group health plans, etc.
Health care clearinghouses - billing and repricing companies, etc.
Health care providers - doctors, dentists, hospitals, etc.

How Does One Comply?


Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.

Administrative Safeguards
To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:

Conduct a Risk Analysis.
Implement Risk Management Actions.
Develop a Sanction Policy to deal with violators.
Conduct an Information System Activity Review.

Physical Safeguards
The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.

Technical Safeguards
Technical safeguards refer to the technology and the procedures used to protect EPHI and access to it. The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.

Key Elements of Compliance


1. Obtain and Maintain Senior Management Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance

Penalties

Civil penalties are $100 per violation, up to $25,000 per year for each violation. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Additional Negatives:
Negative publicity
Loss of Customers
Loss of Business Partners
Legal Liability

Conclusion

Compliance will require Covered Entities to:


Identify the risks to their EPHI
Implement security best practices
Complying with the Security Rule can require significant time and resources
Compliance efforts should be currently underway

Contacts
NC State University
Leo Howell, CISSP CEH CCSP CBRM, Information Security Analyst, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, leo_howell@ncsu.edu, (919) 513-1169
John Baines, CISSP, Assistant Director, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, john_baines@ncsu.edu

East Carolina University
Sharon McLawhorn McNeil, IT-Security Analyst, McLawhorns@ecu.edu, 252-328-9112