NIST HIPAA Security Rule Toolkit

Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

Shared Assessments Member Forum
February 14, 2012

NIST’s Mission

To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

NIST’s work enables

• Science

• Technology innovation

• Trade

• Public benefit

NIST works with

• Industry

• Academia

• Government agencies

• Measurement labs

• Standards organizations

NIST Laboratories

Computer Security Division

A division within the Information Technology Lab, CSD conducts research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.

Some Major Activities

Cryptographic Algorithms, Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, Post-Quantum Crypto, BIOS Security

FISMA, Health IT, Smart Grid, Supply Chain, NICE, Crypto Validation Programs, Outreach and Awareness, Cyber Physical Systems, Voting

Identity Management, Access Control, Biometric Standards, Cloud and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols


Types of NIST Publications

Federal Information Processing Standards (FIPS)

• Developed by NIST; approved and promulgated by the Secretary of Commerce

• Per FISMA, compulsory and binding for all federal agencies; not waiverable

• Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia)

Special Publications (SP 800 series)

• Per OMB policy, Federal agencies must follow NIST guidelines

• Voluntary adoption by non-Federal organizations

Other security-related publications

• NIST Interagency Reports

A Framework for Managing Risk

Risk Management Framework process overview (diagram)

Starting point and organizational inputs:

• Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries

• Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations

Process steps (repeat as necessary):

• Step 1: CATEGORIZE Information System

• Step 2: SELECT Security Controls

• Step 3: IMPLEMENT Security Controls

• Step 4: ASSESS Security Controls

• Step 5: AUTHORIZE Information System

• Step 6: MONITOR Security Controls

Agenda

• HIPAA Security Rule Overview

• Toolkit Project

• Content Development

• The Toolkit Application

• Additional Information

HIPAA Security Rule (HSR) Overview

HSR establishes national standards for a covered entity to protect individuals’ electronic personal health information (ePHI).

Who?

From nationwide health plans with vast resources … to small provider practices with limited access to IT expertise and resources.

What?

Standards and implementation specifications covering…

• Basic practices

• Security failures

• Risk management

• Personnel issues

How?

It depends… on the size and scale of your organization.

HSR Toolkit Project

The purpose of this toolkit project is to help organizations …

• better understand the requirements of the HIPAA Security Rule (HSR)

• implement those requirements

• assess those implementations in their operational environments

What it IS…

• A self-contained, OS-independent application to support various environments (hardware/OS)

• Support for security content that other organizations can reuse over and over

• A useful resource among a set of tools and processes that an organization may use to assist in reviewing its HSR risk profile

• A freely available resource from NIST

What it is NOT…

• It is NOT a tool that produces a statement of compliance

• NIST is not a regulatory or enforcement authority

• Compliance is the responsibility of the covered entity

Intended Uses of the HSR Toolkit

• Supplement existing risk assessment processes conducted by Covered Entities and Business Associates

• Assist organizations in aligning security practices across multiple operating units

• Serve as input into an action plan for HSR Security implementation improvements

HSR Toolkit Project

The Toolkit project consists of three parallel efforts, developed over multiple iterations:

• Content Development

• Desktop Application Development

• Security Automation

Content Development

Using the HIPAA Security Rule and NIST Special Publications (800-66, 800-53, 800-53A), we developed questions designed to assist in the implementation of the Security Rule.

Example mapping from a Security Rule provision to a specific question that addresses it:

HIPAA Security Rule provision: §164.308(a)(3)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Maps to

Question HSR.A53: Has your organization established chains of command and lines of authority for work force security?

Response type: Boolean

• Yes: If yes – do you have an organizational chart?

• No: If no – provide explanation text

Content Development

This effort has resulted in …

• Two sets of questions:

  • an “Enterprise” set with nearly 900 questions

  • a “Standard” set with about 600 questions (a subset)

• With dependence and parent-child relationship mappings

• Covering all HSR standards and implementation specifications
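The question content described on the preceding slides (a Boolean question mapped to a Security Rule citation, a follow-up that depends on the Yes/No answer, parent-child dependencies between questions, and a Standard subset of the Enterprise set) can be modelled as a small questionnaire engine. The block below is an added example and is not code from the NIST toolkit: only HSR.A53, its text and its citation come from the slides; the other question ids and texts, the Questionnaire class and its methods are constructed for illustration.

```python
"""Toy questionnaire engine modelling the HSR Toolkit content structure.
Constructed example; not the NIST toolkit's code or data model."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Question:
    qid: str
    citation: str            # HSR provision the question maps to
    text: str
    # A child question is only asked once its parent has been answered with
    # parent_answer (the "dependence and parent-child relationship mappings").
    parent: Optional[str] = None
    parent_answer: Optional[bool] = None
    # Follow-up prompt shown for a Yes or a No answer.
    if_yes: str = ""
    if_no: str = ""
    # Present in the Enterprise set but not in the Standard subset.
    enterprise_only: bool = False


@dataclass
class Response:
    answer: bool
    explanation: str = ""


# Constructed sample content: HSR.A53 is from the slides, the rest is made up.
QUESTIONS = [
    Question("HSR.A53", "§164.308(a)(3)(A)",
             "Has your organization established chains of command and lines "
             "of authority for work force security?",
             if_yes="Do you have an organizational chart?",
             if_no="Provide explanation text."),
    Question("HSR.A53.1", "§164.308(a)(3)(A)",        # hypothetical child
             "Is the organizational chart reviewed when staff roles change?",
             parent="HSR.A53", parent_answer=True),
    Question("HSR.A53.2", "§164.308(a)(3)(A)",        # hypothetical child
             "Is there a documented plan to define lines of authority?",
             parent="HSR.A53", parent_answer=False),
    Question("HSR.A99", "§164.308(a)(3)(A)",          # hypothetical, Enterprise only
             "Are supervision procedures reviewed by an independent unit?",
             enterprise_only=True),
]


class Questionnaire:
    def __init__(self, questions, profile="Enterprise"):
        if profile not in ("Enterprise", "Standard"):
            raise ValueError(f"unknown profile {profile!r}")
        self.profile = profile
        # The Standard set is the Enterprise set minus the enterprise_only items.
        self.questions = {q.qid: q for q in questions
                          if profile == "Enterprise" or not q.enterprise_only}
        self.responses: dict = {}

    def is_applicable(self, qid):
        """Roots always apply; a child applies only when its parent was
        answered with the activating value."""
        q = self.questions[qid]
        if q.parent is None:
            return True
        parent_resp = self.responses.get(q.parent)
        return parent_resp is not None and parent_resp.answer == q.parent_answer

    def _descendants(self, qid):
        out = []
        for q in self.questions.values():
            if q.parent == qid:
                out.append(q.qid)
                out.extend(self._descendants(q.qid))
        return out

    def answer(self, qid, answer, explanation=""):
        """Record a Boolean answer and return the follow-up prompt."""
        if qid not in self.questions:
            raise KeyError(f"{qid} is not in the {self.profile} set")
        if not self.is_applicable(qid):
            raise ValueError(f"{qid} does not apply until its parent is answered")
        if not answer and not explanation:
            raise ValueError(f"{qid}: a 'No' answer requires explanation text")
        self.responses[qid] = Response(answer, explanation)
        # Re-answering a parent invalidates any answers recorded for its children.
        for child in self._descendants(qid):
            self.responses.pop(child, None)
        q = self.questions[qid]
        return q.if_yes if answer else q.if_no

    def pending(self):
        """Applicable questions not yet answered, in content order."""
        return [qid for qid in self.questions
                if self.is_applicable(qid) and qid not in self.responses]

    def progress(self):
        """(answered, applicable) counts, as a progress bar would show them."""
        applicable = [qid for qid in self.questions if self.is_applicable(qid)]
        answered = [qid for qid in applicable if qid in self.responses]
        return len(answered), len(applicable)

    def report(self):
        """Group 'No' answers by citation: the gaps that feed an action plan."""
        gaps = {}
        for qid, r in self.responses.items():
            if not r.answer:
                gaps.setdefault(self.questions[qid].citation, []).append((qid, r.explanation))
        return gaps


if __name__ == "__main__":
    q = Questionnaire(QUESTIONS, "Standard")
    print(q.answer("HSR.A53", False, "No chart yet"))
    print("pending:", q.pending(), "progress:", q.progress())
    print("gaps:", q.report())
```

Note that the engine refuses a No answer without explanation text and discards child answers whenever a parent is re-answered, so a change of answer higher in the tree cannot leave stale responses in the report.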

Security Automation

• Utilizing standards-based security automation specifications – such as XCCDF, OVAL, OCIL – to implement those questions in a toolkit application that is “loosely coupled”

• Enables existing commercial tools that process security automation content to use the content (not locked down)

• Provides consistent and repeatable processes

Associated HSR Toolkit Resources

• A comprehensive User Guide

• Examples of how to use and operate the Toolkit

Partner entities that are assisting in defining functionality and usability:

• A state Medicaid Office

• A specialty clearinghouse

• A community hospital

• A non-profit regional hospital

Toolkit: Download the Application

Toolkit: Create a Profile

Toolkit: Organized by Safeguard Family

Toolkit: Explore the Application Interface (screenshot labels)

• Navigation Menu

• Selected Question

• References

• Responses

• Attachments

• Flag Level

• Progress Bar

• Comments

Toolkit: Answer Questions

Toolkit: Generate Reports


Useful Resources

• HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa

• Computer Security Resource Center (CSRC): http://csrc.nist.gov

• NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html

Questions

Thank You

Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

Computer Security Resource Center: http://csrc.nist.gov