The team conducted a cybersecurity assessment of a dental office which included a vulnerability assessment, wireless audit, and HIPAA inspection. They found many vulnerabilities and non-compliances initially. The team then developed a security plan, disaster recovery plan, and conducted remediation activities. This improved the security posture and HIPAA compliance of the dental office. A cost avoidance analysis was also performed to demonstrate the benefits of the project.
Presentation that briefly covers HIPAA and concentrates on the Risk Assessment portion, which is a requirement for overall compliance and meaningful use.
Meaningful Use and Security Risk Analysis (Evan Francen)
Presentation delivered by FRSecure president, Evan Francen to the 100+ Iowa CPSI User Group attendees on October 18th, 2011.
Meaningful Use Core Requirement "Security Risk Analysis"
Get information on the HIPAA Omnibus rule and how the revised regulations will impact not only healthcare organizations but also covered entities and other IT providers - OConnor Davies - NYC CPA Firm.
In September, OSHA released its latest “Top 10” list of most frequently cited workplace violations. Hear our expert analyze the most common OSHA violations and the overall state of EHS regulatory compliance in 2019.
Use of the COBIT Security Baseline as a framework for an information security program at a large state agency. Presented at the 2005 MN Govt IT Symposium.
This presentation covers an information security audit checklist. The required checklists for the pre-audit, during-audit and post-audit phases are covered, with a sample audit checklist briefly explained.
My presentation at the 7th Business Security Conference in Warsaw. Describes ON Semiconductor's approach to implementing a Physical Security Management system globally.
2019 Healthcare Accreditation Regulatory Updates: How Do the New Regulations ... (Triumvirate Environmental)
Recently there have been regulatory updates that affect healthcare facilities including standards that apply to hospital accreditation. The Joint Commission applies standards that pertain to federal Medicare and Medicaid reimbursement. Has your facility adapted to comply with the current and updated standards? Hear our expert provide a comprehensive look at the “Environment of Care” and see how to better adapt your facility to ensure the health and safety of hospital staff, patients, and visitors.
The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS) have recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures which have been collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation will share details on the changes to the most recent version of the controls and share insights into the development of the controls, future evolutions, along with practical tips collected from organizations actively involved in implementing these controls.
More practical insights on the 20 critical controls (EnclaveSecurity)
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls were released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus around what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Compliance with medical standards iec 62304, iso 14971, iec 60601, fda title ... (Intland Software GmbH)
Check out our latest webinar to learn more about complying with IEC 62304, ISO 14971, IEC 60601, and relevant FDA regulations (for instance, Title 21 CFR Part 11 about electronic signatures). In this webinar, we discussed the requirements set forth by these standards. We also showed our Intland's Medical IEC 62304 Template to leverage codeBeamer ALM's advanced capabilities and to facilitate compliance with these regulations.
This presentation will give you an overview of a safety management system, the importance of safety, incident, accident and near miss, hazards and risk assessment, risk matrix, risk controls and mitigation plan.
A firewall risk assessment is a detailed assessment approach of a firewall topology and configuration that has been implemented to protect your information, systems, applications, and overall business operations.
Because many organizations don't perform security unless they have to, more than 80% of all web applications are being exposed to vulnerabilities. In comes regulation. There are a number of different industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if any, as well as the shortcomings of each. Finally, it will further address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
OCR is increasing its audits of the HIPAA compliance of health care providers. An OCR audit that finds noncompliance may lead to a significant fine or financial settlement. Adam Greene, partner at Davis Wright Tremaine and past regulator at OCR, will review the latest information about the OCR audit program, including OCR’s focus on information security risk analysis and ensuring that breach notification policies and procedures are up-to-date consistent with recent regulatory changes. Learn about recent changes to HIPAA rules, the focus of upcoming audits, the importance of a good breach response program to reduce potential liability, and how best to prepare your organization. In addition, you’ll hear how to prepare for and respond to the inevitable data breach.
To View the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/ocr-hipaa-audits...will-you-be-prepared/r-general
Health Insurance Portability and Accountability Act (HIPAA) Compliance (ControlCase)
The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omnibus rules.
ControlCase HIPAA Compliance as a Service (CaaS) is an integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC.
Get your Ducks in a Row - The OCR Audit Season is About to Begin (ID Experts)
The HHS Office for Civil Rights has unveiled information about Phase 2 of its HIPAA audits. These audits will be conducted by OCR itself and will focus on high-risk areas and enforcement. Organizations may be hearing from OCR over this summer, with audits to begin in the fall. This webinar will overview some lessons learned from the first round of audits and highlight the changes and process for the next round. Phase 2’s additional focus on compliance with breach notification rule will be discussed. We also will provide some tips to prepare for the audits, which also will be helpful to prepare for any OCR investigation or compliance review.
To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/get-your-ducks-in-a-row-the-ocr-audit-season-is-about-to-begin/r-general
Computer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance (Greenlight Guru)
Understand the FDA's new draft guidance on Computer Software Assurance (CSA).
This presentation originally aired during the 2022 Future of QMS Requirements Virtual Summit.
Six Keys to Securing Critical Infrastructure and NERC Compliance (Lumension)
With the computer systems and networks of electric, natural gas, and water distribution systems now connected to the Internet, the nation’s critical infrastructure is more vulnerable to attack. A recent Wall Street Journal article stated that many utility IT environments have already been breached by spies, terrorists, and hostile countries, often leaving bits of code behind that could be used against critical infrastructure during times of hostility. The U.S. Cyber Consequence Unit declared that the cost of such an attack could be substantial: “It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD - the equivalent of 50 major hurricanes hitting U.S. soil at once.”
Vulnerability and exposure of utilities’ critical infrastructures originate from the Supervisory Control and Data Acquisition (SCADA) and Distribution Automation (DA) systems that communicate and control devices on utility grids and distribution systems. Many of these systems have been in operation for years (sometimes for decades), and are not designed with security in mind. Regulatory bodies have recognized the many security issues to critical infrastructure and have begun to establish and enforce requirements in an attempt to shore up potential exposures. One such regulation is NERC CIP, which includes eight reliability standards consisting of 160 requirements for electric and power companies to address. And as of July 1, 2010, these companies must be “auditably compliant” or else they risk getting slapped with a $1 million per day, per CIP violation.
In this roundtable discussion, we will highlight:
• The security challenges facing utilities today
• The six critical elements to achieving economical NERC CIP compliance
• How utilities can secure critical infrastructure in today’s networked environment
What Covered Entities Need to Know about OCR HIPAA Audits (Iatric Systems)
Learn how to be better prepared to comply with today's patient privacy rules and regulations.
Hosted by HealthITSecurity.com, you'll get insight directly from HIPAA officer Iliana L. Peters, J.D., LL.M. As senior advisor for HIPAA Compliance and Enforcement, she is today's leading source for understanding HIPAA requirements.
Ms. Peters presents OCR’s 2017 to 2018 goals and objectives and tells you how you can:
-Uncover the patient privacy risks and vulnerabilities in your healthcare organization
-Determine where you can use technology to assist in and encourage consistent compliance
-Manage risk when vendors have access to your patient data
Securing Healthcare Data on AWS for HIPAA (Alert Logic)
Get the scoop on addressing HIPAA compliance requirements and using DevOps and a Security Operations Center (SOC) to assist with compliance.
Slides from AWS Healthcare Meetup in NYC with Logicworks and Alert Logic on May 4, 2016.
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
The must have tools to address your HIPAA compliance challenge (Compliancy Group)
A panel of experts from the companies that were chosen as “5 Key tools to help your organization achieve HIPAA compliance”. In this webinar we will highlight ways for you and your organization to use tools to make the task of HIPAA compliance easier and more effective.
Panelist:
Bob Grant ex HIPAA auditor and CCO of Compliancy Group LLC
Andy Nieto, Health IT Strategist at DataMotion
April Sage Director of Healthcare IT at Online Tech
Asaf Cidon CEO and co-founder of Sookasa
Daryl Glover Exec VP Strategic Initiatives of qliqSOFT
1. Cybersecurity Assessment for Soft Touch Dentistry
Perry Escamilla, Kevin Jones, Jim Patterson,
Leon Slack, Jason Smith & Robert Valdez
National University, Capstone
Professor Bane
2. Summary
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Auditing, Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
• Conclusion
National University2 Jason
3. Organization Chart
• Jason Smith, Project Manager
• Kevin Jones, Vulnerability Assessor
• Leon Slack, Disaster Recovery
• Robert Valdez, HIPAA Auditor
• Perry Escamilla, Remediation Planner
• Jim Patterson, Security Planner
5. Project Overview
• Soft Touch Dentistry is a small dental office in Murrieta, CA. Team
Ruby, comprised of six students from National University, proposed to
the dentistry a project to conduct a cybersecurity assessment of their
medical practice.
• The assessment consisted of a vulnerability assessment, wireless
audit and a HIPAA inspection.
• Furthermore, Team Ruby put together a Business Continuity Plan,
Disaster Recovery plan and a Security Plan for the dentistry to assist
them with those items as well.
• Lastly, Team Ruby performed a cost avoidance analysis to
demonstrate how their project benefited the dentistry and how the
dentistry was able to now avoid some future costs because of the
project being performed for them.
12. Purpose
HIPAA is the Health Insurance Portability and Accountability
Act. There are thousands of organizations that must comply
with the HIPAA Security Rule. The Security Rule is just one part
of the federal legislation that was passed into law in August
1996.
The purpose of the Security Rule:
• To allow better access to health insurance
• Reduce fraud and abuse
• Lower the overall cost of health care
13. Administrative Safeguards
Compliance with the Administrative Safeguards portion must include
implementation of the following:
• Conduct a risk analysis
• Implement risk management controls
• Develop a security plan
• Conduct periodic information system reviews and training
14. Physical Safeguards
Compliance with the Physical Safeguards portion must include
implementation of the following:
• Contingency operations
• Limit facility access and restricting levels of access
• Proper management of organization's computer systems and network
• Appropriate device and media controls
15. Technical Safeguards
Compliance with the Technical Safeguards portion must include
implementation of the following:
• Appropriate access controls such as unique user IDs and permissions
• Automatic logoff procedures
• Encryption and decryption procedures
• Measures to ensure integrity of ePHI
16. Key Elements of Compliance
• Senior Management Support is essential
• Conduct and maintain inventory of ePHI
• Conduct regular and detailed risk analysis
• Determine what is appropriate and reasonable
• Develop and implement security policies
• Prepare for ongoing compliance
• Maintain a security-minded culture within workplace
17. Penalties
Civil penalties range from $100 to $50,000 per violation, with an annual maximum penalty of $1.5 million, depending on the degree of negligence.
Criminal penalties, including imprisonment, may also be imposed in addition to civil penalties.
Additional Negatives:
• Negative publicity
• Loss of customers
• Loss of business
• Legal liability
19. Soft Touch Dentistry Initial Assessment

| Safeguards | Security Standard | Assessment Percentage | Compliance Rating |
|---|---|---|---|
| Administrative Safeguards | §164.308(a)(1)(i) Security Management Process | 25% | Partial |
| Administrative Safeguards | §164.308(a)(2) Assigned Security Responsibility | 25% | Partial |
| Administrative Safeguards | §164.308(a)(3)(i) Workforce Security | 4% | Partial |
| Administrative Safeguards | §164.308(a)(4)(i) Information Access Management | 20% | Partial |
| Administrative Safeguards | §164.308(a)(5)(i) Security Awareness and Training | 13% | Partial |
| Administrative Safeguards | §164.308(a)(6)(i) Security Incident Procedures | 0% | Non-Compliant |
| Administrative Safeguards | §164.308(a)(7)(i) Contingency Plan | 0% | Non-Compliant |
| Administrative Safeguards | §164.308(a)(8) Evaluation | 25% | Partial |
| Administrative Safeguards | §164.308(b)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant |
| Physical Safeguards | §164.310(a)(1) Facility Access Controls | 0% | Non-Compliant |
| Physical Safeguards | §164.310(b) Workstation Use | 0% | Non-Compliant |
| Physical Safeguards | §164.310(c) Workstation Security | 0% | Non-Compliant |
| Physical Safeguards | §164.310(d)(1) Device and Media Controls | 0% | Non-Compliant |
| Technical Safeguards | §164.312(a)(1) Access Control | 0% | Non-Compliant |
| Technical Safeguards | §164.312(b) Audit Controls | 0% | Non-Compliant |
| Technical Safeguards | §164.312(c)(1) Integrity | 0% | Non-Compliant |
| Technical Safeguards | §164.312(d) Person or Entity Authentication | 0% | Non-Compliant |
| Technical Safeguards | §164.312(e)(1) Transmission Security | 0% | Non-Compliant |
| Organizational Requirements | §164.314(a)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant |
| Organizational Requirements | §164.314(b)(1) Requirements for Group Health Plans | 0% | Non-Compliant |
| Policy, Procedures, and Documentation | §164.316(a) Policy and Procedures | 0% | Non-Compliant |
| Policy, Procedures, and Documentation | §164.316(b)(1) Documentation | 0% | Non-Compliant |
20. Soft Touch Dentistry Post Team Ruby

| Safeguards | Security Standard | Assessment Percentage | Compliance Rating |
|---|---|---|---|
| Administrative Safeguards | §164.308(a)(1)(i) Security Management Process | 88% | Partial |
| Administrative Safeguards | §164.308(a)(2) Assigned Security Responsibility | 100% | Compliant |
| Administrative Safeguards | §164.308(a)(3)(i) Workforce Security | 68% | Partial |
| Administrative Safeguards | §164.308(a)(4)(i) Information Access Management | 60% | Partial |
| Administrative Safeguards | §164.308(a)(5)(i) Security Awareness and Training | 38% | Partial |
| Administrative Safeguards | §164.308(a)(6)(i) Security Incident Procedures | 100% | Compliant |
| Administrative Safeguards | §164.308(a)(7)(i) Contingency Plan | 42% | Partial |
| Administrative Safeguards | §164.308(a)(8) Evaluation | 75% | Partial |
| Administrative Safeguards | §164.308(b)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant |
| Physical Safeguards | §164.310(a)(1) Facility Access Controls | 93% | Partial |
| Physical Safeguards | §164.310(b) Workstation Use | 100% | Compliant |
| Physical Safeguards | §164.310(c) Workstation Security | 100% | Compliant |
| Physical Safeguards | §164.310(d)(1) Device and Media Controls | 56% | Partial |
| Technical Safeguards | §164.312(a)(1) Access Control | 41% | Partial |
| Technical Safeguards | §164.312(b) Audit Controls | 0% | Non-Compliant |
| Technical Safeguards | §164.312(c)(1) Integrity | 0% | Non-Compliant |
| Technical Safeguards | §164.312(d) Person or Entity Authentication | 0% | Non-Compliant |
| Technical Safeguards | §164.312(e)(1) Transmission Security | 0% | Non-Compliant |
| Organizational Requirements | §164.314(a)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant |
| Organizational Requirements | §164.314(b)(1) Requirements for Group Health Plans | 0% | Not Applicable |
| Policy, Procedures, and Documentation | §164.316(a) Policy and Procedures | 100% | Compliant |
| Policy, Procedures, and Documentation | §164.316(b)(1) Documentation | 100% | Compliant |
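As an added example (not part of the Team Ruby deck), the following Python script holds the before-and-after scores from slides 19 and 20 and derives from them the compliance ratings, the average score per safeguard family, and the standards still open after remediation, which is what a HIPAA risk analysis would carry forward into the next plan of action. The rating rule (0% is Non-Compliant, 100% is Compliant, anything in between is Partial) is inferred from the two tables; the `Standard` record and the function names are this example's own.

```python
"""Track HIPAA Security Rule gap-assessment scores before and after remediation.

Added example, not from the Team Ruby deck. Percentages are transcribed from
slides 19 (initial) and 20 (post-remediation); the rating rule is inferred from
those slides and is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Standard:
    family: str             # Administrative, Physical, Technical, Organizational, Policy
    cite: str               # e.g. "§164.312(b)"
    name: str
    before: Optional[int]   # assessment percentage; None means Not Applicable
    after: Optional[int]


def rating(pct: Optional[int]) -> str:
    """Map an assessment percentage to the rating vocabulary used on the slides."""
    if pct is None:
        return "Not Applicable"
    if pct <= 0:
        return "Non-Compliant"
    if pct >= 100:
        return "Compliant"
    return "Partial"


STANDARDS: List[Standard] = [
    Standard("Administrative", "§164.308(a)(1)(i)", "Security Management Process", 25, 88),
    Standard("Administrative", "§164.308(a)(2)", "Assigned Security Responsibility", 25, 100),
    Standard("Administrative", "§164.308(a)(3)(i)", "Workforce Security", 4, 68),
    Standard("Administrative", "§164.308(a)(4)(i)", "Information Access Management", 20, 60),
    Standard("Administrative", "§164.308(a)(5)(i)", "Security Awareness and Training", 13, 38),
    Standard("Administrative", "§164.308(a)(6)(i)", "Security Incident Procedures", 0, 100),
    Standard("Administrative", "§164.308(a)(7)(i)", "Contingency Plan", 0, 42),
    Standard("Administrative", "§164.308(a)(8)", "Evaluation", 25, 75),
    Standard("Administrative", "§164.308(b)(1)", "Business Associate Contracts", 0, 100),
    Standard("Physical", "§164.310(a)(1)", "Facility Access Controls", 0, 93),
    Standard("Physical", "§164.310(b)", "Workstation Use", 0, 100),
    Standard("Physical", "§164.310(c)", "Workstation Security", 0, 100),
    Standard("Physical", "§164.310(d)(1)", "Device and Media Controls", 0, 56),
    Standard("Technical", "§164.312(a)(1)", "Access Control", 0, 41),
    Standard("Technical", "§164.312(b)", "Audit Controls", 0, 0),
    Standard("Technical", "§164.312(c)(1)", "Integrity", 0, 0),
    Standard("Technical", "§164.312(d)", "Person or Entity Authentication", 0, 0),
    Standard("Technical", "§164.312(e)(1)", "Transmission Security", 0, 0),
    Standard("Organizational", "§164.314(a)(1)", "Business Associate Contracts", 0, 100),
    Standard("Organizational", "§164.314(b)(1)", "Requirements for Group Health Plans", 0, None),
    Standard("Policy", "§164.316(a)", "Policy and Procedures", 0, 100),
    Standard("Policy", "§164.316(b)(1)", "Documentation", 0, 100),
]


def rating_counts(which: str) -> Dict[str, int]:
    """Count standards per rating for the 'before' or 'after' column."""
    counts: Dict[str, int] = {}
    for s in STANDARDS:
        r = rating(getattr(s, which))
        counts[r] = counts.get(r, 0) + 1
    return counts


def family_average(family: str, which: str) -> float:
    """Mean percentage for one safeguard family, skipping Not Applicable standards."""
    vals = [getattr(s, which) for s in STANDARDS
            if s.family == family and getattr(s, which) is not None]
    return round(sum(vals) / len(vals), 1)


def open_gaps() -> List[str]:
    """Standards still Non-Compliant after remediation: the next POA&M items."""
    return [s.cite for s in STANDARDS if rating(s.after) == "Non-Compliant"]


if __name__ == "__main__":
    print("before:", rating_counts("before"))
    print("after: ", rating_counts("after"))
    for fam in ("Administrative", "Physical", "Technical", "Organizational", "Policy"):
        print(f"{fam:15s} {family_average(fam, 'before'):5.1f}% -> {family_average(fam, 'after'):5.1f}%")
    print("still open:", open_gaps())
```

The remaining gaps the script reports are exactly the four technical standards that stayed at 0% on slide 20 (audit controls, integrity, authentication, transmission security), which is the group the later wireless and vulnerability findings on this deck bear on most directly.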
21. New Soft Touch Dentistry Policies
• Access, Use and Disclosure
• Request for Accounting of Disclosures
• Disclosure of Patient Information to the Public
• Release of Information to Media and Public
• Network, and E-mail Usage (Acceptable Use)
• Facsimile of Information
• Notice of Privacy Practices
• Information Security Program
• Information Security Incident Reporting and Response
• Soft Touch Dentistry Compliance Program
• Credit Card and Payment Card Information Protection
24. What Was Found
• The wireless password was all numbers: 129458866.
• The wireless network was protected by WEP (Wired Equivalent Privacy).
• The password was available for anyone to use.
• The wireless network was connected to the physical business network.
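The four findings above are the kind of thing a wireless audit should catch mechanically, so here is an added example (not from the Team Ruby deck) of a small Python checker that evaluates a wireless configuration record against those same four points: encryption in use, passphrase composition and keyspace, whether the key is shared with visitors, and whether the Wi-Fi sits on the same segment as the business LAN. The `WlanConfig` record, the 60-bit keyspace threshold and the sample configurations are this example's assumptions; the 9-digit key is the one reported on slide 24.

```python
"""Evaluate a wireless network configuration against basic hardening expectations.

Added example, not from the Team Ruby deck. The checks mirror the four findings
on slide 24; the record type, the 60-bit threshold and the sample configs are
constructed for this example.
"""
import math
from dataclasses import dataclass
from typing import List

# Encryption modes that give no effective confidentiality on the air.
WEAK_SECURITY = {"open", "wep"}
MIN_KEYSPACE_BITS = 60.0   # assumption: below this a pre-shared key is treated as too weak


@dataclass
class WlanConfig:
    ssid: str
    security: str             # "open", "wep", "wpa2-psk", "wpa3-sae", ...
    passphrase: str
    shared_with_visitors: bool
    same_segment_as_lan: bool  # no VLAN/firewall between the Wi-Fi and the office LAN


def keyspace_bits(passphrase: str) -> float:
    """Upper bound on passphrase strength: log2(alphabet_size ** length), 1 decimal."""
    alphabet = 0
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33   # printable ASCII punctuation
    return round(len(passphrase) * math.log2(alphabet), 1) if alphabet else 0.0


def audit_wlan(cfg: WlanConfig) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    findings = []
    if cfg.security.lower() in WEAK_SECURITY:
        findings.append(f"{cfg.ssid}: {cfg.security.upper()} gives no effective confidentiality; "
                        "move to WPA2-PSK (AES) or WPA3")
    if cfg.passphrase.isdigit():
        findings.append(f"{cfg.ssid}: pre-shared key is all digits")
    bits = keyspace_bits(cfg.passphrase)
    if bits < MIN_KEYSPACE_BITS:
        findings.append(f"{cfg.ssid}: pre-shared key keyspace is only {bits} bits")
    if cfg.shared_with_visitors:
        findings.append(f"{cfg.ssid}: key is handed out to patients/visitors; use a separate guest SSID")
    if cfg.same_segment_as_lan:
        findings.append(f"{cfg.ssid}: wireless is bridged to the business LAN; segment it behind a firewall")
    return findings


# Constructed sample configurations: the state found on slide 24, and a hardened one.
AS_FOUND = WlanConfig("office-wifi", "wep", "129458866", True, True)
HARDENED = WlanConfig("office-wifi", "wpa2-psk", "Molar-Crown-Floss-2016!", False, False)

if __name__ == "__main__":
    for cfg in (AS_FOUND, HARDENED):
        print(cfg.ssid, cfg.security, audit_wlan(cfg) or ["no findings"])
```

The keyspace figure is deliberately an upper bound (it assumes every character is chosen uniformly from the alphabet the passphrase uses), so a real nine-digit key scores about 30 bits at best; the point of the check is to make that number visible to the office owner rather than to grade passphrases precisely.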
26. SANS Institute Case Study
• Study performed by Daniel O’Dorisio
• Submitted 12/23/2003
• Singled out five regulations in 164.312 that pertain to wireless communication.
• Expressed the language of the HIPAA safeguards in regular terms and how they could be breached by wireless vulnerabilities.
27. HIPAA Safeguards
• 164.312 Person Authentication
  • A covered entity must, in accordance with Sec. 164.306: (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• 164.312 Access Control
  • A covered entity must, in accordance with Sec. 164.306: (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
28. HIPAA Safeguards
• 164.312 Integrity
  • A covered entity must, in accordance with Sec. 164.306: (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• 164.312 Transmission Security
  • A covered entity must, in accordance with Sec. 164.306: (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
30. Vulnerability Assessment Defined & Tool
• “A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise” (SANS, 2001).
• Retina
  • Ease of use
  • Free trial (savings of $1,700)
  • Industry-accepted tool
  • Fast local scans (3 – 10 minutes per machine)
31. High, Medium & Low
• High: May result in the highly costly loss of assets; risks that significantly violate, harm or impede operations
• Medium: May result in the costly loss of assets; risks that violate, harm, or impede operations
• Low: May result in the loss of some assets or may affect operations
32. Vulnerabilities Found
Total Findings – 1,137 (76% fixed)
• Findings Fixed: 862
• High Not Fixed: 3
• High False Positive: 1
• Medium Not Fixed: 29
• Medium False Positives: 24
• Low Not Fixed: 218
33. Vulnerabilities Found (Continued)
High & Medium Findings Fixed – 862 (94%)
• Findings Fixed: 862
• High Not Fixed: 3
• High False Positive: 1
• Medium Not Fixed: 29
• Medium False Positives: 24
34. Plan of Action & Milestones (Open)
35. Plan of Action & Milestones (Closed)
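Slides 32 through 35 summarise scanner output into two remediation percentages and an open/closed plan of action and milestones (POA&M). As an added example (not from the Team Ruby deck, and not Retina output), the Python below takes a flat list of finding records with the slide-31 severity scale and a status of Fixed, Not Fixed or False Positive, and computes those same metrics: overall fixed rate, High & Medium fixed rate, open counts per severity, and the open and closed POA&M lists. The finding records are constructed so that the totals match slides 32 and 33; the deck does not split the 862 fixed findings by severity, so the 431/431 split below, the record layout, and the rule that Fixed and False Positive both count as closed are assumptions of this example.

```python
"""Summarise vulnerability-scan findings into remediation metrics and a POA&M.

Added example, not from the Team Ruby deck and not Retina output. Finding
records are constructed so the counts match slides 32 and 33.
"""
from collections import Counter
from typing import Dict, List, Tuple

SEVERITIES = ("High", "Medium", "Low")           # severity scale from slide 31
STATUS_CODE = {"Fixed": "FX", "Not Fixed": "NF", "False Positive": "FP"}

# Constructed counts: (severity, status) -> number of findings. The 862 fixed
# findings are split evenly between High and Medium purely as an assumption.
SAMPLE_COUNTS: Dict[Tuple[str, str], int] = {
    ("High", "Fixed"): 431,
    ("Medium", "Fixed"): 431,
    ("High", "Not Fixed"): 3,
    ("High", "False Positive"): 1,
    ("Medium", "Not Fixed"): 29,
    ("Medium", "False Positive"): 24,
    ("Low", "Not Fixed"): 218,
}


def make_findings(counts: Dict[Tuple[str, str], int]) -> List[dict]:
    """Expand a count table into one record per finding with a unique id."""
    findings = []
    for (sev, status), n in counts.items():
        for i in range(n):
            findings.append({"id": f"{sev[0]}-{STATUS_CODE[status]}-{i:04d}",
                             "severity": sev, "status": status})
    return findings


def summarize(findings: List[dict]) -> dict:
    """Compute the headline numbers shown on slides 32 and 33."""
    by = Counter((f["severity"], f["status"]) for f in findings)
    total = len(findings)
    fixed = sum(n for (_, st), n in by.items() if st == "Fixed")
    hm_total = sum(n for (sev, _), n in by.items() if sev in ("High", "Medium"))
    hm_fixed = sum(n for (sev, st), n in by.items()
                   if sev in ("High", "Medium") and st == "Fixed")
    return {
        "total": total,
        "fixed": fixed,
        "fixed_pct": round(100 * fixed / total),                # slide 32: 76%
        "high_medium_fixed_pct": round(100 * hm_fixed / hm_total),  # slide 33: 94%
        "open": {sev: by[(sev, "Not Fixed")] for sev in SEVERITIES},
        "false_positives": sum(n for (_, st), n in by.items() if st == "False Positive"),
    }


def open_poam(findings: List[dict]) -> List[dict]:
    """Open POA&M items: everything Not Fixed, highest severity first."""
    order = {sev: i for i, sev in enumerate(SEVERITIES)}
    return sorted((f for f in findings if f["status"] == "Not Fixed"),
                  key=lambda f: (order[f["severity"]], f["id"]))


def closed_poam(findings: List[dict]) -> List[dict]:
    """Closed POA&M items: Fixed, plus False Positives (assumed closed on review)."""
    return [f for f in findings if f["status"] in ("Fixed", "False Positive")]


if __name__ == "__main__":
    fs = make_findings(SAMPLE_COUNTS)
    print(summarize(fs))
    print("open items:", len(open_poam(fs)), "closed items:", len(closed_poam(fs)))
```

Keeping false positives as their own status, rather than deleting them, is what lets the second percentage be reproduced: the 94% on slide 33 is 862 of 919 High and Medium findings, so false positives were evidently still in the denominator when that figure was drawn.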
37. Initial Findings
Physical Description of the Site
• Located at 25395 Hancock Ave. and is zoned as Office Research Park (ORP) by the city of Murrieta
• The site is between two major freeways, approximately 1 mile east of the I-15 and 0.4 miles west of the I-215, and approximately 0.3 miles north of Murrieta Hot Springs Rd.
• Parcel Map (PM) 26610 and Assessor’s Parcel Number (APN) 910-250-007
• Building construction is Type V–N (also known as V–B): a wood-framed building with no fire protection for the exterior walls
• An unarmed security guard is onsite between 8:00 AM and 5:00 PM during the week, and the site has a general announcing system
38. Initial Findings (cont.)
Physical Description of the Site (cont.)
• The Soft Touch Dental office itself does not have an alarm system or enhanced locks
• The site is approximately 2.2 miles or 6 minutes south of the Murrieta City Police Department at 2 Town Center
• Chances of being a victim of a violent crime are 1 in 1505 in Murrieta as compared to 1 in 252 for the state of California
39. Initial Findings (cont.)
• Physical Description of the Site (cont.)
  • Risk to the Physical Property
    • Fire
      • Greatest risk overall
      • Building construction is Type V-B, which offers no protection for the external walls
      • Proprietor states that they have insurance
    • Flood
      • The site is not in danger of flooding or other related incidents
    • Earthquake
      • Less than 10% chance of major structural damage
      • Building is located on a sandstone formation
      • No major active faults nearby
40. Initial Findings (cont.)
• Office Description
  • The office is located on the 2nd floor and totals less than 800 sq. ft.
  • Contains two entry points
  • Exam room, private office, rest rooms, employee break area, utility/wiring closet and X-ray area
41. Initial Findings (cont.)
• Office Description (cont.)
  • Door between the patient waiting area and exam area is unsecured
  • Utility/wiring closet is unlocked
  • Water heater risk
Photo labels: PBX Switch, Patch Panel, UPS Units, Network Switch, DSL Router
42. Initial Findings (cont.)
• Office Description (cont.)
  • One of the ports is not mounted to the breakout box and thus exposes the wiring to possible damage
Photo label: Exposed wiring
43. Initial Findings (cont.)
• Office Description (cont.)
  • There are no network connections in the private office space. The connections for the server and office workstation are run along the floor out into the hallway and then into the X-ray area
Photo labels: Office Server, Office Workstation, Hallway, Workstation & Server Cable, Office Exit
44. • Office Risks
• Networking and communications equipment at risk from a water heater leak
• Poor wiring may be leading to some spotty network performance
• There are no protections in place on the network. It is recommended that the
network be segmented and a firewall put in place.
Initial Findings (cont.)
45. Initial Findings (cont.)
• Administration
  • Mutual Aid and Assistance Memorandum of Understanding is a verbal commitment
  • Policies and Procedures do not exist for any IT operations
  • Staff performs a manual copy of the server's D: drive on a daily basis to one of two 300 GB external hard drives
• Administrative Risks
  • The current backup process is inadequate and is not saving any of the Dentrix data.
  • The Mutual Aid and Assistance MOU needs to be formalized
  • Written policies and procedures for IT operations need to be developed
46. Asset Inventory and Replacement
• Current Inventory
  • 7 desktop workstations w/ monitors
  • 3 laptop workstations
  • 2 MFC printers
  • 1 server
  • 1 24-port switch
  • 2 5-port switches
• Replacement List and Costs
  • Costs do not reflect any taxes or shipping fees
  • The list assumes that all telecommunication and internet connectivity are in place and functional
47. Asset Inventory and Replacement (cont.)
Estimated cost to replace would be: $9,435.74

Item                     Source          Quantity   Unit Cost   Total Cost
Desktop Workstation      Dell Corp       7          $679.00     $4,753.00
Laptop Workstation       Dell Corp       3          $479.00     $1,437.00
Server                   Dell Corp       1          $1,914.44   $1,914.44
MFC Printer              Canon           2          $148.98     $297.96
24 Port Network Switch   Linksys         1          $177.99     $177.99
Wireless Access Point    Amped Wireless  1          $71.99      $71.99
5 Port Network Switch    Linksys         2          $39.97      $79.94
KVM Switch               Office Depot    1          $73.49      $73.49
Monitors                 Walmart         7          $89.99      $629.93
Total Estimated Costs                                           $9,435.74
48. DRP/BCP Development Approach
• Small Office with Limited Resources
• Key Personnel
  • The Owner
  • The Office Manager
• Mutual Aid and Assistance Memorandum of Understanding
  • Developed one based off of an MOU between the California Emergency Management Agency and the California Dental Identification Team
• Critical Data Sources
  • Dentrix Database
  • Critical Office Correspondence
49. DRP/BCP Development Approach (cont.)
• Critical Services
  • Access to an alternative site
  • Procurement and installation of replacement equipment
  • Restoration of Dentrix data and Dentrix operations
  • Restoration of critical office correspondence data
• Recovery Process
  • In the case of the loss of the office spaces, a 5 day plan has been described in the Disaster Recovery Plan
  • Plan can be tailored down for loss of critical infrastructure
50. DRP/BCP Development Approach (cont.)
• Data Backup and Recovery Plan
  • Continue to use the external hard disk drives
  • Need to run Dentrix back-up process from the Server Administration Utility
  • Need to test encryption of the back-up drives
  • No data restoration procedures have been written at this time
    • Dentrix restoration requires the removal of all database files
    • The office does not have a second server system to use for the restoration check
    • Restoration procedures have been added to the POA&M
• Equipment Restoration Plan
  • Cost was a driving concern
  • Chose business class hardware for server and workstations
52. Managing Enterprise Risk
• Key activities in managing enterprise-level risk—risk resulting from the operation of an information system:
  • Categorize the information system
  • Select set of minimum (baseline) security controls
  • Refine the security control set based on risk assessment
  • Document security controls in system security plan
  • Implement the security controls in the information system
  • Assess the security controls
  • Determine agency-level risk and risk acceptability
  • Authorize information system operation
  • Monitor security controls on a continuous basis
53. Publication Overview
• NIST Special Publication 800-18 (Security Planning)
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-60 Vol 1 & 2 (Security Category Mapping)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-53R4 (Recommended Security Controls)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-66R1 (Guide for Implementing HIPAA)
• ISO/IEC 27000 (Establishing an Information Security Management System (ISMS))
• ISO/IEC 27002 (Code of practice for information security controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)
Source: NIST SP 800-18 Pg 11
54. Categorizing Information and Information Systems
(Source: FIPS 199 Table 1 Pg 6)
Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.
Purpose
• Enabled Soft Touch Dentistry to implement appropriate controls in a cost-effective manner based on potential impact to defined security objectives.
Objectives
• CONFIDENTIALITY: The loss of confidentiality is the unauthorized disclosure of information (ex. ePHI)
• INTEGRITY: The loss of integrity is the unauthorized modification or destruction of information (ex. payment modifications)
• AVAILABILITY: The loss of availability is the disruption of use of or access to information or the information system (ex. ransomware)
Impacts
• A categorization of LOW is defined as having a limited adverse effect on the organization's mission
• A categorization of MODERATE is defined as having a serious effect on the organization's mission
• A categorization of HIGH is defined as having a serious/catastrophic impact on the organization's mission
55. Categorizing Information Types
Identification of Information Types
Information is categorized according to its information type. An information type is a specific category of information, for example:
• Privacy
• Proprietary
• Medical
• Financial
Soft Touch Dentistry Critical Information
• Personally Identifiable Information (PII)
• Patient health information (ePHI)
• Patient credit card and insurance billing information.
Source: NIST SP 800-60 Vol 1 Pg 16
56. Categorizing Information Types (cont.)
D.14.4 Health Care Delivery Services Information Type
Supports the delivery of health care, planning of health services and the managing of clinical information and documentation. The recommended provisional security categorization for health care delivery services information is as follows:
Security Category = {(confidentiality, Low), (integrity, High), (availability, Low)}
Confidentiality
The confidentiality impact level is the effect of unauthorized disclosure of health care delivery services information on the ability of responsible agencies to provide and support the delivery of health care to its beneficiaries. Such disclosure will have only a limited adverse effect on agency operations, assets, or individuals.
Special Factors Affecting Confidentiality Impact Determination: In some cases, unauthorized disclosure of this information, such as privacy-protected medical records, can have serious consequences for agency operations. In such cases, the confidentiality impact level may be moderate.
Source: NIST SP 800-60 Vol 2 Pg 171
57. System Categorization
Provisional Impact Levels
Recommended Integrity Impact Level: Because of the potential for the loss of human life, the provisional integrity impact level recommended for health care delivery services information is high.
(Source: NIST SP 800-60 Vol 2 Pg 172)
Review and Adjust Impact Levels
Organizations should: (i) review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing; (ii) adjust the security objective impact levels as necessary using the special factors guidance found in Volume II, Appendices C and D; and (iii) document all adjustments to the impact levels and provide the rationale or justification for the adjustments.
(Source: NIST SP 800-60 Vol 1 Pg 23)
Final Information System Categorization was evaluated as Moderate
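The categorization mechanics of the two slides above, as an added example that is not part of the original deck: it renders the FIPS 199 security-category notation, records impact-level adjustments with their rationale as step (iii) requires, and derives the system level by the FIPS 199 high-water mark. The provisional levels are the ones quoted from SP 800-60 D.14.4; the adjustments that bring the category down to Moderate are constructed for illustration, since the deck records the final result but not the specific adjustments the team made.

```python
"""FIPS 199 categorization with SP 800-60 adjustments and a high-water mark."""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One SP 800-60 information type with its provisional impact levels."""
    name: str
    provisional: dict
    # Documented adjustments, SP 800-60 step (iii): (objective, new level, rationale)
    adjustments: list = field(default_factory=list)

    def levels(self):
        """Provisional levels with every documented adjustment applied."""
        levels = dict(self.provisional)
        for objective, level, _rationale in self.adjustments:
            if objective not in OBJECTIVES or level not in LEVELS:
                raise ValueError(f"bad adjustment {objective}={level}")
            levels[objective] = level
        return levels


def security_category(levels):
    """Render the FIPS 199 notation used on the slide."""
    inner = ", ".join(f"({o}, {levels[o].capitalize()})" for o in OBJECTIVES)
    return "Security Category = {" + inner + "}"


def high_water_mark(info_types):
    """FIPS 199 system categorization: take the highest level per objective
    across all information types, then the highest objective sets the system level."""
    per_objective = {}
    for objective in OBJECTIVES:
        per_objective[objective] = max(
            (it.levels()[objective] for it in info_types), key=LEVELS.__getitem__)
    overall = max(per_objective.values(), key=LEVELS.__getitem__)
    return per_objective, overall


# Provisional levels for Health Care Delivery Services (SP 800-60 Vol 2, D.14.4, as quoted on the slide)
HEALTH_CARE_DELIVERY = InfoType(
    "health care delivery services",
    {"confidentiality": "low", "integrity": "high", "availability": "low"})

# Constructed adjustments for illustration only: the deck records the final
# categorization as Moderate but not the adjustments it made to get there.
ADJUSTED = InfoType(
    "health care delivery services (adjusted)", HEALTH_CARE_DELIVERY.provisional,
    [("confidentiality", "moderate", "privacy-protected medical records (special factor)"),
     ("integrity", "moderate", "hypothetical: single-provider office with paper-chart fallback")])
```

Running `high_water_mark([HEALTH_CARE_DELIVERY])` yields High, which is why the provisional levels must be reviewed before the Moderate result on the slide can be documented.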
58. NIST Security Control Selection
FIPS 200 – Provides the minimum security requirements covering seventeen (17) security-related areas.
• States that the selected set of controls must include at least one baseline
• Must include all controls in the baseline unless exceptions are based on tailoring
NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• 18 Control Families
  • Seventeen control families for an information system
  • One control family focusing on organization-wide requirements (Program Management)
• Provides a tailored set of baseline security controls based on overall system categorization
  • 159 Controls based on an information system categorized at the Moderate impact level
• Tailoring Controls
  • Provides a cost-effective, risk-based security approach that supports organizational mission/business needs.
  • Identifying Common Security Controls
  • Apply Scoping Considerations
  • Select Compensating Controls
  • Supplement with Control Enhancements
  • Documentation
59. ISO 27002 Security Control Selection
ISO 27002 Security Techniques, Code of Practice for Information Security Controls
• International standard intended to be used as guidance for organizations implementing commonly accepted information security controls
• States that security controls from any or all clauses could be important, therefore each organization applying this standard should identify applicable controls based on how important they are to the specific application
• Contains the actual "best practices" details of what goes into building a comprehensive IT security program
• The selection of controls is dependent upon organizational decisions based on organizational risk acceptance
• May be regarded as a starting point for developing organization-specific guidelines
• 14 Security Clauses (Policies, Human Resource Security, Access Control etc.)
  • 35 Security Control Categories (Policies for Information Security, Review of Policies)
    • Objective
    • 114 Controls
    • Implementation Guidance
    • Other Information
61. Implementing Controls
• Developed Policies
• Patched Software
• Developed Training
• Implemented Access Controls
  • Unique user accounts
  • Strong passwords
  • Group Policy Objects
• Changed Default Passwords
• Made recommendations in POA&M
64. HIPAA Fine Breakdown
• Covered entity was not aware of the violation
  • $100 per violation
  • Not to exceed $25,000
• Violation occurred due to "reasonable cause"
  • $1,000 per violation
  • Not to exceed $100,000
• Due to willful neglect
  • $10,000 per violation
  • Not to exceed $250,000
• Due to willful neglect, violation is not corrected
  • $50,000 per incident
  • Not to exceed $1,500,000
67. Lessons Learned
• Project Management is the key to completing these assessments. Conducting this training while doing the project resulted in lessons learned that were too late to implement
• Small businesses are challenged to maintain compliance with federal regulations
• Understanding the current environment, personnel, equipment, etc. is important prior to finalizing project scope and statement of work
• Creating a work breakdown eliminates confusion for task assignments
68. Conclusion
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
Project Value
• Provided a no-cost vulnerability and HIPAA assessment that resulted in the implementation of controls that significantly hardened the Soft Touch Dentistry information system against attack. Policies and training were also developed that position the organization to take control of their cybersecurity posture in the future.