BuildingaRiskManagementFrameworkforHIPAA&FISMA

ComplianceAnuragShankar

CenterforAppliedCybersecurityResearchIndianaUniversity

2015TechnologyExchangeOctober6,2015

Outline

1. Introduction2. HIPAA&FISMADemystified3. CyberCompliance:TheIUApproach4. Building&LeveragingaRiskManagementFramework5. Conclusion

1.Introduction

Whyatalkoncompliance?

• Wehaveanewusercommunity- clinicalresearchers.• TheirresearchITaregrowingtoHPC,HPN,andHPS*scales.• MedicalschoolITcannotkeepup.• Theirdataislacedwithregulations(HIPAA,FISMA).

• Complianceisaforeignlanguage(tomostofus).• Wedealwiththeusualsuspects– physicalscientistsandengineers.• Regulationsarenotourforte.

*Highperformancecomputing,networkingandstorage

Compliancechallenges

• Fear,uncertainty,doubt.• Languagebarrier.• Lackofresources.• Localrisktolerance.• Riskownership.• Policy.

Thegoalsthismorning

• Learntospeakcompliance.• Bringregulationstoapractical,actionableplane.

2.Regulations- HIPAAandFISMA

HIPAA

WhatisHIPAA?

• HealthInsurance Portability &Accountability Act.• ProvidestheabilitytotransferandcontinuehealthinsurancecoverageforAmericanworkersandtheirfamilieswhentheychangeorlosetheirjobs.

• EnforcedbytheOfficeforCivilRights(OCR)intheU.S.DepartmentofHealth&HumanServices(HHS).

HIPAATimeline

• Passedin1996,becamelawin2001.TheHIPAASecurityRulecameoutin2003.

• TheHealthInformationTechnologyforEconomic&ClinicalHealth(HITECH)Actof2006.

• TheHIPAAOmnibusFinalRuleof2013includedprovisionsfromHITECH&the2008GeneticInformationNondiscriminationAct(GINA).

IsHIPAAallaboutpatientprivacy?

• No.Therearemanyothercomponents.• PrivacyisaddressedthroughtheHIPAAPrivacyRule,theHIPAASecurityRule,and breachnotificationrequirement.

• ThePrivacyRuledefineswhoHIPAAappliesto(acoveredentity),whatisprotected(protectedhealthinformation orPHI),andcoversdisclosuresofPHI.

• TheSecurityRulefocusesexclusivelyonprotectingelectronicPHI(ePHI)inanyform– atrest,intransit,underanalysis,etc.

WhatconstitutesPHI*?Patientinformationinanyform(paper,verbal,electronic)containinganyofthefollowing18identifiers:

1. Names2. Allgeographicsubdivisionssmallerthanastate,includingstreetaddress,city,county,precinct,zipcode,andtheir

equivalentgeocodes,exceptfortheinitialthreedigitsofazipcodeif,accordingtothecurrentpubliclyavailabledatafromtheBureauoftheCensus:(1)thegeographicunitformedbycombiningallzipcodeswiththesamethreeinitialdigitscontainsmorethan20,000people;and(2)theinitialthreedigitsofazipcodeforallsuchgeographicunitscontaining20,000orfewerpeopleischangedto000.

3. Allelementsofdates(exceptyear) fordatesdirectlyrelatedtoanindividual,includingbirthdate,admissiondate,dischargedate,dateofdeath;andallagesover89andallelementsofdates(includingyear)indicativeofsuchage,exceptthatsuchagesandelementsmaybeaggregatedintoasinglecategoryofage90orolder.

4. Telephonenumbers5. Faxnumbers6. Electronicmailaddresses7. SocialSecuritynumbers8. Medicalrecordnumbers9. Healthplanbeneficiarynumbers10. Accountnumbers11. Certificate/licensenumbers12. Vehicleidentifiersandserialnumbers,includinglicenseplatenumbers

PHI,whenproperlyde-identified,isnolongersubjecttoHIPAA

13. Deviceidentifiersandserialnumbers14. Webuniversalresourcelocators(URLs)15. Internetprotocol(IP)addressnumbers16. Biometricidentifiers,includingfingerandvoiceprints17. Fullfacephotographicimagesandanycomparableimages18. Anyotheruniqueidentifyingnumber, characteristicorcode

*Youmayalsohearthetermspersonallyidentifiableinformation(PII),individuallyidentifiablehealthinformation(IIHI), healthinformation,etc.,buttheyarenotcreatedequal.

IsallidentifiablehealthinformationPHI?

• No,onlywhenitiswithinthehealthcarecontext.• Forinstance,

• identifiablehealthinformation(yoursorsomeoneelse’s)yousharepubliclyonFacebookisnotPHI(itisnotsubjecttoHIPAA).

• However,ifamedicalprofessional(doctor,nurse,etc.)sharesitpubliclyonFacebook,itisPHI andthussubjecttoHIPAA.SuchadisclosurewouldbeconsideredabreachunderHIPAA.

WhodoesHIPAAapplyto?

• AHIPAA coveredentity (CE).• Onlyhealthcareproviders,healthplans,andhealthclearinghousesareconsideredcoveredentities.

• Universitiesareoftenhybrid coveredentities,meaningtheyhavebothnon-covered(e.g.theEnglishdept.)andcoveredcomponents(e.g.theStudentHealthCenter,SchoolofMedicine).

• HIPAAappliestotheentireCE(thelegalentity).ItistheCEthatfacespenaltieswhenaHIPAAviolationoccurs,notitsemployeesorsubunits.

DoesHIPAAapplytome?

• Yes,if youserveacoveredentity,• eitherasaunitofyourcoveredentityor• asaBusinessAssociate,AND• youcreate,receive,transmit,ormaintainPHI.

• Youcannotsay“Ididn’tknowwehadPHI”.PlausibledeniabilitycanbequiteexpensiveunderHIPAA.

• Yourorganizationisnotacoveredentityifitisnotinvolvedinhealthcareoperationsdirectly.

Checkwithyourcompliancefolksorcounsel

WhatisaBusinessAssociate(BA)?

• A“apersonororganization,otherthanamemberofacoveredentity'sworkforce,thatperformscertainfunctionsoractivitiesonbehalfof,orprovidescertainservicesto,acoveredentitythatinvolvetheuseordisclosureofindividuallyidentifiablehealthinformation.”

• However,thereisa“conduitexception”whichexcludes”…thoseentitiesprovidingmerecourierservices,suchastheU.S.PostalServiceorUnitedParcelServiceandtheirelectronicequivalents,suchasinternetserviceproviders(ISPs)providingmeredatatransmissionservices.”

BusinessAssociateAgreements

• HIPAAmandatesyoutohaveaBusinessAssociateAgreement(BAA)withBAs(sinceit’sadisclosureofPHI).TheBAsmusthaveBAAswiththeirBAs,andsoon.

• TheBAAmustincludelanguagestatingthattheBAwillprotectyourPHIandabidebyHIPAA.(SampleBAAsareatHHSsite.)

• YouareexpectedtododuediligencetoensurethattheBAcanprotectyourPHIasperHIPAA.

• TheBAsaresubjecttoHIPAAindependentlyiftheyhavePHI.SoaretheirBAs,allthewaydownthechain.

BreachNotification

• HIPAAmandatesabreachofPHItobereportedtotheOCR&thoseaffectedwithin60days.

• Forbreachesinvolving>500individuals,localmediaoutletsmustalsobenotified.

• Itisforyoutodecidewhetherasecurityincidentrisestothelevelofabreach.

Enforcement

• HIPAAviolationscanresultincivilmonetarypenaltiesagainstacoveredentityand/orcriminalpenaltiesagainstindividuals,withimprisonmentupto10years.

• Anauditmayoccurifthereisabreach.However,abreachisnotautomaticallyaHIPAAviolation.

• Auditsusedtooccuronlyinresponsetoabreachoracomplaint.TheOCRhasreceivedfundingtoinstitutearandomauditprogramnow.Theyaregettingreadyforthefirstroundofsuchaudits.

WhenisabreachaHIPAAviolation?

ViolationsoccurswhentheCEisnotdoingduediligencerequiredunderHIPAAorignoringHIPAAaltogether:

• NotrespondingtotheOCRdespiterepeatedrequests.• Havingnoinformationsecurityprocesswhatsoever.• Noriskassessmentandmitigation.• Noincidentresponse.• Nodocumentation.• Notfollowingdocumentedpoliciesandprocedures.

TheOCRexpectsbreaches;thatisnotthepoint

CivilMonetaryPenalties

*=Anactofomission inwhichacoveredentityorbusiness associateknew,orbyexercisingreasonablediligencewouldhaveknown,thattheactoromission violatedanadministrativesimplification(HIPAA)provision, butinwhichthecoveredentityorbusiness associatedidnotactwithwillfulneglect.

Thecostof“Ididn’tknowwehadPHI”.

*

Abreachof100patientrecords=100violations

Maximum“DidNotKnow”costofabreachof100patientrecords=$50Kx100=$5million!

EnforcementinAction

TheCorrectiveActionPlan(CAP)signedby IdahoStateUniversity

Breachesreportedbyuniversitiesì

Thepenaltiesarebad;reputationaldamage isworse

CorrectiveActionPlanforISU

WhatdoesHIPAAmeanforanITprovider?

• ToprotectePHIaspertheHIPAASecurityRule.

TheHIPAASecurityRule

• TheSecurityRulerequires1.Administrative,2.Physical,and3.Technicalsafeguards to

• Ensuretheconfidentiality,integrity,and availabilityofallePHIcreated,received,maintainedortransmitted;

• Identifyandprotectagainstreasonablyanticipatedthreatstothesecurityor integrityoftheinformation;

• Protectagainstreasonablyanticipated,impermissibleusesordisclosures;

• Ensure compliancebytheworkforce;and• Provideameansformanagingriskinanongoingfashion.

SecurityRuleSafeguards

• Administrative– securitymanagement/officer,workforcesecurity,incidentresponse,disasterplanning,evaluations,etc.

• Physical – facilitiesaccess,workstationuse/security,device/mediacontrols,etc.

• Technical – access/auditcontrol,integrity,authentication,transmissionsecurity,etc.

+organizational/policies/documentationrequirements

RequiredandAddressable

• TheSecurityRulesafeguardsareeitherrequired oraddressable.• Required=whatitsays.• Addressable=mustbeinplace,butokifyouexplainwhyyoudon’thaveitinplaceand/orhowyouwillotherwiseaddresstherisk.

HIPAASafeHarbor

• Ifthedataisencryptedatrestandtheencryptionkeyisstoredseparatelyfromthedataandsecured,abreachneednotbereportedtotheOCR.

• ThisiscalledHIPAAsafeharbor.

CanIbecertifiedHIPAAcompliant?

• No,HIPAAdoesn’tdefineathresholdwhereyouaresuddenlycompliant.

• TheOCRhasnotauthorizedanyonetocertifycompliance.• YoucangetthirdpartycertificationbuttheOCRdoesnotrecognizethem.Theymaystillfindyoulacking.

• Allyoucandoisexerciseduediligence- continuouslyassessandmitigaterisk.HIPAAcomplianceiseitherselfassertedorblessedbylocalauthorities.

HowdoIhandleHIPAAthen?

• Basedonyourenvironment,budget,andrisktolerance.• CheckifyourlocalHIPAAComplianceorInformationSecurityfolksalreadyhaveaprocessinplaceorhaverecommendations.Usetheirexpertise.

• SecuringtheePHIanddocumentationisstillyourtask.

FISMA

WhatisFISMA?

FederalInformationSecurityManagementActof2002.

“Eachfederalagencyshalldevelop,document,andimplementanagencywideinformationsecurityprogramtoprovideinformationsecurityfortheinformationandinformationsystemsthatsupporttheoperationsandassetsoftheagency…”

WhodoesFISMAapplyto?

• Governmentagencies,theirsubcontractors,orothersourcesthatservetheagencies.

WhendoesFISMAapply?

• Whenyouuseagencysystemstomanageinformationonbehalfofanagency.

• Whenyouuseoroperateinformationsystemsonbehalfofanagency.• Ifyourcontractsaysitdoes.

HHSguidance

“FISMA'srequirementsfollowagencyinformationintoanysystemwhichusesitorprocessesitonbehalfoftheagency.Thatis,whentheultimateresponsibilityandaccountabilityforcontroloftheinformationcontinuestoresidewiththeagency,FISMAapplies.”

• Theterm"onbehalfof"indicatesthatonlythoseentitiesthatareacting,underagencyprinciples,asagents,whereHHS(oracomponent)istheprincipal,arecoveredbyFISMA.

DoesFISMAapplytome?

• Probably,ifyouhaveacontractwithagovt.agency,e.g.NIH.• Checkthecontract;itwillexplicitlystateFISMArequirements.• CheckifFISMAlanguagehasbeenaddedtoexistingcontractswhentheyarerenewed.

• ItissometimespossibletonegotiateFISMAout.

WhatdoesFISMArequire?

• AdoptingtheNISTRiskManagementFramework(RMF).• Accreditation.• Regularreportingandreviews.

TheFISMAWorkflow

Definesystemboundaries

AssessRisk(NIST800-30,37,39)

ApplyControls(NIST800-53)

EvaluateControls(NIST800-53A)

AuthoritytoOperate(ATO)

DefineSystemBoundaries

• Alsoknownastheaccreditationboundaries.• Defineswherethe“system”beginsandends.• Asystemcanbeapartofanetwork,anapplication,alogicalcollectionofdisparatecomponents,etc.

• Aconceptualboundaryextendstoalldirectandindirectusersofthesystemthatreceiveoutput.

• RequiresITprofessionals.

AssessRisk

• GuidancefromNISTdocumentsNIST800-30,37,and39isusedtoconductariskassessment.

• Individualrisksandseverityareidentified.• Aprioritizedlistofrisksiscreated.

SelectControls

• TheresultsoftheriskassessmentandtheNISTcontrolcatalogNIST800-53areusedtoselectcontrolsthatmitigaterisk.

• Existingcontrolswillmitigatesomeoftherisk.Residualriskisaddressedbyaddingmissingcontrols.

• TheFISMAcontractwillspecifytherequiredsecuritycontrolbaseline(High,Medium,orLow).

EvaluateControls

• Requiresregularassessments.• Involvestestingthecontrolsinplacetogaugetheireffectivenessinmitigatingrisk.

• Evaluationscanbeinternalorexternal.• TheNIST800-53AdocumentcoversevaluatingNIST800-53controls.

AuthoritytoOperate(ATO)

• Thecompliancepaperworkissubmittedtotheagency.• AnATOletterisissuedbytheagencyauthorizingtheoperationofthesystem.

• Ifremediationisrequired,theagencymayissueanInterimAuthorityToOperate(IATO)withadefinedenddate.

+continuousmonitoringandregularreportingrequirements.

WhatdoesittaketodoFISMA?

• Asignificantamountofeffortand$$.• DukeMedicine,oneacademicFISMAimplementation,estimatesthat,foreachPIcontract,ittakesthem~25hourstoreviewallthedocumentation,makesuggestedcontractualchangesforagencynegotiation,andcreateaFISMAmanagementplan.

• AseparatebudgetlineitemhastobeincludedinthecontracttocoverFISMAcosts.

• Manyuseacompletelywalledgarden.

3.CyberCompliance:TheIUApproach

History

• IUhasamatureresearchcyberinfrastructure (CI),servingbothlocalandnationalusers.

• ItisprovisionedthroughIU’scentralITorganization.• Itdeliverssupercomputing,datastorage/archival,visualization,applicationdevelopment&optimization,datamanagement,etc.

• Priorto2000,itwasusedalmostexclusivelybytheusualsuspects-physicalscientistsandengineers.

HIPAAintervenes

• ALillyEndowmentgrantin2000toaccelerategenomicsresearchatIUincludedusingtheexistingCIforIUSchoolofMedicineresearchers.

• HIPAAcomplianceforresearchsystemsbecamearequirement.• ForcedustolearnHIPAAandhowitaffectstheresearchworkflow.

Themostimportantcompliancestep

• WecreatedanoversightcommitteetooverseeourHIPAAeffortandputeverystakeholderonit– theComplianceOfficers,Counsel,CISO,SchoolofMedicinefaculty/ITstaff/CIO,CentralITseniormanagement,etc.

• Theybecameourambassadorsandstartedsendingclinicalresearchers,NIHgrantmoney,reflectedgloryourway.

Researchworkflow&compliance

Pre-Grant

•Prelim.Investigation• IRB•CIDesign

Proposal

•ProposalPreparation•BudgetPreparation•ProposalFunding

Execution

• DataAcquisition• DataAnalysis• Simulation• DataManagement• DataSharing• DataVisualization• DataPublishing

Post-Grant

• DataArchival•DataDisposal

Itwasusefultofollowtheresearchdataendtoend,throughitsentirelifecycle tounderstandwherecompliancetouchesit.

Stepsinredinvolvecompliance.

Evolution

• WeinitiatedaHIPAAspecific,homegrowncomplianceprocessin2008.• Itworkedwellinitially,butwastoorigidtoaccommodateotherrulesandregulationsappearingonthehorizon(e.g.FISMA).

• Thismotivatedsearchforastandards based,regulationneutralprocess.

• Theobviouschoicewasthewidelyused,highlyflexibleNIST standard.• Resultedinthecreationofasingle,reusable frameworkforcybercomplianceingeneral.

Howdoesitwork?

1. EstablishthebaseNISTRiskManagementFramework(RMF)2. Align withtheNISTstandard(notindividualregulation)3. Map theregulationtoNIST4. Addmissing*regulatorycontrols

Thisallowsscalinglaterallytocoveranyregulationorpotentialregulationchanges;allthatchangesaresteps2and3

*Regulatorycontrolsmissing fromNIST

HandlingHIPAA

1. AlignwiththeNISTlowsecuritybaseline2. MapHIPAAtoNISTusingNIST800-663. AddHIPAAsafeguardsmissingfromNIST

HIPAAtoNISTMapping (fromNIST800-66)

4.BuildingandLeveragingtheNISTRiskManagementFramework

Whatismanagingcyberrisk?

• Identify,assess,prioritize,andmitigaterisktoassetsonanongoingbasis.

• Focusesonrisk,calculatedasfollows.Risk={Threat/VulnerabilityxLikelihoodxImpact}

• Soabigthreatfromanexistingvulnerabilitythatishighlyunlikelytobeexploited/haslittleimpactislowrisk.Youdon’tkillyourselfoverit.

• Riskassessmentsharplyfocusesattentionandoptimizesresources.

Aren’tfirewalls,encryption,etc.enough?

• No.Technicalcontrolsareonlyonecomponentofcyberriskmanagement.Itrequiresamoreholisticapproach.

• WhynotencryptitallatrestandhaveHIPAAsafeharbor?Becauseit’snotalwayspossible,andyoustillhavetoprotectthekeyserver.

• TheNISTriskmanagementframeworkgivesuspreciselythat.

TheNISTRMF

• Comprisesofthefollowing:

• Goodgovernance=institutionalsecurityorganization,policies,sanctions,enforcement

• Riskmanagement=assessment,mitigationthroughappropriatephysical,administrative,technicalcontrols

• Review =regularmonitoring,reviews,assessment,andmitigation• Awarenessandtraining• Documentation

NISTSecurityLifecycle

ButIdon’thaveresourcestodoallthat

• Youlikelyhavesomeorallofthese:• Aninformationsecurityoffice• InstitutionalITpolicies• Manysecuritycontrolsalreadyinplace• Documentation

• Thisisplentytostartwith.ItmeansthatyouhavethebasicelementsoftheNISTRMFinplacealready.

• Therestisaone-timeefforttoestablishtheRMF.Muchofitisdocumentation.

• Ariskassessmentenablesfurthereconomies.

RiskAssessment

• Thebeginningoftheroadincyberriskmanagement.Youcannotmanageriskunlessyouknowwhatriskyouhave.

• Therearemanywaystoassessrisk,rangingallthewayfrompedestrian(&cheap)tohighlycomplex(&expensive).

• Youreffortshouldbecommensuratewithbudget,risktolerance,andorganizationalcomplexity.

ImplementationSteps

1.AssignResources 2.Develop

tools3.Developprocess

4.Applyprocessto

newsystems

5.Migrateexisting

systemstonewprocess

Developprocess

1. Inventory2.

Documentation of System &

Controls

3. Risk Assessment

4. Risk Response

5. Awareness & Training

6. Oversight & Approval

7. Authority to Operate

8. Ongoing Risk

Management

Inventorywhatyouhave

• Systemdetails,ePHIlocation,securitysettings,BAAs,scaninfo,accessmethods,disposalinformation,etc.

• Software,version,patchlevel,BAAs,scaninfo,etc.• Privilegedaccessinventory- names,roles,datesauthorized,etc.• Incidentlog– incidentsummary,response.

Theinventorytemplate

Documentthesystemandcontrols

• ControlsaredocumentedintheSystemSecurityPlanorSSP.• IUtemplatebasedonwhatDHHS,NASA,etc.usetosatisfyFISMA.• Describessystemname,categorization,contacts,purpose,components,interconnections,boundaries,dependencies,andallNIST800-53security&privacycontrolsinplace.

TheSSPtemplate

Documententerprisecommoncontrols

• IndividualSSPsdescribeNIST800-53controlsyouhaveinplace.• Manyofthesewillbeinheritedfromyourorganization.Theywillapplytoallsystems.Wecallthementerprisecommoncontrols(ECC).

• ItiswastefultoincludethemeverytimeineachSSP.• SodocumentECCsseparatelyandhaveindividualSSPssimplypointtotheECCdocs.

TheECCdocumentisliterally

NIST800-53with

responses

Assessrisk

• Doriskself-assessments;theyarecheap• Havemanagers&systemadministratorssitdownandbrainstorm.• Identifyareasofvulnerabilitiesandriskforthesystem.• Documentriskareas,controlsthataddressthoserisks,residualrisks,andriskseverity.

• Haveexternal,thirdpartyassessmentseveryonceinawhileifyoucanaffordthem.

TheRiskAssessmentReportTemplate

Documentriskresponse

• DocumenthowyouwillrespondtoresidualriskinaPlanofAction&MilestonesorPOA&M document.

• Itstateswhethertheriskwasaccepted,transferred,addressed,ortobemitigated,andreasons,timelinesandplannedmitigationactivities/controls.

• Validreasonsforacceptingariskisbudget,resourceconstraints,etc.Youcanoftenstilladdressthemthroughtraining.

ThePOA&Mtemplate

Trainstaff

• Mandateannualtrainingforbothmanagementandstaffresponsibleforthesystem.

• AtIUthreee-trainingmodulesmustbecompleted:1. ThestandardIUHIPAAtraining(coveringthelawandIUpolicies&

procedures)2. IUHumanSubjectstraining3. UITSspecificinformationonhowHIPAAappliestotheIT

organizationspecifically,ourpolicies&NISTprocedures

• Documentallsecurityrelatedtraininginatraininglog.

Trainusersandraiseawareness

• Provideonlinetrainingandawarenessviaaknowledgebase,YouTubevideosorothermedia,inpersonclasses,andemailalerts.

• Candothingslikelaunchingyourownphishingattack.• Workindividuallywithusers,trainthemasyouhelpthem.• Helpthemcreatetheirown(HIPAA)documentationdescribinghowtheyareprotectingtheirend.

Instituteoversight/approval

• Haveyourauthoritiesprovideoversight(whichmayberequiredatyourinstitution)andapprovalorassignsomeonewithinyourorganization.

• AtIUthecompletedcompliancedocumentationpackageissenttotheIUHIPAAComplianceOffice,theUniversityInformationSecurityOffice,andInternalAudit.

Instituteongoingriskmanagement

• Instituteregular,ongoingriskmanagementthrough:• Regularreviews,riskre-assessments,anddocumentationupdates.• Continuous,automaticmonitoringofsystems.• Annualtraining&awareness.• Oversight.• Externalassessments.• Penetrationtesting.• Campaigns(phishing,etc.)

4.Conclusion

Complianceisdoable

• Thegovernmentdoesnotexpectyoutoundertakeherculeanmeasuresorbuildwalledgardens.

• Cybercompliancerequirementsareallaboutbestpractices,somethingweshouldbedoinganyway(andare,mostly).

• Youlikelyhavesufficientlygoodinformationsecurityinplacealready.Itdoesn’ttakeagargantuanefforttogoalltheway.

Benefits

• AstandardsbasedRMFimplementationmakesyourule/regulationproof.

• Customerswithsensitivedatawilltrustyourshop,bringinginnewbusinessandfunding.

• Yourcompliancefolkswillsendpeopleyourway(oursdo).

• Youwillbetterserveresearchers/yourmission.

Theevolutionofcybersecurity

• Noonethinkscybersecurityisasolvableproblem;Thefixesaren’tworkingdespitehugecybersecuritybudgets.

• Anewapproachcalled“resilience”isemerging.• Ittreatsthesituationjustlikethemedicalestablishmentdoeshumandisease.Youwillbesick.Youwillbehacked.Period.

• Thegoalistosurvivebeinghacked,beresilient.• How?Prevent(defend,detect,remediate- baselineriskmanagement),Respond(incidentresponse),Recover(DR),andRefine(learn,adapt).

Links

• TheHIPAASecurityRule• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

• NIST800-66:GuidetoImplementing theHIPAASecurityRule• http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

• NIST800-53:RecommendedSecurityControls• http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

• NIST800-53A:GuideforAssessingSecurityControls• http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf

• NISTHIPAASecurityRuleToolkit• http://scap.nist.gov/hipaa/

• NISTTemplates(emailme)

Contact

AnuragShankarashankar@iu.edu