1. UNC CAUSE November 2006
Planning for Information Security and HIPAA Compliance
“Security should follow data”
Leo Howell, CISSP and John Baines, CISSP
IAS-Information Assurance & Security
ETSS-Enterprise Technology Services & Support
North Carolina State University
Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University
2. What’s it all about, Webster?
Defalcation
– Pronunciation: *d*-*fal-*k*-sh*n
– Date: 15th century
– 1 archaic : DEDUCTION
– 2 : the act or an instance of embezzling
– 3 : a failure to meet a promise or an expectation
Malfeasance
– Pronunciation: *mal-*f*-z*n(t)s
– Date: 1696
– wrongdoing or misconduct especially by a public official
Two twenty dollar words
– Fraud and criminal business acts
– Reaction to the excesses of the 80’s and 90’s
"Planning for Security and HIPAA Compliance" NCSU and ECU 2
3. Increasingly Complicated Compliance Constraints
Statute                                         | Type of requirement      | University data    | Example data location
------------------------------------------------+--------------------------+--------------------+----------------------
FERPA                                           | Federal law              | Student records    | Faculty PC or server
HIPAA                                           | Federal law              | Health records     | Athletics dept.
GLBA                                            | Federal law              | Financial data     | Financial Aid
PCI DSS - Data Security Std.                    | Payment Card Industry    | Credit card data   | Bookstore server
SB 1048                                         | State Identity Theft law | SSN, etc.          | R&R
State Employee Personal Information Privacy law |                          | Staff data         | Payroll
Federal Grants                                  | Contract requirements    | Research materials | Lab PC
4. Educational Institutes Seen as Easy Marks
Los Angeles Times article - May 30, 2006
‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’
‘we were adding on another university every week to look into’
- Michael C. Zweiback, assistant U.S. attorney
5. Information Security Planning
High level tasks
Make a conscious decision to plan for security
and compliance for improved efficiency and
effectiveness
Understand the business goals and objectives
Conduct a risk assessment; factor in compliance!
Develop the plan
6. Data Classification Standard, DCS forms the foundation
3 classification levels: High, Moderate, Normal
Based on data business and sensitivity value, financial implications, legal obligations
[Diagram labels: Identification, Confidentiality, Classification, Protection, Consistency]
7. Data Management Procedures, DMP assigns ownership and accountability
Role relationships:
– Data Trustee: oversight responsibility
– Data Steward: access within his or her unit; accuracy, privacy, and security
– User
– Data Custodians: responsibilities are physical data management, e.g. Application Security Unit; manage access rights based on Guidelines
– Security Administrator: authorizes users
8. Seven Steps
RMIS Information System Security
Plan, RISSP
Leo Howell
Information Security Analyst
9. STEP ONE – Understand the Asset
Effective security begins with a solid understanding of the protected asset and its value.
At NC State we have identified DATA as our primary asset.
Philosophically, we believe that “security should follow data”. But we know that not all data were created equal.
10. STEP TWO – Identify and prioritize Threats
Governance:
– policy breach
– rebellion
– theft
Physical:
– equipment theft/damage
Endpoint:
– theft
– social engineering
Infrastructure & Application:
– disclosure
– data theft
– DoS
– unauthorized access
Data:
– unauthorized access
– corruption/destruction
11. STEP THREE – Identify and rank Vulnerabilities
Governance:
– policy loopholes
Physical:
– weak perimeter
Endpoint:
– ignorance
Infrastructure & Application:
– “open” network
– unpatched systems/OS
– open access
– misconfiguration
Data:
– unencrypted storage
– insecure transmission
12. STEP FOUR – Quantify Relative Risk, R
R = µVAT
V = vulnerability
A = asset
T = threat
µ = likelihood of T
The greater the number of vulnerabilities the bigger the risk.
The greater the value of the asset the bigger the risk.
The greater the threat the bigger the risk.
13. STEP FIVE – Develop a strategy
3 virtual operational protection zones, OPZ, based on Data Classification
High:
- significant business impact
- financial loss
- regulatory compliance
Moderate:
- adversely affects business and reputation
Normal:
- minimal adverse effect on business
- authorization required to modify or copy
Examples: Laptop with High data; Server with Moderate data
Types of data stored, accessed, processed or transmitted dictates OPZ
Higher Classification implies Increased Security
14. STEP SIX – Establish target standards
Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53:
1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security
Amount and stringency of security controls at each level varies with data classification.
15. Snippet from Data Security Standard
Security Control                    | Red Zone  | Yellow Zone | Green Zone
------------------------------------+-----------+-------------+------------
Encrypt stored data                 | Mandatory | Recommended | Optional
Limit data stored to external media | Mandatory | Recommended | Optional
Encrypt transmitted data            | Mandatory | Mandatory   | Recommended
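As an added worked example (not code from the NCSU/ECU slides), the following Python script applies the relative-risk formula R = µVAT from Step Four to a constructed inventory of assets, assigns each asset an operational protection zone from the classification of the data it holds, and reports which Mandatory controls from the Data Security Standard snippet are missing, which yields the prioritized action list Step Seven asks for. It assumes the snippet's Red, Yellow and Green zones correspond to the High, Moderate and Normal classification levels in that order; the asset names, scores and control states are constructed for illustration.

```python
"""Added worked example (not from the NCSU/ECU slides): rank assets by the
deck's relative-risk formula R = mu * V * A * T, derive each asset's
operational protection zone from its data classification, and list the
Mandatory controls from the Data Security Standard snippet it lacks.

Assumption: the snippet's Red / Yellow / Green zones correspond to the
High / Moderate / Normal classification levels, in that order.
All asset names, scores and control states below are constructed.
"""
from dataclasses import dataclass, field

ZONE_FOR_CLASS = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}

# Requirement matrix transcribed from the "Snippet from Data Security Standard" slide.
CONTROL_MATRIX = {
    "encrypt_stored_data":      {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "limit_external_media":     {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "encrypt_transmitted_data": {"Red": "Mandatory", "Yellow": "Mandatory",   "Green": "Recommended"},
}


@dataclass
class Asset:
    name: str
    classification: str      # High / Moderate / Normal, per the DCS
    asset_value: float       # A: relative value of the data (constructed 1..10 scale)
    vulnerability: float     # V: number / severity of known weaknesses
    threat: float            # T: threat severity (constructed 1..10 scale)
    likelihood: float        # mu: likelihood that T materialises, 0..1
    controls: dict = field(default_factory=dict)   # control name -> implemented?


def relative_risk(a: Asset) -> float:
    """R = mu * V * A * T, as stated on the Step Four slide."""
    return a.likelihood * a.vulnerability * a.asset_value * a.threat


def zone(a: Asset) -> str:
    """The classification of the data held dictates the operational protection zone."""
    return ZONE_FOR_CLASS[a.classification]


def control_gaps(a: Asset) -> list:
    """Controls the standard makes Mandatory in the asset's zone that are not in place.
    Recommended and Optional controls never count as gaps here."""
    z = zone(a)
    return sorted(name for name, req in CONTROL_MATRIX.items()
                  if req[z] == "Mandatory" and not a.controls.get(name, False))


def action_list(assets):
    """Step Seven: action items ordered by relative risk, highest first
    (ties broken by the number of missing mandatory controls).
    Each entry is (asset name, R, zone, missing mandatory controls)."""
    ranked = sorted(assets,
                    key=lambda a: (relative_risk(a), len(control_gaps(a))),
                    reverse=True)
    return [(a.name, relative_risk(a), zone(a), control_gaps(a)) for a in ranked]


# Constructed inventory; positional order is name, classification, A, V, T, mu, controls.
# Likelihoods are exact binary fractions so the products are exact floats.
SAMPLE_ASSETS = [
    Asset("Athletics dept. laptop (health records)", "High", 9, 4, 8, 0.5,
          {"encrypt_stored_data": False, "limit_external_media": False,
           "encrypt_transmitted_data": True}),
    Asset("Financial Aid server (GLBA data)", "High", 8, 2, 7, 0.25,
          {"encrypt_stored_data": True, "limit_external_media": True,
           "encrypt_transmitted_data": True}),
    Asset("Departmental web server", "Moderate", 5, 5, 6, 0.5,
          {"encrypt_stored_data": False, "encrypt_transmitted_data": False}),
    Asset("Research lab PC", "Normal", 2, 6, 3, 0.75, {}),
]

if __name__ == "__main__":
    for name, r, z, gaps in action_list(SAMPLE_ASSETS):
        print(f"R={r:6.1f}  zone={z:6}  {name}  missing: {gaps or 'none'}")
```

Run as a script it prints the laptop holding High data first (R = 144, two missing mandatory controls), then the Moderate web server (R = 75, unencrypted transmission is Mandatory in the Yellow zone), and the two assets with no gaps last. The point the deck makes is visible in the output: the zone decides which controls are required, while R decides the order in which the gaps get funded and fixed.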
16. STEP SEVEN – Document the plan
Create a list of action items for the next 3 to 5 years
Prioritize the list based on risk and reality
Forecast investment
Beg, kick and scream to get funding
Implement the plan over time
Identify realistic solutions for applying the appropriate security controls at each level.
17. Quick takes
Planning paves the way for effectiveness
and efficiency for security and compliance
Understand the business and its goals
Conduct a risk assessment
Establish a strategy based on data
classification and industry standards
Develop a prioritized realistic plan
Go for the long haul!
18. Key Elements of the HIPAA
Security Rule:
And how to comply
Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University
19. Introduction
HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.
The purpose of the Security Rule:
To allow better access to health insurance
Reduce fraud and abuse
Lower the overall cost of health care.
20. What is the HIPAA Security Rule?
The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Identifiable health information is:
Your past, present, or future physical or mental health or condition,
Your type of health care, or
Past, present, or future payment methods for the type of health care received.
21. Who Must Comply?
Covered Entities (CEs) must comply with the Security
Rule. Covered Entities are health plans, health care
clearinghouses, and health care providers who transmit
any EPHI.
Health care plans - HMOs, group health plans, etc.
Health care clearinghouses - billing and repricing
companies, etc.
Health care providers - doctors, dentists, hospitals,
etc.
22. How Does One Comply?
Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.
23. Administrative Safeguards
To comply with the Administrative Safeguards
portion of the regulation, the covered entity must
implement the following "Required" security
management activities:
Conduct a Risk Analysis.
Implement Risk Management Actions.
Develop a Sanction Policy to deal with violators.
Conduct an Information System Activity Review.
24. Physical Safeguards
The physical safeguards are a series of
requirements meant to protect a Covered
Entity's computer systems, network and EPHI
from unauthorized access. The recommended
and required physical safeguards are designed
to provide facility access controls to limit
access to the organization's computer systems,
network, and the facility in which it is housed.
25. Technical Safeguards
Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it.
The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.
26. Key Elements of Compliance
1. Obtain and Maintain Senior Management
Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised
by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance
27. Penalties
Civil penalties are $100 per violation, up to $25,000
per year for each violation.
Criminal penalties range from $50,000 in fines and
one year in prison up to $250,000 in fines and 10
years in jail.
Additional Negatives:
Negative publicity
Loss of Customers
Loss of Business Partners
Legal Liability
28. Conclusion
Compliance will require Covered Entities to:
Identify the risks to their EPHI
Implement security best practices
Complying with the Security Rule can require
significant time and resources
Compliance efforts should be currently underway
29. Contacts
NC State University
Leo Howell, CISSP CEH CCSP CBRM
Information Security Analyst
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
leo_howell@ncsu.edu
(919) 513-1169
NC State University
John Baines, CISSP
Assistant Director
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
john_baines@ncsu.edu
East Carolina University
Sharon McLawhorn McNeil
IT-Security Analyst
McLawhorns@ecu.edu
252-328-9112