HIPAA Security Rule

1
HIPAA Security Rule

• November 16th, 2004
• ISSA/ISC² Secure SD Security Conference, San
  Diego, CA
• Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA,
  SSCP, TICSA, CCSA,
• Security
• Lead Consultant (Southern California)
• Verisign Global Security Consulting

2
VeriSign

• Publicly Traded Company
• gt 3000 Employees
• 1 Billion in Revenues
• Operate critical DNS Infrastructure that enables
  over 10B transactions/Day
• Secure the information assets of over 400,000
  websites and 1,000 large enterprises
• Largest SS7 Telecommunications network 2
  Billion messages per day
• 2.8B SS7 signals/day
• Enable over 1,000 carriers to interconnect
• Support over 30 of North American e-commerce
• Over 100 Million E-Commerce Payment Transactions
  Per Quarter
• Largest MSSP with over 3000 devices under
  management

3
Drivers behind HIPAA

• Efficiency and interoperability between payers,
  providers, clearinghouses (covered entities)
• Patients Bill of Rights
• Enhanced medical record privacy
• Enhanced medical record security

4
Medical Mistakes kill 98,000/year in the USA
5
Data valuation whats gone wrong in healthcare?

• What is your medical record worth to you?
• How much do you trust your healthcare provider to
  keep your medical record private secure?
• How many of your friends or neighbors work in a
  healthcare organization?
• How many of your enemies?
• We spend billions protecting financial
  information, what about health information?

6
(No Transcript)
7
Do I need to comply?

• The security rule applies to all IIHI
  (individually identifiable health information) in
  electronic form
• ePHI (electronic Protected Health Information)
  that is stored and/or transmitted is covered
• Health information on paper or divulged orally is
  not covered!
• The rule is intended to set a minimum level of
  security for covered entities
• Covered entities and business associates (through
  a chain of trust agreement) of those entities are
  required to comply

8
Whats the business / security value-add?

• Increased level of confidence from your customers
• Expansion into healthcare markets for
  non-healthcare centric services (e.g. managed
  security services)
• Integration of sound security practices to
  fulfill HIPAA requirements (e.g. standardized
  risk assessment methodology, quantifiable
  security metrics for measuring process
  improvement)
• Covered entities MUST comply, of course!

9
Nuts and bolts of the rule

• Covered entities are required to
• Assess potential risks and vulnerabilities
• Protect against threats to information security
  or integrity, and against unauthorized use or
  disclosure
• Implement and maintain security measures that are
  appropriate to their needs, capabilities and
  circumstances
• Ensure compliance with these safeguards by all
  staff

10
How is the rule structured?

• The rule is broken into three sections
  administrative safeguards, technical safeguards
  and physical safeguards
• There are 18 standards that encompass the 3 types
  of safeguards
• Almost every standard has several implementation
  specifications that are specific requirements
  within the standard
• Each implementation specification is either
  required or addressable

11
Required vs. Addressable

• Required
• Implementation Specification must be met by
  Covered Entity. Most of the required
  Implementation Specifications scale to meet
  covered entity requirements, large or small

• Addressable
• Implementation Specification may not always be
  appropriate and scale to different covered
  entity sizes. A risk assessment must be performed
  by the covered entity to surmise what controls
  are feasible to implement

12
Administrative safeguards

• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness Training
• Security Incident Procedures
• Contingency Planning
• Evaluation
• Business Associate Contracts Other Arrangements

• Information Security Program
• Assigning responsibility (CSO / CISO)
• Acceptable Use of Computing Resources for staff
• Access Control (AAA)
• Training and Education
• Incident Response
• Disaster Recovery / Business Resumption Planning
• Risk Assessment and quantifiable measurement
• Contracts

13
Physical Safeguards

• Facility Access Controls
• Workstation Use
• Workstation Security
• Device Media Controls

• Physical security of information processing
  facilities
• Acceptable Use control of access to
  workstations
• Physical Security of assets (each separate device
  type is classified as a workstation)
• Computer Operations 101 (tape labeling and
  archiving, tape rotation, back-up logs kept up to
  date, control of removable media containing ePHI)

14
Technical Safeguards

• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

• Unique User ID, Emergency Access, Automatic
  Logoff
• Activity review (application operating system)
• Verifying data integrity (at rest and in transit)
• Robust authentication strategy (two-factor)
• Safeguarding ePHI in transmission (encryption)
  and verifying integrity (digital signatures)

15
FAILING TO PREPARE IS PREPARING TO FAIL
16
Maximizing investment on compliance

• Perform regular security assessments on critical
  assets that contain or may participate in the
  transmission or storage of ePHI (consider an
  annual third party assessment to free internal
  resources up for remediation)
• Make sure you are effective where the rubber
  meets the road does a procedure that a
  particular business unit performs actually match
  whats documented as far as step by step actions?
  What is the variance?
• Outsource routine Information Security tasks to
  free up resources - constant Intrusion Detection
  alerts and System Activity Review may cost you
  more in labor to tune and monitor 24x7 in a month
  than an MSSP may charge for a year contract

17
What are the pitfalls to avoid?

• The HIPAA Security rule contains a great deal of
  documentation requirements, but dont just focus
  on documentation!
• Dont make mountains out of molehills
• Dont wait until the 11th hour to ask for money
  (especially for awareness and training
  requirements)
• Dont attempt to achieve compliance without a
  plan (decentralized workgroups work very well)
• Not leveraging your resources and skill-sets is a
  recipe for disaster

18
Compliance Tips

• Establish a formal security program with a
  designated security officer
• Establish a standardized risk assessment strategy
  to prioritize work
• Implement a security program mapped to best
  practice security standards, not to a specific
  regulation
• Make use of community standard guidelines to
  make sure youre keeping pace with other
  providers
• Collaborate with other providers on how you
  develop strategies to address the HIPAA Security
  Rule

19
Reading Room

• NIST DRAFT SP 800-66 An Introductory Guide for
  implementing the Health Insurance Portability and
  Accountability Act (HIPAA) Security Rule
  http//csrc.nist.gov/publications/drafts/DRAFT-sp8
  00-66.pdf
• Health Insurance Portability and Accountability
  Act (HIPAA) Home Page
• http//www.hhs.gov/ocr/hipaa/
• Health Hippo
• http//hippo.findlaw.com/hipaa.html

20
Questions Answers
VeriSign Security Services