Applying ISO and NIST to Address Compliance Mandates The Four Laws of Information Security

Similar documents
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

New! Checklist for HIPAA & HITECH Compliance Pabrai

Art of Performing Risk Assessments

Establishing a Credible Cybersecurity Program. September 2016

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

HIPAA Security and Privacy Policies & Procedures

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

01.0 Policy Responsibilities and Oversight

CCISO Blueprint v1. EC-Council

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Healthcare Security Professional Roundtable. The Eighth National HIPAA Summit Monday, March 8, 2004

Vendor Security Questionnaire

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA Compliance Checklist

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Checklist: Credit Union Information Security and Privacy Policies

2015 HFMA What Healthcare Can Learn from the Banking Industry

All Aboard the HIPAA Omnibus An Auditor s Perspective

Data Backup and Contingency Planning Procedure

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Cybersecurity in Higher Ed

Information Technology General Control Review

HIPAA Federal Security Rule H I P A A

Putting It All Together:

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Apex Information Security Policy

The Common Controls Framework BY ADOBE

ISO Training Consulting Certification. Exec Brief. Services. 1-Day Workshop. Policy Templates CSCS. Testimonials.

Support for the HIPAA Security Rule

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

HIPAA Summit Day II Afternoon Plenary Session: HIPAA Security

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA-HITECH: Privacy & Security Updates for 2015

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O

The simplified guide to. HIPAA compliance

TEL2813/IS2820 Security Management

Healthcare Privacy and Security:

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Security Management Models And Practices Feb 5, 2008

Security and Privacy Governance Program Guidelines

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Protecting your data. EY s approach to data privacy and information security

HIPAA Compliance & Privacy What You Need to Know Now

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Security Awareness Compliance Requirements. Updated: 11 October, 2017

Introduction to the HITRUST CSF. Version 8.1

Data Security and Privacy Principles IBM Cloud Services

NW NATURAL CYBER SECURITY 2016.JUNE.16

The Impact of Cybersecurity, Data Privacy and Social Media

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Employee Security Awareness Training Program

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

_isms_27001_fnd_en_sample_set01_v2, Group A

SYSTEMS ASSET MANAGEMENT POLICY

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Altius IT Policy Collection

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

The ABCs of HIPAA Security

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

How to Ensure Continuous Compliance?

What It Takes to be a CISO in 2017

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DETAILED POLICY STATEMENT

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

John Snare Chair Standards Australia Committee IT/12/4

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Cybersecurity and Hospitals: A Board Perspective

Internet of Things Toolkit for Small and Medium Businesses

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Data Compromise Notice Procedure Summary and Guide

HITRUST CSF: One Framework

HCISPP HealthCare Information Security and Privacy Practitioner

HIPAA AND SECURITY. For Healthcare Organizations

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Effective Strategies for Managing Cybersecurity Risks

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

Compliance with NIST

Why you should adopt the NIST Cybersecurity Framework

Transcription:

Applying ISO 27000 and NIST to Address Compliance Mandates The Four Laws of Information Security Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, FBI InfraGard

Challenges PHI Is @ Significant Risk! Healthcare - Complex Computing Environment Too many servers, too many applications Too many credentials across multiple systems to manage Too many end systems to support and maintain Mobility of devices is rapidly increasing Storage demands are rising fast Highly specialized technical skills required Serious lack of redundancy in infrastructure Struggle with resources to monitor and audit Security Struggling with fast, secure access to patient information Generic accounts still in active use Struggling with password management Need to uniquely identify who accessed what, when, how Audit controls are not consolidated not automated; not complete 2

Breach Reports - OCR 1. State: Tennessee Approx. # of Individuals Affected: 1,711 Date of Breach: 7/15/10 Type of Breach: Loss Location of Breached Information: Portable Electronic Device, Other 2. State: Ohio Approx. # of Individuals Affected: 13, 867 Date of Breach: 6/7/10 Type of Breach: Theft Location of Breached Information: Laptop 3. State: Illinois Approx. # of Individuals Affected: 657 Date of Breach: 6/5/10 Type of Breach: Theft, Loss Location of Breached Information: Paper Records 4. State: Texas Approx. # of Individuals Affected: 600 Date of Breach: 5/29/10 Type of Breach: Theft Location of Breached Information: Network Server 5. State: Arizona Approx. # of Individuals Affected: 5,893 Date of Breach: 5/15/10 Type of Breach: Theft Location of Breached Information: Laptop 6. State: Michigan Approx. # of Individuals Affected: 2,300 Date of Breach: 5/02/10 Type of Breach: Theft Location of Breached Information: Laptop 3

Breaches in CA OCR 1. Loma Linda University School of Dentistry Approx. # of Individuals Affected: 10,100 Date of Breach: 6/13/10 Type of Breach: Theft Location of Breached Information: Desktop Computer 2. Children's Hospital & Research Center at Oakland Approx. # of Individuals Affected: 1,000 Date of Breach: 5/25/10 and 5/26/2010 Type of Breach: Other Location of Breached Information: Paper 3. Loma Linda University Health Care Approx. # of Individuals Affected: 584 Date of Breach: 4/04/10 Type of Breach: Theft Location of Breached Information: Desktop Computer 4. Silicon Valley Eyecare Optometry and Contact Lenses Approx. # of Individuals Affected: 40,000 Date of Breach: 4/02/10 Type of Breach: Theft Location of Breached Information: Network Server 5. St. Joseph Heritage Healthcare Approx. # of Individuals Affected: 22,012 Date of Breach: 3/06/10 Type of Breach: Theft Location of Breached Information: Desktop Computer 6. John Muir Physician Network Approx. # of Individuals Affected: 5,450 Date of Breach: 2/04/10 Type of Breach: Theft Location of Breached Information: Laptop 4

Compliance Mandates Key Regulations & Standards HIPAA Privacy HIPAA Security HITECH Act FACTA (Red Flags Rule) State Regulations PCI DSS 5

Meaningful Use Stage 1 Core Set Mandate Ensure adequate privacy and security protections for personal health information Through use of policies, procedures, and technologies Meaningful Use Stage 1 Objective (Final Rule) Protect EHR created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Meaningful Use Stage 1 Measure (Final Rule) Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of the risk management process 6

Massachusetts 201 CMR 17.00 Comprehensive Written Information Security Program Required Establishes minimal standards for safeguarding personal information contained in both paper and electronic records Requires each covered business to develop, implement, maintain and monitor a comprehensive written information security program that applies to records that contain Massachusetts residents personal information Security program must include administrative, technical and physical safeguards to protect such records Regulations also require businesses that store or transmit personal information about Massachusetts residents to (201 CMR 17.04): Restrict access by use of passwords Deploy updated malware protection Encrypt information transmitted across public or wireless networks Monitor all systems to detect unauthorized access Encrypt information stored on laptops Incorporate firewalls 7

State of Connecticut IC-25 All insurance companies doing business in Connecticut must report information breaches to state authorities within five calendar days, even if the data involved was encrypted The new state insurance breach reporting policy applies to health maintenance organizations, preferred provider organizations, and other health insurers, as well as property and casualty insurers, pharmacy benefit managers and medical discount plans It does not apply to hospitals and physicians A tough regulation which applies to paper and electronic records 8

PCI DSS A Global Data Security Standard 1. Build and Maintain a Secure Network 1. Firewall configuration 2. Vendor defaults 2. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission 3. Maintain a Vulnerability Management Program 5. Update anti-virus software 6. Maintain secure systems and applications 4. Implement Strong Access Control Measures 7. Restrict access need to know 8. Assign unique ID s 9. Restrict physical access 5. Regularly Monitor and Test Networks 10. Track and monitor all access 11. Regularly test security processes 6. Maintain an Information Security Policy 12. Maintain policies A Terrific Reference Even If Your Organization is Not Required to Comply 9

ISO 27000: An International Security Standard A comprehensive set of controls comprising best practices in information security Comprised of: A code of practice A specification for an information security management system Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce Organizations are looking at the ISO 27000 as a security framework to address HIPAA, HITECH, PCI DSS, State mandates 10

Process Approach ISO 27001 adopts the Plan-Do-Check-Act (PDCA) model A) Plan - Understanding an organization s information security requirements and the need to establish policy and objectives for information security B) Do - Implementing and operating controls to manage an organization s information security risks in the context of the organization s overall business risks C) Check - Monitoring and reviewing the performance and effectiveness of the ISMS D) Act - Continual improvement based on the objective measurement 11

Application ISO 27001 covers all types of organizations The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size, and nature Can easily adapt to be organization-specific The ISMS for any organization is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to all interested parties 12

ISO 27002 Security Clauses 0. Risk Assessment & Treatment (Introductory Clause) 1. Security Policy 2. Organization of Information Security 3. Asset Management 4. Human Resources Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information Systems Acquisition, Development and Maintenance 9. Information Security Incident Management 10. Business Continuity Management 11. Compliance 13

Risk Assessment & Treatment Introductory Clause 0 (4) The information security risk assessment should have a clearly defined scope in order to be effective The results should guide and determine appropriate management action and priorities for managing risks and for implementing controls selected to protect against these risks Consists of two categories: Assessing Security Risks Treating Security Risks 14

Assessing Security Risks Category (4.1) Risk assessment should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization A systematic approach of estimating the magnitude of risks (risk analysis) The process of comparing the estimated risks against risk criteria to determine the significance of the risks (risk evaluation) For each risk identified, a risk treatment decision needs to be made 15

Treating Security Risks Category (4.2) Possible options for risk treatment include: a) Applying appropriate controls to reduce the risks b) Knowingly and objectively accepting risks, providing they clearly satisfy the organization s policy and criteria for risk acceptance c) Avoiding risks by not allowing actions that would cause the risks to occur d) Transferring the associated risks to other parties, e.g. insurance or suppliers 16

Risk Assessment & Treatment Introductory Clause 0 (4) 17

Security Policy Clause 1 (5) Establishes the dial-tone for security in the organization Critical elements include: Establishing management direction for information security Regular updates and reviews Consists of 1 category Information Security Policy (5.1) 18

Information Security Incident Management Clause 9 (13) This clause provides guidance for the development and maintenance of a comprehensive strategy for responding to a security violation Consists of two categories: Reporting Information Security Events and Weaknesses Management of Information Security Incidents and Improvements 19

Business Continuity Management Clause 10 (14) This clause provides guidance for the development and implementation of a comprehensive strategy to ensure continued business operation in the event of a catastrophic failure of systems of facilities Key parts of a comprehensive strategy include: Procedures for failover to backup systems Recovery of failed systems Relocation of workforce members to alternate locations The only category defined in this clause is: 1. Information Security Aspects of Business Continuity Management 20

ISO 27799 Health Informatics: Information Security Management in Health Using ISO 27002 Defines guidelines to support the interpretation and implementation in health informatics of ISO 27002 and is a companion to that standard ISO 27799 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines By implementing the ISO 27799, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information 21

NIST NIST SP 800-66 Rev 1 Is A Valuable Reference The National Institute of Standards & Technology (NIST) has a critical role to play in ensuring federal agencies comply with FISMA The NIST s FISMA-related responsibilities are: Development of standards, guidelines and associated methods and techniques Development of standards and guidelines, including establishment of minimum requirements for information systems Development of standards and guidelines for providing adequate information for all agency operations & assets 22

NIST 800-37 Rev 1 Developed by NIST to comply with FISMA responsibility Guide for Security Authorization of Federal Information Systems (NIST SP 800-37 Rev 1) A Security Life Cycle Approach A common security authorization process for federal information systems A well-defined and comprehensive security authorization process that helps ensure appropriate entities are assigned responsibility and are accountable for managing information system-related security risks 23

FIPS 199 FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security Breach of security is loss of confidentiality, integrity or availability The three levels of potential impact are: Low Moderate High FIPS 199 is the standard to categorize information and information systems 24

FIPS 200 FIPS 200 establishes the minimum security requirements for federal information and information systems This standard establishes the minimal requirements in eighteen security-related areas Federal agencies are required to meet the minimal requirements through the use of security controls in accordance with NIST SP 800-53 FIPS 199 and FIPS 200 are the first of two mandatory standards required by the FISMA legislation 25

NIST SP 800-34 Contingency Planning 1. Develop a Contingency Planning Policy 2. Conduct Business Impact Analysis (BIA) 3. Identify preventative measures 4. Develop recovery strategy 5. Develop the Contingency Plan 6. Conduct testing and training 7. Review and maintenance Contingency Plan A HIPAA Security Rule Standard Organizations are struggling to address! Organizations Copyright. 2010. All Rights are Reserved. struggling ecfirst. to address! 26

NIST SP 800-111 Storage Encryption for End Devices 1. Develop comprehensive policy and conduct training 2. Consider solutions that use existing capabilities 3. Securely store and manage all keys 4. Select appropriate authenticators 5. Implement additional controls as needed Centralize the Deployment of Storage Encryption! 27

NIST SP 122 - It s About PII. Personally Identifiable Information Until now, it has been about Protected Health Information (PHI) HIPAA Privacy Electronic Protected Health Information (EPHI) HIPAA Security Unsecured PHI HITECH Act Cardholder information PCI DSS Personal data or information State Regulations 2010 and beyond it is about PII What PII does your organization come into contact with? Where is PII in your organization? How is the PII secured in your organization? 28

NIST SP 122 PII A Checklist of What You Must Address 1. Has the organization clearly identified all PII residing in the enterprise? 2. Has the organization categorized PII? 3. Are you applying appropriate safeguards based on confidentiality impact level? 4. Is the collection and retention of PII limited to what is strictly necessary? 5. Have you developed an incident response plan to handle breach of PII? 6. Has the organization established a forum to enable close coordination between privacy officers, CIO, security officers and legal? This checklist must be completed on a regular schedule 29

Information Security Program Strategy Core to the Edge and the Cloud Physical Security Firewall Systems IDS/IPS Identity Management Encryption Critical Info & Vital Assets Security Strategy Must be Risk-based, Pro-active, Integrated! 30

Checklist for Compliance Preparing for Audits Entity-wide Security Plan Risk Analysis (last time conducted was?) Technical Vulnerability Assessment (align with Risk Analysis) Risk Management Plan (addressing risks identified in the Risk Analysis) - this is your Corrective Action Plan (CAP) Security violation monitoring reports (incident management) Contingency Plans (last time BIA conducted was?) List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees) Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI Policies updated, approved and communicated Training for all members of the workforce 31

Pabrai s Laws of Information Security Is Your Security Kismet or Karma? 1. There is no such thing as a 100% secure environment 2. Security is only as strong as your weakest link 3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise 4. Security incidents provide the foundation for security intelligence Is Your Enterprise Security? Kismet A Reactive Security Framework Karma A Proactive Security Framework 32

About ecfirst Compliance & Security Over 1,600 Clients served including Microsoft, Cerner, McKesson, HP, PNC Bank and hundreds of hospitals, government agencies Contact: John.Schelewitz@ecfirst.com Phone: +1.480.663.3225 33

Your Speaker Control Your Excitement! Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Healthcare Information Security & Compliance Expert Created BizShield TM an ecfirst Signature Methodology - to address compliance and information security priorities Featured speaker at compliance and security conferences worldwide Presented at Microsoft, Intuit, E&Y, Federal & State Government agencies & hundreds of other organizations Consults extensively with healthcare organizations and business associates Established the HIPAA Academy and CSCS Program gold standard for HIPAA, HITECH compliance solutions Member, FBI InfraGard Follow Pabrai on Twitter, LinkedIn Pabrai@ecfirst.com Download Cyber Security Strategy Exec Brief PDF @ www.ecfirst.com Free to HIPAA Summit Attendees 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback