
In Depth Security Review. Martin Rogers, Computer Horizons Corp. Presentation transcript.


Slide 1: In Depth Security Review
Martin Rogers, Computer Horizons Corp.
© Copyright eB Networks. All rights reserved. No part of this presentation may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission.

Slide 2: Facts about Proposed Security Regulations
Language is Technology Neutral
Broad Applicability
– [§142.308(d)(2)] Network Controls: if an entity uses network controls (to protect sensitive communication that is transmitted electronically over open or private networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient)
Good Business Practice

Slide 3: Key Security Terms
PKI = Public Key Infrastructure
– The technology, legal practices, operational procedures and related infrastructure that support (digital certificate) management, generation and usage
IDS = Intrusion Detection System
– Network and host based
Digital Signature
– Integrity: detects changes in content
– Authentication: establishes the identity of the signer
– Non-Repudiation: the signer cannot deny signing the message

Slide 4: Key Security Terms
SMTP = Simple Mail Transfer Protocol
TCP/IP = Transmission Control Protocol / Internet Protocol
SSL = Secure Sockets Layer
VPN = Virtual Private Network
ACL = Access Control List
DoS Attacks = Denial of Service attacks
Packet Sniffing: copy and read clear-text network transmissions
Port Scanning: identify open TCP/IP communication ports
BIA = Business Impact Analysis

Slide 5: Principles of the Security Regulations
Administrative
– Policies, procedures and training
Authentication
– Be sure only authorized personnel can access the PHI
Privacy (confidentiality)
– Keep PHI confidential
Authorization
– Ensure users do not exceed their allowed authority
Non-Repudiation
– Have evidence in the event of dispute (litigation)
Integrity
– Be sure nothing is changed behind your back

Slide 6: Keeping PHI Secure (10 basics)
Security Policies and Procedures
Training (awareness)
Disaster Recovery
Physical Plant Security
Internet Security (Internet = Encryption)
Email Security (use digital certificates)
Password Policy
Access Control Administration
Network Vulnerability Analysis (Penetration Analysis)
Security Enforcement Points (control communications)

Slide 7: The Proposed HIPAA Security Standards: Four Subject Areas
Administrative Procedures [45 CFR §142.308(a)]
Physical Safeguards [45 CFR §142.308(b)]
Technical Security Services [45 CFR §142.308(c)]
Technical Security Mechanisms [45 CFR §142.308(d)]
Electronic Signature Standard [45 CFR §142.310]

Slide 8: Characteristics of Security Rules
General Guidance
– Deliberate: "The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements." Federal Register, August 12, 1998 [43250]

Slide 9: Administrative Procedures
Certification Process and Program Development [45 CFR §142.308(a)(1)]
– Internal or external
Chain of Trust Partner Agreement Development [45 CFR §142.308(a)(2)]
– Electronic exchange of data
Contingency Program Development [45 CFR §142.308(a)(3)], must include:
– Applications and Data Criticality Analysis
– Data Backup Plan
– Disaster Recovery Plan for the Entire Enterprise
– Emergency Mode of Operation
– Testing and Revision Procedures

Slide 10: Administrative Procedures (continued)
Records Processing Policies and Procedures Development [45 CFR §142.308(a)(4)]
– Receipt, manipulation, storage, dissemination, transmission and disposal of PHI
Information Access Control Policies and Procedures [45 CFR §142.308(a)(5)]
– Access Authorization (overall access procedures)
– Access Establishment (initial right of access)
– Access Modification (job change or termination)

Slide 11: Administrative Procedures (continued)
Internal Audit Policies and Procedures Development [45 CFR §142.308(a)(6)], in-house review of:
– System Activity Logging
– Security Incidents
– Forensic Capability

Slide 12: Administrative Procedures (continued)
Personnel Security [45 CFR §142.308(a)(7)]
– Procedure for Maintenance Personnel Oversight
– Ongoing Review of Levels of Access Granted to Users
– Proper Level of Access Authorization if on or Near PHI
– Establish Personnel Clearance Procedures
– Procedures to ensure that authority to access is equal to clearance level
– Assure security awareness training for system users

Slide 13: Administrative Procedures (continued)
Security Configuration Management Policies [45 CFR §142.308(a)(8)]
– Documentation (written security plans, rules, procedures, and instructions concerning all components of an entity's security)
– Hardware and software installation and maintenance review and testing
– Hardware and software inventory
– Security Testing (host and network component penetration testing): protocols and services such as FTP and Telnet; Trojans (NetBus, Back Orifice, PC Anywhere)
– Virus Protection

Slide 14: Administrative Procedures (continued)
Security Incident Procedures Development [45 CFR §142.308(a)(9)]
– Incident Report Procedures
– Incident Response Procedures
Security Management Process Development [45 CFR §142.308(a)(10)], person in charge of Security
– Risk Analysis (cost vs. loss)
– Risk Management (reduce and maintain the level of risk reduction)
– Sanction Policies and Procedures (notification of law enforcement, disciplinary action, removal of system access)
– Security Policy (acceptable use)

Slide 15: Administrative Procedures (continued)
Termination Procedures [45 CFR §142.308(a)(11)]
– Change Locks
– Remove from Access List
– Remove User Account
– Turn in Physical Access Mechanisms (keys, badge, etc.)

Slide 16: Administrative Procedures (continued)
Training Program Development [45 CFR §142.308(a)(12)]
– Security Awareness Training for ALL Personnel
– Periodic Reminders
– Virus Protection Education
– Log-in Access Education
– Password Management Education

Slide 17: Physical Safeguards
Assigned Security Responsibility [45 CFR §142.308(b)(1)] (must understand all aspects of information security)
Media Control Process Development [45 CFR §142.308(b)(2)]: receipt and removal of diskettes and tapes into and out of the facility
– Access Control to Media (physical access)
– Accountability
– Data Backup
– Data Storage
– Disposal (final disposition)

Slide 18: Physical Safeguards
Physical Access Controls [45 CFR §142.308(b)(3)]
– Disaster Recovery Plan (in the event of fire, natural disaster, etc.)
– Emergency Mode of Operation
– Equipment Control (into and out of the site)
– Facility Security Plan (safeguard the premises)
– Procedures for Verifying Access Authorization Before Access is Given
– Facility repair and maintenance records
– Need-to-Know Policy
– Procedures for Sign-in and Escort
– Procedures to Restrict Testing and Revision

Slide 19: Physical Safeguards
Policy and Guidelines on Workstation Use [45 CFR §142.308(b)(4)]
A Secure Workstation Location [45 CFR §142.308(b)(5)]
Security Awareness Training [45 CFR §142.308(b)(6)]: all employees, agents, and contractors must participate

Slide 20: Technical Security Services
Access Control [45 CFR §142.308(c)(1)(i)]
– Procedure for emergency access (admin, supervisor, root passwords)
– Implementation features, at least one of the following: Context-based, Role-based, User-based
Audit Controls [45 CFR §142.308(c)(1)(ii)]
– Mechanisms to record and examine system activity (IDS)

Slide 21: Technical Security Services
Authorization Control [45 CFR §142.308(c)(1)(iii)]
– Mechanism for obtaining consent for the use and disclosure (at least one): Role-based, User-based
Data Authentication [45 CFR §142.308(c)(1)(iv)]
– The corroboration that data has not been altered or destroyed (Digital Certificates, PKI)

Slide 22: Technical Security Services
Entity Authentication [45 CFR §142.308(c)(1)(v)]
– Automatic Log Off (session termination)
– Unique User ID
– Authentication (at least one): Biometric, Password, PIN (use with something you have), Callback, Token

Slide 23: Technical Security Mechanisms
Network Controls
– Integrity Controls [45 CFR §142.308(d)(1)(i)(A)]: Validation (Digital Certificates, PKI)
– Message Authentication [45 CFR §142.308(d)(1)(i)(B)]: Message Received = Message Sent (integrity of the message) (Digital Signatures, PKI)
Implementation Feature (Technically Neutral)
– [§142.308(d)(1)(ii)(A)] Access Controls: protection of PHI transmissions over open or private networks so that they cannot easily be intercepted and interpreted by parties other than the intended recipient (VPN)
– [§142.308(d)(1)(ii)(B)] Encryption
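The digital-signature properties defined on slide 3 (integrity, authentication, non-repudiation) and the "Message Received = Message Sent" check on this slide, worked through as an added example that is not part of the presentation: a Go program using only the standard library's ed25519 package. The SignedMessage type, the function names and the constructed PHI record are assumptions for illustration; in a real PKI deployment the receiver would take the sender's public key from a certificate rather than generating both keys in one process as done here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage bundles what travels over the network: the PHI payload, the
// signature over it, and the public key the sender claims to hold.
// (Hypothetical type for this example.)
type SignedMessage struct {
	Payload   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign is what the sender does before transmission. Only the holder of the
// private key can produce this signature, which is what gives non-repudiation:
// a later valid verification is evidence of who signed.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the receiver's "Message Received = Message Sent" check.
// trusted is the public key the receiver already holds for the expected sender
// (in a PKI this binding comes from the sender's certificate). The key carried
// inside the message is deliberately ignored: trusting it would let any holder
// of any key pass the check, so it cannot establish the signer's identity.
func Verify(trusted ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(trusted, m.Payload, m.Signature)
}

// Demo exercises the three properties and reports whether each behaved as the
// slides describe: the genuine message verifies, an altered message fails
// (integrity), and the same content signed by a different key fails
// (authentication).
func Demo() (genuineOK, tamperDetected, impostorDetected bool, err error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed sample payload standing in for a PHI record.
	record := []byte("patient-id=CONSTRUCTED-0001;lab=HbA1c;value=6.1")

	msg := Sign(senderPriv, record)
	genuineOK = Verify(senderPub, msg)

	// Integrity: change one byte of the payload "in transit" and re-check.
	tampered := msg
	tampered.Payload = append([]byte{}, msg.Payload...)
	tampered.Payload[len(tampered.Payload)-1] = '9'
	tamperDetected = !Verify(senderPub, tampered)

	// Authentication: identical content signed by a key that is not the
	// expected sender's must not verify against the sender's trusted key.
	impostor := Sign(otherPriv, record)
	impostorDetected = !Verify(senderPub, impostor)
	return
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tamper detected: %v, impostor detected: %v\n", g, t, i)
}
```

The design point to take from Verify is that a signature only authenticates the sender if the verifying key was obtained through a trusted channel; that trusted binding of key to identity is exactly what the PKI and its digital certificates, named throughout these slides, are there to provide.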

Slide 24: Technical Security Mechanisms
Network Controls [45 CFR §142.308(d)(2)]
– Alarm (IDS)
– Audit Trail (IDS) or other logging and reporting systems
– Entity Authentication (Digital Signature, PKI)
– Event Reporting (IDS)