What is HIPAA?
• The Health Insurance Portability and Accountability Act, enacted by the U.S. Congress
• Uses electronically exchangeable data to effectively help in healthcare
• Standards are used to monitor confidentiality and security of the patient data
What information is covered under HIPAA?
• Patient Health Information (PHI) is covered under HIPAA
• Any information related to the physical and mental health of the patient in the past, present or future is considered PHI
• PHI is either created or received by the organization in order to properly care for the patient
Why is this important?
• Almost all healthcare units started using electronic medical records to make care more efficient
• This leads to breaches from both outside and within the organization
• One's health information can be used for commercial advantage, personal gain, or malicious harm
Security in HIPAA
• Patients have the right to obtain and amend their PHI
• They also have the right to know how PHI is used and who it is disclosed to
• Administrative measures must include detailed record keeping and procedure compliance
About the Act
• Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act
• Passed in Oct. 2001 by then-President Mr. George Bush Jr.
• Mother of all acts
Effect of PATRIOT Act on E-commerce
• Indirect repercussions
• Stringent measures for B2B and B2C transactions
• Wire transfer of money became difficult
• Increased interference of government in financial activities of institutions
Effect on E-Governance
• Establishment of financial crime network (FinCEN)
• Increased data sharing
• Increased screening of foreign nationals
• Greater emphasis on knowledge management
STOP ONLINE PIRACY ACT (2012)
• Introduced by U.S. Representative Lamar S. Smith in 2011
• Stakeholders of SOPA
▫ Hollywood production houses, e.g. Warner Brothers, Columbia Motion Picture
▫ Recording industry, e.g. Recording Industry Association of America
▫ Broadcasting Association
Organizations opposing the act
• Wikipedia
• Google
• Online video hosting websites
• Websites providing Torrent facility
• Facebook
• Twitter
• Flickr
Implications of SOPA
• Domain name system (DNS) will be affected
• Internal networks - VPN
• Different from PROTECT IP
• Blocking of websites with copyright content
• Blocking the IP addresses
• The Child Online Protection Act (COPA) was a law in the United States of America, passed in 1998.
• The law, however, never took effect, as three separate rounds of litigation led to a permanent injunction against the law in 2009.
COPPA
• Children's Online Privacy Protection Act
• Passed on 22nd April 2000
• Protects the privacy of children
• Destroy the data collected from children of age less than 13 within 1 year
• To have verifiable consent of the parents
• Display the information collected on the website
PROTECT (Prosecutorial Remedies and Other Tools to end the Exploitation of Children Today) Act
• The PROTECT Act of 2003 is a United States law with the stated intent of preventing child abuse.
• Authorizes wiretapping and monitoring of other communications in all cases related to child abuse or kidnapping.
• Provides for mandatory life imprisonment for sex offenses against a minor if the offender has had a prior conviction of abuse against a minor, with some exceptions.
Effects of PROTECT Act
• Bars pre-trial release of persons charged with specified offenses against or involving children.
• Establishes a program to obtain criminal history background checks for volunteer organizations.
• Eliminates statutes of limitations for child abduction or child abuse.
• Assigns a national AMBER Alert Coordinator.
• Prohibits drawings, sculptures, and pictures of such drawings and sculptures depicting minors in actions or situations that meet the Miller test of being obscene.
Sarbanes Oxley Act
• Enron and WorldCom collapse - financial frauds - led to the formation of the Sarbanes Oxley Act
• Key Implications
▫ Independence of audit committee
▫ CEO and CFO certification of financial statements – SOX 906
▫ SOX 302 – Corporate responsibility for financial reports
▫ SOX 409 – Real time disclosure – disclose information on material changes in finance on rapid and current basis
▫ Whistle-Blower Protection - Document Destruction
Key sections related to the Act
• SOX 404 – Management assessment of internal controls over financial reporting – Role of IT
▫ Management create reliable internal financial controls
• Destruction of documents – Periodic policy needed
• Responsibilities
▫ IT representatives on SOX teams
▫ Understanding organization's internal control program and financial reporting process
▫ Mapping the two to find financial statements
▫ Designing and implementing controls
▫ Documenting and testing the controls designed to mitigate risk – continuous monitoring
Contd..
• Strong IT controls needed
▫ External auditors – rely on process approach - evaluation based on manual/automated controls
▫ Inherent security and control risk – due to virtual corporate and ecommerce
▫ Large corporate spending on IT - greater return expected
• Entry-level IT securities needed
▫ Trusted Path
▫ Firewall Architectures and Connections with Public Network – denial of services and unauthorized access to internal resources
▫ Identification, Authentication, and Access
▫ User account management
Case – Retail Chain
• The Scenario
▫ IT process used for creation, update and manipulation of financial data
▫ Own database – ERP for creation of all financial data and reports for SEC filings
• Audit findings
▫ Variety of database tools used to insert/delete/modify (unmitigated) data from underlying ERP databases
▫ User id/password for internal authentication
▫ No controls in org. beyond basic authentication.
Solutions
• Controls on data access and updating of underlying financial databases - ERP system access and any other access
• Automated provisioning process - segregation of duties to approve the creation of system user IDs and access privileges, as well as modification and removal.
• Audit logging and reporting infrastructure for reporting system - conformance to the organization's internal policies and standards.
How did FISMA originate?
• FISMA was introduced by replacing GISRA, title III of the Electronic Government Act of 2002
• The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation of USA.
Need for FISMA?
The need to secure information infrastructure used in all federal agencies.
OBJECTIVES:
▫ For the implementation of cost-effective, risk-based information security programs
▫ For the establishment of a level of security due diligence for federal agencies and contractors supporting the federal government
▫ To create a more consistent and cost-effective application of security controls across the federal information technology infrastructure
▫ To create more consistent, comparable, and repeatable security control assessments
Contd..
▫ To generate a better understanding of enterprise-wide mission risks resulting from the operation of information systems
▫ Lastly, to create more complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security authorization decisions
▫ And also to make sure that there are more secure information systems within the federal government, including the critical infrastructure of the United States
Requirements of FISMA
• Appropriate officials should be assigned
• Periodical review of the security controls of the information system
• Security awareness training should be done
• Guidelines laid by NIST for information security control should be followed
• Lastly, plan for security should be followed
How to implement FISMA?
• Generally, CIOs are given the responsibility in compliance with the CISO
• Then the IGs review the process and reporting
• Reports are sent to the OMB by the end of each financial year.
• Reporting standards are governed by OMB 130 and NIST Special Publication 800-26, with changes including 800-53
Advantages of FISMA
• It is considered the best approach to ensure that sensitive government systems and data are secure
• Helps manage government systems and information, including insurance companies, e.g. Medicare claims, and outsourcing companies which manage federal systems, such as Lockheed Martin, Northrop Grumman
• FISMA reports by mandating a standard interface and following a format for entering FISMA data. The OMB then provides this data via reports to other agencies.