Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor

•

0 likes•589 views

HIPAA’s Safe Harbor provision is well-known: If PHI is encrypted so that it's unusable, unreadable, or indecipherable to unauthorized individuals, breach notifications aren’t required. However, the U.S. government considers that encryption not validated by NIST to FIPS 140-2 standards is the equal of plaintext. In other words, healthcare providers are rarely in full compliance with the federal benchmark. While governing bodies have been overlooking this incongruity, it is inevitable that the FIPS 140-2 cryptographic standard will be imposed on healthcare providers in the near future. This presentation will prepare attendees for this major hurdle.

Technology

Unsafe Harbor 
Will Your Encryption Weather the Storm?
Ray Potter
CEO, SafeLogic

Safe Harbor
• Eliminates the requirement to notify
affected parties and the federal
government of an ePHI data breach
• ePHI data must be in a format that is
unusable, unreadable, or indecipherable
to unauthorized individuals
2

HIPAA
• Establishes the national set of standards
for the handling of ePHI in electronic form
• Security Standards for the Protection of
ePHI
• Privacy expectations for covered entities
3

HIPAA Security Rule
• General Rules
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Requirements
• Policies / Procedures and Documentation
Requirements
4

NIST SP 800-66
• Introductory resource guide for Implementing
the HIPAA Security Rule
• Voluntary guideline and best practices for
implementation of HIPAA security rule
• State / local government
• Private industry
• Links NIST Risk Management Framework to HIPAA
Security Rule 5

What's at Risk?
• Personal health info
• Device compromise
• Health
• Life
• How does HIPAA / Safe Harbor help?
7

Access Control
• Access Enforcement
• The organization encrypts or stores off-
line in a secure location
• Media Access
• The system uses cryptographic
mechanisms to protect and restrict
access to information on portable digital
media 8

Identification & Authentication
• Device Identification and Authentication
• Authenticates devices before
establishing remote, wireless network,
and network connections using
bidirectional authentication between
devices that is cryptographically based
9

• Cryptographic Module Authentication
• Implement role-based or identity-based
• Use of Cryptography
• System should use FIPS 140-2 validated
modules
Encryption
10

Data at Rest / Transmission
• Media Storage
• Media Transport
• Transmission Integrity
• Transmission Confidentiality
• Maintain confidentiality and integrity
11

FIPS
140
• Federal
Information
Processing
Standard
140

• Specifies
requirements
for
cryptographic

hardware
and
software
modules

• Published
by
US
(NIST)
and
Canadian

Governments

• Offers
4
levels
of
validation
12

Sections of Requirements
• Module Description
• Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• EMI/EMC
• Self Tests
• Design Assurance
• Mitigation of Attacks 13

Value
• Standardized algorithms
• Algorithm testing
• Documented processes
• Documented code
14

Why Compliance?
• Vendors need to be able to sell products
to the regulated industries
• Vendors need to remain competitive
• End users need security assurance
15

Let’s Connect
• @SafeLogic

• @SafeLogic_Ray

• www.safelogic.com
16

What's hot

Need for cybersecurity

Sri Manakula Vinayagar Engineering College

HxRefactored - TrueVault - Jason Wang - API Pitch

HxRefactored

Security Issues in Internet of Things

Lohith Haravu Chandrashekar

HIPAA

Druce MacFarlane

PCI stands for “Payment Card Industry”. which is comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data. To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives but this is the main one that applies to the majority of businesses. The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit card holder data. The requirement for PCI DSS compliance is stated in your agreement with the bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SCC and can issues fines for non-compliance.

Pcishrinktofitpresentation 151125162550-lva1-app6891

Risk Crew

Circuit security

Paperjam_redaction

Deral Heiland CISSP, serves as a the Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on a numerous technical subjects, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.

IoT Security – Executing an Effective Security Testing Process

EC-Council

Presciense InterQuest IoT Talk

Jonathan Lishawa

Attack and Defence in Mobile Apps

David Johansson

eHealth ….. How to trust a cloud?

Mario Drobics

Products throughout air conditioning, heating and refrigeration industry are preparing for the new connected home and commercial space with real time monitoring, remote diagnostics, predictive maintenance, adaptive performance and increased efficiency. Ciqada offers a turnkey IoT solution for product developers and engineers while Mars International provides both electrical and mechanical engineering expertise to help bring new products to market as well as retrofit existing products.

IoT Integration in the Air conditioning, Heating and Refrigeration industry ...

Art Garcia

IoT/M2M Security

Yu-Hsin Hung

During our journey towards Serverless Architecture, we’ve found how security in serverless applications is different from the traditional cloud. Serverless can be a dangerous place unless you prepare yourself with the best practices. There are bullies out there who desperately wants to break into your system. DDoS attackers, ransomware distributors and all kinds of cyber creeps preying on our databases and poorly configured serverless functions. Here is the Serverless Security Checklist to ensure serverless security.

Serverless Security Checklist

Simform

Anypoint enterprise security

Krishna_in

01 presentation-kenwillen

InfinIT - Innovationsnetværket for it

Cyber intelligence-services

Cyber 51 LLC

Smart Business using IoT

Mithileysh Sathiyanarayanan

"Security and Sanity in the HIPAA-Compliant Workplace" - Alex Connor, Lead Architect at Crimson Care Management at Advisory Board Co. How are Cloud, the Internet of Things, and mobile devices disrupting healthcare IT? Are these tools or security threats? What do doctors, administrators, researchers, nurses, and patients think of technology? Join us on Sept 3rd to discuss the future of healthcare and technology.

CloudCamp Chicago lightning talk: "Security and Sanity in the HIPAA-Compliant...

CloudCamp Chicago

Cyber Security Overview for Small Businesses

Charles Cline

Cloud computing 10 cloud security advantages and challenges

Vaibhav Khanna

What's hot (20)

Need for cybersecurity

HxRefactored - TrueVault - Jason Wang - API Pitch

Security Issues in Internet of Things

HIPAA

Pcishrinktofitpresentation 151125162550-lva1-app6891

Circuit security

IoT Security – Executing an Effective Security Testing Process

Presciense InterQuest IoT Talk

Attack and Defence in Mobile Apps

eHealth ….. How to trust a cloud?

IoT Integration in the Air conditioning, Heating and Refrigeration industry ...

IoT/M2M Security

Serverless Security Checklist

Anypoint enterprise security

01 presentation-kenwillen

Cyber intelligence-services

Smart Business using IoT

CloudCamp Chicago lightning talk: "Security and Sanity in the HIPAA-Compliant...

Cyber Security Overview for Small Businesses

Cloud computing 10 cloud security advantages and challenges

Viewers also liked

Hidden in Plain Sight: DUAL_EC_DRBG 'n stuff

WhiskeyNeon

Skeleton key malware detection owasp

Tal Be'ery

LSA2 - 02 chrooting

Marian Marinov

Identity is one of the cornerstones of application security. On windows domains, identity is managed through Active Directory (AD) Domain service on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC. Earlier this year, Dell Secureworks had shared a report on an advanced attack campaign utilizing a dedicated DC malware, named “Skeleton Key” Malware. The Skeleton Key malware modifies the DC behavior to accept authentications specifying a secret ”Skeleton key” (i.e. “master key”) password, thus enabling the attackers to login from any computer as any domain user without installing any additional malware while keeping the original users’ authentication behavior. On this talk, we will explore the unique interaction between such malware functionality and the Kerberos authentication protocol; We will put a special emphasis on its manifestation over the network traffic. We will also share a script that implements the remotes detection of the skeleton key malware functionality. The talk was given on TCE2015 summer school, Technion, Israel

One Key to Rule Them All: Detecting the Skeleton Key Malware

Tal Be'ery

Public-Key Identification Schemes Based on Multivariate Polynomials

Cassius Puodzius

Healthcare IT thought leadership and practice managers continually seek ways to foster a culture of alertness when it comes to HIPAA compliance. They have the dual challenge of staying on the right side of federal regulators and stopping would-be hackers. This is especially true given the potential impact a data breach can have on their organization’s reputation and bottom line. By reflecting on 2015, it becomes clear that covered entities and business associates alike will continue to prepare to mitigate the threat of cyber-attacks and the planned ramp up of OCR Phase 2 Audits. HIPAA compliance Tune-up for 2016 is the topic of this webinar – which will be focused on mitigation strategies Covered Entities and BA’s alike can take to minimize the risk of data breach or actions prompting an OCR Audit.

HIPAA compliance tuneup 2016

Compliancy Group

EuroBSDCon 2014 Program Front

eurobsdcon

In the fall of 2013, NIST reopened the public comment period for Special Publication 800-90A and released a supplemental ITL Security Bulletin, inciting a flurry of concern and activity about random number generation and entropy. The initial enforcement of these new and confusing entropy standards brought CMVP progress to a crawl while labs and vendor engineers scrambled to find answers. Potter will review an R&D effort to solve the entropy conundrum and keep open a fast track to validation. This research effort was launched as the CMVP issued a moratorium on entropy testing in a good faith move designed to keep the queue moving. This presentation will detail the results of this research effort for the first time in public.

Solving 800-90 Entropy Requirements in Software

Ray Potter

Signature from One-way Functions

Cassius Puodzius

Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow. Particular focus will be given to the different steps required to fully compromise both central management servers and managed stations. Who does not want to transform a major managed AV into his private botnet within minutes? Jerome Nokin works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.

StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet

StHack

ATA e-Business FORUM 2014, Presentation Proposal, San Antonio, Texas, Bruno Chatel, Chadocs From the version 2013.1, the ATA Spec 2300 can be considered as ready for implementation. This presentation details the implementation perspectives of the specification in the whole process of Flight Operations data management, from the OEM data producer to the operators’ needs and uses (customization and final pilot uses). It highlights the different possible scenarios to implement the specification, with the triggers, functional areas and the possible approaches, taking into account existing systems and constraints. After a very short review of the status of ATA Spec 2300 (functional perimeter: Flight Operations data exchange, version 2013.1 all flight crew manuals, ready to implement), the presentation describes the global functional process of Flight Operations data management and identifies where ATA Spec 2300 is designed to be used. It also highlights the expected value-added in the process. OEMs are data producers, providing data to operators who need to customize and publish the flight ops manuals to final users (including on-board/on-ground e-viewer applications).. Based on this global view, several opportunities to implement systems based on ATA Spec 2300 are studied: o OEM: producing and delivering ATA Spec 2300 compliant data. Based on different OEM approaches and taking into account the existing constraints (systems, programs, etc.), several questions are discussed: the triggers for OEM to implement such systems, the possible levels of support of the specification features, and, at a high level, the impacts on the current data production process. o Operators/airlines: customizing OEM data, producing its own data, publishing in different environments (paper, electronic viewers, on board, on ground). As an airline would take advantage of receiving ATA 2300 compliant data from OEMs when it will be produced, in the meantime an anticipated approach may be considered. The perspective for an airline to develop a new system to manage its flight operations data needs to consider the advantage of using ATA Spec 2300, a standard business-focused data format, as the core data model of the system and as the internal exchange data format between modules (content management, publishing engines, electronic consultation tools). The advantages and difficulties are discussed with the general principles of using ATA 2300 compliant features at different levels of the airline process. Finally, for any scenario, the real remaining question is: when?

ATA Spec 2300, implementation perspectives. Who, why, what, how… When? Bruno ...

Bruno Chatel

Le protocole ccTalk est utilisé dans la communication entre les périphériques de gestion de monnaie que l'on retrouve dans la plupart des machines de vente, comme les distributeurs automatiques. Ce protocole n'est pas très connu, et peu d'information existe sur Internet à ce sujet. Cette présentation vise en premier lieu à présenter le protocole ccTalk et ses applications. Divers outils permettant de travailler avec ce protocole seront aussi présentés ainsi que plusieurs faiblesses d'implémentation ou de protocole.

StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin

StHack

Erase icitst

nashvasan

"This session brings together the interests of engineering, compliance, and security as you align healthcare workloads to the controls in the HIPAA Security Rule. We'll discuss how to architect for HIPAA compliance using AWS, and introduce a number of new services added to the HIPAA program in 2015, such as Amazon Relational Database Service (RDS), Amazon DynamoDB, and Amazon Elastic MapReduce (EMR). You'll hear from customers who process and store Protected Health Information on AWS, and how they satisfied their compliance requirements while maintaining agility. This session helps security and compliance experts see what's technically possible on AWS, and how implementing the Technical Safeguards in the HIPAA Security Rule is simple and familiar. We map the Security Rule's Technical Safeguards to AWS features and design patterns to help developers, operations teams, and engineers speak the language of their security and compliance peers."

(SEC304) Architecting for HIPAA Compliance on AWS

Amazon Web Services

La mouvance NoSQL fait de plus en plus parler d'elle. La plupart du temps open source, les implémentations sont nombreuses et offrent des alternatives intéressantes à la rigidité du SQL. Malheureusement ces diverses solutions NoSQL (MongoDB, CouchDB, Cassandra...) débarquent avec NoSecurity. Nous verrons que, tout comme le SQL, une mauvaise utilisation des clients/drivers peut avoir des conséquences tout aussi critique, si ce n'est plus...

StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection

StHack

Abstract Researchers in many scientific fields routinely work with sensitive or restricted data such as patient records, human genetic sequences, or interviews with dissidents in oppressive regimes. Keeping this data secure while retaining the ability to process and analyse it is a non-trivial problem. The University of Oslo's TSD service is a "walled garden" environment for storing and processing this type of data. We present the architecture of TSD and describe how FreeBSD is used to control the interface between TSD and the world. Speaker bio Dag-Erling Smørgrav is a senior engineer at the University of Oslo, one of the developers of the TSD service and a member of the University's CERT and information security team. He has been a FreeBSD committer since 1998 and is currently serving as FreeBSD's Security Officer. He is also the author of OpenPAM.

University of Oslo's TSD service - storing sensitive & restricted data by D...

eurobsdcon

Abstract Programs that talk over the internet today require unpredictable secrets to thwart passive eavesdroppers and active men-in-the-middle. Unix folklore teaches that programs must acquire these secrets from a beast called `entropy' in the pantheon of information theory, who lives in /dev/random, and that in neighbouring /dev/urandom lives only a false idol. The truth, however, is not so mystical. I will discuss what /dev/random and /dev/urandom actually mean, what applications actually need, and how they should attain it. I will also discuss the implementation of /dev/u?random in NetBSD and the kernel's cryptographic pseudorandom number generation API. Speaker bio Taylor `Riastradh' Campbell is not a cryptographer, but has spent enough time scrutinizing crypto in the software he relies on to notice when it's done wrong. In 2011, Taylor found what may be Colin Percival's most embarrassing bug when he noticed the two missing characters `++' to increment the AES-CTR nonce in Tarsnap leading to reused -- and thereby decidedly predictable -- key streams. Taylor became afflicted with a NetBSD commit bit later in 2011 for unrelated reasons, and has since participated in rototilling the NetBSD kernel entropy subsystem.

The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell

eurobsdcon

Over the last several months a staggering series of revelations have been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital communications. Though not surprising to learn the NSA—an intelligence organization—is spying on global targets, the apparent scale and sophistication of their capabilities have been turning heads internationally. Last September, troubling allegations emerged suggesting the NSA influenced the National Institute of Standards and Technology (NIST) into standardizing a cryptographic primitive with a secret backdoor. If true, the backdoor would provide the NSA with a major advantage in its efforts to snoop communications through something known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Although the ensuing backlash has seen the offending code yanked from most major security products, surprising details about the program continue to emerge. In this talk we will explain why random bits are crucial to online privacy, and what you could potentially do to people whose "random" bits you can predict. We will talk about Dual_EC_DRBG, and explain how the backdoor works in general terms. Finally, we will discuss some of the implications of state-level adversaries to health privacy and offer some high-level directions for healthcare providers to pursue.

Take Two Curves and Call Me in the Morning: The Story of the NSAs Dual_EC_DRB...

Khaled El Emam

The general purpose of software obfuscation is to make the analysis of software as difficult and expensive as possible, while keeping the original behaviour of the program. Its main applications are the protection of sensitive code and/or intellectual property. This talk will show you the two major types of obfuscation (control flow, data flow), several techniques of these two categories, and then concrete examples of "source-to-source" obfuscation applied to the Python langage. Bio : Native of Bordeaux, Ninon Eyrolles completed her studies at Bordeaux 1 University (Master Cryptologie et Sécurité Informatique), and did an internship in the LaBRI. Then she exiled herself to Paris for her final internship, and stayed there to start a thesis on software obfuscation.

StHack 2014 - Ninon Eyrolles Obfuscation 101

StHack

Juin 2006, le NIST publie les spécifications de plusieurs générateurs de nombres pseudo-aléatoires, dont le tristement célèbre Dual_EC_DRBG, dans la norme NIST SP 800-90A, et cela malgré le scepticisme de la communauté crypto. Depuis, il a été démontré que ce générateur peut facilement être détourné pour rendre ses sorties totalement prévisibles, en faisant un cas d'école de kleptographie (ce qui n'a pas empêché qu'il soit utilisé). Cette présentation technique donnera les bases nécessaires pour comprendre l'utilisation des courbes elliptiques en cryptographie et comment elles ont servi à corrompre ce générateur d'aléa.

Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...

StHack

Viewers also liked (20)

Hidden in Plain Sight: DUAL_EC_DRBG 'n stuff

Skeleton key malware detection owasp

LSA2 - 02 chrooting

One Key to Rule Them All: Detecting the Skeleton Key Malware

Public-Key Identification Schemes Based on Multivariate Polynomials

HIPAA compliance tuneup 2016

EuroBSDCon 2014 Program Front

Solving 800-90 Entropy Requirements in Software

Signature from One-way Functions

StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet

ATA Spec 2300, implementation perspectives. Who, why, what, how… When? Bruno ...

StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin

Erase icitst

(SEC304) Architecting for HIPAA Compliance on AWS

StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection

University of Oslo's TSD service - storing sensitive & restricted data by D...

The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell

Take Two Curves and Call Me in the Morning: The Story of the NSAs Dual_EC_DRB...

StHack 2014 - Ninon Eyrolles Obfuscation 101

Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...

Similar to Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor

The continuous news of personal information stolen from major retailers and financial institutions have driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more. With all the options available for securing IBM i data at rest and in motion, how do you know where to begin? View this webinar on-demand to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees. Topics include: • Protecting data with encryption and the need for strong key management • Use cases that are best for tokenization • Options for permanently de-identifying data • Securing data in motion across networks

Key Concepts for Protecting the Privacy of IBM i Data

Precisely

Feisal nanji himss 13 -- finalfinalfinal

Feisal Nanji

SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008

Denny Lee

The continuous news of personal information stolen from major retailers and financial institutions have driven consumers and regulatory bodies to demand that more action be taken to ensure data protection and privacy. Regulations such as PCI DSS, HIPAA, GDPR, and FISMA require that personal data be protected against unauthorized access using technologies like encryption, tokenization, masking, secure file transfer and more. With all the options available for securing IBM i data at rest and in motion, how do you know where to begin? Register to get up to speed on the key concepts you need to know about assuring data privacy for your customers, business partners and employees. Topics will include: - Protecting data with encryption and the need for strong key management - Use Cases that are best for tokenization - Options for permanently deidentifying data - Securing data in motion across networks

Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)

Precisely

Where to Store the Cloud Encryption Keys - InterOp 2012

Trend Micro

Provable Device Cybersecurity in Blockchain Transactions

Rivetz

Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...

Cloudera, Inc.

The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, mandating that data about consumers be protected against a breach. If your IBM i system contains data for consumers from the state of California, the time to prepare is now. In this webinar featuring well-known IBM i encryption expert Patrick Townsend, we share information that will help you prepare for CCPA compliance, including: • Consumer rights granted by CCPA • Hardening systems to prevent a breach • Obscuring data to prevent exposure • How Syncsort can help CCPA is almost here. View this webinar on-demand and get started down the path to compliance!

Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured

Precisely

Regulatory bodies and consumers demand that personal data be secured against unauthorized access. Personal data protection is, in fact, required by government and industry regulations such as PCI, HIPAA, GDPR, FISMA and more. With all the options available for securing IBM i data at rest, how do you know which will best suit your needs? View this webinar on-demand to learn the basics about data encryption, tokenization and anonymization and when each should be used. Topics include: • Differences between encryption, tokenization and anonymization • Pros and cons for each form of data protection • Tips for using the various protection methods • How Syncsort can help

Security 101: Protecting Data with Encryption, Tokenization & Anonymization

Precisely

Understanding and controlling all the points of access to IBM i systems IBM i is securable BUT not secured by default. To comply with increasingly strict IT security regulations, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing risks and taking control of logon security, powerful authorities, and system access. With the right tools and process, you can ensure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise on your IBM i systems. View this webcast on-demand to learn: • How to secure network access and communication port • How to implement different authentication options and tradeoffs • How to limit the number of privileged user accounts • How Syncsort’s security solutions can help

Protecting Your Business from Unauthorized IBM i Access

Precisely

Multiple security regulations became effective across the globe in 2018, most notably the European Union’s General Data Protection Regulation (GDPR), and additional regulations are on their heels. The California Consumer Privacy Act, with its GDPR-like requirements, is just one of the regulations that requires planning and preparation today. If you need to implement security policies for IBM i systems and data that will meet today’s compliance requirements and prepare you for those that are on the way, this webinar will help you get on the right track.

Complying with Cybersecurity Regulations for IBM i Servers and Data

Precisely

12/7/2016 - It's difficult to avoid news stories about hacks and misused databases. For our Q4 meetup, we will discuss what nonprofits can do to protect their systems and data. Each panelist will outline best practices for protecting your own data as well as constituent data. PANELISTS * Mary Gardner, Chief Information Security Officer at Seattle Children's Hospital. * Ralph Johnson, Chief Information Security and Privacy Officer, King County * Peter Kittas, Web and IT Consultant, Revelate LLC

Seattle Tech4Good meetup: Data Security and Privacy

Sabra Goldick

Hipaa security compliance checklist for developers & business associates

Shoba Krishnamurthy

Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)

OnRamp

In a recent survey of IBM Power Systems users, 52% state they are focusing security investments on compliance auditing and reporting while 28% said they anticipate increased regulatory complexity as a security challenge for the remainder of the year. Do you need to accelerate compliance for your IBM i systems? Whether it be for PCI, SOX, GDPR or other regulations, view this 15-minute webcast on-demand to learn more about: • The importance of security risk assessments for compliance • Implementing compliance policies that align with regulations • Generating reports and alerts that flag compliance issues • Trade-offs between do-it-yourself and third-party solutions

Accelerating Regulatory Compliance for IBM i Systems

Precisely

A panel of experts from the companies that were chosen as “5 Key tools to help your organization achieve HIPAA compliance” In this webinar we will highlight ways for you and your organization to use tools to help make the task of HIPAA compliance easier and more effective. Panelist: Bob Grant ex HIPAA auditor and CCO of Compliancy Group LLC Andy Nieto, Health IT Strategist at DataMotion April Sage Director of Healthcare IT at Online Tech Asaf Cidon CEO and co-founder of Sookasa Daryl Glover Exec VP Strategic Initiatives of qliqSOFT

The must have tools to address your HIPAA compliance challenge

Compliancy Group

IBM i is securable BUT not secured by default. To help protect your organization from the increasing security threats, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing your risks and taking control of logon security, powerful authorities, and system access. With the right tools and process, you can assure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems. Watch this on-demand webcast to learn: • How to secure network access and communication ports • How to implement different authentication options and tradeoffs • How to limit the number of privileged user accounts • How Precisely’s Assure Security can help

Lock it Down: Access Control for IBM i

Precisely

Endpoint Security for Mobile Devices

David Shepherd

In Cloud, existing vulnerabilities, threats, and associated attacks raise several security concerns. Vulnerabilities in Cloud can be defined as the loopholes in the security architecture of Cloud, which can be exploited by an adversary via sophisticated techniques to gain access to the network and other infrastructure resources. In these slides, we discuss major Cloud specific vulnerabilities, which pose serious threats to Cloud computing.

Cloud security

Adeel Javaid

Regulatory Intelligence

Armin Torres

Similar to Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor (20)

Key Concepts for Protecting the Privacy of IBM i Data

Feisal nanji himss 13 -- finalfinalfinal

SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008

Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)

Where to Store the Cloud Encryption Keys - InterOp 2012

Provable Device Cybersecurity in Blockchain Transactions

Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...

Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured

Security 101: Protecting Data with Encryption, Tokenization & Anonymization

Protecting Your Business from Unauthorized IBM i Access

Complying with Cybersecurity Regulations for IBM i Servers and Data

Seattle Tech4Good meetup: Data Security and Privacy

Hipaa security compliance checklist for developers & business associates

Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)

Accelerating Regulatory Compliance for IBM i Systems

The must have tools to address your HIPAA compliance challenge

Lock it Down: Access Control for IBM i

Endpoint Security for Mobile Devices

Cloud security

Regulatory Intelligence

Recently uploaded

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Manulife - Insurer Transformation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Real Time Object Detection Using Open CV

Khem

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

DBX First Quarter 2024 Investor Presentation

Dropbox

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Recently uploaded (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Powerful Google developer tools for immediate impact! (2023-24 C)

A Year of the Servo Reboot: Where Are We Now?

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Corporate and higher education May webinar.pptx

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Manulife - Insurer Transformation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Real Time Object Detection Using Open CV

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Data Cloud, More than a CDP by Matt Robison

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Axa Assurance Maroc - Insurer Innovation Award 2024

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

DBX First Quarter 2024 Investor Presentation

Boost Fertility New Invention Ups Success Rates.pdf

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor

1. Unsafe Harbor  Will Your Encryption Weather the Storm? Ray Potter CEO, SafeLogic

2. Safe Harbor • Eliminates the requirement to notify affected parties and the federal government of an ePHI data breach • ePHI data must be in a format that is unusable, unreadable, or indecipherable to unauthorized individuals 2

3. HIPAA • Establishes the national set of standards for the handling of ePHI in electronic form • Security Standards for the Protection of ePHI • Privacy expectations for covered entities 3

4. HIPAA Security Rule • General Rules • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Organizational Requirements • Policies / Procedures and Documentation Requirements 4

5. NIST SP 800-66 • Introductory resource guide for Implementing the HIPAA Security Rule • Voluntary guideline and best practices for implementation of HIPAA security rule • State / local government • Private industry • Links NIST Risk Management Framework to HIPAA Security Rule 5

6. Risk Management Framework 6

7. What's at Risk? • Personal health info • Device compromise • Health • Life • How does HIPAA / Safe Harbor help? 7

8. Access Control • Access Enforcement • The organization encrypts or stores off- line in a secure location • Media Access • The system uses cryptographic mechanisms to protect and restrict access to information on portable digital media 8

9. Identification & Authentication • Device Identification and Authentication • Authenticates devices before establishing remote, wireless network, and network connections using bidirectional authentication between devices that is cryptographically based 9

10. • Cryptographic Module Authentication • Implement role-based or identity-based • Use of Cryptography • System should use FIPS 140-2 validated modules Encryption 10

11. Data at Rest / Transmission • Media Storage • Media Transport • Transmission Integrity • Transmission Confidentiality • Maintain confidentiality and integrity 11

12. FIPS 140 • Federal Information Processing Standard 140 • Specifies requirements for cryptographic hardware and software modules • Published by US (NIST) and Canadian Governments • Offers 4 levels of validation 12

13. Sections of Requirements • Module Description • Interfaces • Roles, Services, and Authentication • Finite State Model • Physical Security • Operating Environment • Key Management • EMI/EMC • Self Tests • Design Assurance • Mitigation of Attacks 13

14. Value • Standardized algorithms • Algorithm testing • Documented processes • Documented code 14

15. Why Compliance? • Vendors need to be able to sell products to the regulated industries • Vendors need to remain competitive • End users need security assurance 15

16. Let’s Connect • @SafeLogic • @SafeLogic_Ray • www.safelogic.com 16

Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor

Similar to Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor (20)

Recently uploaded

Recently uploaded (20)

Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor