Information Security Technological Security Implementation and Privacy Protection.

Agenda
- Security Theory
- Administrative Security
- Basic Security Technologies
- Potential Attacks
- HIPAA Security Rule Overview
- Challenges of a Changing World

Information Security Theory

Technological Security is...
- Fluid
- Imperfect
- Difficult
- Tedious
- Inconvenient

C.I.A. Triad
The basic premise of information security:
- Confidentiality: secret information remains secret (it is not disclosed to unauthorized people or systems)
- Integrity: information is not altered or destroyed without authorization
- Availability: information is accessible when it is needed

Authentication vs. Authorization
Two parts of the cliché "who are you, and what are you doing here?"
- Authentication: proving identity (who are you?)
- Authorization: allowing or disallowing actions once identity has been established (what are you doing here?)

Least Privilege and Need-to-Know
Basic tenets of information and system access control:
- Least Privilege: possessing the least amount of access necessary to perform a job function
- Need-to-Know: access to specific information is granted only when the job requires it; holding a privileged role does not by itself justify access to every record

States of Data
- Data in Transit: information being transmitted between systems, for example over a network
- Data at Rest: information stored in any location, such as a hard drive or flash drive
Each state needs its own protection: what secures a network connection does nothing for a lost laptop, and vice versa.

Administrative Functions of Security: Policy Implementation

Risk Management Program
- Identify risks: to information, systems, facilities, personnel, and reputation
- Determine the probability of occurrence
- Determine the impact on confidentiality, integrity, and availability
- Accept the risk or mitigate it, and record who made that decision and why
- Document, and reevaluate periodically and whenever systems or threats change

Security Incidents
- Any occurrence with potential security impact is an incident: malware infection, unauthorized access, data breach, and many more
- An incident management plan is required
- From HIPAA: "Breach means the acquisition, access, use, or disclosure of protected health information in a manner...which compromises the security or privacy of the protected health information."
- Not every incident is a breach, but every incident must be handled and documented so that determination can be made
- Breach notification laws vary from state to state

Account and Access Management Policies
- Documented methodology for managing access: provisioning, altering, revoking, and reviewing access
- Unique identifiers: one username per person, no shared accounts, so that every action can be attributed to an individual
- Role-based access control: users or systems are given access based on their role in the organization; for example, physicians have access to more health information than administrative assistants
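
The following Python is an added example, not code from the original presentation, showing how the three ideas above combine in a single authorization check: a role grants only the permissions its job needs (least privilege), the caller must also be on the patient's care team (need-to-know), and the emergency "break glass" path is allowed but written to the audit log for review. The roles, permissions, users and patient identifiers are constructed for the example, and the caller is assumed to have already authenticated.

```python
"""Authorization built from role-based access control, least privilege and
need-to-know. Added example with constructed roles, users and patient IDs;
the caller is assumed to have already been authenticated."""
from dataclasses import dataclass

# A permission is an (action, resource) pair. Each role carries only the
# permissions its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "physician": {("read", "chart"), ("write", "chart"),
                  ("read", "lab_results"), ("write", "orders")},
    "nurse": {("read", "chart"), ("read", "lab_results"), ("write", "vitals")},
    "admin_assistant": {("read", "demographics"), ("write", "appointments")},
}

AUDIT_LOG = []  # every decision is recorded; in production this is an append-only, monitored log


@dataclass(frozen=True)
class User:
    username: str             # unique identifier, never shared between people
    roles: frozenset          # roles granted to this account
    care_team_for: frozenset  # patient IDs this user is currently treating (need-to-know)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_of(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, action, resource, patient_id, break_glass=False):
    """Decide whether an authenticated user may perform action on a patient's resource.

    1. RBAC: the user's roles must include (action, resource).
    2. Need-to-know: the user must be on that patient's care team, unless the
       emergency-access ("break glass") procedure is invoked, which is granted
       but logged for mandatory after-the-fact review.
    """
    who = f"{user.username} {action} {resource} patient={patient_id}"
    if (action, resource) not in permissions_of(user):
        AUDIT_LOG.append(f"DENY  {who}: role lacks permission")
        return Decision(False, "role lacks permission")
    if patient_id not in user.care_team_for:
        if not break_glass:
            AUDIT_LOG.append(f"DENY  {who}: not on care team")
            return Decision(False, "not on care team")
        AUDIT_LOG.append(f"ALLOW {who}: BREAK-GLASS, review required")
        return Decision(True, "emergency access, audited")
    AUDIT_LOG.append(f"ALLOW {who}")
    return Decision(True, "role permission and need-to-know satisfied")


# Constructed users for the demonstration.
DR_LEE = User("lee.m", frozenset({"physician"}), frozenset({"P-1001", "P-1002"}))
NURSE_KIM = User("kim.j", frozenset({"nurse"}), frozenset({"P-1001"}))
ASSISTANT = User("ortiz.a", frozenset({"admin_assistant"}), frozenset({"P-1001", "P-1002"}))


def demo():
    """Representative cases; returns {case: allowed}."""
    return {
        "physician reads chart of own patient": authorize(DR_LEE, "read", "chart", "P-1001").allowed,
        "assistant reads chart (role lacks permission)": authorize(ASSISTANT, "read", "chart", "P-1001").allowed,
        "nurse reads chart of patient not on panel": authorize(NURSE_KIM, "read", "chart", "P-1002").allowed,
        "nurse breaks glass for that patient": authorize(NURSE_KIM, "read", "chart", "P-1002", break_glass=True).allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {case}")
    print("\n".join(AUDIT_LOG))
```

The point of the break-glass branch is that an emergency access procedure does not remove the control; it moves it from prevention to detection, which only works if someone actually reviews the audit entries it produces.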

Auditing and Logging
- Various levels and types of logging
- Record activities, particularly security events: logins, failed logins, access to sensitive records, privilege changes
- Monitor the logs; a log that nobody reads provides no security
- Identify areas of concern and follow up on them
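
As an added example that is not part of the original presentation, the following Python runs the kind of log monitoring the slide calls for over a handful of authentication log lines. It flags three discrepancies a reviewer would want surfaced: a burst of failed logins from one source against one account, a successful login immediately after such a burst, and a login outside business hours. The log format, the sample lines, the thresholds and the business-hours window are all constructed for the example and do not come from any real product.

```python
"""Log monitoring: parse authentication events and flag the discrepancies a
reviewer should examine. Added example; the log format and the sample lines
are constructed for it and do not come from any real product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> auth src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

FAIL_THRESHOLD = 5                   # failures from one source against one account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window count as a brute-force burst
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 is considered normal for this office

SAMPLE_LOG = """\
2024-03-11T09:01:12 auth src=10.0.5.23 user=lee.m result=OK
2024-03-11T02:14:05 auth src=198.51.100.7 user=kim.j result=FAIL
2024-03-11T02:14:09 auth src=198.51.100.7 user=kim.j result=FAIL
2024-03-11T02:14:13 auth src=198.51.100.7 user=kim.j result=FAIL
2024-03-11T02:14:20 auth src=198.51.100.7 user=kim.j result=FAIL
2024-03-11T02:14:27 auth src=198.51.100.7 user=kim.j result=FAIL
2024-03-11T02:14:31 auth src=198.51.100.7 user=kim.j result=OK
2024-03-11T12:30:00 auth src=10.0.5.40 user=ortiz.a result=FAIL
2024-03-11T12:30:20 auth src=10.0.5.40 user=ortiz.a result=OK
kernel: this line is not an auth event and must not crash the monitor
"""


def parse(text):
    """Return (events sorted by time, number of lines that did not parse)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1   # counted, not silently dropped: a parser gap hides events
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "user": m["user"], "ok": m["result"] == "OK"})
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def analyze(events):
    """Return findings as (kind, user, src) tuples in the order they are detected."""
    findings = []
    recent_fails = defaultdict(list)   # (src, user) -> failure timestamps inside the window
    burst_reported = set()
    for ev in events:
        key = (ev["src"], ev["user"])
        window = [t for t in recent_fails[key] if ev["ts"] - t <= FAIL_WINDOW]
        if not ev["ok"]:
            window.append(ev["ts"])
            recent_fails[key] = window
            if len(window) >= FAIL_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                findings.append(("brute_force", ev["user"], ev["src"]))
            continue
        # A success right after a burst of failures is the worst case: the guessing worked.
        if len(window) >= FAIL_THRESHOLD:
            findings.append(("success_after_burst", ev["user"], ev["src"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_login", ev["user"], ev["src"]))
        recent_fails[key] = []
    return findings


def run(text=SAMPLE_LOG):
    """Parse and analyze; returns (findings, unparsed line count)."""
    events, unparsed = parse(text)
    return analyze(events), unparsed


if __name__ == "__main__":
    findings, unparsed = run()
    for kind, user, src in findings:
        print(f"{kind:20} user={user} src={src}")
    print(f"{unparsed} line(s) did not match the expected format")
```

Two design choices matter more than the thresholds: lines that fail to parse are counted and reported rather than discarded, because a format change in the log source would otherwise blind the monitor silently, and events are sorted by timestamp before analysis so that out-of-order delivery cannot split a burst across the window.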

Basics of Security Technology

Authentication Mechanisms
- Passwords (something you know)
- Single-use tokens, e.g. one-time codes from a hardware or software token (something you have)
- Certificates (a private key held by the user or device)
- Biometrics (something you are)

Multi-Factor Authentication
Use of multiple authentication mechanisms of different kinds (something you know, something you have, something you are) to establish identity. Two passwords are not two factors, and the second factor only helps if a stolen password alone cannot be used to log in.
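
The following Python is an added example, not code from the original presentation, combining two of the mechanisms listed above into a multi-factor login: a password verified against a salted PBKDF2 hash (something you know) and a single-use time-based one-time password computed per RFC 6238 (something you have). The account, the password and the clock values are constructed; the shared secret is the published RFC 4226/6238 test secret so the generated codes can be checked against the RFC vectors. Library calls are standard-library only.

```python
"""Multi-factor authentication: a password (something you know) verified
against a salted PBKDF2 hash, plus a single-use time-based one-time password
(something you have) computed per RFC 6238. Added example; the account and
clock values are constructed, and the RFC 4226/6238 test secret is used so the
codes can be checked against the published vectors."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000   # deliberately slow to make offline guessing expensive
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password, salt=None):
    """Return (salt, digest). Only the salt and digest are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored_digest)   # constant-time comparison


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=TOTP_STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step)


class Account:
    def __init__(self, username, password, totp_secret):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter_used = -1   # each code is accepted at most once

    def login(self, password, code, now=None):
        """Both factors must pass. The TOTP step is consumed only after the
        password verifies, and a replayed code for an already-used step is rejected."""
        now = time.time() if now is None else now
        if not verify_password(password, self.salt, self.pw_hash):
            return False
        counter = int(now) // TOTP_STEP_SECONDS
        # Accept the current step and the previous one (clock skew), never a used one.
        for c in (counter, counter - 1):
            if c > self.last_counter_used and hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter_used = c
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"   # secret from the RFC 4226 / RFC 6238 test vectors


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery", RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)   # RFC 6238 vector: 287082 for T=59 with a 30 s step
    print("first login:", acct.login("correct horse battery", code, now=59))
    print("replayed code:", acct.login("correct horse battery", code, now=59))
    print("wrong password:", acct.login("wrong", totp(RFC_TEST_SECRET, 120), now=120))
```

The "single-use" property is not something the TOTP algorithm gives you for free: the server has to remember the last step it accepted and refuse it again, otherwise a code phished in the last thirty seconds can be replayed just like a password.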

Encryption
- Transforms information so that it is unreadable without the key; data appears completely random while encrypted, and anyone without the key learns nothing from it
- Many different types, and implementation matters: encryption by itself does not guarantee integrity, and key management decides whether the protection holds
- Common uses: securing websites through SSL/TLS (HTTPS); whole-disk encryption for data at rest
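
As an added example that is not part of the original presentation, the following Python shows why "implementation matters": a stream cipher makes the ciphertext look random and keeps the record confidential, yet an attacker who never learns the key can still flip bits in the ciphertext and change a dose in the decrypted record, because confidentiality is not integrity. Adding a MAC over the ciphertext (encrypt-then-MAC) makes the same tampering detectable. The record, the keys and the attack position are constructed for the example; the keystream is HMAC-SHA256 run in counter mode, chosen so the block needs only the standard library. Production code should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 rather than this illustration.

```python
"""Why implementation matters: a stream cipher keeps data confidential
(ciphertext looks random to anyone without the key) but gives no integrity,
so an attacker who never learns the key can still change the plaintext.
Added example with a constructed record; the keystream is HMAC-SHA256 in
counter mode so the block needs only the standard library. Production code
should use a vetted authenticated cipher (AES-GCM, ChaCha20-Poly1305)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32
RECORD = b"patient=P-1001 dose_mg=010 drug=warfarin"          # constructed ePHI record
DOSE_OFFSET = RECORD.index(b"dose_mg=") + len(b"dose_mg=")   # position of the first dose digit


def keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) for counter = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key, plaintext):
    """Confidentiality only. A fresh random nonce per message, so equal plaintexts differ."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def encrypt_then_mac(enc_key, mac_key, plaintext):
    """Confidentiality plus integrity: authenticate nonce and ciphertext with a separate key."""
    blob = encrypt_unauthenticated(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def decrypt_and_verify(enc_key, mac_key, blob):
    """Verify the tag before touching the ciphertext; reject anything modified."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, body)


def flip_dose_digit(blob, old, new):
    """Attacker with no key: flipping bits of a ciphertext byte flips the same plaintext bits."""
    b = bytearray(blob)
    b[NONCE_LEN + DOSE_OFFSET] ^= ord(old) ^ ord(new)
    return bytes(b)


def demo(enc_key=b"\x01" * 32, mac_key=b"\x02" * 32):
    """Run the same bit-flip attack against both schemes and report what each yields."""
    plain_blob = encrypt_unauthenticated(enc_key, RECORD)
    tampered_plain = decrypt_unauthenticated(enc_key, flip_dose_digit(plain_blob, "0", "9"))
    sealed = encrypt_then_mac(enc_key, mac_key, RECORD)
    try:
        decrypt_and_verify(enc_key, mac_key, flip_dose_digit(sealed, "0", "9"))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip_ok": decrypt_unauthenticated(enc_key, plain_blob) == RECORD,
        "ciphertexts_differ": plain_blob != encrypt_unauthenticated(enc_key, RECORD),
        "unauthenticated_after_attack": tampered_plain,
        "encrypt_then_mac_detects_attack": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the encryption key and the MAC key are different values: reusing one key for two purposes is exactly the kind of implementation detail the slide warns about, and the verify step runs before any decryption so that a forged message is never acted on.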

Potential Attacks

Malware
- Any type of malicious program: viruses, Trojans, adware, spyware, and more
- No anti-virus program is 100% effective
- Malware is no longer destructive for the fun of it; it is used for profit and data theft, with extensive organized crime involvement
- According to the 2013 Verizon Data Breach Investigations Report, malware was involved in 40% of the data breaches analyzed for 2012

Social Engineering
- Convincing a person within an organization to take a certain action: reveal private information, click a link, open an attachment
- People are wired to help each other, and attackers exploit that
- Phishing (mass, generic lures) and spear-phishing (lures tailored to a specific person or organization)

Vulnerability of Media and Mobile Devices
- Any method of transporting information represents risk
- Mobile devices (smartphones, tablets, laptops): they access the organization's network and contain sensitive information; convenient but dangerous
- Media (CDs, DVDs, USB flash drives, etc.): all types of information can be carelessly stored on media, and media is easy to lose
- Encryption of the device or media limits the damage when it goes missing; a lost encrypted disk is a lost disk, a lost unencrypted one is a breach

HIPAA Security Rule Overview

Administrative Safeguards
- Access establishment and modification: a process for establishing, documenting, modifying, and reviewing access
- Security awareness and training program: protection from malicious software; log-in monitoring and reporting of discrepancies; password management (setting and changing passwords, password requirements)
- Security incident management procedures

Contingency Planning
- Data backup
- Disaster recovery
- Emergency mode operation: procedures for continuing operation despite adverse conditions
- Testing and evaluating the plan
- Determining the criticality of systems for contingency operations

Technical Safeguards
- Access control: emergency access procedure, automatic logoff, encryption/decryption of ePHI
- Audit controls
- Integrity controls: a method of authenticating information, i.e. verifying that ePHI has not been altered or destroyed
- Person or entity authentication
- Transmission security: integrity controls and encryption for ePHI in transit

Challenges of a Changing World

Looking Ahead
- Cloud computing and cloud storage
- Mobile malware
- Moving beyond anti-virus
- Bring Your Own Device (BYOD)

Christopher J. Morgan