Post on 01-Feb-2018
Penetration Testing &
Regulatory Compliance
Related Chapters
• Chapter 30: Penetration Testing
• Chapter 31: What Is Vulnerability Assessment?
PENETRATION TESTING
What is Penetration Testing?
• Pen-test – helps determine which vulnerabilities are exploitable and the degree of information exposure
• Vulnerability – a potential weakness in a system's security
  – might also exist due to a lack of company policies or procedures, or an employee's failure to follow the policy or procedure
  – two broad categories of vulnerabilities: logical and physical
What is Penetration Testing? (cont.)
• Logical vulnerabilities
  – Associated with computers, infrastructure, software, or applications
  – Can be discovered with manual or automated tools
• Physical vulnerabilities
  – Actual physical security of the organization (such as a door that doesn't always lock properly)
  – Physical security of sensitive information
  – The vulnerability of the organization's employees to social engineering
Penetration Testing vs. Hacking
• A pen-test normally spends far less time on reconnaissance than a real attacker would
• Length of time to conduct all activities is shorter with a pen-test
• Hackers are not limited by a code of ethics
  – a pen-test cannot break the law
• Hackers don't care if they crash the system
• A pen-test is often only done on a subset of systems
Penetration Testing vs. Hacking (cont.)
• No test will find everything
  – there are always things that can be missed, due to time constraints or because the team did not have the right conditions to find the weakness
• No system is too critical to test
  – from a hacker's perspective, there are no "off-limits" systems, just opportunities for attack
Types of Penetration Testing
• Internal or external
• Based on the amount of information given to the tester
  – White box: team is given the same information as a network administrator
  – Gray box: some knowledge is provided to the test team
  – Black box: test team starts with no knowledge
Types of Penetration Testing (cont.)
• Testing can be announced or unannounced
  – In an announced test, the penetration testing team works in "full cooperation" with the IT staff, and the IT staff has "full knowledge" about the test
• Often done annually
  – If the test is always scheduled at the same time of year, even an "unannounced" test can be anticipated
Penetration Testing Phases
• Three phases of penetration testing: pre-attack, attack, post-attack
• Pre-attack phase
  – Passive reconnaissance
    • Does not touch the target network
  – Active reconnaissance
    • Gather information to create a network map
Figure: Penetration testing phases – Pre-attack (passive reconnaissance, active reconnaissance), Attack, Post-attack
Penetration Testing Phases: Attack Phase
• Team exploits a logical or physical vulnerability
– Discovered during pre-attack phase
• Team tries to exploit as many vulnerabilities as possible
• Escalate privileges, install applications, extend control to other systems.
• Eliminate evidence of attack
Figure 30.3: The attack phase
There is no knowing which vulnerability a hacker will exploit first.
Penetration Testing Phases: Post-Attack Phase
• Return any modified system to the pre-test state
  – Includes removing files, reversing registry changes, etc.
  – Restoration of the system, network devices, and network infrastructure to the state the network was in prior to the beginning of the test
• Test team documents each change made
  – Allows changes to be reversed
  – Ensures the test can be repeated
Penetration Testing Rules
• Rules of engagement – the rules for the penetration test
  – Examples: which IP addresses may be tested, which techniques may be used
• Both client and penetration test company must define and agree on:
  – How sensitive information is handled
  – Test schedule and duration
  – How results will be reported
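The rules of engagement are only useful if the tooling actually checks them before a packet leaves. The following is an added example for these slides, not a client's or a vendor's code: it assumes the agreed rules were recorded as allowed CIDR ranges, explicitly excluded hosts, and a testing window in UTC, and all values in it are constructed.

```python
"""Gate every scan behind the written rules of engagement.

Added example; assumes the rules of engagement are recorded as allowed CIDR
ranges, explicitly excluded hosts and a testing window in UTC. The values
below are constructed for a hypothetical client.
"""
import ipaddress
from datetime import datetime

# Constructed rules of engagement for a hypothetical client.
RULES = {
    "allowed": ["10.20.0.0/16", "203.0.113.0/24"],
    "excluded": ["10.20.1.10", "10.20.1.11"],  # e.g. a fragile production DB pair
    "window": ("2018-02-03T22:00:00+00:00", "2018-02-04T06:00:00+00:00"),
}


def in_scope(target, rules=RULES):
    """True only if target lies inside an allowed range and is not excluded.
    Raises ValueError for anything that is not an IP address: hostnames must
    be resolved first, and the resolved address is what gets checked."""
    ip = ipaddress.ip_address(target)
    if any(ip in ipaddress.ip_network(x) for x in rules["excluded"]):
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in rules["allowed"])


def in_window(when, rules=RULES):
    """True if the tz-aware timestamp (or ISO 8601 string) is inside the agreed window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    start, end = (datetime.fromisoformat(t) for t in rules["window"])
    return start <= when <= end


def authorize(targets, when, rules=RULES):
    """Split targets into (approved, rejected); each rejection carries a reason.
    Nothing is scanned here: a scan wrapper calls this before invoking nmap."""
    if not in_window(when, rules):
        return [], [(t, "outside agreed testing window") for t in targets]
    approved, rejected = [], []
    for t in targets:
        try:
            ok = in_scope(t, rules)
        except ValueError:
            rejected.append((t, "not an IP address; resolve it first"))
            continue
        if ok:
            approved.append(t)
        else:
            rejected.append((t, "not in allowed ranges or explicitly excluded"))
    return approved, rejected
```

Excluded hosts are checked before allowed ranges so that a host inside an allowed /16 can still be carved out, and the window check fails closed: a test run a day late is rejected wholesale rather than partially.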
The Need for a Methodology
• A methodology
  – a way to ensure that a particular activity is conducted in a standard manner, with documented and repeatable results
  – a planning tool to help ensure that all mandatory aspects of an activity are performed
• Most penetration test companies have a baseline methodology
  – Team modifies it to fit the scope of the test
• Different clients are subject to different regulatory requirements
  – Methodology must be flexible enough to adapt
A Good Methodology
• does not restrict the test team to a single way of compromising the network
• allows the test team the leeway necessary to explore unexpected "targets of opportunity" while still ultimately guiding them to the stated goals of the test
Types of Methodologies
• Open-source methodologies
  – Best known: Open Source Security Testing Methodology Manual (OSSTMM)
  – Another example: the Open Web Application Security Project (OWASP) testing guide
• Proprietary methodologies
  – Details owned by the company and not shared
  – Examples: IBM, ISS, EC-Council Licensed Penetration Tester (LPT) methodology
Example: EC Council LPT Methodology
• Information gathering
• Vulnerability analysis
• External penetration testing
• Internal network penetration testing
• Router penetration testing
• Firewall penetration testing
• IDS penetration testing
• Wireless network penetration testing
• Denial of service penetration testing
(LPT: Licensed Penetration Tester)
Example: EC Council LPT Methodology (cont.)
• Password cracking penetration testing
• Social engineering penetration testing
• Stolen laptop, PDA, and cell phone penetration testing
• Application penetration testing
• Physical security penetration testing
• Database penetration testing
• VoIP penetration testing
• VPN penetration testing
Figure 30.4: Block representation of some of the major areas of the LPT methodology
The actual methodology depends on the scope of the specific test.
Penetration Testing Risks
• Unintended consequences may occur
– Data loss
– Data corruption
– System crashes
• Company should back up all critical data
– Prior to beginning testing
• IT personnel should be available in case restoration is necessary
Liability Issues
• Documentation for the test should include a liability waiver
  – The waiver should state that the penetration testing company cannot be held liable for:
    • Damage to systems
    • Unintentional denial-of-service conditions
    • Data corruption
    • System crashes or unavailability
    • Loss of business income
Legal Consequences
• Company can become target of lawsuits by customers
• Penetration testers may become target of lawsuits by target company
• Senior member of the target company should authorize testing
• Have legal counsel review agreements
“Get Out of Jail Free Card”
• What if a team member is caught during the test?
  – Documentation that authorizes the tester's actions is required
  – Presented if detained or apprehended while performing duties
  – Has a 24-hour contact number for verification
• Very sensitive documents
  – Must be returned to the company following test completion
Penetration Testing Consultants
• Quality of the test depends on the quality of the consultants
• Few benchmarks exist to test the knowledge of a penetration tester
• Can rely on word of mouth and the reputation of the testing company
  – Ask for recommendations
• Required knowledge/skills
  – Networking concepts
  – Hardware devices
  – Ethical hacking techniques
  – Databases
  – Open-source technologies
  – Operating systems
  – Wireless protocols
  – Applications
  – Protocols
Accomplishments of Penetration Testers
Questions to Ask When Hiring a Tester
• Does the company offer a comprehensive suite of services?
• Do they have a methodology?
• Do they hire former hackers?
• How long have the consultants been practicing?
• What will the final report look like?
• Does the company have references available?
Responding to a Request for Proposal
• To have best chance at getting the job, highlight:
– Qualifications
– Work experience
– Cutting-edge technical skills
– Communication skills
– Attitude
– Team skills
– Company concerns
Open Source Pen-Test Tools
1. Metasploit Framework
   • Figure: Metasploit Framework (launcher) and attack code (payload)
2. Kali Linux (successor to BackTrack)
   • Based on Debian
   • Preinstalled with
     – nmap (port scanner)
     – Wireshark (packet analyzer)
     – John the Ripper (password cracker)
     – Aircrack-ng (WiFi pen-testing suite)
     – many more
WHAT IS VULNERABILITY ASSESSMENT?
Introduction
• A vulnerability is a weakness in a system
  – Allows an attacker to violate the integrity of the system
• A security risk is classified as a vulnerability if it is recognized as a possible means of attack
• A vulnerability with one or more known instances of a working, fully implemented attack is an exploitable vulnerability; the attack code itself is the exploit
Introduction (cont.)
• Key parts of a vulnerability assessment
  – Identification of vulnerabilities
  – Risk rating of each vulnerability: critical, high, medium, low
  – Quantification of vulnerabilities
• One critical vulnerability
  – Enough to put the whole network at risk
Reporting Capability
• Flexible and prioritized reports are highly valued
• Sort and cross-reference data (organized data)
• Export data to other formats
• View data easily
• Compare results with previous results
• Good reports help justify cost of implementing security measures
“It Won’t Happen To Us”
• “Why would an attacker want to break into the network of Widgets, Inc., when they could go after the Department of Defense or Microsoft or someone else who’s much more interesting?”.
Why Vulnerability Assessment?
• No security measure can provide complete security
• Organizations provide easier user access to their information systems, thereby increasing potential exposure.
• Administrative errors can put systems at risk
Why Vulnerability Assessment? (cont.)
• Routine use of vulnerability assessment tools can help alleviate risk
• Some industry standards require organizations to perform vulnerability assessments
– Example: Payment Card Industry Data Security Standard
• The main purpose of vulnerability assessment is to find out what systems have flaws and take action to mitigate the risk.
Penetration Testing vs. Vulnerability Testing
• Penetration testing
– Method for evaluating security of a computer system by simulating an attack
• Vulnerability assessment
– Process of identifying vulnerabilities without direct attack
– Has much in common with risk assessment
Figure 31.2: Vulnerability mitigation cycle
Assigning relative importance to each resource is an important step in the assessment.
Vulnerability Assessment Steps
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value and importance to the resources
3. Identifying the vulnerabilities or potential threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Network Scanning Goal
• The theoretical goal of network scanning is elevated security on all systems or establishing a network-wide minimal operation standard.
Figure 31.3: Usefulness/ubiquity relationship
Firewalls have become as ubiquitous as antivirus (AV), but firewalls have increased in usefulness while antivirus usefulness has decreased.
HIPS: host-based intrusion prevention system; NIDS: network-based intrusion detection system; AV: antivirus; NIPS: network-based intrusion prevention system
Mapping the Network
• Before we start scanning the network we have to find out what machines are alive on it
• Nmap security scanner – free, open-source utility
  – Can determine:
    • What hosts are on a network
    • What services each host offers
    • What operating systems are in use
    • What firewalls or packet filters are in the path
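Nmap's human-readable output is awkward to feed into the later assessment steps; its XML output (`-oX`) is not. The following is an added example, not part of the slides or of Nmap itself: it turns an Nmap XML report into a per-host inventory of live hosts, open services, OS guesses and filtered ports (the sign that a packet filter sits in the path). The XML embedded in it is a constructed sample written in the real Nmap XML schema so the example runs offline.

```python
"""Turn Nmap XML output into a host/service inventory.

Added example, not Nmap's own code. Produce the input with
``nmap -sV -O -oX scan.xml <targets>`` and pass the file contents to
``parse_nmap_xml``. SAMPLE_NMAP_XML is a constructed report.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, hostname, OS guess, open services
    and filtered ports. Hosts whose status is not 'up' are dropped; 'filtered'
    ports are kept separately because they indicate a packet filter in the path."""
    # Output of your own scanner is trusted input. If the XML could come from
    # an untrusted party, parse it with defusedxml to avoid entity-expansion attacks.
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        entry = {
            "address": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "open": [],
            "filtered": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            desc = ""
            if svc is not None:
                desc = " ".join(filter(None, [svc.get("name"), svc.get("product"), svc.get("version")]))
            label = f"{port.get('portid')}/{port.get('protocol')} {desc}".strip()
            if state == "open":
                entry["open"].append(label)
            elif state == "filtered":
                entry["filtered"].append(label)
        inventory.append(entry)
    return inventory


def live_hosts(inventory):
    """Sorted addresses of the hosts that answered; this is the scan target list."""
    return sorted(h["address"] for h in inventory)
```

The `live_hosts` list is what the vulnerability scanner is pointed at next, and the per-host service strings are what a cross-reference against a vulnerability database keys on.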
Figure 31.4: Nmap command line interface
Frequently used scans can be saved as profiles to make them easy to run repeatedly.
Figure 31.5: Zenmap graphical user interface
Zenmap is the official Nmap security scanner GUI.
Selecting Scanners
• Why is it good practice to use more than one scanner?
  – Compare the results between them
• Nessus
  – Outstanding all-purpose scanner
• HP WebInspect or Cenzic Hailstorm
  – Better at scanning a Web application
Figure 31.6: Typical scanner architecture
The scanner relies on a database of known vulnerabilities.
Central Scans Versus Local Scans
• Should we scan locally or centrally?
  – Central scans give overall visibility into the network
  – Local scans may have higher visibility into the local network
  – Centrally driven scans serve as the baseline
  – Locally driven scans are the key to vulnerability reduction
• Scanning tools should support both methods
Who is the Target?
• Many people think that they don’t have anything to hide, they don’t have secrets, and thus nobody will hack them.
• Hackers are not only after secrets but after resources as well.
– They may want to use your machine for hosting files, use it as a source to attack other systems, or just try some new exploits against it.
49
Defense in Depth Strategy
• Multiple layers of defense should be placed throughout an IT system
• Types of security vulnerabilities to be addressed
– Personnel
– Technology
– Operations
• Strategy is designed to give organization time to detect and respond to an attack
Defense in Depth Layers
• Using more than one of the following layers constitutes defense in depth:
  – Physical security (deadbolt locks)
  – Authentication and password security
  – Antivirus software (host based and network based)
  – Firewalls (hardware or software)
  – Demilitarized zones (DMZs)
  – Intrusion detection systems (IDSs)
  – Intrusion prevention systems (IPSs)
  – Packet filters (deep packet inspection appliances and stateful firewalls)
  – Routers and switches
  – Proxy servers
  – Virtual private networks (VPNs)
  – Logging and auditing
  – Biometrics
  – Timed access control
  – Proprietary software/hardware not available to the public
Computer Network Defense
• In terms of computer network defense, defense-in-depth measures should not only prevent security breaches, they should give an organization time to detect and respond to an attack, thereby reducing and mitigating the impact of a breach.
Vulnerability Assessment Tools
• Nessus
• GFI LANguard
• Retina
• Core Impact
  – Most powerful, and most expensive
• ISS Internet Scanner
• Xscan
• SARA
• QualysGuard
• SAINT
• MBSA
• Technique to improve scanner performance
  – Use multiple scanners
• Orphaned system – a system that is not maintained or updated
  – Should be treated as hostile
• Company should take steps to avoid being scanned by outsiders
Scanner Performance
• A vulnerability scanner can use a lot of network bandwidth.
– Tradeoff: the more vulnerabilities in the database and the more comprehensive the scan, the longer it will take.
• One way to increase performance is through the use of multiple scanners
– one system to aggregate the results
Scan Verification
• Best practice is to use more than one scanning tool during a vulnerability assessment; different tools find different vulnerabilities
• Scan your networks with different scanners from different vendors and compare the results
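Comparing scanners, comparing against the previous assessment, and ranking by asset importance (the reporting and assessment steps described earlier) are one cross-referencing job. The following is an added example, not code from the slides or from any vendor: it merges constructed findings from two hypothetical scanners, diffs them against a constructed previous run, flags single-source findings for manual verification, and ranks what remains by severity times the asset value assigned in step 2 of the assessment. Real scanners export these fields (e.g. Nessus XML, QualysGuard reports); parsing them is assumed to have happened already.

```python
"""Cross-reference two scanners' findings, diff against the last run, and
rank by severity and asset importance.

Added example. Findings are simplified to (host, port, title, severity)
tuples and, like the asset values and the previous run, are constructed.
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed asset register: relative importance 1..5 assigned when the
# resources were catalogued and valued.
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.6": 2, "10.0.0.9": 3}

# Constructed findings from two hypothetical scanners, same network, same day.
SCANNER_A = [
    ("10.0.0.5", 443, "CVE-2014-0160", "critical"),
    ("10.0.0.5", 22, "SSH weak MAC algorithms", "low"),
    ("10.0.0.6", 445, "SMBv1 enabled", "high"),
]
SCANNER_B = [
    ("10.0.0.5", 443, "CVE-2014-0160", "high"),            # same issue, rated lower
    ("10.0.0.6", 445, "SMBv1 enabled", "high"),
    ("10.0.0.9", 3306, "MySQL remote root login", "critical"),  # only B saw it
]
# Constructed findings from the previous quarter (keys only).
PREVIOUS = {
    ("10.0.0.5", 22, "SSH weak MAC algorithms"),
    ("10.0.0.6", 445, "SMBv1 enabled"),
    ("10.0.0.6", 21, "Anonymous FTP"),
}


def merge(*scan_results):
    """Key findings on (host, port, title); keep the highest severity any scanner
    assigned and record which scanners (by position) reported the finding."""
    merged = {}
    for idx, results in enumerate(scan_results):
        for host, port, title, sev in results:
            rec = merged.setdefault((host, port, title), {"severity": sev, "seen_by": set()})
            if SEVERITY_RANK[sev] > SEVERITY_RANK[rec["severity"]]:
                rec["severity"] = sev
            rec["seen_by"].add(idx)
    return merged


def diff_previous(merged, previous):
    """Return (new, still_open, fixed) relative to the last assessment."""
    current = set(merged)
    return current - previous, current & previous, previous - current


def prioritize(merged, asset_value):
    """Rank by severity * asset importance (unknown assets count as 1);
    ties are broken by the finding key so the order is stable."""
    def score(item):
        (host, _port, _title), rec = item
        return SEVERITY_RANK[rec["severity"]] * asset_value.get(host, 1)
    return sorted(merged.items(), key=lambda i: (-score(i), i[0]))


def single_source(merged):
    """Findings only one scanner reported: verify by hand before reporting,
    since these are where false positives (and the other scanner's misses) hide."""
    return sorted(k for k, r in merged.items() if len(r["seen_by"]) == 1)
```

Keeping the highest severity any scanner assigns is deliberate: when vendors disagree, the assessment should err toward the worse rating until a human has looked at the host.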
Network Scanning Countermeasures
• A company wants to scan its own networks, but at the same time the company should take countermeasures to protect itself from being scanned by hackers.
Vulnerability Disclosure Date
• Time of vulnerability disclosure
– Public disclosure of security information by a certain party
– Details are published on a security Website
– Security advisory is put out via email
• The method of appropriate disclosure is a subject of debate
– Full disclosure vs. security by obscurity
59
Discovering Security Holes
• Vulnerability categories
  – Related to programmer errors in writing code
  – Related to misconfiguration of software settings
• Vulnerability scanners can identify both types
• The first scanners were designed as hacking tools
  – Now the same tools are used to find the holes before attackers do
Proactive and Reactive Security
• Reactive security – passive approach
  – Respond to a breach when it occurs
  – Damage control focus
• Proactive security – active approach
  – Identify vulnerabilities before a hacker does
• Best security uses both proactive and reactive approaches
Vulnerability Causes
• Password management flaws
• Fundamental operating system design flaws
• Software bugs
• Unchecked user input
– Risk: SQL injection
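The unchecked-input item above is best seen as the vulnerable query beside its hardened form. The following is an added example, not from the slides: an in-memory SQLite database with constructed users, a login check that splices user input into the SQL text, and the same check using a parameterized query. The same pattern applies to any SQL driver.

```python
"""Unchecked user input: SQL injection, vulnerable and hardened.

Added example using an in-memory SQLite database with constructed users.
Passwords are stored in plaintext only to keep the injection visible; real
code stores a salted password hash and compares against that.
"""
import sqlite3


def make_db():
    """Constructed users table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return con


def login_vulnerable(con, username, password):
    """String-built query: the user's input becomes part of the SQL grammar.
    A username of  alice' --  closes the quoted string and comments out the
    password check, so the query matches alice without her password."""
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterized query: the driver binds the values as data, so quotes
    and comment markers in the input can never change the statement's structure."""
    row = con.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```

Parameter binding, not escaping or filtering quote characters, is the fix: it removes the ambiguity between code and data rather than trying to recognize every way an attacker could exploit it.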
Figure 31.7: Vulnerabilities with the biggest impact
Vulnerabilities found in core devices (routers, firewalls) will have the biggest impact on the organization.
DIY Vulnerability Assessment
• Tenable’s Nessus
– Widely used in vulnerability assessments
– Can be run with only IP addresses as input (default)
– Product is very well documented
– Compares responses received from network devices against database of known vulnerabilities
Cyber Security Regulatory Compliance
Cyber Security Regulation
• PCI DSS:
– Payment Card Industry Data Security Standard
• HIPAA:
– Health Insurance Portability and Accountability Act
• Others
REGULATORY COMPLIANCE: PCI DSS
PCI DSS: Payment Card Industry Data Security Standard
• Standard that applies to:
  – Merchants
  – Service providers (third-party vendors, gateways)
  – Systems (hardware, software)
• That:
  – Store cardholder data
  – Transmit cardholder data
  – Process cardholder data
• Applies to:
  – Electronic transactions
  – Paper transactions
PCI DSS: 12 Requirements in 6 Groups
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Routinely test security systems and processes.
Maintain an Information Security Policy
12. Establish high-level security principles and procedures.
Compliance vs Validation
• Compliance – adherence to the standard
  – Applies to every merchant regardless of volume
  – Covers technical and business practices
• Validation – verification that a merchant (including its service providers) is compliant with the standard
  – Applies based on the Level assigned to the merchant, which is based on transaction volume
  – Two types of validation
    • Self-assessment
    • Assessment by a Qualified Security Assessor (QSA)
• Attestation – letter to Visa signed by both merchant and acquiring bank attesting that validation has been performed
2 Components to Validate
• Annual Assessment Questionnaire
  – Required of all merchants, regardless of level
  – Self-assessment or performed by a Qualified Security Assessor (QSA)
  – Must not have any "No" answers: it is pass or fail
  – Applies to both technical and business practices
• Quarterly Security Vulnerability Scan
  – Required for external-facing IP addresses
    • Web applications
    • POS software and databases on networks
    • Applies even if there is only a redirection link to a third party
  – Must be performed by an Approved Scanning Vendor (ASV)
  – Validation requirements depend on the Level assigned to the merchant, based on transaction volume
    • Visa and MasterCard schedules are different
    • Visa's schedule is what most go by
Levels of Merchants

Level   Visa transactions per year                   Types of entities
1       More than 6 million                          Merchants, merchant agents, processors, direct connects
2       1 – 6 million                                Merchants, merchant agents, processors
3       20,000 – 1 million e-commerce transactions   e-Commerce merchants
4       All other merchants                          Merchants

Levels are set by the number of transactions, not by dollar volume.
• All merchants must perform external network scanning to achieve compliance.
• The Level 4 program, released in May 2007, requires acquirers to develop and submit a formal written compliance plan to Visa which "identifies, prioritizes and manages overall risk within their Level 4 merchant populations," according to the CISP Bulletin.
Visa and MasterCard Validation Requirements
• Level 1 (Visa/MasterCard) – Annual onsite review by a Qualified Security Assessor (QSA), or by the merchant's internal audit if signed by an officer of the company, and a quarterly network security scan by an Approved Scanning Vendor (ASV).
• Level 2 – Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.
• Level 3 – Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.
• Level 4 – Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.
• If a breach has been reported or found, Visa reserves the right to move a Level 4 merchant to Level 1; the merchant must then abide by the Level 1 validation requirements.
For Level 4, by Acquirer
• Timeline of Critical Events – timeline of completion dates and milestones for the overall strategy.
• Risk-Profiling Strategy – prioritization of Level 4 merchants into subgroups, from merchants that pose the greatest risk to those that pose little risk at all. Factors such as merchant category, transaction volume, market segment, acceptance channel, and number of locations can help the acquirer target compliance efforts for each subgroup.
• Merchant Education Strategy – strategy designed to stop prohibited data from being stored, protect stored data, and secure the environment in accordance with PCI DSS. This includes ensuring that merchants store only data they truly require, comply with PCI DSS, use compliant payment applications, and use only third-party agents on Visa's list of CISP-compliant service providers.
• Compliance Reporting – monthly compliance reporting to executive or board management. Visa may also periodically request that the acquirer produce these reports.
Merchant Levels: Based on Visa Transaction Volumes over the Past 12 Months
• For Visa, Inc., the merchant's transaction volume is based on the aggregate number of Visa transactions (credit, debit, and prepaid cards) from a merchant Doing Business As ("DBA").
• For merchants and/or merchant corporations that operate more than one DBA, the aggregate volume of transactions stored, processed or transmitted by the corporate entity must be considered to determine the validation level.
• If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, members will continue to consider each DBA's individual transaction volume to determine the validation level.
Fines for Security Breaches
• Not levied by the PCI Security Standards Council
  – Fines are levied by the card associations
  – Against the merchant's acquiring bank, which passes them on to the merchant
• Fines for a security breach
  – Visa – up to $500,000 per occurrence
  – MasterCard – up to $500,000 per occurrence
• Amount of the fine depends on
  – Number of card numbers stolen
  – Circumstances surrounding the incident
  – Whether track data was stored
  – Timeliness of reporting the incident
• Safe harbor
  – Could limit the fine if the merchant had been validated as compliant by a QSA
  – But validation is a point-in-time judgment, so don't count on it
Other Security Breach Costs
• Fines levied by the card associations to cover notifying all cardholders and replacing cards
• Costs of notifying customers of the incident
• Forensic investigation costs
  – Required by the card associations
  – Must use a forensic firm approved by the card brands (today, a PCI Forensic Investigator, PFI)
  – Cost approximately $10,000
• Cost if the merchant loses the ability to accept cards
• Cost of an annual on-site security audit
  – Once a breach has occurred, the merchant is elevated to Level 1
  – Cost approximately $15,000 – $20,000
Chart: combined fines for all three, $60,590,000 ($50,000,000 + $10,000,000 + $590,000)
PCI Compliance ≠ Security!
• "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach." – Gregg Steinhafel, Target CEO, Chairman, and President
REGULATORY COMPLIANCE: HIPAA
What is HIPAA?
• In 1996 President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA).
• HIPAA has two primary purposes:
  – to provide continuous insurance coverage for workers who change jobs, and
  – to "reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper"
What does HIPAA do?
• Protects the privacy of a client’s personal and health information
• Provides for electronic and physical security of personal and health information
• Simplifies billing and other transactions
Overview of HIPAA
HIPAA – Health Insurance Portability and Accountability Act of 1996
• Title I – Portability
• Title II – Administrative Simplification
  – Privacy: administrative requirements; individual rights; use and disclosure of PHI
  – Identifiers
  – Code sets
  – Transactions / EDI
  – Security: technical security mechanisms; technical security services; physical safeguards; administrative procedures
• Title III – Medical Savings Accounts
• Title IV – Group Health Plan Provisions
• Title V – Revenue Offset Provisions
Definitions
• Privacy – the state of being free from unwanted observation or disclosure
• Confidentiality – the duty to protect information given in trust (e.g., a medical record)
• Authorization – to give permission for; to grant power to
• Breach of confidentiality – to break an agreement, to violate a promise
HIPAA is Timely
• Much of a patient's health information is now documented in computerized form; protecting this information has become vitally important.
• The HIPAA Privacy Rule (compliance date April 14, 2003) was the first federal regulation to protect a patient's right to privacy and the security of, and access to, personal medical information.
HIPAA
• Privacy Rule
– Imposes restrictions on the use/disclosure of personal health information
– Gives patients greater protection of their medical records
– Hopefully provides patients with greater peace of mind related to the security of their information
Confidentiality
• Deals with:
  – Communication or information given to you without fear of disclosure
  – Legitimate need to know and informed consent
• Potential breaches of confidentiality can occur
Protected Health Information
• When a patient gives personal health information to a healthcare provider, that becomes Protected Health Information (PHI)
Protected Health Information (cont.)
• PHI includes:
  – Verbal information
  – Information on paper
  – Recorded information
  – Electronic information, faxes, e-mails
  – …
Protected Health Information (cont.)
• Examples of patient information
  – Patient's name or address
  – Social Security or other ID numbers
  – Doctor's/nurse's personal notes
  – Billing information
Rules for the Use & Disclosure of PHI
• PHI can be used or disclosed for
– Treatment, payment, and healthcare operations
– With authorization/agreement from patient
– For disclosure to patient
Rules for the Use & Disclosure of PHI (cont.)
• Healthcare provider is required to release PHI
  – When requested/authorized by the patient (some exceptions apply)
  – When required by the Department of Health and Human Services
• Patients can request an accounting of the persons who viewed their PHI, but they too must sign a consent
Authorization Guidelines
• Patient authorization for release of PHI must be obtained in the following situations:
  – Use/disclosure of psychotherapy notes
  – For research purposes
  – For use/disclosure to third parties for marketing activities
Authorization Guidelines (cont.)
• PHI can be used/disclosed without authorization for the following reasons:
  – To inform appropriate agencies
  – Public health activities related to disease prevention/control
  – To report victims of abuse, neglect or domestic violence
  – To funeral homes, tissue/organ banks
  – To avert a serious threat to health/safety
Notice of Privacy Practices
• The Notice of Privacy Practices must contain the patient's rights and the covered entity's legal duties
• Patients have the right to adequate notice concerning the use/disclosure of their PHI
• Providers must make a good-faith effort to obtain the patient's signed acknowledgment that the notice was received
Minimum Necessary
• What are the Minimum Necessary requirements?
  – Use/disclosure of PHI is limited to the minimum amount of health information required to do the job
• It means:
  – Development of policies/practices on sharing health information
    • Identify employees who regularly access PHI
    • Identify the types of PHI needed and the conditions for access
    • Grant only that access necessary to perform the job
Protections for Health Information
• Important safeguards
  – Physical safeguards: computer terminals are not placed in public areas
  – Technical safeguards: every associate must keep his/her password confidential
  – Administrative safeguards: policy and procedure for release of patient information
Patients' Rights
• The hospital demonstrates respect for the following patient needs:
  – Confidentiality
  – Privacy
  – Security
  – Resolution of complaints
• Records and information are protected against LOSS, destruction, tampering and UNAUTHORIZED ACCESS or use
• Patients have a right to confidentiality of all information that is provided to the healthcare professional and institution
• Health care professionals ensure that patient information is secured at all times, and if there are any complaints, those complaints will be resolved in a timely manner
Faxing Guidelines
• Fax machines are located in non-public areas
• Centralized fax machines: pick up information immediately
• DO NOT FAX the following records/results:
  – HIV results
  – Alcohol abuse
  – Mental health
  – Substance abuse
  – Narcotic prescriptions
  – Child abuse
• When you fax to outside offices:
  – Check the transmission printout
  – Verify that the correct number was dialed
Protect the Patient!
• No photographs or recordings of any type are to be taken of patients in the clinical setting.
• No cameras, tablets, smartphones or any electronic devices with photography capabilities are permitted in the clinical environment.
Enforcement of the Medical Privacy Regulations
• A patient may complain to the Privacy Officer in a hospital, or
• to the Department of Health and Human Services (HHS) Office for Civil Rights
Patient Privacy Rights
• It's your job to make sure patients know they have the right to see and copy their PHI
• Protect patients' privacy and confidentiality
• Contact your hospital's privacy administrator for any privacy concerns
HITECH
• Health Information Technology for Economic and Clinical Health Act
• A federal law, part of the American Recovery and Reinvestment Act (ARRA) of 2009; its breach notification provisions took effect September 23, 2009
• Updated the HIPAA rules to include protections against identity theft
Purpose
• Applies to covered health care entities and business associates; makes major changes to privacy and security law
• Promotes nationwide adoption of electronic health records
• Increases penalties for privacy and security violations
• Breach notification requirements (patient, Department of Health and Human Services, and media)
Criminal Penalties
• Criminal provisions
• Penalties
• Sharing of civil monetary penalties with harmed individuals
Other Regulatory Compliance Issues
• Sarbanes–Oxley Act (2002)
  – Requires senior management to certify the accuracy of reported financial statements
  – Requires management and auditors to establish internal controls and report on the adequacy of those controls
• Gramm–Leach–Bliley Act (1999)
  – Requires financial institutions to safeguard customers' nonpublic personal information and disclose their information-sharing practices; implementing guidance requires notifying customers of security breaches
• Patriot Act (2001)
  – Surveillance of communications and financial transactions, and more
• Fair and Accurate Credit Transactions Act (2003)
• SEC Rule 17a-4
  – Data retention, indexing, and accessibility for companies that trade or broker financial securities such as stocks, bonds, and futures
• Personal Information Protection and Electronic Documents Act (PIPEDA, Canada)
• EU Data Retention Directive (2006)