cobbassociates.com Copyright, 2003, Stephen Cobb
Strategies for Overall Data Security, HIPAA, and 21 CFR Part 11 Compliance
Practical Strategies for Risk Assessment, Authentication, Encryption, and Other Mandated Security Measures
Stephen Cobb, CISSP, Senior VP, Research and Education, ePrivacy Group
Author: Privacy for Business—Web Sites and Email
Data Security in the Pharmaceutical Industry, July 31 - August 1, 2003, Sheraton Society Hill, Philadelphia, PA
Security technology has focused on defending corporate secrets and government networks, but health care and research also have serious security requirements:
– Care and research require data sharing
– Privacy requires data protection and data sharing
– Privacy and security standards require compliance
Hackers broke into the computer systems of a clinic in the UK and altered the medical records of 6 patients who had just been screened for cancer, switching their test results from negative to positive. Those patients spent several days believing they had cancer.
The night before a patient was due to have a brain tumor removed, hackers broke into the computer where the tests were stored and corrupted the database. Surgery had to be postponed while the tests were redone
Source: Richard Pethia, Software Engineering Institute (SEI), Pittsburgh
Why? Because We Can
Slogan from DEF CON III
Leaves organizations exposed to court rulings when cases are brought by persons claiming harm from exposure of their health data
– Requires organizations to know what an expert would determine acceptable risk to be
Standards in other areas can be applied
– E.g. FTC has created standards that apply to all companies, including pharmas, healthcare
– Specify expert = CISSP or equivalent
– Require risk assessment
– Reasonableness test applies
Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
5. Policies and procedures & documentation requirements
Technically, compliance with the Security Rule is April, 2005 (with one more year for smaller orgs). But the Privacy Rule requires appropriate protections by April, 2003, and the Security Rule defines appropriate protections. Regulators may not audit until 2005+ but litigators will probably not hesitate to bring suit this year.
These are “Standards” that specify steps which must be taken or addressed.
E.g. a security management process is required to be in place and someone must be assigned responsibility for security, but management of passwords is addressable.
Data backup plan and a disaster plan are required, but testing of contingency plan is addressable.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
Are you qualified to determine probability and criticality of potential risks?
Some implementation specifications are required and must be implemented as specified.
Others are “addressable” which means you must: assess whether the implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and, as applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Public key encryption uses a pair of keys
– One you can share (public) and one you keep secret (private)
The keys are mathematically linked so that:
My Private Key + Your Public Key + Plaintext = Ciphertext
Ciphertext + Your Private Key + My Public Key = Plaintext
– If I use my private key and your public key to encipher a message, then only you can decipher it, using your private key and my public key
Because the public key can be public, key exchange is easier than with a symmetric (secret) key, but processing is slow
– So public key encryption is used only to encrypt a key for the symmetrically encrypted bulk data
Public key is also used in digital signatures for messages
It is an actual transformation of the message itself that incorporates a "secret" known only to the signer, and is therefore tied to both the signer and the message being signed
A signer's digital signature will be different for each different document he or she signs
All digital signatures can be considered electronic signatures (21 CFR Part 11)
But not all electronic signatures are digital signatures
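The slides' two formulas (sign and encrypt with my private key and your public key; decrypt and verify with your private key and my public key) and the "only encrypt a key for the bulk data" rule, carried out in Go. This is an added example, not code from the presentation; the `Envelope` format and function names are hypothetical, and the concrete algorithms (AES-GCM for the bulk data, RSA-OAEP to wrap the one-time key, RSA-PSS for the signature) are this example's choices, since the slides name none.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a hypothetical wire format for this example: the bulk data is
// AES-GCM encrypted under a fresh random key, only that 32-byte key is
// RSA-encrypted to the recipient, and the sender signs the whole package.
type Envelope struct {
	WrappedKey []byte // one-time key, RSA-OAEP encrypted with recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // RSA-PSS signature by sender over WrappedKey||Nonce||Ciphertext
}

// GenerateKeyPair creates the public/private pair the slides describe.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signedBytes is what the sender signs and the recipient verifies.
func signedBytes(e *Envelope) []byte {
	b := append([]byte(nil), e.WrappedKey...)
	b = append(b, e.Nonce...)
	return append(b, e.Ciphertext...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAndSign: my private key + your public key + plaintext = ciphertext.
func SealAndSign(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// Fast symmetric encryption of the bulk data under a one-time key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// The slow public-key operation touches only the 32-byte key.
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil); err != nil {
		return nil, err
	}
	// Sign with the sender's private key: the signature depends on both the
	// signer's secret and the exact package, so it differs for every document.
	digest := sha256.Sum256(signedBytes(env))
	if env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, err
	}
	return env, nil
}

// OpenAndVerify: ciphertext + your private key + my public key = plaintext.
// An altered package, or one from someone else, is rejected before decryption.
func OpenAndVerify(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	digest := sha256.Sum256(signedBytes(env))
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed (altered, or not from the claimed sender): %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	sender, _ := GenerateKeyPair()
	recipient, _ := GenerateKeyPair()
	// Constructed sample message, not real patient data.
	env, _ := SealAndSign(sender, &recipient.PublicKey, []byte("sample: screening result for record 0001 is negative"))
	pt, err := OpenAndVerify(recipient, &sender.PublicKey, env)
	fmt.Printf("wrapped key %d bytes, plaintext %q, err=%v\n", len(env.WrappedKey), pt, err)
}
```

The signature is checked before the recipient's private key is used at all, so the tampering scenarios from the opening slides (a flipped test result) are caught as a failed signature rather than as a decrypted but altered record.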
Need people’s public keys in order to communicate with authentication or encryption, or both
Digital certificates are issued by a Certificate Authority (CA) and they store:
– The name of the entity (person or organization)
– The entity's public key
– The digital signature of issuing CA
– The issuing CA public key
– Other pertinent information about the entity, such as
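The certificate contents listed above, built and checked with Go's standard `crypto/x509` package: a self-signed CA, a certificate binding an entity's name to its public key under the CA's signature, and a verification step that only hands back the public key when the certificate chains to a trusted root. This is an added example, not material from the presentation; the `Authority` type, the function names and the "Example Clinic CA" name are hypothetical, and ECDSA P-256 is this example's key choice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is a hypothetical in-memory CA for this example.
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewEntityKey creates the key pair whose public half a certificate will carry.
func NewEntityKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewAuthority makes a self-signed root: the CA's name and public key,
// signed with the CA's own private key.
func NewAuthority(name string) (*Authority, error) {
	key, err := NewEntityKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Authority{Cert: cert, Key: key}, nil
}

// Issue produces a certificate holding the entity's name and public key,
// plus the issuer's name, under the CA's signature.
func (a *Authority) Issue(entityName string, entityPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: entityName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, entityPub, a.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedPublicKey returns the certificate's public key only if the
// certificate chains to the trusted root and is within its validity period.
func TrustedPublicKey(cert *x509.Certificate, trustedRoot *x509.Certificate) (*ecdsa.PublicKey, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	return pub, nil
}

func main() {
	ca, _ := NewAuthority("Example Clinic CA")
	userKey, _ := NewEntityKey()
	cert, err := ca.Issue("records-user-0001", &userKey.PublicKey)
	if err != nil {
		panic(err)
	}
	_, err = TrustedPublicKey(cert, ca.Cert)
	fmt.Printf("subject=%q issuer=%q trusted=%v\n", cert.Subject.CommonName, cert.Issuer.CommonName, err == nil)
	rogue, _ := NewAuthority("Some Other CA")
	_, err = TrustedPublicKey(cert, rogue.Cert)
	fmt.Println("against a root we do not trust:", err)
}
```

The point for the recipient of an encrypted or signed message is that a public key is only as trustworthy as the CA whose signature vouches for it: the same certificate verifies against the issuing root and fails against any other.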
Encrypted storage
– Where access controls are not enough, or to enforce granularity in access controls
Encrypted transfer
– When communication channel is not secure
– E.g. Internet, phone lines at home, on road
HIPAA does not say that data traveling on the Internet has to be encrypted, but
– Judge will not be asking “Was it PHI?”
– Will be asking “Why wasn’t it encrypted?”
– You won’t be able to find a credible witness to say there was
PKI, digital certificates, electronic signatures, and VPNs are NOT secure without proper support
– Access controls, training and awareness are required
– The more heavily you rely on credentials, the more heavily they must be defended
They are at risk from:
– weak passwords, lost laptops, loose PDAs
– careless wireless, lazy dial-ins
– thoughtless road users, worm and virus victims