
HIPAA Overview






Presentation Transcript


  1. HIPAA Overview Overview of Technologies in the Health Care Organization

  2. Security is a Balance
     • Risk vs. Access
     • Tightest Security (not useful)
       • Write-only databases
       • Passwords too complex to remember
     • Weakest Security (not protected)
       • No logins or passwords
       • Systems available to the public
       • Full privileges for all!

  3. Establishing A Balance
     • Risk Assessment
       • Identify critical systems and data
       • Determine the threats
       • Analyze the risks
       • Assess the impact of the threats
       • Question: Do you think the risks in healthcare are similar to other industries?
     • Risk Management
       • Take proactive measures to reduce risk
       • Make policy decisions
       • Have a mitigation plan for security incidents

  4. HIPAA Security
     • Governs health care “covered” entities and now Business Associates as well
     • Requires certain levels of security and documentation
     • Strong emphasis on control processes and audits
     • Few technical “rules” or methods
     • HIPAA Security covers:
       • Administrative Safeguards
       • Physical Safeguards
       • Technical Safeguards

  5. HIPAA
     • Administrative Safeguards
       • Risk analysis and management
       • Workforce (user) management
       • Security awareness training
       • Contingency planning
     • Physical Safeguards
       • Facility access
       • Workstation use and security
       • Device and media controls

  6. HIPAA
     • Technical Safeguards
       • Unique user IDs
       • Automatic log-off
       • Encryption
       • Auditing
       • Data integrity controls

  7. HIPAA (New regulations)
     • Were effective January 25, 2013, but compliance with most of this is not required until September 23, 2013. In the case of Business Associate and Data Use agreements the date is September 23, 2014 unless they are updated in the interim.
     • Breach Notification
       • HHS has eliminated the harm threshold, under which notice of a security breach would only be required if the breach posed a significant risk of harm to affected individuals.
     • Business Associates
       • Much of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors.
     • Enforcement and Penalties
       • HHS has retained the high penalty structure currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per-provision basis.

  8. HIPAA (New regulations)
     • Privacy Requirements
       • The final rules address multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient's care or payment for care, and disclosures of student immunization records.
     • Genetic Information
       • To implement the Genetic Information Nondiscrimination Act, HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes.

  9. HIPAA Considerations
     • HIPAA is a “floor” for security
     • Most of the language in the regulation is very vague and open to interpretation
     • Organizations must assess how to meet the requirements and addressable items
     • The Department of Health and Human Services Office for Civil Rights has been performing audits of healthcare organizations since November 2011

  10. Security Areas
     • Physical Security
     • System Security
     • Application and Data Security
     • Operational Security

  11. Physical Security
     • Protect computers, media and data
     • High risk areas:
       • Computer room
       • Network closets
       • Telephone closets
     • Facility Security
       • Keys, lighting, keypad locks, etc.
       • Visitor control

  12. System Security
     • Network
       • Firewalls
       • Intrusion Detection
       • Network Monitoring
       • Signature-based virus detection
       • Controlling Internet access by proxy servers (outbound) and creating a DMZ (inbound)
     • Servers
       • Software firewalls
       • Virus protection
       • Limiting system administrators
       • Controlling vendor access

  13. System Security
     • Workstations
       • Physical location
       • Virus protection
       • Spyware/Malware
       • Software firewalls
       • Limiting elevated privileges
       • Question: How much more likely are systems to be infected when users have elevated privileges?
     • PDAs and Smart Phones
       • Known as the BYOD (Bring Your Own Device) issue
       • Really are workstations

  14. Application & Data Security
     • Authentication
       • Effective user authentication and passwords
       • Password complexity increases greatly with additional characters or length
       • Two factor vs. single factor authentication
         • Single factor: Something you know (password) or something you have (key)
         • Two factor: Something you know plus something you have (ATM card plus PIN)
       • Biometrics
         • Such as fingerprint, retinal scan, voice matching, etc.
         • A characteristic of someone, which is really something you “have”

  15. Application & Data Security
     • Authentication (continued)
       • Deterministic vs. Probabilistic
         • Deterministic – Can be determined to be true with mathematical certainty
         • Probabilistic – Likely to be true using probability
         • Question: Biometrics are? Passwords are?
         • Question: What is the best security?
       • Single sign-on
         • Single user authentication which then allows for immediate access to other applications
         • Applications must either cooperate on security or “connectors” must be written

  16. Application & Data Security
     • System Parameters
       • Automatic timeout
       • Application lockout after x login attempts
       • Audit capabilities
     • User Roles and Privileges
       • Ability to view, add, modify or delete data
       • Question: Which privilege requires the most scrutiny?
     • Privileges
       • Restrict access to certain functions
       • Restrict access to certain data sets
       • System administration
         • Update dictionaries
         • Manage security
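The controls on this slide are easier to reason about when they sit together in one small piece of code. The following Python sketch is an added example, not code from the presentation: it implements lockout after a fixed number of failed logins, an automatic idle timeout, an audit record for every security decision, and a view/add/modify/delete privilege set per role. The limit of five attempts (the slide's "x"), the 15-minute timeout, the role names and the privilege assignments are all assumptions chosen for illustration.

```python
"""Added illustration of slide 16's system parameters and role privileges.
Hypothetical code; constants and role names are assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_LOGINS = 5        # the slide's "x" (assumption)
IDLE_TIMEOUT_SECONDS = 900   # automatic timeout after 15 idle minutes (assumption)

# Role -> privileges. Delete is granted most narrowly: it is the privilege
# that needs the most scrutiny because it destroys the record and its history.
ROLE_PRIVILEGES = {
    "clerk": {"view"},
    "nurse": {"view", "add"},
    "physician": {"view", "add", "modify"},
    "records_admin": {"view", "add", "modify", "delete"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen table does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    last_activity: float


class AppSecurity:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}
        self.audit_log = []  # audit capability: every decision leaves a record

    def _audit(self, event, user, **detail):
        self.audit_log.append({"ts": time.time(), "event": event, "user": user, **detail})

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, role, salt, hash_password(password, salt))

    def login(self, username, password, now):
        """Returns a Session on success, None otherwise. `now` is injected for testability."""
        acct = self.accounts.get(username)
        if acct is None:
            self._audit("login_failed", username, reason="unknown user")
            return None
        if acct.locked:
            self._audit("login_rejected", username, reason="account locked")
            return None
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True  # lockout: stays locked until an administrator resets it
                self._audit("account_locked", username, attempts=acct.failed_logins)
            else:
                self._audit("login_failed", username, attempts=acct.failed_logins)
            return None
        acct.failed_logins = 0
        self.sessions[username] = Session(username, now)
        self._audit("login_ok", username)
        return self.sessions[username]

    def authorize(self, username, action, now):
        """Checks the idle timeout first, then the role's privileges."""
        sess = self.sessions.get(username)
        if sess is None:
            self._audit("denied", username, action=action, reason="no session")
            return False
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[username]  # automatic timeout
            self._audit("session_timeout", username, action=action)
            return False
        sess.last_activity = now
        allowed = action in ROLE_PRIVILEGES[self.accounts[username].role]
        self._audit("allowed" if allowed else "denied", username, action=action)
        return allowed
```

Because `login` and `authorize` take the clock as a parameter, the lockout and timeout paths can be exercised without waiting, and the audit log can be inspected after each scenario to confirm that every rejection, lockout and timeout was recorded.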

  17. Application & Data Security
     • Security Management
       • Centralized vs. Decentralized?
       • Depends on the application
       • Best Practice: Centralized control with decentralized authorization

  18. Application & Data Security
     • Encryption
       • Early cryptography led to the development of computers!
       • WWII Era
         • German Enigma
         • Bombe
         • Turing Machine
         • Colossus
       • Depends on algorithms (ciphers) and keys (string of bytes)
         • Ciphers: Triple DES, AES, etc.
         • Keys: Size in bits

  19. Application & Data Security
     • Symmetrical vs. Asymmetrical Keys
       • Symmetric: Encrypting key is used for decrypting
       • Asymmetrical: Key pair is created, one for encryption and another for decryption
     • Public Key Infrastructure (PKI)
       • Third parties that issue public-private key pairs and publish the public keys
       • Public keys are used to encrypt and private keys to decrypt messages
     • At Rest vs. In Transit
       • Password protecting a file = At rest
       • Secure web site transactions (SSL) = In transit
       • Question: How many credit card numbers have been stolen from SSL protected sites while in transit?
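The distinction on this slide, one shared key versus a pair of which one encrypts and the other decrypts, is shown concretely below. This is an added teaching example, not code from the presentation, and it is deliberately a toy: the symmetric part derives a keystream from SHA-256 rather than using AES or Triple DES, and the asymmetric part is textbook RSA with the tiny primes 61 and 53, so neither is fit for protecting real data. The `published_keys` directory stands in for the PKI's published public keys; its name and the recipient name are assumptions.

```python
"""Added illustration of slide 19: symmetric key vs. public/private key pair.
Toy constructions for teaching only; not from the presentation."""
import hashlib
from math import gcd

# --- Symmetric: the same key both encrypts and decrypts ---------------------

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic byte stream derived from the key (toy construction:
    SHA-256 in counter mode; a real system would use AES or ChaCha20)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream. Applying it twice with the same key restores
    the data, which is exactly the 'encrypting key is used for decrypting' point."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# --- Asymmetric: textbook RSA with tiny primes --------------------------------

def rsa_keypair(p: int, q: int, e: int = 17):
    """Returns (public_key, private_key). With p=61, q=53, e=17 this gives
    the classic n=3233, d=2753 example. Tiny primes: illustration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)        # public (encrypt) key, private (decrypt) key


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


# --- PKI flavour: a directory of published public keys ------------------------

def encrypt_for(recipient: str, published_keys: dict, m: int) -> int:
    """Anyone can encrypt to a recipient using only the published public key;
    only the holder of the matching private key can decrypt."""
    return rsa_encrypt(published_keys[recipient], m)


if __name__ == "__main__":
    # Constructed sample values, not real data.
    shared = b"shared secret"
    ct = symmetric_crypt(shared, b"patient record")
    print("symmetric round trip:", symmetric_crypt(shared, ct))

    lab_public, lab_private = rsa_keypair(61, 53)
    published_keys = {"lab": lab_public}        # assumed directory name
    c = encrypt_for("lab", published_keys, 65)  # m=65 encrypts to 2790
    print("rsa ciphertext:", c, "decrypted:", rsa_decrypt(lab_private, c))
```

The two halves make the key-management difference visible: the symmetric caller must already share `shared` with the recipient, whereas the RSA caller needs only the entry in `published_keys`, and the private half never leaves the recipient.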

  20. Operational Security
     • Policies and Procedures
       • Foundation for good security practice
       • Clearly state organizational guidelines
       • FAHC has several security policies:
         • Security Standards
         • Remote Access
         • HIPAA Security Compliance
         • Workstation Use and Security
         • Backup and Disaster Recovery
         • Audit and Review
     • Risk Analysis and Management
       • Risk Assessment
         • Think like the “enemy”
         • Identify critical information or systems
         • Analyze threats
         • Analyze vulnerabilities
         • Assess risk
         • Apply countermeasures

  21. Operational Security
     • Personnel Security
       • One of the highest threats
       • Question: Why?
       • Background checks
       • Security awareness & training
       • Auditing and monitoring capabilities

  22. Conclusion
     • Balancing risk vs. ease of use
     • Physical Security – Lock it up!
     • System Security
       • Gets most of the attention
       • Most technical
     • Application & Data Security
       • Authentication
         • Single factor vs. Two factor
         • Deterministic vs. Probabilistic
       • Managing User Roles and Privileges
       • Cryptography
     • Operational Security
       • Policies
       • Risk Assessments
       • Personnel

  23. QUESTIONS?
