Security Core Training Presented by: DHHS HIPAA PMO Security Team and DIRM Networking Services.

Objectives
- Obtain a basic understanding of the proposed HIPAA Security Standard
- Obtain a general understanding of how health care components will be affected
- Obtain an understanding of the security assessment process
- Obtain an understanding of the health care component's general roles and responsibilities during the assessment process

Definitions
- Hybrid Entity: a single entity that is a covered entity and whose covered functions are not its primary functions.
- Health Care Component: the components of a covered entity that perform covered functions. For a hybrid entity, HIPAA requirements apply only to the health care component.
- Covered Function: those functions of a covered entity that make the entity a health plan, health care provider, or health care clearinghouse.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification Security and Electronic Signature Standard

HIPAA Overview
Intended to improve "the efficiency and effectiveness of health information systems through establishment of standards and requirements for the electronic transmission of health information".
Establishes Federal regulation of:
- Transactions and Code Sets
- Health care identifiers
- Confidentiality of health information (Privacy)
- Security of electronically maintained or communicated health information (Security)

Security Objective
To minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption, of individually identifiable health information (IIHI)*.
* IIHI: any information, including demographic information collected from an individual, that (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (b) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Applicability and Scope
Applies to:
- All health plans
- All clearinghouses
- Any health care provider that electronically maintains or transmits any health information relating to an individual
Ensures the privacy and confidentiality of all individually identifiable health information that is electronically stored, maintained, or transmitted.

Time Frame
- Proposed Rules published in 1998: basis of today's presentation
- Publication of Final Rules pending: likely to be published in the first quarter of 2002
- Compliance required 2 years from the date the Final Rule is published

Concepts on Which the Security Standard is Based
- Comprehensive: "unifies" existing guidelines and standards
- Technology "neutral": choose your own technical solutions
- Scalable: the standard must be able to be implemented by all affected entities

General Approach
The standard does not reference or advocate specific technology. A covered entity should:
- Assess its own security needs and risks
- Ensure that appropriate security is devised, implemented and maintained to address its business requirements
The regulatory requirements must be addressed, but how that is done should be based on the business decisions of the covered entity. There should be a balance between the need to secure health data and the economic cost of doing so.

Security Standard Defined
A set of requirements, with implementation features, that covered entities must include in their operations to assure that electronic health information pertaining to an individual remains secure.

Security Standards
Reasonable and appropriate requirements in four areas:
- Administrative Procedures
- Physical Safeguards
- Technical Security Services
- Technical Security Mechanisms
to ensure the integrity, confidentiality, and availability of electronic data.

Administrative Procedures ( a)
Documented, formal practices to manage the selection and execution of security measures to protect data, and the conduct of personnel in relation to the protection of data.
Requirements, with their implementation features:
- Certification
- Chain of Trust Partner Agreement
- Contingency Planning: applications and data criticality analysis; data backup plan; disaster recovery plan; emergency mode operation plan; testing and revision
- Information Access Control: access authorization; access establishment; access modification

Administrative Procedures ( a) continued
- Internal Audit
- Personnel Security: assure supervision of maintenance personnel by an authorized, knowledgeable person; maintain a record of access authorizations; operating and, in some cases, maintenance personnel have proper access authorization; personnel clearance procedures; personnel security policy/procedure; system users, including maintenance personnel, trained in security
- Security Configuration & Management: hardware/software installation and maintenance review and testing for security features; inventory; security testing; virus checking

Administrative Procedures ( a) continued
- Security Incident Response & Reporting: report procedures; response procedures
- Security Management Process: risk analysis; risk management; sanction policy; security policy
- Termination Procedures: combination locks changed; removal from access lists; removal of user accounts; turn in keys, tokens or cards that allow access

Administrative Procedures ( a) continued
- Training: awareness training; periodic security reminders; user education concerning virus protection; user education on the importance of monitoring log-in success/failure and how to report discrepancies; user education in password management
- Formal Mechanism for Processing Records

Physical Safeguards ( b)
The protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion; and the use of locks, keys, and administrative measures to control access to computer systems and facilities.
Examples:
- Assigned Security Responsibility
- Media Controls
- Physical Access Controls

Physical Safeguards ( b) continued
- Media Controls: accountability; data backup; data storage; disposal
- Physical Access Controls: disaster recovery; emergency mode operation; equipment control; facility security plan; procedures for verifying access authorizations prior to physical access; maintenance records; need-to-know procedures for personnel access; sign-in for visitors and escort, if appropriate; testing and revision

Physical Safeguards ( b) continued
Requirements with no implementation features stated:
- Assigned Security Responsibility
- Policy/guideline on workstation use
- Secure workstation location
- Security Awareness Training

Technical Security Services ( c)
Processes that are put in place to protect information and to control individual access to information.
Examples:
- Access Control
- Audit Controls
- Data Authentication
- Entity Authentication

Technical Security Services ( c) continued
- Access Control: context-based access; encryption; procedure for emergency access; role-based access; user-based access
- Audit Controls
- Authorization Control: role-based access; user-based access
- Data Authentication
- Entity Authentication: automatic logoff; biometric; password; PIN; telephone callback; token; unique user identification
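The implementation features above are easier to reason about when you see how they combine at one decision point. The following is an added example written for this page, not code from the presentation or from DHHS: a small access-control check that applies unique user identification, a role-based matrix, a context rule (time of day), a break-glass emergency-access procedure, automatic logoff on idle sessions, and an audit trail of every decision. The roles, record kinds, shift hours and timestamps are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example (not from the presentation). Roles, record kinds and shift
// hours are illustrative assumptions.

type Role string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
)

// rolePerms is the role-based access matrix: record kinds each role may read.
var rolePerms = map[Role]map[string]bool{
	RoleClinician: {"clinical": true, "demographic": true},
	RoleBilling:   {"billing": true, "demographic": true},
}

// Session is bound to one unique user ID; LastSeen drives automatic logoff.
type Session struct {
	UserID   string
	Role     Role
	LastSeen time.Time
}

// AuditEvent records every allow/deny decision, including emergency access.
type AuditEvent struct {
	When      time.Time
	UserID    string
	RecordID  string
	Kind      string
	Decision  string
	Emergency bool
}

type AccessController struct {
	IdleLimit  time.Duration // automatic logoff after this much inactivity
	ShiftStart int           // context: hour of day (inclusive) when routine access opens
	ShiftEnd   int           // context: hour of day (exclusive) when routine access closes
	Audit      []AuditEvent
}

var ErrAutoLogoff = errors.New("session idle too long: automatic logoff")

func (ac *AccessController) log(now time.Time, s *Session, rec, kind, decision string, emergency bool) {
	ac.Audit = append(ac.Audit, AuditEvent{now, s.UserID, rec, kind, decision, emergency})
}

// Decide reports whether user s may read record rec of the given kind at time now.
// emergency=true is the break-glass path: clinical records are released regardless
// of role or shift, but the release is always audited as an emergency access.
func (ac *AccessController) Decide(s *Session, now time.Time, rec, kind string, emergency bool) (bool, error) {
	if now.Sub(s.LastSeen) > ac.IdleLimit {
		ac.log(now, s, rec, kind, "deny:auto-logoff", emergency)
		return false, ErrAutoLogoff
	}
	s.LastSeen = now

	if emergency && kind == "clinical" {
		ac.log(now, s, rec, kind, "allow:emergency", true)
		return true, nil
	}
	if !rolePerms[s.Role][kind] {
		ac.log(now, s, rec, kind, "deny:role", false)
		return false, nil
	}
	if h := now.Hour(); h < ac.ShiftStart || h >= ac.ShiftEnd {
		ac.log(now, s, rec, kind, "deny:context", false)
		return false, nil
	}
	ac.log(now, s, rec, kind, "allow", false)
	return true, nil
}

// EmergencyAccesses returns the break-glass releases a security officer must review.
func (ac *AccessController) EmergencyAccesses() []AuditEvent {
	var out []AuditEvent
	for _, e := range ac.Audit {
		if e.Decision == "allow:emergency" {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	ac := &AccessController{IdleLimit: 15 * time.Minute, ShiftStart: 7, ShiftEnd: 19}
	now := time.Date(2002, 3, 5, 10, 0, 0, 0, time.UTC) // constructed timestamp
	s := &Session{UserID: "jdoe", Role: RoleBilling, LastSeen: now}
	for _, kind := range []string{"billing", "clinical"} {
		ok, err := ac.Decide(s, now, "pt-0042", kind, false)
		fmt.Printf("%s kind=%s -> allowed=%v err=%v\n", s.UserID, kind, ok, err)
	}
	ok, _ := ac.Decide(s, now, "pt-0042", "clinical", true)
	fmt.Printf("break-glass -> allowed=%v, emergency events=%d\n", ok, len(ac.EmergencyAccesses()))
}
```

The point to take from the ordering inside Decide: the idle check runs before anything else, so an abandoned workstation cannot be used for a break-glass release, and every path, including the emergency one, writes an audit event before returning. Emergency access is what makes the audit trail mandatory rather than optional; without the review of EmergencyAccesses the break-glass path is simply a bypass.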

Technical Security Mechanisms ( d)
Processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network.
Examples:
- Integrity Controls
- Message Authentication
- Encryption
- Audit Trail

Technical Security Mechanisms ( d) continued
- Communications/Network Controls: access control; alarm; audit trail; encryption; entity authentication; event reporting; integrity controls; message authentication
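Encryption, integrity controls and message authentication for data in motion are usually delivered by one primitive today. The following is an added example written for this page, not code from the presentation: a message protected with AES-256-GCM, which encrypts the body and authenticates both the body and a clear-text routing header, so any alteration of header, nonce, ciphertext or tag in transit is rejected. The key, header and record contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example (not from the presentation). Key, header and message are
// constructed test data.

// Seal returns nonce || ciphertext || tag. header is authenticated as associated
// data but left in the clear. The nonce is random per message: a nonce must never
// be reused under the same key, or both confidentiality and authenticity are lost.
func Seal(key, header, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the receiver gets all parts.
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// Open reverses Seal, rejecting any message whose header, nonce, ciphertext or
// tag was altered in transit, or that was sealed under a different key.
func Open(key, header, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], header)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FlipBit simulates in-transit corruption or tampering of a single bit.
func FlipBit(msg []byte, i int) []byte {
	out := append([]byte(nil), msg...)
	out[i/8] ^= 1 << uint(i%8)
	return out
}

func main() {
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key)
	header := []byte("from=clinic-12;to=claims-hub;type=837") // constructed routing header
	msg := []byte("patient=pt-0042;dx=Z00.00")                // constructed sample record

	sealed, _ := Seal(key, header, msg)
	pt, err := Open(key, header, sealed)
	fmt.Printf("intact: %q err=%v\n", pt, err)

	_, err = Open(key, header, FlipBit(sealed, 8*len(sealed)-1))
	fmt.Println("tampered ciphertext:", err)
	_, err = Open(key, []byte("from=attacker;to=claims-hub;type=837"), sealed)
	fmt.Println("tampered header:", err)
}
```

Two design points matter for the rule's "integrity controls" and "message authentication" features: the header is bound to the ciphertext as associated data, so a message cannot be re-addressed or re-typed without detection, and Open returns plaintext only after the tag verifies, so a receiver never acts on unauthenticated data. Key distribution and entity authentication (who holds the key) are outside this example and would be covered by the access-control and entity-authentication features listed earlier.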

Electronic Signature ( )
The use of an electronic signature is not required. If one is used, the electronic data must carry the same legal weight as an original signature on a paper document. "Use of an electronic signature" refers to the act of attaching a signature by electronic means; the form the proposed standard specifies is the digital signature.
Note: the Electronic Signature standard may be pulled from the final Security Regulation and published at a later time.

Electronic Signature ( ) continued
- Digital Signature: ability to add attributes; continuity of signature capability; countersignatures; independent verifiability; interoperability; message integrity; multiple signatures; nonrepudiation; transportability; user authentication
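Several of the digital-signature features listed above (message integrity, user authentication, nonrepudiation, multiple signatures, countersignatures and independent verifiability) can be shown concretely. The following is an added example written for this page, not code from the presentation: a signed record where each signer uses their own Ed25519 private key, each later signature also covers every earlier signature (a countersignature), and any holder of the signers' public keys can verify the whole chain. Signer IDs and the order text are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash"
)

// Added example (not from the presentation). Signer IDs and payload are
// constructed sample data.

type Signature struct {
	SignerID string
	Sig      []byte
}

type SignedRecord struct {
	Payload    []byte
	Signatures []Signature // in signing order
}

// Directory maps signer IDs to public keys; a verifier needs nothing else.
type Directory map[string]ed25519.PublicKey

// NewKeyPair generates one signer's key pair; the private key stays with the signer.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// lenPrefixed writes a length prefix then the bytes, so adjacent fields cannot
// be re-split into a different message that hashes to the same digest.
func lenPrefixed(h hash.Hash, b []byte) {
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(b)))
	h.Write(l[:])
	h.Write(b)
}

// digest binds the payload and all prior signatures, so the i-th signature
// countersigns signatures 0..i-1 and cannot be reordered or separated from them.
func digest(payload []byte, prior []Signature) []byte {
	h := sha256.New()
	lenPrefixed(h, payload)
	for _, s := range prior {
		lenPrefixed(h, []byte(s.SignerID))
		lenPrefixed(h, s.Sig)
	}
	return h.Sum(nil)
}

// Sign appends a signature by signerID over the payload and everything signed so far.
func (r *SignedRecord) Sign(signerID string, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, digest(r.Payload, r.Signatures))
	r.Signatures = append(r.Signatures, Signature{SignerID: signerID, Sig: sig})
}

// Verify checks every signature in order using only public keys from the
// directory, so any party holding the directory can verify independently.
func (r *SignedRecord) Verify(dir Directory) error {
	if len(r.Signatures) == 0 {
		return fmt.Errorf("record is unsigned")
	}
	for i, s := range r.Signatures {
		pub, ok := dir[s.SignerID]
		if !ok {
			return fmt.Errorf("signature %d: unknown signer %q", i, s.SignerID)
		}
		if !ed25519.Verify(pub, digest(r.Payload, r.Signatures[:i]), s.Sig) {
			return fmt.Errorf("signature %d by %q does not verify", i, s.SignerID)
		}
	}
	return nil
}

func main() {
	pubA, privA := NewKeyPair()
	pubB, privB := NewKeyPair()
	dir := Directory{"dr.alice": pubA, "dr.bob": pubB}

	rec := &SignedRecord{Payload: []byte("order: CBC for pt-0042")}
	rec.Sign("dr.alice", privA) // author signs
	rec.Sign("dr.bob", privB)   // countersignature over the order and Alice's signature
	fmt.Println("both signatures verify:", rec.Verify(dir) == nil)

	rec.Payload = []byte("order: CBC and MRI for pt-0042") // tamper after signing
	fmt.Println("after tampering:", rec.Verify(dir))
}
```

Nonrepudiation here rests on the private key never leaving its owner; the code cannot supply that, and in practice it is what the administrative and physical safeguards earlier in the deck exist to protect. The length-prefixed digest is what makes the countersignature meaningful: removing or reordering an earlier signature changes what the later signer committed to, so the later signature stops verifying.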

Privacy & Security, the common link
- (c) - Safeguards: administrative; technical; physical
- Use and Disclosure: consent; authorization; minimum necessary

Non-Compliance Penalties
Financial penalties for failure to comply:
- Section 1176 of the Act establishes a civil monetary penalty for violations: $100 per occurrence, up to $25,000 per year
- Section 1177 of the Act establishes penalties for knowing misuse of unique health identifiers and individually identifiable health information:
  - a fine of not more than $50,000 and/or imprisonment of not more than one year
  - misuse "under false pretenses": a fine of not more than $100,000 and/or imprisonment of not more than five years
  - misuse with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm: a fine of not more than $250,000 and/or imprisonment of not more than 10 years

How will you be affected?
- Ensure that all business practices are aligned with the HIPAA Security Standard
- Ensure, or if necessary develop, policies and procedures that adequately cover all aspects of the HIPAA Security Standard
- Ensure the technical environment is secure and protects health information
- Ensure applications that store or transmit health information meet the requirements of the HIPAA Security Standard
- Develop a security management practice

Critical Steps
- Organizational awareness
- Conduct baseline assessment
- Conduct risk assessment
- Prioritize risks and make risk management decisions
- Develop and revise security policies and procedures
- Implement security program
- Implement maintenance program

SECURITY COMPLIANCE PROJECT APPROACH
Phases: Understanding HIPAA; Baselining the Organization; Planning Compliance Strategies; Remediating the Organization; Validating Compliance; Maintaining Compliance
* This assumes that the Final Security Regulations will be published by
Activities and schedule (start year of each range not captured in the transcript):
- Regulation review (Jan – Dec. 2004)
- Legal review (Nov – Apr. 2002)
- Core training (Nov – Mar. 2002)
- Covered entities determination (Nov – May 2002)
- Assessment methodology (Aug – Apr. 2002)
- Pre-assessment inventory (Dec – Apr. 2002)
- Discover & inventory network environment (July – May 2002)
- Technical assessment (Apr – Dec. 2002)
- Administrative assessment (Apr – Dec. 2002)
- Division risk analysis (Apr – Feb. 2003)
- Potential enterprise-level solutions (May – Feb. 2003)
- Remediation guidelines (Jan – Mar. 2003)
- Enterprise remediation (Sept – Oct. 2004)
- Intermediate training (Feb – Apr. 2003)
- Division remediation (Jan – Dec. 2004)
- Security officer training (Jan – Jun. 2003)
- Self-validation (Jan – Dec. 2004)

Establishing a Security Baseline
- What security capabilities are in place today?
- What additional security will be needed to comply with the HIPAA regulations?

Assessment Phases
Phase 1 - Pre-Assessment
- Determine conflicting and existing laws: collect information from covered components as well as through independent research conducted by the PMO Security Team; analyze existing laws and compare them to the HIPAA Security Standards to determine the more stringent requirements.
- Inventory security policies and procedures: a Security Policy and Procedure Matrix has been sent to the HIPAA Coordinators for completion. The PMO will analyze the completed matrix and accompanying policies and procedures against a list of HIPAA requirements to determine where gaps may exist. The analysis results will provide preliminary information for the on-site interview and will be incorporated into the overall assessment report.

Assessment Phases (cont.)
- Identify ITS and DHHS Information Technology efforts: an interview will be conducted to determine what current and future security projects are under development or consideration.
- Enterprise-wide technical solutions
- Enterprise-wide administrative solutions

Network Discovery
The HIPAA Security effort will require a detailed discovery and documentation of the DHHS network infrastructure.
[Diagram: Router; Local LAN; Dial In/Out, Leased Lines; WAN (State Network); Connections to External Partners; Mainframe; Internet]
What are we trying to discover?
- Data at rest
- Data in motion

Network Discovery, how will it be performed?
- Using "network discovery" software from a central location, NWS will identify network devices and categorize them by division and facility.
- Discovery results will be compared with all existing network inventory information, for example Y2K data and Asset Insight inventory information.
- All results will be documented in a secure database to be used for further HIPAA initiatives.
- A comprehensive network diagram will be developed.
- Upon completion, IT personnel at each facility will be contacted to verify discovery results and collect additional information as required. In some cases, site visits may be needed.

Phase 2 - Assessment: Data Collection
- Technical data collection (remote): vulnerability scanning entails scanning systems and determining the vulnerabilities that exist within the network devices; the configuration data will allow for individualized analysis of systems and devices to determine their current level of security.
- Administrative data collection (on-site interviews): this includes information relating to security processes, audit controls, physical environment, security management, and regulation compliance measurements.

Phase 3 - Post Assessment: Assessment Completion
- Evaluate data: vulnerability report; gap analysis; risk assessment
- Develop remediation guidelines: enterprise level; facility specific

Health Care Component's (HCC's) Role in the Assessment Process
- Complete matrices and questionnaires: policy and procedure matrix; pre-assessment questionnaire
- Provide appropriate personnel to participate in on-site interviews
- Provide appropriate technical personnel to provide information regarding network discovery and assessment activities

Deliverables
Assessment Report, including:
- Vulnerability Report
- Gap Analysis
- Risk Assessment
- Remediation Guidelines

Why Start Now?
- 6-12 months for initial awareness, baseline assessment, and gap analysis
- 6 months for risk assessment and risk management decisions
- 6-12 months for policy, process, architecture development, and product selection
- 6-12 months for implementation, testing, and training

Questions?