NIST HIPAA Security Rule Toolkit
Description: transcript of a slide deck presented by Kevin Stine (Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology) to the Association of American Medical Colleges (AAMC) on February 15, 2012.
![Page 1: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/1.jpg)
NIST HIPAA Security Rule Toolkit
Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Association of American Medical Colleges (AAMC)
February 15, 2012
![Page 2: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/2.jpg)
NIST’s Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
![Page 3: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/3.jpg)
NIST Laboratories
NIST’s work enables
• Science
• Technology innovation
• Trade
• Public benefit
NIST works with
• Industry
• Academia
• Government agencies
• Measurement labs
• Standards organizations
![Page 4: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/4.jpg)
Computer Security Division
A division within the Information Technology Lab, CSD conducts research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.
Some Major Activities
• Cryptographic Algorithms, Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, Post-Quantum Crypto, BIOS Security
• FISMA, Health IT, Smart Grid, Supply Chain, NICE, Crypto Validation Programs, Outreach and Awareness, Cyber Physical Systems, Voting
• Identity Management, Access Control, Biometric Standards, Cloud and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols
![Page 5: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/5.jpg)
Types of NIST Publications
Federal Information Processing Standards (FIPS)
• Developed by NIST; approved and promulgated by the Secretary of Commerce
• Per FISMA, compulsory and binding for all federal agencies; not waiverable
• Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia)
Special Publications (SP 800 series)
• Per OMB policy, Federal agencies must follow NIST guidelines
• Voluntary adoption by non-Federal organizations
Other security-related publications
• NIST Interagency Reports
![Page 6: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/6.jpg)
A Framework for Managing Risk
Risk Management Framework process overview
Starting point (inputs to the process):
• Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
• Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations
Steps (repeat as necessary):
• Step 1: CATEGORIZE Information System
• Step 2: SELECT Security Controls
• Step 3: IMPLEMENT Security Controls
• Step 4: ASSESS Security Controls
• Step 5: AUTHORIZE Information System
• Step 6: MONITOR Security Controls
![Page 7: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/7.jpg)
Agenda
• HIPAA Security Rule Overview
• Toolkit Project
• Content Development
• The Toolkit Application
• Additional Information
![Page 8: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/8.jpg)
HIPAA Security Rule (HSR) Overview
The HSR establishes national standards for a covered entity to protect individuals’ electronic protected health information (ePHI).
![Page 9: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/9.jpg)
HSR Overview
Who? From a nationwide health plan with vast resources … to small provider practices with limited access to IT expertise and resources.
What? Standards and implementation specifications covering:
• Basic practices
• Security failures
• Risk management
• Personnel issues
How? It depends … on the size and scale of your organization.
![Page 10: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/10.jpg)
HSR Toolkit Project
The purpose of this toolkit project is to help organizations …
• better understand the requirements of the HIPAA Security Rule (HSR)
• implement those requirements
• assess those implementations in their operational environments
![Page 11: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/11.jpg)
HSR Toolkit Project
What it IS …
• A self-contained, OS-independent application to support various environments (hardware/OS)
• Support for security content that other organizations can reuse over and over
• A useful resource among a set of tools and processes that an organization may use to assist in reviewing their HSR risk profile
• A freely available resource from NIST
What it is NOT …
• It is NOT a tool that produces a statement of compliance
• NIST is not a regulatory or enforcement authority
• Compliance is the responsibility of the covered entity
![Page 12: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/12.jpg)
Intended Uses of the HSR Toolkit
• Supplement existing risk assessment processes conducted by Covered Entities and Business Associates
• Assist organizations in aligning security practices across multiple operating units
• Serve as input into an action plan for HSR Security implementation improvements
![Page 13: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/13.jpg)
HSR Toolkit Project
The Toolkit project consists of three parallel efforts, carried out over multiple iterations:
• Content Development
• Desktop Application Development
• Security Automation
![Page 14: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/14.jpg)
Content Development
Using the HIPAA Security Rule, and NIST Special Publications (800-66, 800-53, 800-53A), we developed questions designed to assist in the implementation of the Security Rule.
Each HIPAA Security Rule section (§) maps to specific questions that address that rule.
![Page 15: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/15.jpg)
Content Development
§164.308(a)(3)(ii)(A) Authorization and/or supervision (Addressable).
Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Maps to:
Question HSR.A53: Has your organization established chains of command and lines of authority for work force security?
Response type: Boolean
• Yes: if yes, do you have an organizational chart?
• No: if no, provide explanation text
![Page 16: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/16.jpg)
Content Development
This effort has resulted in …
• Two sets of questions:
  • an “Enterprise” set with nearly 900 questions
  • a “Standard” set with about 600 questions (a subset)
• With dependence and parent-child relationship mappings
• Covering all HSR standards and implementation specifications
![Page 17: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/17.jpg)
Content Development
![Page 18: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/18.jpg)
Security Automation
• Utilizing standards-based security automation specifications – such as XCCDF, OVAL, OCIL – to implement those questions into a toolkit application that is “loosely coupled”
• Enables existing commercial tools that process security automation content to use the content (not locked down)
• Provides consistent and repeatable processes
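The question mapping on the Content Development slides (a boolean question whose "yes" answer triggers a follow-up) and the loosely coupled security automation approach above can be expressed as OCIL-style content and evaluated with a short script. The following is an added example, not code or content from the NIST HSR Toolkit: the XML is a constructed sample whose element names follow the OCIL 2.0 schema, and the follow-up question id HSR.A53.1, the questionnaire and test-action ids, and the AND-style roll-up of results are assumptions made here.

```python
"""Evaluate an OCIL-style HSR questionnaire offline.

Added example, not code from the NIST HSR Toolkit.  HSR.A53 and its
"if yes" follow-up are modelled as a boolean question test action whose
when_true branch chains to a second test action and whose when_false
branch yields FAIL.  Ids other than HSR.A53 are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"ocil": "http://scap.nist.gov/schema/ocil/2.0"}

# Constructed sample content (element names follow the OCIL 2.0 schema;
# this is not the toolkit's actual XML).
OCIL_XML = """
<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <questionnaires>
    <questionnaire id="ocil:hsr:questionnaire:1">
      <title>164.308(a)(3)(ii)(A) Authorization and/or supervision</title>
      <actions>
        <test_action_ref>ocil:hsr:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:hsr:testaction:1"
        question_ref="ocil:hsr:question:A53">
      <when_true>
        <test_action_ref>ocil:hsr:testaction:2</test_action_ref>
      </when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:hsr:testaction:2"
        question_ref="ocil:hsr:question:A53.1">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:hsr:question:A53">
      <question_text>Has your organization established chains of command
        and lines of authority for work force security?</question_text>
    </boolean_question>
    <boolean_question id="ocil:hsr:question:A53.1">
      <question_text>Do you have an organizational chart?</question_text>
    </boolean_question>
  </questions>
</ocil>
"""

# Assumed AND-style roll-up: any ERROR or FAIL dominates, an unanswered
# branch leaves the questionnaire NOT_TESTED, otherwise it passes.
PRECEDENCE = ("ERROR", "FAIL", "NOT_TESTED", "PASS")


def evaluate(xml_text, answers):
    """Return ({questionnaire_id: result}, [question texts actually asked]).

    answers maps question id -> True/False.  Only the branch matching the
    answer is followed, so a "No" on HSR.A53 never prompts for the
    organizational chart; a missing answer yields NOT_TESTED.
    """
    root = ET.fromstring(xml_text)
    actions = {a.get("id"): a for a in root.iterfind(
        "ocil:test_actions/ocil:boolean_question_test_action", NS)}
    questions = {
        q.get("id"): " ".join(q.findtext("ocil:question_text", "", NS).split())
        for q in root.iterfind("ocil:questions/ocil:boolean_question", NS)}
    asked = []

    def run(action_id, depth=0):
        if depth > len(actions):          # guard against cyclic content
            return "ERROR"
        action = actions.get(action_id)
        if action is None:                # dangling test_action_ref
            return "ERROR"
        qid = action.get("question_ref")
        asked.append(questions.get(qid, qid))
        if qid not in answers:
            return "NOT_TESTED"
        branch = action.find(
            "ocil:when_true" if answers[qid] else "ocil:when_false", NS)
        if branch is None:
            return "ERROR"
        nxt = branch.findtext("ocil:test_action_ref", None, NS)
        if nxt is not None:               # parent-child chain to follow-up
            return run(nxt.strip(), depth + 1)
        return branch.findtext("ocil:result", "ERROR", NS).strip()

    results = {}
    for q in root.iterfind("ocil:questionnaires/ocil:questionnaire", NS):
        outcomes = [run(r.text.strip()) for r in
                    q.iterfind("ocil:actions/ocil:test_action_ref", NS)]
        results[q.get("id")] = min(
            outcomes, default="NOT_TESTED",
            key=lambda r: PRECEDENCE.index(r) if r in PRECEDENCE else 0)
    return results, asked


if __name__ == "__main__":
    print(evaluate(OCIL_XML, {"ocil:hsr:question:A53": True,
                              "ocil:hsr:question:A53.1": True}))
```

Because the walk follows only the branch matching the answer, a "No" on HSR.A53 ends the chain with FAIL and never asks about the organizational chart, and an unanswered follow-up leaves the questionnaire NOT_TESTED rather than silently passing. Real OCIL content also carries choice, string and numeric questions and richer result roll-up operators, which this example does not model.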
![Page 19: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/19.jpg)
Associated HSR Toolkit Resources
• A comprehensive User Guide
• Examples of how to use and operate the Toolkit
Partner entities that are assisting in defining functionality and usability:
• A state Medicaid Office
• A specialty clearinghouse
• A community hospital
• A non-profit regional hospital
![Page 20: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/20.jpg)
Toolkit: Download the Application
![Page 21: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/21.jpg)
Toolkit: Create a Profile
![Page 22: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/22.jpg)
Toolkit: Organized by Safeguard Family
![Page 23: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/23.jpg)
Navigation Menu
Selected Question
References
Responses
Attachments
Flag Level
Progress Bar
Comments
Toolkit: Explore the Application Interface
![Page 24: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/24.jpg)
Toolkit: Answer Questions
![Page 25: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/25.jpg)
Toolkit: Generate Reports
![Page 26: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/26.jpg)
A Framework for Managing Risk (the Risk Management Framework slide from earlier in the deck, repeated)
![Page 27: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/27.jpg)
Useful Resources
• HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa
• Computer Security Resource Center (CSRC): http://csrc.nist.gov
• NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html
![Page 28: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/28.jpg)
Questions
![Page 29: NIST HIPAA Security Rule Toolkit](https://reader036.vdocuments.us/reader036/viewer/2022062400/56816869550346895dded4d5/html5/thumbnails/29.jpg)
Thank You
Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov