Legal Obligations
What is HIPAA?
Health Insurance Portability and Accountability Act
A comprehensive federal law passed in 1996 that institutes major medical reform
HIPAA’s main theme:
KEEP INDIVIDUALS’ HEALTH INFORMATION SECURE AND CONFIDENTIAL
HIPAA Structure
HIPAA
  Title I: Insurance Portability
  Title II: Administrative Simplification
    Security Rule
    Privacy Rule
    Other Standards
HIPAA Security Rule
Ensure:
Confidentiality (only the right people see it)
Integrity (the information is what it is supposed to be – it hasn’t been changed)
Availability (the information can be obtained when needed)
Covers what safeguards must be in place to protect health information from unauthorized access, alteration, deletion, or transmission.
Applies only to electronic health information
Compliance date: April 21, 2005
HIPAA Security Rule Provisions
Three types:
Administrative – relates primarily to policies, procedures and organizational practices
Physical – physical measures, policies and procedures to protect electronic information systems, buildings and equipment from natural, man-made and environmental hazards, and unauthorized access
Technical – relates to the processes that must be put in place to protect, control and monitor information access; mechanisms to be employed to guard data integrity, confidentiality and availability
HIPAA Privacy Rule
The Privacy Rule covers what patient health information is to be protected, the use and disclosures of this information, and what rights patients have with respect to their information
Rule applies to health information in any form (electronic or paper based)
Compliance date: April 14, 2003
Privacy Rule Provisions
Designation of a privacy officer
Privacy training for all employees
Reasonable safeguards to prevent intentional or incidental disclosure or misuse of PHI
Formal sanctions for employee violations
Provide individuals a “Notice of Privacy Practices” statement
Provide written authorization for the disclosure of any medical information
Cost of HIPAA Non-Compliance
Non-Compliance (Civil Penalty): $100 for each violation; maximum of $25,000 per year per incident
Unauthorized Disclosure or Misuse of Patient Information (Criminal Penalty): penalties up to $250,000; prison time up to 10 years
Penalties may apply to the individual violator but they may also apply to the organization or even to its officers
Costs of HIPAA Compliance
•The government made 5-year, “conservative” cost estimates of the privacy regulation alone at $3.8 BILLION
•The American Hospital Association estimates that hospitals alone may spend up to $20 BILLION over 5 years on information systems changes & upgrades
•In the long run, however, significant savings may be realized due to industry standardization, automation, and lower overhead
•For example, a PAPER-based claim costs $6.00 to $8.00 to process… The same claim in ELECTRONIC form costs $0.17 to process
Gramm-Leach-Bliley (GLB) Act
The GLB Act is a 1999 federal law which requires “financial institutions” to ensure the security and confidentiality of customer personal information
Financial institutions include mortgage lenders, loan brokers, financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors
Colleges and universities are considered financial institutions under the Act
Has two main provisions: the Privacy Rule and the Safeguards Rule
What is “Customer Information”?
Social security numbers
Bank account numbers
Credit card account numbers
Date and/or location of birth
Account balances; payment histories; credit ratings; income histories
Driver’s license information
ACH (Automated Clearing House) numbers
Tax return information
Safeguards Rule
The Safeguards Rule requires “financial institutions” to develop an information security program that includes these components:
Designate a Security Program Coordinator responsible for coordinating the program
Conduct a risk assessment to identify reasonably foreseeable security and privacy risks
Ensure that safeguards are employed to control the identified risks; regularly test and monitor the effectiveness of these safeguards
Objectives of the Safeguards Rule
1. to ensure the security and confidentiality of customer records and information.
2. to protect against any anticipated threats or hazards to the security or integrity of such records.
3. to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
GLB Safeguards
There are three types of safeguards that must be considered as part of the Safeguards Rule: Administrative, Physical, Technical
Administrative Safeguards
Reference checks for potential employees
Confidentiality agreements that include standards for handling customer information
Training employees on basic steps they must take to protect customer information
Assure employees are knowledgeable about applicable policies and expectations
Limit access to customer information to employees who have a business need to see it
Impose disciplinary measures where appropriate
Physical Safeguards
Locking rooms and file cabinets where customer information is kept
Using password-activated screensavers
Using strong passwords
Changing passwords periodically and not writing them down
Encrypting sensitive customer information transmitted electronically
Referring calls or requests for customer information to staff trained to respond to such requests
Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies
Technical Safeguards
Storing electronic customer information on a secure server that is accessible only with a password, or has other security protections, and is kept in a physically secure area
Avoiding storage of customer information on machines with an Internet connection
Maintaining secure backup media and securing archived data
Using anti-virus software that updates automatically
Obtaining and installing patches that resolve software vulnerabilities
Following written contingency plans to address breaches of safeguards
Maintaining up-to-date firewalls, particularly with broadband Internet access or where staff are allowed to connect to the network from home
Providing central management of security tools and keeping employees informed of security risks and breaches
FISMA
Federal Information Security Management Act
Title III of the Electronic Government Act of 2002
Applies to Federal Agencies, including government contractors
Purpose is to secure Information Infrastructure used in all of the Federal Agencies
FISMA Requirements for Federal Agencies
Plan for security
Ensure that appropriate officials are assigned security responsibility
Review periodically the security controls in their information systems
Annual security reporting to the Office of Management and Budget
Security awareness training
Follow guidelines issued by NIST for information security controls
FISMA Requirements continued
Report to Congress provides:
A summary of government-wide performance in the area of information technology security management
An analysis of government-wide weaknesses in information technology security practices, and
A plan of action to improve information technology security performance
FISMA Requirements continued
Report to Congress includes:
Certification and accreditation of systems
Security costs
Annual testing of system controls
Contingency planning
Implementation of security configuration requirement
FISMA Areas (diagram)
Areas:
IS Program Management (Strategic)
Information Security Operations
Policy & Compliance Mgmt
System Integration, Configuration, & Lifecycle Mgmt
Vulnerability, Certification & Accreditation Mgmt
Elements:
Patch Management
Standards, Baselines & Config
Security within System Lifecycle Management
Contractor Assessments
C&A Process Management
Risk Management
Document Management
Policy Management & Integration
Security Roles & Responsibilities
Congressional Reporting
Performance Measurements
Sec within CPIC (Funding)
ISSO Management
Contractor Compliance
Computer Incident Response Capability
Sec Awareness, Training, & Education
Critical Infrastructure Protection
Security Response (COOP)
Physical Security (IT)
Roles and Responsibilities for IT Security Management Team
Inspector General
Verify that security program elements exist
Validate Plan of Action & Milestones
Identify all known security weaknesses and ensure that a robust process exists for maintaining the POA&M
Agency Head
Held ultimately accountable for the protection of an agency’s systems
Expected to include security as part of strategic and operational planning
Assign CIOs compliance responsibility
Chief Information Officer
Designate a senior information security officer who reports directly to the CIO
Held accountable for the agency-wide security program
Develop and implement policies, procedures and controls
Report on progress quarterly to OMB
ISSO
Carry out responsibilities of the CIO
Security is the ISSO’s primary responsibility, not an “other duty as assigned”
Maintain professional qualifications
Program Officials and System Owners
Assess risk and test controls
Update system documentation
Ensure systems are certified and accredited
SOX IT Impact
If top executives are liable for the data they sign off on, they will make sure that data is accurate and protected:
Confidentiality: no one except financial officers, auditors, and executives should have access to it
Integrity: better make sure it hasn’t been tampered with, or else jail
Authentication, non-repudiation, etc.
Availability: obligated to disclose this data to the SEC and the Public Company Accounting Oversight Board (PCAOB) within 2 days
SOX IT Impact
Data retention policy and the mechanisms to implement it correctly: how do you collect and store all data relating to financial and audit reviews, reports, electronic and voice communications, and other documents that contain analysis, reports, or opinions that served as the basis in creating the financial and audit records?
With respect to confidentiality, integrity, and availability
SOX IT Impact
How do top executives know/ensure the data they sign was accurate to begin with?
Internal Controls: design, implement, and monitor complete, fast, reliable, and effective methods, mechanisms, and procedures to prevent, find, and correct inaccurate, incomplete, and/or fraudulent documents and activities within the company
SOX Impact
Smaller companies may be affected when trading with a larger SOX compliant company
SOX allegedly tends to increase quantity but not quality of financial reports.
Companies have to think twice before going public: some stay private.
Some private companies comply with SOX voluntarily as a measure of security and a show of industry competitiveness.
CEOs, CFOs, directors, and auditors are much more cautious and concerned.
Restored image of “greater corporate integrity” and “honest enterprise”
SOX: Guidance on Compliance
COSO (Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management Framework: www.erm.coso.org; assess control environment, determine objectives, prepare risk assessment, monitor controls
CobiT (Control Objectives for Information and related Technology): more at www.isaca.org/cobit.htm
ISO-17799: http://www.iso.ch/iso/en/prods-services/ISOstore/store.html
Information Systems Audit and Control Association (ISACA)
American Institute of Certified Public Accountants (AICPA)
USA PATRIOT Act: IT Sections
Title IX: Improved intelligence
Sec. 903. Sense of Congress on the establishment and maintenance of intelligence relationships to acquire information on terrorists and terrorist organizations.
Title X: Miscellaneous
Sec. 1003. Definition of ‘electronic surveillance’.
Sec. 1008. Feasibility study on use of biometric identifier scanning system with access to the FBI integrated automated fingerprint identification system at overseas consular posts and points of entry to the United States.
Sec. 1015. Expansion and reauthorization of the crime identification technology act for antiterrorism grants to States and localities.
California Security Breach Information Act (SB 1386)
SB 1386 effective July 1, 2003
Applies to any person or company “conducting business” with unencrypted computerized personal information on CA residents: first name or initial and last name, and one of the following: SSN, driver license, account/card number, code/password, other access-granting information
Must notify the people of the security breach publicly (reputations at stake), via mail (expensive), or via email (inexpensive, but comply with e-Sign Law)
“in the most expedient time possible, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
California Security Breach Information Act (SB 1386) (continued)
Intent: timely alert people about a possible occurrence of identity theft
Motivation: having to disclose breaches will push companies to review systems and policies in preparation to comply:
to improve their network/computer security
to reduce the amount of personal information stored
to use encryption to secure their data
to use intrusion detection/prevention software to respond timely
California Security Breach Information Act (SB 1386) (continued)
Impact:
Potentially high cost of compliance
Some companies are required to go public (ex. over 500,000 records)
Victims of violation of SB 1386 can/will/do take civil action
Think about 30,000 simultaneous cases against your company and the cost involved
Similar legislation may soon appear in other states and/or on the federal level: Notification of Risk to Personal Data Act (Senator Dianne Feinstein)
Gray areas:
Do CA companies notify non-CA residents?
Do out-of-state companies have to comply?
Law does not apply if data is encrypted, with no minimum strength requirement. What if they use the Caesar’s cipher?
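The “Caesar’s cipher” remark is the point worth seeing in code: because the statute sets no strength floor, a trivially reversible substitution still counts as “encryption”. The script below is an added example, not part of the original slides. It uses a constructed sample record (not real data) and a toy Caesar shift over the 95 printable ASCII characters (a generalization of the classic letters-only cipher), then recovers the record by trying every possible shift and keeping the candidate that contains an SSN-shaped field. The regex-based recognizer and all function names are assumptions made for this illustration.

```python
"""Added example: why an encryption safe harbor with no strength floor is hollow.

A Caesar shift is "encryption" in the everyday sense, yet its entire key
space is one small integer, so the protected data is read back by trying
every key. The record below is constructed for this illustration only.
"""
import re

# Alphabet for the toy cipher: the 95 printable ASCII characters.
PRINTABLE = "".join(chr(c) for c in range(32, 127))

# Constructed sample record (not real data) of the kind a breach might expose.
SAMPLE_RECORD = "DOE JOHN SSN 123-45-6789"

# Shape of a U.S. Social Security Number; used to spot the right decryption.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def caesar(text, shift):
    """Caesar shift over PRINTABLE; a negative shift decrypts.

    Assumes the input contains printable ASCII only.
    """
    n = len(PRINTABLE)
    return "".join(PRINTABLE[(PRINTABLE.index(ch) + shift) % n] for ch in text)


def key_space(ciphertext):
    """Every possible decryption: one candidate per shift, 95 in total."""
    return [(k, caesar(ciphertext, -k)) for k in range(len(PRINTABLE))]


def recover_ssns(ciphertext):
    """Map each shift whose candidate contains an SSN-shaped field to those fields.

    With a 95-symbol alphabet a shifted hyphen is no longer a hyphen, so for a
    record carrying one SSN only the true shift survives this filter.
    """
    hits = {}
    for k, candidate in key_space(ciphertext):
        found = SSN_RE.findall(candidate)
        if found:
            hits[k] = found
    return hits


def is_trivially_recoverable(ciphertext):
    """Auditor's view: "encrypted" data that one loop reads back is not protected."""
    return bool(recover_ssns(ciphertext))


if __name__ == "__main__":
    shift = 17  # the whole "key"; any value would do, there are only 95
    ciphertext = caesar(SAMPLE_RECORD, shift)
    print("stored:", ciphertext)
    for k, ssns in recover_ssns(ciphertext).items():
        print(f"shift {k}:", caesar(ciphertext, -k), "->", ssns)
    print("trivially recoverable:", is_trivially_recoverable(ciphertext))
```

Run as a script it prints the shifted record, the single shift that yields an SSN-shaped field, and the verdict. The lesson for a compliance reviewer is that “encrypted” on a checklist says nothing about the work an adversary needs; a 95-key search is the difference between a safe harbor on paper and real protection, which is why later breach statutes and industry standards tie the exemption to recognized algorithms and key management rather than to the word alone.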
Examples on SB 1386
ChoicePoint Inc. had a breach in October 2004
Company database contains 19 billion records
Personal records on 30,000+ consumers stolen by social engineering means
Names, SSNs, credit histories, criminal records, etc.
People outside CA are concerned they did not get the letter when they should have.
Examples on SB 1386
SAIC had a break-in in January 2005
Several desktops were stolen containing stockholders’ data
Names, SSNs, address, phone numbers, shares bought/sold/held
45,000 current and former employees affected
Other recent similar incidents (see references):
Bank of America lost tapes (records on 1 million customers)
LexisNexis break-in (records on 32,000 U.S. citizens)
Boston College (records on 120,000 alumni)
CSU Chico break-in (records on ~60,000 students/faculty)
Child Online Protection Act (COPA)
Purpose: “protecting children from harmful sexual material on the Internet”
COPA originally consists of two parts:
Children’s Online Privacy Protection Act (coming up)
COPA (partial restatement of a broader Communications Decency Act)
Concerns:
U.S. law enforceable only on U.S. companies
Law may violate adults’ freedom of speech
History:
1998: Child Online Protection Act is passed.
1998: Injunction blocking the law from enforcement is obtained.
1999: 3rd Circuit Court of Appeals struck the law down.
2002: Supreme Court finds the reasons for striking it down insufficient.
2003: 3rd Circuit Court of Appeals upheld the 2002 decision.
2004: Supreme Court upheld the finding that the law is unconstitutional (Ashcroft vs. American Civil Liberties Union).
Children’s Online Privacy Protection Act (COPPA)
U.S. legislation in effect since April 21, 2000
The law applies to children under the age of 13.
“Web site operator” must include a policy on how to obtain “verifiable” consent from a parent.
Outlines how the “Web site operator” must protect the safety and privacy of children online.
High cost of compliance.
Impact:
“Web site operators” choose to shut down or to stop providing child content and services rather than comply.
Practically very few cases for COPPA violations.
Example on legal liability
Currently open question of legal liability: “who is responsible for securing a consumer’s data – even on the consumer’s own computer”
Joe Lopez (Miami) filed a lawsuit against Bank of America on Feb 7
His home PC was compromised by a trojan/keylogger (Coreflood)
Resulting in loss of $90,348 in wire transfers to Latvia
The argument:
Joe Lopez: Bank of America had not alerted him about malicious code that could infect his computer
Bank of America: customers “need to have reasonable computer security”
Example on legal liability
Who is liable?
The customer failed to secure his computer system.
The bank failed to secure their customer’s system/instruct him to do so.
The bank is responsible for accepting fraudulent ID.
Implications: e-commerce, online shopping, Internet banking, etc.
The right answer: currently being decided in a court of law
Possible solution: awareness and education
Discussion
System Engineering Process Integration
Diagram (courtesy of Dr. Hery) linking the following elements: Mission Need, CONOPS, System Arch., Primary Sec Rqmts, Legal Rqmnts, Assets at Risk, Corp/Org Policy, Security Arch, Threat Analysis, Vulner. Analysis, System Design, Security Design, Derived Sec Rqmts, Other Rqmts, Prelim. Risk Analysis, Functional Rqmts, Risk Analysis, Assess