Date posted: 18-Dec-2014
Category: Health & Medicine
Uploaded by: redspin-inc
How to Prepare Your Organization for a HIPAA Security Risk Analysis
Presented by:
John Abraham
Founder & Chief Security Evangelist
Redspin
About Redspin
• Penetration Testing
– External Infrastructure
– Internal Infrastructure
– Web Applications
• IT Security Controls
– HIPAA
– FFIEC/GLBA
– PCI
– NERC
• Social Engineering
About The Speaker
John Abraham, Founder & Chief Security Evangelist
As Redspin's founder and Chief Security Evangelist, John is passionate about the importance of a structured information security program that enables management to focus IT resources on the most pressing security risks. John's belief is that addressing subtle issues within an organization's IT environment can yield significant business impact, so an ounce of prevention is the key operative behavior of a successful risk management program. John is one of Redspin's health IT security specialists, is a regular speaker on security and healthcare ePHI risk management, and enjoys working with IT teams, compliance officers and executives on practical approaches to data security mitigation strategies.
Preparing Your Organization for a HIPAA Security Risk Analysis
What we’ll cover today:
What is it?
How does it fit into my security program?
What are the preparation steps?
How can I avoid pitfalls & maximize value?
Why now?
Meaningful use core objective (protecting ePHI)
HIPAA Compliance
Risk management
Part 1: HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
HIPAA Security Rule § 164.308(a)(1)(ii)(A)
“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”
What is a Risk Analysis? (Also called: Risk Assessment)
Assessment of risk
CIA: confidentiality, integrity and availability
ePHI: created, received, maintained, transmitted
How is it performed? It’s an evaluation:
1. Where is ePHI, and what are the critical applications?
2. Threats
3. Vulnerabilities
4. Existing controls (are they effective?)
5. Determine risk (= probability × impact)
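As an added illustration that is not part of the original deck, the five-step evaluation above as a small risk-register calculation in Python. The asset inventory, the 1-5 scoring scale and the control-credit rule are constructed assumptions; a control that exists but is not effective earns no credit, which keeps the scoring honest about existence versus effectiveness.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    exists: bool
    effective: bool  # a control that merely exists earns no risk credit


@dataclass
class Asset:
    name: str
    holds_ephi: bool      # step 1: where is ePHI
    threat: str           # step 2
    vulnerability: str    # step 3
    likelihood: int       # 1 (rare) .. 5 (expected), before controls
    impact: int           # 1 (minor) .. 5 (severe) to confidentiality, integrity or availability
    controls: list = field(default_factory=list)  # step 4: existing controls


def residual_likelihood(asset: Asset) -> int:
    """Assumed scoring rule: each control that exists AND is effective lowers
    likelihood by one step, never below 1. Ineffective controls give no credit."""
    credit = sum(1 for c in asset.controls if c.exists and c.effective)
    return max(1, asset.likelihood - credit)


def risk_score(asset: Asset) -> int:
    """Step 5: risk = probability * impact, on the 1..25 scale this scheme implies."""
    return residual_likelihood(asset) * asset.impact


def prioritized_register(assets: list) -> list:
    """Score only assets that hold ePHI and return (name, risk), highest risk first."""
    scored = [(a.name, risk_score(a)) for a in assets if a.holds_ephi]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample inventory (illustrative values, not a real environment).
SAMPLE_ASSETS = [
    Asset("EHR database", True, "external attacker", "unpatched database server", 4, 5,
          [Control("patch management", True, False),      # exists on paper, not effective
           Control("network segmentation", True, True)]),
    Asset("Billing file share", True, "lost laptop", "no full-disk encryption", 3, 4,
          [Control("disk encryption policy", True, False)]),
    Asset("Public website", False, "defacement", "outdated CMS", 4, 2, []),
]

if __name__ == "__main__":
    for name, score in prioritized_register(SAMPLE_ASSETS):
        print(f"{score:2d}  {name}")
```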
Flexibility on RA Approach
“Security Rule does not prescribe a specific risk analysis methodology”
“Methods will vary dependent on the size, complexity, and capabilities of the organization”
“There are numerous methods of performing risk analysis”
“There is no single method or 'best practice' that guarantees compliance with the Security Rule”
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Goals and Objectives
Identify (and prioritize) risk
Ensure controls are working
Recommend improvements
Foundation for robust security program
Achieve compliance
- HIPAA Security Rule & Meaningful Use
Expected Outcomes
IT transparency
Executive understanding of current state of security
Prioritized view of risk
Provide data needed to create IT action plan
Part 2: HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA Administrative Safeguards (§164.308), ...
Risk Analysis
“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”
“A risk analysis is foundational”
“The Security Rule requires entities to evaluate risks and vulnerabilities... and to implement reasonable and appropriate security measures... Risk analysis is the first step in that process.”
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Part 3: HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
Organizational Resources
Time
• Vendor selection (2-8 weeks)
• Risk Analysis timeline (1-4 weeks)
People
• Vendor selection (IT, compliance, executive)
• During RA (1 liaison)
Budget
• Varies depending on size/complexity
What about cost?
Variables
– Depends on complexity, satellite locations, …
– Web application and network penetration testing
– Social engineering
– Business associate risk
What is needed for a proposal?
What is size & complexity of IT environment
Key criteria...
RFP Template
What is needed for analysis?
Liaison
ePHI inventory
Critical business associates
ISO (Information Security Officer) – person responsible for security
Security policy
Documentation (whatever is available)
- Network diagrams, audit results, system docs
Part 4: HIPAA Security Risk Analysis
1. What is it?
2. How does it fit into my security program?
3. What are the preparation steps?
4. How can I avoid pitfalls & maximize value?
Pitfall 1: Waiting for the network to stabilize
It never does!
Pitfall 2: Assuming a control addresses risk
Existence does not equal effective
Pitfall 3: Thinking compliance is security
Compliance does not equal security
Pitfall 4: Waiting until you implement ____
It may not be a high priority
Pitfall 5: Using a check-box approach to RA
False positives make you look bad
Creates focus on less important issues, while missing critical risk
Expensive mitigation
Lack of context
HIPAA Security Rule
Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
HIPAA Security Rule
In deciding which security measures to use, a covered entity must take into account the following factors:
– (i) The size, complexity, and capabilities of the covered entity.
– (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
– (iii) The costs of security measures.
– (iv) The probability and criticality of potential risks to electronic protected health information.
Summary: HIPAA Security Risk Analysis
What is it?
How does it fit into my security program?
What are the preparation steps?
How can I avoid pitfalls & maximize value?