First HIPAA Privacy-Security Officer · 2011-08-25


© 2010-11 Clearwater Compliance LLC | All Rights Reserved


"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."

- Hippocratic Oath, 4th Century, B.C.E.

Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance

…Welcome to … First HIPAA Privacy-Security Officer WEBINAR

How to Implement Reasonable and Appropriate Controls in Your Organization

Today’s Presenters

Bob Chaput, Clearwater Compliance LLC, 615-656-4299 or 800-704-3394, bob.chaput@ClearwaterCompliance.com

Pete Niner, Techumen, LLC, 917-363-5892, pete@techumen.com

Our Passion

We’re excited about what we do because…

…we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!


Join Us! - HIPAA HITECH Blue Ribbon Panel™


• Industry Security, Privacy and Regulatory Experts

• Next Event: 9/8/2011, 5pm ET / 4pm CT / 2pm CT

About HIPAA-HITECH Compliance

1. We are not attorneys!

2. HIPAA and HITECH is dynamic!

3. Lots of different interpretations!

So there!


Reasonable and Appropriate

• Phrase “reasonable and appropriate” appears 11 times in the HIPAA Security Final Rule

• Describes:
  – Controls and Safeguards
  – Alternatives
  – Protection
  – Levels of risk
  – Security measures
  – Implementation Specifications
  – Policies and Procedures


The Challenge

• Providers must implement “reasonable and appropriate” controls around their management of ePHI.

• OCR has not defined what “reasonable and appropriate” controls are, or how to determine if a given set of controls is “reasonable and appropriate”.

• What is “reasonable and appropriate”?


Reasonable and Appropriate

• Kaiser has an information security staff of over 150.

• A recent client, a solo practice, didn’t have the administrative password to their network.

• Financial, technical, and organizational resources vary widely across entities

• Peer comparisons can be useful, but are not decisive


Start with a Risk Analysis

• Risk Analysis is a requirement for both HIPAA and Meaningful Use

• Should be updated annually

• High and low risks can be treated differently, if you’ve done your analysis

• Show your work!

A Good Risk Analysis

• Is quantitative

• Is objective

• Is up-to-date

• Follows NIST 800-30

• Is actionable, not theoretical

The Importance of Risk Acceptance

• Not all risks can or will be managed

• Even managed risks will not cease to exist

• Part of risk management is knowing what must be lived with, for various reasons

• The right level in the organization needs to make an informed decision

• Write this down!

Controls

Controls are mechanisms that either:

• Lower the likelihood of a risk occurring (Preventative),

• Lessen the impact of the risk’s occurring (Compensating), or

• Aid in realization that a risk has occurred or is occurring (Detective).

Control Types

• Technical: Anti-virus, firewall, encryption

• Operational: Procedures, Processes, Methods

• Managerial: Policies, Plans, and Standards

Safeguards and Standards

• HIPAA Security Rule identifies 18 safeguards and 42 implementation standards that covered entities should comply with

• “Addressable” does not mean “optional”

• The standards are prescriptive, not descriptive. CMS has stated there are many ways to meet them


The Outcome

• For each safeguard, a statement of how we meet it

• Some form of supporting evidence

• A risk-based rationale for each addressable safeguard we’re not implementing

• Greater understanding at a high organizational level of the risks that are accepted

The Safeguards


Safeguards and Standards

• Some are “yes/no” standards – designated security officer, contingency plan, physical safeguards – that we’ll skip over

• The more scalable standards are the ones we’re focusing on today

• If you’ve had incidents in the past, this should be reflected in your risk assessment and the corresponding safeguard strengthened


Administrative Safeguards


Security Management Process

Risk management (R): The organization must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Your operational history will show whether risks have been reduced enough: if no incidents occur, you can show attacks that were stopped, and you can demonstrate control effectiveness, that is a strong case.

164.308 (a)(1)(i)


Security Management Process

Information system activity review (R): The organization must implement procedures to regularly review records of information system activity (for example, audit logs, access reports and security incident tracking reports).

• How often do you review?

• How many entities do you review?

• How many actions do you review?

• How manual is your review?

Workforce Security

Authorization and/or supervision (A): The organization must implement procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed.

Employees are typically supervised; the second clause is not a problem

Authorization can be at an individual level, a role level, at a facility level, or an organizational level

Have a plan, document actions, and stick to it


Workforce Security

Workforce clearance procedures (A): The organization must implement procedures to determine that an employee’s access to EPHI is appropriate.

The authorization plan can suffice; be sure to review it annually

Access reviews of certain applications can be performed periodically

Keep a record! (This applies to all safeguards)


Workforce Security

Termination procedures (A): The organization must implement procedures for terminating access to EPHI when employment ends or it is determined that access is no longer necessary.

Some merely turn off remote access and the main authentication store (AD)

Coupled with a periodic access review (prior slide), this can work well

A better way is to have a checklist of applications to scrub when a person leaves

Using roles or another authorization plan makes removal easier
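As an added example (not code from the webinar or its presenters), the following script builds the termination checklist described above by comparing an HR roster against each application's account export; it also surfaces orphan accounts that a periodic access review should catch. The roster, the application names and the account lists are constructed sample data.

```python
# Added example: termination/access-review checklist built by comparing
# the HR roster against per-application account lists. All data below
# is constructed sample data, not from any real organisation.
from dataclasses import dataclass

# Constructed HR roster: user id -> (employment status, role)
ROSTER = {
    "jdoe": ("active", "nurse"),
    "asmith": ("terminated", "billing"),
    "rlee": ("active", "physician"),
}

# Constructed per-application account exports (app name -> set of user ids)
APP_ACCOUNTS = {
    "ehr": {"jdoe", "asmith", "rlee", "contractor7"},
    "billing": {"asmith", "jdoe"},
    "vpn": {"asmith", "rlee"},
    "ad": {"jdoe", "asmith", "rlee"},
}


@dataclass
class ScrubItem:
    app: str
    user: str
    reason: str


def build_scrub_checklist(roster, app_accounts):
    """Return one ScrubItem per (app, user) account that should be removed.

    Two reasons are flagged: the owner is marked terminated in the roster,
    or the account has no roster entry at all (an orphan that a periodic
    access review should catch and a named person must decide on).
    """
    items = []
    for app, users in sorted(app_accounts.items()):
        for user in sorted(users):
            entry = roster.get(user)
            if entry is None:
                items.append(ScrubItem(app, user, "no roster entry (orphan)"))
            elif entry[0] == "terminated":
                items.append(ScrubItem(app, user, "owner terminated"))
    return items


def apps_still_holding(items, user):
    """Applications where the given user still has an account (for the record)."""
    return sorted(i.app for i in items if i.user == user)


if __name__ == "__main__":
    for item in build_scrub_checklist(ROSTER, APP_ACCOUNTS):
        print(f"{item.app:8} {item.user:12} {item.reason}")
```

Keeping the generated list, together with the date each account was actually removed, is the record the slides ask for.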


Information Access Management

Access establishment and modification (A): The organization must implement policies and procedures that, based on its access authorization policies, establish, document, review and modify a user's right of access to a workstation, transaction, program, or process.

Not all procedures will be followed all the time. Emergencies and patient care must take precedence.

An Exception Policy, and register of exceptions granted, can help manage this risk


Security Awareness and Training

Security reminders (A): This requires periodic security updates to employees so that they understand their organization’s unique processes and procedures and their responsibilities under the law.

Security training should be part of NEO

Quarterly emails – brief – to keep some mindshare

Security refresher training as part of JCAHO or other regulated training

Base reminders on recent or relevant events – social engineering, “don’t share passwords”, what to do in an outage, e.g.

Security Awareness and Training

Protection from malicious software (A): The organization must have procedures for guarding against, detecting and reporting malicious software, such as viruses.

Antivirus needs to update at least daily

AV should scan USBs and other portable media

Security Awareness and Training

Login monitoring (A): This includes procedures for monitoring login attempts and reporting discrepancies.

Turn on authentication logging

Define a log retention period, rather than “when we run out of space”

Enable account lockouts on authentication failure, and tune until you get an acceptable rate

Centralize logging (with syslog or an SIEM) and script failure or suspicious activity alerts
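As an added example (not code from the webinar or its presenters), here is the kind of scripted alert the slide suggests once authentication logging is centralized: it parses OpenSSH-style syslog lines, counts failures per user inside a sliding window, and flags both the point where the lockout threshold is reached and a successful login that follows such a burst. The log lines, host names, addresses and the threshold are constructed sample data; the threshold and window are the knobs you tune to an acceptable rate.

```python
# Added example: failed-login alerting over centralized auth logs.
# Log lines and threshold are constructed sample data.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines in OpenSSH format (sample data)
SAMPLE_LOG = """\
Jan 10 08:00:01 ehr-app sshd[101]: Failed password for asmith from 10.1.2.3 port 50000 ssh2
Jan 10 08:00:05 ehr-app sshd[101]: Failed password for asmith from 10.1.2.3 port 50001 ssh2
Jan 10 08:00:09 ehr-app sshd[101]: Failed password for asmith from 10.1.2.3 port 50002 ssh2
Jan 10 08:00:12 ehr-app sshd[101]: Failed password for asmith from 10.1.2.3 port 50003 ssh2
Jan 10 08:00:15 ehr-app sshd[101]: Failed password for asmith from 10.1.2.3 port 50004 ssh2
Jan 10 08:00:20 ehr-app sshd[101]: Accepted password for asmith from 10.1.2.3 port 50005 ssh2
Jan 10 09:30:00 ehr-app sshd[102]: Failed password for jdoe from 10.1.2.9 port 50010 ssh2
Jan 10 10:30:00 ehr-app sshd[103]: Failed password for jdoe from 10.1.2.9 port 50011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text, year=2011):
    """Yield (timestamp, result, user, ip) for each line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_alerts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users reaching `threshold` failures inside `window`, and any
    success that follows such a burst (a guessed password, or an account
    that the lockout policy should have stopped)."""
    recent = defaultdict(list)  # user -> timestamps of failures still in window
    alerts = []
    for ts, result, user, ip in parse(log_text):
        fails = [t for t in recent[user] if ts - t <= window]
        if result == "Failed":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append((user, ip, "lockout threshold reached"))
        elif len(fails) >= threshold:
            alerts.append((user, ip, "success after failure burst"))
        recent[user] = fails
    return alerts
```

The two failures from jdoe an hour apart produce no alert, which is the point of the window: tune `threshold` and `window` until routine typos stop paging anyone.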


Security Awareness and Training

Password management (A): This requires procedures for creating, changing and safeguarding passwords.

Write down little-used passwords, seal in an envelope and sign it, and store in a safe place – ideally off-site

Every 90 days, change them and resign the envelope

Google “Password generator” for some useful utilities


Security Incident Procedures

Response and reporting (R): Organizations must identify and respond to suspected or known security incidents; mitigate, to the extent they can, harmful effects of security incidents that are known; and document security incidents and their outcomes.

Have an incident response plan. Include who will lead the response, what resources (organizational, technical, outside vendors) they will have, what information they need to determine, and a “Lessons Learned” session.


Evaluation

This standard requires the performance of a periodic technical and nontechnical evaluation to establish the extent to which an entity's security policies and procedures continue to meet the requirements of the law in response to environmental or operational changes affecting the security of EPHI.

Review your Risk Analysis annually. This can be done in-house or outsourced.

Document any changes or updates you decide to make to your security posture.


Physical Safeguards


Device and Media Controls

Disposal (R): Organizations must address the final disposition of EPHI or the hardware or electronic media on which it is stored.

DIY Options: Darik’s Boot and Nuke (DBAN) or KillDisk will wipe a drive clean.

Physical destruction is also acceptable

Third-party options such as Iron Mountain are expensive, but full-service

Keep a log!

Device and Media Controls

Media reuse (R): Organizations must implement procedures for removal of EPHI from electronic media before the media are made available for reuse.

Controls for disposition also apply to re-use.


Technical Safeguards


Access Control

Unique user identification (R): Unique names and/or numbers for identifying and tracking user identities must be assigned.

Preventing the sharing of passwords is a challenge. Disabling simultaneous logins, combined with frequent reminders, is a combination that seems to work.

Access Control

Automatic logoff (A): Electronic procedures that terminate an electronic session after a predetermined time of inactivity must be implemented.

Use both screen locking and idle session timeouts, where appropriate.

High-traffic areas: Screen locking

Remote access: Idle-session timeouts

Access Control

Encryption and decryption (A): Organizations must implement a mechanism to encrypt and decrypt EPHI.

Encrypt data in motion outside your network perimeter – including USB keys.

Data in motion inside your perimeter does not need to be encrypted, unless you’ve had problems in the past.

Encryption of data at rest in your data center is overkill, unless you’re in national security.


Integrity

Mechanism to authenticate electronic protected health information (A): Organizations must implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

It is reasonable and appropriate to rely on the built-in integrity checking of operating systems, applications, databases, and network protocols.

Validate your backups, however.


Person or Entity Authentication

This standard requires implementing procedures to verify that a person or entity seeking access to EPHI is the one claimed.

One, two, or three factor authentication?

Badges or keys to get into an office, plus a username/password, form two factors.

Remote access with RSA or other key fobs also offers two-factor.

Three factor (biometric) isn’t really needed, outside of national security.

Transmission Security

Integrity controls (A): Organizations must implement security measures to ensure that electronically transmitted EPHI is not improperly modified.

SSL or other encryption techniques perform integrity checking as part of the encryption process.


Why do a Security Assessment?

1. Prepare for Mandatory Audits

2. Build Solid Educational Foundation

3. Meet 45 CFR 164.308(a)(8) - Evaluation

4. Jump – Start Overall Security Compliance Program

5. Develop / Execute Preliminary Remediation Plan

6. Objective, Independent 3rd Party Audit

7. Demonstrate Good Faith Effort

Quick Demo

https://www.hipaasecurityassessment.com

Clearwater Security Assessment Tool Benefits

1. Serves as Assessment Wizard and Advisory Guide

2. Auto-creates Remediation Plan and Provides Management Tool

3. Dynamically Updates Executive Dashboard

4. Established Baseline Score for Progress Monitoring

5. Serves as “Living Compliance Manual”

6. Creates “Single Source of the Truth” and Document Repository

7. Establishes Step 1 in Roadmap to Compliance

http://HIPAASecurityAssessment.com

High Value – High Impact

HIPAA-HITECH Compliance WorkShop™

I. PREPARATION: A. Plan / Gather, B. Read Ahead, C. Complete QuickScreen™

II. ONSITE ASSESSMENT: A. Facilitate, B. Educate, C. Evaluate

III. WRITTEN REPORT: A. Findings, B. Observations, C. Recommendations

½ Day / ½ Day / 1 Day

AboutHIPAA.com Resources

“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:

1. http://AboutHIPAA.com/about-hipaa/resources/

2. http://AboutHIPAA.com/webinars/
