IT security panel - moeshesh

Transcript

  • 1. Planning for Information Security and HIPAA Compliance
    UNC CAUSE, November 2006
    "Security should follow data"
    Leo Howell, CISSP, and John Baines, CISSP - IAS-Information Assurance & Security, ETSS-Enterprise Technology Services & Support, North Carolina State University
    Sharon McLawhorn McNeil - ITCS-Security, Department of ITCS, East Carolina University
  • 2. What's it all about, Webster?
    Defalcation
    - Pronunciation: \ˌdē-ˌfal-ˈkā-shən\
    - Date: 15th century
    - 1 archaic: DEDUCTION
    - 2: the act or an instance of embezzling
    - 3: a failure to meet a promise or an expectation
    Malfeasance
    - Pronunciation: \mal-ˈfē-zən(t)s\
    - Date: 1696
    - wrongdoing or misconduct, especially by a public official
    Two twenty dollar words
    - Fraud and criminal business acts
    - Reaction to the excesses of the 80's and 90's
    "Planning for Security and HIPAA Compliance" NCSU and ECU 2
  • 3. Increasingly Complicated Compliance Constraints
    Statute | Type of requirement | University data | Example data location
    FERPA | Federal law | Student records | Faculty PC or records server
    HIPAA | Federal law | Health records | Athletics dept.
    GLBA | Federal law | Financial data | Financial Aid
    PCI DSS - Data Security Std. | Payment Card Industry | Credit card data | Bookstore server
    SB 1048 | State Identity Theft law | SSN, etc. | R&R
    State Employee Personal Information Privacy law | State law | Staff data | Payroll
    Federal contract requirements | Contract | Research materials | Lab PC, Grants
  • 4. Educational Institutes Seen as Easy Marks
    Los Angeles Times article, May 30, 2006:
    "Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide."
    "We were adding on another university every week to look into." - Michael C. Zweiback, assistant U.S. attorney
  • 5. Information Security Planning
    High level tasks:
    - Make a conscious decision to plan for security and compliance, for improved efficiency and effectiveness
    - Understand the business goals and objectives
    - Conduct a risk assessment; factor in compliance!
    - Develop the plan
  • 6. Data Classification Standard, DCS
    DCS forms the foundation: identification, confidentiality, classification, protection, consistency.
    3 classification levels: High, Moderate, Normal
    Based on data sensitivity and business value, financial implications and legal obligations
  • 7. Data Management Procedures, DMP
    DMP assigns ownership and accountability.
    Role relationships and responsibilities:
    - Data Trustee: oversight responsibility
    - Data Steward: access within his or her unit; accuracy, privacy and security
    - Data Custodians: physical data management, e.g. Application Security Unit
    - Security Administrator: manages access rights; authorizes users based on guidelines
    - User
  • 8. Seven Steps
    RMIS Information System Security Plan, RISSP
    Leo Howell, Information Security Analyst
  • 9. STEP ONE – Understand the Asset
    Effective security begins with a solid understanding of the protected asset and its value.
    At NC State we have identified DATA as our primary asset.
    Philosophically, we believe that "security should follow data". But we know that not all data were created equal.
  • 10. STEP TWO – Identify and prioritize Threats
    Governance: policy breach; rebellion
    Physical: data theft; equipment theft/damage
    Endpoint: theft; social engineering
    Infrastructure & Application: theft; disclosure; DoS; unauthorized access
    Data: unauthorized access; corruption/destruction
  • 11. STEP THREE – Identify and rank Vulnerabilities
    Governance: policy loopholes
    Physical: weak perimeter; open access
    Endpoint: ignorance
    Infrastructure & Application: "open" network; unpatched systems/OS; misconfiguration
    Data: unencrypted storage; insecure transmission
  • 12. STEP FOUR – Quantify Relative Risk, R
    R = µVAT, where V = vulnerability, A = asset, T = threat, µ = likelihood of T
    - The greater the number of vulnerabilities, the bigger the risk
    - The greater the value of the asset, the bigger the risk
    - The greater the threat, the bigger the risk
  • 13. STEP FIVE – Develop a strategy
    3 virtual operational protection zones, OPZ, based on Data Classification:
    - High: significant business impact; financial loss; regulatory compliance (e.g. laptop with High data)
    - Moderate: adversely affects business and reputation (e.g. server with Moderate data)
    - Normal: minimal adverse effect on business; authorization required to modify or copy
    The types of data stored, accessed, processed or transmitted dictate the OPZ. Higher classification implies increased security.
  • 14. STEP SIX – Establish target standards
    Seven layers of protection per zone, based on COBIT, ISO 17799 and NIST 800-53:
    1. Management & Governance
    2. Access control
    3. Physical security
    4. Endpoint security
    5. Infrastructure security
    6. Application security
    7. Data security
    The amount and stringency of security controls at each level varies with data classification.
  • 15. Snippet from Data Security Standard
    Security control | Red Zone | Yellow Zone | Green Zone
    Encrypt stored data | Mandatory | Recommended | Optional
    Limit data stored to external media | Mandatory | Recommended | Optional
    Encrypt transmitted data | Mandatory | Mandatory | Recommended
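As an added illustration of how Steps Four through Seven fit together (this is example code written for this transcript, not material from the NC State deck or the RISSP), the following Python register scores assets with the deck's relative-risk formula R = µVAT, maps each asset's data classification to a protection zone, looks up the control requirements from the Data Security Standard snippet, and turns the missing mandatory controls into a risk-ordered action list. Everything not on the slides is an assumption: the 1..5 ordinal scales for V, A and T, the 0..1 likelihood µ, the High→Red, Moderate→Yellow, Normal→Green zone mapping, and the sample assets.

```python
"""
Added example (not from the slide deck): a small risk register applying
R = µVAT, the zone mapping and the Data Security Standard control matrix.
Assumed, not on the slides: the 1..5 scales for V, A and T, the 0..1
likelihood µ, the High->Red / Moderate->Yellow / Normal->Green mapping,
and the constructed sample assets below.
"""
from dataclasses import dataclass

# Zone per data classification level (assumed mapping of the OPZ slide to the zone colours).
ZONE_FOR_CLASS = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# Requirement levels from the Data Security Standard snippet, ordered by stringency.
LEVEL_RANK = {"Optional": 0, "Recommended": 1, "Mandatory": 2}

# Control matrix exactly as shown on the "Snippet from Data Security Standard" slide.
CONTROL_MATRIX = {
    "Encrypt stored data": {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Limit data stored to external media": {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Encrypt transmitted data": {"Red": "Mandatory", "Yellow": "Mandatory", "Green": "Recommended"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # "High", "Moderate" or "Normal" (Data Classification Standard)
    vulnerability: int   # V: extent of open vulnerabilities, 1..5 (assumed scale)
    value: int           # A: value of the asset, 1..5 (assumed scale)
    threat: int          # T: severity of the threat, 1..5 (assumed scale)
    likelihood: float    # µ: likelihood that T materialises, 0.0..1.0 (assumed scale)


def relative_risk(asset: Asset) -> float:
    """R = µ * V * A * T; rejects inputs outside the assumed scales."""
    for label, score in (("V", asset.vulnerability), ("A", asset.value), ("T", asset.threat)):
        if not 1 <= score <= 5:
            raise ValueError(f"{label} must be in 1..5, got {score}")
    if not 0.0 <= asset.likelihood <= 1.0:
        raise ValueError(f"likelihood must be in 0..1, got {asset.likelihood}")
    return asset.likelihood * asset.vulnerability * asset.value * asset.threat


def rank_by_risk(assets):
    """Highest relative risk first: the order in which action items get prioritised."""
    return sorted(assets, key=relative_risk, reverse=True)


def zone_for(asset: Asset) -> str:
    """Operational protection zone implied by the asset's data classification."""
    try:
        return ZONE_FOR_CLASS[asset.classification]
    except KeyError:
        raise ValueError(f"unknown classification {asset.classification!r}") from None


def required_controls(asset: Asset, at_least: str = "Mandatory") -> dict:
    """Controls whose requirement level in the asset's zone is at least `at_least`."""
    zone = zone_for(asset)
    floor = LEVEL_RANK[at_least]
    return {ctl: levels[zone] for ctl, levels in CONTROL_MATRIX.items()
            if LEVEL_RANK[levels[zone]] >= floor}


def control_gaps(asset: Asset, implemented) -> list:
    """Mandatory controls for the asset's zone that are not yet in place."""
    return [ctl for ctl in required_controls(asset, "Mandatory") if ctl not in implemented]


def action_plan(assets, implemented_by_asset) -> list:
    """(asset name, control, R) for every gap, most risky asset first (Step Seven's list)."""
    plan = []
    for asset in rank_by_risk(assets):
        for ctl in control_gaps(asset, implemented_by_asset.get(asset.name, set())):
            plan.append((asset.name, ctl, relative_risk(asset)))
    return plan


# Constructed sample register (not real NC State or ECU assets).
SAMPLE_ASSETS = [
    Asset("Laptop with High data", "High", vulnerability=4, value=5, threat=4, likelihood=0.5),
    Asset("Server with Moderate data", "Moderate", vulnerability=2, value=3, threat=3, likelihood=0.4),
    Asset("Kiosk PC with Normal data", "Normal", vulnerability=3, value=1, threat=2, likelihood=0.8),
]
SAMPLE_IMPLEMENTED = {
    "Laptop with High data": {"Encrypt transmitted data"},
    "Server with Moderate data": set(),
}

if __name__ == "__main__":
    for name, ctl, r in action_plan(SAMPLE_ASSETS, SAMPLE_IMPLEMENTED):
        print(f"R={r:5.1f}  {name}: {ctl}")
```

Because the laptop carries High data it sits in the Red zone, where all three controls are mandatory, so its two unimplemented controls top the list; the Moderate server only owes encrypted transmission, and the Normal kiosk owes nothing mandatory. Changing the scales or the zone mapping changes the ordering, which is why those assumptions are pinned at the top of the register rather than buried in the functions.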
  • 16. STEP SEVEN – Document the plan
    - Create a list of action items for the next 3 to 5 years
    - Prioritize the list based on risk and reality
    - Forecast investment
    - Beg, kick and scream to get funding
    - Implement the plan over time
    Identify realistic solutions for applying the appropriate security controls at each level.
  • 17. Quick takes
    Planning paves the way for effectiveness and efficiency in security and compliance.
    - Understand the business goals
    - Conduct a risk assessment
    - Establish a strategy based on data classification and industry standards
    - Develop a prioritized, realistic plan
    - Go for the long haul!
  • 18. Key Elements of the HIPAA Security Rule: And how to comply
    Sharon McLawhorn McNeil, ITCS-Security, Department of ITCS, East Carolina University
  • 19. Introduction
    HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.
    The purpose of the Security Rule:
    - To allow better access to health insurance
    - Reduce fraud and abuse
    - Lower the overall cost of health care
  • 20. What is the HIPAA Security Rule?
    The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
    Identifiable health information is:
    - Your past, present, or future physical or mental health or condition,
    - Your type of health care, or
    - Past, present, or future payment methods for the type of health care received.
  • 21. Who Must Comply?
    Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
    - Health care plans: HMOs, group health plans, etc.
    - Health care clearinghouses: billing and repricing companies, etc.
    - Health care providers: doctors, dentists, hospitals, etc.
  • 22. How Does One Comply?
    Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.
  • 23. Administrative Safeguards
    To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
    - Conduct a Risk Analysis.
    - Implement Risk Management Actions.
    - Develop a Sanction Policy to deal with violators.
    - Conduct an Information System Activity Review.
  • 24. Physical Safeguards
    The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.
  • 25. Technical Safeguards
    Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it.
    The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.
  • 26. Key Elements of Compliance
    1. Obtain and Maintain Senior Management Support
    2. Develop and Implement Security Policies
    3. Conduct and Maintain Inventory of EPHI
    4. Be Aware of Political and Cultural Issues Raised by HIPAA
    5. Conduct Regular and Detailed Risk Analysis
    6. Determine What is Appropriate and Reasonable
    7. Documentation
    8. Prepare for ongoing compliance
  • 27. Penalties
    Civil penalties are $100 per violation, up to $25,000 per year for each violation.
    Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
    Additional negatives:
    - Negative publicity
    - Loss of customers
    - Loss of business partners
    - Legal liability
  • 28. Conclusion
    Compliance will require Covered Entities to:
    - Identify the risks to their EPHI
    - Implement security best practices
    Complying with the Security Rule can require significant time and resources.
    Compliance efforts should be currently underway.
  • 29. Contacts
    NC State University
    - Leo Howell, CISSP CEH CCSP CBRM, Information Security Analyst, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, leo_howell@ncsu.edu, (919) 513-1169
    - John Baines, CISSP, Assistant Director, IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support, john_baines@ncsu.edu
    East Carolina University
    - Sharon McLawhorn McNeil, IT-Security Analyst, McLawhorns@ecu.edu, 252-328-9112