HIPAA Preso
HIPAA presentation I created back when HIPAA was new and I was the InfoSec Security Practice Leader for a now defunct company. The whole preso was my design, right down to making the template.

    Presentation Transcript

    • Healthcare InfoSec Overview: HIPAA Compliance Solutions
      Joseph Patrick Schorr, CISSP, MCSE, CCDA, Security Consulting Practice Leader
    • Agenda
      – The KentTrust Story
      – The state of InfoSec - 2001
      – HIPAA to-Date
      – Privacy Standards
      – Implications on Your Organization
      – Your Needs
      – Why Should You Comply?
      – KentTrust Security Services Approach
    • KentTrust Mission
      “To provide professional and innovative Information Security solutions to industry, government, and society through leading edge knowledge, skill set, and technologies”
    • Why KentTrust Security Solutions?
      – Our security consultants are seasoned security professionals: 6 CISSPs, 5 CCSEs, 1 CISA, 7 MCSEs (industry-recognized certifications)
      – We have provided solutions for all types of organizations: private industry (health care, banking, commerce, etc.) and government (Federal, State, Local)
      – Experience with the full spectrum of InfoSec: security policy, penetration testing and probing, vulnerability assessments, HIPAA reviews, PKI, e-commerce, security architecture reviews, intrusion detection, etc.
    • Engagement Methodology: 5-Phase KentTrusted™ Cycle
      I. Security Architecture Review
      II. Security Posture Assessment
      III. Security Solutions Deployment
      IV. Security Operations Program
      V. Security Awareness Program
    • 2001 – The State of InfoSec: Attacks and Abuses on the Rise
      – 40% of respondents detected external system penetrations and probings
      – 38% of respondents detected Denial of Service (DoS) attacks
      – 91% of respondents detected abuse of Internet access privileges
      – 94% of respondents detected computer viruses
      Source: Computer Security Institute, 2001
    • 2001 – The State of InfoSec
      – 85% of large corporations and government agencies detected computer security breaches
      – 64% acknowledged financial losses due to breaches
      – The respondents reported $377,828,700 in financial losses
      – 69% of respondents cited their Internet connection as the point of attack, 31% cited an internal point of attack
      – External attacks rose from 59% in 2000 to 69% in 2001
      Source: Computer Security Institute, 2001
    • Attack Sophistication (chart; axes “Expertise Required” and “Sophistication of Tools”, timeline 1980, 1985, 1990, 1995, 1999, 2000)
      Techniques plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI network management diagnostics, automated probes/scans, WWW attacks, denial of service, stealth / advanced scanning techniques, DDoS attacks, burglaries
      Source: InformationWeek > Security > Cisco Warns Of IOS Security Flaw > June 29, 2001
    • Sources of Attack (pie chart)
      – Foreign Government 8%
      – Foreign Corporations 10%
      – Disgruntled Employees 33%
      – US Competitors 18%
      – Independent Hackers 30%
    • Proof Positive: Financial Losses Due to Cyber-attacks (bar chart, axis in millions, 0 to 30)
      – Denial of Service: $8,247,500
      – Virus: $29,171,700
      – Internal Abuse: $29,171,700
      – System Penetration: $7,104,000
      Source: Federal Bureau of Investigation, 2000 (243 Respondents)
    • HIPAA Introduction
      – One of the most high-impact pieces of legislation to affect the health care industry!
      – The industry generally agrees that HIPAA's impact will be more extensive than the Year 2000 Problem
      – Healthcare experts predict that large healthcare providers and/or payers will have to spend $50 to $200 million to become HIPAA compliant
    • Introduction (cont.)
      – Affects nearly everyone in healthcare: payers, employers, providers, clearinghouses, health care information systems vendors, billing agents, and service organizations
      – Impacts nearly every business process:
        • All individually identifiable information relating to patients or any person receiving services
        • Past, present, or future health conditions, treatment or payment for treatment
        • Demographic data collected by plans or providers
    • Who Does This Affect?
      – Health Plans: individual or group plans that provide for or pay the cost of medical care; employers who self-insure
      – Providers: hospitals, medical groups, physicians' LLPs, clinics, emergency care facilities and any other person furnishing health care services or supplies
      – Health Care Clearinghouses: any public or private organization that processes or facilitates the processing of health information
      – Other affected entities: employers who want to use medical information for data mining; pharmaceutical companies conducting clinical research
    • HIPAA to date
      – Health Insurance Portability & Accountability Act of 1996 (HIPAA), Public Law 104-191
      – Based on Kennedy-Kassebaum
      – Designed to: assure health insurance portability; reduce health care fraud and abuse; guarantee security and privacy of health information; enforce standards for health information
      – HIPAA-Sec effective 4/14/2001
      – 2 years to achieve compliance (October 2002). ARE YOU AWAKE ???
    • Security Categories
      1. Administrative Procedures to guard data integrity, confidentiality, and availability
      2. Physical Safeguards to guard data integrity, confidentiality, and availability
      3. Technical Security Services to guard data integrity, confidentiality, and availability
      4. Technical Security Mechanisms to guard data integrity, confidentiality, and availability
    • Privacy Categories: Administrative Procedures
      Sets standards for:
      – Certification
      – Chain of Trust Agreements
      – Contingency Planning
      – Record Processing
      – Information Access Control
      – Internal Audit
      – Security Management
      – Personal Security
      – Training
      – Termination Procedures
      – Security Incident Response
      – Security Configuration Management
    • Privacy Categories: Physical Safeguards
      Governs physical security and organizational issues:
      – Assigned Security Responsibility
      – Media controls
      – Physical access controls
      – PC policy/guideline
      – Secure workstation location
      – Security awareness training
      – Business Continuity & Disaster Recovery Plans
    • Privacy Categories: Technical Security Services
      Dictate general security safeguards. Standards covered:
      – Access Control
      – Audit Controls
      – Authorization Control
      – Data Authentication (Integrity)
      – Entity Authentication
    • Privacy Categories: Technical Security Mechanisms
      – Communications/Network Controls: basic networking safeguards (alarms, access controls, audit trails, event reporting, etc.)
      – Network security issues: integrity (message corruption) and confidentiality (message interception); protection from unauthorized remote access
      – Digital Signatures
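The Technical Security Mechanisms slide names digital signatures as the control for message integrity (corruption in transit). The following Go program is an added example, not part of the deck and not KentTrust's code, showing what that control actually buys a receiver: an Ed25519 signature over a serialized record verifies only if every byte is exactly what the sender signed, so a record whose billed amount was altered in transit is rejected. The record fields, the `SignedRecord` envelope, and the `TamperCheck` function are constructed for illustration; the sample claim is not real PHI. Note what a signature does not give you: the payload is still readable by anyone who intercepts it, so confidentiality (the other issue on the slide) needs encryption of the channel or the record, for instance the VPN the deck lists under "Your Needs".

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedRecord is a hypothetical envelope: the serialized record plus a detached
// signature computed over exactly those bytes.
type SignedRecord struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// SignRecord signs the payload with the sender's Ed25519 private key.
func SignRecord(priv ed25519.PrivateKey, payload []byte) SignedRecord {
	return SignedRecord{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyRecord reports whether the payload is byte-for-byte what the holder of the
// matching private key signed. Any corruption or edit in transit makes this false.
func VerifyRecord(pub ed25519.PublicKey, rec SignedRecord) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; refuse instead
	}
	return ed25519.Verify(pub, rec.Payload, rec.Signature)
}

// TamperCheck signs a constructed sample claim and returns whether the untouched
// record verifies (expected true) and whether a record altered in transit
// verifies (expected false).
func TamperCheck() (intactOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}

	// Constructed sample: field names are illustrative, values are not real PHI.
	claim := map[string]string{
		"patient_id": "EXAMPLE-0001",
		"procedure":  "CPT-99213",
		"amount":     "125.00",
	}
	payload, err := json.Marshal(claim) // map keys are emitted sorted, so this is deterministic
	if err != nil {
		return false, false, err
	}
	rec := SignRecord(priv, payload)
	intactOK = VerifyRecord(pub, rec)

	// Simulate corruption or an in-transit edit: the billed amount is changed.
	// bytes.Replace returns a new slice, so the original record is untouched.
	tampered := rec
	tampered.Payload = bytes.Replace(rec.Payload,
		[]byte(`"amount":"125.00"`), []byte(`"amount":"1250.00"`), 1)
	if bytes.Equal(tampered.Payload, rec.Payload) {
		return intactOK, false, errors.New("tamper step did not change the payload")
	}
	tamperedOK = VerifyRecord(pub, tampered)
	return intactOK, tamperedOK, nil
}

func main() {
	intact, tampered, err := TamperCheck()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("intact record verifies:   %v\n", intact)   // true
	fmt.Printf("tampered record verifies: %v\n", tampered) // false: reject it and raise a security incident
}
```

In a real deployment the receiver would treat a failed verification as a security incident to be logged and investigated (the slide's "audit trails, event reporting"), and the sender's public key would be distributed through the PKI the deck mentions rather than generated alongside the message as this self-contained example does.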
    • HIPAA - Your Needs
      – Need to know where you are today and where you need to go to gain compliance
      – Additional information security technology solutions may be required (e.g., Public Key Infrastructure, Virtual Private Network, improved logging, Business Continuity Plans)
      – Business processes may need major enhancements to ensure that security and privacy requirements are met
    • Your needs
      – Organizations may need to undergo significant cultural transformation in the way patient information is handled, used, communicated and shared
      – Policies and procedures may have to be developed and existing ones modified
      – Proposed regulations require staffing of a “Privacy Official”
      – Budgeting and staffing for the next two years will be impacted; need to understand how much
    • Your needs (cont.)
      – Need to meet a short timeframe: most health care organizations will have only 2 years to comply
      – Broad scope (need expertise): HIPAA will impact all functions, processes and systems that store, handle or generate health information
        • Mainframes, servers, workstations
        • Policies and procedures
        • Training staff
    • Implications for your organization: Acute Impact
      – Requires health care organizations to completely rethink the way in which they protect the security and privacy of patients' and consumers' information
      – Mandates standard formats for the most common transactions between health care organizations
      – In many cases requires replacement or substantial change to providers' current systems and processes to comply with HIPAA regulations
    • Implications for your organization: Strategic Impact
      – HIPAA electronic standards and security requirements become key enablers in moving forward
    • more “implications”…
      – Cost savings: reduction in processing costs; simplification of manual processing
      – Improved customer service: reduced errors; quicker turnaround
      – Mobilizes the industry
      – Gives direction
      – Gives timetable
      – Not prescriptive
      – Shows the public we care
    • more “implications”…
      – Non-compliance: $100 for each violation; total for each requirement in a calendar year not more than $25,000
      – Wrongful disclosure of individually identifiable health information (uses or causes to be used a unique health identifier; obtains individually identifiable health information; discloses individually identifiable health information):
        • $50,000 and/or 1 yr imprisonment
        • $100,000 and/or 5 yrs imprisonment for false pretenses
        • $250,000 and/or 10 yrs imprisonment for intent to sell
    • Getting from Point “A” to “B”
      The final regulations will not mandate specific security practices and technology… Health care entities must assess potential risks to their data and develop, implement, and maintain appropriate security measures
    • Security Services Approach
      – Help prepare an organization for HIPAA regulations and standards
      – Awareness training to better understand the implications of the new standards and their effects on the organization
    • HIPAA Compliance Review
      – A simple and meaningful Security Gap Analysis Audit: determine the magnitude of the regulatory impact on your organization and establish the scope of your compliance effort
      – Network Vulnerability Assessments
      – Provide extensive documentation supporting the recommended HIPAA compliance of the organization
      – Implement and deploy the recommended HIPAA-compliant solutions
    • Commonalities: Typical Gaps Found During HIPAA Gap Analysis Audits
      – Out-of-date or non-existent Disaster Recovery or Business Continuity Plans
      – Current computing systems cannot meet HIPAA standards for security: OS versions cannot be upgraded; OS simply lacks security capabilities
      – HIPAA-compliant policies and procedures not in place or not being followed
      – Inadequate data backup plan in place
      – Infrastructure (network or systems) vulnerable
    • Homework!!! Think about your environment…
      – Consistent security policy definitions?
      – Information architecture
        • Business process definitions: who shares information, and why?
        • Information content definitions: what information is shared?
        • Computational definitions: how is information shared?
        • Engineering/Technical: the last thing to consider
    • Pithy Quote
      “If you reveal your secrets to the wind you should not blame the wind for revealing them to the trees.” Khalil Gibran
    • Questions
    • Contact us to Secure your Information
      Security Solutions Division of Kent Technologies
      5911-K Breckenridge Park Drive, Tampa, Florida 33610
      (614)766-8482
      www.KentTrust.com