The development and deployment of an enterprise Security Policy that defines the what and how of enterprise security is now mandated by numerous regulatory and industry standards, such as HIPAA and PCI-DSS. The development of a Security Policy, however, generally takes specialized skills that most organizations do not have. As a result, the process either takes a significant amount of time, or a significant amount of money.
Info-Tech’s Security Policy Solution Set will help you:
•Understand what goes into a Security Policy and why.
•Determine which specific policies are required by your organization.
•Streamline the creation of a policy set via customizable standards-based templates.
•Implement policies in an order that makes sense.
•Understand policy enforcement.
Use this material to build the Policies you need to be protected and compliant without spending a penny.
The development and deployment of an enterprise Security Policy that defines the what and how of enterprise security is now mandated by numerous regulatory and industry standards, such as HIPAA and PCI-DSS. The development of a Security Policy, however, generally takes specialized skills that most organizations do not have. As a result, the process either takes a significant amount of time, or a significant amount of money.
Info-Tech’s Security Policy Solution Set will help you:
•Understand what goes into a Security Policy and why.
•Determine which specific policies are required by your organization.
•Streamline the creation of a policy set via customizable standards-based templates.
•Implement policies in an order that makes sense.
•Understand policy enforcement.
Use this material to build the Policies you need to be protected and compliant without spending a penny.
We live in a digital world in which our happiness, health, and even our lives can depend on the performance of technology. From medical equipment to cars, and home security systems to smartphones, computerized equipment plays a greater role in the human experience with each passing year.
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
The Data Protection Act 2019, was enacted on November 8th, 2019, ushering a new era of accountability and responsibility with regard to processing of personal data and information. Naturally, there has been a resurrection of the chatter around data protection in increasingly data-driven social and economic settings. The question on everyone’s mind being what does this mean for me?
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015
Relatore: Denis Cassinerio
Security Business Unit Director di Hitachi Systems CBT
Doug Copley presented on cybersecurity challenges in healthcare including threats, trends in healthcare, practical steps and building security without boundaries.
Transforming Expectations for Treat-Intelligence SharingEMC
Gain insight into a new approach to information-sharing processes for threat intelligence which ensures that data distribution is relevant, actionable, and automated.
RSA Security Briefs provide executives and practitioners with essential guidance on today’s most pressing information-security risks and opportunities. Each Brief is created by a select response team of security and technology experts who mobilize across companies to share specialized knowledge on a critical emerging topic. Offering both big-picture insight and practical technology advice, these papers are vital reading for today’s forward-thinking security leaders.
DR. STEVEN GORIAH,
Vice President of Information Technology & CISO
Westchester Medical Center Health Network
The U.S Healthcare system is seeing a
staggering amount of security breaches each
year. In this session, you’ll learn about the role
of a cybersecurity framework, best practices in
choosing a framework, and which framework
best fits your organization and why. Dr. Goriah
will also speak on implementation, roles and
responsibilities and why it's essential to create
a culture of privacy and security
Biznesa infrastruktūras un datu drošības juridiskie aspektiebuc
Biznesa infrastruktūras un datu drošības juridiskie aspekti. Carlos Trigoso, EY Eiropas, Vidējo Austrumu, Indijas un Āfrikas reģiona vadības konsultāciju centra Informācijas drošības virziena vecākais projektu vadītājs.
General Data Protection Regulation (GDPR) and ISO 27001Owako Rodah
The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and organisations and data subjects alike are mostly in the dark about what it means and how it affects them This is a summary of the regulation and how businesses can leverage the implementation of international standards such as ISO 27001 to meet the requirements of the regulation.
Guide to hipaa compliance for containersAbhishek Sood
he challenge with HIPAA is that it doesn’t define, at a detailed level, the countermeasures you must put in place to comply with its Security Rule.
With the advent of microservices it is likely that many new healthcare apps are being built with containers, changing how you will secure compliance for them.
In this extensive, 38-page white paper discover how to achieve compliance with the HIPAA Security Rule for containerized workloads for healthcare apps.
Explain the security implications of HIPPA requirements for hospital.pdfarjunenterprises1978
Explain the security implications of HIPPA requirements for hospital networks.
your responce should be 300 words
Solution
HIPAAstands for Health Insurance Portability and Accountability Act.
Passed in 1996 HIPAA is a federal law that sets a national standard to protect medical records
and other personal health information. The rule defines \"protected health information\" as health
information that:
1. Identifies an individual and
2. Is maintained or exchanged electronically or in hard copy.
If the information has any components that could be used to identify a person, it would be
protected. The protection would stay with the information as long as the information is in the
hands of a covered entity or a business associate.
HIPAA Security Rules
The portion of the HIPAA law that most impacts technology interests is the section on
Administrative Simplification (Title II, Subtitle F). Administrative Simplification seeks to force
uniform standards in the electronic interchange of health information (through the Transaction
Rule) and also mandates guidelines for the security (Security rules) and privacy (Privacy rules)
of that information whether in transit or stored. The HIPAA Security regulations apply to that
protected health information that is electronically maintained or used in an electronic
transmission1
. Administrative Simplification is divided in to Transaction, Security and Privacy Rules.
The HIPAA Security rules are divided into four sections:
· Administrative Safeguards
· Physical Safeguards
· Security Services
· Security Mechanisms
Administrative safeguards deal with those administrative policies, procedures and practices that
are used by a covered entity to handle protected health information. These generally take the
form of written policies and procedures that are practiced in normal day-to-day operations.
Physical safeguards deal with physical access to data and facilities within that contain protected
health information. Security services and security mechanisms specifically address technical
systems, networks and applications that possess or transmit protected
health information.
The HIPAA Security rules mandate that if healthcare information (also referred to in the HIPAA
text as protected health information) is stored or processed electronically, then the security rule
applies to that covered entity. This would seem to exempt pure paper-based operations from the
Security rules, but even
these organizations likely use fax technology, which is covered by the HIPAA security rule.
Accordingly, there are very few healthcare organizations that will escape the grasp of the HIPAA
regulations as very few are entirely paper-based.
HIPAA Security rules essentially resemble a collection of the recommended best practices for
security management and operations. For this reason, if the healthcare organization has already
adopted sound security practices, the HIPAA-compliance effort should be minimal. Given that
Security is not a prime conc.
We live in a digital world in which our happiness, health, and even our lives can depend on the performance of technology. From medical equipment to cars, and home security systems to smartphones, computerized equipment plays a greater role in the human experience with each passing year.
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
The Data Protection Act 2019, was enacted on November 8th, 2019, ushering a new era of accountability and responsibility with regard to processing of personal data and information. Naturally, there has been a resurrection of the chatter around data protection in increasingly data-driven social and economic settings. The question on everyone’s mind being what does this mean for me?
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015
Relatore: Denis Cassinerio
Security Business Unit Director di Hitachi Systems CBT
Doug Copley presented on cybersecurity challenges in healthcare including threats, trends in healthcare, practical steps and building security without boundaries.
Transforming Expectations for Treat-Intelligence SharingEMC
Gain insight into a new approach to information-sharing processes for threat intelligence which ensures that data distribution is relevant, actionable, and automated.
RSA Security Briefs provide executives and practitioners with essential guidance on today’s most pressing information-security risks and opportunities. Each Brief is created by a select response team of security and technology experts who mobilize across companies to share specialized knowledge on a critical emerging topic. Offering both big-picture insight and practical technology advice, these papers are vital reading for today’s forward-thinking security leaders.
DR. STEVEN GORIAH,
Vice President of Information Technology & CISO
Westchester Medical Center Health Network
The U.S Healthcare system is seeing a
staggering amount of security breaches each
year. In this session, you’ll learn about the role
of a cybersecurity framework, best practices in
choosing a framework, and which framework
best fits your organization and why. Dr. Goriah
will also speak on implementation, roles and
responsibilities and why it's essential to create
a culture of privacy and security
Biznesa infrastruktūras un datu drošības juridiskie aspektiebuc
Biznesa infrastruktūras un datu drošības juridiskie aspekti. Carlos Trigoso, EY Eiropas, Vidējo Austrumu, Indijas un Āfrikas reģiona vadības konsultāciju centra Informācijas drošības virziena vecākais projektu vadītājs.
General Data Protection Regulation (GDPR) and ISO 27001Owako Rodah
The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and organisations and data subjects alike are mostly in the dark about what it means and how it affects them This is a summary of the regulation and how businesses can leverage the implementation of international standards such as ISO 27001 to meet the requirements of the regulation.
Guide to hipaa compliance for containersAbhishek Sood
he challenge with HIPAA is that it doesn’t define, at a detailed level, the countermeasures you must put in place to comply with its Security Rule.
With the advent of microservices it is likely that many new healthcare apps are being built with containers, changing how you will secure compliance for them.
In this extensive, 38-page white paper discover how to achieve compliance with the HIPAA Security Rule for containerized workloads for healthcare apps.
Explain the security implications of HIPPA requirements for hospital.pdfarjunenterprises1978
Explain the security implications of HIPPA requirements for hospital networks.
your responce should be 300 words
Solution
HIPAAstands for Health Insurance Portability and Accountability Act.
Passed in 1996 HIPAA is a federal law that sets a national standard to protect medical records
and other personal health information. The rule defines \"protected health information\" as health
information that:
1. Identifies an individual and
2. Is maintained or exchanged electronically or in hard copy.
If the information has any components that could be used to identify a person, it would be
protected. The protection would stay with the information as long as the information is in the
hands of a covered entity or a business associate.
HIPAA Security Rules
The portion of the HIPAA law that most impacts technology interests is the section on
Administrative Simplification (Title II, Subtitle F). Administrative Simplification seeks to force
uniform standards in the electronic interchange of health information (through the Transaction
Rule) and also mandates guidelines for the security (Security rules) and privacy (Privacy rules)
of that information whether in transit or stored. The HIPAA Security regulations apply to that
protected health information that is electronically maintained or used in an electronic
transmission1
. Administrative Simplification is divided in to Transaction, Security and Privacy Rules.
The HIPAA Security rules are divided into four sections:
· Administrative Safeguards
· Physical Safeguards
· Security Services
· Security Mechanisms
Administrative safeguards deal with those administrative policies, procedures and practices that
are used by a covered entity to handle protected health information. These generally take the
form of written policies and procedures that are practiced in normal day-to-day operations.
Physical safeguards deal with physical access to data and facilities within that contain protected
health information. Security services and security mechanisms specifically address technical
systems, networks and applications that possess or transmit protected
health information.
The HIPAA Security rules mandate that if healthcare information (also referred to in the HIPAA
text as protected health information) is stored or processed electronically, then the security rule
applies to that covered entity. This would seem to exempt pure paper-based operations from the
Security rules, but even
these organizations likely use fax technology, which is covered by the HIPAA security rule.
Accordingly, there are very few healthcare organizations that will escape the grasp of the HIPAA
regulations as very few are entirely paper-based.
HIPAA Security rules essentially resemble a collection of the recommended best practices for
security management and operations. For this reason, if the healthcare organization has already
adopted sound security practices, the HIPAA-compliance effort should be minimal. Given that
Security is not a prime conc.
If you have more questions about HIPAA cloud compliance requirements or how prancer can help your healthcare facility achieve and maintain compliance, contact us today to learn more.
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...Ajeet Singh
With this fast paced world, healthcare consumers want their personalised information at a great speed. 71% of millennials want doctors to provide mobile applications for actively managing their health information which Salesforce health cloud does very well. Salesforce Health Cloud is fabricated to combine power and security of cloud with social and mobile technologies.
Let us first see what is HIPAA’s story and then move forward how Salesforce Health Cloud meet HIPAA guidelines.
The increase level of awareness and training is also very important as is the culture impact of the CE’s environment. How you proceed to successfully train and change the culture depends on the choice of an external HIPAA-HITECH privacy and security auditor. Simply stated, your external auditor should possess the skills and knowledge to comprehensively evaluate all aspect of the HIPAA-HITECH impact on your practice. Upon completion of an audit each area should address its findings, impact and corrective action plan. The action plan should incorporate the training requirements and a training plan to address the specific requirements of each staff member’s relevance to their job function within the practice.
Importance of Following HITECH Compliance Guidelines Aegify Inc.
HITECH is an ungraded and improvised version of HIPAA (Health Insurance Portability and Accountability Act) that was implementes in 1996. Since then, most healthcare institutions have been adhering to it.
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
Describe one safeguard that should be in place to protect the confidentiality of health information
when a health care organization uses a home-based medical transcriptionist and one safeguard
that should be in place to protect the security of that health information.Please support your
answer with APA references.Thanks
Solution
This is a summary of key elements of the Security Rule including who is covered, what
information is protected, and what safeguards must be in place to ensure appropriate protection
of electronic protected health information. Because it is an overview of the Security Rule, it does
not address every detail of each provision.
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the
Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations
protecting the privacy and security of certain health information.1 To fulfill this requirement,
HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security
Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information,
establishes national standards for the protection of certain health information. The Security
Standards for the Protection of Electronic Protected Health Information (the Security Rule)
establish a national set of security standards for protecting certain health information that is held
or transferred in electronic form. The Security Rule operationalizes the protections contained in
the Privacy Rule by addressing the technical and non-technical safeguards that organizations
called “covered entities” must put in place to secure individuals’ “electronic protected health
information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for
enforcing the Privacy and Security Rules with voluntary compliance activities and civil money
penalties.
Prior to HIPAA, no generally accepted set of security standards or general requirements for
protecting health information existed in the health care industry. At the same time, new
technologies were evolving, and the health care industry began to move away from paper
processes and rely more heavily on the use of electronic information systems to pay claims,
answer eligibility questions, provide health information and conduct a host of other
administrative and clinically based functions.
Today, providers are using clinical applications such as computerized physician order entry
(CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory
systems. Health plans are providing access to claims and care management, as well as member
self-service applications. While this means that the medical workforce can be more mobile and
efficient (i.e., physicians can check patient records and test results from wherever they are), the
rise in the adoption rate of these technologies increases the potential security risks.
A major goal of the Security Rule is to protect th.
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!Shelly Megan
All the healthcare applications dealing with PHI data must comply with HIPAA rules and regulations as sensitive patient data is vulnerable to security threats and violations. HIPAA compliance ensures high security and privacy of sensitive healthcare patient data by enforcing measures such as access control, encryption, data disposal, data backup, automatic logging-off, auditing, etc.
What exactly is HIPPA Compliance, and why is it important in app development? Things to think about, and how to get your own app ,a comprehensive guide to follow Checkout the presentation to know more
It is now more important than ever to ensure your breach security is on par or better than the rest of the industry. Review these slides to ensure you understand the regulations surrounding patient privacy and how to prevent future breaches.
Firewalls and border routers are still the cornerstone for perimeter security
Always will be a place for VPNs
Attacks occur at the application layer
So ensure app security
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health Information
1. HIPAA and Beyond
How to Effectively Safeguard Electronic
Protected Health Information
Ben Rothke, CISSP PCI QSA
August 4th, 2008
2. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
Introduction HIPAA Privacy Rule and Security Rule. The
In the world of information security, well-defined Privacy Rule became effective in April 2003 and
security programs are the forests, and regulations establishes regulations for the use and disclo-
like HIPAA, SoX and PCI are the trees. And too sure of Protected Health Information (PHI). PHI
many healthcare organizations mistake the forest is broadly defined as any information about the
for the trees. health status, provision of health care, or pay-
ment for health care that can be linked to an in-
By way of analogy, one of the benefits of Social dividual. This is interpreted rather broadly and
Security is SSI or Supplemental Security Income. includes any part of a patient’s medical record or
The operative word is supplemental. Social Se- payment history1.
curity is meant to augment your retirement, not
be the main income source for your retirement. The HIPAA security rule was issued in February
HIPAA is much like SSI and meant to supplement 2003 and complements the Privacy Rule. While
your formal information security program. If you the Privacy Rule pertains to all PHI, including
view HIPAA as the end-all of your information paper- and electronic-based, the Security Rule
security and privacy program, you are in huge deals specifically with electronic PHI (EPHI) and
trouble. lays out three types of security safeguards re-
quired for compliance: administrative, physical
This white paper will detail how to go beyond and technical. For each, the Rule identifies vari-
HIPAA by showing how to use HIPAA as the ous security standards, and for each standard, it
starting point for your security program, and then names both required and addressable implemen-
using best practices and Lumension Security so- tation specifications.
lutions to improve your overall security posture.
Moving Beyond HIPAA
HIPAA – Showing its Age HIPAA was created by non-security personnel,
Imagine paying $1.25 for a gallon of gasoline. who likely could not differentiate between a fire-
One would have to go all the way back to 1996 to wall and fire extinguisher. The outcome is that
get that price. Going back to 1996 also takes us HIPAA lacks the depth and breadth on which to
to the year when Congress enacted the Health build an information security program. If you build
Insurance Portability and Accountability Act your security and privacy program with HIPAA
(HIPAA). solely as its foundation, it will fail as HIPAA takes
a myopic view of security and privacy with PHI
HIPAA was created for health insurance reform being the center of its universe. But there is much
and the streamlining of claims, and not about more to information security than PHI.
security and privacy. Title I of HIPAA protects
health insurance coverage for workers and their With that, covered entities2 (CE) must look be-
families when they change or lose their jobs. Ti- yond HIPAA and focus globally if they want more
tle II of HIPAA known as the Administrative Sim- than simply HIPAA compliance.
plification provisions, requires the establishment
of national standards for electronic health care While the intent of HIPAA was valorous, over a
transactions and national identifiers for providers, decade has passed since its initial inception and
health insurance plans, and employers. it has already begun to show its age. Organiza-
tions that mistakenly look to HIPAA for their secu-
Administration Simplification provisions also ad- rity infrastructure should stop being shortsighted
dress the security and privacy of patient health and look forward.
data. The HIPAA security and privacy rules are
meant to improve the efficiency and effective- While HIPAA is a static regulation, CE’s exist in a
ness of the nation’s health care system by en- dynamic IT world with new threats coming about
couraging the widespread use of electronic data daily. When HIPAA first came out, vulnerability
interchange in the US health care system. assessments, patching and configuration reme-
diation were only typically performed quarterly at
HIPAA Security and Privacy Rule best. Now with zero-day threats, lack of a de-
Within Administration Simplification exists the fined network perimeter and focus on information
3. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
protection, the need for real-time patching and Using frameworks such as ISO-17799 or ITIL
proactive endpoint and data protection is a basic helps CE’s by giving them a structure with which
requirement. to protect their IT assets. Also, when an organi-
zation decides to formally embrace a framework,
The following steps in this white paper will show it sends a strong message of its commitment to
you how to get that global view and how to move information security.
beyond HIPAA for any CE.
Within HIPAA, using a framework can be espe-
Step 1 - Using a Framework for Security cially valuable as it can show others the depth of
The healthcare industry doesn’t have a lack of your security program, and your overall commit-
information security products at its disposal. ment to their security and privacy. As security
Data centers are stocked full of racks of firewalls, is becoming a differentiating factor, the use of
VPN’s, security appliances and much more. a framework can differentiate your organization
While the underlying infrastructure is there, the from insecure ones.
challenges CE’s face is making these products
work together, to provide adequate security, and Step 2 – Risk Assessment
to support their HIPAA compliance effort. The foundation of any information security pro-
gram must be a formal and comprehensive risk
By employing a well-developed, organized and assessment. If you don’t know your risks, you
enforced set of security policies, and by under- have no idea of your security context, no idea of
standing where your exposures reside, you will who your adversaries are, and in essence, you
be better prepared for issues when they occur. are shooting in the security dark. CE’s that jump
Organizations that do not define and enforce se- into doing information security without a compre-
curity policies proactively are in for a rough time hensive and formal risk assessment end up do-
when disaster strikes. Simply put, if your security ing a lot of security stuff, but don’t have much to
infrastructure isn’t built on a solid foundation, it is show for it when all is said and done. To properly
bound to collapse under the weight of increased protect your network, you need to create a matrix
threats and vulnerabilities. By creating a security detailing the risks your organization faces, listing
foundation, CE’s can easily deal with any new the level of the threat against the likelihood of it
regulation. happening.
This is especially true given the compliance 80/20 Once the risk assessment is complete, don’t
rule. If you take all of the security and privacy make the mistake of attempting to quickly fix all
regulations and combine them, there is roughly of the problems by creating a huge to-do list and
an 80% commonality between them. The 80/20 then giving it to external consultants to complete.
rules shows that having a core framework in The only way to effectively manage risk on en-
place to deal with the 80% commonality means terprise networks is to approach the remediation
that at worst an enterprise will only have 20% of process in a formal strategic manner - create de-
the new regulation to deal with. tailed project plans under the control of an effec-
tive project manager.
That is where information security frameworks
come into the picture. An information security The beauty of a risk assessment is that it tells
framework contains the assumptions, concepts, you exactly what you need to worry about. If you
risk values, and security practices underlying an don’t take this approach, you end up defending
organization’s information security infrastructure. against murky hackers and vague threats from
Frameworks such as ISO 270013 and 270024 somewhere. A formalized risk assessment gives
and ITIL5 (IT Infrastructure Library) are needed you the knowledge to know who your enemy re-
because current healthcare security projects are ally is; Sun Tzu would be proud.
much more complex than those of years past.
Frameworks provide the formal approach to se- A risk assessment is the ultimate commitment to
curity, especially since too many CE’s take an ad HIPAA, as it shows that a CE isn’t simply trying to
hoc approach to security, which is an abomina- take a rubber stamp approach to HIPAA, rather
tion to every security professional. they are trying to get to the core of the security
and privacy issues. More importantly, it shows
4. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
that a CE is focusing on the real threats, rather configuration consistency within your organiza-
than on perceived external threats. tion. The benefits of Standard Operating Proce-
dures (SOP) are immense and include:
Step 3 – The 3 P’s • Standardize operations among divisions
(Policy, Processes, Procedures) and departments
CE’s need information security policies to ensure • Reduce confusion
a safe and sound infrastructure. Security policies • Designate responsibility
are often the first step in ensuring that corporate • Improve accountability of personnel
assets are not squandered by some nefarious • Record the performance of all tasks and
employees. Security policies are like fiber, that their results
is, the kind you eat. Everyone agrees that fiber • Reduce costs
is good for you, but no one really wants to eat it • Reduce liability
- so too with information security policies. They
are sorely needed, but most users don’t go out of There are many sources for SOP’s, some of
their way to comply with them. And in many CE’s, which include:
they are not even trained in what they have to do. • ISO 17799
But failure to have adequate information security • CoBIT
policies can lead to myriad risks for a CE. • NIST 800 series
• Standards for Security Categorization
The centrality of information security policies of Federal Information and Information
to virtually everything that happens in the infor- Systems (FIPS 199)
mation security field is increasingly evident. For • ITIL
example, system administrators cannot secure-
ly and effectively install a firewall unless they Step 4 – Training and Awareness
have received a set of clear information security Effective information security training and aware-
policies. These policies will stipulate the type of ness effort can’t be initiated without first writing
transmission services that should be permitted, information security policies which provide the
how to authenticate the identities of users, and essential content for training and awareness ma-
how to log security-relevant events. terials. Establishing clear expectations through
an information security awareness program is a
Similarly, an effective information security train- critical element of an effective and enforceable
ing and awareness effort cannot be initiated with- set of policies.
out first writing information security policies, be-
cause policies provide the essential content upon Awareness is specifically required in HIPAA sec-
which training and awareness material rely. It is tion § 164.308 Administrative safeguards, which
for these reasons that every major regulation or states in section (5)(i) Standard: Security aware-
standard relating to information security and/or ness and training. Implement a security aware-
data privacy specifically requires written security ness and training program for all members of its
policy documents. workforce (including management).
A comprehensive set of security policies are re- So important is awareness that The Standard of
quired to map abstract security concepts to the Good Practice for Information Security from the
real world implementation of your security solu- Information Security Forum (ISF) writes that spe-
tions as policy defines the aims and goals of the cific activities should be undertaken, such as a
CE. security awareness program, to promote security
awareness to all individuals who have access to
Security processes can help a CE optimize their the information and systems of the organization,
IT security infrastructure. The more complex an with the objective to ensure all relevant individu-
organization’s IT security infrastructure becomes, als apply security controls and prevent important
the more important it is to follow consistent and information used throughout the organization
formal security operational processes and poli- from being compromised or disclosed to unau-
cies. thorized individuals.
Effective procedures ensure a standard level of The ISF defines security awareness as the ex-
5. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
tent to which staff understand the importance of Moving Beyond HIPAA
information security, the level of security required Once you take care of the above fundamental
by the organization and their individual security steps, go full-steam into HIPAA compliance. It
responsibilities. is also important to do these steps before using
a solution. But once that is done, Lumension’s
One of the major problems with all information suite of proactive security solutions can help in
security policies revolves around management your HIPAA program to ensure that confidential
not knowing whether users have read and un- medical records, specifically patient health in-
derstood the policies. If users have not read the formation, remain secure.
policies, they may ignorantly do things that cause
security problems, for example, opening a file Endpoints, especially ones that move on and
sent as an email attachment without scanning the off the network, are extremely vulnerable to
file with a virus detection package. If users have data threats as their configurations drift over
read the policies, but not sufficiently understood time and not kept up-to-date with the latest
them, they may do things that cause security anti-virus and operating system and application
problems. patches. Add to this unmanaged removable
media (podslurpers) and insecure applications,
The true test of understanding would be obser- which together can easily open the floodgates
vation in real-world working environments, but for data to escape into the wrong hands, wheth-
that is too expensive for many CE’s. As the next er intentionally or accidentally.
best thing, users can be tested to determine that
they understood the policy, and if they pass a The fact that so many endpoints are infested
quiz, then access privileges may be granted. For with spyware, keyloggers and other types of
example, a worker who wanted to telecommute malware, which so easily compromise the in-
could read the telecommuting security policy, tegrity and confidentiality of patient information,
take a quiz, and get a passing score, at which should give any CIO pause.
point management would authorize the user to
gain access to the organization’s internal network Lumension Security’s Proactive Security Suite
over the Internet using a virtual private network. ensures ePHI privacy by providing the neces-
In sophisticated organizations, such privileges sary controls to manage the data flowing to and
may be enabled automatically based on a quiz from network endpoints and by rapidly secur-
delivered through an intranet computer-based ing endpoint configurations and patching and
training system or software. remediating software vulnerabilities that could
leave IT assets and sensitive data exposed.
Some of these solutions include:
Solution Benefits
Lumension Security • Complete network-based scanning solution enables assessment and
Vulnerability Management analysis of threats impacting all network devices.
• Proactive management of threats through automated collection, analysis,
and delivery of patches (all major operating systems and applications) across
heterogeneous networks.
• Out-of-the-box regulatory and standards-based assessment to ensure
endpoints are properly configured.
• Custom remediation capabilities to address configuration issues, remove
unauthorized files and applications, address zero-day threats, patch custom
software and more.
Lumension Security Policy-based enforcement of application use to secure your endpoints from
Endpoint Protection malware, spyware and unwanted or unlicensed software.
Lumension Security Policy-based enforcement of removable device use to control the flow of
Data Protection inbound and outbound data from your endpoints.
Lumension Security Robust data warehouse that enables easy creation and sharing of reports on
Reporting and Compliance all aspects of your security efforts in support of policy compliance.
6. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
The following table lists just some of the many benefits in which Lumension Security’s Proactive Security
Suite helps CE’s:
Main Benefit Other Benefits
Comply with HIPAA • Reduce the risk of ePHI from being improperly disclosed
requirements for safeguarding • Prove compliance with HIPAA by providing a detailed audit trail of all
the integrity and availability of device and application execution attempts, by tracking data that is copied
ePHI to and from removable devices and by controlling what data is allowed to
be copied to a device at the file level
• Patch and remediate vulnerabilities before they can be exploited to
access ePHI
• Control and monitor the flow of inbound and outbound ePHI with
removable media and devices
• Identify organizational security holes in the protection of ePHI through
comprehensive auditing capabilities
Prevent malware execution • Protect against network security breaches where ePHI could be exposed
originating at an endpoint to fraud
• Enable the transmission, integrity, confidentiality and retention of ePHI
without disruption, corruption or loss
Improve IT system performance • Prevent unwanted applications and devices from burdening network
bandwidth
• Enable faster computing resources on network, laptops and PCs
• Maintain PCs’ performance as new with configurations remaining stable
Reduce endpoint security TCO • Minimize security or HIPAA compliance crisis response
• Remediate vulnerabilities more quickly and with fewer required
resources
Improve end user productivity • Block unwanted, non-business applications
• Enforce policy to ensure endpoints run as expected
Conclusion
Security and the protection of PHI is more than just firewalls and encryption. By having this broad ap-
proach, and rising above the minimal protection that HIPAA offers, CE’s can ensure that they are HIPAA
compliant not only with the letter of the law, but more importantly, the spirit of the law.
7. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
About the Author
Ben Rothke CISSP, PCI QSA (ben@rothke.com) is a New York based Security Consultant and the author
of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).
About Lumension Security™
Lumension Security™, formed by the combination of PatchLink® Corporation and SecureWave® S.A., is
a recognized, global security management company, providing unified protection and control of enterprise
endpoints for more than 5,100 customers and 14 million nodes worldwide. Leveraging its proven Proactive
Security Model, Lumension Security enables organizations to effectively manage risk at the endpoint by
delivering best-of-breed, policy-based solutions that simplify the entire security management lifecycle. This
includes Vulnerability Management, Endpoint Protection, Data Protection and Reporting Compliance.
Headquartered in Scottsdale, Arizona, Lumension has offices worldwide, including Virginia, Florida, Lux-
embourg, the United Kingdom, Spain, Australia, Hong Kong and Singapore.
Lumension Security™, Inc.
15580 N. Greenway-Hayden Loop, Suite 100
Scottsdale, AZ 85260
www.lumension.com
Footnotes:
1. This is due in part since it is relatively easy to correlate unrelated data.
2. Any organization that routinely handles protected health information in any capacity is in all probability a covered entity.
3. ISO/IEC 27001 is the formal standard against which organizations may seek independent certification of their Information
Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information
security processes and controls systematically and consistently throughout the organizations).
4. ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are re-
sponsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
5. ITIL is a customizable framework of best practices designed to promote quality computing services in the information technol-
ogy sector.