A project approach to HIPAA

HIPAA Security
A Management System Approach

Dan Wallace
dwallace@growforwardllc.com

2

Agenda
1) The Need for Security Awareness
Programs
2) Security Awareness as a Product
3) Phase 1 – Identify Target Audiences and
Product
4) Phase 2 – Identify Product Distribution
Methods
5) Phase 3 – Obtain Management Support
6) Phase 4 – Product Launch
7) Phase 5 – Effectiveness Assessment
8) Ongoing Enhancements
9) Ideas for Customized Campaigns

HIPAA Security Compliance Framework

3

Introduction to
Management Systems


4
Management System
Overview

A management system is a mechanism
to establish policy and objectives and to put in
place the means achieve those objectives.
Management systems are used by
organizations to develop policies and to put
these into effect via objectives and targets
using:
– Organizational structure
– Systematic procedures
– Measurement and evaluation
– Quality control and continuous
improvement structure, procedures
& measurement are
required by the HIPAA
security regulation

5

Elements of a Management
System

Planning - identification of needs,
resources, structure, responsibilities
Policy - demonstration of commitment and
principles for action
Implementation and operation -
awareness building and training
Performance assessment - monitoring
and measuring, handling non-conformities,
audits
Improvement - corrective and preventive
action, continual improvement)
Management review – oversight,
governance and compliance


6

Information Security
Management System

ISMS That part of the overall management
system, based on a business risk approach, to
establish, implement, operate, monitor,
review, maintain and improve information
security
The Design and Implementation of
the ISMS is influenced by business needs
and objectives, resulting security
requirements, the processes employed and
the size and structure of the organization.
The ISMS and the supporting systems are
designed to change when necessary.


7

Management System
Documentation
Management framework
policies relating to
BS 7799-2
Clause 4 Security Manual

Level 1
Policy, scope
risk assessment,
statement of applicability
Procedure
Define processes – who, s
what, when, where
Level
2 Work
Describes how tasks and specific Instructions,
activities are done checklists,
Level
forms, etc.
3
Provides objective evidence of compliance to
HIPAA security requirements and required by
Level BS7799 clause 3.6
4
Records


8

HIPAA Security
Framework


Phase 1 Project
Charter 9
Plan the
Project

Phase 2 Policies, Standards,

Develop Procedures
ISO/IEC 17799
Policies
Phase 1 &
Phase 3
Threats, Assess 2 Outputs
Vulnerabilities &
Impacts
Risk
Phase 4 Phase 3
Risk Tolerance
Manage Outputs
Degree of
Compliance Risk
OCTAVE
Phase 5 Selected
Remediation
Implement Controls
Plans
Controls

Phase 6 Compliance
Control Objectives Guide
Implemented Compliance
Controls

The Framework

10

Phase One: Project Planning

Gain an understanding of the
organization and technology environment
Establish the objectives of the
management system
Develop project charter document
Roll out methodology and obtain buy in
Develop detailed project plans
Address budget issues
Obtain resource commitments


11

Phase Two: Policy
Development

POLICY DEFINITON: Develop a custom
security policy document, based on ISO/IEC
17799 that is driven by business/clinical need,
and prescribes management direction in
meeting HIPAA security compliance objectives
STANDARDS & PROCEDURE
DEVELOPMENT: Each functional area or
department develops the means to implement
and enforce management’s policies


Policy Definition & Standard 12

Development Process
Determine Map
Identify Develop
Policy Current Analyze Gaps
Current Policies Required Policies
Requirements to Required

• Kickoff • Review • Review HIPAA • Identify Gaps • Kickoff
Existing Security Regs
• Interview Key • Identify • User Training
Policies
Personnel • Review New Areas
• Review details ISO/IEC 17799
• Interview IT & • Assign Policy
of Incidents
security Ownership

• Checkpoint • Consolidate
Findings

Policy Development tasks are the same
for both policy definition and
standards development


13

Procedure Development

A Procedure is the organization of people,
equipment, energy, procedures and material
into the work activities needed to produce a
specified end result (work product).
Procedures are a sequence of repeatable
activities that have measurable inputs, value-
add activities and measurable outputs.
Procedures have a functional focus as
opposed to organizational focus, must have a
specified owner, and use Critical Success
Factors (CSF) to help focus process
execution and maximize improvement efforts.
Each functional area develops their own
procedures consistent with policies. Methods
for procedure development will vary however,
management may elect to issue guidance on
the form and format of documented
procedures.

Required Procedures 14

164.308(a)(4)(ii)(B) Access Authorization (A)
164.310(a)(2)(iii) Access Control and Validation (A)
164.312(a)(1) Access Controls (S)
164.308(a)(4)(ii)(C) Access Establishment and Modification (A)
164.312(b) Audit Controls (S)
164.308(a)(3)(ii)(A) Authorization and/or Supervision (A)
164.312(a)(2)(iii) Automatic Logoff (A)
164.310(a)(2)(i) Contingency Operations (A)
164.308(a)(7)(i) Contingency Plan (S)
164.308(a)(7)(ii)(A) Data Backup Plan (R)
164.310(d)(1) Device and Media Controls (S)
164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
164.310(d)(2)(i) Disposal (R)
164.312(a)(2)(ii) Emergency Access (R)
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
164.310(a)(1) Facility Access Controls (S)
164.310(a)(2)(ii) Facility Security Plan (A)
164.308(a)(4)(i) Information Access Management (S)
164.308(a)(1)(ii)(D) Information System Activity Review (R)
164.312(c)(1) Integrity (S)
164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Function (R)
164.308(a)(5)(ii)(C) Login Monitoring (A)
164.310(a)(2)(iv) Maintenance Records (A)
164.310(d)(2)(ii) Media Re-Use (R)
164.308(a)(5)(ii)(D) Password Management (A)
164.312(d) Person or Entity Authentication (S)
164.308(a)(5)(ii)(B) Protection from Malicious Software (A)
164.308(a)(6)(i) Security Incident Procedures (S)
164.308(a)(1)(i) Security Management Process (S)
164.308(a)(3)(ii)(C) Termination (A)
164.308(a)(7)(ii)(D) Testing and Revision (A)
164.308(a)(3)(ii)(B) Workforce Clearance (A)
164.308(a)(3)(i) Workforce Security (S)
164.310(b) Workstation Use (S)


15

Phase Three: Risk
Assessment
Overview of the OCTAVE
Process

OCTAVE PROCESS: a
progressive series of self-
directed workshops that results in
an in-depth security analysis of
business and computing
infrastructure elements

16

Phase Three: Risk
Assessment
PREPARATION: Define scope of the risk
assessment, select analysis teams, method
orientation, schedule workshops.
PHASE ONE: BUILD ASSET-BASED
THREAT PROFILES An organizational
evaluation. The analysis team determines what
is important to the organization (information-
related assets) and what is currently being
done to protect those assets.
PHASE TWO: IDENTIFY
INFRASTRUCTURE VULNERABILITIES
An evaluation of the information infrastructure.
The analysis team examines network access
paths, identifying classes of information
technology components related to each critical
asset. The team then determines the extent to
which each class of component is resistant to
network attacks.

17
Phase Four: Risk
Management and
Remediation
PHASE THREE: DEVELOP
SECURITY STRATEGY AND PLANS The
analysis team identifies risks to the
organization’s critical assets and decides what
to do about them. The team creates a
protection strategy for the organization and
mitigation plans to address the risks to the
critical assets, based upon an analysis of the
information gathered.


18

Risk Assessment &
Management


19
Phase Five: Implement
Control Objectives and
Controls
PHASE THREE: DEVELOP
SECURITY STRATEGY AND PLANS The
analysis team identifies risks to the
organization’s critical assets and decides what
to do about them. The team creates a
protection strategy for the organization and
mitigation plans to address the risks to the
critical assets, based upon an analysis of the
information gathered.


20

Phase Six: Prepare the
Statement of Applicability
COMPLIANCE DOCUMENT Written
evidence of the actions taken in the first five
phases with regard to HIPAA compliance.
MANAGEMENT FRAMEWORK
SUMMARY A synopsis of the entire
information security management framework
including the policy, control objectives and
implemented controls.
PROCEDURE INVENTORY A catelogue
of procedures implemented to support the
management framework including
responsibilities and relevant actions.
MANAGEMENT SYSTEM
PROCEDURES Administrative procedures
covering the operation and management of the
management system including responsibilities.

A project approach to HIPAA

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to A project approach to HIPAA

Similar to A project approach to HIPAA (20)

Recently uploaded

Recently uploaded (20)

A project approach to HIPAA