Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Similar documents
Applying ISO and NIST to Address Compliance Mandates The Four Laws of Information Security

New! Checklist for HIPAA & HITECH Compliance Pabrai

Art of Performing Risk Assessments

Establishing a Credible Cybersecurity Program. September 2016

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

HIPAA Security and Privacy Policies & Procedures

Putting It All Together:

HIPAA Compliance Checklist

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Compliance with NIST

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Vendor Security Questionnaire

Healthcare Privacy and Security:

Support for the HIPAA Security Rule

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Information Technology General Control Review

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

The Common Controls Framework BY ADOBE

CCISO Blueprint v1. EC-Council

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

Checklist: Credit Union Information Security and Privacy Policies

01.0 Policy Responsibilities and Oversight

2015 HFMA What Healthcare Can Learn from the Banking Industry

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Healthcare Security Professional Roundtable. The Eighth National HIPAA Summit Monday, March 8, 2004

HIPAA Compliance & Privacy What You Need to Know Now

University of Pittsburgh Security Assessment Questionnaire (v1.7)

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

ISO Training Consulting Certification. Exec Brief. Services. 1-Day Workshop. Policy Templates CSCS. Testimonials.

Data Security and Privacy Principles IBM Cloud Services

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Protecting your data. EY s approach to data privacy and information security

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA Federal Security Rule H I P A A

locuz.com SOC Services

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NW NATURAL CYBER SECURITY 2016.JUNE.16

TEL2813/IS2820 Security Management

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Security Management Models And Practices Feb 5, 2008

SECURITY & PRIVACY DOCUMENTATION

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Data Backup and Contingency Planning Procedure

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

The simplified guide to. HIPAA compliance

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ISO & ISO & ISO Cloud Documentation Toolkit

HIPAA Security Checklist

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

HIPAA Security Checklist

HIPAA AND SECURITY. For Healthcare Organizations

HIPAA COMPLIANCE AND

All Aboard the HIPAA Omnibus An Auditor s Perspective

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Employee Security Awareness Training Program

Altius IT Policy Collection

Department of Public Health O F S A N F R A N C I S C O

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

The Honest Advantage

Department of Public Health O F S A N F R A N C I S C O

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Agency Guide for FedRAMP Authorizations

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Not Just Another Day of HIPAA

HIPAA Summit Day II Afternoon Plenary Session: HIPAA Security

Total Security Management PCI DSS Compliance Guide

Apex Information Security Policy

HITRUST CSF: One Framework

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

How to Ensure Continuous Compliance?

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Version 1/2018. GDPR Processor Security Controls

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

EXHIBIT A. - HIPAA Security Assessment Template -

Executive Order 13556

HIPAA SECURITY RISK ASSESSMENT

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

The Relationship Between HIPAA Compliance and Business Associates

Transcription:

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations & Standards HIPAA Privacy HIPAA Security HITECH Act Meaningful Use, Breach Notification FACTA (Red Flags Rule) Clarification Act 2010 Signed! U.S. State Regulations PCI DSS v2.0 Released! Your security plan must identify regulations that impact your organization! 2 2011. All Rights Reserved. ecfirst. 1

California Fines for Breaches Partial List - Entities That Were Fined 1. Community Hospital of San Bernardino: $250,000 fine; unauthorized access of 204 patients medical information by 1 employee 2. Community Hospital of San Bernardino: $75,000 fine; unauthorized access of 3 patients medical information by 1 employee 3. Enloe Medical Center: $130,000 fine; unauthorized access of 1 patient s medical information by 7 employees 4. Rideout Memorial Hospital: $100,000 fine; unauthorized access of 33 patients medical information by 17 employees 5. Ronald Reagan UCLA Medical Center: $95,000 fine; unauthorized access of 1 patient s medical information by 4 employees 6. San Joaquin Community Hospital: $25,000 fine; unauthorized access of 3 patients medical information by 2 employees Over $1.3 million in fines for unauthorized access! 3 State Regulations Connecticut All insurance companies doing business in Connecticut must report information breaches to state authorities within five calendar days, even if the data involved was encrypted The new state insurance breach reporting policy applies to health maintenance organizations, preferred provider organizations, and other health insurers, as well as property and casualty insurers, pharmacy benefit managers and medical discount plans It does not apply to hospitals and physicians A tough regulation which applies to paper and electronic records 4 2011. All Rights Reserved. ecfirst. 2

Massachusetts 201 CMR 17.00 Comprehensive Written Information Security Program Required! Establishes minimal standards for safeguarding personal information contained in both paper and electronic records Requires each covered business to develop, implement, maintain and monitor a comprehensive written information security program that applies to records that contain Massachusetts residents personal information Security program must include administrative, technical and physical safeguards to protect such records Regulations also require businesses that store or transmit personal information about Massachusetts residents to (201 CMR 17.00): Restrict access by use of passwords Deploy updated malware protection Encrypt information transmitted across public or wireless networks Monitor all systems to detect unauthorized access Encrypt information stored on laptops Incorporate firewalls 5 ISO 27000: An International Security Standard A comprehensive set of controls comprising best practices in information security Comprised of: A code of practice A specification for an information security management system Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce Organizations are looking at the ISO 27000 as a security framework to address federal and state mandates 6 2011. All Rights Reserved. ecfirst. 3

ISO 27001 ISO 27001 covers all types of organizations The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size, and nature Can easily adapt to be organization-specific The ISMS for any organization is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to all interested parties 7 ISO 27002 Security Clauses 0. Risk Assessment & Treatment (Introductory Clause) 1. Security Policy 2. Organization of Information Security 3. Asset Management 4. Human Resources Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information Systems Acquisition, Development and Maintenance 9. Information Security Incident Management 10. Business Continuity Management 11. Compliance 8 2011. All Rights Reserved. ecfirst. 4

Risk Assessment & Treatment Introductory Clause 0 (4) The information security risk assessment should have a clearly defined scope in order to be effective The results should guide and determine appropriate management action and priorities for managing risks and for implementing controls selected to protect against these risks Consists of two categories: Assessing Security Risks Treating Security Risks 9 Risk Assessment & Treatment Introductory Clause 0 (4) 10 2011. All Rights Reserved. ecfirst. 5

Security Policy Clause 1 (5) Establishes the dial-tone for security in the organization Critical elements include: Establishing management direction for information security Regular updates and reviews Consists of 1 category Information Security Policy (5.1) 11 Information Security Incident Management Clause 9 (13) This clause provides guidance for the development and maintenance of a comprehensive strategy for responding to a security violation Consists of two categories: Reporting Information Security Events and Weaknesses Management of Information Security Incidents and Improvements HITECH Data Breach Notification & HIPAA Security Rule Incident Copyright. 2011. Procedures All Rights Reserved. Valuable ecfirst. Reference. 12 2011. All Rights Reserved. ecfirst. 6

Business Continuity Management Clause 10 (14) This clause provides guidance for the development and implementation of a comprehensive strategy to ensure continued business operation in the event of a catastrophic failure of systems of facilities Key parts of a comprehensive strategy include: Procedures for failover to backup systems Recovery of failed systems Relocation of workforce members to alternate locations The only category defined in this clause is: 1. Information Security Aspects of Business Continuity Management 13 PCI DSS v2.0 A Global Data Security Standard 1. Build and Maintain a Secure Network Firewall configuration Vendor defaults 2. Protect Cardholder Data Protect stored cardholder data Encrypt transmission 3. Maintain a Vulnerability Management Program Update anti-virus software Maintain secure systems and applications 4. Implement Strong Access Control Measures Restrict access need to know Assign unique ID s Restrict physical access 5. Regularly Monitor and Test Networks Track and monitor all access Regularly test security processes 6. Maintain an Information Security Policy Maintain policies A Terrific Reference Even If Your Organization is Not Required to Comply 14 2011. All Rights Reserved. ecfirst. 7

NIST The National Institute of Standards & Technology (NIST) has a critical role to play in ensuring federal agencies comply with FISMA The NIST s FISMA-related responsibilities are: Development of standards, guidelines and associated methods and techniques Development of standards and guidelines, including establishment of minimum requirements for information systems Development of standards and guidelines for providing adequate information for all agency operations & assets 15 NIST 800-37 Rev 1 Developed by NIST to comply with FISMA responsibility Guide for Security Authorization of Federal Information Systems (NIST SP 800-37 Rev 1) A Security Life Cycle Approach A common security authorization process for federal information systems A well-defined and comprehensive security authorization process that helps ensure appropriate entities are assigned responsibility and are accountable for managing information system-related security risks 16 2011. All Rights Reserved. ecfirst. 8

FIPS 199 FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security Breach of security is loss of confidentiality, integrity or availability The three levels of potential impact are: Low Moderate High FIPS 199 is the standard to categorize information and information systems 17 FIPS 200 FIPS 200 establishes the minimum security requirements for federal information and information systems This standard establishes the minimal requirements in eighteen security-related areas Federal agencies are required to meet the minimal requirements through the use of security controls in accordance with NIST SP 800-53 FIPS 199 and FIPS 200 are the first of two mandatory standards required by the FISMA legislation 18 2011. All Rights Reserved. ecfirst. 9

NIST SP 800-34 Rev 1 Contingency Planning 1. Develop a Contingency Planning Policy 2. Conduct Business Impact Analysis (BIA) When did you conduct and complete a BIA exercise? 3. Identify preventative measures 4. Develop recovery strategy 5. Develop the Contingency Plan 6. Conduct testing and training 7. Review and maintenance Contingency Plan A HIPAA Security Rule Standard Valuable Reference 19 NIST SP 800-88 Rev 1 Media Sanitization Organizations need to develop policies and procedures for: Reuse of media Disposal of media Establish requirements for media: Disposal Clearing Purging Destruction Physical Security A HIPAA Security Rule Standard Device & Media Controls 20 2011. All Rights Reserved. ecfirst. 10

NIST SP 800-111 Storage Encryption for End Devices 1. Develop comprehensive policy and conduct training 2. Consider solutions that use existing capabilities 3. Securely store and manage all keys 4. Select appropriate authenticators 5. Implement additional controls as needed Confidential data at rest is a significant risk to organizations! 21 HITECH Meaningful Use U.S. Healthcare Information Security Mandate Ensure adequate privacy and security protections for personal health information Through use of policies, procedures, and technologies Meaningful Use Stage 1 Objective (Final Rule) Protect EHR created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Meaningful Use Stage 1 Measure (Final Rule) Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of the risk management process 22 2011. All Rights Reserved. ecfirst. 11

HIPAA, HITECH & More Your Checklist for Compliance 2009. All Rights Reserved. ecfirst. 23 State of Compliance: Exec Dashboard 2011. All Rights Reserved. ecfirst. 12

Information Security Program Strategy Core to the Edge and the Cloud Physical Security Firewall Systems IDS/IPS Identity Management Encryption Critical Info & Vital Assets Security Strategy Must be Risk-based, Pro-active, Integrated! 25 Compliance & Security Priorities A Checklist Conduct a formal risk analysis to establish baseline when is the last time this was completed? Use Corrective Action Plan (CAP) to Prioritize and Budget Update Security Policies Develop Contingency Plans (e.g. Disaster Recovery Plan) Implement Security Controls Deploy Encryption Across Laptops, Backups, Removable Media Deploy Single Sign-On (SSO) Solution Activate Auditing Capabilities to Manage/Track Access Schedule Regular Scans of the Infrastructure Conduct Security Training & Awareness Ensure Risk Analysis is Budgeted & Conducted on a Regular Copyright. 2011. Schedule! All Rights Reserved. ecfirst. 26 2011. All Rights Reserved. ecfirst. 13

About ecfirst Compliance & Security Over 1,600 Clients served including Microsoft, Cerner, McKesson, HP, IBM, PNC Bank and hundreds of hospitals, government agencies 27 About Pabrai Control Your Excitement! Blog with Pabrai www.pabrai.com Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Healthcare Information Security & Compliance Expert Created bizshield TM an ecfirst Signature Methodology - to address compliance and information security priorities Featured speaker at compliance and security conferences worldwide Presented at Microsoft, Intuit, E&Y, Federal & State Government agencies & hundreds of other organizations Consults extensively with technology firms, government agencies & healthcare organizations Established the HIPAA Academy and CSCS Program gold standard for HIPAA, HITECH compliance solutions Member, InfraGard Follow Pabrai on Twitter, LinkedIn 28 2011. All Rights Reserved. ecfirst. 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback