Post on 18-Dec-2014
Navigating Business Associate IT Security Risk
John Abraham – Redspin Security Evangelist
Part 1: New Responsibilities
For business associates and covered entities under the HIPAA / HITECH Act
Expanded Definitions
Work for a CE + access to PHI = BA
Data transmission providers
Subcontractors to a BA
HIPAA Security Rule... Applies to:
A) Covered Entities
B) Business Associates
C) Subcontractors
D) All of the above
Oops, I didn't know
"Lack of knowledge" is not a defense*
AKA: what you don't know {about BAs} can hurt you
* 75 Federal Register 40878, July 14th, 2010 NPRM
BAs' Dual Risk
Liability to government (HIPAA)
Liability to CE (BAA)
CEs' Dual Risk
Liability to government (HIPAA)
Liability to government (BA security)
Penalties throughout the PHI supply chain: CEs, BAs, subcontractors
Part 2: What This Means
Active Enforcement
Fines
State budget crises
State Attorneys General
Recent Enforcement Actions*
Cignet: $4.3 million. Failure to provide 41 patient records; ignored subpoena.
Mass. General Hospital: $1 million. 192 patient records left on subway. CAP: policies, procedures, training, auditing, reporting, security controls.
* http://www.hhs.gov/news/
Transparency
Right-to-audit clause in the BAA
HIPAA Security Rule
Everyone needs to be compliant
Everyone needs sound risk management
Part 3: Effectively Manage Your Own Risk
Three rules:
Focus
Existence != Effective
Compliance != Security
Rule 1:
Everyone has risk. Focus on critical.
Systematic Risk Management
Focus, focus, focus
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
Systematic risk management
Everyone has lots of risk → focus
Let risk drive controls → focus
Avoid over-spending / over-implementing → focus
Rule 1:
Focus
Rule 2:
Existence does not equal Effective
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
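As an added example (not Redspin's tool and not part of the original deck), the following Python script applies rule 2 to the configuration fragment above: it parses a constructed excerpt of those access-list lines and reports rules that exist but cannot take effect, namely rules fully covered by an earlier rule in the same list, UDP rules that name a TCP-only service, and rules whose source address is the firewall's own interface address (inbound traffic on an interface never carries that address as its source). The TCP-only service list and the ACL-to-interface map are assumptions derived from the fragment.

```python
"""Added example: static checks over PIX-style access-list lines.

Rule 2 on the slides says an existing control is not the same as an
effective one.  This script (not Redspin's tool, and not part of the
original deck) parses the kind of access-list lines shown on the slide
and reports rules that exist but cannot do what their author intended.
The config excerpt below is constructed from the slide's fragment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the configuration lines from the slide.
SAMPLE_CONFIG = """
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
"""

# Assumption: a small fixed list of service names that only make sense over TCP.
TCP_ONLY_SERVICES = {"smtp", "www", "https", "ssh", "telnet", "ftp"}


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]
    text: str


def _parse_addr(tokens, i):
    """Read one PIX address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return (rules, acl_to_interface, interface_to_ip) from the config lines."""
    rules, acl_if, if_ip = [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":          # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            rules.append(Rule(t[1], t[2], t[3], src, dst, port, line.strip()))
        elif t[:2] == ["ip", "address"]:   # ip address IF ADDR MASK
            if_ip[t[2]] = t[3]
        elif t[0] == "access-group":       # access-group NAME in interface IF
            acl_if[t[1]] = t[4]
    return rules, acl_if, if_ip


def _covers(a, b):
    """True if every packet matched by rule b is also matched by earlier rule a."""
    return (a.acl == b.acl
            and a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and (a.proto == "ip" or a.proto == b.proto)
            and (a.port is None or a.port == b.port))


def audit(text):
    """Return (rule_text, finding) pairs for rules that cannot be effective."""
    rules, acl_if, if_ip = parse_config(text)
    findings = []
    for n, rule in enumerate(rules):
        for earlier in rules[:n]:
            if _covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "never reached"
                findings.append((rule.text, f"{kind}: shadowed by '{earlier.text}'"))
        if rule.proto == "udp" and rule.port in TCP_ONLY_SERVICES:
            findings.append((rule.text, f"udp with TCP-only service '{rule.port}'"))
        own_ip = if_ip.get(acl_if.get(rule.acl, ""))
        if own_ip and rule.src == ipaddress.ip_network(own_ip + "/32"):
            findings.append((rule.text, "source is the firewall's own interface address"))
    return findings


if __name__ == "__main__":
    for text, finding in audit(SAMPLE_CONFIG):
        print(f"{finding}\n    {text}")
```

Run on the excerpt, the script reports the smtp-only rule for host 192.168.0.13 as both redundant (an earlier `permit ip` already allows everything it allows) and never reached (an earlier `deny ip` covers it), the `udp ... eq telnet` line as a protocol mismatch, and the `deny tcp host 172.16.0.2` line as sourced from the inside interface's own address. Each of those lines exists in the running config; none of them enforces what it appears to.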
Rule 2:
Don't just assume a control is working.
Rule 3:
Compliance does not equal Security
Part 4: Effectively Manage Business Associate Risk
Systematic Approach
1. Identify
2. Classify
3. Prioritize
4. Additional Evaluation
5. Monitor
Matrix
Questionnaire
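As an added example of the Classify and Prioritize steps (this is not Redspin's matrix and not part of the original deck), the Python below scores a constructed inventory of business associates, places each in a tier, and maps the tier to a follow-up step. The weights, tier cut-offs and follow-up actions are assumptions chosen for illustration; the one non-assumed figure is the 500-individual threshold in the HHS breach-notification rule, used here as the step between limited and large PHI exposure.

```python
"""Added example: a small Business Associate (BA) risk matrix for the
slide's Classify / Prioritize steps.  Not Redspin's matrix: the weights,
tier cut-offs and per-tier actions are assumptions for illustration, and
the BA inventory is constructed."""
from dataclasses import dataclass


@dataclass
class BusinessAssociate:
    name: str
    phi_individuals: int       # number of individuals whose PHI the BA can reach
    access: str                # "none", "view", "transmit" or "store"
    uses_subcontractors: bool  # PHI passed further down the supply chain?
    months_since_review: int   # age of the last security evaluation


# Assumed weights: storing PHI is riskier than transmitting or viewing it.
ACCESS_WEIGHT = {"none": 0, "view": 1, "transmit": 2, "store": 3}

# Assumed follow-up per tier; the questionnaire mirrors the slide's tool.
TIER_ACTION = {
    "high": "on-site assessment plus independent audit evidence",
    "medium": "security questionnaire plus evidence review",
    "low": "annual attestation",
}


def score(ba):
    """Score one BA.  500 affected individuals is the HHS breach-notification
    threshold that separates immediate reporting from the annual log, so it
    is used as the step between limited and large PHI exposure."""
    s = ACCESS_WEIGHT[ba.access]
    if ba.phi_individuals >= 500:
        s += 3
    elif ba.phi_individuals > 0:
        s += 1
    if ba.uses_subcontractors:
        s += 2
    if ba.months_since_review > 12:
        s += 1
    return s


def tier(s):
    """Map a score to a tier (assumed cut-offs)."""
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritize(inventory):
    """Return (name, score, tier, action) tuples, highest risk first."""
    rows = []
    for ba in inventory:
        s = score(ba)
        rows.append((ba.name, s, tier(s), TIER_ACTION[tier(s)]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory.
SAMPLE_INVENTORY = [
    BusinessAssociate("Shredding vendor", 300, "view", False, 6),
    BusinessAssociate("Claims clearinghouse", 20000, "transmit", True, 18),
    BusinessAssociate("Billing consultant", 400, "view", True, 14),
    BusinessAssociate("Cloud EHR host", 50000, "store", False, 3),
]

if __name__ == "__main__":
    for name, s, t, action in prioritize(SAMPLE_INVENTORY):
        print(f"{s:2d} {t:6s} {name:22s} -> {action}")
```

The point of the matrix is the "focus" rule from Part 3: the on-site work goes to the two high-tier vendors, the questionnaire to the medium one, and the low-tier vendor gets an attestation rather than the same effort as everyone else.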
HIPAA Risk Analysis
Summary
For BAs & CEs:
New responsibilities (HIPAA Security Rule)
Increased accountability / scrutiny
Need effective (true) risk management
BAs need to be ready to be audited by CEs
CEs need to be ready to audit BAs