Redspin Webinar Business Associate Risk

Webinar on how healthcare organizations can manage business associate IT security risk.

  1. Navigating Business Associate IT Security Risk. John Abraham, Redspin Security Evangelist
  2. Part 1: New Responsibilities, for business associates and covered entities under HIPAA / HITECH Act
  3. Expanded Definitions
     - Work for CE + Access PHI = BA
     - Data transmission providers
     - Subcontractors to BA
  4. HIPAA Security Rule... Applies to:
     A) Covered Entities
     B) Business Associates
     C) Subcontractors
     D) All of the above
  5. Oops, I didn't know. "Lack of knowledge" is not a defense*, AKA what you don't know {about BAs} can hurt you.
     * 75 Federal Register 40878, July 14th, 2010 NPRM
  6. BA's Dual Risk
     - Liability to government (HIPAA)
     - Liability to CE (BAA)
  7. CE's Dual Risk
     - Liability to government (HIPAA)
     - Liability to government (BA security)
  8. Penalties throughout the PHI supply chain: CEs, BAs, Subcontractors
  9. Part 2: What This Means
  10. Active Enforcement
     - Fines
     - State budget crisis
     - State Attorneys General
  11. Recent Enforcement Actions*
     - Cignet, $4.3 million: failure to provide 41 patient records, ignored subpoena
     - Mass. General Hospital, $1 million: 192 patient records left on subway; CAP: policies, procedures, training, auditing, reporting, security controls
     * http://www.hhs.gov/news/
  12. Transparency: right-to-audit clause in BAA
  13. HIPAA Security Rule
     - Everyone needs to be compliant
     - Everyone needs sound risk management
  14. Part 3: Effectively Manage Your Own Risk
  15. Three rules
     - Focus
     - Existence != Effective
     - Compliance != Security
  16. Rule 1: Everyone has risk. Focus on critical.
  17. Systematic Risk Management: focus, focus, focus
  18. Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA Administrative Safeguards (§164.308), ...
  19. Rule 1, Focus: systematic risk management
     - Everyone has lots of risk → focus
     - Let risk drive controls → focus
     - Avoid over-spending/implementing → focus
  20. Rule 2: Existence does not equal Effective
  21-22. PIX firewall configuration (the same configuration is shown on both slides)
     PIX Version 6.3(5)
     interface ethernet0 auto
     interface ethernet1 auto
     interface ethernet2 auto
     nameif ethernet0 outside security0
     nameif ethernet1 inside security100
     nameif ethernet2 dmz security50
     ...
     access-list out permit tcp any host 10.0.0.15 eq smtp
     access-list out permit tcp any host 10.0.0.15 eq www
     access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
     access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
     access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
     access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
     access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
     access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
     access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
     access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
     access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
     access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
     access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
     access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
     access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
     access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
     ...
     ip address outside 10.0.0.2 255.255.255.0
     ip address inside 172.16.0.2 255.255.255.0
     ip address dmz 192.168.0.1 255.255.255.0
     ip audit info action alarm
     ip audit attack action alarm
     pdm history enable
     arp timeout 14400
     global (outside) 1 10.0.0.3
     nat (inside) 1 172.16.0.0 255.255.255.0 0 0
     static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
     access-group out in interface outside
     access-group in in interface inside
     access-group dmz in interface dmz
     ...
  23. Rule 2: Don't just assume a control is working.
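Rule 2 is illustrated on the slides with a PIX configuration but no explanation of what is wrong with it. What follows is an added example, not code from the Redspin slides or from Redspin: a small Python checker that reads the slide's access-list lines (embedded below as constructed input, copied from the configuration above) and reports rules that exist on the firewall but cannot be effective. It finds rules shadowed by an earlier, broader rule (PIX evaluates an access list top-down and the first match wins), permits for every protocol and port from one host into a whole network, and UDP rules that name a TCP-only service. The port-name table, the set of TCP-only services and the finding labels are the example's own assumptions.

```python
"""Find PIX 6.x access-list rules that exist but cannot be effective.

Added example, not from the Redspin slides. The port-name table and the
list of TCP-only services below are this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the access-list lines copied from the slide's PIX config.
PIX_ACL_LINES = """\
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
"""

# Assumed mapping of the service names used in the config to port numbers.
PORT_NAMES = {"daytime": 13, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "time": 37, "domain": 53, "www": 80, "https": 443}
# Assumed set of services that only run over TCP; "udp ... eq telnet" matches nothing useful.
TCP_ONLY_SERVICES = {"ftp", "ssh", "telnet", "smtp", "www", "https"}


@dataclass
class Rule:
    raw: str
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]        # None = any port (always None for proto "ip")
    port_name: Optional[str]


def _endpoint(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec (any | host A.B.C.D | A.B.C.D MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines, keeping order."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "access-list":
            continue
        src, i = _endpoint(tok, 4)
        dst, i = _endpoint(tok, i)
        port = name = None
        if i + 1 < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            port = int(name) if name.isdigit() else PORT_NAMES[name]  # unknown name fails loudly
        rules.append(Rule(raw, tok[1], tok[2], tok[3], src, dst, port, name))
    return rules


def _covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet that matches `narrow` also matches `wide`."""
    return ((wide.proto == "ip" or wide.proto == narrow.proto)
            and (wide.port is None or wide.port == narrow.port)
            and narrow.src.subnet_of(wide.src)
            and narrow.dst.subnet_of(wide.dst))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """(rule, earlier rule hiding it) pairs; PIX evaluates top-down, first match wins."""
    findings, seen = [], {}
    for r in rules:
        earlier = seen.setdefault(r.acl, [])
        for w in earlier:
            if _covers(w, r):
                findings.append((r, w))
                break
        earlier.append(r)
    return findings


def broad_permits(rules: List[Rule]) -> List[Rule]:
    """Permits for every protocol and port from a source into a whole network."""
    return [r for r in rules
            if r.action == "permit" and r.proto == "ip" and r.dst.num_addresses > 1]


def proto_mismatches(rules: List[Rule]) -> List[Rule]:
    """UDP rules naming a TCP-only service: the rule cannot do what it says."""
    return [r for r in rules if r.proto == "udp" and r.port_name in TCP_ONLY_SERVICES]


def audit(text: str) -> List[str]:
    rules = parse_acl(text)
    out = [f"SHADOWED  {r.raw}\n    by    {w.raw}" for r, w in shadowed_rules(rules)]
    out += [f"BROAD     {r.raw}" for r in broad_permits(rules)]
    out += [f"MISMATCH  {r.raw}" for r in proto_mismatches(rules)]
    return out


if __name__ == "__main__":
    print("\n".join(audit(PIX_ACL_LINES)))
```

Run against the slide's configuration, the checker reports that `access-list dmz permit tcp host 192.168.0.13 ... eq smtp` never matches because the earlier `permit ip` from the same host already lets the internet-facing DMZ server reach every inside address on every port, that the two `host 192.168.0.13` permits in the inside list are hidden by the `any eq www` and `any eq https` rules above them, and that the `udp ... eq telnet` rule names a TCP service. Each of these is a control that exists in the configuration without being effective, which is the point of the slide.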
  24. Rule 3: Compliance does not equal Security
  25. Part 4: Effectively Manage Business Associate Risk
  26. Systematic Approach
     1. Identify
     2. Classify
     3. Prioritize
     4. Additional Evaluation
     5. Monitor
  27. Systematic Approach (same five steps; step 2, Classify, annotated: Matrix)
  28. Systematic Approach (same five steps, annotated: Questionnaire, HIPAA Risk Analysis)
  29. Summary, for BAs & CEs
     - New responsibilities (HIPAA Security Rule)
     - Increased accountability / scrutiny
     - Need effective (true) risk management
     - BAs need to be ready to be audited by CEs
     - CEs need to be ready to audit BAs
  30. { thank you! } John Abraham, jabraham@redspin.com, 805-705-8040 (mobile)