Dec 14, 2015
Information assurance (IA)
is the practice of managing information-related risks.
IA practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems.
Confidentiality: ensuring that only authorized personnel have access to data.
Integrity: ensuring that data is not altered or destroyed.
Availability: ensuring that data is available when it is needed.
IA’s Swiss Army Knife skill set
• Inter-personal
• Negotiation and Diplomacy
• Project management
• Technical
• Business
IA Camp Counselor (conflict mitigation)
• Ease
• Cost
• Likelihood
• Impact (frustration, security conscience)
• Maintenance
Information Assurance To Do:
• Ensure “Rules of Use”
• Ensure procedures follow policies
• Ensure 3rd parties follow policy
• Measure, monitor & report
• Change management Process
• Vulnerability Assessments
• Non-compliance issues
• Security Awareness
Information Assurance Tasks:
• Create and implement plans
• Develop baselines
• Ensure processes address security
• Ensure compliance of IT
• Integrate security into the organization
• Review end-user impacts from policies
• Hold the business end accountable
• Establish a governance framework
• Determine appropriate resources inside/outside the organization
Risk Assessments (NIST SP 800-30 method)
• Define the scope (issues faced by our agency)
• Identify the risks (unique data and addressables)
• Analyze the risks (probability of occurrence multiplied by severity to quantify hazards)
• Propose mitigations (using cost and benefit analysis)
• Evaluate recommended control options (feasibility and effectiveness)
• Review and address concerns
• Communicate and consult
• Monitor/review as needed and periodically
45 Code of Federal Regulations (CFR) Parts 160, 162, and 164
Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II)
• Required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information.
• The final rule for HIPAA security was published in the Federal Register on February 20, 2003.
Who are the covered entities?
Standards for the security of electronic protected health information (ePHI) are to be implemented by:
• health plans
• health care clearinghouses
• certain health care providers (those that transmit health information electronically in connection with a transaction covered by HIPAA)
What is PHI?
Protected health information is individually identifiable health information. Under HIPAA's de-identification standard (45 CFR 164.514(b)(2)), 18 types of information are treated as identifying a patient:
1. Name
2. Postal address (geographic subdivisions smaller than a state)
3. All elements of dates, except year
4. Phone number
5. Fax number
6. E-mail address
7. Social Security number
8. Medical record number
9. Health plan number
10. Account numbers
11. Certificate/license numbers
12. URL
13. IP address
14. Vehicle identifiers
15. Device ID
16. Biometric ID
17. Full-face or identifying photo
18. Any other unique identifying number, characteristic, or code
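The list above is what a data-loss-prevention check or a de-identification step has to look for before ePHI leaves a covered entity. The following scanner is an added example written for this page, not code from the original slides. It covers only the identifiers that have a recognisable machine form (dates, SSN, e-mail, URL, IP address, phone, ZIP); the regular expressions are illustrative assumptions and will miss names, medical record numbers and account numbers, which need organisation-specific patterns or a named-entity model. The clinical note it runs on is constructed for the example and contains no real patient data.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Patterns for the identifiers with a recognisable machine form. Assumption:
# these regexes are illustrative, not exhaustive, and will produce some false
# positives (any 5-digit number looks like a ZIP code to the last one).
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern"] = {
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"),  # identifier 3: only the year may stay
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # identifier 7
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),     # identifier 6
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),      # identifier 12 (before ipv4: a URL may embed an address)
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),       # identifier 13
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),      # identifiers 4 and 5
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),               # identifier 2: subdivision smaller than a state
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every identifier found, in pattern order."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact(text: str) -> str:
    """Strip identifiers; dates are reduced to the year, which the standard permits."""
    out = text
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        if kind == "date":
            out = pattern.sub(lambda m: m.group(3), out)  # keep the year only
        else:
            out = pattern.sub(f"[{kind.upper()}]", out)
    return out


def summarize(text: str) -> Dict[str, int]:
    """Count identifier kinds; usable as a gate before a record is exported."""
    return dict(Counter(kind for kind, _ in find_identifiers(text)))


# Constructed clinical note for the example; no real patient data.
SAMPLE_NOTE = (
    "Patient Jane Doe, DOB 03/14/1985, SSN 123-45-6789, lives at ZIP 98101. "
    "Contact jane.doe@example.org or 206-555-0199. Portal login from 10.0.0.25 "
    "via https://portal.example.org/chart/jdoe on 12/01/2015."
)

if __name__ == "__main__":
    print(summarize(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

Running it reports seven identifier kinds in the note and prints the redacted text; the patient's name survives, which is exactly the gap a regex-only scanner leaves and why a real de-identification pipeline pairs patterns like these with a name detector and then re-scans its own output.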
What is a health care clearinghouse?
• Health care clearinghouse means a public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and “value-added” networks and switches, that does either of the following functions:
• (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
• (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
What were the deadlines?
• Covered entities, with the exception of small health plans, must have complied with the requirements of this final rule by April 21, 2005.
• Small health plans must have complied with the requirements of this final rule by April 21, 2006.
What is a small health plan?
Small health plan means a health plan with annual receipts of $5 million or less.
(The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern)
Information Assurance – it's not just HIPAA
• Identity theft is big business
• Electronic Authentication Act
• WA State Security Breach Notification Law SB 6043: required to notify if personal information stored in an unencrypted electronic format is acquired, or reasonably believed to have been acquired, by an unauthorized person
HIPAA Violation Penalties
A person who knowingly
• uses a unique health identifier, or causes one to be used;
• obtains individually identifiable health information relating to an individual; or
• discloses individually identifiable health information to another person
is in violation of HIPAA regulations. Such persons are subject to the following penalties:
• a fine of up to $50,000, or up to 1 year in prison, or both;
• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both;
• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, or up to 10 years in prison, or both.
HIPAA also provides for civil fines to be imposed by the Secretary of HHS "on any person" who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. (These are the civil amounts as originally enacted in 1996; the HITECH Act of 2009 replaced them with tiered penalties that are substantially higher.)
HIPAA: Privacy and Security
Security standards are grouped into three categories of safeguards:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
Administrative Safeguards 45 CFR 164.308
• Security Management Process (a)(1)
• Assigned Security Responsibility (a)(2)
• Workforce Security (a)(3)
• Information Access Management (a)(4)
• Security Awareness and Training (a)(5)
• Security Incident Procedures (a)(6)
• Contingency Plan (a)(7)
• Evaluation (a)(8)
• Business Associate Contracts (b)(1)
Physical Safeguards 45 CFR 164.310
• Facility Access Controls (a)(1)
• Workstation Use (b)
• Workstation Security (c)
• Device and Media Controls (d)(1)
Technical Safeguards 45 CFR 164.312
• Access Control (a)(1)
• Audit Controls (b)
• Integrity (c)(1)
• Person or Entity Authentication (d)
• Transmission Security (e)(1)
Organizational Requirements 45 CFR 164.314
• Business Associate Contracts (a)(1)
• Group Health Plan Requirements (b)(1)
Policies, Procedures, and Documentation 45 CFR 164.316
• Policies and Procedures (a)
• Documentation (b)(1)
"Required" and "Addressable" Safeguards
A required implementation specification must be implemented as written. For an addressable implementation specification, the covered entity must assess whether it is a reasonable and appropriate safeguard in its environment and document the outcome:
(a) If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must implement it.
(b) If a given addressable implementation specification is determined to be an inappropriate and/or unreasonable security measure for the covered entity, but the standard cannot be met without implementation of an additional security safeguard, the covered entity may implement an equivalent alternative measure.
(c) A covered entity may also decide that a given implementation specification is simply not applicable (that is, neither reasonable nor appropriate) to its situation; in that case it must document why.
Administrative Safeguards, (R) = Required, (A) = Addressable
• Security Management Process 164.308(a)(1)
– Risk Analysis (R)
– Risk Management (R)
– Sanction Policy (R)
– Information System Activity Review (R)
• Assigned Security Responsibility 164.308(a)(2)
• Workforce Security 164.308(a)(3)
– Authorization and/or Supervision (A)
– Workforce Clearance Procedure (A)
– Termination Procedures (A)
Administrative Safeguards, (R) = Required, (A) = Addressable
• Information Access Management 164.308(a)(4)
– Isolating Health Care Clearinghouse Functions (R)
– Access Authorization (A)
– Access Establishment and Modification (A)
• Security Awareness and Training 164.308(a)(5)
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
• Security Incident Procedures 164.308(a)(6)
– Response and Reporting (R)
Administrative Safeguards, (R) = Required, (A) = Addressable
• Contingency Plan 164.308(a)(7)
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedures (A)
– Applications and Data Criticality Analysis (A)
• Evaluation 164.308(a)(8)
• Business Associate Contracts and Other Arrangements 164.308(b)(1)
– Written Contract or Other Arrangement (R)
Physical Safeguards, (R) = Required, (A) = Addressable
• Facility Access Controls 164.310(a)(1)
– Contingency Operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)
• Workstation Use 164.310(b)
• Workstation Security 164.310(c)
• Device and Media Controls 164.310(d)(1)
– Disposal (R)
– Media Re-use (R)
– Accountability (A)
– Data Backup and Storage (A)
Technical Safeguards, (R) = Required, (A) = Addressable
• Access Control 164.312(a)(1)
– Unique User Identification (R)
– Emergency Access Procedure (R)
– Automatic Logoff (A)
– Encryption and Decryption (A)
• Audit Controls 164.312(b)
• Integrity 164.312(c)(1)
– Mechanism to Authenticate Electronic Protected Health Information (A)
• Person or Entity Authentication 164.312(d)
• Transmission Security 164.312(e)(1)
– Integrity Controls (A)
– Encryption (A)
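The technical safeguards are the part of the rule that maps directly onto code. The following store is an added example written for this page, not code from the original slides or from any product; it shows four of the specifications above working together with nothing but the Python standard library: unique user identification (every session carries one user, no shared accounts), automatic logoff (an idle session is invalidated), an integrity mechanism for ePHI (a keyed HMAC over a canonical encoding of each record, checked on every read), and audit controls (a hash-chained log in which a removed or altered entry breaks the chain). The idle timeout, the in-memory key and the record data are assumptions for the example; in production the MAC key would live in a KMS or HSM, the timeout would come from the organisation's written policy, and the records here are constructed, not real PHI. Encryption at rest and in transit, the remaining addressable items, need a library such as `cryptography` or TLS and are left out.

```python
import copy
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTEGRITY_KEY = secrets.token_bytes(32)  # assumption: would come from a KMS/HSM in production
IDLE_TIMEOUT = 15 * 60                   # assumption: seconds of inactivity before automatic logoff


def canonical(obj: dict) -> bytes:
    """Stable encoding so the same record always yields the same MAC or hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> str:
    """Integrity mechanism, 164.312(c)(2): keyed MAC over the record."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def verify_seal(record: dict, tag: str) -> bool:
    return hmac.compare_digest(seal(record), tag)


@dataclass
class AuditLog:
    """Audit controls, 164.312(b): each entry commits to the previous entry's hash."""
    entries: List[dict] = field(default_factory=list)

    def append(self, user: str, action: str, record_id: str, ts: float) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts, "user": user, "action": action, "record": record_id, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)

    def verify(self) -> bool:
        """False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Session:
    user: str            # unique user identification, 164.312(a)(2)(i)
    last_activity: float


class EphiStore:
    def __init__(self) -> None:
        self.records: Dict[str, Tuple[dict, str]] = {}  # record_id -> (record, MAC tag)
        self.sessions: Dict[str, Session] = {}
        self.audit = AuditLog()

    def login(self, user: str, now: float) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, now)
        self.audit.append(user, "login", "-", now)
        return token

    def _touch(self, token: str, now: float) -> Session:
        """Automatic logoff, 164.312(a)(2)(iii): an idle session is dropped and logged."""
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("no such session")
        if now - s.last_activity > IDLE_TIMEOUT:
            del self.sessions[token]
            self.audit.append(s.user, "auto_logoff", "-", now)
            raise PermissionError("session expired")
        s.last_activity = now
        return s

    def write(self, token: str, record_id: str, record: dict, now: float) -> None:
        s = self._touch(token, now)
        self.records[record_id] = (dict(record), seal(record))
        self.audit.append(s.user, "write", record_id, now)

    def read(self, token: str, record_id: str, now: float) -> dict:
        s = self._touch(token, now)
        record, tag = self.records[record_id]
        if not verify_seal(record, tag):
            self.audit.append(s.user, "integrity_failure", record_id, now)
            raise ValueError("ePHI record failed integrity check")
        self.audit.append(s.user, "read", record_id, now)
        return record


def demo() -> dict:
    """Exercise the controls with a fixed clock; constructed data, not real PHI."""
    store, t0 = EphiStore(), 1_450_000_000.0
    tok = store.login("nurse.jsmith", t0)
    store.write(tok, "MRN-0001", {"name": "Jane Doe", "allergy": "penicillin"}, t0 + 10)
    store.read(tok, "MRN-0001", t0 + 20)
    store.records["MRN-0001"][0]["allergy"] = "none"  # tamper with storage behind the app's back
    try:
        store.read(tok, "MRN-0001", t0 + 30); tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        store.read(tok, "MRN-0001", t0 + 30 + IDLE_TIMEOUT + 1); auto_logoff = False
    except PermissionError:
        auto_logoff = True
    forged = copy.deepcopy(store.audit)
    del forged.entries[2]                             # an insider tries to hide the read
    return {"tamper_detected": tamper_detected, "auto_logoff": auto_logoff,
            "actions": [e["action"] for e in store.audit.entries],
            "audit_ok": store.audit.verify(), "forged_audit_ok": forged.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two failure paths are the ones an auditor asks about: a record changed outside the application is refused and the refusal itself is logged, and a log with an entry deleted no longer verifies. Note that the hash chain only makes tampering detectable; preventing it still needs the log written to storage the application user cannot rewrite.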
Security: Areas of Focus
• Security risk management program
• Computing device use and password management
• Software vulnerability protection
• Remote access and overall access management
• Backup and storage
• Encryption and decryption
• Information asset classification
• Information systems risk management and incident tracking
• Entity and person authentication
• Audit controls
• Contingency planning
Recommended resources
• http://www.infragard-wa.org/
• http://www.cms.hhs.gov/
• http://www.usdoj.gov/olc/hipaa_final.htm
• http://www.jhsph.edu/
• http://informationlawtheoryandpractice.blogspot.com/
• http://www.complianceonline.com/
• http://www.infosecurity.pro/
mailto://[email protected]
Questions