Information security legislation



  1. Information Security Legislation
     "A Practical Guide to Security Assessments" by Sudhanshu Kairab (Chapter 10)
     Presented by Sohel Imroz, 4/4/2006

  2. Some "not-so-bad" news
     - The U.S. government has set significant penalties for noncompliance with HIPAA
     - Penalties for noncompliance with HIPAA regulations (figures as of this 2006 presentation):
       - Individual noncompliance: up to $100 per violation

  3. Some "very bad" news
     - Penalties for noncompliance with HIPAA regulations (cont'd):
       - Multiple occurrences of the same noncompliance: up to $25,000 per year
       - Wrongful disclosure of health information: up to $50,000 and 1 year in prison

  4. Some "scary" news
     - Penalties for noncompliance with HIPAA regulations (cont'd):
       - Wrongful disclosure of health information under false pretenses: up to $100,000 and 5 years in prison
       - Wrongful disclosure of health information with intent to sell, transfer, or use it: up to $250,000 and 10 years in prison

  5. But, I have good news!

  6. Agenda
     - Why such legislation?
     - Various legislative acts:
       - HIPAA
       - GLBA
       - Sarbanes-Oxley Act
       - Safe Harbor
       - FISMA

  7. HIPAA
     - Health Insurance Portability and Accountability Act
     - Formerly known as the Kennedy/Kassebaum Act
     - Enacted by Congress in 1996
     - Primary purpose:
       - Improve health insurance accessibility for people changing employers or leaving the workforce
       - Provide the "Administrative Simplification" provisions

  8. HIPAA (cont'd)
     - Administrative Simplification provisions:
       - National standards for electronic transactions
       - Unique health identifiers
       - Security standards
       - Privacy and confidentiality

  9. HIPAA (cont'd)
     - Objectives of the Administrative Simplification provisions:
       - Improve the efficiency of the health care system
       - Reduce cost
       - Reduce fraud
       - Protect patient rights
       - Access to consistent clinical data
       - Information availability
       - Security standards for web-based technology

  10. HIPAA (cont'd)
     - Who must comply with HIPAA (the "covered entities"):
       - Health care providers
       - Health plans
       - Health care clearinghouses
     - Key points to note:
       - HIPAA does not say how compliance is to be achieved
       - The requirements are very broad
       - There is a lot of room for interpretation

  11. GLBA
     - Gramm-Leach-Bliley Act
     - Signed into law in November 1999; compliance was required as of July 2001
     - GLBA repealed key provisions of the Glass-Steagall Act
     - Primary purpose (from a privacy standpoint):
       - Provide customers with a privacy notice
       - The privacy notice must be given to the customer BEFORE any business agreement is entered into
       - Customers may "opt out" of having their information shared with nonaffiliated third parties

  12. GLBA (cont'd)
     - GLBA security requirements (the Safeguards Rule):
       - A written information security program
       - Coordination of the information security program by designated staff
       - Regular risk analysis
       - Implementation of controls to mitigate the identified risks
       - Oversight of service providers
       - Ongoing evaluation and adjustment of the program

  13. GLBA (cont'd)
     - Penalties for noncompliance with GLBA:
       - Financial institutions: up to $100,000 for each violation
       - Officers and directors: up to $10,000 for each violation

  14. Sarbanes-Oxley Act
     - Enacted on July 30, 2002
     - A response to a series of corporate financial scandals, e.g. Enron, Tyco International, WorldCom
     - Named after Senator Paul Sarbanes and Representative Michael Oxley

  15. Sarbanes-Oxley Act (cont'd)
     - Some key provisions:
       - CEO and CFO must certify financial reports (Section 302)
       - Ban on personal loans to executive officers (Section 402(a))
       - Prohibition on insider trades during pension fund blackout periods (Section 306)
       - Forfeiture of CEO and CFO bonuses and profits following a financial restatement (Section 304)
       - Criminal and civil penalties (Title IX)
       - Management testing and evaluation of internal controls, with the results reported (Section 404)

  16. Sarbanes-Oxley Act (cont'd)
     - Cost of Sarbanes-Oxley compliance:
       "FEI surveyed 224 public companies with average revenues of $2.5 billion to gauge Section 404 compliance cost estimates. Results showed the total cost of compliance is now estimated at $3.14 million, or 62% more than the $1.93 million estimate identified in FEI's January 2004 survey. The companies surveyed expect to pay their auditors $823,200 in fees for attestation of their internal controls, in addition to the annual audit fees. This compares to the $590,100 companies expected auditors would charge for attestation in January 2004."
     - Source: Financial Executives International (FEI)

  17. Safe Harbor
     - A result of the European Commission's Directive on Data Protection
     - The Directive took effect in October 1998
     - Primary purpose:
       - Personal data may not be transferred from European companies to non-European companies that do not meet the EC's privacy standard

  18. Safe Harbor (cont'd)
     - EU Safe Harbor Principles:
       - Notice: inform individuals about the specific purposes for which data is collected
       - Choice: allow individuals to opt out of disclosure to third parties or of additional uses (opt-in for sensitive information)
       - Onward transfer: require third-party agents who receive personal information to provide the same level of privacy protection

  19. Safe Harbor (cont'd)
     - EU Safe Harbor Principles (cont'd):
       - Access: allow individuals a means to access the personal information held about them
       - Security: take reasonable precautions against loss, misuse, or unauthorized access
       - Data integrity: keep data reliable for its intended use
       - Enforcement: provide a readily available recourse mechanism and procedures for verifying that the principles are implemented

  20. FISMA
     - Federal Information Security Management Act
     - Enacted in 2002
     - Primary purpose:
       - Strengthen information security programs at federal agencies
       - Provide an information security framework
       - The Act itself does not prescribe hard technical standards or guidelines (it delegates those to NIST)

  21. FISMA (cont'd)
     - Key responsibilities:
       - Provide information security commensurate with the associated risk
       - Perform a risk assessment
       - Implement policies and procedures
       - Conduct periodic testing
       - Have a CISO (senior agency information security officer)
       - Conduct ongoing evaluation and adjustment

  22. A Final Thought