Penetration Testing & Regulatory Compliance

Source: apkerr/itis6200_13_pen_test+compliance.… (slide transcript)

Posted on 01-Feb-2018



Related Chapters

• Chapter 30: Penetration Testing

• Chapter 31: What Is Vulnerability Assessment?


PENETRATION TESTING


What is Penetration Testing?

• Pen-test – helps determine which vulnerabilities are exploitable and the degree of information exposure

• Vulnerability – a potential weakness in a system’s security

– might also exist due to a lack of company policies or procedures or an employee’s failure to follow the policy or procedure

– two broad categories of vulnerabilities: logical and physical


What is Penetration Testing? (cont.)

• Logical vulnerabilities

– Associated with computers, infrastructure, software, or applications

– Can be discovered with manual or automated tools

• Physical vulnerabilities

– Actual physical security of the organization (such as a door that doesn’t always lock properly)

– Physical security of sensitive information

– The vulnerability of the organization’s employees to social engineering


Penetration Testing vs. Hacking

• Pen-test does not normally include reconnaissance

• Length of time to conduct all activities is shorter with pen-test

• Hackers are not limited by a code of ethics

– pen-test cannot break the law

• Hackers don’t care if they crash the system

• Pen-test often only done on a subset of systems


Penetration Testing vs. Hacking (cont.)

• No test will find everything

– There are always things that can be missed, due to time constraints or because the team did not have the right conditions to find the weakness.

• No system is too critical to test.

– From a hacker’s perspective, there are no “off-limits” systems, just opportunities for attack.


Types of Penetration Testing

• Internal or external

• Based on amount of information given to the tester

– White box

• Team is given same amount of information as a network administrator

– Gray box

• Provides some knowledge to the test team

– Black box

• Test team starts with no knowledge


Types of Penetration Testing (cont.)

• Testing can be announced or unannounced

– In announced testing, the penetration testing team works in “full cooperation” with the IT staff and the IT staff has “full knowledge” about the test.

• Often done annually

– Unannounced testing can be anticipated in this case


Penetration Testing Phases

• Three phases of penetration testing: pre-attack, attack, post-attack

• Pre-attack phase

– Passive reconnaissance

• Does not touch the network

– Active reconnaissance

• Gather information to create network map

[Figure: Penetration testing phases. Pre-attack (passive reconnaissance, active reconnaissance), Attack, Post-attack]


Penetration Testing Phases: Attack Phase

• Team exploits a logical or physical vulnerability

– Discovered during pre-attack phase

• Team tries to exploit as many vulnerabilities as possible

• Escalate privileges, install applications, extend control to other systems.

• Eliminate evidence of attack


The Attack Phase

[Figure 30.3: The attack phase. There is no knowing which vulnerability a hacker will exploit first.]


Penetration Testing Phases: Post-Attack Phase

• Post-attack phase

– Return any modified system to the pre-test state

• Includes removing files, reversing registry changes, etc.

• Restoration of the system, network devices, and network infrastructure to the state the network was in prior to the beginning of the test

• Test team documents each change made

– Allows changes to be reversed

– Ensures the test can be repeated


Penetration Testing Rules

• Rules of engagement – Rules for the penetration test

– Examples: which IP addresses may be tested, which techniques may be used

• Both client and penetration test company must define and agree on:

– How sensitive information is handled

– Test schedule and duration

– How results will be reported
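As an added illustration (not part of the original slides), the following Python script encodes a constructed set of rules of engagement and checks every planned test action against the three things the slide says must be agreed in advance: the address scope, the permitted techniques and the test window. All addresses, technique names and dates are assumed values for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement for this illustration (not a real engagement).
# Addresses come from the RFC 5737 documentation ranges.
RULES_OF_ENGAGEMENT = {
    "allowed_networks": ["192.0.2.0/24", "198.51.100.0/25"],
    "excluded_hosts": ["192.0.2.10"],  # e.g. a production database carved out of scope
    "allowed_techniques": {"port-scan", "web-app-test", "password-audit"},
    "window_start": datetime(2018, 2, 5, 22, 0, tzinfo=timezone.utc),
    "window_end": datetime(2018, 2, 6, 4, 0, tzinfo=timezone.utc),
}


def check_target(roe, target_ip, technique, when):
    """Return (allowed, reason) for one planned test action.

    The action is checked against what the rules of engagement settle in
    advance: which addresses may be tested, which techniques may be used,
    and the agreed schedule. The first failing check is reported.
    """
    ip = ipaddress.ip_address(target_ip)
    if any(ip == ipaddress.ip_address(host) for host in roe["excluded_hosts"]):
        return False, f"{target_ip} is explicitly excluded from the test"
    if not any(ip in ipaddress.ip_network(net) for net in roe["allowed_networks"]):
        return False, f"{target_ip} is outside the agreed address scope"
    if technique not in roe["allowed_techniques"]:
        return False, f"technique '{technique}' was not agreed in the rules of engagement"
    if not roe["window_start"] <= when <= roe["window_end"]:
        return False, f"{when.isoformat()} is outside the agreed test window"
    return True, "in scope"


def filter_plan(roe, planned_actions):
    """Split planned (ip, technique, time) actions into those that may run and those that must not."""
    approved, rejected = [], []
    for target_ip, technique, when in planned_actions:
        ok, reason = check_target(roe, target_ip, technique, when)
        (approved if ok else rejected).append((target_ip, technique, reason))
    return approved, rejected


def sample_plan():
    """Constructed test plan: two actions inside the rules, four that violate them."""
    in_window = datetime(2018, 2, 5, 23, 30, tzinfo=timezone.utc)
    after_window = datetime(2018, 2, 6, 9, 0, tzinfo=timezone.utc)
    return [
        ("192.0.2.20", "port-scan", in_window),
        ("198.51.100.7", "web-app-test", in_window),
        ("192.0.2.10", "port-scan", in_window),           # excluded host
        ("203.0.113.5", "port-scan", in_window),          # outside the address scope
        ("192.0.2.20", "denial-of-service", in_window),   # technique not agreed
        ("192.0.2.20", "password-audit", after_window),   # outside the test window
    ]


if __name__ == "__main__":
    approved, rejected = filter_plan(RULES_OF_ENGAGEMENT, sample_plan())
    for target_ip, technique, reason in rejected:
        print(f"BLOCKED {target_ip:<14} {technique:<18} {reason}")
    total = len(approved) + len(rejected)
    print(f"{len(approved)} of {total} planned actions are within the rules of engagement")
```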


The Need for a Methodology

• A methodology

– a way to ensure that a particular activity is conducted in a standard manner, with documented and repeatable results.

– a planning tool to help ensure that all mandatory aspects of an activity are performed.

• Most penetration test companies have a baseline methodology

– Team modifies to fit scope of the test

• Different clients subject to different regulatory requirements

– Methodology must be flexible to adapt


A Good Methodology

• does not restrict the test team to a single way of compromising the network.

• allows the test team the leeway necessary to explore these “targets of opportunity” while still ultimately guiding them to the stated goals of the test.


Types of Methodologies

• Open-source methodologies

– Best known: Open Source Security Testing Methodology Manual

– Another example: Open Web Application Security Project

• Proprietary methodologies

– Details owned by the company and not shared

– Examples: IBM, ISS, EC Council Licensed Penetration Tester Methodology


Example: EC Council LPT Methodology

• Information gathering

• Vulnerability analysis

• External penetration testing

• Internal network penetration testing

• Router penetration testing

• Firewall penetration testing

• IDS penetration testing

• Wireless network penetration testing

• Denial of service penetration testing

LPT: Licensed Penetration Tester


Example: EC Council LPT Methodology (cont.)

• Password cracking penetration testing

• Social engineering penetration testing

• Stolen laptop, PDA, and cell phone penetration testing

• Application penetration testing

• Physical security penetration testing

• Database penetration testing

• VoIP penetration testing

• VPN penetration testing


[Figure 30.4: Block representation of some of the major areas of the LPT methodology. Actual methodology depends on scope of the specific test.]


Penetration Testing Risks

• Unintended consequences may occur

– Data loss

– Data corruption

– System crashes

• Company should back up all critical data

– Prior to beginning testing

• IT personnel should be available in case restoration is necessary


Liability Issues

• Documentation for the test should include a liability waiver

– The waiver should state that penetration testing company cannot be held liable for:

• Damage to systems

• Unintentional denial-of-service conditions

• Data corruption

• System crashes or unavailability

• Loss of business income


Legal Consequences

• Company can become target of lawsuits by customers

• Penetration testers may become target of lawsuits by target company

• Senior member of the target company should authorize testing

• Have legal counsel review agreements


“Get Out of Jail Free Card”

• What if a team member is caught during the test?

– Documentation that authorizes the tester’s actions is required.

– Presented if detained or apprehended while performing duties

– Has a 24-hour contact number for verification

• Very sensitive documents

– Must be returned to the company following test completion


Penetration Testing Consultants

• Quality of the test depends on quality of the consultants

• Few benchmarks exist to test knowledge of penetration tester

• Can rely on word of mouth and reputation of the testing company

– Ask for recommendations

• Required knowledge/skills

– Networking concepts

– Hardware devices

– Ethical hacking techniques

– Databases

– Open-source technologies

– Operating systems

– Wireless protocols

– Applications

– Protocols


Accomplishments of Penetration Testers


Questions to Ask When Hiring a Tester

• Does the company offer a comprehensive suite of services?

• Do they have a methodology?

• Do they hire former hackers?

• How long have the consultants been practicing?

• What will the final report look like?

• Does the company have references available?


Responding to a Request for Proposal

• To have best chance at getting the job, highlight:

– Qualifications

– Work experience

– Cutting-edge technical skills

– Communication skills

– Attitude

– Team skills

– Company concerns


Open Source Pen-Test Tools

1. MetaSploit

[Figure: MetaSploit Framework (Launcher) and Attack Code (Payload)]

2. Kali Linux (BackTrack)

• Based on Debian

• Preinstalled with

– nmap (port scanner),

– Wireshark (packet analyzer),

– John the Ripper (password cracker),

– Aircrack-ng (WiFi PenTester)

– many more


WHAT IS VULNERABILITY ASSESSMENT?


Introduction

• Vulnerability is a weakness in a system

– Allows attacker to violate integrity of the system

• A security risk is classified as vulnerability if it is recognized as a possible means of attack.

• A security risk with one or more known instances of a working or fully implemented attack is classified as an exploit.


Introduction (cont.)

• Key parts of a vulnerability assessment

– Identification of vulnerabilities

– Risk rating of each vulnerability

• Critical, high, medium, low

– Quantification of vulnerabilities

• One critical vulnerability

– Enough to put whole network at risk


Reporting Capability

• Flexible and prioritized reports are highly valued

• Sort and cross-reference data (organized data)

• Export data to other formats

• View data easily

• Compare results with previous results

• Good reports help justify cost of implementing security measures


“It Won’t Happen To Us”

• “Why would an attacker want to break into the network of Widgets, Inc., when they could go after the Department of Defense or Microsoft or someone else who’s much more interesting?”


Why Vulnerability Assessment?

• No security measure can provide complete security

• Organizations provide easier user access to their information systems, thereby increasing potential exposure.

• Administrative errors can put systems at risk


Why Vulnerability Assessment? (cont.)

• Routine use of vulnerability assessment tools can help alleviate risk

• Some industry standards require organizations to perform vulnerability assessments

– Example: Payment Card Industry Data Security Standard

• The main purpose of vulnerability assessment is to find out what systems have flaws and take action to mitigate the risk.


Penetration Testing vs. Vulnerability Testing

• Penetration testing

– Method for evaluating security of a computer system by simulating an attack

• Vulnerability assessment

– Process of identifying vulnerabilities without direct attack

– Has much in common with risk assessment


Vulnerability Mitigation Cycle

[Figure 31.2: Vulnerability mitigation cycle. Assigning relative importance to each resource is an important step in the assessment.]


Vulnerability Assessment Steps

1. Cataloging assets and capabilities (resources) in a system

2. Assigning quantifiable value and importance to the resources

3. Identifying the vulnerabilities or potential threats to each resource

4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
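To make the four steps concrete, here is an added Python example (not from the slides or the textbook) that walks a constructed inventory through steps 2 to 4: each asset carries an assumed importance value, each finding carries the critical/high/medium/low rating from the assessment, and the ordering puts the most serious findings on the most valuable resources first. The severity weights and the extra multiplier for core devices are assumptions of the example.

```python
# Rating scale used in the assessment (critical, high, medium, low) mapped to weights.
# The weights are an assumption of this example, not a published scale.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Steps 1 and 2: catalog the resources and assign each a quantified importance (1-10).
# Constructed sample inventory; importance values are assumptions.
ASSETS = {
    "edge-fw-01":  {"kind": "firewall",    "importance": 10},
    "core-rtr-01": {"kind": "router",      "importance": 9},
    "db-01":       {"kind": "database",    "importance": 8},
    "web-01":      {"kind": "web server",  "importance": 6},
    "kiosk-07":    {"kind": "workstation", "importance": 2},
}

# Step 3: vulnerabilities identified for each resource (constructed sample findings).
FINDINGS = [
    {"asset": "kiosk-07",    "id": "FINDING-A", "severity": "critical",
     "title": "unsupported operating system, no security patches"},
    {"asset": "web-01",      "id": "FINDING-B", "severity": "high",
     "title": "unchecked user input in login form (SQL injection)"},
    {"asset": "edge-fw-01",  "id": "FINDING-C", "severity": "medium",
     "title": "vendor-supplied default administrator password still set"},
    {"asset": "core-rtr-01", "id": "FINDING-D", "severity": "high",
     "title": "management interface reachable from an untrusted network"},
    {"asset": "db-01",       "id": "FINDING-E", "severity": "low",
     "title": "verbose error messages reveal software version"},
]

# Core network devices multiply the impact of a flaw because every system behind
# them is affected (Figure 31.7); the factor 1.5 is an assumption of this example.
CORE_DEVICE_MULTIPLIER = 1.5


def risk_score(finding, assets=ASSETS):
    """Ordering key for step 4: severity weight times resource importance,
    scaled up when the resource is a core device (router or firewall)."""
    asset = assets[finding["asset"]]
    score = SEVERITY_WEIGHT[finding["severity"]] * asset["importance"]
    if asset["kind"] in ("firewall", "router"):
        score *= CORE_DEVICE_MULTIPLIER
    return score


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Step 4: most serious vulnerabilities on the most valuable resources first."""
    return sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)


def count_by_severity(findings=FINDINGS):
    """Quantification of vulnerabilities: how many findings at each rating."""
    counts = {rating: 0 for rating in SEVERITY_WEIGHT}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def network_at_risk(findings=FINDINGS):
    """A single critical finding anywhere is enough to put the whole network at risk."""
    return any(f["severity"] == "critical" for f in findings)


if __name__ == "__main__":
    print("findings by rating:", count_by_severity())
    print("whole network at risk:", network_at_risk())
    print("remediation order:")
    for f in prioritize():
        asset = ASSETS[f["asset"]]
        print(f"  {risk_score(f):6.1f}  {f['id']}  {f['asset']:<12} ({asset['kind']}, "
              f"importance {asset['importance']})  {f['severity']:<8} {f['title']}")
```

Note how the critical finding on the low-value kiosk ranks below the medium finding on the firewall under this weighting, while network_at_risk() still flags it: the ordering is a remediation sequence, not a reason to leave a critical hole open.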


Network Scanning Goal

• The theoretical goal of network scanning is elevated security on all systems or establishing a network-wide minimal operation standard.


Usefulness/Ubiquity Relationship

[Figure 31.3: Usefulness/ubiquity relationship. Firewalls have become as ubiquitous as antivirus (AV), but firewalls have increased in usefulness while antivirus usefulness has decreased.]

HIPS: Host-Based Intrusion Prevention System

NIDS: Network-Based Intrusion Detection System

AV: Antivirus

NIPS: Network-Based Intrusion Prevention System


Mapping the Network

• Before we start scanning the network we have to find out what machines are alive on it.

• Nmap security scanner

– Free, open-source utility

– Can determine:

• What hosts are on a network

• What services each host offers

• What operating systems are in use

• What firewalls or packet scanners are in use


Nmap Command Line Interface

[Figure 31.4: Nmap command line interface. Frequently used scans can be saved as profiles to make them easy to run repeatedly.]


Zenmap Graphical User Interface

[Figure 31.5: Zenmap graphical user interface. Zenmap is the official Nmap security scanner GUI.]


Selecting Scanners

• Why is it good practice to use more than one scanner?

– Compare the results between them

• Nessus

– Outstanding all-purpose scanner

• HP Web Inspect or Hailstorm

– Better at scanning a Web application


Typical Scanner Architecture

[Figure 31.6: Typical scanner architecture. The scanner relies on a database of known vulnerabilities.]


Central Scans Versus Local Scans

• Should we scan locally or centrally?

– Central scans give an overall visibility into the network

– Local scans may have higher visibility into the local network.

– Centrally driven scans serve as the baseline.

– Locally-driven scans are the key to vulnerability reduction

• Scanning tools should support both methods


Who is the Target?

• Many people think that they don’t have anything to hide, they don’t have secrets, and thus nobody will hack them.

• Hackers are not only after secrets but after resources as well.

– They may want to use your machine for hosting files, use it as a source to attack other systems, or just try some new exploits against it.


Defense in Depth Strategy

• Multiple layers of defense should be placed throughout an IT system

• Types of security vulnerabilities to be addressed

– Personnel

– Technology

– Operations

• Strategy is designed to give organization time to detect and respond to an attack


Defense in Depth Layers

• Using more than one of the following layers constitutes defense in depth:

– Physical security (deadbolt locks)

– Authentication and password security

– Antivirus software (host based and network based)

– Firewalls (hardware or software)

– Demilitarized zones (DMZs)

– Intrusion detection systems (IDSs)

– Intrusion prevention systems (IPSs)


Defense in Depth Layers (cont.)

• Using more than one of the following layers constitutes defense in depth: (cont.)

– Packet filters (deep packet inspection appliances and stateful firewalls)

– Routers and switches

– Proxy servers

– Virtual private networks (VPNs)

– Logging and auditing

– Biometrics

– Timed access control

– Proprietary software/hardware not available to the public


Computer Network Defense

• In terms of computer network defense, defense-in-depth measures should not only prevent security breaches, they should give an organization time to detect and respond to an attack, thereby reducing and mitigating the impact of a breach.


Vulnerability Assessment Tools

• Nessus

• GFI LANguard

• Retina

• Core Impact

– Most powerful, and expensive

• ISS Internet Scanner

• Xscan

• SARA

• Qualysguard

• SAINT

• MBSA

• Technique to improve scanner performance

– Use multiple scanners

• Orphaned system

– System that is not maintained or updated

– Should be treated as hostile

• Company should take steps to avoid being scanned by outsiders


Scanner Performance

• A vulnerability scanner can use a lot of network bandwidth.

– Tradeoff: the more vulnerabilities in the database and the more comprehensive the scan, the longer it will take.

• One way to increase performance is through the use of multiple scanners

– one system to aggregate the results


Scan Verification

• The best practice is to use a few scanners during your vulnerability assessment, then use more than one scanning tool to find more vulnerabilities.

• Scan your networks with different scanners from different vendors and compare the results.
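An added Python example (not from the slides) for the multi-scanner technique of the Vulnerability Assessment Tools, Scanner Performance and Scan Verification slides: it normalizes constructed output from two hypothetical scanners that report in different formats, aggregates the findings on one system, separates findings both scanners agree on from those only one reported, and compares the result with a previous scan. The scanner names, their output formats, the finding identifiers and the hosts are all invented for the illustration.

```python
import csv
import io
import json

# Numeric ranking used when two scanners rate the same finding differently.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed output from two hypothetical scanners ("alpha" reports CSV, "beta" JSON).
# Neither format belongs to a real vendor; hosts are RFC 5737 documentation addresses.
SCANNER_ALPHA_CSV = """host,port,plugin,severity,summary
192.0.2.20,22,SSH-WEAK-KEX,medium,Weak key exchange algorithms offered
192.0.2.20,443,TLS-1.0,low,TLS 1.0 still enabled
192.0.2.21,3306,MYSQL-DEFAULT,high,Database accepts vendor default credentials
"""

SCANNER_BETA_JSON = json.dumps({"results": [
    {"ip": "192.0.2.20", "port": 22,   "check": "SSH-WEAK-KEX",  "risk": "Medium"},
    {"ip": "192.0.2.20", "port": 80,   "check": "HTTP-TRACE",    "risk": "Low"},
    {"ip": "192.0.2.21", "port": 3306, "check": "MYSQL-DEFAULT", "risk": "Critical"},
]})

# Aggregated findings from the previous quarterly scan (constructed), keyed the same way.
PREVIOUS_SCAN = {("192.0.2.20", 443, "TLS-1.0"), ("192.0.2.22", 21, "FTP-ANON")}


def parse_alpha(text):
    """Normalize scanner alpha's CSV to {(host, port, check): severity}."""
    return {(row["host"], int(row["port"]), row["plugin"]): row["severity"].lower()
            for row in csv.DictReader(io.StringIO(text))}


def parse_beta(text):
    """Normalize scanner beta's JSON to the same key shape."""
    return {(r["ip"], int(r["port"]), r["check"]): r["risk"].lower()
            for r in json.loads(text)["results"]}


def aggregate(scans):
    """Merge {scanner name: normalized findings} on one aggregating system.

    Each finding records which scanners reported it; where scanners disagree
    on severity the higher rating is kept so triage errs on the side of caution.
    """
    merged = {}
    for name, findings in scans.items():
        for key, severity in findings.items():
            entry = merged.setdefault(key, {"seen_by": set(), "severity": severity})
            entry["seen_by"].add(name)
            if RANK[severity] > RANK[entry["severity"]]:
                entry["severity"] = severity
    return merged


def verify(merged, scanner_names):
    """Scan verification: findings every scanner agrees on vs. single-scanner findings."""
    everyone = set(scanner_names)
    agreed = {k for k, v in merged.items() if v["seen_by"] == everyone}
    single = {k: next(iter(v["seen_by"])) for k, v in merged.items() if len(v["seen_by"]) == 1}
    return agreed, single


def compare_with_previous(merged, previous):
    """Compare results with the previous scan: what is new, what was fixed, what persists."""
    current = set(merged)
    return {"new": current - previous, "fixed": previous - current, "persisting": current & previous}


def run_sample():
    """Run the whole pipeline over the constructed sample output."""
    scans = {"alpha": parse_alpha(SCANNER_ALPHA_CSV), "beta": parse_beta(SCANNER_BETA_JSON)}
    merged = aggregate(scans)
    agreed, single = verify(merged, scans)
    return merged, agreed, single, compare_with_previous(merged, PREVIOUS_SCAN)


if __name__ == "__main__":
    merged, agreed, single, delta = run_sample()
    for key in sorted(merged):
        print(f"{key[0]}:{key[1]} {key[2]:<14} {merged[key]['severity']:<8} "
              f"seen by {sorted(merged[key]['seen_by'])}")
    print("confirmed by both scanners:", len(agreed))
    for key, scanner in sorted(single.items()):
        print(f"needs manual verification (only {scanner} reported it): {key}")
    for label, keys in delta.items():
        print(f"{label}: {sorted(keys)}")
```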


Network Scanning Countermeasures

• A company wants to scan its own networks, but at the same time the company should take countermeasures to protect itself from being scanned by hackers.


Vulnerability Disclosure Date

• Time of vulnerability disclosure

– Public disclosure of security information by a certain party

– Details are published on a security Website

– Security advisory is put out via email

• The method of appropriate disclosure is a subject of debate

– Full disclosure vs. security by obscurity


Discovering Security Holes

• Vulnerability categories

– Related to programmer errors in writing code

– Related to misconfiguration of software settings

• Vulnerability scanners can identify both types

• First scanners were designed as hacking tools

– Now tools are used against them


Proactive and Reactive Security

• Reactive security – Passive approach

– Respond to a breach when it occurs

– Damage control focus

• Proactive security – Active approach

– Identify vulnerabilities before a hacker does

• Best security uses both proactive and reactive approaches


Vulnerability Causes

• Password management flaws

• Fundamental operating system design flaws

• Software bugs

• Unchecked user input

– Risk: SQL injection


Vulnerabilities and Impact

[Figure 31.7: Vulnerabilities with the biggest impact. Vulnerabilities found in core devices (routers, firewalls) will have the biggest impact on the organization.]


DIY Vulnerability Assessment

• Tenable’s Nessus

– Widely used in vulnerability assessments

– Can be run with only IP addresses as input (default)

– Product is very well documented

– Compares responses received from network devices against database of known vulnerabilities


Cyber Security Regulatory Compliance


Cyber Security Regulation

• PCI DSS:

– Payment Card Industry Data Security Standard

• HIPAA:

– Health Insurance Portability and Accountability Act

• Others


REGULATORY COMPLIANCE: PCI DSS


PCI DSS: Payment Card Industry Data Security Standard

• Standard that is applied to:

– Merchants

– Service Providers (third-party vendors, gateways)

– Systems (hardware, software)

• That:

– Store cardholder data

– Transmit cardholder data

– Process cardholder data

• Applies to:

– Electronic transactions

– Paper transactions


PCI DSS 12 Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored data.

4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update antivirus software.

6. Develop and maintain secure systems and applications.


PCI DSS: 12 Requirements in 6 Groups (cont.)

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Routinely test security systems and processes.

Maintain an Information Security Policy

12. Establish high-level security principles and procedures.

70

Page 71:

Compliance vs. Validation

• Compliance
– Means adherence to the standard
– Applies to every merchant regardless of volume
– Covers technical and business practices

• Validation
– Verification that the merchant (including its service providers) is compliant with the standard
– Applies based on the Level assigned to the merchant, which is based on transaction volume
– Two types of validation:
  • Self-Assessment
  • Assessment by a Qualified Security Assessor (QSA)

• Attestation
– Letter to Visa, signed by both the merchant and its acquiring bank, attesting that validation has been performed

Page 72:

Two Components to Validate

• Annual Assessment Questionnaire
– Required of all merchants, regardless of level
– Self-Assessment, or performed by a Qualified Security Assessor (QSA)
– Must not have any "No" answers: it is pass or fail
– Applies to both technical and business practices

• Security Vulnerability Scan (quarterly)
– Required for external-facing IP addresses:
  • Web applications
  • POS software and databases on networks
  • Applies even if there is only a redirection link to a third party
– Must be performed by an Approved Scanning Vendor (ASV)
– Validation requirements depend on the Level assigned to the merchant, which is based on transaction volume
  • Visa and MasterCard schedules differ
  • Visa's schedule is what most go by

Page 73:

Levels of Merchants

Level   Transactions per year    Types of entities
1       More than 6 million      Merchants, merchant agents, processors, direct connects
2       1 to 6 million           Merchants, merchant agents, processors
3       20,000 to 1 million      eCommerce merchants
4       All other merchants      Merchants

(Levels are set by the number of transactions per year, not by dollar volume.)

• All merchants must perform external network scanning to achieve compliance.

• The new program, released in May 2007, requires acquirers to develop and submit a formal written compliance plan to Visa, which "identifies, prioritizes and manages overall risk within their Level 4 merchant populations," according to the CISP Bulletin.

Page 74:

Visa and MasterCard Validation Requirements

• Level 1 (Visa/MasterCard): Annual on-site review by a Qualified Security Assessor (QSA), or by the merchant's internal audit function if the report is signed by an officer of the company, and a quarterly network security scan by an Approved Scanning Vendor (ASV).

• Level 2: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.

• Level 3: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.

• Level 4: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.

• If a breach has been reported or found, Visa reserves the right to move a Level 4 merchant to Level 1. If so, the merchant must abide by the Level 1 validation requirements.

Page 75:

For Level 4, by Acquirer

• Timeline of Critical Events
– Timeline of completion dates and milestones for the overall strategy.

• Risk-Profiling Strategy
– Prioritization of Level 4 merchants into subgroups, from merchants that pose the greatest risk to those that pose little risk at all. Factors such as merchant category, transaction volume, market segment, acceptance channel and number of locations can help the acquirer target compliance efforts for each subgroup.

• Merchant Education Strategy
– Strategy designed to eliminate storage of prohibited data, protect stored data, and secure the environment in accordance with PCI DSS. This includes ensuring that merchants store only the data they truly require, that they comply with PCI DSS, that their payment applications are compliant, and that any third-party agents are on Visa's list of CISP-Compliant Service Providers.

• Compliance Reporting
– Monthly compliance reporting to executive or board management. Visa may also periodically request that the acquirer produce these reports.

Page 76:

Merchant Levels: Based on Visa Transaction Volume over the Past 12 Months

• For Visa, Inc., the merchant's transaction volume is based on the aggregate number of Visa transactions (credit, debit and prepaid cards) from a merchant Doing Business As ("DBA").

• For merchants and/or merchant corporations that operate more than one DBA, the aggregate volume of transactions stored, processed or transmitted by the corporate entity must be considered to determine the validation level.

• If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, members will continue to consider each DBA's individual transaction volume to determine the validation level.

Page 77:

Fines for Security Breaches

• Not levied by the PCI Security Standards Council
– Fines are levied by the card associations
– Against the merchant's acquiring bank, which passes them on to the merchant

• Fines for a security breach
– Visa: up to $500,000 per occurrence
– MasterCard: up to $500,000 per occurrence

• Amount of the fine depends on
– Number of card numbers stolen
– Circumstances surrounding the incident
– Whether track data was stored or not
– Timeliness of reporting the incident

• Safe harbor
– Could limit the fine if the merchant had been validated as compliant by a QSA
– But validation is a point-in-time assessment
– Don't count on it
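Fines scale with whether track data was stored, and acquirers are expected to make sure merchants store only the cardholder data they truly require. The practical check behind both points is a cardholder-data discovery sweep: look through logs, exports and file shares for full PANs and magnetic-stripe track data that should not be there. The script below is an added example, not part of the original slides or of any card brand's program. The sample lines, the regular expressions and the helper names are constructed here; the card numbers are well-known test numbers that belong to no real account. A real sweep would also have to cover databases, backups and process memory, which this file-oriented example does not.

```python
import re

# Constructed sample input (not from the slides): lines a discovery sweep might
# see in a merchant's logs or exports.  The PANs are industry test numbers.
SAMPLE_LINES = [
    "2024-03-01 order=1001 pan=4111111111111111 exp=1227",   # full PAN, Luhn-valid
    "2024-03-01 order=1002 pan=411111******1111",             # masked: first 6 / last 4
    "2024-03-02 order=1003 ref=4111111111111112",             # 16 digits, fails Luhn
    "%B4111111111111111^DOE/JOHN^27121011000000000000?",      # track 1 data (prohibited)
    ";5555555555554444=27121011000000000?",                    # track 2 data (prohibited)
    "2024-03-03 invoice 1234567890123456 (internal id)",      # 16 digits, not a PAN
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Magnetic-stripe layouts: track 1 is %B<PAN>^<NAME>^<YYMM>...?, track 2 is ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^[^^]{2,26}\^\d{4}[^?\s]*\??")
TRACK2_RE = re.compile(r";(\d{12,19})=\d{4}[^?\s]*\??")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Findings for one line: full track data first, then bare Luhn-valid PANs."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append({"type": kind, "pan": mask_pan(m.group(1))})
            # blank the whole track (same length) so its PAN is not reported twice
            line = line[:m.start()] + " " * (m.end() - m.start()) + line[m.end():]
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # drops order numbers and other 16-digit noise
            findings.append({"type": "pan", "pan": mask_pan(digits)})
    return findings


def scan_lines(lines) -> list:
    """Scan many lines; return (line_number, finding) pairs, 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for f in scan_line(line):
            hits.append((n, f))
    return hits


if __name__ == "__main__":
    for n, f in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {f['type']} {f['pan']}")
```

Only the masked form of each hit is ever printed or stored, so the report itself does not become a new copy of cardholder data. The Luhn check is what keeps the false-positive rate tolerable on real logs full of order and invoice numbers; the track-data patterns matter because storing full track data after authorization is prohibited outright and, as the slide notes, drives the size of the fine.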

Page 78:

Other Security Breach Costs

• Fines levied by the card associations to cover notifying all cardholders and replacing cards

• Costs of notifying customers of the incident

• Forensic investigation costs
– Required by the card associations
– Must use an approved forensic investigation firm
– Cost approximately $10,000

• Costs associated with having to stop accepting cards

• Cost of an annual on-site security audit
– Once a breach has occurred, the merchant is elevated to Level 1
– Cost approximately $15,000 to $20,000

Page 79:

[Figure: breach fines of $50,000,000, $10,000,000 and $590,000; combined fines for all three: $60,590,000]

Page 80:

PCI Compliance ≠ Security!

• "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach." – Gregg Steinhafel, Target CEO, Chairman, and President

Page 81:

REGULATORY COMPLIANCE: HIPAA

Page 82:

What is HIPAA?

• In 1996 President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA).

• HIPAA has two primary purposes:
– to provide continuous insurance coverage for workers who change jobs, and
– to "reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper".

Page 83:

What does HIPAA do?

• Protects the privacy of a client's personal and health information

• Provides for electronic and physical security of personal and health information

• Simplifies billing and other transactions

Page 84:

Overview of HIPAA

[Diagram: the five titles of the Health Insurance Portability and Accountability Act of 1996, with the structure of Title II expanded]

Title I: Portability

Title II: Administrative Simplification
– Privacy: Use and Disclosure of PHI; Individual Rights; Administrative Requirements
– Security: Administrative Procedures; Physical Safeguards; Technical Security Services; Technical Security Mechanisms
– Transactions: EDI; Code Sets; Identifiers

Title III: Medical Savings Accounts

Title IV: Group Health Plan Provisions

Title V: Revenue Offset Provisions

Page 85:

Definitions

• Privacy: the state of being concealed; secret

• Confidentiality: containing secret information (e.g., a medical record)

• Authorization: to give permission for; to grant power to

• Breach of confidentiality: to break an agreement; to violate a promise

Page 86:

HIPAA is Timely

• Much of a patient's health information is now documented in computerized form. Protecting this information has become vitally important.

• HIPAA is the first federal legislation (Privacy Rule compliance date April 14, 2003) that attempts to protect a patient's right to privacy, and the security of, and access to, personal medical information.

Page 87:

HIPAA

• Privacy Rule
– Imposes restrictions on the use and disclosure of personal health information
– Gives patients greater protection of their medical records
– Hopefully provides patients with greater peace of mind about the security of their information

Page 88:

Confidentiality

• Deals with:
– Communication or information given to you without fear of disclosure
– Legitimate need to know and informed consent

• Potential breaches of confidentiality can occur

Page 89:

Protected Health Information

• When a patient gives personal health information to a healthcare provider, that information becomes Protected Health Information (PHI)

Page 90:

Protected Health Information

PHI includes:
– Verbal information
– Information on paper
– Recorded information
– Electronic information (faxes, e-mails)

Page 91:

Protected Health Information

• Examples of patient information
– Patient's name or address
– Social Security or other ID numbers
– Doctor's or nurse's personal notes
– Billing information

Page 92:

Rules for the Use & Disclosure of PHI

• PHI can be used or disclosed
– For treatment, payment, and healthcare operations
– With authorization/agreement from the patient
– For disclosure to the patient

Page 93:

Rules for the Use & Disclosure of PHI

• A healthcare provider is required to release PHI
– When requested/authorized by the patient (some exceptions apply)
– When required by the Department of Health and Human Services

• Patients can request a list of persons who viewed their PHI, but they too must sign a consent

Page 94:

Authorization Guidelines

• Patient authorization for release of PHI must be obtained in the following situations:
– Use/disclosure of psychotherapy notes
– For research purposes
– For use/disclosure to third parties for marketing activities

Page 95:

Authorization Guidelines

• PHI can be used/disclosed without authorization for the following reasons:
– To inform appropriate agencies
– Public health activities related to disease prevention/control
– To report victims of abuse, neglect or domestic violence
– To funeral homes and tissue/organ banks
– To avert a serious threat to health/safety

Page 96:

Notice of Privacy Practices

• The Notice of Privacy Practices must contain the patient's rights and the covered entity's legal duties

• Patients have the right to adequate notice concerning the use/disclosure of their PHI

• Patients are required to sign a statement that they were informed of and understand the privacy practices

Page 97:

Minimum Necessary

• What are the Minimum Necessary requirements?
– Use/disclosure of PHI is limited to the minimum amount of health information required to do the job

• It means:
– Development of policies/practices on sharing health information

Page 98:

Minimum Necessary

• Identify employees who regularly access PHI.

• Identify the types of PHI needed and the conditions for access.

• Grant only the access necessary to perform the job.

Page 99:

Protections for Health Information

• Important Safeguards
– Physical Safeguards
  • Computer terminals are not placed in public areas
– Technical Safeguards
  • Every associate must keep his/her password confidential
– Administrative Safeguards
  • Policy and procedure for release of patient information

Page 100:

Patients' Rights

• The hospital demonstrates respect for the following patient needs:
– Confidentiality
– Privacy
– Security
– Resolution of complaints

• Records and information are protected against LOSS, destruction, tampering and UNAUTHORIZED ACCESS or use

• Patients have a right to confidentiality of all information that is provided to the healthcare professional and institution

• Health care professionals ensure that patient information is secured at all times and, if there are any complaints, that those complaints are resolved in a timely manner

Page 101:

Faxing Guidelines

• Fax machines are located in non-public areas.

• Centralized fax machines: pick up information immediately.

• DO NOT FAX the following records/results:
– HIV results
– Alcohol abuse
– Mental health
– Substance abuse
– Narcotic prescriptions
– Child abuse

Page 102:

Faxing Guidelines

• When you fax to outside offices:
– Check the transmission printout
– Verify that the correct number was dialed

Page 103:

Privacy

• No photographs or recordings of any type are to be taken of patients in the clinical setting.

• No cameras, tablets, smartphones or any electronic devices with photography capabilities are permitted in the clinical environment.

Protect the Patient!

Page 104:

Enforcement of the Medical Privacy Regulations

• A patient may complain to the Privacy Officer in a hospital ...

OR

• To the Secretary of Health and Human Services (HHS), whose Office for Civil Rights enforces the privacy regulations

Page 105:

Patient Privacy Rights

• It's your job to:
– Make sure patients know they have the right to see and copy their PHI
– Protect patients' privacy and confidentiality
– Contact your hospital's privacy administrator with any privacy concerns

Page 106:

HITECH

• Health Information Technology for Economic and Clinical Health Act

• A federal law, part of the American Recovery and Reinvestment Act (ARRA); effective September 23, 2009

• Updated the HIPAA rules to include protections against identity theft

Page 107:

HITECH

Purpose
• Applies to covered health care entities and business associates; makes massive changes to privacy and security laws
• Creates a nationwide electronic health record
• Increases penalties for privacy and security violations
• Breach notification requirements (patient, Department of Health and Human Services, and media)

Criminal Penalties
• Criminal provisions
• Penalties
• Sharing of civil monetary penalties with harmed individuals

Page 108:

Other Regulatory Compliance Issues

• Sarbanes–Oxley Act (2002)
– Requires senior management to certify the accuracy of reported financial statements
– Requires management and auditors to establish internal controls and to report on the adequacy of those controls

• Gramm–Leach–Bliley Act (1999)
– Requires financial institutions to safeguard the security and confidentiality of customers' nonpublic personal information and to disclose their information-sharing practices

• Patriot Act (2001)
– Surveillance of communications and financial transactions, and more

• Fair and Accurate Credit Transactions Act (2003)

• SEC Rule 17a-4
– Data retention, indexing, and accessibility requirements for companies that deal in the trade or brokering of financial securities such as stocks, bonds, and futures

• Personal Information Protection and Electronic Documents Act (PIPEDA, Canada)

• EU Data Retention Directive (2006)