This document provides an overview of healthcare information security and compliance with HIPAA regulations. It discusses the state of information security threats in 2001, an introduction to HIPAA, implications for organizations, typical gaps found in HIPAA compliance reviews, and why organizations should comply with security standards. The document promotes healthcare security services from KentTrust to help organizations assess risks, identify gaps, and implement compliant security solutions to protect patient information.

1. Healthcare InfoSec Overview
HIPAA
Compliance
Solutions
Joseph Patrick Schorr, CISSP, MCSE, CCDA
Security Consulting Practice Leader

2. Agenda
• The KentTrust Story
• The state of InfoSec - 2001
• HIPAA to-Date
• Privacy Standards
• Implications on Your Organization
• Your Needs
• Why Should You Comply?
• KentTrust Security Services Approach

3. KentTrust Mission
“To provide professional and
innovative Information Security
solutions to industry, government,
and society through leading edge
knowledge, skill set, and technologies”

4. Why KentTrust Security Solutions?
• Our security consultants are seasoned security
professionals- 6 CISSP’s, 5 CCSE’s, 1 CISA, 7 MCSE’s
– Industry recognized certifications
• We have provided solutions for all types of
organizations
– Private Industry (health care, banking, commerce, etc.)
– Government (Federal, State, Local)
• Experience with the full spectrum of InfoSec
– Security Policy, Penetration testing and probing,
Vulnerability assessments, HIPAA reviews, PKI, E-
Commerce, Security architecture reviews, Intrusion
detection, etc.

5. Engagement Methodology
5-Phase KentTrusted™ Cycle
I Security Architecture Review
II Security Posture Assessment
III Security Solutions Deployment
IV Security Operations Program
V Security Awareness Program

6. 2001 – The State of InfoSec
Attacks and Abuses on the Rise
• 40% of respondents detected external system
penetrations and probings
• 38% of respondents detected Denial of
Service (DoS) attacks
• 91% of respondents detected abuse of
Internet access privileges
• 94% of respondents detected computer
viruses
Source: Computer Security Institute, 2001

7. 2001 – The State of InfoSec
• 85% of large corporations and government agencies
detected computer security breaches
• 64% acknowledged financial losses due to breaches
• The respondents reported $377,828,700 in financial
losses
• 69% of respondents cited their Internet connection
as the point of attack, 31% cited an internal point of
attack
• External attacks rose from 59% in 2000 to 69% in
2001
Source: Computer Security Institute, 2001

8. Attack Sophistication
EXPERTISE REQUIRED Stealth / Advanced
Scanning Techniques
Denial of Service
Packet Spoofing
Sniffers DDoS Attacks
Sweepers WWW Attacks
Automated Probes/Scans
Back Doors
Disabling Audits GUI
Network Management Diagnostics
Burglaries
SOPHISTICATION Hijacking Sessions
Of TOOLS Exploiting Known Vulnerabilities
Password Cracking
Self-Replicating Code
Password Guessing
1980 1985 1990 1995 1999 2000
InformationWeek > Security > Cisco Warns Of IOS Security Flaw > June 29, 2001

9. Sources of Attack
Foreign Government
8%
Foreign Corporations
10% Disgruntled Employees
33%
US Competitors
18%
Independent
Hackers
30%

10. Proof Positive
Financial Losses Due to Cyber-attacks
Denial of
Service
($8,247,500)
Virus
($29,171,700)
Internal Millions
Abuse
($29,171,700)
System
Penetration
($7,104,000) 0 10 20 30
Source: Federal Bureau of Investigation, 2000
(243 Respondents)

11. HIPAA Introduction
• One of the most high-impact pieces of
legislation to affect the health care industry!
• The Industry generally agrees that HIPAA
impact will be more extensive than the Year
2000 Problem
• Healthcare experts predict that large
healthcare providers and/or payers will have
to spend $50 to $200 million to become
HIPAA compliant

12. Introduction (cont.)
• Affects nearly everyone in healthcare
– Payers, employers, providers, clearinghouses,
health care information systems vendors, billing
agents, and service organizations
• Impacts nearly every business process
– All individually identifiable information relating
to patients or any person receiving services.
– Past, present, or future health conditions,
treatment or payment for treatment
– Demographic data collected by plans or providers

13. Who Does This Affect?
• Health Plans:
– Individual or group plans that provide for or pays the cost
of medical care
– Employers who self-insure
• Providers
– Hospitals, Medical Groups, Physician’s LLPs, Clinics,
Emergency Care Facilities and any other person furnishing
health care services or supplies
• Health Care Clearinghouse
– Any public or private organization that processes or
facilitates the processing of health information
• Other Affected Entities
– Employers who want to utilize medical information do data
mining
– Pharmaceutical companies conducting clinical research

14. HIPAA to date
• Health Insurance Portability &
Accountability Act of 1996 (HIPAA)
• Public Law 104-191
• Based on Kennedy-Kassebaum
• Designed to:
– Assure health insurance portability
– Reduce health care fraud and abuse
– Guarantee security and privacy of health information
– Enforce standards for health information
• HIPAA-Sec Effective 4/14/2001
• 2 Years to Achieve Compliance (October 2002)
ARE YOU AWAKE ???

15. Security Categories
1. Administrative Procedures to Guard Data
Integrity, Confidentiality, and Availability
2. Physical Safeguards to Guard Data Integrity,
Confidentiality, and Availability
3. Technical Security Services to Guard Data
Integrity, Confidentiality, and Availability
4. Technical Security Mechanisms to Guard Data
Integrity, Confidentiality, and Availability

16. Privacy Categories
Administrative Procedures
Sets standards for:
• Certification - Personal Security
• Chain of Trust Agreements - Training
• Contingency Planning - Termination Procedures
• Record Processing - Security Incident
Response
• Information Access Control - Security Configuration
• Internal Audit - Management
• Security Management

17. Privacy Categories
Physical Safeguards
– Governs physical security and org. issues:
• Assigned Security Responsibility
• Media controls
• Physical access controls
• PC Policy/guideline
• Secure work station location
• Security awareness training
• Business Continuity & Disaster Recovery Plans

18. Privacy Categories
Technical Security Services
– Dictate general security safeguards
– Standards Covered:
• Access Control
• Audit Controls
– Authorization Control
• Data Authentication (Integrity)
– Entity Authentication

19. Privacy Categories
Technical Security Mechanisms
• Communications/Network Controls
– Basic networking safeguards (alarms, access
controls, audit trails, event reporting & etc.)
– Network security issues
• Integrity (message corruption) and confidentiality
(message interception)
• Protection from unauthorized remote access
– Digital Signatures

20. HIPAA - Your Needs
• Need to know where you are today and where you
need to go to gain compliance
• Need additional information security technology
solutions may be required (e.g., Public Key
Infrastructure, Virtual Private Network, Improved
Logging, Business Continuity Plans)
• Business processes may need major enhancements
to ensure that security and privacy requirements
are met

21. Your needs
• Organizations may need to undergo significant
cultural transformation in the way patient
information is handled, used, communicated and
shared
• Policies and procedures may have to be developed
and existing ones modified
• Proposed regulations require staffing of a “Privacy
Official”
• Budgeting and staffing for next two years will be
impacted -- need to understand how much

22. Your needs (cont.)
• Need to meet Short Timeframe
• Most health care organizations will have only
2 years to comply
• Broad Scope (need expertise)
– HIPAA will impact all functions, processes and
systems that store, handle or generate health
information
– Mainframes - Servers - Workstations
– Policies and Procedures
– Training Staff

23. Implications for your organization
• Acute Impact
– Requires health care organizations to completely
rethink the way in which they protect the
security and privacy of patients and consumers
information
– Mandates standard formats for the most common
transactions between health care organizations
– In many cases requires replacement or
substantial change to providers’ current systems
and processes to comply with HIPAA regulations

24. Implications for your organization
Strategic Impact
HIPAA electronic
standards and
security
requirements
become key
enablers in
moving forward

25. more “implications”…
• Cost Savings
– Reduction in processing costs
– Simplification of manual processing
• Improved Customer Service
– Reduced Errors
– Quicker turnaround
• Mobilizes the industry
• Gives direction
• Gives timetable
• Not prescriptive
• Shows the public we care

26. more “implications”…
• Non-compliance
– $100 for each violation, total for each requirement in
calendar year not more than $25,000
• Wrongful disclosure of individually identifiable health
information
– Uses or causes to be used a unique health identifier
– Obtains individually identifiable health information
– Discloses individually identifiable health information
– $50,000 and/or 1 yr imprisonment
– $100,000 and/or 5 yrs imprisonment for false pretenses
– $250,000 and/or 10 yrs imprisonment for intent to sell

27. Getting from Point “A” to “B”
The final regulations will not
mandate specific security
practices and technology…
Health care entities must assess
potential risks to their data and
develop, implement, and maintain
appropriate security measures

28. Security Services Approach
• Help prepare an organization for HIPAA
regulations and standards
• Awareness training to better understand
the implications of the new standards and
their effects on the organization.

29. HIPAA Compliance Review
• A simple and meaningful Security Gap Analysis Audit
– determine the magnitude of the regulatory impact on your
organization and establish the scope of your compliance
effort.
• Network Vulnerability Assessments
• Provide extensive documentation supporting the
recommended HIPAA compliance of the organization
• Implement and deploy the HIPAA compliant
recommended solutions

30. Commonalities
Typical Gaps Found During HIPAA Gap Analysis Audits
• Out-of-Date or Non-existent Disaster Recovery or
Business Continuity Plans in Place
• Current Computing Systems Cannot Meet HIPAA
standards for Security
– OS Versions Cannot be Upgraded
– OS Simply Lacks Security Capabilities
• HIPAA Compliant Policies and Procedures not in Place
or Not Being Followed
• Inadequate Data Backup Plan in Place
• Infrastructure (Network or Systems) Vulnerable

31. Homework!!!
Think about your environment…
• Consistent security policy definitions?
• Information architecture
– Business process definitions
• Who shares information? and why?
– Information content definitions
• What information is shared?
– Computational definitions
• How is information shared?
– Engineering/Technical
• The last thing consider

32. Pithy Quote
“If you reveal your secrets to the wind you
should not blame the wind for revealing
them to the trees.”
Khalil Gibran

33. Questions

34. Contact us to Secure your Information
Security Solutions
Division of Kent Technologies
5911-K Breckenridge Park Drive
Tampa, Florida 33610
(614)766-8482
www.KentTrust.com