1 Security Planning (From a CISO’s perspective) by Todd Plesco 24OCT2007

Presentation transcript:

1 Security Planning (From a CISO’s perspective) by Todd Plesco 24OCT2007

6 Information assurance (IA) is the practice of managing information- related risks. IA practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems.

7 Integrity: ensuring that data is not altered or destroyed. Availability: ensuring that data is available when it is needed. Confidentiality: ensuring that only authorized personnel have access to data.

8 IA’s Swiss Army Knife skill set
–Inter-personal
–Negotiation and diplomacy
–Project management
–Technical
–Business

9 IA Camp Counselor (conflict mitigation)
–Ease
–Cost
–Likelihood
–Impact (frustration, security conscience)
–Maintenance

10 Information Assurance To Do:
–Ensure “Rules of Use”
–Ensure procedures follow policies
–Ensure 3rd parties follow policy
–Measure, monitor & report
–Change management process
–Vulnerability assessments
–Non-compliance issues
–Security awareness

11 Information Assurance Tasks:
–Create and implement plans
–Develop baselines
–Ensure processes address security
–Ensure compliance of IT
–Integrate security into the organization
–Review end-user impacts from policies
–Hold the business end accountable
–Establish a governance framework
–Determine appropriate resources, inside and out

12 Risk Assessments (NIST SP method)
–Define the scope (issues faced by our agency)
–Identify the risks (unique data and addressables)
–Analyze the risks (probability of occurrence multiplied by severity to quantify hazards)
–Mitigation proposal (using cost & benefit analysis)
–Evaluate recommended control options (feasibility and effectiveness)
–Review and address concerns
–Communicate & consult
–Monitor/review as needed & periodically
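The scoring and cost-benefit steps of slide 12, worked through in code. This is an added example rather than material from the presentation: the risk register, the 1-5 rating scales, the loss figures, the control names and the way likelihood/5 and severity/5 are turned into an annual expected loss are all constructed assumptions of this example.

```python
"""Risk register in the shape of the slide-12 method: score each risk as
probability x severity, then judge candidate controls by cost and benefit.
Added example; every risk, rating, loss figure and control below is
constructed for illustration and is not taken from the presentation."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float        # constructed cost of running the control per year
    likelihood_after: int     # residual likelihood (1-5) once the control is in place
    severity_after: int       # residual severity (1-5) once the control is in place
    feasible: bool = True     # the feasibility check from slide 12


@dataclass
class Risk:
    name: str
    likelihood: int           # 1 = rare ... 5 = almost certain
    severity: int             # 1 = negligible ... 5 = catastrophic
    loss_per_incident: float  # constructed dollar loss if the risk materialises
    controls: List[Control] = field(default_factory=list)

    def score(self) -> int:
        """Slide 12: probability of occurrence multiplied by severity."""
        return self.likelihood * self.severity


def expected_loss(likelihood: int, severity: int, loss_per_incident: float) -> float:
    """Turn the two 1-5 ratings into a rough annual expected loss.
    Treating likelihood/5 as an annual probability and severity/5 as the
    fraction of the loss realised is an assumption of this example."""
    return (likelihood / 5.0) * (severity / 5.0) * loss_per_incident


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank the register by probability x severity, highest first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def best_control(risk: Risk) -> Optional[Control]:
    """Cost & benefit analysis: return the feasible control whose reduction in
    expected loss exceeds its cost by the widest margin, or None if no
    control pays for itself (the risk is then accepted or escalated)."""
    baseline = expected_loss(risk.likelihood, risk.severity, risk.loss_per_incident)
    best, best_net = None, 0.0
    for c in risk.controls:
        if not c.feasible:
            continue
        residual = expected_loss(c.likelihood_after, c.severity_after, risk.loss_per_incident)
        net_benefit = (baseline - residual) - c.annual_cost
        if net_benefit > best_net:
            best, best_net = c, net_benefit
    return best


def sample_register() -> List[Risk]:
    """Constructed risks for a small covered entity (illustrative only)."""
    return [
        Risk("Unencrypted laptop holding PHI is lost", 4, 5, 500_000, [
            Control("Full-disk encryption on laptops", 20_000, 4, 1),
            Control("Prohibit laptops entirely", 200_000, 1, 1, feasible=False),
        ]),
        Risk("Shared logins on nursing-station workstations", 5, 3, 50_000, [
            Control("Unique user IDs with automatic logoff", 15_000, 1, 3),
        ]),
        Risk("Backup tapes found unreadable during recovery", 2, 4, 100_000, [
            Control("Quarterly restore test", 5_000, 1, 4),
            Control("Second off-site copy", 40_000, 1, 2),   # reduces loss but costs more than it saves
        ]),
        Risk("Visitor tailgates into records room", 2, 2, 10_000),   # no control proposed yet
    ]


if __name__ == "__main__":
    for risk in prioritise(sample_register()):
        choice = best_control(risk)
        action = f"implement '{choice.name}'" if choice else "no cost-effective control; accept or escalate"
        print(f"{risk.score():>2}  {risk.name}: {action}")
```

The ranking only uses the likelihood x severity product, so it is a pure prioritisation step; the dollar figures enter only when a control is chosen, which keeps the two slide-12 steps (analyze, then propose mitigation) separate and auditable.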

13 45 Code of Federal Regulations, Parts 160, 162, and 164

14 Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) Required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule for HIPAA security was published in the Federal Register on February 20, 2003.

15 Who are the covered entities? Standards for the security of electronic protected health information (PHI) are to be implemented by:
–health plans
–health care clearinghouses
–certain health care providers

16 What is PHI? Under HIPAA, there are 18 pieces of information that are considered identifiable of a patient.
1. Name
2. Postal address (geographic subdivisions smaller than state)
3. All elements of dates, except year
4. Phone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan number
10. Account numbers
11. Certificate/license numbers
12. URL
13. IP address
14. Vehicle identifiers
15. Device ID
16. Biometric ID
17. Full face/identifying photo
18. Any other unique identifying number, characteristic, or code
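A check that a free-text record does not carry the patterned identifiers from the list above, written as an added example (not code from the presentation). It covers only the identifiers with a regular shape (dates, phone, email, SSN, URL, IP address, and a record number in an assumed "MRN 00123456" form); names, photos and biometrics need other techniques. The sample note and every value in it are constructed.

```python
"""Scanner for several of the 18 HIPAA identifiers listed on slide 16, as an
added example of checking a free-text record before it is stored or sent.
Only identifiers with a regular shape are covered. The sample note, its
patient details and the 'MRN nnnnnnnn' format are constructed."""
import re
from typing import Dict, List

# Each entry: identifier category -> (pattern, regex group holding the value).
IDENTIFIER_PATTERNS = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 0),                       # 7. Social Security number
    "phone": (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), 0),                 # 4./5. phone and fax numbers
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), 0),            # 6. email address
    "ip":    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), 0),                 # 13. IP address
    "url":   (re.compile(r"\bhttps?://\S+?(?=[.,;:]?(?:\s|$))"), 0),          # 12. URL (trailing punctuation dropped)
    # 3. all elements of dates except year: month/day/year or ISO form; a bare year is allowed
    "date":  (re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"), 0),
    # 8. medical record number, in the constructed 'MRN 00123456' form (assumption of this example)
    "mrn":   (re.compile(r"\bMRN\s*:?\s*#?\s*(\d{6,})\b"), 1),
}

SAMPLE_NOTE = (  # constructed, not a real patient record
    "Patient seen 03/14/2007, DOB 1962-07-09, SSN 123-45-6789, phone 206-555-0143, "
    "email jdoe@example.com, portal login from 10.1.4.22, MRN 00123456. "
    "Follow-up at https://portal.example.com/visit/8812."
)


def scan(text: str) -> Dict[str, List[str]]:
    """Return {category: [values found]} for every identifier category present."""
    found: Dict[str, List[str]] = {}
    for category, (pattern, group) in IDENTIFIER_PATTERNS.items():
        hits = [m.group(group) for m in pattern.finditer(text)]
        if hits:
            found[category] = hits
    return found


def is_deidentified(text: str) -> bool:
    """True when none of the patterned identifiers appear (a year on its own is allowed)."""
    return not scan(text)


if __name__ == "__main__":
    for category, values in scan(SAMPLE_NOTE).items():
        print(f"{category:>5}: {values}")
    print("de-identified:", is_deidentified("Patient born in 1962 reports a headache."))
```

A hit from `scan` is a reason to block or review the record, not proof that it is PHI (a phone number may belong to a clinic), while an empty result is only evidence for the patterned identifiers; item 18 of the list, "any other unique identifying number", still has to be judged by a person.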

17 What is a health care clearinghouse? Health care clearinghouse means a public or private entity, including billing services, repricing companies, community health management information systems or community health information systems, and “value-added” networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

18 What were the deadlines? Covered entities, with the exception of small health plans, must have complied with the requirements of this final rule by April 21, Small health plans must have complied with the requirements of this final rule by April 21, 2006.

19 What is a small health plan? Small health plan means a health plan with annual receipts of $5 million or less. (The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern.)

20 Information Assurance – it’s not just HIPAA
–Identity theft is big business
–Electronic Authentication Act
–WA State Security Breach Notification Law SB6043: required to notify if personal information stored in an unencrypted electronic format is acquired, or reasonably believed to have been acquired, by an unauthorized person

21 HIPAA Violation Penalties A person who knowingly uses a unique health identifier, or causes one to be used; obtains individually identifiable health information relating to an individual; or discloses individually identifiable health information to another person, is in violation of HIPAA regulations. Such persons are subject to the following penalties:
–a fine of up to $50,000, or up to 1 year in prison, or both;
–if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both;
–if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, or up to 10 years in prison, or both.
HIPAA also provides for civil fines to be imposed by the Secretary of DHHS "on any person" who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year.

22 HIPAA Privacy / Security Standards:
–Administrative Controls
–Physical Controls
–Technical Controls

23 Administrative Safeguards (45 CFR)
–Security Management Process (a)(1)
–Assigned Security Responsibility (a)(2)
–Workforce Security (a)(3)
–Information Access Management (a)(4)
–Security Awareness & Training (a)(5)
–Security Incident Procedures (a)(6)
–Contingency Plan (a)(7)
–Evaluation (a)(8)
–Business Associate Contracts (b)(1)

24 Physical Safeguards (45 CFR)
–Facility Access Controls (a)(1)
–Workstation Use (b)
–Workstation Security (c)
–Device and Media Controls (d)(1)
Technical Safeguards (45 CFR)
–Access Control (a)(1)
–Audit Controls (b)
–Integrity (c)(1)
–Person or Entity Authentication (d)
–Transmission Security (e)(1)

25 Organization Requirements (45 CFR)
–Business Associate Contracts (a)(1)
–Group Health Plan requirements (b)(1)
Policies, Procedures, & Documentation (45 CFR)
–Policies and Procedures (a)
–Documentation (b)(1)

26 “Required” and “Addressable” Safeguards
(a) If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must implement it.
(b) If a given addressable implementation specification is determined to be an inappropriate and/or unreasonable security measure for the covered entity, but the standard cannot be met without implementation of an additional security safeguard, the covered entity may implement an alternate measure.
(c) A covered entity may also decide that a given implementation specification is simply not applicable (that is, neither reasonable nor appropriate) to its situation.

27 Administrative Safeguards (R)=Required, (A)=Addressable
Security Management Process (a)(1)
–Risk Analysis (R)
–Risk Management (R)
–Sanction Policy (R)
–Information System Activity Review (R)
Assigned Security Responsibility (a)(2)
Workforce Security (a)(3)
–Authorization and/or Supervision (A)
–Workforce Clearance Procedure (A)
–Termination Procedure (A)

28 Administrative Safeguards (R)=Required, (A)=Addressable
Information Access Management (a)(4)
–Isolating Health Care Clearinghouse Functions (R)
–Access Authorization (A)
–Access Establishment and Modification (A)
Security Awareness and Training (a)(5)
–Security Reminders (A)
–Protection from Malicious Software (A)
–Log-in Monitoring (A)
–Password Management (A)
Security Incident Procedures (a)(6)
–Response and Reporting (R)

29 Administrative Safeguards (R)=Required, (A)=Addressable
Contingency Plan (a)(7)
–Data Backup Plan (R)
–Disaster Recovery Plan (R)
–Emergency Mode Operation Plan (R)
–Testing and Revision Procedures (A)
–Applications and Data Criticality Analysis (A)
Evaluation (a)(8)
Business Associate Contracts and Other Arrangements (b)(1)
–Written Contract or Other Arrangement (R)

30 Physical Safeguards (R)=Required, (A)=Addressable
Facility Access Controls (a)(1)
–Contingency Operations (A)
–Facility Security Plan (A)
–Access Control and Validation Procedures (A)
–Maintenance Records (A)
Workstation Use (b)
Workstation Security (c)
Device and Media Controls (d)(1)
–Disposal (R)
–Media Re-use (R)
–Accountability (A)
–Data Backup and Storage (A)

31 Technical Safeguards (R)=Required, (A)=Addressable
Access Control (a)(1)
–Unique User Identification (R)
–Emergency Access Procedure (R)
–Automatic Logoff (A)
–Encryption and Decryption (A)
Integrity (c)(1)
–Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication (d)
Transmission Security (e)(1)
–Integrity Controls (A)
–Encryption (A)
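The "Log-in Monitoring" specification on slide 28 and the "Audit Controls" and "Unique User Identification" items on slide 31 come together in practice as a review of per-user authentication records. The following is an added example, not code from the presentation: it reads SSH-style authentication log lines and alerts on a burst of failed logins for one account, and again if that burst ends in a success. The host name, user names, addresses, the year assumed for the timestamps and every log line are constructed.

```python
"""Log-in monitoring over SSH-style authentication log lines, as an added
example of the slide-28 'Log-in Monitoring' and slide-31 'Audit Controls'
safeguards. Not code from the presentation; the host name, user names,
addresses and every log line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_YEAR = 2007  # syslog lines carry no year; the constructed sample assumes 2007

# Constructed sample: a normal login, a burst of failures that ends in a
# success, a probe of a non-existent account, and three slow failures.
SAMPLE_LOG = [
    "Oct 24 08:01:02 ehr-app sshd[1201]: Accepted password for jsmith from 10.1.4.22 port 51022 ssh2",
    "Oct 24 08:02:10 ehr-app sshd[1202]: Failed password for rjones from 10.1.4.40 port 51023 ssh2",
    "Oct 24 08:02:14 ehr-app sshd[1203]: Failed password for rjones from 10.1.4.40 port 51024 ssh2",
    "Oct 24 08:02:19 ehr-app sshd[1204]: Failed password for rjones from 10.1.4.40 port 51025 ssh2",
    "Oct 24 08:02:25 ehr-app sshd[1205]: Failed password for rjones from 10.1.4.40 port 51026 ssh2",
    "Oct 24 08:02:31 ehr-app sshd[1206]: Accepted password for rjones from 10.1.4.40 port 51027 ssh2",
    "Oct 24 09:15:00 ehr-app sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "Oct 24 17:40:00 ehr-app sshd[1400]: Failed password for lchen from 10.1.4.55 port 52000 ssh2",
    "Oct 24 17:50:00 ehr-app sshd[1401]: Failed password for lchen from 10.1.4.55 port 52001 ssh2",
    "Oct 24 18:00:00 ehr-app sshd[1402]: Failed password for lchen from 10.1.4.55 port 52002 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

Event = Tuple[datetime, str, str, bool]  # (time, user, source, success)


def parse_line(line: str) -> Optional[Event]:
    """Return (timestamp, user, source, success) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("user"), m.group("src"), m.group("result") == "Accepted"


def monitor_logins(lines: List[str], threshold: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> List[Dict[str, str]]:
    """Alert when one account accumulates `threshold` failures inside `window`,
    and again if such a burst is followed by a successful login."""
    alerts: List[Dict[str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        ts, user, src, success = event
        recent = failures[user]
        recent[:] = [t for t in recent if ts - t <= window]   # age out failures older than the window
        if success:
            if len(recent) >= threshold:
                alerts.append({"kind": "success_after_failures", "user": user,
                               "src": src, "time": ts.isoformat()})
            recent.clear()                                     # a success resets the count
            continue
        recent.append(ts)
        if len(recent) == threshold:                           # alert once per burst, not per failure
            alerts.append({"kind": "repeated_failures", "user": user,
                           "src": src, "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in monitor_logins(SAMPLE_LOG):
        print(alert)
```

Because the count is kept per user rather than per host, the three lchen failures ten minutes apart never reach the threshold inside a five-minute window, while the rjones burst produces exactly two alerts; widening the window to thirty minutes makes the slow lchen failures alert too, which is the trade-off a reviewer tunes when the logs are examined under the Information System Activity Review item on slide 27.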

32 Security: Areas of Focus
–Security risk management program
–Computing device use & password management
–Software vulnerability protection
–Remote access & overall access management
–Back-up and storage
–Encryption and decryption
–Information asset classification
–Information systems risk management & incident tracking
–Entity and person authentication
–Audit controls
–Contingency planning

33 Recommended resources

34 Questions