HIPAA, Privacy, Security, and Good Business
HIPAA's implications for privacy and security practices in American businesses, addressed in March of 2001 at the Employers' Summit on Health Care, by Stephen Cobb, CISSP. Uploaded in 2014 for the historical record.
1. HIPAA, Privacy, Security, & Good Business
   Stephen Cobb, CISSP, Dir. Research & Education, Rainbow Technologies, Spectria Division
   Employers' Summit on Health Care, March 21 - 22, 2001 (slide 1 of 18)

2. HIPAA, Privacy, Security, & Business
   • HIPAA is about privacy, but not just privacy.
   • HIPAA is also about systems and security.
   • Privacy is not the same as security, but
   • Without security, you can’t deliver privacy.
   • HIPAA is not the only privacy legislation.
   • HIPAA is not the only security legislation.
   • Privacy is not the only reason for security.
   • Businesses that “get” privacy and security today will do better than those that don’t.

3. HIPAA is about privacy
   • 164.502 Uses and disclosures of protected health information: general rules.
     – (a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
   • 164.530 Administrative requirements.
     – (c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

4. HIPAA is not just about privacy
   • Paraphrase: “appropriate safeguards to protect the privacy of health information.”
   • That is, to ensure privacy you need security.
   • But HIPAA 160 is not specific about security:
     – Implementation specification: safeguards.
     – A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

5. HIPAA may become more specific
   • HIPAA 142 describes “a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure.”
   • “we are designating a new, comprehensive standard...which defines the security requirements to be fulfilled to preserve health information confidentiality and privacy as defined in the law.”
     – 45 CFR Part 142, Security & Electronic Signature Standards, Federal Register, Vol. 63, No. 155, 8/12/98

6. If 142 follows 160, then HIPAA will:
   • require each health care entity engaged in electronic maintenance or transmission of health information
   • to assess potential risks and vulnerabilities to the individual health data in its possession in electronic form,
   • and develop, implement, and maintain appropriate security measures.
   • 142 stresses that these measures must be documented and kept current.

7. We can call this the writing on the wall.
   • We are looking at a Federally mandated standard for security practices within companies involved in healthcare or handling health-related information.
   • Note that these are considered:
     – practices necessary to conduct business electronically in the health care industry today.
   • In other words, normal business costs,
     – things you should be doing today, possibly pre-empting arguments over the cost of such standards.

8. Security practices in the proposed standard are divided into two categories
   • Organizational Practices
     – Security and confidentiality policies
     – Information security officers
     – Education and training programs, and
     – Sanctions
   • Technical Practices and Procedures
     – Individual authentication of users
     – Access controls
     – Audit trails
     – Physical security
     – Disaster recovery
     – Protection of remote access points
     – Protection of external electronic communications
     – Software discipline, and
     – System assessment.
   Use these as a checklist for comparison with your current security practices.

9. We can see that HIPAA is also about systems & security
   • As we get to grips with 164.530(c)(1)
     – “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”
   • We have to anticipate what 142 will consider appropriate, and plan accordingly.

10. But privacy is not the same as security
   • Privacy is a value, and, to differing degrees, in different cultures, a right.
   • Security is a discipline, a methodology and a technology.
   • Security is neutral – it can serve privacy or hinder it.
     – e.g. security technology such as biometrics, which can prevent unauthorized persons from accessing data, can also be used to track people without their consent, often considered an invasion of privacy.

11. But without security, you can’t deliver privacy
   • You need to make sure the vital ingredients of security are in place:
     – Policies, procedures, classification, officers, training, awareness, sanctions.
     – Strong, granular authentication, access controls, intrusion detection.
     – Software methodology, discipline, testing, penetration testing.

12. HIPAA not the only privacy legislation
   • Right to Financial Privacy Act
   • Children's Online Privacy Protection Act
   • Bank Secrecy Act
   • Fair Credit Reporting Act
   • Identity Theft and Assumption Deterrence Act of 1998
   • Fair Debt Collection Practices Act
   • Financial Institution Data Match
   • Title V, Gramm-Leach-Bliley Act

13. G-L-B affects a wide range of companies
   • Joint Final Rule of OCC, FRB, FDIC, OTS: Privacy of Consumer Financial Information.
   • Requires a financial institution to provide notice to customers about its privacy policies and practices;
   • Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
   • Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure.

14. HIPAA not the only security legislation
   • require that each bank implement a comprehensive written information security program that includes administrative, technical and physical safeguards for customer records and information appropriate to the size and complexity of the bank and the nature and scope of its activities;
   • require the bank's board of directors, or an appropriate committee of the board, to approve and oversee the development, implementation and maintenance of the bank's information security program; and
   • require banks to exercise appropriate due diligence in selecting and monitoring service providers, and that service providers implement appropriate security measures to meet the objectives of the guidelines.

15. Privacy not the only reason for security
   • If you do security right, you also get protection from:
     – Malicious hackers, disgruntled employees.
     – Malicious code, viruses, Trojan Horses.
     – Industrial and government espionage.
     – Stupid user errors and omissions.
     – Allegations of negligence and shareholder lawsuits if something does go wrong.

16. Businesses that “get” privacy & security today will do better than those that don’t
   • Privacy is about respect for individuals, many of whom are your customers.
   • Security is about the quality of your company in the age of information.
   • Tomorrow’s top companies will be those that figure out today how to respect privacy and protect information systems while efficiently marketing and delivering goods and services.

17. And this is not just my opinion
   • Companies must take a whole-view approach to privacy
     – To survive mounting consumer anxiety and the growing labyrinth of US and foreign regulation, firms need to institutionalize their commitment to protecting and managing their customers’ privacy by taking a comprehensive, whole-view approach to privacy.
     – Anyone today who thinks the privacy issue has peaked is greatly mistaken. As with environmentalism [in the 60s] we are in the early stages of a sweeping change in attitudes that will fuel years of political battles and put once-routine business practices under the microscope.
   • Forrester Report, February 2001

18. Thank You!
   Stephen Cobb