HIPAA Preso
This preso is now about 13-14 years(?) old as of 2014.

HIPAA presentation I created back when HIPAA was new and I was the InfoSec Security Practice Leader for a now defunct company. The whole preso was my design, right down to making the template.

  1. Healthcare InfoSec Overview: HIPAA Compliance Solutions. Joseph Patrick Schorr, CISSP, MCSE, CCDA, Security Consulting Practice Leader
  2. Agenda • The KentTrust Story • The State of InfoSec - 2001 • HIPAA to Date • Privacy Standards • Implications on Your Organization • Your Needs • Why Should You Comply? • KentTrust Security Services Approach
  3. KentTrust Mission: "To provide professional and innovative Information Security solutions to industry, government, and society through leading edge knowledge, skill set, and technologies"
  4. Why KentTrust Security Solutions? • Our security consultants are seasoned security professionals: 6 CISSPs, 5 CCSEs, 1 CISA, 7 MCSEs (industry-recognized certifications) • We have provided solutions for all types of organizations: private industry (health care, banking, commerce, etc.) and government (federal, state, local) • Experience with the full spectrum of InfoSec: security policy, penetration testing and probing, vulnerability assessments, HIPAA reviews, PKI, e-commerce, security architecture reviews, intrusion detection, etc.
  5. Engagement Methodology: 5-Phase KentTrusted™ Cycle. I. Security Architecture Review; II. Security Posture Assessment; III. Security Solutions Deployment; IV. Security Operations Program; V. Security Awareness Program
  6. 2001 – The State of InfoSec: Attacks and Abuses on the Rise • 40% of respondents detected external system penetrations and probings • 38% of respondents detected Denial of Service (DoS) attacks • 91% of respondents detected abuse of Internet access privileges • 94% of respondents detected computer viruses. Source: Computer Security Institute, 2001
  7. 2001 – The State of InfoSec • 85% of large corporations and government agencies detected computer security breaches • 64% acknowledged financial losses due to breaches • Respondents reported $377,828,700 in financial losses • 69% of respondents cited their Internet connection as the point of attack, 31% cited an internal point of attack • External attacks rose from 59% in 2000 to 69% in 2001. Source: Computer Security Institute, 2001
  8. Attack Sophistication (chart). Axes: expertise required of the attacker (falling) against sophistication of tools (rising), plotted from 1980 to 2000. Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, burglaries, hijacking sessions, sweepers, sniffers, packet spoofing, GUI network management diagnostics, automated probes/scans, WWW attacks, denial of service, DDoS attacks, stealth/advanced scanning techniques. Source cited on the slide: InformationWeek > Security > "Cisco Warns Of IOS Security Flaw", June 29, 2001
  9. Sources of Attack (pie chart): disgruntled employees 33%; independent hackers 30%; US competitors 18%; foreign corporations 10%; foreign government 8%
  10. Proof Positive: Financial Losses Due to Cyber-attacks (bar chart, in millions of dollars): Denial of Service $8,247,500; Virus $29,171,700; Internal Abuse $29,171,700; System Penetration $7,104,000. Source: Federal Bureau of Investigation, 2000 (243 respondents)
  11. HIPAA Introduction • One of the most high-impact pieces of legislation to affect the health care industry • The industry generally agrees that HIPAA's impact will be more extensive than the Year 2000 problem • Healthcare experts predict that large healthcare providers and/or payers will have to spend $50 to $200 million to become HIPAA compliant
  12. Introduction (cont.) • Affects nearly everyone in healthcare: payers, employers, providers, clearinghouses, health care information systems vendors, billing agents, and service organizations • Impacts nearly every business process: all individually identifiable information relating to patients or any person receiving services; past, present, or future health conditions, treatment or payment for treatment; demographic data collected by plans or providers
  13. Who Does This Affect? • Health plans: individual or group plans that provide for or pay the cost of medical care; employers who self-insure • Providers: hospitals, medical groups, physicians' LLPs, clinics, emergency care facilities and any other person furnishing health care services or supplies • Health care clearinghouses: any public or private organization that processes or facilitates the processing of health information • Other affected entities: employers who want to use medical information for data mining; pharmaceutical companies conducting clinical research
  14. HIPAA to Date • Health Insurance Portability & Accountability Act of 1996 (HIPAA) • Public Law 104-191 • Based on Kennedy-Kassebaum • Designed to: assure health insurance portability; reduce health care fraud and abuse; guarantee security and privacy of health information; enforce standards for health information • Final Privacy Rule effective 4/14/2001 (the Security Rule was still a proposed rule when this deck was written; it was not finalized until 2003) • 2 years to achieve compliance (October 2002 for the transaction standards; April 2003 for the Privacy Rule). ARE YOU AWAKE???
  15. Security Categories (as laid out in the proposed Security Rule) 1. Administrative procedures to guard data integrity, confidentiality, and availability 2. Physical safeguards to guard data integrity, confidentiality, and availability 3. Technical security services to guard data integrity, confidentiality, and availability 4. Technical security mechanisms to guard data integrity, confidentiality, and availability
  16. Security Categories: Administrative Procedures. Sets standards for: • Certification • Chain of trust partner agreements • Contingency planning • Record processing (a formal mechanism for processing records) • Information access control • Internal audit • Personnel security • Security configuration management • Security incident response procedures • Security management process • Termination procedures • Training
  17. Security Categories: Physical Safeguards. Governs physical security and organizational issues: • Assigned security responsibility • Media controls • Physical access controls • PC policy/guidelines • Secure workstation location • Security awareness training • Business continuity & disaster recovery plans
  18. Security Categories: Technical Security Services. Dictate general security safeguards. Standards covered: • Access control • Audit controls • Authorization control • Data authentication (integrity) • Entity authentication
  19. Security Categories: Technical Security Mechanisms • Communications/network controls: basic networking safeguards (alarms, access controls, audit trails, event reporting, etc.) • Network security issues: integrity (detecting message corruption) and confidentiality (resisting message interception); protection from unauthorized remote access • Digital signatures
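The "audit controls" and "data authentication (integrity)" services of slide 18, and the message-corruption concern of slide 19, are easiest to see in working code. The following Python is an added example, not part of the original deck or of KentTrust's deliverables: it keeps a hash-chained, HMAC-authenticated audit trail of PHI access events so that editing, deleting or reordering any entry is detected on verification. The event fields, the key, and the patient identifiers are constructed for illustration only.

```python
"""Tamper-evident audit trail for PHI access events (added example).

Each entry carries an HMAC-SHA256 tag computed over its canonical JSON
form, which includes the previous entry's tag. Changing, removing or
reordering any entry therefore breaks verification from that point on.
The key, record layout and sample events below are assumptions for the
example; in production the key lives in an HSM/KMS, not in source.
"""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # stands in for the tag of the entry before the first one


def _canonical(entry: dict) -> bytes:
    # sort_keys and fixed separators make the encoding deterministic,
    # so the same event always yields the same bytes to authenticate
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, key: bytes, event: dict) -> dict:
    """Append an audit event whose tag chains to the previous entry's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = dict(event, seq=len(log), prev=prev_tag)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        # sequence number and back-pointer catch deletions and reordering
        if body.get("seq") != i or body.get("prev") != prev_tag:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # constant-time comparison: do not leak tag bytes through timing
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def demo() -> dict:
    """Build a small log, then show what verification reports for three tampering cases."""
    key = b"example-only-key-not-for-production"  # constructed for the example
    log = []
    # constructed sample events; medical record numbers are fictitious
    events = [
        {"user": "nurse.jdoe", "action": "read", "record": "MRN-000123", "ts": "2001-06-29T09:15:00"},
        {"user": "dr.asmith", "action": "update", "record": "MRN-000123", "ts": "2001-06-29T09:20:00"},
        {"user": "billing.rlee", "action": "read", "record": "MRN-000987", "ts": "2001-06-29T10:02:00"},
    ]
    for event in events:
        append_event(log, key, event)
    results = {"clean": verify_log(log, key)}
    # case 1: an insider rewrites who touched MRN-000123 -> tag mismatch at index 1
    modified = json.loads(json.dumps(log))
    modified[1]["user"] = "someone.else"
    results["modified"] = verify_log(modified, key)
    # case 2: the middle entry is deleted -> the entry now at index 1 carries seq 2
    deleted = log[:1] + log[2:]
    results["deleted"] = verify_log(deleted, key)
    # case 3: verification with the wrong key fails at the very first entry
    results["wrong_key"] = verify_log(log, b"another-key")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

The chain gives integrity and ordering, not confidentiality: entries are still readable, so PHI-bearing logs also need access control and, in transit, encryption. A keyed HMAC also means anyone holding the key can forge the trail; where the verifier must be independent of the logging system, the same structure works with a digital signature (slide 19) in place of the HMAC.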
  20. HIPAA - Your Needs • Need to know where you are today and where you need to go to gain compliance • Additional information security technology solutions may be required (e.g., public key infrastructure, virtual private networks, improved logging, business continuity plans) • Business processes may need major enhancements to ensure that security and privacy requirements are met
  21. Your Needs • Organizations may need to undergo significant cultural transformation in the way patient information is handled, used, communicated and shared • Policies and procedures may have to be developed and existing ones modified • Proposed regulations require staffing of a "Privacy Official" • Budgeting and staffing for the next two years will be impacted; you need to understand by how much
  22. Your Needs (cont.) • Need to meet a short timeframe: most health care organizations will have only 2 years to comply • Broad scope (need expertise): HIPAA will impact all functions, processes and systems that store, handle or generate health information; mainframes, servers and workstations; policies and procedures; staff training
  23. Implications for Your Organization • Acute impact: requires health care organizations to completely rethink the way in which they protect the security and privacy of patients' and consumers' information; mandates standard formats for the most common transactions between health care organizations; in many cases requires replacement of, or substantial change to, providers' current systems and processes to comply with HIPAA regulations
  24. Implications for Your Organization: Strategic Impact. HIPAA electronic standards and security requirements become key enablers in moving forward
  25. More "implications"… • Cost savings: reduction in processing costs; simplification of manual processing • Improved customer service: reduced errors; quicker turnaround • Mobilizes the industry • Gives direction • Gives a timetable • Not prescriptive • Shows the public we care
  26. More "implications"… (penalties as enacted in the 1996 statute) • Non-compliance: $100 for each violation, with the total for each requirement in a calendar year not more than $25,000 • Wrongful disclosure of individually identifiable health information, i.e. knowingly using or causing to be used a unique health identifier, obtaining individually identifiable health information, or disclosing individually identifiable health information: $50,000 and/or 1 year imprisonment; $100,000 and/or 5 years imprisonment if committed under false pretenses; $250,000 and/or 10 years imprisonment if committed with intent to sell the information
  27. Getting from Point "A" to "B". The final regulations will not mandate specific security practices and technology… Health care entities must assess potential risks to their data and develop, implement, and maintain appropriate security measures
  28. Security Services Approach • Help prepare an organization for HIPAA regulations and standards • Awareness training to better understand the implications of the new standards and their effects on the organization
  29. HIPAA Compliance Review • A simple and meaningful security gap analysis audit: determine the magnitude of the regulatory impact on your organization and establish the scope of your compliance effort • Network vulnerability assessments • Provide extensive documentation supporting the recommended HIPAA compliance of the organization • Implement and deploy the recommended HIPAA-compliant solutions
  30. Commonalities: Typical Gaps Found During HIPAA Gap Analysis Audits • Out-of-date or non-existent disaster recovery or business continuity plans • Current computing systems cannot meet HIPAA standards for security: OS versions cannot be upgraded; OS simply lacks security capabilities • HIPAA-compliant policies and procedures not in place or not being followed • Inadequate data backup plan in place • Infrastructure (network or systems) vulnerable
  31. Homework!!! Think about your environment… • Consistent security policy definitions? • Information architecture: business process definitions (who shares information, and why?); information content definitions (what information is shared?); computational definitions (how is information shared?); engineering/technical (the last thing to consider)
  32. Pithy Quote: "If you reveal your secrets to the wind you should not blame the wind for revealing them to the trees." Khalil Gibran
  33. Questions
  34. Contact us to Secure your Information. Security Solutions, Division of Kent Technologies, 5911-K Breckenridge Park Drive, Tampa, Florida 33610, (614) 766-8482, www.KentTrust.com