Uploaded by shanonnasoni
Security Risk Assessment and Disaster Recovery Plan
Implementing Security for HIPAA Privacy Compliancy
Ferre Institute Security Management
Security Controls, Plans, and Procedures
Concerns
World events have drawn attention to the need for technical and physical security. A culture that is increasingly litigious regarding privacy rights has raised awareness of the liabilities associated with failure to implement both physical and information security.
HIPAA
The US government has enacted federal legislation to regulate how private health information is handled and stored, including the transmission of email.
What Assets do We Need to Protect?
Ideally every single organizational asset should be examined and every conceivable risk should be evaluated.
• Physical infrastructure (doors, windows, building perimeter, etc.)
• Data Storage (paper/digital files, hard drives, file cabinets, etc.)
• Communications (email)
Dollar Amount of Losses by Type of Crime
How Should We Implement Security?
• We will look at all risks but address only a portion of them.
• We already have many security features in place but they are not enough.
• Can we financially afford this? Expenditures on resources to reduce risks will be proportional to the potential costs to the organization if the risks were to occur.
• Concerns will be addressed systematically over time.
• Everyone will be involved and will understand and be comfortable with all new security implementations.
Types of Security Available
Security Breaches
The following slides depict what can go wrong when security is overlooked.
Data Storage Issue
Dr. Evil has a plan to make one million dollars. He is going to break into Ferre Institute and steal the laptops and computers. He has decided to post the information he finds on the “HIPAAwikileaks” site. He is blackmailing us for one million dollars.
How did this happen?
How could this have been prevented?
• Locked doors, security system, better lighting, shades on the windows, and better perimeter security
• Robust password authentication on each component
• Encrypted data
What will happen now?
We have three options:
• We must pay Dr. Evil one million dollars.
• The information is leaked and we face the possibility of steep fines, jail time, and loss of reputation.
• We contact the authorities and face harsh public criticism, steep fines, jail time, and loss of reputation.
HIPAA Violations
HIPAA-imposed penalties can range from $100 per violation, up to $25,000 per year for each requirement violated. Violations can be both civil and criminal; criminal penalties can include fines of up to $250,000 and imprisonment for up to 10 years.
Locks work...why bother with the rest?
Diane is called away from her desk to go over billing with a patient. She leaves her computer on but logs off, and walks away. In the meantime, our new employee Frau, who works undercover for Dr. Evil, gets onto Diane’s computer, guesses her easy password, and downloads all of the files. She then erases all of the drives, sabotages the hard drive, and changes the password.
How did this happen?
We trusted an imposter and took security for granted.
We did not utilize best practices in maintaining the appropriate local security policy features on our computers.
Passwords should never be easy enough to guess.
We did not encrypt any of our digital data.
So...All We Need To Do Is.....
• Encrypt our data.
• Secure the physical perimeter with locks and various security methods.
• Password protect our computers and use additional authentication features that protect against unauthorized viewing.
Right?
Wrong!
Again, Diane has left her desk and gone upstairs. This time she knows that she has a difficult password and feels confident logging off of her computer; she closes all the encrypted data files and locks the door when no one is in the office. However, many files are sitting in various locations because they need to be scanned or are stacked up for Luba to take with her in the morning.
Frau
Although disappointed with our new security features, Frau sees another BIG opportunity to make Dr. Evil happy. Upon entering the office, she gathers all of the files together and takes them with her. We find out later that our patients’ identities have been stolen because we allowed Frau to steal that information so easily.
How did this Happen?
We thought we had done some critical security upgrades. We employed encryption and upgraded authentication. We put locks on the doors and windows.
However, we forgot to train everyone in “good housekeeping” skills. The simplest and least expensive process was completely overlooked.
Concept of in-the-clear Email Communication
This is similar to the postal mailing of a postcard. Both the sender and receiver can view the message, as well as anyone that intercepts it. This is as easy to do as reaching into a mailbox and taking the postcard.
Intercepting Email Transmissions
A mail message bound for an external client may cross 3 to 10 or more ISPs before reaching its final destination. A message can be intercepted at any one of these points. This means that anyone can view, edit, or copy the message before it reaches its final destination.
Bob, Sue, and Victor
Bob sends Sue an email instructing her that he will meet her at the airport at 3pm on Sunday for a business trip. Victor (the evil hacker) is able to intercept the message while it travels through several relay points, and prior to it being received in Sue’s message box.
Victor changes the message to inform Sue that the trip was cancelled and to take the week off. Sue receives the message, unaware that it has been altered.
On Sunday Bob misses his flight while he waits for Sue.
CIA and Why it is Important
Confidentiality, Integrity, and Authentication
Bob and Sue now understand the importance of encrypting email messages. The message confidentiality was compromised when Victor was able to view it. The integrity of the message was damaged when Victor was able to change the message and send it on to Sue. The message authenticity was also compromised since Sue assumed it was genuine and sent from Bob; she had no way of knowing that the message was tampered with by Victor, who leaves no footprint behind.
Why do we need encryption?
Does anyone know why we would need encryption in this circumstance?
Mark receives an email from Jane through our online PRN form. Jane is worried about how her prescribed use of oxycontin will affect her unborn child. Jane does not list an address, last name, or any other personally identifiable information.
Email Tracing
There are many ways to trace back an email, and locate an individual. Today’s criminal uses a variety of technological tools and expertise to commit common crimes such as robbery, burglary, and murder.
How safe do you think Jane is now, especially after explaining that she has a prescription for oxycontin?
The chance of a crime occurring is remote, but it still exists.
What can be done?
Email Encryption
There are several email encryption models that can be utilized to meet HIPAA compliancy. We will investigate desktop applications, Bluehost domain mail server options, and an ASP service option, which is a subscription based service provider.
In a Nutshell....
There is a need for access controls, integrity checks, authentication, and related control processes that ensure confidentiality, integrity, and authentication of email and stored data.
What is this all about?
We are embarking on an organizational security analysis project for the purpose of creating a Security Policy and Disaster Recovery Policy. The Security Policy will cover physical and technological infrastructure security necessary for meeting HIPAA compliancy. The Disaster Recovery Policy is a necessary component of the Security Policy and will provide provisions for operating under a disaster and recovery situation.
The Challenges
Government mandates have made security a stated priority in the healthcare industry.
There is often a culture of status quo within healthcare settings, making cooperation in addressing security issues hard to manage.
In addition to data security, there is a great need for physical security, since healthcare settings have a number of publicly accessible areas.
There is no recognized single standard component that integrates security, making this a multi-dimensional project that will require the cooperation of everyone.
Team Effort
Particular individuals with specific knowledge required for the scope of this security process will be appointed.
• Chief Information Officer (CIO): Shanon Nasoni
• Information Security Officer (ISO): Adrienne Sullivan
The Security Steering Committee should be comprised of personnel who are members of departments in the primary areas concerned with HIPAA... in our case this will be the whole organization.
• Formal risk assessment
• Physical safeguards: facility access control, workstation use and security, device and media controls
• Technical safeguards: access control, audit control, data authentication and integrity, and encryption
Implementation
Threat Assessment Plan
Set up a steering committee
Obtain information and assistance
Identify all possible threats
Determine likelihood of each threat
Approximate direct costs
Consider cascading costs (costs of fire-extinguishers in building vs. cost of fire)
Prioritize the threats
Complete the threat assessment report
Prioritization Scale
Determine how best to address action items.
Consider costs and benefits, and evaluate risk.
Test various applications and procedures and make recommendations.
Develop a timeline and address immediate concerns first.
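As an added worked example (not part of the original slides), the threat assessment steps and prioritization scale above are turned into a small risk register in Python: each threat gets an estimated yearly likelihood, a direct cost, a cascading cost (fines, reputation) and a proposed control, the report ranks threats by expected annual loss, and it flags whether spending on each control is proportional to the loss it prevents. The threat names, probabilities and dollar figures are constructed for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Threat:
    """One row of the threat assessment report (all figures are constructed estimates)."""
    name: str
    likelihood: float       # estimated probability of the threat occurring in one year
    direct_cost: float      # immediate loss if it occurs (replacement, downtime)
    cascading_cost: float   # follow-on loss: HIPAA fines, notification, reputation
    control: str            # proposed countermeasure
    control_cost: float     # yearly cost of that countermeasure

    def expected_loss(self) -> float:
        """Expected annual loss = likelihood x (direct cost + cascading cost)."""
        return self.likelihood * (self.direct_cost + self.cascading_cost)

    def worth_funding(self) -> bool:
        """Spend in proportion to potential cost: fund the control only if it costs less than the loss it prevents."""
        return self.control_cost < self.expected_loss()

def prioritize(threats: list[Threat]) -> list[Threat]:
    """Rank threats by expected annual loss, highest first (the prioritization scale)."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)

def assessment_report(threats: list[Threat]) -> list[tuple[str, float, bool]]:
    """Rows of (threat, expected annual loss, fund the control?) in priority order."""
    return [(t.name, round(t.expected_loss(), 2), t.worth_funding())
            for t in prioritize(threats)]

# Constructed threat register built from the scenarios in the slides; every figure is illustrative.
THREATS = [
    Threat("Laptops and computers stolen from the office", 0.10, 20_000, 250_000,
           "Locks, alarm system, disk encryption", 4_000),
    Threat("Insider guesses a weak workstation password", 0.20, 5_000, 100_000,
           "Password policy and automatic screen lock", 500),
    Threat("Paper files left out overnight are taken", 0.30, 1_000, 100_000,
           "Housekeeping training and locked cabinets", 300),
    Threat("Email containing PHI read in transit", 0.25, 0, 50_000,
           "Email encryption service", 1_200),
    Threat("Office fire destroys records", 0.01, 150_000, 200_000,
           "Fire extinguishers plus offsite backups", 2_500),
    Threat("After-hours break-in through the roof", 0.005, 20_000, 250_000,
           "24-hour on-site security guard", 40_000),
]

if __name__ == "__main__":
    for name, loss, fund in assessment_report(THREATS):
        print(f"{name:48} expected loss ${loss:>10,.2f}  fund control: {fund}")
```

Note that the cheapest control (housekeeping training) lands at the top of the list, matching the slide's point that the simplest process is the one most easily overlooked, while the expensive guard is rejected because its cost exceeds the loss it would prevent.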
Disaster Recovery Plan
As part of this project, a Disaster Recovery Plan will be implemented. This is a considerably large project that will be time-consuming. Rather than addressing this project in its entirety now, we will only address a few critical aspects that are essential to building our security policy and then move on to finish the Disaster Recovery Policy last.
Essential Elements of Disaster Recovery That We Need to Think about Now.
Data (who, what, where, when, why, and how):
Who will store the data? What data will be stored? Where will the data be stored? When will it be stored? Why is it being stored? How is the data being stored?
Hardware/software (who, what, where, when, why, and how):
Who will store hardware/software backups? What equipment and software should be used for backup? Where will it be stored? When will it be stored? Why should it be stored? How is it going to be stored?
Conclusion
By implementing both a Security Policy and a Disaster Recovery Policy we are embarking on a joint effort to raise the operational standards of Ferre Institute. These standards will serve as a benchmark for future policy implementations and will also demonstrate a renewed dedication to our clients, employees, and funding sources.
This project will also serve as a valuable learning experience for the staff and has the potential to raise our awareness of physical security, data security, and the use of new technologies, while also providing a macro view of the Institute.