
Upload: arron-washington

Post on 26-Dec-2015


Page 1: Risk vs. Access

Page 2: Risk vs. Access

Tightest Security (not useful)
› Write-only databases
› Passwords too complex to remember

Weakest Security (not protected)
› No logins or passwords
› Systems available to the public
› Full privileges for all!

Page 3: Risk Assessment and Risk Management

Risk Assessment
› Identify critical systems and data
› Determine the threats
› Analyze the risks
› Assess the impact of the threats
› Question: Do you think the risks in healthcare are similar to other industries?

Risk Management
› Take pro-active measures to reduce risk
› Make policy decisions
› Have a mitigation plan for security incidents

Page 4: HIPAA

› Governs health care “covered” entities and now Business Associates as well
› Requires certain levels of security and documentation
› Strong emphasis on control processes and audits
› Few technical “rules” or methods

HIPAA Security covers:
› Administrative Safeguards
› Physical Safeguards
› Technical Safeguards

Page 5: Administrative and Physical Safeguards

Administrative Safeguards
› Risk analysis and management
› Workforce (user) management
› Security awareness training
› Contingency planning

Physical Safeguards
› Facility access
› Workstation use and security
› Device and media controls

Page 6: Technical Safeguards

Technical Safeguards
› Unique user IDs
› Automatic log-off
› Encryption
› Auditing
› Data integrity controls

Page 7: HIPAA Final Rules

Effective January 25, 2013, but compliance with most of the rules was not required until September 23, 2013. For Business Associate and Data Use agreements the date is September 23, 2014 unless they are updated in the interim.

Breach Notification
› HHS has eliminated the harm threshold, under which notice of a security breach was required only if the breach posed a significant risk of harm to affected individuals.

Business Associates
› Much of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors.

Enforcement and Penalties
› HHS has retained the high penalty structure currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per provision basis.

Page 8: HIPAA Final Rules (continued)

Privacy Requirements
› The final rules address multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient's care or payment for care, and disclosures of student immunization records.

Genetic Information
› To implement the Genetic Information Nondiscrimination Act, HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes.

Page 9: HIPAA is a “floor” for security

› HIPAA is a “floor” for security
› Most of the language in the regulation is very vague and open to interpretation
› Organizations must assess how to meet the requirements and addressable items
› The Department of Health and Human Services Office of Civil Rights has been performing audits of healthcare organizations since November 2011

Page 10: Four areas of security

› Physical Security
› System Security
› Application and Data Security
› Operational Security

Page 11: Physical Security

Protect computers, media and data

High risk areas:
› Computer room
› Network closets
› Telephone closets

Facility Security
› Keys, lighting, keypad locks, etc.
› Visitor control

Page 12: System Security

Network
› Firewalls
› Intrusion Detection
› Network Monitoring
› Signature-based virus detection
› Controlling Internet access by proxy servers (outbound) and creating a DMZ (inbound)

Servers
› Software firewalls
› Virus protection
› Limiting system administrators
› Controlling vendor access

Page 13: System Security (continued)

Workstations
› Physical location
› Virus protection
› Spyware/Malware
› Software firewalls
› Limiting elevated privileges
› Question: How much more likely are systems to be infected when users have elevated privileges?

PDAs and Smart Phones
› Known as the BYOD (Bring Your Own Device) issue
› Really are workstations

Page 14: Authentication

Authentication
› Effective user authentication and passwords
  ♦ Password complexity increases greatly with additional characters or length
› Two factor vs. single factor authentication
  ♦ Single factor: Something you know (password) or something you have (key)
  ♦ Two factor: Something you know plus something you have (ATM card plus PIN)
› Biometrics
  ♦ Such as fingerprint, retinal scan, voice matching, etc.
  ♦ A characteristic of someone, which is really something you “have”
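The two-factor idea on this slide as an added example, not code from the deck or from FAHC: the password is the factor you know, and an RFC 4226 HOTP code stands in for the factor you have (the token in your pocket). The PBKDF2 work factor and the counter lookahead window are assumed values.

```python
"""Two-factor check: something you know (password) plus something you have
(an HOTP token, RFC 4226). Added example, standard library only; the work
factor and lookahead window are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Factor 1 (something you know); constant-time compare avoids timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: the code a hardware or phone token shows for this counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_token(secret, counter, code, window=3):
    """Factor 2 (something you have). Accepts the next `window` counters so a
    token pressed without logging in does not desynchronise; returns the
    counter to persist next, or None. Persisting it is what blocks replay."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def two_factor_login(password, salt, digest, secret, counter, code):
    """Both factors must pass: a stolen password alone does not log in.
    Both are evaluated before answering so the reply does not reveal which failed."""
    pw_ok = verify_password(password, salt, digest)
    new_counter = verify_token(secret, counter, code)
    if not pw_ok or new_counter is None:
        return False, counter
    return True, new_counter
```

The `hotp` values for the RFC 4226 test secret (`12345678901234567890`) match the vectors in the RFC's appendix, which is the check to run before trusting any HOTP implementation.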

Page 15: Authentication (continued)

› Deterministic vs. Probabilistic
  ♦ Deterministic – Can be determined to be true with mathematical certainty
  ♦ Probabilistic – Likely to be true using probability
  ♦ Question: Biometrics are? Passwords are?
  ♦ Question: What is the best security?
› Single sign-on
  ♦ Single user authentication which then allows for immediate access to other applications
  ♦ Applications must either cooperate on security or “connectors” must be written

Page 16: System Parameters; User Roles and Privileges

System Parameters
› Automatic timeout
› Application lockout after x login attempts
› Audit capabilities

User Roles and Privileges
› Ability to view, add, modify or delete data
› Question: Which privilege requires the most scrutiny?
› Privileges
  ♦ Restrict access to certain functions
  ♦ Restrict access to certain data sets
› System administration
  ♦ Update dictionaries
  ♦ Manage security
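The three system parameters above (lockout after x attempts, automatic timeout, audit capability) in one small access-control component, as an added example that is not from the deck or FAHC. The thresholds, the in-memory stores and the audit line format are assumptions.

```python
"""Lockout after x failed logins, automatic idle log-off, and an audit trail.
Added example; thresholds and the in-memory stores are assumptions."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ATTEMPTS = 5           # "x" failed logins before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked (assumed)
IDLE_TIMEOUT = 10 * 60     # automatic log-off after this much inactivity (assumed)


@dataclass
class Account:
    failures: int = 0
    locked_until: float = 0.0              # epoch seconds; 0 = not locked
    last_activity: Optional[float] = None  # None = no open session


@dataclass
class AccessControl:
    credentials: Dict[str, str]  # user -> secret; a real system stores a salted hash
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # every decision is recorded

    def login(self, user: str, password: str, now: float) -> bool:
        acct = self.accounts.setdefault(user, Account())
        if now < acct.locked_until:
            self.audit.append(f"{now:.0f} LOGIN_DENIED_LOCKED user={user}")
            return False
        expected = self.credentials.get(user, "")
        if user not in self.credentials or not hmac.compare_digest(expected, password):
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:  # lock the account, not the client address
                acct.locked_until = now + LOCKOUT_SECONDS
                self.audit.append(f"{now:.0f} ACCOUNT_LOCKED user={user}")
            else:
                self.audit.append(f"{now:.0f} LOGIN_FAILED user={user} n={acct.failures}")
            return False
        acct.failures, acct.last_activity = 0, now  # success resets the counter
        self.audit.append(f"{now:.0f} LOGIN_OK user={user}")
        return True

    def touch(self, user: str, now: float) -> bool:
        """Call on every request; False means no session or automatic log-off."""
        acct = self.accounts.setdefault(user, Account())
        if acct.last_activity is not None and now - acct.last_activity <= IDLE_TIMEOUT:
            acct.last_activity = now
            return True
        if acct.last_activity is not None:
            self.audit.append(f"{now:.0f} AUTO_LOGOFF user={user}")
        acct.last_activity = None
        return False
```

Note that a correct password is still refused while the lockout is in force, and that the audit list is what an auditor would read to reconstruct who was locked out and when.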

Page 17: Security Management

› Centralized vs. Decentralized?
› Depends on the application

Best Practice: Centralized control with decentralized authorization

Page 18: Encryption

› Early cryptography led to the development of computers!
› WWII Era
  ♦ German Enigma
  ♦ Bombe
  ♦ Turing Machine
  ♦ Colossus
› Depends on algorithms (ciphers) and keys (string of bytes)
  ♦ Ciphers: Triple DES, AES, etc.
  ♦ Keys: Size in bits

Page 19: Encryption (continued)

› Symmetrical vs. Asymmetrical Keys
  ♦ Symmetric: The encrypting key is also used for decrypting
  ♦ Asymmetrical: A key pair is created, one key for encryption and another for decryption
› Public Key Infrastructure (PKI)
  ♦ Third parties that issue public-private key pairs and publish the public keys
  ♦ Public keys are used to encrypt and private keys to decrypt messages
› At Rest vs. In Transit
  ♦ Password protecting a file = At rest
  ♦ Secure web site transactions (SSL) = In transit
  ♦ Question: How many credit card numbers have been stolen from SSL protected sites while in transit?

Page 20: Policies and Procedures; Risk Assessment

Policies and Procedures
› Foundation for good security practice
› Clearly states organizational guidelines
› FAHC has several security policies
  ♦ Security Standards
  ♦ Remote Access
  ♦ HIPAA Security Compliance
  ♦ Workstation Use and Security
  ♦ Backup and Disaster Recovery
  ♦ Audit and Review
  ♦ Risk Analysis and Management

Risk Assessment
› Think like the “enemy”
› Identify critical information or systems
› Analyze threats
› Analyze vulnerabilities
› Assess risk
› Apply countermeasures

Page 21: Personnel Security

› One of the highest threats
› Question: Why?
› Background checks
› Security awareness & training
› Auditing and monitoring capabilities

Page 22: Balancing risk vs. ease of use

Physical Security – Lock it up!

System Security
› Gets most of the attention
› Most technical

Application & Data Security
› Authentication
  ♦ Single factor vs. Two factor
  ♦ Deterministic vs. Probabilistic
› Managing User Roles and Privileges
› Cryptography

Operational Security
› Policies
› Risk Assessments
› Personnel

Page 23: QUESTIONS?