UNC CAUSE November 2006

Planning for Information Security and HIPAA Compliance

“Security should follow data”

Leo Howell, CISSP
John Baines, CISSP
IAS-Information Assurance & Security
ETSS-Enterprise Technology Services & Support
North Carolina State University

Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University

What’s it all about, Webster?

Defalcation
  – Pronunciation: \ˌdē-ˌfal-ˈkā-shən\
  – Date: 15th century
  – 1 archaic : DEDUCTION
  – 2 : the act or an instance of embezzling
  – 3 : a failure to meet a promise or an expectation

Malfeasance
  – Pronunciation: \ˌmal-ˈfē-zən(t)s\
  – Date: 1696
  – wrongdoing or misconduct especially by a public official

Two twenty dollar words
  – Fraud and criminal business acts
  – Reaction to the excesses of the 80’s and 90’s
                       "Planning for Security and HIPAA Compliance" NCSU and ECU   2
Increasingly Complicated Compliance Constraints

Statute                  Type of requirement                        University data      Example location
FERPA                    Federal law                                Student records      Faculty PC or server
HIPAA                    Federal law                                Health records       Athletics dept.
GLBA                     Federal law                                Financial data       Financial Aid
PCI DSS                  Payment Card Industry Data Security Std.   Credit card data     Bookstore server
SB 1048                  State Identity Theft law                   SSN, etc.            R&R
State Employee Personal Information Privacy law                     Staff data           Payroll
Federal Grants           Contract requirements                      Research materials   Lab PC

Educational Institutes Seen as Easy Marks

Los Angeles Times article - May 30, 2006:
  ‘Since January, 2006 at least 845,000 people have had sensitive information
  jeopardized in 29 security failures at colleges nationwide.’

  ‘we were adding on another university every week to look into’
  - Michael C. Zweiback, assistant U.S. attorney

Information Security Planning: High level tasks

- Make a conscious decision to plan for security and compliance for improved
  efficiency and effectiveness
- Understand the business goals and objectives
- Conduct a risk assessment; factor in compliance!
- Develop the plan

Data Classification Standard, DCS, forms the foundation

- 3 classification levels - High, Moderate, Normal
- Based on data business value, financial implications, legal obligations

[Diagram: Identification; Confidentiality and sensitivity; Classification;
Protection; Consistency]

Data Management Procedures, DMP, assigns ownership and accountability

Role relationships:
  Data Trustee - oversight responsibility
  Data Steward - access within his or her unit; accuracy, privacy, and security
  User - responsibilities
  Data Custodians - physical data management; manage access rights
  Security Administrator (e.g. Application Security Unit) - authorizes users
    based on Guidelines

Seven Steps
RMIS Information System Security Plan, RISSP

Leo Howell
Information Security Analyst

STEP ONE – Understand the Asset

- Effective security begins with a solid understanding of the protected asset
  and its value
- At NC State we have identified DATA as our primary asset
- Philosophically, we believe that “security should follow data”
- But we know that not all data were created equal

STEP TWO – Identify and prioritize Threats

Governance:
  – policy breach
  – rebellion
Physical:
  – data theft
  – equipment theft/damage
Endpoint:
  – theft
  – social engineering
Infrastructure & Application:
  – theft
  – disclosure
  – DoS
  – unauthorized access
Data:
  – unauthorized access
  – corruption/destruction

STEP THREE – Identify and rank Vulnerabilities

Governance:
  – policy loopholes
Physical:
  – weak perimeter
  – open access
Endpoint:
  – ignorance
Infrastructure & Application:
  – “open” network
  – unpatched systems/OS
  – misconfiguration
Data:
  – unencrypted storage
  – insecure transmission

STEP FOUR – Quantify Relative Risk, R

R = µVAT
  V = vulnerability
  A = asset
  T = threat
  µ = likelihood of T

- The greater the number of vulnerabilities the bigger the risk
- The greater the value of the asset the bigger the risk
- The greater the threat the bigger the risk

STEP FIVE – Develop a strategy
3 virtual operational protection zones, OPZ, based on Data Classification

High
  - Significant business impact
  - financial loss
  - regulatory compliance
Moderate
  - adversely affects business and reputation
Normal
  - minimal adverse effect on business
  - authorization required to modify or copy

[Diagram examples: Laptop with High data; Server with Moderate data]

Types of data stored, accessed, processed or transmitted dictate the OPZ.
Higher Classification implies Increased Security.

STEP SIX – Establish target standards

Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53:
  1. Management & Governance
  2. Access control
  3. Physical security
  4. Endpoint security
  5. Infrastructure security
  6. Application security
  7. Data security

Amount and stringency of security controls at each level varies with data
classification.

Snippet from Data Security Standard

Security Control                       Red Zone     Yellow Zone    Green Zone
Encrypt stored data                    Mandatory    Recommended    Optional
Limit data stored to external media    Mandatory    Recommended    Optional
Encrypt transmitted data               Mandatory    Mandatory      Recommended

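As an added worked example (not part of the deck), the STEP FOUR formula R = µVAT is combined with the Data Security Standard snippet above: it scores a constructed asset inventory, maps each classification to an assumed zone colour (Red = High, Yellow = Moderate, Green = Normal), lists the controls the zone requires but the asset lacks, and orders the resulting action items the way STEP SEVEN suggests. The 1-3 rating scales, the vulnerability count used for V, and the Asset / standard_gaps / action_items names are assumptions.

```python
"""Worked example of R = µVAT plus a check against the red/yellow/green
Data Security Standard snippet.

Assumptions (the deck gives no numeric scales): µ, T and A are rated 1-3,
V is the count of identified vulnerabilities, and zones map
Red = High, Yellow = Moderate, Green = Normal."""
from dataclasses import dataclass, field

# A: asset value taken from the three Data Classification Standard levels.
ASSET_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}
# Assumed mapping from classification to operational protection zone colour.
ZONE = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}
# The three controls shown in the deck's Data Security Standard snippet.
STANDARD = {
    "encrypt_stored_data":      {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "limit_external_media":     {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "encrypt_transmitted_data": {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}
REQ_RANK = {"Mandatory": 0, "Recommended": 1, "Optional": 2}


@dataclass
class Asset:
    name: str
    classification: str            # High / Moderate / Normal
    likelihood: int                # µ: rated 1 (rare) to 3 (expected)
    threat: int                    # T: rated 1 (nuisance) to 3 (severe)
    vulnerabilities: list[str]     # items from the STEP THREE inventory
    controls: dict[str, bool] = field(default_factory=dict)  # control -> in place?


def relative_risk(asset: Asset) -> int:
    """R = µ * V * A * T, with V = number of open vulnerabilities."""
    v = len(asset.vulnerabilities)
    return asset.likelihood * v * ASSET_VALUE[asset.classification] * asset.threat


def rank_assets(assets: list[Asset]) -> list[Asset]:
    """STEP FOUR output: highest relative risk first."""
    return sorted(assets, key=relative_risk, reverse=True)


def standard_gaps(asset: Asset) -> dict[str, str]:
    """Controls the asset's zone requires (Mandatory/Recommended) but lacks."""
    zone = ZONE[asset.classification]
    return {
        control: by_zone[zone]
        for control, by_zone in STANDARD.items()
        if by_zone[zone] != "Optional" and not asset.controls.get(control, False)
    }


def action_items(assets: list[Asset]) -> list[tuple[str, str, str]]:
    """STEP SEVEN: (asset, control, requirement), Mandatory gaps on the
    riskiest assets first, then Recommended gaps, again ordered by risk."""
    items = [
        (asset.name, control, level)
        for asset in assets
        for control, level in standard_gaps(asset).items()
    ]
    risk = {asset.name: relative_risk(asset) for asset in assets}
    return sorted(items, key=lambda item: (REQ_RANK[item[2]], -risk[item[0]]))


# Constructed sample inventory; ratings are illustrative, not from the deck.
SAMPLE = [
    Asset("laptop", "High", likelihood=3, threat=3,
          vulnerabilities=["unencrypted storage", "ignorance"],
          controls={"encrypt_stored_data": False,
                    "limit_external_media": True,
                    "encrypt_transmitted_data": True}),
    Asset("server", "Moderate", likelihood=2, threat=2,
          vulnerabilities=["open network", "unpatched systems/OS", "misconfiguration"]),
    Asset("workstation", "Normal", likelihood=1, threat=1,
          vulnerabilities=["policy loopholes"]),
]

if __name__ == "__main__":
    for asset in rank_assets(SAMPLE):
        print(f"{asset.name:12} zone={ZONE[asset.classification]:6} "
              f"R={relative_risk(asset):3} gaps={standard_gaps(asset)}")
    for item in action_items(SAMPLE):
        print("TODO", *item)
```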
STEP SEVEN – Document the plan

- Create a list of action items for the next 3 to 5 years
- Prioritize the list based on risk and reality
- Forecast investment
- Beg, kick and scream to get funding
- Implement the plan over time

Identify realistic solutions for applying the appropriate security controls at
each level.

Quick takes

- Planning paves the way for effectiveness and efficiency for security and
  compliance
- Understand the business goals
- Conduct a risk assessment
- Establish a strategy based on data classification and industry standards
- Develop a prioritized realistic plan
- Go for the long haul!

Key Elements of the HIPAA Security Rule: And how to comply

Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University

Introduction

HIPAA is the Health Insurance Portability and Accountability Act. There are
thousands of organizations that must comply with the HIPAA Security Rule. The
Security Rule is just one part of the federal legislation that was passed into
law in August 1996.

The purpose of the Security Rule:
- To allow better access to health insurance
- Reduce fraud and abuse
- Lower the overall cost of health care.

What is the HIPAA Security Rule?

The rule applies to electronic protected health information (EPHI), which is
individually identifiable health information in electronic form.

Identifiable health information is:
- Your past, present, or future physical or mental health or condition,
- Your type of health care, or
- Past, present, or future payment methods for the type of health care
  received.

Who Must Comply?

Covered Entities (CEs) must comply with the Security
Rule. Covered Entities are health plans, health care
clearinghouses, and health care providers who transmit
any EPHI.

Health care plans - HMOs, group health plans, etc.
Health care clearinghouses - billing and repricing
companies, etc.
Health care providers - doctors, dentists, hospitals,
etc.

How Does One Comply?

Covered Entities must maintain reasonable and appropriate administrative,
physical, and technical safeguards to protect the confidentiality, integrity,
and availability of patient information.

Administrative Safeguards
To comply with the Administrative Safeguards
portion of the regulation, the covered entity must
implement the following "Required" security
management activities:

- Conduct a Risk Analysis.
- Implement Risk Management Actions.
- Develop a Sanction Policy to deal with violators.
- Conduct an Information System Activity Review.

Physical Safeguards
The physical safeguards are a series of
requirements meant to protect a Covered
Entity's computer systems, network and EPHI
from unauthorized access. The recommended
and required physical safeguards are designed
to provide facility access controls to limit
access to the organization's computer systems,
network, and the facility in which it is housed.
Technical Safeguards

Technical safeguards refer to the technology and the procedures used to
protect the EPHI and access to it.

The goal of technical safeguards is to protect patient data by allowing access
only by individuals or software programs that have been granted access rights
to the information.

Key Elements of Compliance
1. Obtain and Maintain Senior Management
   Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised
   by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance
Penalties
- Civil penalties are $100 per violation, up to $25,000 per year for each
  violation.
- Criminal penalties range from $50,000 in fines and one year in prison up to
  $250,000 in fines and 10 years in jail.

Additional Negatives:
  – Negative publicity
  – Loss of Customers
  – Loss of Business Partners
  – Legal Liability

Conclusion

Compliance will require Covered Entities to:
  – Identify the risks to their EPHI
  – Implement security best practices
  – Complying with the Security Rule can require significant time and
    resources
  – Compliance efforts should be currently underway

Contacts

NC State University
  Leo Howell, CISSP CEH CCSP CBRM
  Information Security Analyst
  IAS-Information Assurance and Security
  ETSS-Enterprise Technology Services and Support
  leo_howell@ncsu.edu
  (919) 513-1169

NC State University
  John Baines, CISSP
  Assistant Director
  IAS-Information Assurance and Security
  ETSS-Enterprise Technology Services and Support
  john_baines@ncsu.edu

East Carolina University
  Sharon McLawhorn McNeil
  IT-Security Analyst
  McLawhorns@ecu.edu
  252-328-9112

 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

IT security panel - moeshesh

  • 1. UNC CAUSE, November 2006
     Planning for Information Security and HIPAA Compliance
     “Security should follow data”
     Leo Howell, CISSP, and John Baines, CISSP
     IAS-Information Assurance & Security, ETSS-Enterprise Technology Services & Support, North Carolina State University
     Sharon McLawhorn McNeil
     ITCS-Security, Department of ITCS, East Carolina University
  • 2. What’s it all about, Webster?
     Defalcation
       – Pronunciation: *d*-*fal-*k*-sh*n
       – Date: 15th century
       – 1 archaic: DEDUCTION
       – 2: the act or an instance of embezzling
       – 3: a failure to meet a promise or an expectation
     Malfeasance
       – Pronunciation: *mal-*f*-z*n(t)s
       – Date: 1696
       – wrongdoing or misconduct especially by a public official
     Two twenty dollar words
       – Fraud and criminal business acts
       – Reaction to the excesses of the 80’s and 90’s
     "Planning for Security and HIPAA Compliance" NCSU and ECU 2
  • 3. Increasingly Complicated Compliance Constraints
     Statute                                          Type of requirement                          University data      Example location
     FERPA                                            Federal law                                  Student records      Faculty PC or server
     HIPAA                                            Federal law                                  Health records       Athletics dept.
     GLBA                                             Federal law                                  Financial data       Financial Aid
     PCI DSS                                          Payment Card Industry - Data Security Std.   Credit card data     Bookstore server
     SB 1048                                          State Identity Theft law                     SSN, etc.            R&R
     State Employee Personal Information Privacy law                                               Staff data           Payroll
     Federal Grants                                   Contract requirements                        Research materials   Lab PC
  • 4. Educational Institutes Seen as Easy Marks
     Los Angeles Times article, May 30, 2006: ‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’
     ‘we were adding on another university every week to look into’ - Michael C. Zweiback, assistant U.S. attorney
  • 5. Information Security Planning: High level tasks
     – Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
     – Understand the business goals and objectives
     – Conduct a risk assessment; factor in compliance!
     – Develop the plan
  • 6. Data Classification Standard, DCS forms the foundation
     – 3 classification levels: High, Moderate, Normal
     – Based on data sensitivity and business value, financial implications, legal obligations
     – Identification, Confidentiality, Classification, Protection, Consistency
  • 7. Data Management Procedures, DMP assigns ownership and accountability
     Role relationships (diagram text):
     – Data Trustee: oversight responsibility
     – Data Steward: accuracy, privacy, and security of access within his or her unit
     – User
     – Data Custodians: physical data management, e.g. Application Security Unit
     – Security Administrator: manage access rights; authorizes users based on guidelines
  • 8. Seven Steps: RMIS Information System Security Plan, RISSP
     Leo Howell, Information Security Analyst
  • 9. STEP ONE – Understand the Asset
     – Effective security begins with a solid understanding of the protected asset and its value
     – At NC State we have identified DATA as our primary asset
     – Philosophically, we believe that “security should follow data”
     – But we know that not all data were created equal
  • 10. STEP TWO – Identify and prioritize Threats
     – Governance: policy breach; rebellion
     – Physical: data theft; equipment theft/damage; unauthorized access
     – Endpoint: theft; social engineering
     – Infrastructure & Application: theft; disclosure; DoS
     – Data: unauthorized access; corruption/destruction
  • 11. STEP THREE – Identify and rank Vulnerabilities
     – Governance: policy loopholes
     – Physical: weak perimeter; open access
     – Endpoint: ignorance
     – Infrastructure & Application: “open” network; unpatched systems/OS; misconfiguration
     – Data: unencrypted storage; insecure transmission
  • 12. STEP FOUR – Quantify Relative Risk, R
     R = µVAT, where V = vulnerability, A = asset, T = threat, µ = likelihood of T
     – The greater the number of vulnerabilities, the bigger the risk
     – The greater the value of the asset, the bigger the risk
     – The greater the threat, the bigger the risk
  • 13. STEP FIVE – Develop a strategy
     3 virtual operational protection zones, OPZ, based on Data Classification
     – High: significant business impact; financial loss; regulatory compliance
     – Moderate: adversely affects business and reputation
     – Normal: minimal adverse effect on business; authorization required to modify or copy
     Examples: laptop with High data; server with Moderate data
     The types of data stored, accessed, processed or transmitted dictate the OPZ; a higher classification implies increased security.
  • 14. STEP SIX – Establish target standards
     Seven layers of protection per zone, based on COBIT, ISO 17799 and NIST 800-53:
     1. Management & Governance
     2. Access control
     3. Physical security
     4. Endpoint security
     5. Infrastructure security
     6. Application security
     7. Data security
     The amount and stringency of security controls at each level varies with data classification.
  • 15. Snippet from Data Security Standard
     Security Control                        Red Zone     Yellow Zone   Green Zone
     Encrypt stored data                     Mandatory    Recommended   Optional
     Limit data stored to external media     Mandatory    Recommended   Optional
     Encrypt transmitted data                Mandatory    Mandatory     Recommended
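Steps four to six (relative risk R = µVAT, classification-based zones, and the per-zone control matrix) can be turned into a small risk-register script. The following Python is an added example written for this page, not code from the NC State RISSP or the presenters; the numeric scales for V, A and T, the sample assets, and the mapping of the High/Moderate/Normal classifications onto the Red/Yellow/Green zones of the Data Security Standard snippet are all assumptions made here for illustration.

```python
"""Added example: rank assets by R = µVAT and report mandatory-control gaps per zone."""
from dataclasses import dataclass, field

# Assumed ordinal scale for the asset value A, derived from the data classification.
CLASSIFICATION_VALUE = {"High": 3, "Moderate": 2, "Normal": 1}

# Assumed mapping of classification levels onto the colour zones used in the
# Data Security Standard snippet (the deck itself does not state this mapping).
ZONE_FOR_CLASSIFICATION = {"High": "Red", "Moderate": "Yellow", "Green": "Green", "Normal": "Green"}

# Control matrix copied from the "Snippet from Data Security Standard" slide.
CONTROL_MATRIX = {
    "encrypt_stored_data":      {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "limit_external_media":     {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "encrypt_transmitted_data": {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}


@dataclass
class Asset:
    name: str
    classification: str            # High / Moderate / Normal
    vulnerabilities: int           # V: count of open vulnerabilities (assumed scale)
    threat: int                    # T: threat severity 1..3 (assumed scale)
    likelihood: float              # µ: likelihood of the threat, 0..1
    controls: dict = field(default_factory=dict)   # control name -> implemented?


def relative_risk(asset: Asset) -> float:
    """R = µVAT with the classification level standing in for asset value A."""
    a = CLASSIFICATION_VALUE[asset.classification]
    return asset.likelihood * asset.vulnerabilities * a * asset.threat


def rank_assets(assets: list) -> list:
    """Highest relative risk first, which is the prioritisation step four asks for."""
    return sorted(assets, key=relative_risk, reverse=True)


def zone_for(asset: Asset) -> str:
    return ZONE_FOR_CLASSIFICATION[asset.classification]


def control_gaps(asset: Asset) -> list:
    """Mandatory controls for the asset's zone that are not yet implemented."""
    zone = zone_for(asset)
    return [name for name, by_zone in CONTROL_MATRIX.items()
            if by_zone[zone] == "Mandatory" and not asset.controls.get(name, False)]


def risk_report(assets: list) -> list:
    """One row per asset, ranked by R, with its zone and outstanding mandatory controls."""
    return [{"asset": a.name, "zone": zone_for(a), "risk": relative_risk(a),
             "gaps": control_gaps(a)} for a in rank_assets(assets)]


def sample_assets() -> list:
    """Constructed sample inventory mirroring the deck's laptop/server/lab-PC examples."""
    return [
        Asset("laptop-high-data", "High", vulnerabilities=4, threat=3, likelihood=0.5,
              controls={"encrypt_stored_data": True}),
        Asset("server-moderate-data", "Moderate", vulnerabilities=2, threat=2, likelihood=0.4,
              controls={"encrypt_stored_data": True}),
        Asset("lab-pc-normal-data", "Normal", vulnerabilities=6, threat=1, likelihood=0.9),
    ]


if __name__ == "__main__":
    for row in risk_report(sample_assets()):
        print(f"{row['asset']:<22} zone={row['zone']:<6} R={row['risk']:>5.1f} gaps={row['gaps']}")
```

Note that with these constructed inputs the Normal-classified lab PC (many unpatched vulnerabilities, high likelihood) ranks above the Moderate server: the formula multiplies the factors, so a low asset value does not by itself push a machine to the bottom of the list. The gap report is the step-six check: each asset is compared only against the controls its own zone marks Mandatory.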
  • 16. STEP SEVEN – Document the plan
     Identify realistic solutions for applying the appropriate security controls at each level.
     – Create a list of action items for the next 3 to 5 years
     – Prioritize the list based on risk and reality
     – Forecast investment
     – Beg, kick and scream to get funding
     – Implement the plan over time
  • 17. Quick takes
     – Planning paves the way for effectiveness and efficiency for security and compliance
     – Understand the business goals
     – Conduct a risk assessment
     – Establish a strategy based on data classification and industry standards
     – Develop a prioritized, realistic plan
     – Go for the long haul!
  • 18. Key Elements of the HIPAA Security Rule: And how to comply
     Sharon McLawhorn McNeil, ITCS-Security, Department of ITCS, East Carolina University
  • 19. Introduction
     HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.
     The purpose of the Security Rule:
     – To allow better access to health insurance
     – Reduce fraud and abuse
     – Lower the overall cost of health care
  • 20. What is the HIPAA Security Rule?
     The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form. Identifiable health information is:
     – Your past, present, or future physical or mental health or condition,
     – Your type of health care, or
     – Past, present, or future payment methods for the type of health care received.
  • 21. Who Must Comply?
     Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
     – Health care plans: HMOs, group health plans, etc.
     – Health care clearinghouses: billing and repricing companies, etc.
     – Health care providers: doctors, dentists, hospitals, etc.
  • 22. How Does One Comply?
     Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.
  • 23. Administrative Safeguards
     To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
     – Conduct a Risk Analysis.
     – Implement Risk Management Actions.
     – Develop a Sanction Policy to deal with violators.
     – Conduct an Information System Activity Review.
  • 24. Physical Safeguards
     The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.
  • 25. Technical Safeguards
     Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it. The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.
  • 26. Key Elements of Compliance
     1. Obtain and Maintain Senior Management Support
     2. Develop and Implement Security Policies
     3. Conduct and Maintain Inventory of EPHI
     4. Be Aware of Political and Cultural Issues Raised by HIPAA
     5. Conduct Regular and Detailed Risk Analysis
     6. Determine What is Appropriate and Reasonable
     7. Documentation
     8. Prepare for ongoing compliance
  • 27. Penalties
     – Civil penalties are $100 per violation, up to $25,000 per year for each violation.
     – Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
     Additional Negatives:
     – Negative publicity
     – Loss of Customers
     – Loss of Business Partners
     – Legal Liability
  • 28. Conclusion
     – Compliance will require Covered Entities to identify the risks to their EPHI and implement security best practices
     – Complying with the Security Rule can require significant time and resources
     – Compliance efforts should be currently underway
  • 29. Contacts
     NC State University
     Leo Howell, CISSP CEH CCSP CBRM, Information Security Analyst
     IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support
     leo_howell@ncsu.edu, (919) 513-1169
     John Baines, CISSP, Assistant Director
     IAS-Information Assurance and Security, ETSS-Enterprise Technology Services and Support
     john_baines@ncsu.edu
     East Carolina University
     Sharon McLawhorn McNeil, IT-Security Analyst
     McLawhorns@ecu.edu, 252-328-9112