Slide 1: NIST HIPAA Security Rule Toolkit
Kevin Stine, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology
Shared Assessments Member Forum, February 14, 2012
Slide 2: NIST's Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Slide 3: NIST's work enables
- Science
- Technology innovation
- Trade
- Public benefit
NIST works with
- Industry
- Academia
- Government agencies
- Measurement labs
- Standards organizations
- NIST Laboratories
Slide 4: Computer Security Division
A division within the Information Technology Lab, CSD conducts the research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.
Some Major Activities
- Cryptographic Algorithms, Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, Post-Quantum Crypto, BIOS Security
- FISMA, Health IT, Smart Grid, Supply Chain, NICE, Crypto Validation Programs, Outreach and Awareness, Cyber Physical Systems, Voting
- Identity Management, Access Control, Biometric Standards, Cloud and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols
Slide 5: Types of NIST Publications
Federal Information Processing Standards (FIPS)
- Developed by NIST; approved and promulgated by the Secretary of Commerce
- Per FISMA, compulsory and binding for all federal agencies; not waiverable
- Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia)
Special Publications (SP 800 series)
- Per OMB policy, Federal agencies must follow NIST guidelines
- Voluntary adoption by non-Federal organizations
Other security-related publications
- NIST Interagency Reports
Slide 6: A Framework for Managing Risk (Risk Management Framework process overview)
Starting point, Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
Starting point, Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations
Steps (repeat as necessary):
- Step 1: CATEGORIZE Information System
- Step 2: SELECT Security Controls
- Step 3: IMPLEMENT Security Controls
- Step 4: ASSESS Security Controls
- Step 5: AUTHORIZE Information System
- Step 6: MONITOR Security Controls
Slide 7: Agenda
- HIPAA Security Rule Overview
- Toolkit Project
- Content Development
- The Toolkit Application
- Additional Information
Slide 8: HIPAA Security Rule (HSR) Overview
The HSR establishes national standards for a covered entity to protect individuals' electronic personal health information (ePHI).
Slide 9: HSR Overview
Who? From nationwide health plans with vast resources to small provider practices with limited access to IT expertise and resources.
What? Standards and implementation specifications covering:
- Basic practices
- Security failures
- Risk management
- Personnel issues
How? It depends on the size and scale of your organization.
Slide 10: HSR Toolkit Project
The purpose of this toolkit project is to help organizations:
- better understand the requirements of the HIPAA Security Rule (HSR)
- implement those requirements
- assess those implementations in their operational environments
Slide 11: HSR Toolkit Project
What it IS:
- A self-contained, OS-independent application to support various environments (hardware/OS)
- Support for security content that other organizations can reuse over and over
- A useful resource among a set of tools and processes that an organization may use to assist in reviewing its HSR risk profile
- A freely available resource from NIST
What it is NOT:
- It is NOT a tool that produces a statement of compliance
- NIST is not a regulatory or enforcement authority
- Compliance is the responsibility of the covered entity
Slide 12: Intended Uses of the HSR Toolkit
- Supplement existing risk assessment processes conducted by Covered Entities and Business Associates
- Assist organizations in aligning security practices across multiple operating units
- Serve as input into an action plan for HSR security implementation improvements
Slide 13: HSR Toolkit Project
The Toolkit project consists of three parallel efforts, run over multiple iterations:
- Content Development
- Desktop Application Development
- Security Automation
Slide 14: Content Development
Using the HIPAA Security Rule and NIST Special Publications (800-66, 800-53, 800-53A), we developed questions designed to assist in the implementation of the Security Rule.
(Diagram: a HIPAA Security Rule section (§) maps to a specific question that addresses the rule.)
Slide 15: Content Development (example mapping)
Rule: § 164.308(a)(3)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Maps to question HSR.A53: Has your organization established chains of command and lines of authority for workforce security? (Boolean)
- Yes: do you have an organizational chart?
- No: provide explanation text
Slide 16: Content Development
This effort has resulted in two sets of questions:
- an "Enterprise" set with nearly 900 questions
- a "Standard" set with about 600 questions (a subset)
Both have dependence and parent-child relationship mappings, and cover all HSR standards and implementation specifications.
Slide 18: Security Automation
- Utilizing standards-based security automation specifications, such as XCCDF, OVAL and OCIL, to implement those questions in a toolkit application that is "loosely coupled"
- Enables existing commercial tools that process security automation content to use the content (not locked down)
- Provides consistent and repeatable processes
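The question-to-rule mapping on slide 15 (question HSR.A53 mapped to § 164.308(a)(3)(A), a Boolean with a Yes follow-up and an explanation on No) and the parent-child and Enterprise/Standard mappings on slide 16 can be modelled as plain data with a small evaluator that decides which questions apply, validates answers and groups results by rule citation. The following Python is an added example, not the Toolkit's own code and not XCCDF/OVAL/OCIL content; only HSR.A53, its Yes follow-up and the citation come from the slides, while the other question ids and texts, the in_standard flags, the Answer model and the validation rules are constructed assumptions for illustration.

```python
"""Toy model of HSR Toolkit-style questionnaire content (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDARD = "standard"      # the ~600-question subset
ENTERPRISE = "enterprise"  # the full ~900-question set


@dataclass(frozen=True)
class Question:
    qid: str                      # toolkit question id, e.g. HSR.A53
    rule_ref: str                 # HSR citation the question maps to
    text: str
    parent: Optional[str] = None  # a child applies only once its parent is answered Yes
    in_standard: bool = True      # False: Enterprise set only (assumed flag)


@dataclass(frozen=True)
class Answer:
    value: bool
    explanation: str = ""         # the content requires this text on a No answer


# Constructed content. HSR.A53, its Yes follow-up and the citation come from
# slide 15; every other id, text and flag below is hypothetical.
CONTENT: List[Question] = [
    Question("HSR.A53", "§ 164.308(a)(3)(A)",
             "Has your organization established chains of command and lines of "
             "authority for workforce security?"),
    Question("HSR.A53.1", "§ 164.308(a)(3)(A)",
             "Do you have an organizational chart?", parent="HSR.A53"),
    Question("HSR.A53.1.1", "§ 164.308(a)(3)(A)",
             "Is the organizational chart reviewed at least annually?",
             parent="HSR.A53.1", in_standard=False),
    Question("HSR.B10", "§ 164.308(a)(3)(B)",
             "Do you have procedures to authorize workforce access to ePHI?"),
]


def _is_applicable(q: Question, index: Dict[str, Question],
                   answers: Dict[str, Answer], profile: str) -> bool:
    """Walk the parent chain: every ancestor must be in the profile and answered Yes."""
    if profile == STANDARD and not q.in_standard:
        return False
    node = q
    while node.parent is not None:
        parent = index[node.parent]
        if profile == STANDARD and not parent.in_standard:
            return False
        answer = answers.get(parent.qid)
        if answer is None or not answer.value:
            return False
        node = parent
    return True


def applicable(content: List[Question], answers: Dict[str, Answer],
               profile: str = ENTERPRISE) -> List[Question]:
    """Questions the respondent must answer under the chosen profile, in content order."""
    index = {q.qid: q for q in content}
    return [q for q in content if _is_applicable(q, index, answers, profile)]


def validate(content: List[Question], answers: Dict[str, Answer],
             profile: str = ENTERPRISE) -> List[Tuple[str, str]]:
    """(qid, problem) pairs: unanswered applicable questions, No answers without the
    required explanation, and answers left behind after a parent flipped to No."""
    app = {q.qid for q in applicable(content, answers, profile)}
    issues: List[Tuple[str, str]] = []
    for qid in app:
        a = answers.get(qid)
        if a is None:
            issues.append((qid, "unanswered"))
        elif not a.value and not a.explanation.strip():
            issues.append((qid, "No answer requires an explanation"))
    for qid in answers:
        if qid not in app:
            issues.append((qid, "answered but not applicable"))
    return sorted(issues)


def progress(content: List[Question], answers: Dict[str, Answer],
             profile: str = ENTERPRISE) -> Tuple[int, int]:
    """(answered, applicable) counts, the numbers behind a progress bar."""
    app = applicable(content, answers, profile)
    return sum(1 for q in app if q.qid in answers), len(app)


def report_by_rule(content: List[Question], answers: Dict[str, Answer],
                   profile: str = ENTERPRISE) -> Dict[str, List[Tuple[str, str]]]:
    """Group applicable questions by HSR citation with a Yes/No/unanswered status."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for q in applicable(content, answers, profile):
        a = answers.get(q.qid)
        status = "unanswered" if a is None else ("Yes" if a.value else "No")
        report.setdefault(q.rule_ref, []).append((q.qid, status))
    return report


if __name__ == "__main__":
    sample = {"HSR.A53": Answer(True), "HSR.A53.1": Answer(False)}  # constructed answers
    print(progress(CONTENT, sample), validate(CONTENT, sample))
    for rule, rows in report_by_rule(CONTENT, sample).items():
        print(rule, rows)
```

The evaluator walks each question's parent chain rather than trusting a flat list, so an answer recorded for a child whose parent later changed to No is reported as stale instead of silently counting toward progress; the Standard profile is simply the Enterprise content filtered by the subset flag, which keeps one content set for both profiles as slide 16 describes.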
Slide 19: Associated HSR Toolkit Resources
- A comprehensive User Guide
- Examples of how to use and operate the Toolkit
- Partner entities that are assisting in defining functionality and usability: a state Medicaid office, a specialty clearinghouse, a community hospital, a non-profit regional hospital
Slide 20: Toolkit: Download the Application
Slide 21: Toolkit: Create a Profile
Slide 22: Toolkit: Organized by Safeguard Family
Slide 23: Toolkit: Explore the Application Interface (screenshot labels: Navigation Menu, Selected Question, References, Responses, Attachments, Flag Level, Progress Bar, Comments)
Slide 24: Toolkit: Answer Questions
Slide 25: Toolkit: Generate Reports
Slide 26: A Framework for Managing Risk (repeat of slide 6)
Slide 27: Useful Resources
- HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa
- Computer Security Resource Center (CSRC): http://csrc.nist.gov
- NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html
Slide 28: Questions
Slide 29: Thank You
Kevin Stine, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov
HSRtoolkit@nist.gov