Security Planning (From a CISO's perspective)

by Todd Plesco, 24 Oct 2007

Todd.Plesco@infosecurity.pro


Information assurance (IA) is the practice of managing information-related risks. IA practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems.

Integrity: Ensuring that data is not altered or destroyed.

Availability: Ensuring that data is available when it is needed.

Confidentiality: Ensuring that only authorized personnel have access to data.


IA’s Swiss Army Knife skill set

• Inter-personal

• Negotiation and Diplomacy

• Project management

• Technical

• Business


IA Camp Counselor (conflict mitigation)

• Ease

• Cost

• Likelihood

• Impact (frustration, security conscience)

• Maintenance


Information Assurance To Do:

• Ensure “Rules of Use”

• Ensure procedures follow policies

• Ensure 3rd parties follow policy

• Measure, monitor & report

• Change management Process

• Vulnerability Assessments

• Non-compliance issues

• Security Awareness

Information Assurance Tasks:

• Create and implement plans

• Develop baselines

• Ensure processes address security

• Ensure compliance of IT

• Integrate security into the organization

• Review end-user impacts from policies

• Hold the business end accountable

• Establish a governance framework

• Determine appropriate resources inside/out

Risk Assessments (NIST SP800-30 method)

• Define the scope (issues faced by our agency)

• Identify the risks (unique data and addressables)

• Analyze the risks (probability of occurrence multiplied by severity to quantify hazards)

• Mitigation proposal (using cost & benefit analysis)

• Evaluate recommended control options (feasibility and effectiveness)

• Review and address concerns

• Communicate & consult

• Monitor/review as needed & periodically
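The "analyze the risks" and "mitigation proposal" steps above, worked through as an added example in Python (this is not code from the slides or from the author). It scores each register entry as probability multiplied by severity, ranks the register, and then screens each proposed control by comparing the reduction in score against the control's annual cost. Severity is expressed as an estimated loss figure so that benefit and cost share units; that choice, the risk names, and all the figures are assumptions constructed for the example.

```python
"""Risk register scoring and control cost/benefit screening.

Added example, not from the original slides. Risk score = probability
of occurrence x severity (the slide's analysis step). Severity is an
estimated loss figure here so the cost/benefit step can be carried
out in the same units as a control's annual cost; that framing is an
assumption of this example, not something the slides specify.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float   # annual probability of occurrence, 0..1
    severity: float      # estimated loss per occurrence (same units as control cost)

    def score(self) -> float:
        # Probability multiplied by severity, per the slide's analysis step.
        return self.probability * self.severity


@dataclass
class Control:
    name: str
    risk_name: str
    annual_cost: float
    probability_after: float  # residual probability once the control is in place
    severity_after: float     # residual severity once the control is in place


def rank_risks(risks):
    """Order the register so the largest quantified hazards come first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Cost/benefit for one proposed control against one risk.

    benefit = reduction in risk score; net = benefit - annual cost.
    A control is recommended only when its net benefit is positive.
    """
    residual = Risk(risk.name, control.probability_after, control.severity_after).score()
    benefit = risk.score() - residual
    net = benefit - control.annual_cost
    return {
        "control": control.name,
        "risk": risk.name,
        "score_before": risk.score(),
        "score_after": residual,
        "benefit": benefit,
        "net": net,
        "recommended": net > 0,
    }


def mitigation_proposal(risks, controls):
    """Evaluate every proposed control and return the results, best net benefit first."""
    by_name = {r.name: r for r in risks}
    results = [evaluate_control(by_name[c.risk_name], c) for c in controls]
    return sorted(results, key=lambda x: x["net"], reverse=True)


# Constructed sample register (illustrative values, not from the slides).
SAMPLE_RISKS = [
    Risk("Lost unencrypted laptop with PHI", probability=0.30, severity=200_000),
    Risk("Backup media not recoverable", probability=0.10, severity=500_000),
    Risk("Phishing leads to credential theft", probability=0.60, severity=50_000),
]

# Constructed sample controls; residual figures are assumptions for the example.
SAMPLE_CONTROLS = [
    Control("Full-disk encryption on laptops", "Lost unencrypted laptop with PHI",
            annual_cost=15_000, probability_after=0.30, severity_after=5_000),
    Control("Quarterly restore testing", "Backup media not recoverable",
            annual_cost=8_000, probability_after=0.02, severity_after=500_000),
    Control("Hardware tokens for all staff", "Phishing leads to credential theft",
            annual_cost=40_000, probability_after=0.10, severity_after=50_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score():>10,.0f}  {r.name}")
    for row in mitigation_proposal(SAMPLE_RISKS, SAMPLE_CONTROLS):
        verdict = "RECOMMEND" if row["recommended"] else "defer"
        print(f"{verdict:<10} {row['control']}: net {row['net']:,.0f}")
```

Note how the screening separates the two questions the slide keeps apart: encryption does nothing to the likelihood of a lost laptop but collapses its severity, while restore testing leaves severity alone and cuts likelihood; both clear the cost test, whereas the token rollout costs more than the score it removes and is deferred to the "evaluate control options" step for a cheaper alternative.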

45 Code of Federal Regulations, Parts 160, 162, and 164


Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II)

• Required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. 

• The final rule for HIPAA security was published in the Federal Register on February 20, 2003.

Who are the covered entities?

Standards for the security of electronic protected health information (PHI) are to be implemented by:

– health plans

– health care clearinghouses

– certain health care providers.

What is PHI?

Under HIPAA, there are 18 pieces of information that are considered identifiable of a patient:

1. Name
2. Postal address (geographic subdivisions smaller than state)
3. All elements of dates, except year
4. Phone number
5. Fax number
6. E-mail address
7. Social Security number
8. Medical Record number
9. Health Plan number
10. Account numbers
11. Certificate/license numbers
12. URL
13. IP address
14. Vehicle identifiers
15. Device ID
16. Biometric ID
17. Full face/identifying photo
18. Any other unique identifying number, characteristic, or code
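One way to operationalize the list above as a data-classification check, added here as an example (not code from the slides or the author): a scanner that flags the identifier categories whose values have a recognizable syntax. Only dates, phone/fax numbers, e-mail addresses, Social Security numbers, URLs and IP addresses are pattern-matched; names, addresses, record and account numbers and the rest need context or a lookup and are left out. The patterns, the category numbering (taken from the list above) and the two sample records are constructed for this example. A hit means a record needs review, not that it is automatically PHI; that still depends on the record relating to health information.

```python
"""Scan free text for HIPAA identifier categories that have a recognizable syntax.

Added example, not from the original slides. Category numbers follow the
18-item list above. Patterns are deliberately simple and should be tuned
to an organization's own data formats; they are an assumption of this example.
"""
import re

# category number -> (label, compiled pattern)
IDENTIFIER_PATTERNS = {
    3: ("date with elements other than year",
        re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    4: ("phone or fax number (items 4-5)",
        re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")),
    6: ("e-mail address",
        re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    7: ("Social Security number",
        re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    12: ("URL",
         re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)),
    13: ("IP address",
         re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
}


def find_identifiers(text: str) -> dict:
    """Return {category_number: [matched strings]} for every category present in text."""
    found = {}
    for number, (_label, pattern) in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[number] = hits
    return found


def classify_record(text: str) -> str:
    """Coarse label: 'contains identifiers' when any category matched, else 'no syntactic identifiers'."""
    return "contains identifiers" if find_identifiers(text) else "no syntactic identifiers"


def report(text: str) -> list:
    """Human-readable lines naming each matched category and its values."""
    return [f"{num:>2}. {IDENTIFIER_PATTERNS[num][0]}: {', '.join(vals)}"
            for num, vals in find_identifiers(text).items()]


# Constructed sample records (fictitious values, not real patient data).
SAMPLE_RECORDS = {
    "discharge_note": (
        "Patient discharged 03/14/2007, follow-up with clinic at (206) 555-0143 or "
        "billing@example-clinic.test; SSN on file 123-45-6789. "
        "Portal login from 192.168.10.44."
    ),
    "aggregate_stats": (
        "In 2006 the clinic saw 4,120 visits; readmission rate 3.2% statewide."
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        print(f"{name}: {classify_record(text)}")
        for line in report(text):
            print("   ", line)
```

The second sample record shows why item 3 is worded "except year": a bare year such as 2006 is not flagged, and the statewide aggregate contains nothing that points to an individual, so it is cleared for release without review.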


What is a health care clearinghouse?

• Health care clearinghouse means a public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and “value-added” networks and switches, that does either of the following functions:

• (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

• (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.


What were the deadlines?

• Covered entities, with the exception of small health plans, must have complied with the requirements of this final rule by April 21, 2005.

• Small health plans must have complied with the requirements of this final rule by April 21, 2006.


What is a small health plan?

Small health plan means a health plan with annual receipts of $5 million or less.

(The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern)

Information Assurance – it's not just HIPAA

• Identity theft is big business

• Electronic Authentication Act

• WA State Security Breach Notification Law SB6043: required to notify if personal information stored in an unencrypted electronic format is acquired, or reasonably believed to have been acquired, by an unauthorized person

HIPAA Violation Penalties

A person who knowingly:

• uses a unique health identifier, or causes one to be used;

• obtains individually identifiable health information relating to an individual; or

• discloses individually identifiable health information to another person;

is in violation of HIPAA regulations. Such persons are subject to the following penalties:

• a fine of up to $50,000, or up to 1 year in prison, or both;

• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both;

• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, or up to 10 years in prison, or both.

HIPAA also provides for civil fines to be imposed by the Secretary of DHHS "on any person" who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year.

HIPAA: Privacy and Security

Standards:

• Administrative Controls

• Physical Controls

• Technical Controls

Administrative Safeguards 45CFR164.308

• Security Management Process (a)(1)

• Assigned Security Responsibility (a)(2)

• Workforce Security (a)(3)

• Information Access Management (a)(4)

• Security Awareness & Training (a)(5)

• Security Incident Procedures (a)(6)

• Contingency Plan (a)(7)

• Evaluation (a)(8)

• Business Associate Contracts (b)(1)

Physical Safeguards 45CFR164.310

• Facility Access Controls (a)(1)

• Workstation Use (b)

• Workstation Security (c)

• Device and Media Controls (d)(1)

Technical Safeguards 45CFR164.312

• Access Control (a)(1)

• Audit Controls (b)

• Integrity (c)(1)

• Person or Entity Authentication (d)

• Transmission Security (e)(1)

Organization Requirements 45CFR164.314

• Business Associate Contracts (a)(1)

• Group Health Plan requirements (b)(1)

Policies, Procedures, & Documentation 45CFR164.316

• Policies and Procedures (a)

• Documentation (b)(1)

"Required" and "Addressable" Safeguards

(a) If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must implement it.

(b) If a given addressable implementation specification is determined to be an inappropriate and/or unreasonable security measure for the covered entity, but the standard cannot be met without implementation of an additional security safeguard, the covered entity may implement an alternate measure.

(c) A covered entity may also decide that a given implementation specification is simply not applicable (that is, neither reasonable nor appropriate) to its situation.

Administrative Safeguards (R)=Required, (A)=Addressable

• Security Management Process 164.308(a)(1)

– Risk Analysis (R)
– Risk Management (R)
– Sanction Policy (R)
– Information System Activity Review (R)

• Assigned Security Responsibility 164.308(a)(2)

• Workforce Security 164.308(a)(3)

– Authorization and/or Supervision (A)
– Workforce Clearance Procedure (A)
– Termination Procedure (A)

Administrative Safeguards (R)=Required, (A)=Addressable

• Information Access Management 164.308(a)(4)

– Isolating Health Care Clearinghouse Functions (R)
– Access Authorization (A)
– Access Establishment and Modification (A)

• Security Awareness and Training 164.308(a)(5)

– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)

• Security Incident Procedures 164.308(a)(6)

– Response and Reporting (R)

Administrative Safeguards (R)=Required, (A)=Addressable

• Contingency Plan 164.308(a)(7)

– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedures (A)
– Applications and Data Criticality Analysis (A)

• Evaluation 164.308(a)(8)

• Business Associate Contracts and Other Arrangements 164.308(b)(1)

– Written Contract or Other Arrangement (R)

Physical Safeguards (R)=Required, (A)=Addressable

• Facility Access Controls 164.310(a)(1)

– Contingency Operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)

• Workstation Use 164.310(b)

• Workstation Security 164.310(c)

• Device and Media Controls 164.310(d)(1)

– Disposal (R)
– Media Re-use (R)
– Accountability (A)
– Data Backup and Storage (A)

Technical Safeguards (R)=Required, (A)=Addressable

• Access Control 164.312(a)(1)

– Unique User Identification (R)
– Emergency Access Procedure (R)
– Automatic Logoff (A)
– Encryption and Decryption (A)

• Integrity 164.312(c)(1)

– Mechanism to Authenticate Electronic Protected Health Information (A)

• Person or Entity Authentication 164.312(d)

• Transmission Security 164.312(e)(1)

– Integrity Controls (A)
– Encryption (A)

Security: Areas of Focus

• Security Risk Management program

• Computing Device Use & Password Management

• Software Vulnerability Protection

• Remote Access & overall Access Management

• Back-up and Storage

• Encryption and Decryption

• Information Asset Classification

• Information Systems Risk Management & Incident Tracking

• Entity and Person Authentication

• Audit Controls

• Contingency Planning

Recommended resources

• http://www.infragard-wa.org/

• http://www.cms.hhs.gov/

• http://www.usdoj.gov/olc/hipaa_final.htm

• http://www.jhsph.edu/

• http://informationlawtheoryandpractice.blogspot.com/

• http://www.complianceonline.com/

• http://www.infosecurity.pro/

Contact: Todd.Plesco@infosecurity.pro


Questions
