Posted: 07-Jan-2017 | Category: Technology | Uploaded by: alert-logic
Patient Data is More Portable than it has ever been
• 44% of healthcare orgs already host clinical apps in the cloud (HIMSS)
• More than 50% of US doctors are receiving MU Incentives for EHR (HHS)
• More than 40% of physicians use mobile devices to access PHI (Deloitte)
Impact: Protecting the confidentiality, integrity, and availability of this information (PHI) becomes crucial
The HIPAA Security Rule
• Safeguard the confidentiality, integrity and availability of ePHI
• Protect ePHI systems and data against reasonably anticipated threats
Stipulates processes for securing electronic protected health records, grouped into three sets of safeguards:
• Technical Safeguards
• Physical Safeguards
• Administrative Safeguards
HIPAA Breach Notification Rule
HIPAA Privacy Rule
HIPAA Security Rule
• Safeguard the confidentiality, integrity and availability of ePHI data
• Protect ePHI systems and data against reasonably anticipated threats
Administrative Safeguards
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts
Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Addressing HIPAA Compliance Requirements
Administrative Safeguards
Key requirement:
• Implement security measures for protecting ePHI
• Manage the conduct of the workforce in relation to protecting ePHI
How to comply:
• Vulnerability Assessment (Risk analysis)
• Intrusion Detection (Risk management, protection from malicious software, incident response)
• Web Application Firewall (Risk management, protection from malicious software, incident response)
• Log management/SIEM (Tracking access authorization/modification, backup services)
• Security monitoring (Application and data criticality analysis)
Physical Safeguards
Key requirement:
• Physical measures to protect ePHI and related systems from unauthorized intrusion and natural hazards
How to comply:
• Log management/SIEM (Tracking access control changes and data backups, enabling disaster recovery and integrity assurance of logs)
Technical Safeguards
Key requirement:
• Technology that protects ePHI and controls access to it
How to comply:
• Intrusion Detection (Automated security analysis with pre-built alerts and reports)
• Log management/SIEM (Automates log collection, aggregation and normalization across sources; tracks changes in access control, cryptographic services and audit services)
Using DevOps to Assist with Compliance
• Deployment automation to automatically apply security agents and configuration.
• Leverage tools such as CloudFormation to deploy applications in a consistent and reviewable manner.
• Use CloudTrail to create an audit trail of infrastructure changes.
• Leverage IAM to restrict users to BAA-approved services and constraints.
• AWS Config Rules can help identify violations of volume encryption and dedicated tenancy.
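An added example, not code from the Alert Logic deck: Python in the shape of an AWS Config custom-rule evaluator that flags the two violations the slide names (unencrypted EBS volumes, instances not on dedicated tenancy). The configurationItem field layout is assumed from AWS Config's item format for AWS::EC2::Volume and AWS::EC2::Instance, and every sample item is constructed.

```python
import json

# Added example (not code from the Alert Logic deck): the evaluation logic an AWS
# Config custom rule applies for unencrypted EBS volumes and instances not on dedicated
# tenancy. Item fields follow the AWS Config configurationItem format for
# AWS::EC2::Volume and AWS::EC2::Instance (assumed); all sample items are constructed.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

def evaluate(item):
    """Return (compliance_type, annotation) for one configuration item."""
    rtype = item.get("resourceType")
    cfg = item.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        # ePHI at rest: encrypted must be exactly True; a missing field counts as a violation.
        if cfg.get("encrypted") is True:
            return COMPLIANT, "volume is encrypted"
        return NON_COMPLIANT, "volume is not encrypted"
    if rtype == "AWS::EC2::Instance":
        # A missing placement block means EC2 fell back to shared ("default") tenancy.
        tenancy = (cfg.get("placement") or {}).get("tenancy", "default")
        if tenancy == "dedicated":
            return COMPLIANT, "instance runs on dedicated tenancy"
        return NON_COMPLIANT, f"instance tenancy is '{tenancy}', expected 'dedicated'"
    return NOT_APPLICABLE, f"no rule for resource type {rtype}"

def evaluation_from_event(event):
    """Build the Evaluation entry a Config rule Lambda hands to put_evaluations (the API
    call itself is left out); invokingEvent is a JSON string carrying configurationItem."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    ctype, note = evaluate(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": ctype, "Annotation": note,
            "OrderingTimestamp": item.get("configurationItemCaptureTime")}

# Constructed sample configuration items (not real resources or account data).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa", "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb", "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ccc",
     "configuration": {"placement": {"tenancy": "dedicated"}}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ddd", "configuration": {}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "phi-bucket", "configuration": {}},
]
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEMS[1]})}

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(item["resourceId"], *evaluate(item))
```

In a deployed rule the returned dict goes into a put_evaluations call; here the NOT_APPLICABLE branch shows that a rule scoped to the wrong resource type silently reports nothing, so scope the rule to the resource types it actually checks.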
How Cloud Defender Works in AWS (architecture diagram)
• AWS services, instances & applications feed the platform with:
- AWS service log collection; web and network security events; application & server logs
- Continuous vulnerability scanning, configuration assessments and environment visibility
• Analytics platform: threat intel & context, expert analysis
• Your team receives: threat detection with remediation tactics; vulnerability & configuration issues
Make HIPAA Easier with a Security Operations Center
• 24x7 monitoring by GIAC-certified security analysts
- Proactive identification and response to suspicious activity
- Incident response and escalation
- Recommendations for resolution
• Ongoing tuning delivers protection and application availability
- Tuning in response to changing attacks and customer application changes
- All team members are responsible for identifying new patterns of attacks that feed into the building of new security content
Summary: Alert Logic Provides Broad HIPAA Coverage
HIPAA Rule | Alert Logic
Physical Safeguards |
164.310 (a) Facility access controls | ✔
164.310 (d) Device and media controls | ✔
Technical Safeguards |
164.312 (a)(1) Access control | ✔
164.312 (b) Audit controls | ✔
164.312 (c) Integrity | ✔
164.312 (e) Transmission security | ✔
Administrative Safeguards |
164.308 (a)(1) Security Management Process | ✔
164.308 (a)(3) Workforce Security | ✔
164.308 (a)(4) Information Access Management | ✔
164.308 (a)(5) Security Awareness and Training | ✔
164.308 (a)(6) Security Incident Procedures | ✔
164.308 (a)(7) Contingency Plan | ✔