Brief introduction into security challenges for Web companies working in the Health Care space
Doing Business on the Internet
Security and Privacy: HIPAA Challenge
Nick Krym 4/15/2008
HIPAA - Basics
• The Health Insurance Portability and Accountability Act (HIPAA) requires that institutions that create, use, store, and analyze identifiable health information for research, treatment or management functions comply with stringent privacy standards.
• The extent of the compliance effort varies with the institution's status under the regulation.
• Civil penalties for failure to comply were set to:
– $100 per violation
– $25,000 per calendar year for all violations of a single requirement
• Criminal penalties for wrongful disclosure:
– $50,000 and/or imprisonment for up to 1 year
– $100,000 and/or imprisonment for up to 5 years if committed under false pretenses
• These are the original 1996 figures as of this 2008 deck; the HITECH Act of 2009 later raised the civil penalty tiers substantially.
• Multiple state laws and regulations add even more stringent standards and more severe penalties.
Protecting Patients’ Privacy - Summary
• Organizational Commitment
• Defense in Depth / Layered Defense
– Administrative Safeguards
– Physical Safeguards
– Technology Safeguards
• Applying reasonable commercial efforts
• Phased progress towards established goals
• Audit state – Reset Objectives
General Guidelines
• Hold yourself to higher standards than those required by HIPAA (consider the ever increasing pressure for security and privacy)
• Achieve compliance with reasonable efforts and budgets
– Centralize
– Standardize
– Use a phased approach
• Keep the broad picture in view
– Administrative Aspects
– Physical Security
– Technology
• It is not as hard as it might appear
– Standard techniques will get you a long way towards compliance
– Best practices are well known and skills are available
– The most complex aspects, such as intrusion detection, can be outsourced
• Never get complacent
– Ever changing threats and vulnerabilities
– Staff (in particular disgruntled employees) are the highest risk factor
– Development is a trade, maybe a science; information security is an art
General Security Goals
• Confidentiality
– Authentication – you are who you say you are
– Authorization – you can do what your "role" permits
– Access on a need-to-know basis
• Integrity
– Accuracy of data
• Availability
– Access to data when it's needed
– Access to systems when they're needed
– Disaster Recovery and Business Continuity
Dimensions of Security
• Administrative Safeguards
– Policy framework
– Procedures
– Awareness and other training
• Physical Safeguards
– Facilities
– Data Centers
– DR & BC
• Technology Safeguards
– Data Security
– System Security
– Network Security
– Application Security
– Development Safeguards
Becoming Compliant
• Policies must be developed, communicated, maintained and enforced
• Processes and procedures that support, implement and illustrate the Policy Framework must be developed, communicated, maintained and enforced
• Systems, Facilities and Applications must be built to adhere to policies and procedures
• People must understand their responsibilities in the light of security policies
• Periodic Audits are mandatory to control, verify and enforce all the items above
Getting There
• Level 0 – Some security is in place, no consistency
• Level 1 – Formally documented and disseminated policy framework, responsibilities assigned, compliance gaps identified
• Level 2 – Formally documented processes and procedures for implementing the security controls identified in the policy framework
• Level 3 – Security processes and procedures and ongoing controls are implemented
Level 1 – Foundations
• Establish Organizational Commitment
– Info Security Committee / Office
– Chief InfoSec Officer
– Policy Officer
• Policy Framework – start with ~5 and grow to 50+ policies, e.g.:
– InfoSec Philosophy
– Acceptable Use
– Cryptographic Security
– Email Policy
– Server Policy
– Incident Response Policy
– Audit Policy
• Basic technology steps, e.g.:
– User Authentication and Authorization
– Virus protection
– Data Center Firewalls
Level 2 – Building upon Foundations
• Firm Organizational Commitment
– InfoSec Office / Staff
– InfoSec Budgets
– Basic separation of duties
• Supporting processes and procedures for each of the policies – SOPs and Standards, e.g.:
– Firewall standard
– Incident response SOP
– DR SOP for each critical component
– VPN standard
– Email archiving SOP
• Advanced technology measures, e.g.:
– Anti-virus / anti-spam centralized orchestration
– Network segregation
– Network access control lists
Level 3 – Achieving Sustained Compliance
• Establish InfoSec Operations
– InfoSec Office / Staff / Budgets
– Sufficient separation of duties
– Periodic external audits
• Implemented, controlled (audited / tested) SOPs and Standards across the organization, e.g.:
– Core Policies, Processes and Procedures
– Disaster Recovery
– Business Continuity plans
• Established InfoSec operations across technology components, e.g.:
– Common desktop environment
– Tightly controlled access points
– Personal firewalls and wireless security
– Managed Security Monitoring
– Regular system and application scanning
– Regular InfoSec system audits including ethical hacking
Protecting Information
• ePHI stands for Electronic Protected Health Information. It is any protected health information (PHI) which is created, stored, transmitted, or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
– The individual's past, present or future physical or mental health.
– The provision of health care to the individual.
– The past, present or future payment for health care.
• Data are "individually identifiable" if they include any of the 18 types of identifiers (see notes for list), e.g.:
– Date of Birth
– Social Security Number
– License Plate
• Information Classification (e.g.: public, restricted, sensitive)
• Main information dissemination principle – Need-to-Know Basis
• Information Lifecycle
– Generation (data collection processes, devices, forms, screens, import, APIs, etc.)
– Processing (on servers within the data center, on personal equipment, reporting, analytics, etc.)
– In transit (from server to server in the data center, over the Internet, between organizations, etc.)
– Storage (on servers within the data center, on personal equipment, on backup devices, in offsite storage, etc.)
– Destruction (logical delete, physical delete, confirmed delete, physical device demolition)
People – The weakest link in the chain
• Personnel Policies, e.g.:
– Hiring
– Security awareness training (on-going)
– Dismissal
• Never skip a Background Check
• SOPs, e.g.:
– New employee checklist
– Request for network access
– Escalation of privileges / revoking privileges
• Audits, e.g.:
– Clean desk policy / audits
– Drug testing
– Training attendance audits
• Segregation of Duties
Defense in Depth: Technology Aspects
• Layered Security
– Compromise of any single layer must not, by itself, give access to the secured information
• Data Security, e.g.:
– Encrypting fields in a database
– HTTPS / SSL (TLS) for data in transit
– Backup encryption
• Application Functionality, e.g.:
– User ID rules (e.g. no all-numeric IDs, so people cannot use their SSN as a login)
– Password rules (e.g. strong passwords and passphrases; keep a balance between usability and security)
– Role based access (Need-to-Know)
– Masking fields (e.g. passwords, CC numbers, SSNs) on screens and in logs
– Logging / Auditing / Notifications (e.g. an email: "your Personal Health Record has been changed")
• Building Secure Applications
– Preventing known vulnerability classes (e.g. SQL injection, cross site scripting, etc.)
– Code standards and a strict SDLC
– Audit and ethical hacking
• Network Security, e.g.:
– Servers
– Networking equipment
– Network Segregation
– Attack Prevention
– Intrusion Detection
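The application-level safeguards on this slide (user ID rules, password rules, masking, the SQL injection "before" and "after", and audit logging with change notifications) as an added Python 3 example. This code is not from the original presentation; the patient table, sample rows, stub password list and helper names are constructed for the demo, and the audit store and notification queue are in-memory stand-ins.

```python
"""Added example: a few of the slide's application-level safeguards in Python 3
(standard library only). Not from the original deck; the patient table, sample
rows and helper names are constructed for this demo."""
import re
import sqlite3
from datetime import datetime, timezone

# User ID rules: no all-numeric or SSN-shaped IDs, so users cannot "help" by
# choosing their Social Security Number as a login name.
SSN_SHAPE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

def user_id_allowed(user_id: str) -> bool:
    if not re.fullmatch(r"[A-Za-z0-9._-]{4,32}", user_id):
        return False
    if user_id.isdigit() or SSN_SHAPE.match(user_id):
        return False
    return any(ch.isalpha() for ch in user_id)

# Password rules: favour length (passphrases) over arbitrary complexity,
# which keeps the usability/security balance the slide mentions.
COMMON_PASSWORDS = {"password", "letmein", "welcome1", "qwertyuiop"}  # constructed stub list

def password_allowed(pw: str, user_id: str) -> bool:
    if len(pw) < 12 or pw.isdigit():
        return False
    if pw.lower() in COMMON_PASSWORDS or user_id.lower() in pw.lower():
        return False
    return True

# Masking: render only the tail of an identifier on screens and in logs.
def mask_ssn(ssn: str) -> str:
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a 9-digit SSN")
    return "***-**-" + digits[-4:]

def mask_card(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]

# SQL injection: the "before" (string concatenation) beside the "after"
# (bound parameter). Constructed sample data in an in-memory SQLite database.
SAMPLE_PATIENTS = [("alice", "123-45-6789", "asthma"),
                   ("bob",   "987-65-4321", "diabetes")]

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (user_id TEXT, ssn TEXT, diagnosis TEXT)")
    db.executemany("INSERT INTO patient VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    return db

def lookup_vulnerable(db: sqlite3.Connection, user_id: str):
    # The caller's input becomes part of the SQL text: ' OR '1'='1 dumps the table.
    sql = "SELECT user_id, diagnosis FROM patient WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db: sqlite3.Connection, user_id: str):
    # Bound parameter: the value travels separately from the statement, so it
    # can never change the query's structure, whatever quotes it contains.
    return db.execute("SELECT user_id, diagnosis FROM patient WHERE user_id = ?",
                      (user_id,)).fetchall()

# Logging / auditing / notification: every access to a record is recorded with
# who, what and when; a change also queues the "your record has been changed" notice.
AUDIT_LOG = []          # stand-in for an append-only audit store
NOTIFICATIONS = []      # stand-in for an outbound e-mail queue

def audit(actor: str, action: str, record_user_id: str, changed: bool = False) -> dict:
    entry = {"ts": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action, "record": record_user_id}
    AUDIT_LOG.append(entry)
    if changed:
        NOTIFICATIONS.append((record_user_id, "Your personal health record has been changed."))
    return entry

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))   # every patient's diagnosis
    print(lookup_hardened(db, "' OR '1'='1"))     # []
    print(mask_ssn(SAMPLE_PATIENTS[0][1]))        # ***-**-6789
    print(audit("dr_smith", "update", "alice", changed=True))
```

The point of the side-by-side lookups is that the hardened version needs no input filtering at all: the injected string is simply compared, as data, against the user_id column and matches nothing. Masking is applied at render time, so the full SSN never leaves the data layer for a screen or a log line that only needs the last four digits.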
Availability: Technology Aspects
• Robust Service Level Agreements with all constituencies on the network
– Application Service Providers
– Hosting Centers
– Key Vendors (H/W, S/W, N/W)
• Key support contracts in place
– Maintenance
– Software Assurance
– Technical Support
• Redundancy
– Low level: H/W, N/W, Internet Connectivity
– System level: H/W, N/W, S/W
– Operational level: Processes and Procedures
• Disaster Recovery
– Low level: DR plan for each critical H/W and N/W component
– System level: Full system DR plan, backups, offsite storage
– Operational level: Processes and Procedures
– Independent DR data center
– Periodic testing of the DR Plan, in particular backup audits and restore verification
• Business Continuity
– BC Plan for each Critical Business Function
– BC Plan covering several levels / classes of disaster
– Periodic testing of the BC Plan
• Availability Monitoring
– Redundant internal monitoring (systems, applications, hardware)
– Independent external monitoring
– Real time notifications / dashboards