
Meaningful Use and Security Risk Analysis


Presentation delivered by FRSecure president Evan Francen to the 100+ Iowa CPSI User Group attendees on October 18th, 2011.

Meaningful Use Core Requirement "Security Risk Analysis"


  1. Meaningful Use and Security Risk Analysis
     Iowa CPSI User Group – October 18th, 2011
     Presented by Evan Francen, President – FRSecure, LLC
  2. Introduction
     Speaker – Evan Francen, CISSP, CISM, CCSK
     • President & Co-founder of FRSecure
     • 20 years of information security experience
     • Security evangelist with more than 700 published articles
     • Experience with 150+ public & private organizations
  3. Introduction – Topics
     • Healthcare Regulation
     • Meaningful Use Requirements
     • Measure 14 of 14 – Protect Health Information
     • “Conduct or review a security risk analysis”
       – Fundamental Concepts
       – Security Risk Analysis Best Practices
       – Security Risk Analysis Common Mistakes
  4. Healthcare Regulation
     In general: health care regulation has gotten more officious and granular. With respect to security and privacy, HIPAA has always been aimed at protecting sensitive health information. HIPAA has been ineffective in this regard due to lack of focus and confusion.
     “Navigating the Meaningful Use and Standards and Certification Criteria Final Rules can sometimes be a challenge.” – Source: U.S. Department of Health & Human Services (
  5. Meaningful Use Requirements
     Meaningful use of health information technology is an umbrella term for rules and regulations that hospitals and physicians must meet to qualify for federal incentive funding under the American Recovery and Reinvestment Act of 2009 (ARRA). But you already knew this…
     Eligible Hospital and CAH Meaningful Use – (14) Core and (10) Menu Set Objectives
  6. Measure 14 of 14 – Protect Electronic Health Information
     Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
     Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
     Measure 14 of 14 is NOT A NEW REQUIREMENT! The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003, with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans".
  7. Measure 14 of 14 – Protect Electronic Health Information
     45 CFR Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule requires that the organization “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information [ePHI] held by the covered entity.”
     45 CFR Section 164.308(a)(1)(ii)(B) requires an organization to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with CFR 45 164.306(a)”, which is the General Requirements of the Security Rule.
  8. “Conduct or review a security risk analysis” – Fundamental Concepts
     What is “security”? (question for you)
  9. “Conduct or review a security risk analysis” – Fundamental Concepts
     Information Security is: the application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
     Controls:
     • Administrative – Policies, procedures, processes
     • Physical – Locks, cameras, alarm systems
     • Technical – Firewalls, anti-virus software, permissions
     Protect:
     • Confidentiality – Disclosure to authorized entities
     • Integrity – Accuracy and completeness
     • Availability – Accessible when required and authorized
  10. “Conduct or review a security risk analysis” – Fundamental Concepts
     What is “risk”?
  11. “Conduct or review a security risk analysis” – Fundamental Concepts
     Risk is a function of two criteria:
     1. The likelihood of a threat exploiting a vulnerability, and
     2. The resulting impact it would have on the organization.
     Threat – These are things that can go wrong or that can attack the system. Examples might include fire or fraud. Threats are ever present for every system.
     Vulnerability – A weakness in a system or gap in a control.
     Risk = Likelihood x Impact
  12. “Conduct or review a security risk analysis” – Fundamental Concepts
     A “security risk analysis” is the process of identifying, prioritizing, and estimating information security risks.
     Risks (likelihood & impact) of unauthorized:
     • Disclosure
     • Alteration (or modification), and/or
     • Destruction
     of information under the custodial care of an organization.
  13. “Conduct or review a security risk analysis” – Fundamental Concepts
     Types of risk analysis:
     Quantitative Risk Analysis
     • Uses hard metrics, such as dollars
     • Objective
     • Difficult
     • Costly
     Qualitative Risk Analysis
     • Uses best estimates based on experience
     • Subjective
     • Less difficult
     • Less expensive
     Gap Analysis
  14. “Conduct or review a security risk analysis” – Best Practices
     “The Security Rule does not prescribe a specific risk analysis methodology” – .pdf
     A “methodology” is nothing more than a way of doing something.
  15. “Conduct or review a security risk analysis” – Best Practices
     For organizations with an informal risk management program, an ideal approach may be a qualitative gap risk analysis.
     Qualitative – Subjective, best-effort criteria and metrics assigned based upon experience and knowledge.
     Gap – Assess the risks inherent in gaps with a chosen information security framework.
  16. “Conduct or review a security risk analysis” – Qualitative Gap Risk Analysis
     1. Choose a well-known information security framework:
     • ISO 27002 (17799:2005)
     • NIST
     • COBIT
     The information security framework is a reference to/from which you will manage your information security efforts.
  17. “Conduct or review a security risk analysis” – Qualitative Gap Risk Analysis
     2. Compare your existing information security controls against the information security framework you have chosen.
     Example: Control 5.1.2 in the ISO 27002 standard states: “The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.”
     Question: Does your organization review information security policy at planned intervals?
  18. “Conduct or review a security risk analysis” – Qualitative Gap Risk Analysis
     3. Where there are gaps, assign best-effort metrics, based on experience (qualitative).
     Example: In the previous example, let’s assume that the answer is “Yes”, but the requirement to review information security policies has not been documented.
     Metrics:
     Likelihood that the lack of documentation will lead to a compromise, on a scale of 1–5 (5 being most likely) – 2
     Impact that a potential compromise would have on the organization, on a scale of 1–5 (5 being most impactful/catastrophic) – 2
  19. “Conduct or review a security risk analysis” – Qualitative Gap Risk Analysis
     4. Assign a risk “rating” based upon the metrics (use a risk matrix).
  20. “Conduct or review a security risk analysis” – Qualitative Gap Risk Analysis
     5. Define and document risk decision criteria.
     When confronted with a risk, you have four choices:
     • Risk Avoidance
     • Risk Acceptance
     • Risk Transference
     • Risk Mitigation
     What are the criteria for risk decision making?
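The five steps of the qualitative gap risk analysis carried through in code, as an added example that is not part of the presentation: each gap found against the chosen framework is scored with Risk = Likelihood x Impact on the 1–5 scales from slide 18, the score is read off an assumed risk matrix, and an assumed decision rule picks one of the four choices from slide 20. The rating bands, the decision rule, and every sample finding except the slide 18 policy-review gap are constructed for illustration.

```python
"""Qualitative gap risk register (added example, not code from the presentation).
Likelihood and impact use the 1-5 scales from slide 18; Risk = Likelihood x Impact
(slide 11). The rating bands and the decision rule are assumptions for illustration."""
from dataclasses import dataclass

@dataclass
class GapFinding:
    control_ref: str   # clause in the chosen framework (step 1) the gap is measured against
    gap: str           # what the comparison in step 2 turned up
    likelihood: int    # 1 (least likely) .. 5 (most likely)
    impact: int        # 1 (negligible) .. 5 (most impactful/catastrophic)

def risk_score(likelihood: int, impact: int) -> int:
    """Step 3 metrics combined as Risk = Likelihood x Impact (range 1-25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def risk_rating(score: int) -> str:
    """Step 4: read the rating off a 5x5 risk matrix (assumed bands)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

# Step 5: documented decision criteria (assumed). Slide 20 lists four choices
# (Avoidance, Acceptance, Transference, Mitigation); this rule uses two of them.
DECISION_CRITERIA = {"High": "Mitigate", "Medium": "Mitigate", "Low": "Accept"}

def analyze(findings):
    """Score, rate and decide each gap, then prioritize highest risk first (slide 12)."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rating = risk_rating(score)
        rows.append((f.control_ref, f.gap, score, rating, DECISION_CRITERIA[rating]))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample register. The first entry is the slide 18 example (2 x 2 = 4);
# the other two are made-up gaps taken from the "often overlooked" list on slide 23.
SAMPLE_FINDINGS = [
    GapFinding("ISO 27002 5.1.2", "Policy review interval is not documented", 2, 2),
    GapFinding("framework ref TBD", "No regular internal/external vulnerability scans", 4, 4),
    GapFinding("framework ref TBD", "Vendor risk management is informal", 3, 3),
]
```

Calling `analyze(SAMPLE_FINDINGS)` returns the register sorted highest risk first, with the slide 18 gap landing at 4 (Low, Accept) under the assumed bands.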
  21. Keep in mind…
     A risk analysis is an integral part of an organization’s overall risk management program.
     Some “security risk analysis” best practices:
     • The risk analysis methodology should be documented.
     • The risk analysis methodology should be repeatable.
     • The risk analysis methodology should be auditable.
     • Internal risk analyses should be conducted no less than annually.
     • Independent risk analyses should be conducted periodically.
  22. Common Mistakes
     When conducting a security risk analysis:
     • Scope is too narrow
     • Too technically focused – People are the most significant risk
     • Convenience shouldn’t always trump security
     • Lack of documentation
     • Assessment is only done once
     • Lack of management buy-in or involvement
  23. Common Mistakes
     Common risks that are often overlooked:
     • Physical risks
     • Policies are hard to understand and follow
     • Vendor risk management
     • Inventory of assets is incomplete or informal
     • Internal and external vulnerability scans are not regularly conducted
     • Incident management
     • Disaster recovery planning
     • Poor training and awareness
  24. About RK Dixon & FRSecure
     RK Dixon is a market leader when it comes to copiers, printers, networks, and pure drinking water systems. Our products and services allow customers to streamline operations while reducing costs at the same time. We serve thousands of companies, organizations, and government entities in Iowa, Illinois, and Wisconsin. Visit us online at
     FRSecure, LLC is a full-service information security consulting company, dedicated to information security education, awareness, application, and improvement. FRSecure helps our clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent. Visit us online at
     RK Dixon and FRSecure have partnered to offer services throughout Iowa, Illinois, and Wisconsin.
  25. Questions?
     You made it! If you would like a copy of this presentation, please be sure to give me your business card.