HIPAA & Information Security YOU CAN’T HAVE ONE WITHOUT THE OTHER


Page 1: HIPAA & Information Security · HIPAA COMPLIANCE ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the

HIPAA & Information Security

YOU CAN’T HAVE ONE WITHOUT THE OTHER

Page 2

KNOW THE HIPAA SECURITY RULE

The rule is defined as:

• The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.

• The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

• The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.

• The Security Rule calls this information “electronic protected health information” (e-PHI).

• The Security Rule does not apply to PHI transmitted orally or in writing.

Who Does The Security Rule Apply To?

The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

Business Associates:

• A third party administrator who assists a health plan with claims processing.

• A CPA firm whose accounting services to a health care provider involve access to protected health information.

• An attorney whose legal services to a health plan involve access to protected health information.

Page 3

USING ISO 27002 TO ASSIST WITH HIPAA COMPLIANCE

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security management.

Section 4 / 164.308(a)(1)(ii)(A)

• Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.

• The results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks.

• The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

Security Management Process - Section 5.1 / 164.308(a)(1)

Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Assigned Security Responsibility - Section 6.1.3 / 164.308(a)(2)

Allocation of information security responsibilities should be done in accordance with the information security policy (see clause 4). Responsibilities for the protection of individual assets and for carrying out specific security processes should be clearly identified.

This responsibility should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities.

Page 4

Workforce Security - Section 10.1.3 / 164.308(a)(3)(i)

Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

Information Security Awareness, Education, & Training - Section 8.2.2 / 164.308(a)(5)

All employees of the organization and, where relevant, contractors and third party users, should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

Access Authorization - Section 10.6.2 / 164.308(a)(5)(ii)(B)

Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Sanction Policy - Section 11.2.1 / 164.308(a)(1)(ii)(C)

There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Access Authorization - Section 11.3.1 / 164.308(a)(4)(ii)(B)

Users should be required to follow good security practices in the selection and use of passwords.

Access Authorization - Section 11.4.5 / 164.308(a)(4)(ii)(B)

Groups of information services, users, and information systems should be segregated on networks.

Information System Activity Review - Section 13.1.1 / 164.308(a)(1)(ii)(D)

Information security events should be reported through appropriate management channels as quickly as possible.

Page 5

“Employees & negligence are the leading cause of security incidents but remain the least reported issue.”

Experian 2015 Second Annual Data Breach Industry Forecast

Page 6

RISK ASSESSMENTS

Why Start with a Risk Assessment?

A risk assessment is a formalized process that determines:

• What assets are to be protected

• Where those assets reside

• Which threats affect those assets

• How the threats can affect those assets

• What cost will be incurred if the assets are affected

• How to deal with the threat: Mitigate, Transfer, Defer, Accept

• A risk assessment is NOT the same as a vulnerability assessment. A vulnerability assessment considers the likelihood that a threat could affect a given technology; it does NOT consider the cost of that effect or how to remediate the threat.

• A risk assessment takes into account the threat, the cost and the mitigation: Vulnerability x Threat (x Cost/Value) = Risk

“Breaches have cost the healthcare system an estimated $50 billion.”

19 Latest Healthcare Data Breaches: Health & CIO Review

Page 7

THE OCTAVE® APPROACH

The OCTAVE method is an approach used to assess an organization’s information security needs. The OCTAVE method is self-directed, flexible, and evolved. Using OCTAVE, small teams across business units and IT work together to address the security needs of the organization.

The method can be tailored to the organization’s unique risk environment, security and resilience objectives, and skill level. OCTAVE moves an organization toward an operational risk-based view of security and addresses technology in a business context.

Benefits of this method:

• Business-oriented and self-directed

• Defines a more structured method for evaluating risks

• Led by multi-disciplinary analysis team

• Leverages people’s knowledge of their organization’s security-related practices to capture the current state of security within the organization

• Improves the ease-of-use, adoption and repeatability

• Reduces resource commitment

• Performed in 8 steps

• Developed specifically for HIPAA Risk Assessments

Terms to Become Familiar With

Information Asset: Information in any form that is important to the organization. Information used in processes to achieve goals and mission.

Asset Container: Where information assets are stored, transported, or processed. It can be internal or external to the organization. There are 3 types of containers: Physical, Technical and People.

Area of Concern/Threat Scenario: An area of concern characterizes a threat that is unique to your organization and its unique operating conditions. Concerns are real-world threats. During assessment, threats are turned into a scenario.

Consequence: The effects on the organization (in terms of the criteria defined) if the threat scenario is realized.

Page 8

RISK ASSESSMENTS PROCESS

Before getting started with the process here are a few questions to consider:

• Where does the information exist (internal and external)?

• How does information flow within the organization?

• What worries you about the information?

• What policies and procedures exist within the organization?

The risk assessment process will take proper planning and a calculated approach. As you get closer to a point of execution, keep the following in mind:

• Risk Assessment is an ongoing, recurring process
  • No easy one-time fix

• Time commitments
  • Most risk assessments take 2-3 days PER information asset

• Changing environments
  • Risk Assessments must be done when significant changes occur or new technologies are used

• Staffing
  • Risk assessments should be performed by a representative group of employees at all levels of the organization
  • No single person or office has all the answers

• Management Buy-In
  • Risk assessment will fail if management doesn’t endorse and support the process

Page 9

Risk Assessment Components

Team Composition: Representative of entire organization

• Senior Management: Demonstrates corporate buy-in

• Senior Technical Staff: Provides technical skills

• Senior Non-Technical Staff: Provides insight into final usage of asset

• New Hires: Validates training

Remediation Development:

• Solution to threat may be technical or non-technical

• Cost to remediate should be less than cost of loss

Tracking Status:

• Must be able to demonstrate progress in reducing / mitigating threat

• Failure to act on known threat is, in itself, a threat to the organization

Data Gathering:

• Entire Organization: All parties using the asset, regardless of form or duration, must provide input into the risk assessment process

• Should be gathered in a defined and repeatable process (form-based systems are effective)

Risk Assessment Failure:

• Lack of Corporate Buy-in

• Examiners are giving findings for:
  • Lack of follow-up
  • Failure to appoint primary POC
  • Failure to provide adequate budget to do assessment
  • Failure to provide adequate budget to do remediation

Asset Analysis

Determine Threats:

• Internal vs. External

• Technical vs. Non-Technical

• Natural vs. Man-Made

Evaluate Costs:

• Disclosure

• Loss or Destruction

• Modification

• Inaccessibility
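Putting the slide's formula (Vulnerability x Threat x Cost = Risk), the four treatment options and the rule that remediation cost should be less than the cost of loss into a small risk register, as an added example that is not part of the original deck or of DDI's own tooling. The OCTAVE container types and the four cost categories come from the slides; the scenarios, their figures and the risk-acceptance threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Slide vocabulary: OCTAVE container types and the Asset Analysis cost categories.
CONTAINER_TYPES = ("Physical", "Technical", "People")
COST_CATEGORIES = ("Disclosure", "Loss or Destruction", "Modification", "Inaccessibility")

@dataclass
class ThreatScenario:
    asset: str            # OCTAVE information asset
    container: str        # Physical, Technical or People
    consequence: str      # which cost category the scenario realizes
    vulnerability: float  # 0..1 likelihood the threat succeeds against this asset
    threat: float         # 0..1 likelihood the threat occurs in the review period
    cost: float           # loss if the scenario is realized
    remediation_cost: float
    transferable: bool = False  # loss can be moved to a contract or insurer

    def __post_init__(self):
        assert self.container in CONTAINER_TYPES and self.consequence in COST_CATEGORIES
        assert 0.0 <= self.vulnerability <= 1.0 and 0.0 <= self.threat <= 1.0

def risk_score(s: ThreatScenario) -> float:
    """Vulnerability x Threat x Cost = Risk, as the slide states it."""
    return round(s.vulnerability * s.threat * s.cost, 2)

def choose_treatment(s: ThreatScenario, acceptance_threshold: float) -> str:
    """Mitigate / Transfer / Defer / Accept; the threshold is an assumed risk-acceptance criterion."""
    risk = risk_score(s)
    if risk <= acceptance_threshold:
        return "Accept"
    if s.remediation_cost < risk:  # cost to remediate must be below cost of loss
        return "Mitigate"
    if s.transferable:
        return "Transfer"
    return "Defer"                 # revisit at the next recurring assessment

def prioritize(scenarios, acceptance_threshold):
    """(risk, scenario, treatment) rows, highest risk first."""
    rows = [(risk_score(s), s, choose_treatment(s, acceptance_threshold)) for s in scenarios]
    return sorted(rows, key=lambda row: row[0], reverse=True)

# Constructed sample register; the figures are illustrative, not from the slides.
SAMPLE_SCENARIOS = [
    ThreatScenario("EHR database", "Technical", "Disclosure", 0.6, 0.5, 2_000_000, 150_000),
    ThreatScenario("Billing staff mailbox", "People", "Modification", 0.5, 0.8, 50_000, 10_000),
    ThreatScenario("Paper backup room", "Physical", "Loss or Destruction", 0.2, 0.1, 500_000, 200_000, True),
    ThreatScenario("Legacy PACS workstation", "Technical", "Inaccessibility", 0.4, 0.2, 100_000, 50_000),
    ThreatScenario("Clinic kiosk", "Technical", "Inaccessibility", 0.3, 0.1, 100_000, 80_000),
]
```

Calling `prioritize(SAMPLE_SCENARIOS, 5_000)` ranks the EHR database first and leaves the kiosk as Accept; the "Defer" rows are the ones the tracking-status slide warns about, since a known threat left untreated is itself a finding.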

Page 10

CONCLUSION

Whether you’re a small organization or a large healthcare organization, there is a universal truth… new network vulnerabilities are being discovered every day and it’s imperative to find them before someone else does. Vulnerability scanning is the cornerstone element to defend against the ever-increasing incidence of data breaches. Comprehensive security awareness education ensures that you and your staff can detect threats and protect your organization and its critical information assets. Combined, these two efforts provide you with actionable security intelligence and provide you a holistic view of the threats your organization is facing on a day-to-day basis.

Digital Defense, Inc. (DDI) is a premier provider of managed security risk assessment solutions protecting billions in assets for small businesses to Fortune companies in over 65 countries. DDI’s dedicated team of experts helps organizations establish a culture of security through regular information security assessments, awareness education and decisive security intelligence, helping our clients become better prepared to reduce risk and keep their information, intellectual property and reputations secure.

Page 12

9000 Tesoro Drive, Suite 100 San Antonio, TX 78217 | 888.273.1412 | www.ddifrontline.com