Overview of Proposed HIPAA Security Regulations


© Copyright eB Networks All rights reserved. No part of this presentation may be reproduced, stored in a retrieval system or transmitted in any form by any
means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission.
In Depth Security Review
Martin Rogers
Computer Horizons Corp.
Facts about Proposed Security Regulations
• Language is Technology Neutral
• Broad Applicability
– [§ 142.308(d)(2)] Network Controls. If an entity uses network controls (to protect sensitive communication that is transmitted electronically over open or private networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient)
• Good Business Practice
Key Security Terms
• PKI = Public Key Infrastructure
– The technology, legal practices, operational procedures and related infrastructure that support (digital certificate) management, generation and usage
• IDS = Intrusion Detection System
– Network and host based
• Digital Signature
– Integrity – detects changes in content
– Authentication – establishes identity of the signer
– Non-Repudiation – signer cannot deny signing the message
Key Security Terms
• SMTP = Simple Mail Transfer Protocol
• TCP/IP = Transmission Control Protocol / Internet Protocol
• SSL = Secure Sockets Layer
• VPN = Virtual Private Network
• ACL = Access Control List
• DoS Attacks = Denial of Service attacks
• Packet Sniffing – copy and read clear-text network transmissions
• Port Scanning – identify open TCP/IP communication ports
• BIA = Business Impact Analysis
Principles of the Security Regulations
• Administrative
– Policies, procedures and training
• Authentication
– Be sure only authorized personnel can access the PHI
• Privacy (confidentiality)
– Keep PHI confidential
• Authorization
– Ensure users do not exceed their allowed authority
• Non-Repudiation
– Have evidence in the event of dispute (litigation)
• Integrity
– Be sure nothing is changed behind your back
Keeping PHI Secure (10 basics)
• Security Policies and Procedures
• Training (awareness)
• Disaster Recovery
• Password Policy
• Access Control Administration
• Physical Plant Security
• Network Vulnerability Analysis (Penetration Analysis)
• Internet Security (Internet = Encryption)
• Security Enforcement Points (control communications)
• Email Security (use digital certificates)
The Proposed HIPAA Security Standards: Four Subject Areas
• Administrative Procedures [45 CFR §142.308(a)]
• Physical Safeguards [45 CFR §142.308(b)]
• Technical Security Services [45 CFR §142.308(c)]
• Technical Security Mechanisms [45 CFR §142.308(d)]
• Electronic Signature Standard [45 CFR §142.310]
Characteristics of Security Rules
• General Guidance
– Deliberate
• “The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” Federal Register, August 12, 1998 [43250]
Administrative Procedures
• Certification Process and Program Development [45 CFR §142.308(a)(1)]
– Internal or external
• Chain of Trust Partner Agreement Development [45 CFR §142.308(a)(2)]
– Electronic exchange of data
• Contingency Program Development [45 CFR §142.308(a)(3)]
– Must include: Applications and Data Criticality Analysis
– Data Backup Plan
– Disaster Recovery Plan for the Entire Enterprise
– Emergency Mode of Operation
– Testing and Revision Procedures
Administrative Procedures (continued)
• Records Processing Policies and Procedures Development [45 CFR §142.308(a)(4)]
– Receipt, manipulation, storage, dissemination, transmission, disposal of PHI
• Information Access Control Policies and Procedures [45 CFR §142.308(a)(5)]
– Access Authorization (overall access procedures)
– Access Establishment (initial right of access)
– Access Modification (job change or termination)
Administrative Procedures (continued)
• Internal Audit Policies and Procedures Development [45 CFR §142.308(a)(6)]
• In-house review of:
– System Activity Logging
– Security Incident
– Forensic Capability
Administrative Procedures (continued)
• Personnel Security [45 CFR §142.308(a)(7)]
– Procedure for Maintenance Personnel Oversight
– Ongoing Review of Levels of Access Granted to Users
– Proper Level of Access Authorization if on or Near PHI
– Establish Personnel Clearance Procedures
– Procedures to ensure that authority to access is equal to clearance level
– Assure security awareness training for system users
Administrative Procedures (continued)
• Security Configuration Management Policies [45 CFR §142.308(a)(8)]
– Documentation (written security plans, rules, procedures, and instructions concerning all components of an entity’s security)
– Hardware and software installation and maintenance review and testing
– Hardware and software inventory
– Security Testing (host and network component penetration testing): protocols and services
• FTP, Telnet, Trojans (Netbus, Back Orifice, PC Anywhere)
– Virus Protection
Administrative Procedures (continued)
• Security Incident Procedures Development [45 CFR §142.308(a)(9)]
– Incident Report Procedures
– Incident Response Procedures
• Security Management Process Development [45 CFR §142.308(a)(10)] (person in charge of security)
– Risk Analysis (cost vs. loss)
– Risk Management (reduce and maintain level of risk reduction)
– Sanction Policies and Procedures (notification of law enforcement, disciplinary action, removal of system access)
– Security Policy (acceptable use)
Administrative Procedures (continued)
• Termination Procedures [45 CFR §142.308(a)(11)]
– Change Locks
– Remove from Access List
– Remove User Account
– Turn in Physical Access Mechanisms (keys, badge, etc.)
Administrative Procedures (continued)
• Training Program Development [45 CFR §142.308(a)(12)]
– Security Awareness Training for ALL Personnel
– Periodic Reminders
– Virus Protection Education
– Login Access Education
– Password Management Education
Physical Safeguards
• Assigned Security Responsibility [45 CFR §142.308(b)(1)] (must understand all aspects of information security)
• Media Control Process Development [45 CFR §142.308(b)(2)] (receipt and removal of diskettes and tapes into and out of the facility)
– Access Control to Media (physical access)
– Accountability
– Data Backup
– Data Storage
– Disposal (final disposition)
Physical Safeguards
• Physical Access Controls [45 CFR §142.308(b)(3)]
– Disaster Recovery Plan (in the event of fire, natural disaster, etc.)
– Emergency Mode of Operation
– Equipment Control (into and out of the site)
– Facility Security Plan (safeguard the premises)
– Procedures for Verifying Access Authorization Before Access is Given
– Facility Repair and Maintenance Records
– Need-to-Know Policy
– Procedures for Sign-in and Escort
– Procedures to Restrict Testing and Revision
Physical Safeguards
• Policy and Guidelines on Workstation Use [45 CFR §142.308(b)(4)]
• A Secure Workstation Location [45 CFR §142.308(b)(5)]
• Security Awareness Training [45 CFR §142.308(b)(6)] (all employees, agents, and contractors must participate)
Technical Security Services
• Access Control [45 CFR §142.308(c)(1)(i)]
– Procedure for emergency access (admin, supervisor, root passwords)
– Implementation Features – at least one of the following:
• Context-based
• Role-based
• User-based
• Audit Controls [45 CFR §142.308(c)(1)(ii)]
– Mechanisms to record and examine system activity (IDS)
Technical Security Services
• Authorization Control [45 CFR §142.308(c)(1)(iii)]
– Mechanism for obtaining consent for the use and disclosure (at least one)
• Role-based
• User-based
• Data Authentication [45 CFR §142.308(c)(1)(iv)]
– The corroboration that data has not been altered or destroyed (Digital Certificates, PKI)
Technical Security Services
• Entity Authentication [45 CFR §142.308(c)(1)(v)]
– Automatic Log Off (session termination)
– Unique User ID
– Authentication (at least one)
• Biometric
• Password
• PIN (use with something you have)
• Callback
• Token
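The access-control, audit-control and entity-authentication features on the three Technical Security Services slides above (user-based, role-based and context-based rules, unique user IDs, automatic log-off, an audit trail of every decision, and the termination procedure of removing a user from the access list), worked through as a small Python evaluator. This is an added example, not code from the slides or from eB Networks or Computer Horizons; the sample policy, users, timeout value and all names (AccessPolicy, Session, check_access, audit_log, IDLE_TIMEOUT, run_scenario) are assumptions constructed for the illustration.

```python
# Added example (not from the original slides): evaluator for the access-control
# features listed in the Technical Security Services slides. Policy, users and
# the 15-minute idle threshold are constructed values; all names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # automatic log-off threshold (assumed value)
audit_log = []  # audit trail: one record per access decision, granted or denied


@dataclass
class Session:
    user_id: str             # unique user ID (entity authentication)
    roles: frozenset         # roles held by the user (role-based control)
    workstation: str         # where the session was opened (context-based control)
    last_activity: datetime
    active: bool = True


@dataclass
class AccessPolicy:
    user_grants: dict = field(default_factory=dict)           # user_id -> {(resource, action)}
    role_grants: dict = field(default_factory=dict)           # role -> {(resource, action)}
    allowed_workstations: dict = field(default_factory=dict)  # resource -> {workstation}
    terminated: set = field(default_factory=set)              # users removed from the access list


def check_access(policy, session, resource, action, now):
    """Return True if `session` may perform `action` on `resource` at `now`.

    Every decision is appended to `audit_log`, so the trail can be examined
    later (the audit-controls requirement). Checks run in the order: session
    still open, user not terminated, idle timeout, context, then user/role grants.
    """
    reason = None
    if not session.active:
        reason = "session-terminated"
    elif session.user_id in policy.terminated:
        reason = "user-terminated"
    elif now - session.last_activity > IDLE_TIMEOUT:
        session.active = False  # automatic log-off: idle too long
        reason = "idle-timeout"
    else:
        allowed = policy.allowed_workstations.get(resource)
        if allowed is not None and session.workstation not in allowed:
            reason = "context-denied"
        else:
            perm = (resource, action)
            by_user = perm in policy.user_grants.get(session.user_id, set())
            by_role = any(perm in policy.role_grants.get(r, set()) for r in session.roles)
            if not (by_user or by_role):
                reason = "no-authorization"
    granted = reason is None
    if granted:
        session.last_activity = now  # granted activity keeps the session alive
    audit_log.append({"time": now.isoformat(), "user": session.user_id,
                      "workstation": session.workstation, "resource": resource,
                      "action": action, "granted": granted, "reason": reason or "ok"})
    return granted


def build_sample_policy():
    """Constructed sample policy for a small clinic (illustration only)."""
    return AccessPolicy(
        user_grants={"dr_jones": {("patient-chart", "delete")}},
        role_grants={"nurse": {("patient-chart", "read"), ("patient-chart", "write")},
                     "billing": {("billing-record", "read")}},
        allowed_workstations={"billing-record": {"billing-office-ws1"}},
        terminated={"temp_contractor"},
    )


def run_scenario():
    """Constructed walk-through; returns {label: (granted, reason)} per decision."""
    del audit_log[:]
    policy = build_sample_policy()
    t0 = datetime(2000, 1, 1, 9, 0)
    nurse = Session("nurse01", frozenset({"nurse"}), "ward-3-ws1", t0)
    doctor = Session("dr_jones", frozenset(), "ward-3-ws1", t0)
    clerk = Session("clerk02", frozenset({"billing"}), "ward-3-ws1", t0)
    clerk_at_desk = Session("clerk02", frozenset({"billing"}), "billing-office-ws1", t0)
    leaver = Session("temp_contractor", frozenset({"nurse"}), "ward-3-ws1", t0)
    steps = [  # (label, session, resource, action, minutes after t0)
        ("nurse reads chart", nurse, "patient-chart", "read", 1),
        ("nurse deletes chart", nurse, "patient-chart", "delete", 2),
        ("doctor deletes chart (user grant)", doctor, "patient-chart", "delete", 3),
        ("clerk reads billing from ward", clerk, "billing-record", "read", 4),
        ("clerk reads billing from billing office", clerk_at_desk, "billing-record", "read", 5),
        ("terminated user reads chart", leaver, "patient-chart", "read", 6),
        ("nurse returns after 29 idle minutes", nurse, "patient-chart", "read", 30),
        ("nurse tries again after log-off", nurse, "patient-chart", "read", 31),
    ]
    results = {}
    for label, session, resource, action, minutes in steps:
        granted = check_access(policy, session, resource, action, t0 + timedelta(minutes=minutes))
        results[label] = (granted, audit_log[-1]["reason"])
    return results


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label}: {outcome}")
```

The denial reasons in the audit records are what an internal audit review (slide 11) would look for: a run of "no-authorization" entries for one user suggests a misconfigured role or probing, while "context-denied" entries show PHI being requested from workstations the policy did not expect.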
Technical Security Mechanisms
• Network Controls
– Integrity Controls [45 CFR §142.308(d)(1)(i)(A)]
• Validation (Digital Certificates) PKI
– Message Authentication [45 CFR §142.308(d)(1)(i)(B)]
• Message Received = Message Sent (integrity of the message) (Digital Signatures) PKI
• Implementation Feature (Technically Neutral)
– [§ 142.308(d)(1)(ii)(A)] Access Controls: protection of PHI transmissions over open or private networks so that they cannot easily be intercepted and interpreted by parties other than the intended recipient (VPN)
– [§ 142.308(d)(1)(ii)(B)] Encryption
Technical Security Mechanisms
• Network Controls [45 CFR §142.308(d)(2)]
– Alarm (IDS)
– Audit Trail (IDS) or other logging and reporting systems
– Entity Authentication (Digital Signature) PKI
– Event Reporting (IDS)