NIST HIPAA Security Rule Toolkit Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology.


NIST HIPAA Security Rule Toolkit Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Shared Assessments Member Forum February 14, 2012

NIST’s Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

NIST’s work enables science, technology innovation, trade, and public benefit.
NIST works with industry, academia, government agencies, measurement labs, and standards organizations through the NIST Laboratories.

Computer Security Division
A division within the Information Technology Laboratory, CSD conducts the research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.
Some major activities: cryptographic algorithms, Secure Hash Competition, authentication, key management, crypto transitions, DNSSEC, post-quantum crypto, BIOS security; FISMA, health IT, smart grid, supply chain, NICE, crypto validation programs, outreach and awareness, cyber-physical systems, voting; identity management, access control, biometric standards, cloud and virtualization technologies, security automation, infrastructure services and protocols.

Types of NIST Publications
Federal Information Processing Standards (FIPS): developed by NIST; approved and promulgated by the Secretary of Commerce. Per FISMA, compulsory and binding for all federal agencies; not waiverable. Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia).
Special Publications (SP 800 series): per OMB policy, Federal agencies must follow NIST guidelines. Voluntary adoption by non-Federal organizations.
Other security-related publications: NIST Interagency Reports.

A Framework for Managing Risk (Risk Management Framework process overview)
Architecture description inputs: architecture reference models; segment and solution architectures; mission and business processes; information system boundaries.
Organizational inputs: laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations.
Starting point: Step 1 CATEGORIZE information system; Step 2 SELECT security controls; Step 3 IMPLEMENT security controls; Step 4 ASSESS security controls; Step 5 AUTHORIZE information system; Step 6 MONITOR security controls. Repeat as necessary.

Agenda
HIPAA Security Rule Overview; Toolkit Project; Content Development; The Toolkit Application; Additional Information.

HIPAA Security Rule (HSR) Overview
The HSR establishes national standards for a covered entity to protect individuals’ electronic protected health information (ePHI).

HSR Overview
Who? From nationwide health plans with vast resources to small provider practices with limited access to IT expertise and resources.
What? Standards and implementation specifications covering basic practices, security failures, risk management, and personnel issues.
How? It depends on the size and scale of your organization.

HSR Toolkit Project
The purpose of this toolkit project is to help organizations better understand the requirements of the HIPAA Security Rule (HSR), implement those requirements, and assess those implementations in their operational environments.

HSR Toolkit Project
What it IS: a self-contained, OS-independent application that supports various environments (hardware/OS); support for security content that other organizations can reuse over and over; a useful resource among a set of tools and processes that an organization may use to review its HSR risk profile; a freely available resource from NIST.
What it is NOT: it is NOT a tool that produces a statement of compliance. NIST is not a regulatory or enforcement authority; compliance is the responsibility of the covered entity.

Intended Uses of the HSR Toolkit
Supplement existing risk assessment processes conducted by Covered Entities and Business Associates. Assist organizations in aligning security practices across multiple operating units. Serve as input into an action plan for HSR security implementation improvements.

HSR Toolkit Project
The Toolkit project consists of three parallel efforts, carried out over multiple iterations: content development, desktop application development, and security automation.

Content Development
Using the HIPAA Security Rule and NIST Special Publications (800-66, , A), we developed questions designed to assist in the implementation of the Security Rule. Each HIPAA Security Rule section (§) maps to a specific question written to address that rule.

Content Development
§ (a)(3)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Maps to Question HSR.A53: Has your organization established chains of command and lines of authority for work force security? (Boolean)
Yes: if yes, do you have an organizational chart?
No: if no, provide explanation text.

Content Development
This effort has resulted in two sets of questions: an “Enterprise” set with nearly 900 questions and a “Standard” set with about 600 questions (a subset), with dependence and parent-child relationship mappings, covering all HSR standards and implementation specifications.

Security Automation
Utilizing standards-based security automation specifications, such as XCCDF, OVAL and OCIL, to implement those questions in a toolkit application that is “loosely coupled”. This enables existing commercial tools that process security automation content to use the content (it is not locked down), and provides consistent and repeatable processes.
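An added example, not the NIST toolkit’s own code, modelling the content structure described on the Content Development and Security Automation slides: a rule-to-question mapping, a Boolean response with a Yes follow-up and a required No explanation, parent-child dependency, and the Standard set as a subset of the Enterprise set. HSR.A53 and its follow-up text come from the slide; the child id HSR.A53.Y, its Enterprise-only membership, and the elided section citation as printed are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Question:
    qid: str                       # e.g. "HSR.A53" (identifier from the slide)
    section: str                   # HSR citation the question maps to
    text: str
    parent: str = ""               # parent question id (parent-child mapping)
    requires: bool = True          # parent answer that makes this child applicable
    sets: tuple = ("enterprise",)  # question sets that include it

@dataclass
class Questionnaire:
    questions: dict                                   # qid -> Question
    profile: str = "enterprise"                       # or "standard" (the subset)
    answers: dict = field(default_factory=dict)       # qid -> bool
    explanations: dict = field(default_factory=dict)  # qid -> free text

    def applicable(self, qid):
        q = self.questions[qid]
        if self.profile not in q.sets:
            return False
        # A child applies only once its parent holds the required answer.
        return not q.parent or self.answers.get(q.parent) is q.requires

    def answer(self, qid, value, explanation=""):
        if not self.applicable(qid):
            raise ValueError(f"{qid} is not applicable in profile {self.profile}")
        if value is False and not explanation:
            raise ValueError(f"{qid}: a 'No' response requires explanation text")
        self.answers[qid] = value
        if explanation:
            self.explanations[qid] = explanation

    def progress(self):
        """(answered, applicable) counts, as a progress bar would show them."""
        todo = [q for q in self.questions if self.applicable(q)]
        return sum(q in self.answers for q in todo), len(todo)

    def gaps(self):
        """Rule sections answered 'No': input to an implementation action plan."""
        return sorted({self.questions[q].section for q, v in self.answers.items() if not v})

def build_sample():
    # Constructed content; the section number is elided on the slide, so it is kept as printed.
    qs = [Question("HSR.A53", "§ (a)(3)(A)", "Has your organization established chains "
                   "of command and lines of authority for work force security?",
                   sets=("enterprise", "standard")),
          Question("HSR.A53.Y", "§ (a)(3)(A)", "Do you have an organizational chart?",
                   parent="HSR.A53", requires=True)]  # Enterprise-only follow-up (assumed)
    return Questionnaire({q.qid: q for q in qs})
```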

Associated HSR Toolkit Resources
A comprehensive User Guide with examples of how to use and operate the Toolkit. Partner entities assisting in defining functionality and usability: a state Medicaid office, a specialty clearinghouse, a community hospital, and a non-profit regional hospital.

Toolkit: Download the Application

Toolkit: Create a Profile

Toolkit: Organized by Safeguard Family

Toolkit: Explore the Application Interface (navigation menu, selected question, references, responses, attachments, flag level, progress bar, comments)

Toolkit: Answer Questions

Toolkit: Generate Reports


Useful Resources
HIPAA Security Rule Toolkit; Computer Security Resource Center (CSRC); NIST Information Security Standards and Guidelines.

Questions

Thank You
Kevin Stine, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology
Computer Security Resource Center: