Planning For Information Security and HIPAA Compliance
Defalcation (15th century): 1. archaic: deduction; 2. the act or an instance of embezzling; 3. a failure to meet a promise or an expectation.
Malfeasance (1696): wrongdoing or misconduct, especially by a public official.
Example locations
Data examples: student records, health records, financial data, credit card data, SSNs, staff data, research materials, payroll.
Locations: faculty PC or server, athletics dept., financial aid, bookstore server, R&R, lab PC.
Obligations: State Employee Personal Information Privacy law, federal grants, contract requirements.
"We were adding on another university every week to look into." - Michael C. Zweiback, assistant U.S. attorney
"Planning for Security and HIPAA Compliance" NCSU and ECU 4
Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness:
Understand the business goals and objectives.
Conduct a risk assessment; factor in compliance!
Develop the plan.
Three classification levels: High, Moderate, Normal. Based on data business value, financial implications, and legal obligations.
Diagram: data governance roles (labels recovered from the figure).
Data Trustee: oversight; relationship; responsibility.
Data Steward: accuracy, privacy, and security within his or her unit; access.
Data Custodian: security; physical data administration, e.g. application management; manages access; authorizes rights based on guidelines.
Data User: responsibilities (remainder of label not recoverable).
Seven Steps: RMIS Information System Security Plan (RISSP). Leo Howell, Information Security Analyst.
Effective security begins with a solid understanding of the protected asset and its value. At NC State we have identified DATA as our primary asset.
Philosophically, we believe that security should follow data. But we know that not all data were created equal.
Governance: policy breach, rebellion.
Physical: data theft, equipment theft/damage.
Endpoint: theft, social engineering.
Data: unauthorized access, corruption/destruction.
Governance: policy loopholes.
Physical: weak perimeter, open access.
Endpoint: ignorance.
Data: unencrypted storage, insecure transmission.
R = V x A x T
V = vulnerability, A = asset, T = threat (likelihood of the threat).
The greater the number of vulnerabilities, the bigger the risk. The greater the value of the asset, the bigger the risk. The greater the threat, the bigger the risk.
OPZ
Seven layers of protection per zone, based on COBIT, ISO 17799 and NIST 800-53:
1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security
The amount and stringency of security controls at each level varies with data classification.
Controls by classification level (table residue): Mandatory / Mandatory / Recommended.
A list of action items for the next 3 to 5 years.
Prioritize the list based on risk and reality.
Forecast investment.
Beg, kick and scream to get funding.
Implement the plan over time.
Identify realistic solutions for applying the appropriate security controls at each level.
Quick takes
Planning paves the way for effectiveness and efficiency for security and compliance.
Understand the business and the goals.
Conduct a risk assessment.
Establish a strategy based on data classification and industry standards.
Develop a prioritized, realistic plan.
Go for the long haul!
Introduction
HIPAA is the Health Insurance Portability and Accountability Act. Thousands of organizations must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996. The purpose of the Security Rule:
To allow better access to health insurance.
To reduce fraud and abuse.
To lower the overall cost of health care.
Your past, present, or future physical or mental health or condition;
Your type of health care; or
Past, present, or future payment methods for the type of health care received.
Administrative Safeguards
To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
Conduct a Risk Analysis.
Implement Risk Management Actions.
Develop a Sanction Policy to deal with violators.
Conduct an Information System Activity Review.
Physical Safeguards
The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.
Technical Safeguards
Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it. The goal of technical safeguards is to protect patient data by allowing access only to individuals or software programs that have been granted access rights to the information.
Penalties
Civil penalties are $100 per violation, up to $25,000 per year for each violation. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Additional Negatives:
Negative publicity
Loss of customers
Loss of business partners
Legal liability
Conclusion
Contacts
NC State University
Leo Howell, CISSP CEH CCSP CBRM, Information Security Analyst, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, leo_howell@ncsu.edu, (919) 513-1169
John Baines, CISSP, Assistant Director, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, john_baines@ncsu.edu
East Carolina University
Sharon McLawhorn McNeil, IT-Security Analyst, McLawhorns@ecu.edu, 252-328-9112