Redspin Webinar Business Associate Risk

Post on 18-Dec-2014


description

Webinar on how healthcare organizations can manage business associate IT security risk.

transcript

Navigating Business Associate IT Security Risk

John Abraham – Redspin Security Evangelist

Part 1: New Responsibilities
For business associates and covered entities under the HIPAA / HITECH Act

Expanded Definitions
Work for a CE + access to PHI = BA
Data transmission providers
Subcontractors to a BA

HIPAA Security Rule... applies to:

A) Covered Entities
B) Business Associates
C) Subcontractors
D) All of the above

Answer: D) All of the above

Oops, I didn't know
"Lack of knowledge" is not a defense*

AKA: what you don't know {about BAs} can hurt you

* 75 Federal Register 40878, July 14th, 2010 NPRM

BAs' Dual Risk
Liability to the government (HIPAA)
Liability to the CE (BAA)

CEs' Dual Risk
Liability to the government (HIPAA)
Liability to the government (BA security)

Penalties throughout the PHI supply chain: CEs, BAs, subcontractors

Part 2: What This Means

Active Enforcement
Fines
State budget crisis
State Attorneys General

Recent Enforcement Actions*

Cignet: $4.3 million. Failure to provide 41 patient records; ignored a subpoena.

Mass. General Hospital: $1 million. 192 patient records left on the subway. CAP (corrective action plan): policies, procedures, training, auditing, reporting, security controls.

* http://www.hhs.gov/news/

Transparency: right-to-audit clause in the BAA

HIPAA Security Rule
Everyone needs to be compliant
Everyone needs sound risk management

Part 3: Effectively Manage Your Own Risk

Three rules:
Focus
Existence != Effective
Compliance != Security

Rule 1: Everyone has risk. Focus on the critical.

Systematic Risk Management: focus, focus, focus

Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...

Systematic risk management
Everyone has lots of risk → focus
Let risk drive controls → focus
Avoid over-spending / over-implementing → focus

Rule 1: Focus

Rule 2: Existence does not equal Effective

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...

Rule 2: Don't just assume a control is working.
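Rule 2 is the one a reviewer can check mechanically: the PIX configuration on the preceding slide is a firewall that exists, but several of its rules do nothing or do the wrong thing. The following Python script is an added example for this page, not code from the webinar or from Redspin. It parses the access-list and ip address lines exactly as they appear on the slide (embedded below as constructed input) and reports three kinds of ineffective rule: a rule shadowed by an earlier rule in the same ACL (so it is either redundant or never reached), a udp rule for a TCP-only service (the `udp ... eq telnet` line), and a permit of a clear-text management or legacy time service from the inside network to any destination. The list of "risky" services, the TCP-only set, and the check that a source address is the firewall's own interface address are the editor's own heuristics, not anything the slide states.

```python
"""Static review of a PIX 6.x access-list set: find rules that exist on the box
but are not effective. Added example for this page; not Redspin's tooling.
The checks and the "risky service" list are the editor's own assumptions."""
import ipaddress
import re

# Constructed input: the "ip address" and "access-list" lines copied from the
# slide's PIX 6.3(5) configuration (other lines omitted; they do not affect ACLs).
PIX_CONFIG = """\
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
"""

# PIX accepts service names; normalise to numbers so "eq 37" and "eq time" compare equal.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "http": 80, "https": 443, "time": 37, "daytime": 13}
TCP_ONLY = {21, 22, 23, 25, 80, 443}     # a udp rule for these matches nothing useful
# Assumption: clear-text/legacy management and time services a reviewer would not
# want permitted from the inside network to "any".
RISKY_EGRESS = {22: "ssh", 23: "telnet", 13: "daytime", 37: "time"}


def _addr(tokens):
    """Consume one PIX address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_rule(line):
    """'access-list NAME permit|deny PROTO SRC DST [eq PORT]' -> dict, else None."""
    m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.+)$", line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, rest = _addr(rest.split())
    dst, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "text": line.strip()}


def covers(a, b):
    """True if rule a matches every packet rule b matches, i.e. a shadows a later b."""
    return ((a["proto"] in ("ip", b["proto"]))
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))


def audit(config):
    """Return [(rule_text, reason)] for every rule that is not doing what it says."""
    iface_ips, rules = set(), []
    for line in config.splitlines():
        m = re.match(r"ip address \S+ (\S+) \S+", line.strip())
        if m:
            iface_ips.add(ipaddress.ip_network(m.group(1) + "/32"))
        rule = parse_rule(line)
        if rule:
            rules.append(rule)

    findings, earlier = [], {}            # earlier: acl name -> rules seen so far
    for r in rules:
        for prev in earlier.setdefault(r["acl"], []):
            if covers(prev, r):
                kind = "redundant" if prev["action"] == r["action"] else "never reached"
                findings.append((r["text"], f"{kind}: shadowed by '{prev['text']}'"))
                break
        earlier[r["acl"]].append(r)
        if r["proto"] == "udp" and r["port"] in TCP_ONLY:
            findings.append((r["text"], "protocol/port mismatch: udp rule for a TCP service"))
        if r["src"] in iface_ips:
            findings.append((r["text"], "source is the firewall's own interface address; "
                                        "no inside host legitimately sends from it"))
        if r["action"] == "permit" and r["dst"].prefixlen == 0 and r["port"] in RISKY_EGRESS:
            findings.append((r["text"], f"broad egress: {RISKY_EGRESS[r['port']]} to any destination"))
    return findings


if __name__ == "__main__":
    for text, reason in audit(PIX_CONFIG):
        print(f"{reason}\n    {text}")
```

Run against the slide's rules it reports ten findings: the dmz `permit tcp ... eq smtp` and both inside `host 192.168.0.13` permits are redundant because an earlier, wider rule already matches them; the inside `deny ... ftp` uses the firewall's own inside address as its source; the `udp ... eq telnet` line is a protocol/port mismatch; and ssh, telnet, time (as both `37` and `time`) and daytime are all open from the inside network to anywhere. None of this shows up by confirming that "a firewall with ACLs is in place", which is the point of the rule.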

Rule 3: Compliance does not equal Security

Part 4: Effectively Manage Business Associate Risk

Systematic Approach
1. Identify
2. Classify
3. Prioritize
4. Additional Evaluation
5. Monitor

Tools: Matrix; Questionnaire; HIPAA Risk Analysis

Summary: for BAs & CEs
New responsibilities (HIPAA Security Rule)
Increased accountability / scrutiny
Need effective (true) risk management
BAs need to be ready to be audited by CEs
CEs need to be ready to audit BAs

{ thank you! }

John Abraham
jabraham@redspin.com
805-705-8040 (mobile)