


This preso is now about 16 years(?) old as of 2017.

HIPAA presentation I created back when HIPAA was new and I was the InfoSec Security Practice Leader for a now-defunct company.


  1. Healthcare InfoSec Overview: HIPAA Compliance Solutions
     Joseph Patrick Schorr, CISSP, MCSE, CCDA, Security Consulting Practice Leader
  2. Agenda
     • The KentTrust Story
     • The state of InfoSec, 2001
     • HIPAA to date
     • Privacy Standards
     • Implications for Your Organization
     • Your Needs
     • Why Should You Comply?
     • KentTrust Security Services Approach
  3. KentTrust Mission
     “To provide professional and innovative Information Security solutions to industry, government, and society through leading-edge knowledge, skill sets, and technologies”
  4. Why KentTrust Security Solutions?
     • Our security consultants are seasoned security professionals: 6 CISSPs, 5 CCSEs, 1 CISA, 7 MCSEs (industry-recognized certifications)
     • We have provided solutions for all types of organizations
       – Private industry (health care, banking, commerce, etc.)
       – Government (Federal, State, Local)
     • Experience with the full spectrum of InfoSec
       – Security policy, penetration testing and probing, vulnerability assessments, HIPAA reviews, PKI, e-commerce, security architecture reviews, intrusion detection, etc.
  5. Engagement Methodology: 5-Phase KentTrusted™ Cycle
     I. Security Architecture Review
     II. Security Posture Assessment
     III. Security Solutions Deployment
     IV. Security Operations Program
     V. Security Awareness Program
  6. 2001: The State of InfoSec. Attacks and Abuses on the Rise
     • 40% of respondents detected external system penetrations and probings
     • 38% of respondents detected Denial of Service (DoS) attacks
     • 91% of respondents detected abuse of Internet access privileges
     • 94% of respondents detected computer viruses
     Source: Computer Security Institute, 2001
  7. 2001: The State of InfoSec
     • 85% of large corporations and government agencies detected computer security breaches
     • 64% acknowledged financial losses due to breaches
     • The respondents reported $377,828,700 in financial losses
     • 69% of respondents cited their Internet connection as the point of attack, 31% cited an internal point of attack
     • External attacks rose from 59% in 2000 to 69% in 2001
     Source: Computer Security Institute, 2001
  8. Attack Sophistication
     [Chart: attack sophistication (sophistication of tools) rising over 1980–2000 while the expertise required of the intruder falls. Tools plotted along the curve: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI network management diagnostics, automated probes/scans, WWW attacks, denial of service, stealth/advanced scanning techniques, DDoS attacks, burglaries.]
     Source: InformationWeek > Security > “Cisco Warns Of IOS Security Flaw”, June 29, 2001
  9. Sources of Attack
     • Disgruntled employees: 33%
     • Independent hackers: 30%
     • US competitors: 18%
     • Foreign corporations: 10%
     • Foreign governments: 8%
  10. Proof Positive: Financial Losses Due to Cyber-attacks (in millions)
     • Denial of Service: $8,247,500
     • Virus: $29,171,700
     • Internal Abuse: $29,171,700
     • System Penetration: $7,104,000
     Source: Federal Bureau of Investigation, 2000 (243 respondents)
  11. HIPAA Introduction
     • One of the most high-impact pieces of legislation to affect the health care industry!
     • The industry generally agrees that the HIPAA impact will be more extensive than the Year 2000 problem
     • Healthcare experts predict that large healthcare providers and/or payers will have to spend $50 to $200 million to become HIPAA compliant
  12. Introduction (cont.)
     • Affects nearly everyone in healthcare
       – Payers, employers, providers, clearinghouses, health care information systems vendors, billing agents, and service organizations
     • Impacts nearly every business process
       – All individually identifiable information relating to patients or any person receiving services
       – Past, present, or future health conditions, treatment, or payment for treatment
       – Demographic data collected by plans or providers
  13. Who Does This Affect?
     • Health Plans
       – Individual or group plans that provide for or pay the cost of medical care
       – Employers who self-insure
     • Providers
       – Hospitals, medical groups, physicians’ LLPs, clinics, emergency care facilities, and any other person furnishing health care services or supplies
     • Health Care Clearinghouses
       – Any public or private organization that processes or facilitates the processing of health information
     • Other Affected Entities
       – Employers who want to use medical information for data mining
       – Pharmaceutical companies conducting clinical research
  14. HIPAA to Date
     • Health Insurance Portability & Accountability Act of 1996 (HIPAA)
     • Public Law 104-191
     • Based on Kennedy-Kassebaum
     • Designed to:
       – Assure health insurance portability
       – Reduce health care fraud and abuse
       – Guarantee security and privacy of health information
       – Enforce standards for health information
     • HIPAA-Sec effective 4/14/2001
     • 2 years to achieve compliance (October 2002)
     ARE YOU AWAKE ???
  15. Security Categories
     1. Administrative Procedures to guard data integrity, confidentiality, and availability
     2. Physical Safeguards to guard data integrity, confidentiality, and availability
     3. Technical Security Services to guard data integrity, confidentiality, and availability
     4. Technical Security Mechanisms to guard data integrity, confidentiality, and availability
  16. Security Categories: Administrative Procedures
     Sets standards for:
     • Certification
     • Chain of Trust Agreements
     • Contingency Planning
     • Record Processing
     • Information Access Control
     • Internal Audit
     • Security Management
     • Personnel Security
     • Training
     • Termination Procedures
     • Security Incident Response
     • Security Configuration Management
  17. Security Categories: Physical Safeguards
     – Governs physical security and organizational issues:
       • Assigned security responsibility
       • Media controls
       • Physical access controls
       • PC policy/guideline
       • Secure workstation location
       • Security awareness training
       • Business Continuity & Disaster Recovery plans
  18. Security Categories: Technical Security Services
     – Dictate general security safeguards
     – Standards covered:
       • Access Control
       • Audit Controls
       • Authorization Control
       • Data Authentication (Integrity)
       • Entity Authentication
  19. Security Categories: Technical Security Mechanisms
     • Communications/Network Controls
       – Basic networking safeguards (alarms, access controls, audit trails, event reporting, etc.)
       – Network security issues
         • Integrity (message corruption) and confidentiality (message interception)
         • Protection from unauthorized remote access
       – Digital Signatures
  20. HIPAA: Your Needs
     • Need to know where you are today and where you need to go to gain compliance
     • Additional information security technology solutions may be required (e.g., Public Key Infrastructure, Virtual Private Network, improved logging, Business Continuity Plans)
     • Business processes may need major enhancements to ensure that security and privacy requirements are met
  21. Your Needs
     • Organizations may need to undergo significant cultural transformation in the way patient information is handled, used, communicated, and shared
     • Policies and procedures may have to be developed and existing ones modified
     • Proposed regulations require staffing of a “Privacy Official”
     • Budgeting and staffing for the next two years will be impacted; you need to understand how much
  22. Your Needs (cont.)
     • Need to meet a short timeframe
       – Most health care organizations will have only 2 years to comply
     • Broad scope (need expertise)
       – HIPAA will impact all functions, processes, and systems that store, handle, or generate health information
       – Mainframes, servers, workstations
       – Policies and procedures
       – Training staff
  23. Implications for Your Organization
     • Acute Impact
       – Requires health care organizations to completely rethink the way in which they protect the security and privacy of patients’ and consumers’ information
       – Mandates standard formats for the most common transactions between health care organizations
       – In many cases requires replacement of or substantial change to providers’ current systems and processes to comply with HIPAA regulations
  24. Implications for Your Organization: Strategic Impact
     HIPAA electronic standards and security requirements become key enablers in moving forward
  25. More “Implications”…
     • Cost savings
       – Reduction in processing costs
       – Simplification of manual processing
     • Improved customer service
       – Reduced errors
       – Quicker turnaround
     • Mobilizes the industry
     • Gives direction
     • Gives a timetable
     • Not prescriptive
     • Shows the public we care
  26. More “Implications”…
     • Non-compliance
       – $100 for each violation; total for each requirement in a calendar year not more than $25,000
     • Wrongful disclosure of individually identifiable health information, i.e., knowingly:
       – Using or causing to be used a unique health identifier
       – Obtaining individually identifiable health information
       – Disclosing individually identifiable health information
     • Penalties:
       – $50,000 and/or 1 year imprisonment
       – $100,000 and/or 5 years imprisonment if committed under false pretenses
       – $250,000 and/or 10 years imprisonment if committed with intent to sell
  27. Getting from Point “A” to “B”
     The final regulations will not mandate specific security practices and technology… Health care entities must assess potential risks to their data and develop, implement, and maintain appropriate security measures.
  28. Security Services Approach
     • Help prepare an organization for HIPAA regulations and standards
     • Awareness training to better understand the implications of the new standards and their effects on the organization
  29. HIPAA Compliance Review
     • A simple and meaningful Security Gap Analysis Audit: determine the magnitude of the regulatory impact on your organization and establish the scope of your compliance effort
     • Network vulnerability assessments
     • Provide extensive documentation supporting the recommended HIPAA compliance of the organization
     • Implement and deploy the recommended HIPAA-compliant solutions
  30. Commonalities: Typical Gaps Found During HIPAA Gap Analysis Audits
     • Out-of-date or non-existent Disaster Recovery or Business Continuity Plans
     • Current computing systems cannot meet HIPAA standards for security
       – OS versions cannot be upgraded
       – OS simply lacks security capabilities
     • HIPAA-compliant policies and procedures not in place or not being followed
     • Inadequate data backup plan in place
     • Infrastructure (network or systems) vulnerable
  31. Homework!!! Think about your environment…
     • Consistent security policy definitions?
     • Information architecture
       – Business process definitions
         • Who shares information, and why?
       – Information content definitions
         • What information is shared?
       – Computational definitions
         • How is information shared?
       – Engineering/Technical
         • The last thing to consider
  32. Pithy Quote
     “If you reveal your secrets to the wind you should not blame the wind for revealing them to the trees.” Khalil Gibran
  33. Questions
  34. Contact us to secure your information
     Security Solutions Division of Kent Technologies
     5911-K Breckenridge Park Drive, Tampa, Florida 33610
     (614) 766-8482