A project approach to HIPAA


Published on

Published in: Technology, Business
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

A project approach to HIPAA

  1. HIPAA Security: A Management System Approach
     Dan Wallace, dwallace@growforwardllc.com
  2. Agenda
     1) The Need for Security Awareness Programs
     2) Security Awareness as a Product
     3) Phase 1 – Identify Target Audiences and Product
     4) Phase 2 – Identify Product Distribution Methods
     5) Phase 3 – Obtain Management Support
     6) Phase 4 – Product Launch
     7) Phase 5 – Effectiveness Assessment
     8) Ongoing Enhancements
     9) Ideas for Customized Campaigns
     HIPAA Security Compliance Framework
  3. Introduction to Management Systems
  4. Management System Overview
     A management system is a mechanism to establish policy and objectives and to put in place the means to achieve those objectives. Management systems are used by organizations to develop policies and to put these into effect via objectives and targets using:
     – Organizational structure
     – Systematic procedures
     – Measurement and evaluation
     – Quality control and continuous improvement
     Structure, procedures and measurement are required by the HIPAA security regulation.
  5. Elements of a Management System
     Planning – identification of needs, resources, structure, responsibilities
     Policy – demonstration of commitment and principles for action
     Implementation and operation – awareness building and training
     Performance assessment – monitoring and measuring, handling non-conformities, audits
     Improvement – corrective and preventive action, continual improvement
     Management review – oversight, governance and compliance
  6. Information Security Management System (ISMS)
     That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
     The design and implementation of the ISMS is influenced by business needs and objectives, the resulting security requirements, the processes employed, and the size and structure of the organization. The ISMS and the supporting systems are designed to change when necessary.
  7. Management System Documentation
     Management framework policies relating to BS 7799-2 Clause 4.
     Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability
     Level 2 – Procedures: define processes (who, what, when, where)
     Level 3 – Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
     Level 4 – Records: provide objective evidence of compliance with HIPAA security requirements; required by BS 7799 clause 3.6
  8. HIPAA Security Framework
  9. The Framework
     Phase 1 – Plan the Project: output is the Project Charter
     Phase 2 – Develop Policies (based on ISO/IEC 17799): outputs are Policies, Standards and Procedures
     Phase 3 – Assess Risk (OCTAVE): takes the Phase 1 and Phase 2 outputs; outputs are Threats, Vulnerabilities and Impacts
     Phase 4 – Manage Risk: takes the Phase 3 outputs and the organization's Risk Tolerance; outputs are the Degree of Compliance and Selected Remediation Plans
     Phase 5 – Implement Controls: output is Controls
     Phase 6 – Compliance Guide: takes the Control Objectives; output is Implemented Compliance Controls
  10. Phase One: Project Planning
     – Gain an understanding of the organization and technology environment
     – Establish the objectives of the management system
     – Develop project charter document
     – Roll out methodology and obtain buy-in
     – Develop detailed project plans
     – Address budget issues
     – Obtain resource commitments
  11. Phase Two: Policy Development
     POLICY DEFINITION: Develop a custom security policy document, based on ISO/IEC 17799, that is driven by business/clinical need and prescribes management direction in meeting HIPAA security compliance objectives.
     STANDARDS & PROCEDURE DEVELOPMENT: Each functional area or department develops the means to implement and enforce management's policies.
  12. Policy Definition & Standard Development Process
     Steps: Determine Current Policies; Identify Required Policies; Map Current Policies to Requirements; Analyze Gaps; Develop Policy
     Activities across the steps:
     • Kickoff
     • Review Existing Policies
     • Interview Key Personnel
     • Review details of Incidents
     • Consolidate Findings
     • Review HIPAA Security Regs
     • Review ISO/IEC 17799
     • Interview IT & security
     • Identify Gaps
     • Identify New Areas
     • Assign Policy Ownership
     • Checkpoint
     • User Training
     Policy development tasks are the same for both policy definition and standards development.
  13. Procedure Development
     A procedure is the organization of people, equipment, energy, procedures and material into the work activities needed to produce a specified end result (work product). Procedures are a sequence of repeatable activities that have measurable inputs, value-add activities and measurable outputs. Procedures have a functional focus as opposed to an organizational focus, must have a specified owner, and use Critical Success Factors (CSF) to help focus process execution and maximize improvement efforts.
     Each functional area develops its own procedures consistent with policies. Methods for procedure development will vary; however, management may elect to issue guidance on the form and format of documented procedures.
  14. Required Procedures
     Citation                 Procedure                                      Type
     164.308(a)(4)(ii)(B)     Access Authorization                           (A)
     164.310(a)(2)(iii)       Access Control and Validation                  (A)
     164.312(a)(1)            Access Controls                                (S)
     164.308(a)(4)(ii)(C)     Access Establishment and Modification          (A)
     164.312(b)               Audit Controls                                 (S)
     164.308(a)(3)(ii)(A)     Authorization and/or Supervision               (A)
     164.312(a)(2)(iii)       Automatic Logoff                               (A)
     164.310(a)(2)(i)         Contingency Operations                         (A)
     164.308(a)(7)(i)         Contingency Plan                               (S)
     164.308(a)(7)(ii)(A)     Data Backup Plan                               (R)
     164.310(d)(1)            Device and Media Controls                      (S)
     164.308(a)(7)(ii)(B)     Disaster Recovery Plan                         (R)
     164.310(d)(2)(i)         Disposal                                       (R)
     164.312(a)(2)(ii)        Emergency Access                               (R)
     164.308(a)(7)(ii)(C)     Emergency Mode Operation Plan                  (R)
     164.310(a)(1)            Facility Access Controls                       (S)
     164.310(a)(2)(ii)        Facility Security Plan                         (A)
     164.308(a)(4)(i)         Information Access Management                  (S)
     164.308(a)(1)(ii)(D)     Information System Activity Review             (R)
     164.312(c)(1)            Integrity                                      (S)
     164.308(a)(4)(ii)(A)     Isolating Health Care Clearinghouse Function   (R)
     164.308(a)(5)(ii)(C)     Login Monitoring                               (A)
     164.310(a)(2)(iv)        Maintenance Records                            (A)
     164.310(d)(2)(ii)        Media Re-Use                                   (R)
     164.308(a)(5)(ii)(D)     Password Management                            (A)
     164.312(d)               Person or Entity Authentication                (S)
     164.308(a)(5)(ii)(B)     Protection from Malicious Software             (A)
     164.308(a)(6)(i)         Security Incident Procedures                   (S)
     164.308(a)(1)(i)         Security Management Process                    (S)
     164.308(a)(3)(ii)(C)     Termination                                    (A)
     164.308(a)(7)(ii)(D)     Testing and Revision                           (A)
     164.308(a)(3)(ii)(B)     Workforce Clearance                            (A)
     164.308(a)(3)(i)         Workforce Security                             (S)
     164.310(b)               Workstation Use                                (S)
     Type: (S) = standard; (R) = required implementation specification; (A) = addressable implementation specification
  15. Phase Three: Risk Assessment – Overview of the OCTAVE Process
     OCTAVE PROCESS: a progressive series of self-directed workshops that results in an in-depth security analysis of business and computing infrastructure elements.
  16. Phase Three: Risk Assessment
     PREPARATION: Define the scope of the risk assessment, select analysis teams, provide method orientation, schedule workshops.
     PHASE ONE: BUILD ASSET-BASED THREAT PROFILES. An organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets.
     PHASE TWO: IDENTIFY INFRASTRUCTURE VULNERABILITIES. An evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.
  17. Phase Four: Risk Management and Remediation
     PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization's critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
  18. Risk Assessment & Management
  19. Phase Five: Implement Control Objectives and Controls
  20. Phase Six: Prepare the Statement of Applicability
     COMPLIANCE DOCUMENT: Written evidence of the actions taken in the first five phases with regard to HIPAA compliance.
     MANAGEMENT FRAMEWORK SUMMARY: A synopsis of the entire information security management framework, including the policy, control objectives and implemented controls.
     PROCEDURE INVENTORY: A catalogue of procedures implemented to support the management framework, including responsibilities and relevant actions.
     MANAGEMENT SYSTEM PROCEDURES: Administrative procedures covering the operation and management of the management system, including responsibilities.