TRANSCRIPT
Building a Risk Management Framework for HIPAA & FISMA Compliance
Anurag Shankar
Center for Applied Cybersecurity Research, Indiana University
2015 Technology Exchange, October 6, 2015
Outline
1. Introduction
2. HIPAA & FISMA Demystified
3. Cyber Compliance: The IU Approach
4. Building & Leveraging a Risk Management Framework
5. Conclusion
1. Introduction
Why a talk on compliance?
• We have a new user community: clinical researchers.
• Their research IT is growing to HPC, HPN, and HPS* scales.
• Medical school IT cannot keep up.
• Their data is laced with regulations (HIPAA, FISMA).
• Compliance is a foreign language (to most of us).
• We deal with the usual suspects: physical scientists and engineers.
• Regulations are not our forte.
* High performance computing, networking and storage
Compliance challenges
• Fear, uncertainty, doubt.
• Language barrier.
• Lack of resources.
• Local risk tolerance.
• Risk ownership.
• Policy.
The goals this morning
• Learn to speak compliance.
• Bring regulations to a practical, actionable plane.
2. Regulations: HIPAA and FISMA
HIPAA
What is HIPAA?
• Health Insurance Portability & Accountability Act.
• Provides the ability to transfer and continue health insurance coverage for American workers and their families when they change or lose their jobs.
• Enforced by the Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services (HHS).
HIPAA Timeline
• Passed in 1996. The Privacy Rule took effect in 2001 (compliance required by 2003). The HIPAA Security Rule came out in 2003 (compliance required by 2005).
• The Health Information Technology for Economic & Clinical Health (HITECH) Act of 2009 extended HIPAA to business associates and added breach notification.
• The HIPAA Omnibus Final Rule of 2013 included provisions from HITECH & the 2008 Genetic Information Nondiscrimination Act (GINA).
Is HIPAA all about patient privacy?
• No. There are many other components.
• Privacy is addressed through the HIPAA Privacy Rule, the HIPAA Security Rule, and the breach notification requirement.
• The Privacy Rule defines who HIPAA applies to (a covered entity), what is protected (protected health information, or PHI), and covers uses and disclosures of PHI.
• The Security Rule focuses exclusively on protecting electronic PHI (ePHI) in any form: at rest, in transit, under analysis, etc.
What constitutes PHI*?
Patient information in any form (paper, verbal, electronic) containing any of the following 18 identifiers:
1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic or code
PHI, when properly de-identified (by removing all 18 identifiers, the "Safe Harbor" method, or by a documented expert determination), is no longer subject to HIPAA.
* You may also hear the terms personally identifiable information (PII), individually identifiable health information (IIHI), health information, etc., but they are not created equal.
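The two items in the list above that are not simple "remove it" rules are the zip code (item 2) and dates/ages (item 3). The following Python is an added example, not code from the talk or from IU: it applies those two rules to a structured record and runs a regex pass over free text for the identifiers that have a recognisable shape. The record schema, the ZIP population table and the sample record are constructed for the example; a real implementation would load the Census population table and would still need human review for item 18 (any other unique identifier).

```python
"""Safe Harbor de-identification of a structured patient record.

Added example (not from the talk). It implements the two algorithmic parts of
the 18-identifier list, the ZIP 3-digit rule (item 2) and the age-over-89
aggregation (item 3), and runs a regex pass over free text for identifiers
that have a recognisable shape (SSN, phone, e-mail, URL, IP, dates). The
record schema, the population table and the sample record are all constructed
for this example.
"""
import re
from datetime import date
from typing import Dict, Optional

# Constructed lookup: 3-digit ZIP prefix -> population of the area formed by
# all ZIP codes sharing that prefix. Real use loads the Census ZCTA table.
ZIP3_POPULATION: Dict[str, int] = {"474": 85000, "036": 12000}

# Order matters: URLs and e-mails are consumed before the digit-only patterns
# so their digits are not re-matched as phone numbers or dates.
FREE_TEXT_PATTERNS = [
    ("URL", re.compile(r"https?://\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def generalize_zip(zip_code: str, populations: Dict[str, int] = ZIP3_POPULATION) -> str:
    """Item 2: keep the first three digits only when the prefix area holds more
    than 20,000 people; otherwise the prefix becomes 000. Unknown prefixes are
    treated as small (fail closed)."""
    prefix = zip_code[:3]
    return prefix if populations.get(prefix, 0) > 20000 else "000"


def generalize_age(birth: date, as_of: date) -> str:
    """Item 3: exact age up to 89; everything above collapses into '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace free-text identifiers with typed tokens (items 4-7, 14, 15 and dates)."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record: dict, as_of: date, populations: Dict[str, int] = ZIP3_POPULATION) -> dict:
    """Return a Safe Harbor de-identified copy of `record` (assumed schema below).

    Direct identifiers (name, ssn, mrn) are dropped rather than copied, dates are
    reduced to year, and the birth year is dropped as well when the age exceeds
    89, because item 3 removes every date element (year included) that indicates
    such an age."""
    age = generalize_age(record["dob"], as_of)
    birth_year: Optional[str] = None if age == "90+" else str(record["dob"].year)
    return {
        "zip3": generalize_zip(record["zip"], populations),
        "age": age,
        "birth_year": birth_year,
        "admission_year": str(record["admission"].year),
        "diagnosis": record["diagnosis"],
        "notes": scrub_text(record["notes"]),
    }


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "dob": date(1924, 3, 15),
    "admission": date(2015, 9, 30),
    "zip": "03601",
    "diagnosis": "hypertension",
    "notes": "Pt called from 812-555-0142, email jane@example.org; see http://portal.example.org/p/42",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2015, 10, 6)))
```

Note the two edge cases the list calls out: the sample patient is 91, so both the exact age and the birth year disappear, and ZIP prefix 036 is generalized to 000 because its (constructed) population is under 20,000. Regexes catch only identifiers with a fixed shape; names, medical record numbers and item 18 still need a field-level policy or an expert determination.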
Is all identifiable health information PHI?
• No, only when it is within the health care context. For instance:
• Identifiable health information (yours or someone else's) you share publicly on Facebook is not PHI (it is not subject to HIPAA).
• However, if a medical professional (doctor, nurse, etc.) working for a covered entity shares it publicly on Facebook, it is PHI and thus subject to HIPAA. Such a disclosure would be considered a breach under HIPAA.
Who does HIPAA apply to?
• A HIPAA covered entity (CE).
• Only health care providers, health plans, and health care clearinghouses are considered covered entities (and, since HITECH, their business associates are directly liable as well; see below).
• Universities are often hybrid covered entities, meaning they have both non-covered (e.g. the English dept.) and covered components (e.g. the Student Health Center, School of Medicine).
• HIPAA applies to the entire CE (the legal entity). It is the CE that faces civil penalties when a HIPAA violation occurs, not its subunits (individuals can still face the criminal penalties discussed under Enforcement).
Does HIPAA apply to me?
• Yes, if you serve a covered entity, either as a unit of your covered entity or as a Business Associate, AND you create, receive, transmit, or maintain PHI.
• You cannot say "I didn't know we had PHI". Plausible deniability can be quite expensive under HIPAA.
• Your organization is not a covered entity if it is not involved in health care operations directly.
Check with your compliance folks or counsel.
What is a Business Associate (BA)?
• "A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information."
• However, there is a "conduit exception" which excludes "... those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services."
• The exception is narrow: it covers transient transmission only. A vendor that stores ePHI persistently (a cloud storage provider, for example) is a BA even if the data is encrypted and the vendor never looks at it.
Business Associate Agreements
• HIPAA mandates you to have a Business Associate Agreement (BAA) with BAs (since it's a disclosure of PHI). The BAs must have BAAs with their BAs (subcontractors), and so on.
• The BAA must include language stating that the BA will protect your PHI and abide by HIPAA. (Sample BAA provisions are at the HHS site.)
• You are expected to do due diligence to ensure that the BA can protect your PHI as per HIPAA.
• The BAs are subject to HIPAA independently if they have PHI. So are their BAs, all the way down the chain.
Breach Notification
• HIPAA mandates a breach of unsecured PHI to be reported to those affected without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to the OCR within the same 60 days; smaller breaches are logged and reported to the OCR annually.
• For breaches involving more than 500 residents of a state or jurisdiction, prominent local media outlets must also be notified.
• It is for you to decide whether a security incident rises to the level of a reportable breach. Since the 2013 Omnibus Rule an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, so document that assessment.
Enforcement
• HIPAA violations can result in civil monetary penalties against a covered entity or business associate and/or criminal penalties against individuals, with imprisonment up to 10 years.
• An audit may occur if there is a breach. However, a breach is not automatically a HIPAA violation.
• Audits used to occur only in response to a breach or a complaint. The OCR has received funding to institute a random audit program now. They are getting ready for the first round of such audits.
When is a breach a HIPAA violation?
Violations occur when the CE is not doing the due diligence required under HIPAA or is ignoring HIPAA altogether:
• Not responding to the OCR despite repeated requests.
• Having no information security process whatsoever.
• No risk assessment and mitigation.
• No incident response.
• No documentation.
• Not following documented policies and procedures.
The OCR expects breaches; that is not the point.
Civil Monetary Penalties
[Penalty tier table not reproduced in the transcript. The tiers are Did Not Know, Reasonable Cause*, Willful Neglect (corrected), and Willful Neglect (not corrected); at the time of this talk each tier carried a per-violation maximum of $50,000 and an annual cap of $1.5 million per identical provision.]
* = An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification (HIPAA) provision, but in which the covered entity or business associate did not act with willful neglect.
The cost of "I didn't know we had PHI".
A breach of 100 patient records = 100 violations
Maximum "Did Not Know" cost of a breach of 100 patient records = $50K x 100 = $5 million! (The $1.5 million annual cap per identical provision limits what a single tier can total in one year, but ignorance is still not a defense.)
Enforcement in Action
The Corrective Action Plan (CAP) signed by Idaho State University
[Slide listed breaches reported by universities; not reproduced in the transcript.]
The penalties are bad; reputational damage is worse.
Corrective Action Plan for ISU
[Slide showed the ISU CAP document; not reproduced in the transcript.]
What does HIPAA mean for an IT provider?
• To protect ePHI as per the HIPAA Security Rule.
The HIPAA Security Rule
• The Security Rule requires 1. Administrative, 2. Physical, and 3. Technical safeguards to:
• Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures;
• Ensure compliance by the workforce; and
• Provide a means for managing risk in an ongoing fashion.
Security Rule Safeguards
• Administrative: security management/officer, workforce security, incident response, disaster planning, evaluations, etc.
• Physical: facilities access, workstation use/security, device/media controls, etc.
• Technical: access/audit control, integrity, authentication, transmission security, etc.
+ organizational/policies/documentation requirements
Required and Addressable
• The Security Rule implementation specifications are either required or addressable.
• Required = what it says.
• Addressable = not optional. You must implement it, or document why it is not reasonable and appropriate in your environment and implement an equivalent alternative measure (or document why no alternative is needed to address the risk).
HIPAA Safe Harbor
• If the ePHI is encrypted (at rest and in transit) in a manner consistent with HHS guidance (i.e. NIST-recommended methods), and the encryption key is stored separately from the data and secured, the data is not "unsecured PHI" and its loss need not be reported to the OCR or the affected individuals.
• This is called HIPAA safe harbor (a different safe harbor from the de-identification one above).
• The caveat: it holds only if the key was not compromised too. A stolen laptop with full-disk encryption and the key not on the device qualifies; a compromised server where the data is decrypted in use or the key is present does not.
Can I be certified HIPAA compliant?
• No. HIPAA doesn't define a threshold where you are suddenly compliant.
• The OCR has not authorized anyone to certify compliance.
• You can get third party certification, but the OCR does not recognize it. They may still find you lacking.
• All you can do is exercise due diligence: continuously assess and mitigate risk. HIPAA compliance is either self-asserted or blessed by local authorities.
How do I handle HIPAA then?
• Based on your environment, budget, and risk tolerance.
• Check if your local HIPAA Compliance or Information Security folks already have a process in place or have recommendations. Use their expertise.
• Securing the ePHI and documentation is still your task.
FISMA
What is FISMA?
Federal Information Security Management Act of 2002 (amended by the Federal Information Security Modernization Act of 2014).
"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency..."
Who does FISMA apply to?
• Government agencies, their subcontractors, or other sources that serve the agencies.
When does FISMA apply?
• When you use agency systems to manage information on behalf of an agency.
• When you use or operate information systems on behalf of an agency.
• If your contract says it does.
HHS guidance
"FISMA's requirements follow agency information into any system which uses it or processes it on behalf of the agency. That is, when the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA applies."
• The term "on behalf of" indicates that only those entities that are acting, under agency principles, as agents, where HHS (or a component) is the principal, are covered by FISMA.
Does FISMA apply to me?
• Probably, if you have a contract with a govt. agency, e.g. NIH.
• Check the contract; it will explicitly state FISMA requirements.
• Check if FISMA language has been added to existing contracts when they are renewed.
• It is sometimes possible to negotiate FISMA out.
What does FISMA require?
• Adopting the NIST Risk Management Framework (RMF).
• Accreditation (an authorization to operate issued by the agency).
• Regular reporting and reviews.
The FISMA Workflow
1. Define system boundaries
2. Assess risk (NIST SP 800-30, 800-37, 800-39)
3. Apply controls (NIST SP 800-53)
4. Evaluate controls (NIST SP 800-53A)
5. Authority to Operate (ATO)
Define System Boundaries
• Also known as the accreditation (authorization) boundary.
• Defines where the "system" begins and ends.
• A system can be a part of a network, an application, a logical collection of disparate components, etc.
• A conceptual boundary extends to all direct and indirect users of the system that receive output.
• Requires IT professionals.
Assess Risk
• Guidance from NIST SP 800-30, 800-37, and 800-39 is used to conduct a risk assessment.
• Individual risks and their severity are identified.
• A prioritized list of risks is created.
Select Controls
• The results of the risk assessment and the NIST control catalog (SP 800-53) are used to select controls that mitigate risk.
• Existing controls will mitigate some of the risk. Residual risk is addressed by adding missing controls.
• The FISMA contract will specify the required security control baseline (Low, Moderate, or High, following the FIPS 199 impact categorization of the system).
Evaluate Controls
• Requires regular assessments.
• Involves testing the controls in place to gauge their effectiveness in mitigating risk.
• Evaluations can be internal or external.
• NIST SP 800-53A covers evaluating SP 800-53 controls.
Authority to Operate (ATO)
• The compliance paperwork (the authorization package: system security plan, assessment results, and plan of action & milestones) is submitted to the agency.
• An ATO letter is issued by the agency authorizing the operation of the system.
• If remediation is required, the agency may issue an Interim Authority To Operate (IATO) with a defined end date.
+ continuous monitoring and regular reporting requirements.
What does it take to do FISMA?
• A significant amount of effort and $$.
• Duke Medicine, one academic FISMA implementation, estimates that, for each PI contract, it takes them ~25 hours to review all the documentation, make suggested contractual changes for agency negotiation, and create a FISMA management plan.
• A separate budget line item has to be included in the contract to cover FISMA costs.
• Many use a completely walled garden (a dedicated, isolated enclave for the FISMA system).
3. Cyber Compliance: The IU Approach
History
• IU has a mature research cyberinfrastructure (CI), serving both local and national users.
• It is provisioned through IU's central IT organization.
• It delivers supercomputing, data storage/archival, visualization, application development & optimization, data management, etc.
• Prior to 2000, it was used almost exclusively by the usual suspects: physical scientists and engineers.
HIPAA intervenes
• A Lilly Endowment grant in 2000 to accelerate genomics research at IU included using the existing CI for IU School of Medicine researchers.
• HIPAA compliance for research systems became a requirement.
• Forced us to learn HIPAA and how it affects the research workflow.
The most important compliance step
• We created an oversight committee to oversee our HIPAA effort and put every stakeholder on it: the Compliance Officers, Counsel, CISO, School of Medicine faculty/IT staff/CIO, Central IT senior management, etc.
• They became our ambassadors and started sending clinical researchers, NIH grant money, and reflected glory our way.
Research workflow & compliance
Pre-Grant: Preliminary Investigation, IRB, CI Design
Proposal: Proposal Preparation, Budget Preparation, Proposal Funding
Execution: Data Acquisition, Data Analysis, Simulation, Data Management, Data Sharing, Data Visualization, Data Publishing
Post-Grant: Data Archival, Data Disposal
It was useful to follow the research data end to end, through its entire lifecycle, to understand where compliance touches it.
Steps in red (on the original slide; color not reproduced here) involve compliance.
Evolution
• We initiated a HIPAA-specific, homegrown compliance process in 2008.
• It worked well initially, but was too rigid to accommodate other rules and regulations appearing on the horizon (e.g. FISMA).
• This motivated a search for a standards-based, regulation-neutral process.
• The obvious choice was the widely used, highly flexible NIST standard.
• Resulted in the creation of a single, reusable framework for cyber compliance in general.
How does it work?
1. Establish the base NIST Risk Management Framework (RMF)
2. Align with the NIST standard (not the individual regulation)
3. Map the regulation to NIST
4. Add missing* regulatory controls
This allows scaling laterally to cover any regulation or potential regulation changes: the base RMF (step 1) is reused, and only the regulation-specific mapping and added controls change.
* Regulatory controls missing from NIST
Handling HIPAA
1. Align with the NIST low security baseline
2. Map HIPAA to NIST using NIST SP 800-66
3. Add HIPAA safeguards missing from NIST
HIPAA to NIST Mapping (from NIST SP 800-66)
[The SP 800-66 crosswalk table shown on the slide is not reproduced in the transcript.]
4. Building and Leveraging the NIST Risk Management Framework
What is managing cyber risk?
• Identify, assess, prioritize, and mitigate risk to assets on an ongoing basis.
• Focuses on risk, calculated as follows: Risk = {Threat/Vulnerability x Likelihood x Impact}
• So a big threat from an existing vulnerability that is highly unlikely to be exploited, or has little impact, is low risk. You don't kill yourself over it.
• Risk assessment sharply focuses attention and optimizes resources.
Aren't firewalls, encryption, etc. enough?
• No. Technical controls are only one component of cyber risk management. It requires a more holistic approach.
• Why not encrypt it all at rest and have HIPAA safe harbor? Because it's not always possible (data under analysis is decrypted and exposed in use), and you still have to protect the key server.
• The NIST risk management framework gives us precisely that holistic approach.
The NIST RMF
• Comprises the following:
• Good governance = institutional security organization, policies, sanctions, enforcement
• Risk management = assessment, mitigation through appropriate physical, administrative, technical controls
• Review = regular monitoring, reviews, assessment, and mitigation
• Awareness and training
• Documentation
NIST Security Lifecycle
[Life cycle diagram not reproduced in the transcript.]
But I don't have resources to do all that
• You likely have some or all of these:
• An information security office
• Institutional IT policies
• Many security controls already in place
• Documentation
• This is plenty to start with. It means that you have the basic elements of the NIST RMF in place already.
• The rest is a one-time effort to establish the RMF. Much of it is documentation.
• A risk assessment enables further economies.
Risk Assessment
• The beginning of the road in cyber risk management. You cannot manage risk unless you know what risk you have.
• There are many ways to assess risk, ranging all the way from pedestrian (& cheap) to highly complex (& expensive).
• Your effort should be commensurate with budget, risk tolerance, and organizational complexity.
Implementation Steps
1. Assign resources
2. Develop tools
3. Develop process
4. Apply process to new systems
5. Migrate existing systems to new process
Develop process
1. Inventory
2. Documentation of System & Controls
3. Risk Assessment
4. Risk Response
5. Awareness & Training
6. Oversight & Approval
7. Authority to Operate
8. Ongoing Risk Management
Inventory what you have
• System details, ePHI location, security settings, BAAs, scan info, access methods, disposal information, etc.
• Software, version, patch level, BAAs, scan info, etc.
• Privileged access inventory: names, roles, dates authorized, etc.
• Incident log: incident summary, response.
The inventory template
[Template screenshot not reproduced in the transcript.]
Document the system and controls
• Controls are documented in the System Security Plan or SSP.
• IU template based on what DHHS, NASA, etc. use to satisfy FISMA.
• Describes system name, categorization, contacts, purpose, components, interconnections, boundaries, dependencies, and all NIST SP 800-53 security & privacy controls in place.
The SSP template
[Template screenshot not reproduced in the transcript.]
Document enterprise common controls
• Individual SSPs describe the NIST SP 800-53 controls you have in place.
• Many of these will be inherited from your organization. They will apply to all systems. We call them enterprise common controls (ECC).
• It is wasteful to include them every time in each SSP.
• So document ECCs separately and have individual SSPs simply point to the ECC docs.
The ECC document is literally NIST SP 800-53 with responses.
Assess risk
• Do risk self-assessments; they are cheap.
• Have managers & system administrators sit down and brainstorm.
• Identify areas of vulnerabilities and risk for the system.
• Document risk areas, controls that address those risks, residual risks, and risk severity.
• Have external, third party assessments every once in a while if you can afford them.
The Risk Assessment Report template
[Template screenshot not reproduced in the transcript.]
Document risk response
• Document how you will respond to residual risk in a Plan of Action & Milestones or POA&M document.
• It states whether the risk was accepted, transferred, addressed, or is to be mitigated, and the reasons, timelines, and planned mitigation activities/controls.
• Valid reasons for accepting a risk are budget, resource constraints, etc. You can often still address them through training.
The POA&M template
[Template screenshot not reproduced in the transcript.]
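The four-step recipe in section 3 (baseline, regulation mapping, added regulatory controls) and the SSP/ECC/POA&M documents in this section fit together as a set computation: what is required minus what the system implements or inherits is the POA&M. The following Python is an added example of that computation, not code or templates from the talk or from IU. The NIST control IDs and HIPAA citations are real identifiers, but every set below is an illustrative subset, not the real low baseline and not the real SP 800-66 crosswalk, and HIPAA-BAA and HIPAA-BN are hypothetical IDs invented here for the two HIPAA requirements that have no NIST control.

```python
"""Control gap analysis for a regulation-neutral RMF, producing POA&M entries.

Added example (not from the talk, and not IU's actual templates). Required
controls = NIST baseline (steps 1/2) + controls the regulation maps onto
(step 3) + regulatory controls NIST lacks (step 4). Satisfied controls = what
the system's SSP implements itself + enterprise common controls it inherits.
Whatever is left becomes the POA&M, each entry carrying the citation(s) that
require it. Every set below is an illustrative subset; HIPAA-BAA and HIPAA-BN
are hypothetical IDs.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Steps 1/2: the NIST baseline (illustrative subset of the SP 800-53 low baseline).
NIST_LOW_BASELINE: Set[str] = {
    "AC-2", "AC-3", "AT-2", "AU-2", "CP-9", "IA-2",
    "IR-4", "IR-6", "MP-6", "PS-3", "RA-3", "SC-13",
}

# Step 3: HIPAA Security Rule citation -> NIST controls that satisfy it
# (illustrative, in the spirit of the SP 800-66 crosswalk; verify against it).
HIPAA_TO_NIST: Dict[str, Set[str]] = {
    "164.308(a)(1)(ii)(A) Risk analysis": {"RA-3"},
    "164.308(a)(6)(ii) Security incident procedures": {"IR-4", "IR-6"},
    "164.310(d)(1) Device and media controls": {"MP-6"},
    "164.312(a)(2)(iv) Encryption and decryption": {"SC-13", "SC-28"},
    "164.312(b) Audit controls": {"AU-2", "AU-6"},
    "164.312(d) Person or entity authentication": {"IA-2"},
    "164.312(e)(2)(ii) Encryption (transmission)": {"SC-8"},
}

# Step 4: regulatory requirements with no NIST counterpart (hypothetical IDs).
HIPAA_EXTRA_CONTROLS: Dict[str, str] = {
    "HIPAA-BAA": "164.308(b) Business associate contracts",
    "HIPAA-BN": "164.400-414 Breach notification",
}

# Enterprise common controls: provided once by the institution and inherited by
# every SSP that points at the ECC document (constructed set).
ENTERPRISE_COMMON_CONTROLS: Set[str] = {
    "AC-2", "AT-2", "AU-2", "AU-6", "IR-4", "IR-6", "PS-3", "HIPAA-BN",
}


@dataclass
class SystemSecurityPlan:
    name: str
    implemented: Set[str]      # controls the system implements itself
    inherits_ecc: bool = True  # whether the SSP points at the ECC document


@dataclass
class PoamEntry:
    control: str
    drivers: List[str]         # baseline and/or citations that require the control
    status: str = "open"       # accepted / transferred / mitigated / open


def required_controls(baseline: Set[str], mapping: Dict[str, Set[str]],
                      extra: Dict[str, str]) -> Dict[str, List[str]]:
    """Union of steps 1-4, keyed by control, remembering why each is required."""
    required: Dict[str, List[str]] = {}
    for control in baseline:
        required.setdefault(control, []).append("NIST low baseline")
    for citation, controls in mapping.items():
        for control in controls:
            required.setdefault(control, []).append(citation)
    for control, citation in extra.items():
        required.setdefault(control, []).append(citation)
    return required


def gap_analysis(ssp: SystemSecurityPlan, ecc: Set[str], baseline: Set[str],
                 mapping: Dict[str, Set[str]], extra: Dict[str, str]
                 ) -> Tuple[List[PoamEntry], List[str]]:
    """Return (POA&M entries for unsatisfied controls, controls satisfied by inheritance)."""
    required = required_controls(baseline, mapping, extra)
    inherited = ecc if ssp.inherits_ecc else set()
    satisfied = ssp.implemented | inherited
    gaps = [PoamEntry(control, sorted(drivers))
            for control, drivers in sorted(required.items())
            if control not in satisfied]
    return gaps, sorted(c for c in required if c in inherited)


def render_poam(gaps: List[PoamEntry]) -> List[str]:
    """One POA&M line per gap: control, who requires it, current status."""
    return [f"{g.control}: required by {'; '.join(g.drivers)} [{g.status}]" for g in gaps]


# Constructed SSP for a research cluster that handles ePHI.
SAMPLE_SSP = SystemSecurityPlan(
    name="research-hpc",
    implemented={"AC-3", "CP-9", "IA-2", "RA-3", "SC-13"},
)

if __name__ == "__main__":
    gaps, inherited = gap_analysis(SAMPLE_SSP, ENTERPRISE_COMMON_CONTROLS,
                                   NIST_LOW_BASELINE, HIPAA_TO_NIST, HIPAA_EXTRA_CONTROLS)
    print("inherited from ECC:", ", ".join(inherited))
    print("\n".join(render_poam(gaps)))
```

Two things the output makes visible that the prose alone does not: a control can be required by both the baseline and a HIPAA citation (MP-6 here), so the POA&M entry names both drivers, and flipping `inherits_ecc` off shows how much of the baseline a standalone system would otherwise have to implement and document itself.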
Train staff
• Mandate annual training for both management and staff responsible for the system.
• At IU three e-training modules must be completed:
1. The standard IU HIPAA training (covering the law and IU policies & procedures)
2. IU Human Subjects training
3. UITS-specific information on how HIPAA applies to the IT organization specifically, our policies & NIST procedures
• Document all security related training in a training log.
Train users and raise awareness
• Provide online training and awareness via a knowledge base, YouTube videos or other media, in-person classes, and email alerts.
• Can do things like launching your own phishing campaign against your users (with management's approval).
• Work individually with users; train them as you help them.
• Help them create their own (HIPAA) documentation describing how they are protecting their end.
Institute oversight/approval
• Have your authorities provide oversight (which may be required at your institution) and approval, or assign someone within your organization.
• At IU the completed compliance documentation package is sent to the IU HIPAA Compliance Office, the University Information Security Office, and Internal Audit.
Institute ongoing risk management
• Institute regular, ongoing risk management through:
• Regular reviews, risk re-assessments, and documentation updates.
• Continuous, automatic monitoring of systems.
• Annual training & awareness.
• Oversight.
• External assessments.
• Penetration testing.
• Campaigns (phishing, etc.)
5. Conclusion
Compliance is doable
• The government does not expect you to undertake herculean measures or build walled gardens.
• Cyber compliance requirements are all about best practices, something we should be doing anyway (and are, mostly).
• You likely have sufficiently good information security in place already. It doesn't take a gargantuan effort to go all the way.
Benefits
• A standards-based RMF implementation makes you rule/regulation proof.
• Customers with sensitive data will trust your shop, bringing in new business and funding.
• Your compliance folks will send people your way (ours do).
• You will better serve researchers/your mission.
The evolution of cybersecurity
• No one thinks cybersecurity is a solvable problem; the fixes aren't working despite huge cybersecurity budgets.
• A new approach called "resilience" is emerging.
• It treats the situation just like the medical establishment does human disease. You will be sick. You will be hacked. Period.
• The goal is to survive being hacked: be resilient.
• How? Prevent (defend, detect, remediate: baseline risk management), Respond (incident response), Recover (DR), and Refine (learn, adapt).
Links
• The HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• NIST SP 800-66 Rev. 1: An Introductory Resource Guide for Implementing the HIPAA Security Rule: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
• NIST SP 800-53A Rev. 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
• NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/
• NIST templates (email me)
Contact