Doing Business on Internet Security and Privacy: HIPAA Challenge


DESCRIPTION

Brief introduction to the security challenges for Web companies working in the Health Care space


Page 1: Doing Business On Internet -- HIPAA Challenge

Doing Business on Internet
Security and Privacy: HIPAA Challenge

Page 2

Nick Krym 4/15/2008 2

HIPAA - Basics
• The Health Insurance Portability and Accountability Act (HIPAA) requires that institutions that create, use, store, and analyze identifiable health information for research, treatment or management functions comply with stringent privacy standards.
• The extent of a compliance effort varies based upon the institution’s status under the regulation.
• Penalties for failure to comply were set to:
– $100 per violation
– $25,000 for all violations of a single requirement
• Penalties for wrongful disclosure:
– $50,000 and/or imprisonment for up to 1 year
– $100,000 and/or imprisonment for up to 5 years if under false pretenses
• Multiple state laws and regulations introduced even more stringent standards and more severe penalties.

Page 3

Protecting Patients’ Privacy - Summary
• Organizational Commitment
• Defense in Depth / Layered Defense
– Administrative Safeguards
– Physical Safeguards
– Technology Safeguards
• Applying reasonable commercial efforts
• Phased progress towards established goals
• Audit state – Reset Objectives

Page 4

General Guidelines
• Keep yourself to higher standards than those required by HIPAA (consider the ever increasing pressure for security and privacy)
• Achieve compliance with reasonable efforts and budgets
– Centralize
– Standardize
– Use a phased approach
• Keep the broad picture in view
– Administrative Aspects
– Physical Security
– Technology
• It is not as hard as it might appear
– Standard techniques will get you a long way towards compliance
– Best practices are well known and skills are available
– The most complex aspects, such as intrusion detection, can be outsourced
• Never get complacent
– Ever changing threats and vulnerabilities
– Staff (in particular disgruntled employees) as the highest risk factor
– Development is a trade, maybe a science; information security is an art

Page 5

General Security Goals
• Confidentiality
– Authentication – you are who you say you are
– Authorization – you can do what your “role” permits
– Access on a need-to-know basis
• Integrity
– Accuracy of data
• Availability
– Access to data when it’s needed
– Access to systems when it’s needed
– Disaster Recovery and Business Continuity

Page 6

Dimensions of Security
• Administrative Safeguards
– Policy framework
– Procedures
– Awareness and other training
• Physical Safeguards
– Facilities
– Data Centers
– DR & BC
• Technology Safeguards
– Data Security
– System Security
– Network Security
– Application Security
– Development Safeguards

Page 7

Becoming Compliant
• Policies must be developed, communicated, maintained and enforced
• Processes and procedures that support, implement and illustrate the Policy Framework must be developed, communicated, maintained and enforced
• Systems, Facilities and Applications must be built to adhere to policies and procedures
• People must understand their responsibilities in the light of security policies
• Periodic Audits are mandatory to control, verify and enforce all the items above

Page 8

Getting There
• Level 0 – Some security is in place, no consistency
• Level 1 – Formally documented and disseminated policy framework, responsibilities assigned, compliance identified
• Level 2 – Formally documented processes and procedures for implementing security controls identified in the policy framework
• Level 3 – Security processes and procedures and ongoing controls are implemented

Page 9

Level 1 – Foundations
• Establish Organizational Commitment
– Info Security Committee / Office
– Chief InfoSec Officer
– Policy Officer
• Policy Framework – start with ~5 and get to 50+ policies, e.g.:
– InfoSec Philosophy
– Acceptable Use
– Cryptographic Security
– Email Policy
– Server Policy
– Incident Response Policy
– Audit Policy
• Basic technology steps, e.g.:
– User Authentication and Authorization
– Virus protection
– Data Center Firewalls

Page 10

Level 2 – Building upon Foundations
• Firm Organizational Commitment
– InfoSec Office / Staff
– InfoSec Budgets
– Basic separation of duties
• Supporting processes and procedures for each of the policies – SOPs and Standards, e.g.:
– Firewall standard
– Incident response SOP
– DR SOP for each critical component
– VPN standard
– Email archiving SOP
• Advanced technology measures, e.g.:
– Anti-virus / anti-spam centralized orchestration
– Network segregation
– Network access control lists

Page 11

Level 3 – Achieving Sustained Compliance
• Establish InfoSec Operations
– InfoSec Office / Staff / Budgets
– Sufficient separation of duties
– Periodic external audits
• Implemented, controlled (audited / tested) SOPs and Standards across the organization, e.g.:
– Core Policies, Processes and Procedures
– Disaster Recovery
– Business Continuity plans
• Established InfoSec operations across technology components, e.g.:
– Common desktop environment
– Tightly controlled access points
– Personal firewalls and wireless security
– Managed Security Monitoring
– Regular system and application scanning
– Regular InfoSec system audits including ethical hacking

Page 12

Protecting Information
• ePHI stands for Electronic Protected Health Information. It is any protected health information (PHI) which is created, stored, transmitted, or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
– The individual's past, present or future physical or mental health.
– The provision of health care to the individual.
– The past, present or future payment for health care.
• Data are “individually identifiable” if they include any of 18 types of identifiers (see notes for list), e.g.:
– Date of Birth
– Social Security Number
– License Plate
• Information Classification (e.g.: public, restricted, sensitive)
• Main information dissemination principle – Need-to-Know Basis
• Information Lifecycle
– Generation (data collection processes, devices, forms, screens, import, APIs, etc.)
– Processing (on servers within the data center, on personal equipment, reporting, analytics, etc.)
– In transit (from server to server in the data center, over the Internet, between organizations, etc.)
– Storage (on servers within the data center, on personal equipment, on backup devices, in offsite storage, etc.)
– Destruction (logical delete, physical delete, confirmed delete, physical device demolition)

Page 13

People – The weakest link in the chain
• Personnel Policies, e.g.:
– Hiring
– Security awareness training (on-going)
– Dismissal
• Never skip a Background Check
• SOPs, e.g.:
– New employee checklist
– Request for network access
– Escalation of privileges / revoking privileges
• Audits, e.g.:
– Clean desk policy / audits
– Drug testing
– Training attendance audits
• Segregation of Duties

Page 14

Defense in Depth: Technology Aspects
• Layered Security
– If a specific layer is compromised, that still doesn’t allow access to secured information
• Data Security, e.g.:
– Encrypting fields in a database
– HTTPS / SSL
– Backup encryption
• Application Functionality, e.g.:
– User ID rules (e.g. no all-numeric IDs, to avoid people using their SSN)
– Password rules (e.g. strong passwords and passphrases; note to keep a balance between usability and security)
– Role based access (Need-to-Know)
– Masking fields (e.g. passwords, CC numbers)
– Logging / Auditing / Notifications (e.g. email: “your Personal Health Record has been changed”)
• Building Secure Applications
– Preventing known vulnerabilities (e.g. SQL injection, cross-site scripting, etc.)
– Code standards and strict SDLC
– Audit and ethical hacking
• Network Security, e.g.:
– Servers
– Networking equipment
– Network Segregation
– Attack Prevention
– Intrusion Detection
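As an added example (not from the slides) of the Application Functionality and Building Secure Applications bullets above, the following Python module enforces the user ID rule, masks SSNs before display or logging, gates fields by role on a need-to-know basis, writes an audit entry, and looks up ePHI with a bound SQL parameter instead of string concatenation. The roles, table layout and patient records are constructed for the example.

```python
import logging
import re
import sqlite3

# Constructed sample records for the example; not real patient data.
SAMPLE_PATIENTS = [
    ("MRN-1001", "Pat Example", "123-45-6789", "1970-01-01"),
    ("MRN-1002", "Sam Sample", "987-65-4321", "1985-06-15"),
]

# Slide rule: no all-numeric user IDs, so nobody can pick their SSN as a login.
USER_ID_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9._-]{4,32}$")

def valid_user_id(user_id: str) -> bool:
    return USER_ID_RE.fullmatch(user_id) is not None

def mask(value: str, keep: int = 4) -> str:
    """Mask an SSN or card number down to its last `keep` digits (e.g. *****6789)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep:
        return "*" * len(digits)
    return "*" * (len(digits) - keep) + digits[-keep:]

# Need-to-know: each (hypothetical) role sees only the fields its job requires.
ROLE_FIELDS = {
    "clinician": {"mrn", "name", "dob"},
    "billing": {"mrn", "name", "ssn"},
}

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (mrn TEXT PRIMARY KEY, name TEXT, ssn TEXT, dob TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    return conn

def view_patient(conn: sqlite3.Connection, actor: str, role: str, mrn: str):
    """Return the fields `role` may see (SSN masked) and write an audit record."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} has no access to ePHI")
    # Bound parameter: the MRN is never spliced into the SQL text, so an
    # injection attempt such as "' OR '1'='1" simply matches no row.
    row = conn.execute("SELECT mrn, name, ssn, dob FROM patient WHERE mrn = ?", (mrn,)).fetchone()
    if row is None:
        return None
    record = dict(zip(("mrn", "name", "ssn", "dob"), row))
    record["ssn"] = mask(record["ssn"])  # the full SSN never leaves this function
    visible = {k: v for k, v in record.items() if k in allowed}
    # Audit trail (slide: logging / auditing / notifications); only masked values are logged.
    logging.getLogger("ephi.audit").info("actor=%s role=%s viewed %s", actor, role, visible)
    return visible
```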

Page 15

Availability: Technology Aspects
• Robust Service Level Agreements with all constituencies on the network
– Application Service Providers
– Hosting Centers
– Key Vendors (H/W, S/W, N/W)
• Key support contracts in place
– Maintenance
– Software Assurance
– Technical Support
• Redundancy
– Low level: H/W, N/W, Internet Connectivity
– System level: H/W, N/W, S/W
– Operational level: Processes and Procedures
• Disaster Recovery
– Low level: DR plan for each critical H/W and N/W component
– System level: Full system DR plan, backup, offsite storage
– Operational: Processes and Procedures
– Independent DR Data center
– Periodic testing of the DR Plan, in particular backup audits and verification
• Business Continuity
– BC Plan for each Critical Business Function
– BC Plan to cover several levels / classes of disaster
– Periodic testing of the BC Plan
• Availability Monitoring
– Redundant Internal Monitoring (systems, application, hardware)
– Independent External Monitoring
– Real time notifications / Dashboards