FishNet Security's managed service around HIPAA Compliance
Securely Enabling Business

ThreatDetect and HIPAA Compliance
By Brian Rohlena, Director - Managed Security Services

ID# 12WP0005 | Last Modified 02.14.2012 | © 2012 FishNet Security. All rights reserved.
Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406
Copyright
The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability.
Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished.
Copyright © 2012 FishNet Security, Inc. All rights reserved. The FishNet Security logo is a registered trademark of FishNet Security. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.
Version Control

Incident Response
Document Issue Number: 1.0 (Draft)
Document Creator: Brian Rohlena
Delivery Date: 2.6.2012
Data Classification: Public
Table of Contents

• ThreatDetect and HIPAA Compliance
• 4.1 Security Management Process
• 4.6 Security Incident Procedures
• 4.14 Access Control
• 4.15 Audit Controls
• 4.16 Integrity
ThreatDetect and HIPAA Compliance
The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that personal information stored, accessed or processed adheres to a set of guidelines or “security rules.” These rules outline security measures that should be implemented to adequately secure all electronic protected health information (EPHI). The Secretary of Health and Human Services enforces this law. Noncompliance can lead to civil monetary penalties and public distrust.
The collection, management and analysis of log data is integral to meeting many HIPAA requirements. The use of ThreatDetect directly meets some requirements and decreases the cost of complying with others. IT environments consist of heterogeneous devices, systems and applications all reporting log data. Millions of individual log entries can be generated daily if not hourly. The task of organizing this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly.
ThreatDetect can help. Log collection, archiving and recovery are fully automated across the entire IT infrastructure. ThreatDetect automatically performs the first level of log analysis: log data is categorized, identified and normalized for easy analysis and reporting. ThreatDetect’s alerting capability automatically identifies the most critical issues and notifies the relevant personnel. With the click of a mouse, ThreatDetect’s out-of-the-box HIPAA reporting packages ensure you meet your reporting requirements.
The National Institute of Standards and Technology (NIST) Special Publication 800-66 provides guidance for meeting HIPAA Standards. The remainder of this paper lists the applicable standards ThreatDetect can help address. For each standard, an explanation of how ThreatDetect supports compliance is provided.
Learn how ThreatDetect’s comprehensive log management and analysis solution can help your organization meet or exceed HIPAA regulatory requirements.
ThreatDetect Compliance Support for HIPAA

The table below outlines each HIPAA Standard and associated Security Rule that ThreatDetect helps to address. The “Compliance Requirements” were taken directly from NIST Special Publication 800-66 titled “An Introductory Resource Guide for Implementing the HIPAA Security Rule.” These columns briefly describe the “key activities” and “descriptions” that are necessary to reach compliance. The “How ThreatDetect Supports Compliance” column describes the capabilities ThreatDetect provides that help a company achieve compliance. In some cases, ThreatDetect can be used to directly meet the compliance requirement; in others, ThreatDetect helps verify the compliance requirement is met and/or reduces the cost of meeting the requirement.
Administrative Safeguards
4.1 Security Management Process (§ 164.308(a)(1))
HIPAA Standard: Implement policies and procedures to prevent, detect, contain and correct security violations.

Key Activity: Develop and Deploy the Information System Activity Review Process

Description:
• Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.

How ThreatDetect Supports Compliance:
ThreatDetect provides centralized monitoring, analysis and reporting of audit activity across the entire IT infrastructure. ThreatDetect automates the process of identifying high-risk activity and prioritizes it based on asset risk. High-risk activity can be monitored in real time or alerted on. ThreatDetect reports provide easy and standard review of inappropriate, unusual and suspicious activity.

Example Reports:
• Audit Failures by User
• Audit Failures by Host
• Suspicious Activity by User
• Suspicious Activity by Host
• Top Suspicious Users
• Top Targeted Hosts
• Top Targeted Applications

Key Activities: Develop Appropriate Standard Operating Procedures; Implement the Information System Activity Review and Audit Process

Description:
• Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.
• Activate the necessary review process and begin auditing and logging activity.

How ThreatDetect Supports Compliance:
ThreatDetect collects and analyzes log data from operating systems, applications and databases. This includes logs from intrusion detection/prevention systems, anti-virus systems, firewalls and other security devices. All log data is normalized, centrally stored and secured for easy exception-based reporting. ThreatDetect can correlate activity across user, origin host, impacted host, application and more. ThreatDetect reports provide easy and standard review of inappropriate, unusual and suspicious activity.

Example Reports:
• Audit Failures by User
• Audit Failures by Host
• Suspicious Activity by User
• Suspicious Activity by Host
• Top Suspicious Users
• Top Targeted Hosts
• Top Targeted Applications

ThreatDetect’s Personal Dashboard provides customized real-time monitoring of event activity and alerts. ThreatDetect’s Investigator provides deep forensic analysis of intrusion-related activity. ThreatDetect’s integrated knowledge base provides information and references useful in responding to and resolving intrusions.
Administrative Safeguards
4.6 Security Incident Procedures (§ 164.308(a)(6))
HIPAA Standard: Implement policies and procedures to address security incidents.

Key Activities: Determine Goals of Incident Response; Develop and Implement Procedures to Respond to and Report Security Incidents

Description:
Gain an understanding of what constitutes a true security incident. Under the HIPAA Security Rule, a security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system (45 CFR § 164.304).
• Determine how the organization will respond to a security incident.
• Establish a reporting mechanism and a process to coordinate responses to the security incident.
• Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups as needed.
• Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
• Document incident response procedures that can provide a single point of reference to guide the day-to-day operations of the incident response team.
• Review incident response procedures with staff with roles and responsibilities related to incident response, solicit suggestions for improvements, and make changes to reflect input if reasonable and appropriate.

How ThreatDetect Supports Compliance:
ThreatDetect’s alerting capability can detect and notify individuals of activity that may constitute an incident. ThreatDetect’s analysis capabilities provide quick and easy analysis of activity to determine root cause and impact.

ThreatDetect’s notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. ThreatDetect reports provide summary and detail-level reporting of incident-based alerts.

ThreatDetect’s Investigator and reporting capabilities facilitate the documentation efforts for incident response procedures. ThreatDetect’s integrated knowledge base provides information useful in responding to and resolving the incident.
Technical Safeguards
4.14 Access Control (§ 164.312(a)(1))
HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (EPHI) to allow access only to those persons or software programs that have been granted access rights.

Key Activity: Review and Update User Access

Description:
• Enforce policy and procedures as a matter of ongoing operations.
• Determine if any changes are needed for access control mechanisms.
• Establish procedures for updating access when users require the following:
  o Initial access.
  o Increased access.
  o Access to different systems or applications than those they currently have.

How ThreatDetect Supports Compliance:
ThreatDetect reports provide easy review of permissions granted to ensure access rights have been terminated and/or appropriately modified.

Example Reports:
• Access Granted/Revoked by User
• Access Granted/Revoked by Host
• Access Granted/Revoked by Application

Key Activity: Terminate Access if it is No Longer Required

Description:
• Ensure access to EPHI is terminated if the access is no longer authorized.

How ThreatDetect Supports Compliance:
ThreatDetect reports provide easy review of terminated personnel to ensure access rights have been removed. ThreatDetect alerts can detect the use of accounts that should have been terminated.

Example Reports:
• Disabled/Removed Account Summary
• Disabled/Removed Accounts by Host
• Disabled/Removed Accounts by Application
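The "use of accounts that should have been terminated" alert described above, written out as an added example (this is not ThreatDetect code and is not from the whitepaper). It correlates a de-provisioning list against normalized authentication-success events, tolerates a documented provisioning lag, and rolls the findings up the way a Disabled/Removed Account Summary report would. All users, hosts, addresses and dates are constructed.

```python
from datetime import datetime, timedelta

# Constructed data (not real): a directory/HR feed of accounts that should have
# been disabled (user -> termination date) and authentication-success events
# already normalized by the log platform into a common schema.
TERMINATED_ACCOUNTS = {
    "jsmith": datetime(2012, 2, 1),
    "contractor7": datetime(2012, 1, 15),
}

AUTH_SUCCESS_EVENTS = [
    {"time": datetime(2012, 1, 30, 9, 5), "user": "jsmith", "host": "ehr-app02", "origin": "10.0.7.12"},
    {"time": datetime(2012, 2, 3, 22, 41), "user": "jsmith", "host": "ehr-db01", "origin": "203.0.113.5"},
    {"time": datetime(2012, 2, 4, 8, 0), "user": "nurse_kp", "host": "ehr-app02", "origin": "10.0.7.44"},
    {"time": datetime(2012, 2, 6, 1, 12), "user": "contractor7", "host": "billing01", "origin": "10.0.9.8"},
]


def terminated_account_use(events, terminated, grace_hours=0):
    """Alert rule: a successful logon by an account after its termination date.
    grace_hours tolerates a documented de-provisioning lag so the rule does not
    fire on logons that happened before the account could reasonably be disabled.
    Logons before the termination date are normal activity and are ignored."""
    findings = []
    for e in events:
        cutoff = terminated.get(e["user"])
        if cutoff is not None and e["time"] > cutoff + timedelta(hours=grace_hours):
            findings.append({**e, "terminated_on": cutoff})
    return findings


def disabled_account_summary(findings):
    """Rollup in the spirit of a 'Disabled/Removed Account Summary' report:
    user -> (post-termination logon count, set of hosts reached), so the
    reviewer sees the scope of the problem rather than one alert at a time."""
    summary = {}
    for f in findings:
        count, hosts = summary.get(f["user"], (0, set()))
        summary[f["user"]] = (count + 1, hosts | {f["host"]})
    return summary
```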
Technical Safeguards
4.15 Audit Controls (§ 164.312(b))
HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Key Activities: Develop Appropriate Standard Operating Procedures; Implement the Audit/System Activity Review Process

Description:
• Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.
• Activate the necessary audit system.
• Begin logging and auditing procedures.

How ThreatDetect Supports Compliance:
ThreatDetect can collect logs from intrusion detection/prevention systems, anti-virus systems, firewalls and other security devices. ThreatDetect provides central analysis and monitoring of intrusion-related activity across the IT infrastructure. ThreatDetect can correlate activity across user, origin host, impacted host, application and more. ThreatDetect can be configured to identify known bad hosts and networks. ThreatDetect’s Personal Dashboard provides customized real-time monitoring of event activity and alerts. ThreatDetect’s Investigator provides deep forensic analysis of intrusion-related activity. ThreatDetect’s integrated knowledge base provides information and references useful in responding to and resolving intrusions. ThreatDetect reports enable easy and standard review of exceptions.

Example Reports:
• Access Granted/Revoked by User
• Access Granted/Revoked by Object
• Successful/Failed File Access by User
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User
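The normalization and exception reporting that sections 4.1 and 4.15 describe, as an added example (not ThreatDetect code and not from the whitepaper): two vendor log formats are mapped onto the common user / origin host / impacted host / outcome schema, unrecognised lines are left aside, and the normalized events are rolled up into Audit Failures by User, Top Targeted Hosts and Successful/Failed Host Access by User reports. The log lines, hostnames and addresses are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real captures): a Linux sshd syslog format
# and a flattened Windows security event format, two of the heterogeneous
# sources a log platform must normalize before it can report across them.
SAMPLE_LOGS = [
    "Mar 10 08:01:12 ehr-db01 sshd[2211]: Failed password for jsmith from 10.0.5.23 port 51022 ssh2",
    "Mar 10 08:01:15 ehr-db01 sshd[2211]: Failed password for jsmith from 10.0.5.23 port 51023 ssh2",
    "Mar 10 08:02:40 ehr-db01 sshd[2230]: Accepted password for dba_ops from 10.0.5.9 port 51100 ssh2",
    "2012-03-10T08:03:01 host=EHR-APP02 EventID=4625 TargetUserName=jsmith IpAddress=10.0.5.23",
    "2012-03-10T08:03:30 host=EHR-APP02 EventID=4624 TargetUserName=nurse_kp IpAddress=10.0.7.44",
    "2012-03-10T08:04:02 host=EHR-APP02 EventID=4625 TargetUserName=admin IpAddress=10.0.5.23",
    "2012-03-10T08:04:09 host=EHR-APP02 EventID=4688 NewProcessName=notepad.exe",  # not an auth event
]

SSHD_RE = re.compile(r"^\S+ +\d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
                     r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"host=(?P<host>\S+) EventID=(?P<id>4624|4625) "
                    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")


def normalize(line):
    """Map one raw line onto the common schema (user, origin host, impacted
    host, outcome). Returns None for lines neither parser recognises."""
    m = SSHD_RE.search(line)
    if m:
        return {"user": m["user"], "origin": m["src"], "impacted": m["host"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = WIN_RE.search(line)
    if m:
        return {"user": m["user"], "origin": m["src"], "impacted": m["host"],
                "outcome": "success" if m["id"] == "4624" else "failure"}
    return None


def audit_failures_by_user(events):
    """'Audit Failures by User': user -> number of failed authentications."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")


def top_targeted_hosts(events):
    """'Top Targeted Hosts': impacted host -> failed authentications, most first."""
    return Counter(e["impacted"] for e in events if e["outcome"] == "failure").most_common()


def host_access_by_user(events):
    """'Successful/Failed Host Access by User': user -> host -> outcome counts."""
    table = defaultdict(lambda: defaultdict(Counter))
    for e in events:
        table[e["user"]][e["impacted"]][e["outcome"]] += 1
    return table


def build_reports(lines):
    """Normalize raw lines, drop the unparsed ones, and build the three reports."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, audit_failures_by_user(events), top_targeted_hosts(events), host_access_by_user(events)
```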
About FishNet Security

We focus on the threat so you can focus on the opportunity.

FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. For more information about FishNet Security, visit www.fishnetsecurity.com, www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.
Technical Safeguards
4.16 Integrity (§ 164.312(c)(1))
HIPAA Standard: Implement policies and procedures to protect electronic protected health information (EPHI) from improper alteration or destruction.

Key Activity: Identify All Users Who Have Been Authorized to Access EPHI

Description:
• Identify all approved users with the ability to alter or destroy data, if reasonable and appropriate.
• Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2, below.

How ThreatDetect Supports Compliance:
ThreatDetect collects all access activity and changes to access controls. ThreatDetect reports provide easy and independent review of access control settings and enforcement.

Example Reports:
• Access Granted/Revoked by User
• Access Granted/Revoked by Object
• Successful/Failed File Access by User
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User

Key Activity: Implement Procedures to Address these Requirements

Description:
• Identify and implement methods that will be used to protect the information from modification.
• Identify and implement tools and techniques to be developed or procured that support the assurance of integrity.

How ThreatDetect Supports Compliance:
ThreatDetect’s file integrity monitoring capability can be used to detect, report and/or alert on the following changes to the file system:
• Additions
• Modifications
• Deletions
• Permissions

This capability can be used to detect unauthorized alteration and destruction of information.
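The four change types that file integrity monitoring reports on, shown with an added baseline-and-compare example (this is not ThreatDetect's implementation and is not from the whitepaper). A snapshot records a content hash and the permission bits for every file, so that a content change and a permission change are classified separately; the demo builds a constructed directory with one of each change type in a temporary location.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Baseline of a directory tree: relative path -> (SHA-256 of contents,
    permission bits). Both are recorded so content changes and permission
    changes can be told apart."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(full, root)] = (digest, stat.S_IMODE(os.stat(full).st_mode))
    return base


def compare(before, after):
    """Classify the differences between two snapshots into the four change
    types listed above. A file appears in both 'modifications' and
    'permissions' if its contents and its mode both changed."""
    changes = {"additions": sorted(after.keys() - before.keys()),
               "deletions": sorted(before.keys() - after.keys()),
               "modifications": [], "permissions": []}
    for path in sorted(before.keys() & after.keys()):
        old_hash, old_mode = before[path]
        new_hash, new_mode = after[path]
        if old_hash != new_hash:
            changes["modifications"].append(path)
        if old_mode != new_mode:
            changes["permissions"].append(path)
    return changes


def demo():
    """Constructed scenario in a temporary directory with one of each change type."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("patients.csv", b"id,name\n1,A\n"),
                           ("config.ini", b"[db]\nhost=localhost\n"),
                           ("old.log", b"rotated\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o640)
        before = snapshot(root)

        with open(os.path.join(root, "patients.csv"), "ab") as fh:   # modification
            fh.write(b"2,B\n")
        os.chmod(os.path.join(root, "config.ini"), 0o444)            # permission change
        os.remove(os.path.join(root, "old.log"))                     # deletion
        with open(os.path.join(root, "export.sql"), "wb") as fh:     # addition
            fh.write(b"-- exported rows\n")
        return compare(before, snapshot(root))
```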