
HIPAA SECURITY

HIPAA SECURITY. Implementing an Authentication Model. September, 2005, AAMC. W. Thompson, VP Information Systems and Technologies, UMDNJ.





Presentation Transcript


  1. HIPAA SECURITY Implementing an Authentication Model September, 2005 AAMC W. Thompson, VP Information Systems and Technologies, UMDNJ

  2. Warning !! • This presentation is intended only for Academic Medical Centers who have budget constraints, staffing below desired levels, independently-minded units and faculty, and at least moderate levels of bureaucracy and politics. All others should leave immediately !

  3. The Team • Denise Romano, Director of Core Systems and Technologies • Marykate Noonan, Office of Business Conduct

  4. Agenda • Organizational Profile • Overview of the UMDNJ Approach • Monitoring HIPAA Compliance • Implementing Authentication • Changing the Culture

  5. UMDNJ Organizational Profile • State-wide Health Sciences University • 8 Schools • 6 Campuses • 1 Hospital • 3 Multi-specialty Practice Plans • 1 Dental Practice Plan • 1 Behavioral Health Practice Plan • 15,000 faculty, staff and students • Tripartite Mission • Education • Research • Healthcare

  6. Philosophical Approach • A close collaboration with the organization’s compliance entity (Office of Business Conduct). • “Reasonable” efforts to achieve compliance. • A combination of policy, tools, and behavior modification. • Ignore/de-emphasize access methods and devices in favor of managing information.

  7. Major HIPAA Security Plan Activities • Communications Plan (ongoing) • Risk Assessment (completed) • Policy Analysis (completed) • New/Revised Policy adoption (completed) • Security risk reduction (ongoing) • Training (ongoing) • Periodic Review/Assessment (ongoing)

  8. HIPAA Security Structure • The “Data Steward” Concept • Responsibility for safeguards at the lowest levels • Responsibility for reporting and escalation • Policy Excerpt: • Sensitive Electronic Information (SEI) – includes electronic information that is protected by state or federal regulations. As such, it includes Protected Health Information (PHI) as defined under HIPAA regulations, as well as information governed by GLB, FERPA, and other applicable regulations. • Data Steward – a person who creates, maintains, transmits, receives, or stores SEI • HIPAA Coordinator • Unit-level responsibilities for compliance • A team combined with a technical liaison • Compliance Hotline • Anonymity • Tracking and follow-up • Direct links to the IT organization • Escalation to HIPAA Privacy or Security Officer

  9. Data Steward Pledge • I readily agree and promise to assume a new burden in addition to my already full plate of duties. I understand that this burden comes with no additional resources, is difficult to execute successfully, and comes with the risk of federal fines and imprisonment.

  10. Monitoring HIPAA Compliance • Internal Audit • Integrate into annual internal audit cycle • External Audit/Accreditation • Already building in SOX and HIPAA • JCAHO, etc • Internal Review Boards • Process and policy modified to reflect HIPAA obligations • Information Systems and Technologies • Incident response • Periodic review of high risk areas • Office of Business Conduct (Compliance) • Chart audit process, general compliance audits

  11. Implementing Authentication

  12. Authentication - Overview • Challenges • Network Access • Enterprise Servers and Domains • Enterprise Applications • Local Resources

  13. Authentication Challenges • “System A does not have sufficient security granularity, so we use a group or role-based login that is shared” • “The security mechanism on System B is very inconvenient, so we disabled authentication, but you have to be in room A563 to access the system so it is pretty secure” • “It takes too long to get credentials for System C, so we keep some IDs and passwords from people who left to give out while we wait. It works so well that sometimes we forget to apply for new credentials, but that’s ok because people are always leaving” • “Trust me, I have my own security methodology” • “Yes, those 112 people do need root access to the box !” • “The guy who set up the box was Dr Smith’s nephew who went back to college. Thank god he had guest access turned on because otherwise the 84 people using it would never be able to work” • “I’ve never had a problem with anonymous FTP or my guest login” • “I refuse to be monitored and tracked by Big Brother” • “I thought you guys take care of all that stuff !”

  14. Authentication Levels • Network/Perimeter • Domain • Application • Remote Access

  15. Application • Application or database level authentication • Mostly User Id and Password • Strong passwords • Cycling • Certificates for select applications • Role-based authorization once authenticated • We don’t know what we don’t know

  16. Domain • Active Directory • Comprehensive Directory • Authoritative source for people fed by several systems (HR, Volunteer Faculty database, etc) • Single point of turn-on/disconnect

  17. Network/Perimeter • Firewalls • VPN • Virtual Local Area Network (VLAN) • Most clinical applications • Some confidential resources • bradfordnetworks.com Campus Manager • Work across disparate network nodes • Intercept any IP requests (wired or wireless)

  18. Authentication Map

  19–26. Network Authentication (the same diagram is repeated on each of these slides: client, Authentication Server, UMDNJ Active Directory; one step is highlighted per slide) • 1. Request for connection • 2. Prompt for authentication • 3. Username and password provided • 4. Username and password verified against Active Directory • 5a. Username and password correct • 6a. Connection will be made to Internal network • 5b. Username and password incorrect, no username, or guest account used • 6b. Connection will be made to Public network (throttled web access only)
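The admission decision on slides 19–26, simulated end to end as an added example; this is not code from the UMDNJ deck or from Bradford Campus Manager. The directory, the accounts and the password-hashing parameters are constructed for the example, and the Active Directory lookup is replaced by an in-memory stand-in. The point it makes beyond the slides: every failure branch (unknown user, wrong password, disabled account, empty username, guest) lands on the same throttled public network with the same message, so the prompt itself does not tell an attacker which case occurred.

```python
"""Added example (not from the UMDNJ presentation): the network-admission
flow of slides 19-26. Directory contents and hashing parameters are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

INTERNAL = "internal"          # 6a: full access to the internal network
PUBLIC = "public-throttled"    # 6b: throttled web access only

# Accounts that never unlock the internal network (5b: "guest account used").
BLOCKED_ACCOUNTS = {"guest"}

_DUMMY_SALT = b"\0" * 16
_DUMMY_HASH = b"\0" * 32       # length of a PBKDF2-HMAC-SHA256 digest


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for UMDNJ Active Directory: username -> (salt, hash, enabled)."""

    def __init__(self):
        self._users = {}

    def add_user(self, username: str, password: str, enabled: bool = True):
        salt = os.urandom(16)
        self._users[username.lower()] = (salt, _hash_password(password, salt), enabled)

    def verify(self, username: str, password: str) -> bool:
        """Step 4: verify username and password. The hash is always computed,
        even for an unknown user, so timing does not reveal whether it exists."""
        salt, stored, enabled = self._users.get(
            username.lower(), (_DUMMY_SALT, _DUMMY_HASH, False))
        candidate = _hash_password(password, salt)
        return hmac.compare_digest(candidate, stored) and enabled


@dataclass
class Decision:
    step: str      # which branch of the slide flow fired: "5a" or "5b"
    network: str   # INTERNAL or PUBLIC
    reason: str


def admit(directory: Directory, username: str, password: str) -> Decision:
    """Steps 1-6: the client asked to connect (1) and was prompted (2); given
    the credentials it returned (3), decide which network it is placed on."""
    username = (username or "").strip()
    if not username:
        return Decision("5b", PUBLIC, "no username supplied")
    if username.lower() in BLOCKED_ACCOUNTS:
        return Decision("5b", PUBLIC, "guest account used")
    if not directory.verify(username, password or ""):
        # One outcome and one message for unknown user, wrong password and
        # disabled account: the prompt must not reveal which one it was.
        return Decision("5b", PUBLIC, "username or password incorrect")
    return Decision("5a", INTERNAL, "username and password verified")


def build_demo_directory() -> Directory:
    """Constructed sample accounts for the example."""
    d = Directory()
    d.add_user("dromano", "correct horse battery staple")
    d.add_user("guest", "guest")                     # exists, but never admitted
    d.add_user("jleft", "P@ssw0rd", enabled=False)   # departed user, disconnected
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    attempts = [("dromano", "correct horse battery staple"), ("dromano", "wrong"),
                ("", ""), ("guest", "guest"), ("jleft", "P@ssw0rd"), ("nobody", "x")]
    for user, pw in attempts:
        r = admit(d, user, pw)
        print(f"{user!r:12} -> step {r.step}: {r.network} ({r.reason})")
```

Only the guest check and the empty-username check produce distinct reasons, because those are policy decisions the user already knows about; the three credential failures deliberately share one message.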

  27. Status • High-risk areas completed • Eg: clinical systems, financial aid, etc • Low-hanging fruit completed • Remainder scheduled • Mac and alternative platforms are a work in progress

  28. The vehicle is still moving….. • Provisioning strategy (high priority IT) • “Reduced Sign-on” and context management (high priority constituents) • Timely processing of transfers and terminations (high priority audit/compliance/legal)
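Slide 16 makes Active Directory the authoritative source fed by HR and the single point of turn-on/disconnect, and slide 28 lists timely processing of transfers and terminations as the audit/compliance priority. The reconciliation below is an added example of the check that keeps those two things true; it is not UMDNJ code and the feed format, column names, status values, service-account list and sample rows are all constructed. It reports enabled accounts whose person is terminated in HR (the "IDs and passwords from people who left" of slide 13), enabled accounts with no HR record at all, accounts whose HR unit no longer matches the directory (transfers whose role assignments need review), and accounts that are enabled but unused.

```python
"""Added example (not from the UMDNJ presentation): reconcile an HR feed
against a directory export. Column names, status values and rows are assumed."""
import csv
import io
from dataclasses import dataclass, field

# Constructed HR extract: one row per person.
HR_FEED = """\
person_id,username,status,unit
1001,dromano,active,IST
1002,mnoonan,active,OBC
1003,jleft,terminated,Clinic A
1004,tmoved,active,Clinic B
1005,olduser,active,Clinic B
"""

# Constructed directory export: one row per account.
DIRECTORY_EXPORT = """\
username,enabled,unit,last_logon_days
dromano,true,IST,1
mnoonan,true,OBC,3
jleft,true,Clinic A,45
tmoved,true,Clinic A,2
olduser,true,Clinic B,120
nephew-admin,true,,200
svc-backup,true,IST,0
"""

# Accounts the HR feed will never cover; each needs a named owner instead.
SERVICE_ACCOUNTS = {"svc-backup"}


@dataclass
class Findings:
    disable: list = field(default_factory=list)    # terminated in HR, still enabled
    orphans: list = field(default_factory=list)    # enabled, no HR record, not a service account
    transfers: list = field(default_factory=list)  # (user, directory unit, HR unit)
    stale: list = field(default_factory=list)      # enabled but unused beyond stale_days


def _parse(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, dir_csv: str, stale_days: int = 90) -> Findings:
    """Compare every enabled directory account with its HR record."""
    hr = {row["username"].strip().lower(): row for row in _parse(hr_csv)}
    f = Findings()
    for acct in _parse(dir_csv):
        name = acct["username"].strip().lower()
        if acct["enabled"].strip().lower() != "true":
            continue  # already disconnected; nothing to do
        person = hr.get(name)
        if person is None:
            if name not in SERVICE_ACCOUNTS:
                f.orphans.append(name)
            continue
        if person["status"].strip().lower() != "active":
            f.disable.append(name)  # disconnect at the single point: the directory
            continue
        if person["unit"].strip() != acct["unit"].strip():
            f.transfers.append((name, acct["unit"].strip(), person["unit"].strip()))
        if int(acct["last_logon_days"]) > stale_days:
            f.stale.append(name)
    return f


if __name__ == "__main__":
    r = reconcile(HR_FEED, DIRECTORY_EXPORT)
    print("disable now:       ", r.disable)
    print("no HR record:      ", r.orphans)
    print("transfers to review:", r.transfers)
    print("stale, still enabled:", r.stale)
```

Run against a real HR extract and directory export, the `disable` list is the set an automated disconnect can act on immediately; the other three lists are review queues, since an orphan may be a legitimately shared or service account that simply lacks an owner record.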

  29. Changing the Culture

  30. Changing the Culture • “Shock and Awe !” • “Culture eats strategy for lunch !” • Training and awareness to reinforce the responsibilities at all levels

  31. HIPAA SECURITY Implementing an Authentication Model September, 2005 AAMC W. Thompson, VP Information Systems and Technologies, UMDNJ
