Page 1: Information Security Legislation

“A Practical Guide to Security Assessments” by Sudhanshu Kairab (Chapter 10)

Sohel Imroz, 4/4/2006

Page 2: Some “not-so-bad” News

• U.S. government has set significant penalties for noncompliance with HIPAA
• Penalties for noncompliance with HIPAA Regulations:
  – Individual noncompliance
    • Up to $100

Page 3: Some “very bad” News

• Penalties for noncompliance with HIPAA Regulations (cont’d):
  – Multiple occurrences of same noncompliance
    • Up to $25,000.00 per year
  – Wrongful disclosure of health information
    • Up to $50,000.00
    • 1 year in prison

Page 4: Some “scary” News

• Penalties for noncompliance with HIPAA Regulations (cont’d):
  – Wrongful disclosure of health information under false pretense
    • Up to $100,000.00
    • 5 years in prison
  – Wrongful disclosure of health information with intent to sell, transfer, or use
    • Up to $250,000.00
    • 10 years in prison

Page 5: But, I have good news!

Page 6: Agenda

• Why such legislation acts?
• Various legislation acts:
  – HIPAA
  – GLBA
  – Sarbanes-Oxley Act
  – Safe Harbor
  – FISMA

Page 7: HIPAA

• Health Insurance Portability and Accountability Act
• Formerly known as the Kennedy/Kassebaum Act
• Was enacted by the Congress in 1996
• Primary purpose:
  – Improve health insurance accessibility for people changing employers or leaving the workforce (Source: http://www.emrworld.net/emr-research/articles/hipaa.ppt#257,2,Overview)
  – Provide “Administrative Simplification” provisions

Page 8: HIPAA (cont’d)

• Administrative Simplification provisions:
  – National standards
  – Unique health identifiers
  – Security standards
  – Privacy and confidentiality

Page 9: HIPAA (cont’d)

• Objectives of Administrative Simplification provisions:
  – Improve efficiency of NHS
  – Reduce cost
  – Reduce fraud
  – Protect patient rights
  – Access to consistent clinical data
  – Information availability
  – Security standards for web-based technology

Page 10: HIPAA (cont’d)

• Who must comply with HIPAA:
  – Health care providers
  – Health plans
  – Health care clearinghouses
• Key points to note:
  – HIPAA does not say how compliance will be achieved
  – Requirements are too broad
  – A lot of room for interpretation

Page 11: GLBA

• Gramm-Leach-Bliley Act
• Was signed into law in 1999, and was in effect as of July 2001
• GLBA repealed the Glass-Steagall Act
• Primary purpose:
  – Provide customers with privacy notice
  – Privacy notice must be given to customer BEFORE any business agreement
  – Customers may “opt-out”

Page 12: GLBA (cont’d)

• GLBA security requirements:
  – Information security program
  – Coordination of Information Security program
  – Regular risk analysis
  – Implementation of controls to mitigate risks
  – Overseeing the service providers
  – Evaluation and adjustment

Page 13: GLBA (cont’d)

• Penalties for noncompliance with GLBA:
  – Financial institutions:
    • Up to $100,000.00 for each violation
  – Officers and directors:
    • Up to $10,000.00 for each violation

Page 14: Sarbanes-Oxley Act

• Was enacted on July 30, 2002
• Answer to a series of corporate financial scandals, e.g. Enron, Tyco International, WorldCom
• Named after Senator Paul Sarbanes and Representative Michael Oxley

Page 15: Sarbanes-Oxley Act (cont’d)

• Some key provisions:
  – CEO and CFO must certify financial reports (Section 302)
  – Ban on personal loans to executive officers (Section 402-A)
  – Prohibition on internal trades (Section 306)
  – Public reporting of CEO and CFO compensation (Section 304)
  – Criminal and civil penalties (Title IX)
  – Results of management testing and evaluation (Section 404)

Page 16: Sarbanes-Oxley Act (cont’d)

• Cost of Sarbanes-Oxley compliance:

“FEI surveyed 224 public companies with average revenues of $2.5 billion to gauge Section 404 compliance cost estimates. Results showed the total cost of compliance is now estimated at $3.14 million, or 62% more than the $1.93 million estimate identified in FEI’s January 2004 survey. The companies surveyed expect to pay their auditors $823,200 in fees for attestation of their internal controls, in addition to the annual audit fees. This compares to the $590,100 companies expected auditors would charge for attestation in January 2004.”

Source: Financial Executives International (http://www.fei.org/news/404_july.cfm)

Page 17: Safe Harbor

• Result of the European Commission’s Directive on Data Protection
• Was enacted in October 1998
• Primary purpose:
  – Personal data cannot be transmitted between European companies and non-European companies that do not meet the EC’s privacy standard

Page 18: Safe Harbor (cont’d)

• EU Safe Harbor Principles:
  – Notice to individuals about the specific purposes of the data collection
  – Choice to opt-out of disclosure to third parties or additional uses (opt-in for sensitive information)
  – Require third-party agents who receive personal information to provide the same level of privacy protection

Page 19: Safe Harbor (cont’d)

• EU Safe Harbor Principles (cont’d):
  – Allow means for an individual to access personal information held
  – Take reasonable precautions against loss, misuse or unauthorized access
  – Keep data reliable for its intended use
  – Provide a readily available recourse mechanism
  – Provide procedures verifying implementation of principles

Page 20: FISMA

• Federal Information Security Management Act
• Was enacted in 2002
• Primary purpose:
  – To strengthen information security programs at federal agencies
  – Provide an information security framework
  – Does not provide any hard standards or guidelines

Page 21: FISMA (cont’d)

• Key responsibilities:
  – Provide information security commensurate with the associated risk
  – Perform a risk assessment
  – Implement policies and procedures
  – Conduct periodic tests
  – Have a CISO
  – Conduct ongoing evaluation and adjustment

Page 22: A Final Thought