A Practical Risk-Based Approach

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Auditing, Assurance and Governance in Local Government
Lisanne Sison Director ERM Bickmore
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Enterprise Resource Planning
Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:
IT Governance and Management
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
The Information Systems Audit Process
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Patch Management Strategy
Privileged and Confidential Strategic Approach to Asset Management Presented to October Urban Water Council Regional Seminar.
Information Technology Audit
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.
Evolving IT Framework Standards (Compliance and IT)
GRC - Governance, Risk MANAGEMENT, and Compliance
The Challenge of IT-Business Alignment
Roles and Responsibilities
Challenges in Infosecurity Practices at IT Organizations
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.
DRAFT – For Discussion Only HHSC IT Governance Executive Briefing Materials DRAFT April 2013.
© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.
10/20/ The ISMS Compliance in 2009 GRC-ISMS Module for ISO Certification.
Holistic Approach to Security
Environmental Management System Definitions
普 华 永 道 Phase 1: Project Preparation Phase 1: Project Preparation Phase Overview Phase Overview.
Eliza de Guzman HTM 520 Health Information Exchange.
Enterprise Architecture, Enterprise Data Management, and Data Standardization Efforts at the U.S. Department of Education May 2006 Joe Rose, Chief Architect.
1 National Audioconference Sponsored by the HIPAA Summit June 6, 2002 Chris Apgar, CISSP Data Security & HIPAA Compliance Officer Providence Health Plan.
Working with HIT Systems
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
The Evolution, Development & Training of HIPAA Policies and Procedures in a Decentralized Health Care Environment Presented By: Sharon A. Budman, M.S.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Company: Cincinnati Insurance Company Position: IT Governance Risk & Compliance Service Manager Location: Fairfield, OH About the Company : The Cincinnati.
HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.
1 COSO ERM Framework Update Our Next Challenge and Opportunity September 2015.
CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.
Sourcing Evaluation Life Cycle Go/No Go decision points Competition Alignment Discovery Con tract Modification Project Initiation Vendor Capabilities Contract.
Strategic planning A Tool to Promote Organizational Effectiveness
Mgt Project Portfolio Management and the PMO Module 8 - Fundamentals of the Program Management Office Dr. Alan C. Maltz Howe School of Technology.
Sample Fit-Gap Kick-off
Office 365 Security Assessment Workshop
Data Minimization Framework
Data Architecture World Class Operations - Impact Workshop.
Description of Revision
IS4680 Security Auditing for Compliance
2017 Health care Preparedness and Response Draft Capabilities
Privacy Project Framework & Structure
Cybersecurity ATD technical
HIPAA Security Standards Final Rule
Outline What is governance and what does it comprise?
ISO management systems
Portfolio, Programme and Project
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
MAZARS’ CONSULTING PRACTICE Helping your Business Venture Further
MAZARS’ CONSULTING PRACTICE Helping your Business Venture Further
Presentation transcript:

A Practical Risk-Based Approach April 23, 2003

Today’s Speakers Ken DeJarnette Jody Noon Rena Mears Brian Geffert

Today’s Agenda Polling Questions <not available in printed document> Final Rule Overview Applicability Common Language Key Points An Approach to HIPAA Security Enterprise Security Program Lessons Learned Interactive Questions & Answers

Final Rule Overview Administrative, Physical, Technical Safeguards Adds Required Specification Safeguards that must be implemented Adds Addressable Specification Assess whether an implementation specification is a reasonable and appropriate safeguard in its environment More flexible and less prescriptive than the draft security rules Requires organizations to document the decision process (e.g. framework) used to determine how to implement the required and addressable specifications Removes Electronic Signature Standard Compliance date is April 21, 2005 The Final HIPAA rules have simplified the rules and aligned the security rules with the privacy rules. In addition, the final rules removed the Electronic Security Standards. The final rules are more flexible and less prescriptive, but requires a organizations to document their decision process.

Applicability “Enterprise Security needs to take into account both Security and Privacy”

Common Language

Key Points “Not a New Approach” Security Standards are not novel or exhaustive (i.e. ISO 17799, Common Criteria, etc.) Risk-based Approach is similar to what is happening in other industries (i.e. GLBA in Financial Services)

“Flexibility is Opportunity” Key Points “Flexibility is Opportunity” Less prescriptive means organizations have more choices to address implementation specifications based on the risks faced by their organization Allows organizations to balance their risks against the costs of implementing safeguards

An Approach to HIPAA Security “Do not start with a Gap Analysis”

An Approach to HIPAA Security “How do you implement and manage HIPAA security for your organization?”

An Approach to HIPAA Security “Establishing a Security Decision Framework” “Starting Point for an Enterprise Security Program Requirement and Implementation Process”

An Approach to HIPAA Security “Alignment with Enterprise Security Program (ESP) while maintaining linkage to the individual regulations”

Enterprise Security Program “Incorporating HIPAA Security into a Holistic and Process-Oriented Approach to Manage Enterprise Security” Perimeter Network Internal Network Applications Facilities Specialized Architectures BUSINESS ENABLEMENT STRATEGIC ALIGNMENT SECURITY FOUNDATION PROCESS ENHANCEMENT System Development Lifecycle Project Management Change Control Production Readiness Architecture Standards Help Desk Incident Response Compliance Performance Dashboard SECURITY EFFECTIVENESS IT Strategies Strategic Business Drivers Security Strategy & Policy Legal/Regulatory Requirements Desired Risk Profile Privacy Blueprint Identity Management Blueprint Application Integrity Blueprint Infrastructure Blueprint Logging, Monitoring & Reporting Systems & Network Infrastructure Physical & Environmental Information & Asset Baseline Management Blueprint ISO/IEC 17799 Industry Standards TAILORED BEST PRACTICES Business Continuity Management Blueprint

“Everyone is on the same page through a common risk language” Strategic Alignment “Everyone is on the same page through a common risk language” Perimeter Network Internal Network Applications Facilities Specialized Architectures BUSINESS ENABLEMENT STRATEGIC ALIGNMENT SECURITY FOUNDATION PROCESS ENHANCEMENT System Development Lifecycle Project Management Change Control Production Readiness Architecture Standards Help Desk Incident Response Compliance Performance Dashboard SECURITY EFFECTIVENESS IT Strategies Strategic Business Drivers Security Strategy & Policy Legal/Regulatory Requirements Desired Risk Profile Privacy Blueprint Identity Management Blueprint Application Integrity Blueprint Infrastructure Blueprint Logging, Monitoring & Reporting Systems & Network Infrastructure Physical & Environmental Information & Asset Baseline Management Blueprint ISO/IEC 17799 Industry Standards TAILORED BEST PRACTICES Business Continuity Management Blueprint

“Core security program and standards established” Security Foundation “Core security program and standards established” Perimeter Network Internal Network Applications Facilities Specialized Architectures BUSINESS ENABLEMENT STRATEGIC ALIGNMENT SECURITY FOUNDATION PROCESS ENHANCEMENT System Development Lifecycle Project Management Change Control Production Readiness Architecture Standards Help Desk Incident Response Compliance Performance Dashboard SECURITY EFFECTIVENESS IT Strategies Strategic Business Drivers Security Strategy & Policy Legal/Regulatory Requirements Desired Risk Profile Privacy Blueprint Identity Management Blueprint Application Integrity Blueprint Infrastructure Blueprint Logging, Monitoring & Reporting Systems & Network Infrastructure Physical & Environmental Information & Asset Baseline Management Blueprint ISO/IEC 17799 Industry Standards TAILORED BEST PRACTICES Business Continuity Management Blueprint

Process Enhancement “Evolutionary integration and consistent execution of security across the enterprise” Perimeter Network Internal Network Applications Facilities Specialized Architectures BUSINESS ENABLEMENT STRATEGIC ALIGNMENT SECURITY FOUNDATION PROCESS ENHANCEMENT System Development Lifecycle Project Management Change Control Production Readiness Architecture Standards Help Desk Incident Response Compliance Performance Dashboard SECURITY EFFECTIVENESS IT Strategies Strategic Business Drivers Security Strategy & Policy Legal/Regulatory Requirements Desired Risk Profile Privacy Blueprint Identity Management Blueprint Application Integrity Blueprint Infrastructure Blueprint Logging, Monitoring & Reporting Systems & Network Infrastructure Physical & Environmental Information & Asset Baseline Management Blueprint ISO/IEC 17799 Industry Standards TAILORED BEST PRACTICES Business Continuity Management Blueprint

“End-to-end transaction integrity achieved” Business Enablement “End-to-end transaction integrity achieved” Perimeter Network Internal Network Applications Facilities Specialized Architectures BUSINESS ENABLEMENT STRATEGIC ALIGNMENT SECURITY FOUNDATION PROCESS ENHANCEMENT System Development Lifecycle Project Management Change Control Production Readiness Architecture Standards Help Desk Incident Response Compliance Performance Dashboard SECURITY EFFECTIVENESS IT Strategies Strategic Business Drivers Security Strategy & Policy Legal/Regulatory Requirements Desired Risk Profile Privacy Blueprint Identity Management Blueprint Application Integrity Blueprint Infrastructure Blueprint Logging, Monitoring & Reporting Systems & Network Infrastructure Physical & Environmental Information & Asset Baseline Management Blueprint ISO/IEC 17799 Industry Standards TAILORED BEST PRACTICES Business Continuity Management Blueprint

Security Effectiveness “Is everything ok?” Perimeter Network Internal Network Applications Facilities Specialized Architectures BUSINESS ENABLEMENT STRATEGIC ALIGNMENT SECURITY FOUNDATION PROCESS ENHANCEMENT System Development Lifecycle Project Management Change Control Production Readiness Architecture Standards Help Desk Incident Response Compliance Performance Dashboard SECURITY EFFECTIVENESS IT Strategies Strategic Business Drivers Security Strategy & Policy Legal/Regulatory Requirements Desired Risk Profile Privacy Blueprint Identity Management Blueprint Application Integrity Blueprint Infrastructure Blueprint Logging, Monitoring & Reporting Systems & Network Infrastructure Physical & Environmental Information & Asset Baseline Management Blueprint ISO/IEC 17799 Industry Standards TAILORED BEST PRACTICES Business Continuity Management Blueprint

Enterprise Security Program Everyone is on the same page through a common risk language Core security program and standards established Security Foundation Evolutionary integration and consistent execution of security across the enterprise Process Enhancement End-to-end transaction integrity achieved Business Enablement Is everything ok? Security Effectiveness Strategic Alignment

Lessons Learned Involve the Business and key stakeholders Risk tolerance is a key component in determining information security end state during HIPAA Assessment Maintain a tight linkage between the regulatory requirements, business requirements and proposed information security processes and solutions Use an Enterprise Security Framework Facilitate a common method for evaluating security requirements and deploying security solutions across the organization Providing for consistent security decisions, planning and investments Develop reasonable and practical interpretations of the HIPAA Security Regulations HIPAA tells you “what to do”, but gives latitude on “how to do it”

Lessons Learned An organizational Risk Management and Planning process is essential Gain consensus around threats, risks and defining acceptable risk Develop repeatable, traceable Risk Management process Develop actionable projects that tie back to the original requirements and address the identified security gaps Aggregate and prioritize projects into an overall program plan Develop strong, sustainable linkages that can trace project justification to original gaps/findings Privacy is a key element to process Privacy stakeholders and subject matter experts need to be actively involved in the process

Interactive Q&A Ken DeJarnette Jody Noon Rena Mears Brian Geffert Thank you for participating! For more information, please contact the team by calling (800) 877-1298 or sending an email to HIPAAHC@deloitte.com. You can also access all of our HIPAA materials at www.deloitte.com/us/healthcare.

Speakers’ Bios Ken DeJarnette, Principal, Deloitte & Touche, Privacy Practice (415) 783-4316 or kdejarnette@deloitte.com Mr. DeJarnette is a Principal in Deloitte & Touche, specializing in the areas of security and privacy. In addition to practicing law for several years, Ken has over ten years experience in product development and management, and security and privacy consulting. Ken has lead security and privacy projects in regulated industries, including the development of enterprise security programs, the development of security risk frameworks for analyzing processes, systems and applications, the development of security polices and procedures, and the design and implementation of secure infrastructures. Ken is also a member of several ABA committees, including the Information Security Committee (where he is listed as a contributor to the development of the PKI Assessment Guidelines), and the Privacy and Computer Crimes Committee (where he is the co-chair for the Corporate Privacy Handbook). He is also a member of the International Privacy Officers Association and speaks frequently on the topic of information security programs and data protection in financial institutions.

Speakers’ Bios Jody Noon, <Title> (503) 727-5207 or jodynoon@deloitte.com <Insert Bio here>

Speakers’ Bios Rena Mears, Partner, Deloitte & Touche, Privacy Practice (415) 783-5662 or renamears@deloitte.com Rena Mears is a partner in Deloitte’s privacy practice. She has more than fifteen years experience in management consulting, with an emphasis on the design and implementation of privacy architectures. For our clients, Rena has been the partner-in-charge of significant privacy projects involving privacy assessments, the design of methodologies for surveying and inventorying personally identifiable information across large entities, the development of privacy risk frameworks for analyzing businesses and processes, and the design and implementation of secure infrastructures. In addition, she has advised her clients on issues involving the European Union Data Protection Directive, Safe Harbor, Gramm-Leach-Bliley, and HIPAA. Rena regularly presents at conferences and workshops, speaking on subjects related to Data Privacy, Privacy Architecture and Public Key Infrastructure Implementation. Rena is a member of the American Bar Association Information Security Committee, the American Institute of Certified Public Accountants Information Technology Committee, and the IBM Privacy Management Council (Founding Member).

Speakers’ Bios Brian Geffert, Senior Manager, Deloitte & Touche, Security Services (415) 783-4162 or bgeffert@deloitte.com Mr. Geffert specializes in health care information systems controls and technology risk assessments. Mr. Geffert has worked on the development of HIPAA assessment tools and services for health care industry clients to determine the level of readiness with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In addition, Mr. Geffert conducts HIPAA awareness training related to the security and privacy requirements for health care organizations. Finally, Mr. Geffert has developed plans and implemented solutions to address health care clients HIPAA security requirements. Mr. Geffert has presented and participated in panel discussions on HIPAA at health care industry conferences and meetings. Also, Mr. Geffert has served as a member of the executive committee of the HIPAA Security Summit, which is an industry lead group, to develop the implementation guides for the HIPAA security standards. Mr. Geffert has served a member of the steering committee for the Strategic National Implementation Process (SNIP), sponsored by WEDI, which is addressing implementation related issues surrounding the HIPAA regulations. Finally, Mr. Geffert is the co-author of “HIPAA 201: A Framework Approach to HIPAA Security Readiness”. Mr. Geffert is a member of the Information Systems Audit & Control Association (ISACA) and a Certified Information Systems Auditor (CISA). In addition, Mr. Geffert is a Certified Information Systems Security Professional (CISSP). Finally, he is a member of the Health Information Systems Security Association (ISSA).