Date post: | 25-Dec-2015 |
Category: |
Documents |
Upload: | tamsin-greer |
View: | 216 times |
Download: | 2 times |
HIPAA Security Rule
November 16th, 2004ISSA/ISC² Secure SD Security Conference, San Diego, CA
Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+
Lead Consultant (Southern California)Verisign Global Security Consulting
VeriSignPublicly Traded Company
> 3000 Employees
$1 Billion in Revenues
Operate critical DNS Infrastructure that enables over 10B transactions/Day
Secure the information assets of over 400,000 websites and 1,000 large enterprises
Largest SS7 Telecommunications network – 2 Billion messages per day
2.8B SS7 signals/day
Enable over 1,000 carriers to interconnect
Support over 30% of North American e-commerceOver 100 Million E-Commerce Payment Transactions Per Quarter
Largest MSSP with over 3000 devices under management
Drivers behind HIPAA
Efficiency and interoperability between payers, providers, clearinghouses (“covered entities”)
“Patient’s Bill of Rights”
Enhanced medical record privacy
Enhanced medical record security
Medical Mistakes kill 98,000/year in the USA
Data valuation – what’s gone wrong in healthcare?
What is your medical record worth to you?
How much do you trust your healthcare provider to keep your medical record private & secure?
How many of your friends or neighbors work in a healthcare organization?
How many of your enemies?
We spend billions protecting financial information, what about health information?
Do I need to comply?
The security rule applies to all IIHI (individually identifiable health information) in electronic form
ePHI (electronic Protected Health Information) that is stored and/or transmitted is covered
Health information on paper or divulged orally is not covered!
The rule is intended to set a minimum level of security for covered entities
Covered entities and business associates (through a chain of trust agreement) of those entities are required to comply
What’s the business / security value-add?
Increased level of confidence from your customers
Expansion into healthcare markets for non-healthcare centric services (e.g.: managed security services)
Integration of sound security practices to fulfill HIPAA requirements (e.g.: standardized risk assessment methodology, quantifiable security metrics for measuring process improvement)
Covered entities MUST comply, of course!
Nuts and bolts of the rule
Covered entities are required to:
Assess potential risks and vulnerabilities
Protect against threats to information security or integrity, and against unauthorized use or disclosure
Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances
Ensure compliance with these safeguards by all staff
How is the rule structured?
The rule is broken into three sections: administrative safeguards, technical safeguards and physical safeguards
There are 18 standards that encompass the 3 types of safeguards
Almost every standard has several implementation specifications that are specific requirements within the standard
Each implementation specification is either required or addressable
Required vs. Addressable
Required:
Implementation Specification must be met by Covered Entity. Most of the required Implementation Specifications scale to meet covered entity requirements, large or small
Addressable:
Implementation Specification may not always be appropriate and “scale” to different covered entity sizes. A risk assessment must be performed by the covered entity to surmise what controls are feasible to implement
Administrative safeguards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness & Training
Security Incident Procedures
Contingency Planning
Evaluation
Business Associate Contracts & Other Arrangements
Information Security Program
Assigning responsibility (CSO / CISO)
Acceptable Use of Computing Resources for staff
Access Control (AAA)
Training and Education
Incident Response
Disaster Recovery / Business Resumption Planning
Risk Assessment and quantifiable measurement
Contracts
Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device & Media Controls
Physical security of information processing facilities
Acceptable Use & control of access to workstations
Physical Security of assets (each separate device type is classified as a workstation)
Computer Operations 101 (tape labeling and archiving, tape rotation, back-up logs kept up to date, control of removable media containing ePHI)
Technical Safeguards
Access Control
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security
Unique User ID, Emergency Access, Automatic Logoff
Activity review (application & operating system)
Verifying data integrity (at rest and in transit)
Robust authentication strategy (two-factor)
Safeguarding ePHI in transmission (encryption) and verifying integrity (digital signatures)
FAILING TO PREPARE IS PREPARING TO FAIL
Maximizing investment on compliance
Perform regular security assessments on critical assets that contain or may participate in the transmission or storage of ePHI (consider an annual third party assessment to free internal resources up for remediation)
Make sure you are effective where the rubber meets the road – does a procedure that a particular business unit performs actually match what’s documented as far as step by step actions? What is the variance?
Outsource routine Information Security tasks to free up resources - constant Intrusion Detection alerts and System Activity Review may cost you more in labor to tune and monitor 24x7 in a month than an MSSP may charge for a year contract
What are the pitfalls to avoid?
The HIPAA Security rule contains a great deal of documentation requirements, but don’t just focus on documentation!
Don’t make mountains out of molehills
Don’t wait until the 11th hour to ask for money (especially for awareness and training requirements)
Don’t attempt to achieve compliance without a plan (decentralized workgroups work very well)
Not leveraging your resources and skill-sets is a recipe for disaster
Compliance Tips
Establish a formal security program with a designated security officer
Establish a standardized risk assessment strategy to prioritize work
Implement a security program mapped to best practice security standards, not to a specific regulation
Make use of “community standard” guidelines to make sure you’re keeping pace with other providers
Collaborate with other providers on how you develop strategies to address the HIPAA Security Rule
Reading Room
NIST DRAFT SP 800-66 “An Introductory Guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf
Health Insurance Portability and Accountability Act (HIPAA) Home Page:
http://www.hhs.gov/ocr/hipaa/
Health Hippo:
http://hippo.findlaw.com/hipaa.html
Questions & Answers
VeriSign Security Services