8/2/2019 IT Security Panel
Planning for Information Security and HIPAA Compliance
Security should follow data
Leo Howell, CISSP; John Baines, CISSP
IAS-Information Assurance & Security, ETSS-Enterprise Technology Services & Support, North Carolina State University
UNC CAUSE November 2006
Sharon McLawhorn McNeil
ITCS-Security, Department of ITCS, East Carolina University
What's it all about, Webster?
Defalcation (15th century)
1 archaic: deduction
2: the act or an instance of embezzling
3: a failure to meet a promise or an expectation
Malfeasance (1696)
wrongdoing or misconduct, especially by a public official
Two twenty-dollar words for fraud and criminal business acts. Today's compliance regime is a reaction to the excesses of the 80s and 90s.
Increasingly Complicated Compliance Constraints
Statute | Type of requirement | University data | Example location
FERPA | Federal law | Student records | Faculty PC or server
HIPAA | Federal law | Health records | Athletics dept.
GLBA | Federal law | Financial data | Financial Aid
PCI DSS | Payment Card Industry Data Security Std. | Credit card data | Bookstore server
SB 1048 | State Identity Theft law | SSN, etc. | R & R
State Employee Personal Information Privacy law | State law | Staff data | Payroll
Federal Grants | Contract requirements | Research materials | Lab PC
Educational Institutions Seen as Easy Marks
Los Angeles Times article, May 30, 2006:
"Since January 2006, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide."
"We were adding on another university every week to look into."
- Michael C. Zweiback, assistant U.S. attorney
Information Security Planning
High level tasks
- Make a conscious decision to plan for security and compliance, for improved efficiency and effectiveness
- Understand the business goals and objectives
- Conduct a risk assessment; factor in compliance!
- Develop the plan
Data Classification Standard, DCS
forms the foundation
- Identification
- Confidentiality and sensitivity
- Classification
- Protection
- Consistency
3 classification levels: High, Moderate, Normal
Based on data business value, financial implications, legal obligations
Data Management Procedures, DMP
assigns ownership and accountability
Role relationships (diagram truncated in extraction; only the leading words of each box survive):
- User: Responsib...
- Data Cus[todian]: Physical data ...; Manage[s] ac[cess] ...
- Security A...: e.g. Applicati[on] ...; Authorizes ... based on G...
- Data Stew[ard]: Access within ...; accuracy, priv[acy] ...
- Data Trus[tee]: Oversight re[sponsibility] ...
Seven Steps: RMIS Information System Security Plan, RISSP
Leo Howell, Information Security Analyst
STEP ONE: Understand the Asset
Philosophically, we believe that security should follow data. But we know that not all data were created equal.
Effective security begins with a solid understanding of the protected asset and its value.
At NC State we have identified DATA as our primary asset.
STEP TWO: Identify and prioritize Threats
- Governance: policy breach; rebellion
- Physical: data theft; equipment theft/damage
- Endpoint: theft; social engineering
- Infrastructure & Application: theft; disclosure; DoS; unauthorized access
- Data: unauthorized access; corruption/destruction
STEP THREE: Identify and rank Vulnerabilities
- Governance: policy loopholes
- Physical: weak perimeter; open access
- Endpoint: ignorance
- Infrastructure & Application: open network; unpatched systems/OS; misconfiguration
- Data: unencrypted storage; insecure transmission
STEP FOUR: Quantify Relative Risk, R
R = V x A x T
- V = vulnerability: the greater the number of vulnerabilities, the bigger the risk
- A = asset (value): the greater the value of the asset, the bigger the risk
- T = threat, expressed as the likelihood of the threat: the greater the threat, the bigger the risk
STEP FIVE: Develop a strategy
Higher classification implies increased security.
The types of data stored, accessed, processed or transmitted dictate the OPZ: 3 virtual operational protection zones (OPZ) based on data classification.
- High: significant business impact (financial loss, regulatory compliance)
- Moderate: adversely affects business and reputation
- Normal: minimal adverse effect on business; authorization required to modify or copy
(Illustration: a server with Moderate data and a laptop with High data, each placed in its zone.)
STEP SIX: Establish target standards
The amount and stringency of security controls at each level varies with data classification.
Seven layers of protection per zone, based on COBIT, ISO 17799 (since renumbered ISO/IEC 27002) and NIST SP 800-53:
1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security
Snippet from Data Security Standard
Security control | Red Zone | Yellow Zone | Green Zone
Encrypt stored data | Mandatory | Recommended | Optional
Limit data stored to external media | Mandatory | Recommended | Optional
Encrypt transmitted data | Mandatory | Mandatory | Recommended
STEP SEVEN: Document the plan
- Identify realistic solutions for applying the appropriate security controls at each level
- Create a list of action items for the next 3 to 5 years
- Prioritize the list based on risk and reality
- Forecast investment
- Beg, kick and scream to get funding
- Implement the plan over time
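The seven steps, worked as an added Python example (this is illustrative code written for this page, not code from the slides or from NC State). It takes a small constructed asset inventory, scores each asset with R = V x A x T, maps its data classification to a protection zone, and turns every missing Mandatory or Recommended control from the Data Security Standard snippet into a prioritized action item. Assumptions not on the slides: V is the count of open vulnerabilities, A is a 1-3 value drawn from the classification, T is a 0-1 likelihood, and High/Moderate/Normal map to the Red/Yellow/Green zones.

```python
"""Seven-step risk plan as code: classify, score R = V * A * T, map to a zone,
and list the controls each asset still needs. Added example; not from the slides."""
from dataclasses import dataclass

# Step One / Five: classification fixes the asset value A and the protection zone.
# The 1-3 value scale and the class-to-zone mapping are assumptions for this example.
CLASS_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}
CLASS_ZONE = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# Step Six: the three rows shown in the "Snippet from Data Security Standard" slide.
STANDARD = {
    "encrypt_stored_data":      {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "limit_external_media":     {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "encrypt_transmitted_data": {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}
PRIORITY = {"Mandatory": 0, "Recommended": 1}   # Optional controls never become action items


@dataclass
class Asset:
    name: str
    classification: str        # High / Moderate / Normal
    vulnerabilities: list      # Step Three findings for this asset
    threat_likelihood: float   # Step Two, 0.0 .. 1.0
    controls_in_place: set     # keys of STANDARD already implemented


def relative_risk(asset: Asset) -> float:
    """Step Four: R = V * A * T, with V = number of open vulnerabilities."""
    v = len(asset.vulnerabilities)
    a = CLASS_VALUE[asset.classification]
    t = asset.threat_likelihood
    return round(v * a * t, 2)


def control_gaps(asset: Asset) -> list:
    """Controls the asset's zone requires (Mandatory or Recommended) but the asset lacks."""
    zone = CLASS_ZONE[asset.classification]
    return [
        (control, levels[zone])
        for control, levels in STANDARD.items()
        if levels[zone] in PRIORITY and control not in asset.controls_in_place
    ]


def action_plan(assets: list) -> list:
    """Step Seven: one action item per gap; Mandatory first, then highest risk first."""
    items = []
    for asset in assets:
        risk = relative_risk(asset)
        for control, requirement in control_gaps(asset):
            items.append({"asset": asset.name, "zone": CLASS_ZONE[asset.classification],
                          "control": control, "requirement": requirement, "risk": risk})
    items.sort(key=lambda i: (PRIORITY[i["requirement"]], -i["risk"], i["asset"]))
    return items


# Constructed sample inventory, loosely following the slide's "Laptop with High data"
# and "Server with Moderate data" pictures plus a lab PC; not real NC State assets.
SAMPLE_ASSETS = [
    Asset("faculty-laptop", "High", ["unencrypted storage", "unpatched OS"], 0.6,
          {"encrypt_transmitted_data"}),
    Asset("dept-server", "Moderate", ["open network", "misconfiguration", "insecure transmission"],
          0.5, {"encrypt_stored_data"}),
    Asset("lab-pc", "Normal", ["ignorance"], 0.2, set()),
]

if __name__ == "__main__":
    for item in action_plan(SAMPLE_ASSETS):
        print(f"{item['requirement']:<12} R={item['risk']:<4} {item['asset']:<15} "
              f"{item['zone']:<7} {item['control']}")
```

Sorting Mandatory items ahead of Recommended ones before sorting by R is deliberate: a mandatory control missing from a Red Zone laptop is a standards violation regardless of score, whereas R only orders work within the same requirement level. Swap the sort key if your plan treats risk score as the sole driver.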
Quick takes
- Planning paves the way for effectiveness and efficiency in security and compliance
- Understand the business and its goals
- Conduct a risk assessment
- Establish a strategy based on data classification and industry standards
- Develop a prioritized, realistic plan
- Go for the long haul!
Key Elements of the HIPAA Security Rule: And how to comply
Sharon McLawhorn McNeil
ITCS-Security, Department of ITCS, East Carolina University
Introduction
HIPAA is the Health Insurance Portability and Accountability Act, federal legislation passed into law in August 1996. The Security Rule is just one part of it, and thousands of organizations must comply with that rule.
The purposes of HIPAA:
- To allow better access to health insurance
- To reduce fraud and abuse
- To lower the overall cost of health care
What is the HIPAA Security Rule?
The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Individually identifiable health information relates to:
- your past, present, or future physical or mental health or condition,
- the health care you receive, or
- past, present, or future payment for that health care.
Who Must Comply?
Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
- Health care plans: HMOs, group health plans, etc.
- Health care clearinghouses: billing and repricing companies, etc.
- Health care providers: doctors, dentists, hospitals, etc.
How Does One Comply?
Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.
Administrative Safeguards
To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
- Conduct a Risk Analysis
- Implement Risk Management actions
- Develop a Sanction Policy to deal with violators
- Conduct an Information System Activity Review
Physical Safeguards
The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls that limit access to the organization's computer systems, its network, and the facility in which they are housed.
Technical Safeguards
Technical safeguards refers to the technology and the procedures used to protect EPHI and access to it.
The goal of technical safeguards is to protect patient data by allowing access only to individuals or software programs that have been granted access rights to the information.
Key Elements of Compliance
1. Obtain and maintain senior management support
2. Develop and implement security policies
3. Conduct and maintain an inventory of EPHI
4. Be aware of political and cultural issues raised by HIPAA
5. Conduct regular and detailed risk analysis
6. Determine what is appropriate and reasonable
7. Documentation
8. Prepare for ongoing compliance
Penalties
Civil penalties are $100 per violation, up to $25,000 per year for each violation. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail. (These are the figures in force at the time of this 2006 talk; the 2009 HITECH Act later raised the civil penalty tiers substantially.)
Additional negatives:
- Negative publicity
- Loss of customers
- Loss of business partners
- Legal liability
Conclusion
Compliance will require Covered Entities to:
- Identify the risks to their EPHI
- Implement security best practices
Complying with the Security Rule can require significant time and resources. Compliance efforts should already be underway.
Contacts
NC State University
Leo Howell, CISSP CEH CCSP CBRM
Information Security Analyst
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
[email protected]
(919) 513-1169
NC State University
John Baines, CISSP
Assistant Director
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
East Carolina University
Sharon McLawhorn McNeil
IT-Security Analyst
252-328-9112
[email protected]