Presentation is loading. Please wait.

Presentation is loading. Please wait.

Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP

Published byVirgil Hill Modified over 5 years ago

Similar presentations

Presentation on theme: "Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP"— Presentation transcript:

1 Thursday, June 5 10:45 - 11:45 AM Session 1.01 Tom Walsh, CISSP
HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them? Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP Copyright © 2003, Tom Walsh Consulting, LLC

2 Copyright © 2003, Tom Walsh Consulting, LLC
Certified Information Systems Security Professional (CISSP) Invited speaker at national conferences Former information security manager for large healthcare system in Kansas City, MO DOE-certified safeguards and security instructor A little nerdy, but overall, a nice guy  Copyright © 2003, Tom Walsh Consulting, LLC

3 HIPAA Security Standards
Administrative Safeguards (55%) 12 Required, 11 Addressable Physical Safeguards (24%) 4 Required, 6 Addressable Technical Safeguards (21%) 4 Requirements, 5 Addressable Flexibility, Scalability, and Technology Neutral Covered entities must assess if an implementation specification is reasonable and appropriate Copyright © 2003, Tom Walsh Consulting, LLC

4 Addressable Implementation Specifications
“In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: Implement one or more of the addressable implementation specifications; Implement one or more alternative security measures; Implement a combination of both; or Not implement either an addressable implementation specification or an alternative security measure.” Copyright © 2003, Tom Walsh Consulting, LLC

5 Administrative Safeguards
Security Management Process Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) “Risk Analysis” is listed before “Assigned Security Responsibility” Copyright © 2003, Tom Walsh Consulting, LLC

6 Risk Assessment / Analysis
Each covered entity: Assesses its own security risks Determines its risk tolerance or risk aversion Devises, implements, and maintains appropriate security to address its business requirements Does not imply that organizations are given complete discretion to make their own rules Documents its security decisions Copyright © 2003, Tom Walsh Consulting, LLC

7 Copyright © 2003, Tom Walsh Consulting, LLC
Risk Analysis Two types: Qualitative – (Easiest and most common) Rating risks on a scale such as: Quantitative – (Most difficult to determine) Placing a dollar value on the risk based upon some formulas or calculations High Medium Low $ Copyright © 2003, Tom Walsh Consulting, LLC

8 Copyright © 2003, Tom Walsh Consulting, LLC
Risk Calculations Impact Probability of Occurrence H M L L M H The higher the number, the greater your risks. Copyright © 2003, Tom Walsh Consulting, LLC

9 Administrative Safeguards
Assigned Security Responsibility Responsibility must rest with one individual to ensure accountability Information Security Officer (ISO) Large organizations may have site-security coordinators working with the ISO Security standards extends to the members of a covered entity’s workforce even if they work at home such as transcriptionists Copyright © 2003, Tom Walsh Consulting, LLC

10 Administrative Safeguards
Workforce Security Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Authorization controls to verify the identity of the workforce member Types of background checks that will be conducted for workforce members (Does not imply background checks on everyone.) Termination – Collecting access control devices or changing door locks, etc. Copyright © 2003, Tom Walsh Consulting, LLC

11 Administrative Safeguards
Information Access Management Isolating Healthcare Clearinghouse Function (R) Access authorization (A) Access Establishment and Modification (A) Isolating Healthcare Clearinghouse Function – New requirement Requirement for “User-based, role-based, or context-based” was removed However – Compliance with the Privacy Rule’s “Minimum necessary” and JCAHO IM standards may drive role-based access controls Copyright © 2003, Tom Walsh Consulting, LLC

12 Administrative Safeguards
Security Awareness and Training Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) What is the difference between: Training, Education and Awareness? What other information security content should be covered in workforce training? “Security awareness training is a critical activity, regardless of an organization’s size.” Copyright © 2003, Tom Walsh Consulting, LLC

13 Administrative Safeguards
Security Incident Procedures Response and Reporting (R) Provides a way for users to report unusual occurrences in security or breaches to patient confidentiality Goals: Identify Contain Correct Prevent Copyright © 2003, Tom Walsh Consulting, LLC

14 Administrative Safeguards
Contingency Plan Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Documented procedure for the secure, off-site storage and rotation of backups Work in conjunction with Data Owners to determine the organization’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for all other applications as part of a Business Impact Analysis (BIA). Copyright © 2003, Tom Walsh Consulting, LLC

15 Administrative Safeguards
Evaluation Periodic review of technical controls and procedural review of the entity’s security program Non-Technical review – Self assessment, readiness assessment, or gap analysis Certification of systems Compliance documentation Audit logs and incident reports Technical review – Vulnerability scan Testing of security controls Copyright © 2003, Tom Walsh Consulting, LLC

16 Administrative Safeguards
Business Associate Contracts and Other Arrangement Written Contract or Other Arrangement (R) Identify all business associates who receive or have access to electronic PHI Tie efforts with the Privacy initiative. Leverage the opportunity to establish rules for remote access for vendors to limit downstream liability. Copyright © 2003, Tom Walsh Consulting, LLC

17 Copyright © 2003, Tom Walsh Consulting, LLC
Physical Safeguards Facility Access Controls Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) To protect buildings, equipment, and media from natural and environmental hazards and unauthorized intrusions Track maintenance records for door lock repairs or changes Copyright © 2003, Tom Walsh Consulting, LLC

18 Copyright © 2003, Tom Walsh Consulting, LLC
Physical Safeguards Workstation Use Workstation Security Could address both standards in a single policy Verify workstations are located to prevent unauthorized, casual viewing by others Conduct a random audit of computer workstations to verify they have been updated with the latest version of virus definitions (Process for standalone PCs and laptops) Copyright © 2003, Tom Walsh Consulting, LLC

19 Copyright © 2003, Tom Walsh Consulting, LLC
Physical Safeguards Device and Media controls Disposal (R) Media Re-use (R) Accountability (A) Data backup and Storage (A) “Device” added to media controls to address other storage devices such as PDAs Media Re-use – New requirement; Sanitization of media (Overwriting the disk with random patterns of “1s” and “0s” Copyright © 2003, Tom Walsh Consulting, LLC

20 Copyright © 2003, Tom Walsh Consulting, LLC
Technical Safeguards Access Control Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Unique UserID for accountability – Most important for clinical applications Automatic logoff also permits an equivalent measure to restrict access Encryption is an acceptable method of access control (data at rest) Copyright © 2003, Tom Walsh Consulting, LLC

21 Copyright © 2003, Tom Walsh Consulting, LLC
Technical Safeguards Audit Controls Use risk assessment and analysis to determine how intensive audit trails need to be Events that trigger an audit trail need to be jointly determined by the Data Owners, the Privacy and Security Officers Check with vendors on audit capability Store audit logs on a separate server System administrators should not have access to the audit logs Copyright © 2003, Tom Walsh Consulting, LLC

22 Copyright © 2003, Tom Walsh Consulting, LLC
Technical Safeguards Integrity Mechanism to Authenticate Electronic PHI (A) Document any integrity controls that will be employed especially for transmissions outside of the internal network to ensure the validity of the data being sent or the sender of the data Examples: Check sum, encryption, PKI, digital signature, etc. Copyright © 2003, Tom Walsh Consulting, LLC

23 Copyright © 2003, Tom Walsh Consulting, LLC
Technical Safeguards Person or Entity Authentication Person or entity authentication is primarily accomplished through UserID and passwords Consider two-factor authentication for remote access to systems Copyright © 2003, Tom Walsh Consulting, LLC

24 Copyright © 2003, Tom Walsh Consulting, LLC
Technical Safeguards Transmission Security Integrity Controls (A) Encryption (A) “…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.” Recognition that there is not a simple and interoperable solution to encrypting containing PHI Copyright © 2003, Tom Walsh Consulting, LLC

25 Copyright © 2003, Tom Walsh Consulting, LLC
Thanks for Attending! Tom Walsh, CISSP Copyright © 2003, Tom Walsh Consulting, LLC

Download ppt "Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Security NWOAHU Presented by Barb Gerken 11/12/2013.

HIPAA Security NWOAHU Presented by Barb Gerken 11/12/2013.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.

 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

Similar presentations

Ads by Google