Security Core Training Presented by: DHHS HIPAA PMO Security Team and DIRM Networking Services.


Objectives

• Obtain a basic understanding of the proposed HIPAA Security Standard
• Obtain a general understanding of how health care components will be affected
• Obtain an understanding of the security assessment process
• Obtain an understanding of the health care component's general roles and responsibilities during the assessment process

Definitions

Hybrid Entity - A single entity that is a covered entity and whose covered functions are not its primary functions.

Health Care Component - Components of a covered entity that perform covered functions are part of the health care component. As a hybrid entity, HIPAA requirements apply only to the health care component.

Covered Function - Those functions of a covered entity which make the entity a health plan, health care provider, or health care clearinghouse.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Administrative Simplification: Security and Electronic Signature Standard

HIPAA Overview

Intended to improve "the efficiency and effectiveness of health information systems through establishment of standards and requirements for the electronic transmission of health information"

Establishes Federal regulation of:
• Transactions and Code Sets
• Health care identifiers
• Confidentiality of health information (Privacy)
• Security of electronically maintained / communicated health information (Security)

Security Objective

To minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption of individually identifiable health information (IIHI)*

*IIHI - Any information, including demographic information collected from an individual, that a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and b) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Applicability and Scope

Applies to:
• All health plans
• All clearinghouses
• Any health care provider that electronically maintains or transmits any health information relating to an individual.

Ensures privacy and confidentiality of all individually identifiable health information that is electronically stored, maintained, or transmitted.

Time Frame

Proposed Rules published in 1998: basis of today's presentation.

Publication of Final Rules pending:
• Likely to be published in first quarter of 2002
• Compliance required 2 years from the date the Final Rule is published

Concepts on Which the Security Standard is Based

• Comprehensive - "Unifies" existing guidelines and standards
• Technology "neutral" - Choose your own technical solutions
• Scalable - The standard must be able to be implemented by all affected entities

General Approach

The standard does not reference or advocate specific technology.

Covered entity should:
• Assess its own security needs and risks
• Ensure that appropriate security is devised, implemented and maintained to address its business requirements.

The regulatory requirements must be addressed, but how that is done should be based on business decisions of the covered entity.

There should be a balance between the need to secure health data and the economic cost of doing so.

Security Standard Defined

Set of requirements with implementation features that covered entities must include in their operations to assure that electronic health information pertaining to an individual remains secure.

Security Standards

Reasonable and appropriate requirements:
• Administrative Procedures
• Physical Safeguards
• Technical Services
• Technical Mechanisms

to ensure:
• Integrity
• Confidentiality
• Availability

of electronic data.

Administrative Procedures (142.308a)

Documented, formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data.

Requirements and their implementation features:
• Certification
• Chain of Trust Partner Agreement
• Contingency Planning: applications and data criticality analysis; data backup plan; disaster recovery plan; emergency mode operation plan; testing and revision
• Information access control: access authorization; access establishment; access modification

Administrative Procedures (142.308a) continued

Requirements and their implementation features:
• Internal audit
• Personnel Security: assure supervision of maintenance personnel by an authorized, knowledgeable person; maintenance of a record of access authorizations; operating and, in some cases, maintenance personnel have proper access authorization; personnel clearance procedures; personnel security policy/procedure; system users, including maintenance personnel, trained in security
• Security Configuration & Management: hardware/software installation and maintenance review and testing for security features; inventory; security testing; virus checking

Administrative Procedures (142.308a) continued

Requirements and their implementation features:
• Security Incident Response & Reporting: report procedures; response procedures
• Security Management Process: risk analysis; risk management; sanction policy; security policy
• Termination Procedures: combination locks changed; removal from access lists; removal of user accounts; turn in keys, tokens or cards that allow access
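The termination steps listed above (removal from access lists, removal of user accounts, return of keys, tokens or cards) are the ones an internal audit can verify from system exports rather than from paperwork. The script below is an added example written for this page, not a DHHS, PMO or DIRM tool: the HR termination list, directory export, access lists, token register and authentication log lines it reads are constructed inline, and their field layouts are assumptions. It reports each step that still appears open, and treats a login event dated after a termination as a separate finding, since that is the "monitoring log in success/failure" discrepancy the Training requirement asks users to report.

```python
"""Termination-procedure audit: added example for this page, not a DHHS or
PMO tool.  Cross-checks a constructed HR termination list against
constructed exports of user accounts, access lists, issued tokens and
login events, and reports which termination steps still look open."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR export: user id -> termination date.
TERMINATIONS = {
    "jdoe": date(2002, 2, 15),
    "asmith": date(2002, 3, 1),
    "bwong": date(2002, 1, 10),
}

# Constructed directory export: user id -> account state.
ACCOUNTS = {
    "jdoe": {"enabled": True},
    "asmith": {"enabled": False},
    "bwong": {"enabled": True},
    "ckim": {"enabled": True},  # still employed; must never be flagged
}

# Constructed access-list export: list name -> members.
ACCESS_LISTS = {
    "claims-db-readers": {"jdoe", "ckim"},
    "mainframe-ops": {"asmith", "ckim"},
}

# Constructed token/badge register: user id -> token still issued.
ISSUED_TOKENS = {"asmith": "TOKEN-0042", "ckim": "TOKEN-0107"}

# Constructed authentication log, one event per line: "<timestamp> <user> <result>".
LOGIN_LOG = """\
2002-02-14T17:55:02 jdoe success
2002-02-20T08:03:41 jdoe success
2002-03-04T09:12:00 asmith failure
2002-03-05T10:00:00 ckim success
"""


@dataclass
class Finding:
    user: str
    issue: str
    detail: str = ""


def find_incomplete_terminations(terminations, accounts, access_lists,
                                 tokens, login_log, today=date(2002, 3, 6)):
    """Return one Finding per termination step that still appears open.

    A login event dated after the termination date is reported as well:
    it means an account that should have been removed was used (or an
    attempt was made), which is an incident to report, not just a gap."""
    findings = []
    for user, term_date in terminations.items():
        if term_date > today:
            continue  # future-dated termination: nothing expected yet
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            findings.append(Finding(user, "account-still-enabled"))
        for name, members in access_lists.items():
            if user in members:
                findings.append(Finding(user, "still-on-access-list", name))
        if user in tokens:
            findings.append(Finding(user, "token-not-returned", tokens[user]))
        for line in login_log.splitlines():
            ts, who, result = line.split()
            if who == user and datetime.fromisoformat(ts).date() > term_date:
                findings.append(Finding(user, f"login-{result}-after-termination", ts))
    return findings


if __name__ == "__main__":
    for f in find_incomplete_terminations(TERMINATIONS, ACCOUNTS, ACCESS_LISTS,
                                          ISSUED_TOKENS, LOGIN_LOG):
        print(f"{f.user:8} {f.issue:32} {f.detail}")
```

Run against real exports, the same check becomes a periodic internal audit control: the HR feed is the source of truth, and every other system is reconciled against it rather than trusting that the termination checklist was completed.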

Administrative Procedures (142.308a) continued

Requirements and their implementation features:
• Training: awareness training; periodic security reminders; user education concerning virus protection; user education in the importance of monitoring log in success/failure, and how to report discrepancies; user education in password management
• Formal Mechanism for Processing Records

Physical Safeguards (142.308b)

The protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion.

The use of locks, keys, and administrative measures used to control access to computer systems and facilities.

Examples:
• Assigned Security Responsibility
• Media Controls
• Physical Access Controls

Physical Safeguards (142.308b) continued

Requirements and their implementation features:
• Media Controls: accountability; data backup; data storage; disposal
• Physical Access Controls: disaster recovery; emergency mode operation; equipment control; facility security plan; procedures for verifying access authorizations prior to physical access; maintenance records; need-to-know procedures for personnel access; sign-in for visitors and escort, if appropriate; testing and revision
• Assigned Security Responsibility; Policy/guideline on work station use; Secure work station location; Security Awareness Training: implementation features none stated

Technical Security Services (142.308c)

Processes that are put in place to:
• protect information
• control individual access to information

Examples:
• Access Control
• Audit Controls
• Data Authentication
• Entity Authentication

Technical Security Services (142.308c) continued

Requirements and their implementation features:
• Access Control: context-based access; encryption; procedure for emergency access; role-based access; user-based access
• Audit Controls
• Authorization Control: role-based access; user-based access
• Data Authentication
• Entity Authentication: automatic logoff; biometric; password; PIN; telephone callback; token; unique user identification

Technical Security Mechanisms (142.308d)

Processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network.

Examples:
• Integrity Controls
• Message Authentication
• Encryption
• Audit Trail

Technical Security Mechanisms (142.308d) continued

Requirements and their implementation features:
• Communications/Network controls: access control; alarm; audit trail; encryption; entity authentication; event reporting; integrity controls; message authentication

Electronic Signature (142.310)

The use of Electronic Signature is not required.

If used, the same legal weight associated with an original signature on a paper document will be needed for electronic data.

Use of an electronic signature refers to the act of attaching a signature by electronic means.

Digital Signature

Note: The Electronic Signature standard may be pulled from the final Security Regulation and published at a later time.

Electronic Signature (142.310) continued

Requirements and their implementation features:
• Digital Signature: ability to add attribute; continuity of signature capability; countersignatures; independent verifiability; interoperability; message integrity; multiple signatures; nonrepudiation; transportability; user authentication

Privacy & Security, the common link

• 164.530(c) - Safeguards: Administrative; Technical; Physical
• 164.506 - 164.514 - Use and Disclosure: Consent; Authorization; Minimum Necessary

Non-Compliance Penalties

Financial penalties for failure to comply:
• Section 1176 of the Act establishes a civil monetary penalty for violation: $100 per occurrence, $25k max a year
• Section 1177 of the Act establishes penalties for knowing misuse of unique health identifiers and individually identifiable health information:
  - Not more than $50,000 and/or imprisonment of not more than one year.
  - Misuse "under false pretenses": a fine of not more than $100,000 and/or imprisonment of not more than five years.
  - Misuse with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm: a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

How will you be affected?

• Ensure that all business practices are aligned with the HIPAA Security Standard
• Ensure, or if necessary develop, policies and procedures that adequately cover all aspects of the HIPAA Security Standard
• Ensure the technical environment is secure and protects health information
• Ensure applications that store or transmit health information meet the requirements of the HIPAA Security Standard
• Develop security management practice

Critical Steps

• Organizational Awareness
• Conduct Baseline Assessment
• Conduct Risk Assessment
• Prioritize Risks and Make Risk Management Decisions
• Develop and Revise Security P&Ps
• Implement Security Program
• Implement Maintenance Program

Security Compliance Project Approach

Phases:
• Understanding HIPAA
• Baselining the Organization
• Planning Compliance Strategies
• Remediating the Organization
• Validating Compliance
• Maintaining Compliance

Project timeline, 2001 through 2005*:
• Regulation review (Jan. 2002 - Dec. 2004)
• Legal review (Nov. 2001 - Apr. 2002)
• Core training (Nov. 2001 - Mar. 2002)
• Covered entities determination (Nov. 2001 - May 2002)
• Assessment methodology (Aug. 2001 - Apr. 2002)
• Pre-assessment inventory (Dec. 2001 - Apr. 2002)
• Discover & inventory network environment (July 2001 - May 2002)
• Technical Assessment (Apr. 2002 - Dec. 2002)
• Administrative Assessment (Apr. 2002 - Dec. 2002)
• Division risk analysis (Apr. 2002 - Feb. 2003)
• Potential Enterprise-level solutions (May 2002 - Feb. 2003)
• Remediation guidelines (Jan. 2003 - Mar. 2003)
• Enterprise remediation (Sept. 2002 - Oct. 2004)
• Intermediate training (Feb. 2003 - Apr. 2003)
• Division remediation (Jan. 2003 - Dec. 2004)
• Security officer training (Jan. 2003 - Jun. 2003)
• Self-validation (Jan. 2003 - Dec. 2004)

* This assumes that the Final Security Regulations will be published by 12-31-02.

Establishing a Security Baseline

• What security capabilities are in place today?
• What additional security will be needed to comply with the HIPAA regulations?

Assessment Phases

Phase 1 - Pre-Assessment

Determine conflicting and existing laws
• Collect information from covered components as well as through independent research conducted by the PMO Security Team.
• Analyze existing laws and compare to HIPAA Security Standards to determine the more stringent requirements.

Inventory security policy and procedures
• A Security Policy and Procedure Matrix has been sent to the HIPAA Coordinators for completion.
• The PMO will analyze the completed matrix and accompanying policies and procedures against a list of HIPAA requirements to determine where gaps may exist.
• The analysis results will provide preliminary information for the on-site interview and will be incorporated into the overall assessment report.

Assessment Phases (cont.)

Identify ITS and DHHS Information Technology Efforts
• An interview will be conducted that will determine what current and future security projects are under development or consideration.
• Enterprise-Wide Technical Solutions
• Enterprise-Wide Administrative Solutions

[Network diagram: Router; Local LAN; Dial In/Out; Leased Lines; WAN (State Network); Connections to External Partners; File & Print Services; SUN; Mainframe; Database; Web Services; Internet]

Network Discovery

The HIPAA Security effort will require a detailed discovery & documentation of the DHHS network infrastructure.

What are we trying to discover?

• Data at Rest

• Data in Motion

Network Discovery, how will it be performed?

Utilizing “network discovery” software from a central location, NWS will identify network devices and categorize by division & facility.

A comparison of discovery results with all existing network inventory information will be made. For example, Y2K data and Asset Insight inventory information.

All results will be documented in a secure database to be used for further HIPAA initiatives.

A comprehensive network diagram will be developed. Upon completion, IT personnel at each facility will be contacted to verify discovery results and collect additional information as required. In some cases, site visits may be needed.
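The discovery step above produces a list of devices that then has to be categorized by division and facility and compared with existing inventory records (the Y2K and Asset Insight data the slide mentions). The script below is an added example written for this page, not NWS's discovery software or its database: the discovery output lines, the subnet-to-division allocation and the inventory export are all constructed inline, and the field layouts, division names and MAC-keyed inventory are assumptions. It assigns each discovered address to a division by subnet, then reports devices that were discovered but are not in inventory, inventory records that discovery did not find, and addresses that fall outside any allocated subnet, which are the three lists the facility IT contacts would be asked to verify.

```python
"""Network discovery reconciliation: added example for this page, not NWS's
tool or data.  Classifies constructed discovery output by subnet and
compares it with a constructed asset-inventory export."""
import ipaddress
from collections import defaultdict

# Constructed subnet allocation: network -> (division, facility).
SUBNETS = {
    ipaddress.ip_network("10.10.0.0/24"): ("Public Health", "Raleigh Central"),
    ipaddress.ip_network("10.20.0.0/24"): ("Medical Assistance", "Raleigh Annex"),
    ipaddress.ip_network("10.30.0.0/24"): ("Mental Health", "Butner"),
}

# Constructed discovery output, one device per line: ip mac hostname type
# ("-" means the discovery tool could not resolve a hostname).
DISCOVERY_OUTPUT = """\
10.10.0.1   00:11:22:33:44:01 rtr-phc-01  router
10.10.0.25  00:11:22:33:44:02 fps-phc-01  file_print
10.20.0.7   00:11:22:33:44:03 db-dma-01   database
10.20.0.9   00:11:22:33:44:04 -           unknown
10.30.0.3   00:11:22:33:44:05 web-mh-01   web
192.168.5.4 00:11:22:33:44:06 lab-box     unknown
"""

# Constructed inventory export keyed by MAC address (hostnames and
# addresses drift; the MAC is the most stable identifier discovery sees).
INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "rtr-phc-01", "division": "Public Health"},
    "00:11:22:33:44:02": {"hostname": "fps-phc-01", "division": "Public Health"},
    "00:11:22:33:44:03": {"hostname": "db-dma-01", "division": "Medical Assistance"},
    "00:11:22:33:44:05": {"hostname": "web-mh-01", "division": "Mental Health"},
    "00:11:22:33:44:99": {"hostname": "mf-dma-01", "division": "Medical Assistance"},
}


def parse_discovery(text):
    """Parse the constructed whitespace-separated discovery output."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname, dev_type = line.split()
        devices.append({"ip": ip, "mac": mac.lower(),
                        "hostname": None if hostname == "-" else hostname,
                        "type": dev_type})
    return devices


def locate(ip):
    """Map an address (string) to (division, facility) via the subnet allocation."""
    addr = ipaddress.ip_address(ip)
    for net, (division, facility) in SUBNETS.items():
        if addr in net:
            return division, facility
    return None, None


def reconcile(discovered, inventory):
    """Compare discovered devices with the inventory and group by division."""
    report = {
        "unknown_devices": [],     # discovered, but no inventory record
        "unallocated_subnet": [],  # discovered outside any allocated subnet
        "not_discovered": [],      # inventoried, but discovery never saw it
        "by_division": defaultdict(list),
    }
    seen = set()
    for d in discovered:
        division, facility = locate(d["ip"])
        d["division"], d["facility"] = division, facility
        seen.add(d["mac"])
        if division is None:
            report["unallocated_subnet"].append(d["ip"])
        else:
            report["by_division"][division].append(d["ip"])
        if d["mac"] not in inventory:
            report["unknown_devices"].append(d["ip"])
    for mac, rec in inventory.items():
        if mac not in seen:
            report["not_discovered"].append(rec["hostname"])
    return report


if __name__ == "__main__":
    result = reconcile(parse_discovery(DISCOVERY_OUTPUT), INVENTORY)
    for key in ("unknown_devices", "unallocated_subnet", "not_discovered"):
        print(f"{key}: {result[key]}")
    for division, ips in result["by_division"].items():
        print(f"{division}: {len(ips)} device(s)")
```

Keying the comparison on MAC rather than hostname is a deliberate choice: an unresolved hostname (the "-" entry) still reconciles, and a device that was re-addressed since the last inventory is not double-counted. Each list in the report is a question for the facility contact, not a conclusion: an "unknown device" may be a legitimate new system missing from inventory, and a "not discovered" record may be a retired host or one that blocks the discovery probe.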

Data Collection

Phase 2 - Assessment

Technical data collection (remote)
• Vulnerability scanning entails scanning systems and determining vulnerabilities that exist within the network devices.
• The configuration data will allow for individualized analysis of systems and devices to determine their current level of security.

Administrative data collection (on-site interviews)
• This includes information relating to security processes, audit controls, physical environment, security management, and regulation compliance measurements.

Assessment Completion

Phase 3 - Post Assessment
• Evaluate Data: Vulnerability Report; Gap Analysis; Risk Assessment
• Develop Remediation Guidelines: Enterprise Level; Facility Specific

HCC's Role in Assessment Process

• Complete matrices and questionnaires: Policy and procedure matrix; Pre-assessment questionnaire
• Provide appropriate personnel to participate in on-site interviews
• Provide appropriate technical personnel to provide information regarding network discovery and assessment activities

Deliverables

• Assessment Report (includes): Vulnerability Report; Gap Analysis; Risk Assessment
• Remediation Guidelines

Why Start Now?

• 6-12 months for initial awareness, baseline assessment, and gap analysis
• 6 months for risk assessment and risk management decisions
• 6-12 months for policy, process, architecture development, and product selection
• 6-12 months for implementation, testing, and training

Questions?

[email protected]@ncmail.net