SlideShare une entreprise Scribd logo
1  sur  35
Télécharger pour lire hors ligne
Navigating Business Associate
IT Security Risk
John Abraham – Redspin Security Evangelist
Part 1
New Responsibilities
For business associates and covered entities
under HIPAA / HITECH Act
Expanded Definitions
   Work for CE + Access PHI = BA
   Data transmission providers
   Subcontractors to BA
HIPAA Security Rule...
Applies to:
    A)   Covered Entities
    B)   Business Associates
    C)   Subcontractors
    D)   All of the above
Oops, I didn't know
“lack of knowledge” is not a defense*


            AKA
     what you don't know
             {about BAs}
          can hurt you

             * 75 Federal Register 40878, July 14 , 2010
                                                th
                                                           NPRM
BAs Dual Risk
   Liability to government (HIPAA)
   Liability to CE (BAA)
CEs Dual Risk
   Liability to government (HIPAA)
   Liability to government (BA security)
Penalties throughout
PHI supply chain
   CEs
   BAs
   Subcontractors
Part 2
What's This Means
Active Enforcement
   Fines
   State budget crisis
   State Attorney's General
Recent Enforcement Actions*
   Cignet $4.3million
       Failure to provide 41 patient records, ignore subpoena
   Mass. General Hospital $1million
       192 patient records left on subway
       CAP: Policies, procedures, training, auditing, reporting,
        security controls




                                            * http://www.hhs.gov/news/
Transparency
   Right-to-audit clause in BAA
HIPAA Security Rule
   Everyone needs to be compliant
   Everyone needs sound risk management
Part 3
Effectively Manage
Your Own Risk
Three rules
   Focus
   Existence != Effective
   Compliance != Security
1
                  Rule:



Everyone has risk.
 Focus on critical.
Systematic Risk Management

                 Focus,
                 focus,
                 focus
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT,
HIPAA - Administrative Safeguards (§164.308), ...
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate Risk
Focus                    1
                                       Rule:
Systematic risk management
   Everyone has lots of risk → focus
   Let risk drive controls → focus
   Avoid over spending/implementing → focus
2
                    Rule:



Existence
  do es not equal


Effective
Redspin Webinar Business Associate Risk
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
...
access-list out permit tcp any host 10.0.0.15 eq smtp
access-list out permit tcp any host 10.0.0.15 eq www
access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0
access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp
access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37
access-list in permit udp 172.16.0.0 255.255.255.0 any eq time
access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh
access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www
access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https
...
ip address outside 10.0.0.2 255.255.255.0
ip address inside 172.16.0.2 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.0.0.3
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
access-group dmz in interface dmz
...
Redspin Webinar Business Associate Risk
2Rule:



Don't just assume a
control is working.
3
                     Rule:



Compliance
  does not eq ua l


 Security
Redspin Webinar Business Associate Risk
Part 4
Effectively Manage
Business Associate Risk
Systematic Approach
1.   Identify
2.   Classify
3.   Prioritize
4.   Additional Evaluation
5.   Monitor
Systematic Approach
1.   Identify
2.   Classify            Matrix
3.   Prioritize
4.   Additional Evaluation
5.   Monitor
Systematic Approach
1.   Identify
2.   Classify
3.   Prioritize
4.   Additional Evaluation
5.   Monitor

                             Questionnaire


                             HIPAA Risk Analysis
Summary
For BAs & CEs
   New responsibilities (HIPAA Sec. Rule)
   Increased accountability / scrutiny
   Need effective (true) risk management
   BAs need to be ready to be audited by CEs
   CEs need to be ready to audit BAs
{   thank you!   }

John Abraham
jabraham@redspin.com
805-705-8040 (mobile)

Contenu connexe

Tendances

Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsPYA, P.C.
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceHostway|HOSTING
 
Hipaa in the era of ehr mo dept hss
Hipaa in the era of ehr  mo dept hssHipaa in the era of ehr  mo dept hss
Hipaa in the era of ehr mo dept hsslearfield
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016Compliancy Group
 
Business Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to KnowBusiness Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to Knowdata brackets
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Business Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and RequirementsBusiness Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and Requirementsdata brackets
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006JNicholson
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeMedSafe
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryTrend Micro
 
How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud Compliancy Group
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsDoubleHorn
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 

Tendances (20)

Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future Expectations
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA Compliance
 
Hipaa in the era of ehr mo dept hss
Hipaa in the era of ehr  mo dept hssHipaa in the era of ehr  mo dept hss
Hipaa in the era of ehr mo dept hss
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016
 
Business Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to KnowBusiness Associate Assurance: What Covered Entities Need to Know
Business Associate Assurance: What Covered Entities Need to Know
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Business Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and RequirementsBusiness Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and Requirements
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rule
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
 
How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response Checklist
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 

Similaire à Redspin Webinar Business Associate Risk

Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2Flaskdata.io
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security riskRedspin, Inc.
 
2010 Secure World Boston Nist
2010 Secure World Boston Nist2010 Secure World Boston Nist
2010 Secure World Boston Nistcandy_alexander
 
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
How to Use the NIST CSF to Recover from a Healthcare Breach
 How to Use the NIST CSF to Recover from a Healthcare Breach  How to Use the NIST CSF to Recover from a Healthcare Breach
How to Use the NIST CSF to Recover from a Healthcare Breach Symantec
 
aPersona-HIPAA-HITECH-Compliance-v2
aPersona-HIPAA-HITECH-Compliance-v2aPersona-HIPAA-HITECH-Compliance-v2
aPersona-HIPAA-HITECH-Compliance-v2Chris Reese
 
Building HIPPA Compliant Websites Using Joomla
Building HIPPA Compliant Websites Using JoomlaBuilding HIPPA Compliant Websites Using Joomla
Building HIPPA Compliant Websites Using Joomlajoomla-chicago
 
Company And Preliminary Accounting Analysis
Company And Preliminary Accounting AnalysisCompany And Preliminary Accounting Analysis
Company And Preliminary Accounting AnalysisJennifer Moore
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Travis
 
Attack Autopsy: A Study of the Dynamic Attack Chain
Attack Autopsy: A Study of the Dynamic Attack ChainAttack Autopsy: A Study of the Dynamic Attack Chain
Attack Autopsy: A Study of the Dynamic Attack ChainIBM Security
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceRobert E Jones
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
CompTIA Security+ Objectives
CompTIA Security+ ObjectivesCompTIA Security+ Objectives
CompTIA Security+ Objectivessombat nirund
 
Healthcare/HIPAA Cybersecurity best practices
Healthcare/HIPAA Cybersecurity best practicesHealthcare/HIPAA Cybersecurity best practices
Healthcare/HIPAA Cybersecurity best practicesJack Shaffer
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfElyes ELEBRI
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security ChallengesJorge Sebastiao
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010joevest
 

Similaire à Redspin Webinar Business Associate Risk (20)

Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security risk
 
2010 Secure World Boston Nist
2010 Secure World Boston Nist2010 Secure World Boston Nist
2010 Secure World Boston Nist
 
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
 
B3948
B3948B3948
B3948
 
How to Use the NIST CSF to Recover from a Healthcare Breach
 How to Use the NIST CSF to Recover from a Healthcare Breach  How to Use the NIST CSF to Recover from a Healthcare Breach
How to Use the NIST CSF to Recover from a Healthcare Breach
 
aPersona-HIPAA-HITECH-Compliance-v2
aPersona-HIPAA-HITECH-Compliance-v2aPersona-HIPAA-HITECH-Compliance-v2
aPersona-HIPAA-HITECH-Compliance-v2
 
Building HIPPA Compliant Websites Using Joomla
Building HIPPA Compliant Websites Using JoomlaBuilding HIPPA Compliant Websites Using Joomla
Building HIPPA Compliant Websites Using Joomla
 
Company And Preliminary Accounting Analysis
Company And Preliminary Accounting AnalysisCompany And Preliminary Accounting Analysis
Company And Preliminary Accounting Analysis
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.
 
Attack Autopsy: A Study of the Dynamic Attack Chain
Attack Autopsy: A Study of the Dynamic Attack ChainAttack Autopsy: A Study of the Dynamic Attack Chain
Attack Autopsy: A Study of the Dynamic Attack Chain
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
CompTIA Security+ Objectives
CompTIA Security+ ObjectivesCompTIA Security+ Objectives
CompTIA Security+ Objectives
 
Healthcare/HIPAA Cybersecurity best practices
Healthcare/HIPAA Cybersecurity best practicesHealthcare/HIPAA Cybersecurity best practices
Healthcare/HIPAA Cybersecurity best practices
 
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdfpdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
pdfcoffee.com_iso-iec-27002-implementation-guidance-and-metrics-pdf-free.pdf
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security Challenges
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 

Plus de Redspin, Inc.

HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateRedspin, Inc.
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedRedspin, Inc.
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Redspin, Inc.
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Redspin, Inc.
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Redspin, Inc.
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin, Inc.
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security PolicyRedspin, Inc.
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineRedspin, Inc.
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin, Inc.
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin, Inc.
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felonyRedspin, Inc.
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationRedspin, Inc.
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Redspin, Inc.
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityEnsuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityRedspin, Inc.
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Redspin, Inc.
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Redspin, Inc.
 

Plus de Redspin, Inc. (20)

HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest State
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol Published
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the Commandline
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful Use
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach Report
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felony
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health information
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityEnsuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information Security
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
 

Dernier

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 

Dernier (20)

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 

Redspin Webinar Business Associate Risk

  • 1. Navigating Business Associate IT Security Risk John Abraham – Redspin Security Evangelist
  • 2. Part 1 New Responsibilities For business associates and covered entities under HIPAA / HITECH Act
  • 3. Expanded Definitions  Work for CE + Access PHI = BA  Data transmission providers  Subcontractors to BA
  • 4. HIPAA Security Rule... Applies to:  A) Covered Entities  B) Business Associates  C) Subcontractors  D) All of the above
  • 5. Oops, I didn't know “lack of knowledge” is not a defense* AKA what you don't know {about BAs} can hurt you * 75 Federal Register 40878, July 14 , 2010 th NPRM
  • 6. BAs Dual Risk  Liability to government (HIPAA)  Liability to CE (BAA)
  • 7. CEs Dual Risk  Liability to government (HIPAA)  Liability to government (BA security)
  • 8. Penalties throughout PHI supply chain  CEs  BAs  Subcontractors
  • 10. Active Enforcement  Fines  State budget crisis  State Attorney's General
  • 11. Recent Enforcement Actions*  Cignet $4.3million  Failure to provide 41 patient records, ignore subpoena  Mass. General Hospital $1million  192 patient records left on subway  CAP: Policies, procedures, training, auditing, reporting, security controls * http://www.hhs.gov/news/
  • 12. Transparency  Right-to-audit clause in BAA
  • 13. HIPAA Security Rule  Everyone needs to be compliant  Everyone needs sound risk management
  • 15. Three rules  Focus  Existence != Effective  Compliance != Security
  • 16. 1 Rule: Everyone has risk. Focus on critical.
  • 17. Systematic Risk Management Focus, focus, focus
  • 18. Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (§164.308), ...
  • 21. Focus 1 Rule: Systematic risk management  Everyone has lots of risk → focus  Let risk drive controls → focus  Avoid over spending/implementing → focus
  • 22. 2 Rule: Existence do es not equal Effective
  • 24. PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 ... access-list out permit tcp any host 10.0.0.15 eq smtp access-list out permit tcp any host 10.0.0.15 eq www access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0 access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0 access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37 access-list in permit udp 172.16.0.0 255.255.255.0 any eq time access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https ... ip address outside 10.0.0.2 255.255.255.0 ip address inside 172.16.0.2 255.255.255.0 ip address dmz 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 10.0.0.3 nat (inside) 1 172.16.0.0 255.255.255.0 0 0 static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0 access-group out in interface outside access-group in in interface inside access-group dmz in interface dmz ...
  • 25. PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 ... access-list out permit tcp any host 10.0.0.15 eq smtp access-list out permit tcp any host 10.0.0.15 eq www access-list dmz permit ip host 192.168.0.13 172.16.0.0 255.255.255.0 access-list dmz deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0 access-list dmz permit tcp host 192.168.0.13 172.16.0.0 255.255.255.0 eq smtp access-list in deny tcp host 172.16.0.2 host 192.168.0.13 eq ftp access-list in permit tcp 172.16.0.0 255.255.255.0 any eq www access-list in permit tcp 172.16.0.0 255.255.255.0 any eq https access-list in permit tcp 172.16.0.0 255.255.255.0 any eq 37 access-list in permit udp 172.16.0.0 255.255.255.0 any eq time access-list in permit udp 172.16.0.0 255.255.255.0 any eq domain access-list in permit udp 172.16.0.0 255.255.255.0 any eq telnet access-list in permit tcp 172.16.0.0 255.255.255.0 any eq ssh access-list in permit tcp 172.16.0.0 255.255.255.0 any eq daytime access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq www access-list in permit tcp 172.16.0.0 255.255.255.0 host 192.168.0.13 eq https ... ip address outside 10.0.0.2 255.255.255.0 ip address inside 172.16.0.2 255.255.255.0 ip address dmz 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 10.0.0.3 nat (inside) 1 172.16.0.0 255.255.255.0 0 0 static (dmz,outside) 10.0.0.15 192.168.0.13 netmask 255.255.255.255 0 0 access-group out in interface outside access-group in in interface inside access-group dmz in interface dmz ...
  • 27. 2Rule: Don't just assume a control is working.
  • 28. 3 Rule: Compliance does not eq ua l Security
  • 31. Systematic Approach 1. Identify 2. Classify 3. Prioritize 4. Additional Evaluation 5. Monitor
  • 32. Systematic Approach 1. Identify 2. Classify Matrix 3. Prioritize 4. Additional Evaluation 5. Monitor
  • 33. Systematic Approach 1. Identify 2. Classify 3. Prioritize 4. Additional Evaluation 5. Monitor Questionnaire HIPAA Risk Analysis
  • 34. Summary For BAs & CEs  New responsibilities (HIPAA Sec. Rule)  Increased accountability / scrutiny  Need effective (true) risk management  BAs need to be ready to be audited by CEs  CEs need to be ready to audit BAs
  • 35. { thank you! } John Abraham jabraham@redspin.com 805-705-8040 (mobile)