HIPAA Security Rule
November 16th, 2004
ISSA/ISC² Secure SD Security Conference, San Diego, CA

Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA, CCSA, Security+
Lead Consultant (Southern California)
VeriSign Global Security Consulting
VeriSign
- Publicly traded company
- > 3000 employees
- $1 billion in revenues
- Operates critical DNS infrastructure that enables over 10B transactions/day
- Secures the information assets of over 400,000 websites and 1,000 large enterprises
- Largest SS7 telecommunications network – 2 billion messages per day
- 2.8B SS7 signals/day
- Enables over 1,000 carriers to interconnect
- Supports over 30% of North American e-commerce
- Over 100 million e-commerce payment transactions per quarter
- Largest MSSP with over 3000 devices under management
Drivers behind HIPAA
- Efficiency and interoperability between payers, providers and clearinghouses (“covered entities”)
- “Patient’s Bill of Rights”
- Enhanced medical record privacy
- Enhanced medical record security
- Medical mistakes kill 98,000/year in the USA
Data valuation – what’s gone wrong in healthcare?
- What is your medical record worth to you?
- How much do you trust your healthcare provider to keep your medical record private & secure?
- How many of your friends or neighbors work in a healthcare organization? How many of your enemies?
- We spend billions protecting financial information; what about health information?
Do I need to comply?
- The security rule applies to all IIHI (individually identifiable health information) in electronic form
- ePHI (electronic Protected Health Information) that is stored and/or transmitted is covered
- Health information on paper or divulged orally is not covered!
- The rule is intended to set a minimum level of security for covered entities
- Covered entities, and business associates of those entities (through a chain of trust agreement), are required to comply
What’s the business / security value-add?
- Increased level of confidence from your customers
- Expansion into healthcare markets for non-healthcare-centric services (e.g. managed security services)
- Integration of sound security practices to fulfill HIPAA requirements (e.g. a standardized risk assessment methodology, quantifiable security metrics for measuring process improvement)
- Covered entities MUST comply, of course!
Nuts and bolts of the rule
Covered entities are required to:
- Assess potential risks and vulnerabilities
- Protect against threats to information security or integrity, and against unauthorized use or disclosure
- Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances
- Ensure compliance with these safeguards by all staff
How is the rule structured?
- The rule is broken into three sections: administrative safeguards, technical safeguards and physical safeguards
- There are 18 standards that encompass the 3 types of safeguards
- Almost every standard has several implementation specifications, which are specific requirements within the standard
- Each implementation specification is either required or addressable
Required vs. Addressable
- Required: the implementation specification must be met by the covered entity. Most of the required implementation specifications scale to meet covered entity requirements, large or small.
- Addressable: the implementation specification may not always be appropriate, or “scale” to different covered entity sizes. A risk assessment must be performed by the covered entity to determine which controls are feasible to implement.
Administrative safeguards (standard: what it means in practice)
- Security Management Process: Information Security Program
- Assigned Security Responsibility: assigning responsibility (CSO / CISO)
- Workforce Security: Acceptable Use of Computing Resources for staff
- Information Access Management: Access Control (AAA)
- Security Awareness & Training: training and education
- Security Incident Procedures: Incident Response
- Contingency Planning: Disaster Recovery / Business Resumption Planning
- Evaluation: risk assessment and quantifiable measurement
- Business Associate Contracts & Other Arrangements: contracts
Physical Safeguards (standard: what it means in practice)
- Facility Access Controls: physical security of information processing facilities
- Workstation Use: acceptable use & control of access to workstations
- Workstation Security: physical security of assets (each separate device type is classified as a workstation)
- Device & Media Controls: Computer Operations 101 (tape labeling and archiving, tape rotation, back-up logs kept up to date, control of removable media containing ePHI)
Technical Safeguards (standard: what it means in practice)
- Access Control: unique user ID, emergency access, automatic logoff
- Audit Controls: activity review (application & operating system)
- Integrity: verifying data integrity (at rest and in transit)
- Person or Entity Authentication: robust authentication strategy (two-factor)
- Transmission Security: safeguarding ePHI in transmission (encryption) and verifying integrity (digital signatures)
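As an added illustration (not from the talk or from VeriSign), here is a small Python model of how the Access Control, Audit Controls and Integrity standards above fit together: every read of an ePHI record is attributed to a unique user ID, an idle session is logged off instead of served, records carry an integrity tag that is checked before release, and a periodic activity review pulls out the events a reviewer must look at, including emergency ("break glass") access. The key, the 15-minute idle limit and all record values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key for the at-rest integrity tag; a real deployment would use a managed key.
INTEGRITY_KEY = b"constructed-demo-key"
AUTO_LOGOFF_SECONDS = 900  # assumed idle limit (15 minutes) before automatic logoff


def seal(record: dict) -> dict:
    """Integrity at rest: attach an HMAC-SHA256 tag over a canonical JSON encoding."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time; False means the record was altered."""
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def access_ephi(user_id, sealed, audit_log, now, last_activity, emergency=False):
    """Access control + audit controls for one read request.

    Every outcome is written to the audit log under the requesting user's unique ID.
    An idle session is automatically logged off, a record that fails its integrity
    check is withheld, and emergency access is served but marked for later review.
    """
    if now - last_activity > AUTO_LOGOFF_SECONDS:
        audit_log.append({"user": user_id, "event": "auto_logoff", "t": now})
        return None
    if not verify(sealed):
        audit_log.append({"user": user_id, "event": "integrity_failure", "t": now})
        return None
    audit_log.append({"user": user_id, "event": "read", "emergency": emergency, "t": now})
    return sealed["record"]


def activity_review(audit_log):
    """Audit controls: the periodic activity review returns the entries that need a human look."""
    return [e for e in audit_log
            if e["event"] in ("integrity_failure", "auto_logoff") or e.get("emergency")]
```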
FAILING TO PREPARE IS PREPARING TO FAIL
Maximizing investment on compliance
- Perform regular security assessments on critical assets that contain, or may participate in the transmission or storage of, ePHI (consider an annual third-party assessment to free internal resources up for remediation)
- Make sure you are effective where the rubber meets the road – does a procedure that a particular business unit performs actually match what’s documented, step by step? What is the variance?
- Outsource routine information security tasks to free up resources – constant intrusion detection alerts and system activity review may cost you more in labor to tune and monitor 24x7 in a month than an MSSP may charge for a year’s contract
What are the pitfalls to avoid?
- The HIPAA Security Rule contains a great deal of documentation requirements, but don’t just focus on documentation!
- Don’t make mountains out of molehills
- Don’t wait until the 11th hour to ask for money (especially for awareness and training requirements)
- Don’t attempt to achieve compliance without a plan (decentralized workgroups work very well)
- Not leveraging your resources and skill-sets is a recipe for disaster
Compliance Tips
- Establish a formal security program with a designated security officer
- Establish a standardized risk assessment strategy to prioritize work
- Implement a security program mapped to best-practice security standards, not to a specific regulation
- Make use of “community standard” guidelines to make sure you’re keeping pace with other providers
- Collaborate with other providers on how you develop strategies to address the HIPAA Security Rule
Reading Room
- NIST DRAFT SP 800-66, “An Introductory Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”: http://csrc.nist.gov/publications/drafts/DRAFTsp800-66.pdf
- Health Insurance Portability and Accountability Act (HIPAA) home page: http://www.hhs.gov/ocr/hipaa/
- Health Hippo: http://hippo.findlaw.com/hipaa.html

Questions & Answers
VeriSign Security Services