In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission.

2 Facts about Proposed Security Regulations
Language is Technology Neutral
Broad Applicability
  – [§ (d)(2)] Network Controls. If an entity uses network controls (to protect sensitive communication that is transmitted electronically over open or private networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient)
Good Business Practice

3 Key Security Terms
PKI = Public Key Infrastructure
  – The technology, legal practices, operational procedures and related infrastructure that support (digital certificate) management, generation and usage
IDS = Intrusion Detection System
  – Network and host based
Digital Signature
  – Integrity: detects changes in content
  – Authentication: establishes the identity of the signer
  – Non-Repudiation: the signer cannot deny signing the message

4 Key Security Terms
SMTP = Simple Mail Transfer Protocol
TCP/IP = Transmission Control Protocol / Internet Protocol
SSL = Secure Sockets Layer
VPN = Virtual Private Network
ACL = Access Control List
DOS Attacks = Denial of Service attacks
Packet Sniffing = Copy and read clear-text network transmissions
Port Scanning = Identify open TCP/IP communication ports
BIA = Business Impact Analysis

5 Principles of the Security Regulations
Administrative
  – Policies, procedures and training
Authentication
  – Be sure only authorized personnel can access the PHI
Privacy (confidentiality)
  – Keep PHI confidential
Authorization
  – Ensure users do not exceed their allowed authority
Non-Repudiation
  – Have evidence in the event of dispute (litigation)
Integrity
  – Be sure nothing is changed behind your back

6 Keeping PHI Secure (10 basics)
Security Policies and Procedures
Training (awareness)
Disaster Recovery
Physical Plant Security
Internet Security (Internet = Encryption)
Security (use digital certificates)
Password Policy
Access Control Administration
Network Vulnerability Analysis (Penetration Analysis)
Security Enforcement Points (control communications)

7 The Proposed HIPAA Security Standards: Four Subject Areas
Administrative Procedures [45 CFR § (a)]
Physical Safeguards [45 CFR § (b)]
Technical Security Services [45 CFR § (c)]
Technical Security Mechanisms [45 CFR § (d)]
Electronic Signature Standard § [ ]

8 Characteristics of Security Rules
General Guidance
  – Deliberate
“The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” Federal Register, August 12, 1998 [43250]

9 Administrative Procedures
Certification Process and Program Development [45 CFR § (a)(1)]
  – Internal or external
Chain of Trust Partner Agreement Development [45 CFR § (a)(2)]
  – Electronic exchange of data
Contingency Program Development [45 CFR § (a)(3)]
  – Must include:
    – Applications and Data Criticality Analysis
    – Data Backup Plan
    – Disaster Recovery Plan for the Entire Enterprise
    – Emergency Mode of Operation
    – Testing and Revision Procedures

10 Administrative Procedures (continued)
Records Processing Policies and Procedures Development [45 CFR § (a)(4)]
  – Receipt, manipulation, storage, dissemination, transmission and disposal of PHI
Information Access Control Policies and Procedures [45 CFR § (a)(5)]
  – Access Authorization (overall access procedures)
  – Access Establishment (initial right of access)
  – Access Modification (job change or termination)

11 Administrative Procedures (continued)
Internal Audit Policies and Procedures Development [45 CFR § (a)(6)]
  – In-house review of:
    – System Activity Logging
    – Security Incidents
    – Forensic Capability

12 Administrative Procedures (continued)
Personnel Security [45 CFR § (a)(7)]
  – Procedure for Maintenance Personnel Oversight
  – Ongoing Review of Levels of Access Granted to Users
  – Proper Level of Access Authorization if on or near PHI
  – Establish Personnel Clearance Procedures
  – Procedures to ensure that authority to access is equal to clearance level
  – Assure security awareness training for system users

13 Administrative Procedures (continued)
Security Configuration Management Policies [45 CFR § (a)(8)]
  – Documentation (written security plans, rules, procedures, and instructions concerning all components of an entity’s security)
  – Hardware and software installation and maintenance review and testing
  – Hardware and software inventory
  – Security Testing (host and network component penetration testing)
    – Protocols and Services: FTP, Telnet
    – Trojans (Netbus, Back Orifice, PC Anywhere)
  – Virus Protection

14 Administrative Procedures (continued)
Security Incident Procedures Development [45 CFR § (a)(9)]
  – Incident Report Procedures
  – Incident Response Procedures
Security Management Process Development [45 CFR § (a)(10)]
  – Person in charge of Security
  – Risk Analysis (cost vs. loss)
  – Risk Management (reduce and maintain level of risk reduction)
  – Sanction Policies and Procedures (notification of law enforcement, disciplinary action, removal of system access)
  – Security Policy (acceptable use)

15 Administrative Procedures (continued)
Termination Procedures [45 CFR § (a)(11)]
  – Change Locks
  – Remove from Access List
  – Remove User Account
  – Turn in Physical Access Mechanisms (keys, badge, etc.)

16 Administrative Procedures (continued)
Training Program Development [45 CFR § (a)(12)]
  – Security Awareness Training for ALL Personnel
  – Periodic Reminders
  – Virus Protection Education
  – Log-in Access Education
  – Password Management Education

17 Physical Safeguards
Assigned Security Responsibility [45 CFR § (b)(1)] (must understand all aspects of information security)
Media Control Process Development [45 CFR § (b)(2)]
  – Receipt and removal of diskettes and tapes into and out of the facility
  – Access Control to Media (physical access)
  – Accountability
  – Data Backup
  – Data Storage
  – Disposal (final disposition)

18 Physical Safeguards
Physical Access Controls [45 CFR § (b)(3)]
  – Disaster Recovery Plan (in the event of fire, natural disaster, etc.)
  – Emergency Mode of Operation
  – Equipment Control (into and out of the site)
  – Facility Security Plan (safeguard the premises)
  – Procedures for Verifying Access Authorization Before Access is Given
  – Facility repair and maintenance records
  – Need-to-Know Policy
  – Procedures for Sign-in and Escort
  – Procedures to Restrict Testing and Revision

19 Physical Safeguards
Policy and Guidelines on Workstation Use [45 CFR § (b)(4)]
A Secure Workstation Location [45 CFR § (b)(5)]
Security Awareness Training [45 CFR § (b)(6)]
  – All employees, agents, and contractors must participate

20 Technical Security Services
Access Control [45 CFR § (c)(1)(i)]
  – Procedure for emergency access (admin, supervisor, root passwords)
  – Implementation Features (at least one of the following):
    – Context-based
    – Role-based
    – User-based
Audit Controls [45 CFR § (c)(1)(ii)]
  – Mechanisms to record and examine system activity (IDS)
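To make the three access-control implementation features concrete, here is an added example (not code from the presentation) of a single policy decision that combines a role-based rule, a user-based grant and a context-based rule (time of day), plus the separate emergency access path, and that produces the audit entry an audit control would record for every decision. The field names, roles, hours and the supervisor-held emergency credential are all assumptions constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"time"
)

// Request is one attempt to act on a PHI record; the fields are constructed for this example.
type Request struct {
	User, Role, Action string
	At                 time.Time // context-based input: when the request is made
	EmergencyCode      string    // set only when the emergency access procedure is invoked
}

// Policy holds one rule set per implementation feature the slide lists.
type Policy struct {
	RolePerms          map[string]map[string]bool // role-based: role -> actions it may perform
	UserGrants         map[string]map[string]bool // user-based: user -> actions granted to that user
	StartHour, EndHour int                        // context-based: access only within [StartHour, EndHour)
	EmergencyCode      string                     // supervisor-held credential for the emergency access path
}

// AuditEntry is what the audit control records for every decision, allow or deny.
type AuditEntry struct {
	User, Action, Outcome, Reason string
	At                            time.Time
}

// Decide evaluates a request and returns the decision together with its audit entry.
func (p Policy) Decide(r Request) (bool, AuditEntry) {
	entry := func(outcome, reason string) AuditEntry {
		return AuditEntry{User: r.User, Action: r.Action, Outcome: outcome, Reason: reason, At: r.At}
	}
	if r.EmergencyCode != "" { // emergency path: separate credential, always flagged for review
		if subtle.ConstantTimeCompare([]byte(r.EmergencyCode), []byte(p.EmergencyCode)) == 1 {
			return true, entry("allow", "emergency access; review required")
		}
		return false, entry("deny", "invalid emergency credential")
	}
	if !p.RolePerms[r.Role][r.Action] && !p.UserGrants[r.User][r.Action] {
		return false, entry("deny", "no role-based or user-based grant")
	}
	if r.At.Hour() < p.StartHour || r.At.Hour() >= p.EndHour {
		return false, entry("deny", "outside permitted hours")
	}
	return true, entry("allow", "granted within permitted hours")
}
```

Every branch, including denials and the emergency path, returns an AuditEntry, so the record the slide's audit control needs is produced by the same code that makes the decision.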

21 Technical Security Services
Authorization Control [45 CFR § (c)(1)(iii)]
  – Mechanism for obtaining consent for the use and disclosure (at least one):
    – Role-based
    – User-based
Data Authentication [45 CFR § (c)(1)(iv)]
  – The corroboration that data has not been altered or destroyed (Digital Certificates, PKI)

22 Technical Security Services
Entity Authentication [45 CFR § (c)(1)(v)]
  – Automatic Log Off (session termination)
  – Unique User ID
  – Authentication (at least one):
    – Biometric
    – Password
    – PIN (use with something you have)
    – Callback
    – Token

23 Technical Security Mechanisms
Network Controls
  – Integrity controls [45 CFR § (d)(1)(i)(A)]
    – Validation (Digital Certificates), PKI
  – Message authentication [45 CFR § (d)(1)(i)(B)]
    – Message Received = Message Sent (integrity of the message) (Digital Signatures), PKI
Implementation Feature (Technically Neutral)
  – [§ (d)(1)(ii)(A)] Access controls: protection of PHI transmissions over open or private networks so that they cannot easily be intercepted and interpreted by parties other than the intended recipient (VPN)
  – [§ (d)(1)(ii)(B)] Encryption
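Slide 3 lists the three properties a digital signature gives (integrity, authentication, non-repudiation) and slide 23 states the check as "Message Received = Message Sent". The following added example (written for this page, not code from the presentation) shows that check with an Ed25519 signature: a genuine message verifies, a message altered after signing does not, and the same message checked against another party's public key does not. The key pair is generated locally and the message text is constructed; in a PKI the public key would instead be delivered in a digital certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage carries a message and the signature made over it with the sender's private key.
type SignedMessage struct {
	Msg []byte
	Sig []byte
}

// GenerateKeys creates an Ed25519 key pair. In a PKI the public key would be bound to the
// signer's identity by a digital certificate; here it is simply handed to the verifier.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the signature the sender attaches before transmission.
func Sign(priv ed25519.PrivateKey, msg []byte) SignedMessage {
	return SignedMessage{Msg: msg, Sig: ed25519.Sign(priv, msg)}
}

// Verify answers "message received = message sent?" for the claimed sender: it returns true only if
// the bytes are unaltered (integrity) and the signature was made with the private key matching pub
// (authentication). Because only the signer holds that private key, a valid signature is also the
// evidence used for non-repudiation.
func Verify(pub ed25519.PublicKey, sm SignedMessage) bool {
	return ed25519.Verify(pub, sm.Msg, sm.Sig)
}

func main() {
	senderPub, senderPriv, _ := GenerateKeys()
	otherPub, _, _ := GenerateKeys() // a different party's key, used to show a wrong-signer check

	// Constructed sample message; no real PHI.
	sm := Sign(senderPriv, []byte("MRN-0001: lab result within normal range"))
	fmt.Println("genuine message verifies:", Verify(senderPub, sm))

	// Integrity: one changed word with the original signature fails verification.
	tampered := SignedMessage{Msg: []byte("MRN-0001: lab result ABNORMAL"), Sig: sm.Sig}
	fmt.Println("altered message verifies:", Verify(senderPub, tampered))

	// Authentication: the same message checked against someone else's public key fails.
	fmt.Println("verifies under other party's key:", Verify(otherPub, sm))
}
```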

24 Technical Security Mechanisms
Network Controls [45 CFR § (d)(2)]
  – Alarm (IDS)
  – Audit Trail (IDS) or other logging and reporting systems
  – Entity Authentication (Digital Signature), PKI
  – Event Reporting (IDS)