
CASC Regulated Data Working Group Meeting: HIPAA Round Table Ralph Zottola, PhD CTO – Strategy, Research and Communications University of Massachusetts.


1 CASC Regulated Data Working Group Meeting: HIPAA Round Table
Ralph Zottola, PhD
CTO – Strategy, Research and Communications
University of Massachusetts President’s Office
October 14, 2015

2 Context
I am not an information security officer… AND I don’t usually pretend to be one, especially at conferences… BUT

3 I am told that I am well past the tin-foil hat stage of awareness… …and thus need help, so I am fortunate that some of my best friends are information security officers!

4 Today, Two Short Stories
- How we managed to build a clinical data warehouse when we were not the HIPAA covered entity
- Building a cybersecurity program at the University of Massachusetts President’s Office

5 UMassMed CDW Context
- UMass Medical School and UMass Memorial Health Care (UMMHC) are separate legal entities
- Began as a Medical School initiative driven by our CTSA planning
- UMassMed is not a HIPAA covered entity
- Today, this is a shared strategic priority of UMassMed and UMMHC

6 UMassMed CDW
- Sell a big vision
- Know your audience
- Align with partner priorities
- Be flexible

7 TIDE Architecture, aka Fort Knox
- Critical component to secure the data access agreement and BAA with UMMHC
- The Trusted Independent Data Environment (TIDE) is the repository for all identified data
- The Medical School functions as an “Honest Broker”
- Highly secure:
  - Dedicated firewalls, IDS, two-factor authentication
  - Limited number of users
  - No “internet access” – all transfers via VPN and secure FTP
  - Human Subjects training (CITI) and background checks for all IT staff that have access
  - Regular audits of traffic and system usage
  - SOPs for data management
- Another secure zone created for transactional regulated data (i.e. REDCap, IRB-authorized marts…)

8 Keys to Success & Lessons Learned
- 20% Technology -- 80% Policy & Procedure
- Relationships
- Since the school is not the HIPAA covered entity, it took a year of review by legal, privacy and compliance, risk management, etc.
- Do NOT dismiss any issue/concern
- NEED Executive Sponsorship
- Establish shared governance
- Expect to repeatedly address “resolved” issues
- Incremental builds to establish a culture of success

9 UMPO Cybersecurity Program
- Led by Lawrence Wilson, CISO, UMPO – a special acknowledgement for sharing slides
- UMass is a federation of five campuses and the President’s Office
- Five Chancellors and a President
- Six CIOs, six CISOs
- Focus here on UMPO, which manages the ERP, WAN and IdM services across the system

10 CISO’s View Of The Problem: Unmanaged Assets
Our managed assets ARE protected:
- We need to understand why security breaches occur
- And the steps to take to prevent them
- And build a program to protect our organization’s assets
Our unmanaged assets ARE NOT protected:
- There are undetected problems – not seen, not reported
- Our unmanaged assets become easy targets
- And lead to a breach from missing or ineffective controls
Goal: design and build a security program to protect IT resources and information assets

11 So Many Standards
- Control Objectives for Information and Related Technology (COBIT)
- Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC)
- ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
- ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
- ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements
- NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014)
We found that ISO is more process oriented—good for management and operations but difficult for IT people to understand. CCS is more technical—better suited for IT staff.

12 The CISO Solution: Managed Assets
Build layers of controls to protect your organization’s assets:
- MGT – Management Controls
- TEC – Technical Controls
- OPS – Operational Controls
Organized around the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover

13 The CISO Model: Controls Factory
[Diagram: the Controls Factory. Input: Unmanaged Assets – the Current Profile (before the factory). Output: Managed Assets – the Target Profile (after the factory).]
Areas and components shown in the diagram:
- Threat Office: Vulnerabilities & Defects, Threats & Threat Actors, Attack Chain
- Engineering Area – Design Office: Controls Framework, Controls Standards, Technology Architecture, Controls Design
- Engineering Area – Technology Center: Technology Design, Technology Build or Buy
- Engineering Area – Testing Center: Technology Testing, Controls Testing, Operations Testing
- Operations Area – Operations Center: Security Administration, Security Operations, Incident Response
- Business Area – Program Management: Program Planning, Program Roadmap, Program Delivery
- Business Area – Factory Management: Factory Governance, Program Risk Management, Program Compliance Management

14 The Deliverables: Cybersecurity Programs
Program deliverables (input: Unmanaged Assets; output: Managed Assets):
- Crown Jewels Program (Deliverables: Managed Critical Assets)
- Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
- Data Governance Program (Deliverables: Managed Information)
- Application Security Program (Deliverables: Managed Applications)
- Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)
Factory deliverables, by factory function:
1. Engineering Office – Controls Design
2. Technology Center – Technology Build
3. Operations Center – Operations Run
4. Testing Center – Controls Test
5. Program Management – Program Deliverables
6. Threat Office – Attack Models
7. Factory Management – Factory Deliverables

15 The Approach: Factory in a Box
From academic to early adopter to regulated environments, each stage producing an implementation blueprint and feeding back into the next:
1. Research and lab environments (academic, cybersecurity organizations) – Implementation Blueprint, Feedback Loop
2. Dev, test and prod environments (early adopters) – Implementation Blueprint, Feedback Loop
3. Cloud, MSSP and enterprise environments (regulated entities) – Implementation Blueprint, Feedback Loop

16 Thank you
