Page 1
© by Seclarity Inc. 2005, Slide: 1
Seclarity, Inc., 11705 Lightfall Court, Columbia, MD 21044
A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company
Gary Christoph, Ph.D., Sr. VP Government and Healthcare
[email protected]
April 8, 2005
HIPAA Strategies
Page 2
The Issue
• Recent Compliance Mandates (HIPAA, GLBA, SarbOx, etc.) are (unfortunately) strong security drivers
• Network Security is Hard and Expensive
• Use a “Common Sense” approach
Page 3
HIPAA Title II: Administrative Simplification
• Transaction Standards
• Standard Code Sets
• Unique Health Identifiers
• Security
  • Administrative Procedures: Chain of Trust Agreement; Certification; Internal Audit, Training, Written Policies & Procedures, etc.
  • Physical Safeguards: Secure Workstation; Physical Access Controls, Media Controls, etc.; Security Awareness; Training
  • Technical Security Services: Access Controls; Authorization; Data Authentication; Entity Authentication
  • Technical Security Mechanisms: Basic Network Safeguards; Integrity and Protection
  • Electronic Signature: Not currently required
• Privacy (General Rules and Limitations)
  • Covers Protected Health Information (PHI) transmitted or stored, in any medium (electronic, paper, oral)
  • PHI data elements defined
  • Notice of Privacy Practices mandated
  • Consent required for routine use
  • Authorization required for non-routine use
  • Minimum necessary disclosure/use of data
  • Business associate contracts required
  • Designated Privacy Officer
Page 4
What Does HIPAA Really Require?
YOU MUST:
• Think about the risks you face
• Develop coherent, enforceable policy
• Write it down
• Implement/operate whatever controls this requires
• Train/educate staff
• Periodically test & document
Page 5
Compliance Issues:
• Policy is not written down
• Written policy is not followed
• Implementations are not “fire and forget”
• Consultants aim to make money, not fix the problem
Page 6
Hard Network Security/Privacy Issues:
• People are involved
  • People are neither repeatable nor logical
  • People on the job make inappropriate assumptions
• Technical Solutions are too complex
  • Point products do not tile the floor
  • Management of many solutions is not easy or cheap
  • Pace of technological change adds new vulnerabilities (e.g., wireless)
• Administrative Solutions that are not Processes get in the way of work
  • Controls violated without your knowledge or without consequence
Page 7
A Simple Strategy:
• Decide what is important to protect
• Find a simple way to protect it
• Document it
Page 8
The Regs were written to be scalable and technology neutral.
Why?
• Rules have to cover everything from a one-person Dentist’s office in Podunk, Missouri, to Johns Hopkins Hospital
• It economically makes no sense to require everyone to have the same controls
• Technology evolves
Therefore: The solution must fit the need
Page 9
Technical Solution Target
• Want transparency
  • Easy for users to comply
  • Easy for admins to enforce
• Want universality
  • Everywhere the same policy enforced the same way
  • Use technology to reduce administrative controls
• Want simplicity
  • Complexity is the enemy
  • Easy to manage
• Want verifiability
  • Documentable
• Want cheap
  • Do not want to go out of business
Page 10
A Simplified View of a Contemporary “Secured” Network:
[Network diagram. Components labeled: Internet, Firewall, VPN, IDS, Proxy, Wireless, Remote users with software VPN agents. One link is labeled “Encrypted Traffic” (the remote users’ VPN tunnel); the other two links are labeled “Unencrypted Traffic”. Encryption stops at the VPN gateway; inside the perimeter, traffic is in the clear.]
Page 11
A Simple View of an Endpoint-Secured Network:
[Network diagram. Components labeled: Internet, Firewall, Wireless, Remote user. No VPN, IDS or Proxy boxes appear. All three links are labeled “Encrypted Traffic”: traffic is protected at the endpoints, on the wireless and internal segments as well as across the Internet.]