0
Roadmap to IT Security Best Practices Justin Copeland President, Triggerfish Corporation
Outline <ul><li>Why is it important?  </li></ul><ul><li>How to start… </li></ul><ul><li>Best practices </li></ul><ul><li>I...
Objective of IT Security <ul><li>The ideal system will protect unauthorized use of information systems for one second long...
Why is it important?  <ul><li>In a post HIPAA era, IT security is increasingly requiring us to operationalize many of the ...
IT Security – How to start… <ul><li>Identify the protection needed </li></ul><ul><li>Select the methods to protect </li></...
Step 1 <ul><li>What to protect? </li></ul><ul><ul><li>Electronic Protected Health Information (EPHI) </li></ul></ul><ul><u...
Step 2 <ul><li>Identify most cost-effective methods to protect critical assets. </li></ul><ul><ul><li>Role-based security ...
Step 3 <ul><li>Pre-plan your response to an attack </li></ul><ul><ul><li>Identification of security breach scenarios </li>...
Best Practices <ul><li>Strong Authentication of users </li></ul><ul><li>Enterprise-wide authentication </li></ul><ul><li>U...
Best Practices…People Security <ul><li>Background checks </li></ul><ul><li>Auditing of system access </li></ul><ul><li>Ens...
Best Practices…Social Engineering <ul><li>Use of non-technical means to get information that allows unauthorized access. <...
Best Practices…Policies <ul><li>User Passwords </li></ul><ul><li>Physical Security </li></ul><ul><li>Intrusion Detection <...
Best Practices…Process Security <ul><li>Integrate security into disaster recovery plan </li></ul><ul><li>Regulatory requir...
<ul><ul><li>Info you can use… Security Guidance for Remote Users </li></ul></ul><ul><ul><li>http://www.hhs.gov/ocr/privacy...
Security Guidance for Remote Users <ul><ul><li>CMS has offered additional guidance related to safeguarding the confidentia...
Security Guidance for Remote Users <ul><li>This guidance focuses on: </li></ul><ul><ul><li>The use of portable media/devic...
Security Guidance for Remote Users <ul><li>Risk Analysis </li></ul><ul><li>Three groupings of risk: </li></ul><ul><ul><li>...
Security Guidance for Remote Users <ul><li>Risk Analysis </li></ul><ul><li>Policies require training </li></ul><ul><li>Add...
Security Guidance for Remote Users <ul><li>Access  Risk Mitigation Strategies </li></ul><ul><li>Implement two-factor authe...
Security Guidance for Remote Users <ul><li>Access  Risk Mitigation Strategies </li></ul><ul><li>Install personal firewall ...
Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Implement process for main...
Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Password protect files and...
Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Develop processes to rollo...
Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Establish EPHI deletion an...
Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Prohibit transmission...
Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Use more secure conne...
Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Implement and mandate...
Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Install virus-protect...
<ul><ul><li>Info you can use… System Log File Management </li></ul></ul><ul><li>http://csrc.nist.gov/publications/nistpubs...
System Log Management <ul><li>Establish policies and procedures for log management </li></ul><ul><li>Prioritize Log Manage...
System Log Management <ul><li>Create and maintain a log management infrastructure </li></ul><ul><li>Provide proper support...
<ul><ul><li>Info you can use… Stage One Criteria for Meaningful Use </li></ul></ul><ul><ul><li>Core Measure </li></ul></ul...
Meaningful Use <ul><li>While this is really nothing new, this initiative requires participants to further demonstrate comp...
Meaningful Use <ul><li>Conduct or review a security risk analysis </li></ul><ul><li>Implement security updates as necessar...
Sample Roadmap
Resources <ul><li>NIST </li></ul><ul><ul><li>http://csrc.nist.gov </li></ul></ul><ul><li>HIMSS Privacy & Security Toolkit ...
<ul><ul><li>This PowerPoint was presented at the 2011 SuccessEHS Customer Conference.  </li></ul></ul><ul><ul><li>www.succ...
Upcoming SlideShare
Loading in...5
×

Roadmap to IT Security Best Practices

2,684

Published on

One of the core Meaningful use measures requires providers to perform a security audit to ensure the protection of patient information. Learn more about what a security audit should entail, as well as potential risks and how configuration options within the SuccessEHS solution can be used to protect patient data.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,684
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
135
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Roadmap to IT Security Best Practices"

  1. 1. Roadmap to IT Security Best Practices Justin Copeland President, Triggerfish Corporation
  2. 2. Outline <ul><li>Why is it important? </li></ul><ul><li>How to start… </li></ul><ul><li>Best practices </li></ul><ul><li>Information you can use… </li></ul><ul><ul><li>Remote Users – CMS Guidance </li></ul></ul><ul><ul><li>Meaningful Use – Security Risk Analysis </li></ul></ul><ul><ul><li>Systems Log Management </li></ul></ul><ul><ul><li>IT Security Roadmap </li></ul></ul>
  3. 3. Objective of IT Security <ul><li>The ideal system will protect unauthorized use of information systems for one second longer than the maximum limits of frustration and tenacity of the worst hacker or until the information is no longer of value. </li></ul>
  4. 4. Why is it important? <ul><li>In a post HIPAA era, IT security is increasingly requiring us to operationalize many of the practices that have been contained in “policy” for several years. </li></ul><ul><li>The risk of disclosure is quite real and the cost non-compliance is ever increasing. </li></ul><ul><li>If it hasn’t already…IT Security will likely start showing up in your operating budget! </li></ul>
  5. 5. IT Security – How to start… <ul><li>Identify the protection needed </li></ul><ul><li>Select the methods to protect </li></ul><ul><li>Plan for detection recovery and response </li></ul>
  6. 6. Step 1 <ul><li>What to protect? </li></ul><ul><ul><li>Electronic Protected Health Information (EPHI) </li></ul></ul><ul><ul><li>Billing systems </li></ul></ul><ul><ul><li>Proprietary business information </li></ul></ul>
  7. 7. Step 2 <ul><li>Identify most cost-effective methods to protect critical assets. </li></ul><ul><ul><li>Role-based security </li></ul></ul><ul><ul><li>Policies & operational procedures </li></ul></ul><ul><ul><li>Intrusion Detection and Response </li></ul></ul><ul><ul><li>Auditing </li></ul></ul>
  8. 8. Step 3 <ul><li>Pre-plan your response to an attack </li></ul><ul><ul><li>Identification of security breach scenarios </li></ul></ul><ul><ul><li>Response procedures after an attack </li></ul></ul><ul><ul><li>Incident reporting and corrective actions </li></ul></ul>
  9. 9. Best Practices <ul><li>Strong Authentication of users </li></ul><ul><li>Enterprise-wide authentication </li></ul><ul><li>User access validation </li></ul><ul><li>Expanded audit trails </li></ul>
  10. 10. Best Practices…People Security <ul><li>Background checks </li></ul><ul><li>Auditing of system access </li></ul><ul><li>Ensure credentials of system administrators are retrievable in the event of a separation </li></ul><ul><li>Training </li></ul>
  11. 11. Best Practices…Social Engineering <ul><li>Use of non-technical means to get information that allows unauthorized access. </li></ul><ul><ul><li>Forbid exchange of passwords among employees for any reason </li></ul></ul><ul><ul><li>Train staff to deal with social techniques used to gain unauthorized access to PHI </li></ul></ul>
  12. 12. Best Practices…Policies <ul><li>User Passwords </li></ul><ul><li>Physical Security </li></ul><ul><li>Intrusion Detection </li></ul><ul><li>Disaster Recovery testing </li></ul>
  13. 13. Best Practices…Process Security <ul><li>Integrate security into disaster recovery plan </li></ul><ul><li>Regulatory requirements </li></ul><ul><li>Accidental disclosures, deletions or alterations </li></ul><ul><li>Threat Analysis </li></ul><ul><li>Security Checklists </li></ul><ul><li>Change control processes </li></ul>
  14. 14. <ul><ul><li>Info you can use… Security Guidance for Remote Users </li></ul></ul><ul><ul><li>http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf </li></ul></ul>
  15. 15. Security Guidance for Remote Users <ul><ul><li>CMS has offered additional guidance related to safeguarding the confidentiality, integrity and availability of EPHI under the HIPAA Security Rule . </li></ul></ul>
  16. 16. Security Guidance for Remote Users <ul><li>This guidance focuses on: </li></ul><ul><ul><li>The use of portable media/devices (such as USB flash drives) that store EPHI </li></ul></ul><ul><ul><li>Offsite access or transport of EPHI via laptops, PDA’s, home computers or other non corporate equipment </li></ul></ul>
  17. 17. Security Guidance for Remote Users <ul><li>Risk Analysis </li></ul><ul><li>Three groupings of risk: </li></ul><ul><ul><li>Access </li></ul></ul><ul><ul><li>Storage </li></ul></ul><ul><ul><li>Transmission </li></ul></ul>
  18. 18. Security Guidance for Remote Users <ul><li>Risk Analysis </li></ul><ul><li>Policies require training </li></ul><ul><li>Addressing security incidents and noncompliance </li></ul><ul><li>Discuss possible Risk Management Strategies </li></ul>
  19. 19. Security Guidance for Remote Users <ul><li>Access Risk Mitigation Strategies </li></ul><ul><li>Implement two-factor authentication </li></ul><ul><li>Implement specific processes for authorizing remote users </li></ul><ul><li>Establish procedures for session termination on inactive devices </li></ul>
  20. 20. Security Guidance for Remote Users <ul><li>Access Risk Mitigation Strategies </li></ul><ul><li>Install personal firewall software on all devices that store EPHI </li></ul><ul><li>Install, use and update virus-protection software on all devices that access EPHI </li></ul>
  21. 21. Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Implement process for maintaining inventory and record of movement of devices containing EPHI </li></ul><ul><li>Require lock-down of unattended laptops </li></ul>
  22. 22. Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Password protect files and devices containing EPHI </li></ul><ul><li>Require that portable devices containing EPHI employ encryption </li></ul>
  23. 23. Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Develop processes to rollout security updates to portable devices </li></ul><ul><li>Consider the use of biometrics on portable devices </li></ul>
  24. 24. Security Guidance for Remote Users <ul><li>Storing Risk Mitigation Strategies </li></ul><ul><li>Establish EPHI deletion and media disposal policies </li></ul><ul><li>Install virus-protection on devices that store EPHI </li></ul>
  25. 25. Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Prohibit transmission of EPHI via open network </li></ul><ul><li>Prohibit use of offsite devices or WAP for non-secure access to email </li></ul>
  26. 26. Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Use more secure connections for email via SSL and the use of message-level standards such as S/MIME, SET, PEC, PGP, etc. </li></ul>
  27. 27. Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Implement and mandate strong encryption solutions for transmission of EPHI (e.g. SSL, HTTPS, etc.) </li></ul>
  28. 28. Security Guidance for Remote Users <ul><li>Transmitting Risk Mitigation Strategies </li></ul><ul><li>Install virus-protection software on portable devices that can be used to transmit EPHI </li></ul>
  29. 29. <ul><ul><li>Info you can use… System Log File Management </li></ul></ul><ul><li>http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf </li></ul>
  30. 30. System Log Management <ul><li>Establish policies and procedures for log management </li></ul><ul><li>Prioritize Log Management appropriately throughout the organization </li></ul>
  31. 31. System Log Management <ul><li>Create and maintain a log management infrastructure </li></ul><ul><li>Provide proper support for all staff with log management responsibilities </li></ul>
  32. 32. <ul><ul><li>Info you can use… Stage One Criteria for Meaningful Use </li></ul></ul><ul><ul><li>Core Measure </li></ul></ul><ul><li>“ Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.” </li></ul>
  33. 33. Meaningful Use <ul><li>While this is really nothing new, this initiative requires participants to further demonstrate compliance to 45 CRF 164.308 (a)(1) of the Final Rule (HIPAA Security) </li></ul>
  34. 34. Meaningful Use <ul><li>Conduct or review a security risk analysis </li></ul><ul><li>Implement security updates as necessary and correct identified security deficiencies as part of its risk management process </li></ul><ul><li>This is not a “check the box” type of activity </li></ul><ul><li>http :// www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf </li></ul>
  35. 35. Sample Roadmap
  36. 36. Resources <ul><li>NIST </li></ul><ul><ul><li>http://csrc.nist.gov </li></ul></ul><ul><li>HIMSS Privacy & Security Toolkit </li></ul><ul><ul><li>http://www.himss.org </li></ul></ul>
  37. 37. <ul><ul><li>This PowerPoint was presented at the 2011 SuccessEHS Customer Conference. </li></ul></ul><ul><ul><li>www.successehs.com </li></ul></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×