Redspin Webinar Business Associate Risk

Webinar on how healthcare organizations can manage business associate IT security risk.

Published in: Technology, Business

Transcript

  • 1. Navigating Business Associate IT Security Risk. John Abraham, Redspin Security Evangelist
  • 2. Part 1: New Responsibilities for business associates and covered entities under HIPAA / HITECH Act
  • 3. Expanded Definitions: Work for CE + Access PHI = BA; Data transmission providers; Subcontractors to BA
  • 4. HIPAA Security Rule... Applies to: A) Covered Entities B) Business Associates C) Subcontractors D) All of the above
  • 5. Oops, I didn't know: "lack of knowledge" is not a defense* AKA what you don't know {about BAs} can hurt you. * 75 Federal Register 40878, July 14th, 2010 NPRM
  • 6. BAs' Dual Risk: Liability to government (HIPAA); Liability to CE (BAA)
  • 7. CEs' Dual Risk: Liability to government (HIPAA); Liability to government (BA security)
  • 8. Penalties throughout PHI supply chain: CEs, BAs, Subcontractors
  • 9. Part 2: What This Means
  • 10. Active Enforcement: Fines; State budget crisis; State Attorneys General
  • 11. Recent Enforcement Actions*: Cignet $4.3 million (failure to provide 41 patient records, ignored subpoena); Mass. General Hospital $1 million (192 patient records left on subway; CAP: policies, procedures, training, auditing, reporting, security controls) * http://www.hhs.gov/news/
  • 12. Transparency: Right-to-audit clause in BAA
  • 13. HIPAA Security Rule: Everyone needs to be compliant; Everyone needs sound risk management
  • 14. Part 3: Effectively Manage Your Own Risk
  • 15. Three rules: Focus; Existence != Effective; Compliance != Security
  • 16. 1st Rule: Everyone has risk. Focus on critical.
  • 17. Systematic Risk Management: Focus, focus, focus
  • 18. Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
  • 19. Focus. 1st Rule: Systematic risk management. Everyone has lots of risk → focus; Let risk drive controls → focus; Avoid over spending/implementing → focus
  • 20. 2nd Rule: Existence does not equal Effective
  • 21. PIX configuration excerpt (the control "exists"; the slide asks whether it is effective):
        PIX Version 6.3(5)
        interface ethernet0 auto
        interface ethernet1 auto
        interface ethernet2 auto
        nameif ethernet0 outside security0
        nameif ethernet1 inside security100
        nameif ethernet2 dmz security50
        ...
        access-list out permit tcp any host 10.0.0.15 eq smtp
        access-list out permit tcp any host 10.0.0.15 eq www
        access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
        access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
        access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
        access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
        access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
        access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
        access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
        access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
        access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
        access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
        ...
        ip address outside 10.0.0.2 255.255.255.0
        ip address inside 172.16.0.2 255.255.255.0
        ip address dmz 192.168.0.1 255.255.255.0
        ip audit info action alarm
        ip audit attack action alarm
        pdm history enable
        arp timeout 14400
        global (outside) 1 10.0.0.3
        nat (inside) 1 172.16.0.0 255.255.255.0 0 0
        static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
        access-group out in interface outside
        access-group in in interface inside
        access-group dmz in interface dmz
        ...
  • 22. (Slide 22 repeats the PIX configuration shown on slide 21.)
  • 23. 2nd Rule: Don't just assume a control is working.
  • 24. 3rd Rule: Compliance does not equal Security
  • 25. Part 4: Effectively Manage Business Associate Risk
  • 26. Systematic Approach: 1. Identify 2. Classify 3. Prioritize 4. Additional Evaluation 5. Monitor
  • 27. Systematic Approach: 1. Identify 2. Classify (Matrix) 3. Prioritize 4. Additional Evaluation 5. Monitor
  • 28. Systematic Approach: 1. Identify 2. Classify 3. Prioritize 4. Additional Evaluation 5. Monitor. Questionnaire; HIPAA Risk Analysis
  • 29. Summary for BAs & CEs: New responsibilities (HIPAA Sec. Rule); Increased accountability / scrutiny; Need effective (true) risk management; BAs need to be ready to be audited by CEs; CEs need to be ready to audit BAs
  • 30. { thank you! } John Abraham, jabraham@redspin.com, 805-705-8040 (mobile)
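As an added example (not part of the Redspin deck), a small Python audit that reads access-list lines in the PIX syntax used on the slide and flags three ways a rule can exist without being effective: a rule fully covered by an earlier rule in the same list (so it can never match), a TCP-only service permitted over UDP, and a rule whose source is the firewall's own interface address (interface access-groups filter through-traffic, not traffic the firewall originates). The configuration excerpt is constructed from the slide; the checks are illustrative and do not model full PIX semantics.

```python
import ipaddress

# Constructed excerpt of the slide's PIX 6.3 configuration (host/mask address forms only).
CONFIG = """
ip address inside 172.16.0.2 255.255.255.0
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
"""

TCP_ONLY = {"telnet", "ssh", "www", "https", "smtp", "ftp"}  # services that do not run over UDP

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A MASK' from the token list; return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_rule(line):
    """Turn one 'access-list NAME ACTION PROTO SRC DST [eq PORT]' line into a dict."""
    t = line.split()
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port, "text": line}

def covers(a, b):
    """True when rule a matches every packet rule b would match, so b never fires after a."""
    return (a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))

def audit(config):
    """Return (finding-kind, rule-text) pairs for rules that exist but cannot be effective."""
    findings, rules, self_ips = [], [], set()
    for line in config.strip().splitlines():
        if line.startswith("ip address "):
            self_ips.add(ipaddress.ip_network(line.split()[3] + "/32"))
        elif line.startswith("access-list "):
            rules.append(parse_rule(line))
    for i, r in enumerate(rules):
        if r["proto"] == "udp" and r["port"] in TCP_ONLY:
            findings.append(("tcp-service-on-udp", r["text"]))
        if r["src"] in self_ips:
            findings.append(("firewall-own-address-as-source", r["text"]))
        for earlier in rules[:i]:
            if earlier["acl"] == r["acl"] and covers(earlier, r):
                findings.append(("shadowed-by-earlier-rule", r["text"]))
                break
    return findings
```

On the constructed excerpt the audit reports the DMZ smtp rule as shadowed by the earlier permit ip, the inside ftp deny as sourced from the firewall's own address, and the udp telnet permit as a service/protocol mismatch.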