HIPAA Security Rule, November 16th, 2004, ISSA/ISC² Secure SD Security Conference, San Diego, CA. Sean Lewis, CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+, Lead Consultant (Southern California), Verisign Global Security Consulting

Page 1:

HIPAA Security Rule

November 16th, 2004, ISSA/ISC² Secure SD Security Conference, San Diego, CA

Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+

Lead Consultant (Southern California), Verisign Global Security Consulting

Page 2:

VeriSign: Publicly Traded Company

Over 3,000 employees

$1 Billion in Revenues

Operate critical DNS Infrastructure that enables over 10B transactions/Day

Secure the information assets of over 400,000 websites and 1,000 large enterprises

Largest SS7 Telecommunications network – 2 Billion messages per day

2.8B SS7 signals/day

Enable over 1,000 carriers to interconnect

Support over 30% of North American e-commerce

Over 100 Million E-Commerce Payment Transactions Per Quarter

Largest MSSP with over 3000 devices under management

Page 3:

Drivers behind HIPAA

Efficiency and interoperability between payers, providers, clearinghouses (“covered entities”)

“Patient’s Bill of Rights”

Enhanced medical record privacy

Enhanced medical record security

Page 4:

Medical Mistakes kill 98,000/year in the USA

Page 5:

Data valuation – what’s gone wrong in healthcare?

What is your medical record worth to you?

How much do you trust your healthcare provider to keep your medical record private & secure?

How many of your friends or neighbors work in a healthcare organization?

How many of your enemies?

We spend billions protecting financial information, what about health information?

Page 6:

Page 7:

Do I need to comply?

The security rule applies to all IIHI (individually identifiable health information) in electronic form

ePHI (electronic Protected Health Information) that is stored and/or transmitted is covered

Health information on paper or divulged orally is not covered!

The rule is intended to set a minimum level of security for covered entities

Covered entities and business associates (through a chain of trust agreement) of those entities are required to comply

Page 8:

What’s the business / security value-add?

Increased level of confidence from your customers

Expansion into healthcare markets for non-healthcare centric services (e.g.: managed security services)

Integration of sound security practices to fulfill HIPAA requirements (e.g.: standardized risk assessment methodology, quantifiable security metrics for measuring process improvement)

Covered entities MUST comply, of course!

Page 9:

Nuts and bolts of the rule

Covered entities are required to:

Assess potential risks and vulnerabilities

Protect against threats to information security or integrity, and against unauthorized use or disclosure

Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances

Ensure compliance with these safeguards by all staff

Page 10:

How is the rule structured?

The rule is broken into three sections: administrative safeguards, technical safeguards and physical safeguards

There are 18 standards that encompass the 3 types of safeguards

Almost every standard has several implementation specifications that are specific requirements within the standard

Each implementation specification is either required or addressable

Page 11:

Required vs. Addressable

Required:

Implementation Specification must be met by Covered Entity. Most of the required Implementation Specifications scale to meet covered entity requirements, large or small

Addressable:

Implementation Specification may not always be appropriate, or may not “scale” to different covered entity sizes. The covered entity must perform a risk assessment to determine which controls are reasonable and appropriate to implement (addressable does not mean optional: where a specification is not implemented, the reasons must be documented and an equivalent alternative measure adopted where reasonable)

Page 12:

Administrative safeguards (standard – what it means in practice)

Security Management Process – Information Security Program

Assigned Security Responsibility – Assigning responsibility (CSO / CISO)

Workforce Security – Acceptable Use of Computing Resources for staff

Information Access Management – Access Control (AAA)

Security Awareness & Training – Training and Education

Security Incident Procedures – Incident Response

Contingency Planning – Disaster Recovery / Business Resumption Planning

Evaluation – Risk Assessment and quantifiable measurement

Business Associate Contracts & Other Arrangements – Contracts

Page 13:

Physical Safeguards (standard – what it means in practice)

Facility Access Controls – Physical security of information processing facilities

Workstation Use – Acceptable Use & control of access to workstations

Workstation Security – Physical Security of assets (each separate device type is classified as a workstation)

Device & Media Controls – Computer Operations 101 (tape labeling and archiving, tape rotation, back-up logs kept up to date, control of removable media containing ePHI)

Page 14:

Technical Safeguards (standard – what it means in practice)

Access Control – Unique User ID, Emergency Access, Automatic Logoff

Audit Controls – Activity review (application & operating system)

Integrity – Verifying data integrity (at rest and in transit)

Person or Entity Authentication – Robust authentication strategy (two-factor)

Transmission Security – Safeguarding ePHI in transmission (encryption) and verifying integrity (digital signatures)

Page 15:

FAILING TO PREPARE IS PREPARING TO FAIL

Page 16:

Maximizing investment on compliance

Perform regular security assessments on critical assets that contain or may participate in the transmission or storage of ePHI (consider an annual third party assessment to free internal resources up for remediation)

Make sure you are effective where the rubber meets the road – does a procedure that a particular business unit performs actually match what’s documented as far as step by step actions? What is the variance?

Outsource routine Information Security tasks to free up resources - constant Intrusion Detection alerts and System Activity Review may cost you more in labor to tune and monitor 24x7 in a month than an MSSP may charge for a year contract

Page 17:

What are the pitfalls to avoid?

The HIPAA Security rule contains a great deal of documentation requirements, but don’t just focus on documentation!

Don’t make mountains out of molehills

Don’t wait until the 11th hour to ask for money (especially for awareness and training requirements)

Don’t attempt to achieve compliance without a plan (decentralized workgroups work very well)

Not leveraging your resources and skill-sets is a recipe for disaster

Page 18:

Compliance Tips

Establish a formal security program with a designated security officer

Establish a standardized risk assessment strategy to prioritize work

Implement a security program mapped to best practice security standards, not to a specific regulation

Make use of “community standard” guidelines to make sure you’re keeping pace with other providers

Collaborate with other providers on how you develop strategies to address the HIPAA Security Rule

Page 19:

Reading Room

NIST DRAFT SP 800-66, “An Introductory Guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”: http://csrc.nist.gov/publications/drafts/DRAFT-sp800-66.pdf

Health Insurance Portability and Accountability Act (HIPAA) Home Page:

http://www.hhs.gov/ocr/hipaa/

Health Hippo:

http://hippo.findlaw.com/hipaa.html

Page 20:

Questions & Answers

VeriSign Security Services