CSIA 412 Final Project, 10 July 2015. By: Brandon D. Waugh

The Department of Veterans Affairs: Security and Improvement Recommendations

Welcome to my presentation about my chosen organization, the Department of Veterans Affairs (VA). The presentation will provide information on the VA's security posture as well as improvement recommendations. This final project is submitted in partial fulfillment of the course requirements for UMUC Course CSIA 412, Security Policy Analysis, summer semester 2015, Professor Sharp. This presentation was completed on approximately 8 July. Please sit back and enjoy the presentation!
Agenda
Legislative Impact on the Department of Veterans Affairs
Information Security Standards of the Department of Veterans Affairs
The Department of Veterans Affairs Cybersecurity Profile
Summary/Conclusion
References

I will be covering the following major topics regarding the security of the Department of Veterans Affairs. First, I will discuss the legislative impact on the VA; the legislation discussed will be the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA). Next, I will cover the information security standards of the VA, following the standards described in the National Institute of Standards and Technology (NIST) Special Publications as well as FIPS 199 and FIPS 200. We will also cover the VA's cybersecurity profile, which will touch on the Government Accountability Office (GAO) 10-4, which lists the vulnerabilities of the VA and its information security program. Finally, I will sum up my final thoughts in a summary, followed by a listing of all references used to complete this presentation.
Legislative Impacts
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Executive Orders
FISMA

The Federal Information Security Management Act (FISMA) directs the National Institute of Standards and Technology (NIST) to develop and formalize the publications that give agencies the means to create information security policies. These publications introduce standards, guidelines, techniques, and best practices for the private sector, the federal government, and other agencies, and they are public and available at no cost. In other words, a NIST publication is not itself a law, a regulation, or an executive order per se; however, NIST's role was mandated by legislation, and NIST works alongside the executive branch. NIST collaborates with the Office of Management and Budget (OMB), the U.S. Government Accountability Office (GAO), and other information technology agencies to develop standards both domestically and with international partners. FISMA also requires each agency to undergo an annual independent evaluation of its information security program (normally performed by the agency's Inspector General) and to report the results to OMB, which is how adherence to these standards and practices is checked each year.
HIPAA

HIPAA consists of four rules that must be followed by the VA: the HIPAA Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule. Within these rules there are safeguards/practices that are subcategories of the work that needs to be done to protect protected health information (PHI).

HIPAA Security Rule

Within the Security Rule there are three subcategories of safeguards that protect health information: "technical safeguards, physical safeguards, and administrative safeguards" (Wang, 2013).

Technical safeguards comprise "access controls, audit controls, integrity, authentication, and transmission security" (Wang, 2013). Basically, these controls are the technology the organization uses to safeguard its information, which includes software, hardware, encryption, and monitoring tools.

Physical safeguards comprise "facility access controls, workstation use, workstation security, device and media controls" (Wang, 2013). These cover the procedures and policies that protect the facilities, workstations, and devices where PHI is stored or accessed: controlling who may enter a facility, how workstations are positioned and used, how portable devices and media are tracked, and how media is disposed of or re-used. This safeguard ensures that tampering, theft, and unauthorized physical access to the facility and its equipment do not occur.

Administrative safeguards consist of "security management process, assigned security responsibility, workforce security, information access management, security awareness/training, security incident procedures, contingency planning, evaluation, and business associate contracts" (HIPAA). Essentially, these topics cover the policies and management processes behind the other safeguards: conducting security risk assessments, disaster recovery and emergency planning, incident response planning, developing the infrastructure to deploy policies and track compliance, maintaining records, and validating security procedures. Administrative safeguards maintain all documented security controls, whether technical, physical, or administrative, and keep them current, accurate, redundant, and compliant. More importantly, administrative safeguards keep the workforce trained, informed, and alerted to current information that could affect the loss of PHI.

HIPAA Privacy Rule

The HIPAA Privacy Rule protects the patient's privacy, and it also protects the health care providers. The Privacy Rule readdresses all the safeguards mentioned above. Jason Wang, a researcher who works for Truevault.com, summarized the HIPAA Privacy Rule in six statements. These statements are brief; however, they do provide guidance on how to get started. I recommend that your organization still dissect all requirements, but use these statements as a starting point. Jason Wang's six statements regarding the HIPAA Privacy Rule are as follows:
"Do not allow any impermissible uses or disclosures of PHI."
"Provide breach notification to the covered entity."
"Provide either the individual or the covered entity access to PHI."
"Disclose PHI to the Secretary of HHS, if compelled to do so."
"Provide an accounting of disclosures."
"Comply with the requirements of the HIPAA Security Rule." (Wang, 2013)

HIPAA Enforcement Rule

It is important for your organization to understand that there are legal ramifications for not following the HIPAA Privacy Rule, Security Rule, administrative requirements, and Breach Notification Rule. Your organization must read the HIPAA enforcement rules outlined in 45 CFR Part 160, Subparts C, D, and E. These rules are not there to punish the business associate or the health care practice; rather, they are written in order to maintain the protection of health information. Again, HIPAA was enacted to protect both the patient and the health care providers. HIPAA is a federal standard that requires compliance, disclosure, and safeguards.

HIPAA Breach Notification Rule

Maintaining communication with your patients is crucial. Any time there is a breach of a patient's medical information, it is the health care provider's duty to notify the affected individual without unreasonable delay (and in no case later than 60 days after discovery of the breach) that their data was involved and what is being done about it. If you fail to notify the patient, it could cost your organization civil money penalties or resolution agreements, which in turn could financially harm the business.

Summary and Conclusions

The amount of information can become overwhelming; however, when you have a high-performance team that is trained in and understands your organization's security standard operating procedures and mission intent, the workload diminishes. Your primary goal once compliant is to maintain compliance through enforcement, and to ensure that all HIPAA requirements are being met with current reports. In fact, if you break down all the information and requirements HIPAA demands, it is really stating four main objectives. These objectives are important because they are based on the four security requirements discussed in the paragraphs above:
"Put safeguards in place to protect patient health information."
"Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose."
"Have agreements in place with any service providers that perform covered functions or activities for you. These agreements (BAAs) are to ensure that these service providers (Business Associates) only use and disclose patient health information properly and safeguard it appropriately."
"Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patient health information." (Wang, 2013)

Again, these requirements are in place to protect health information. Security has to constantly advance because of the growing number of tools being developed to attack information systems. That is why it is essential to always maintain the CIA triad (confidentiality, integrity, and availability) when developing new procedures.
References