HIPAA Security: Case Studies for Small to Medium Health Organizations (Compliance Methods)
Jeff Bardin, CISSP, CISM, NSA IAM, OCTAVE℠
Principal & CSO
Treadstone 71
www.treadstone71.com
Agenda
From Threat Agent to Safeguard
The NSA IAM Method
Criticality of Information Matrix
Systems Criticality Matrix
OCTAVE℠ Method
Human Actors Using Network Access
Threat Profile: System Problems
Basic Risk Profile
Initial Findings
Scorecards
HIPAA & ISO17799 Roadmap
Q&A
Threat Agent gives rise to Threat
Threat exploits Vulnerability
Vulnerability leads to Risk
Risk can damage Asset (ePHI)
Risk causes an Exposure
Exposure can be countermeasured by Safeguard
Safeguard directly affects Asset (ePHI)
Criticality of Information Matrix
Each information asset is rated H or M for Confidentiality, Integrity and Availability:
Patient Records
Medical Staff Records
Employee Records
Vendor Contracts
Employee Health Records
Legal Files (lawsuit information)
Contracts w/Agency People
Meeting Minutes (Board)
Survey Reports (Joint Commission (Medicare/Medicaid))
Docs – Security Eng Tests & Inspections
Patient Accounts
Financial Audits
Planning Documents (Strategic/Master Facility Plan)
Payroll Records
Psych/Drug/Alcohol/HIV
[Matrix cell ratings (the H/M value for each asset and property) are not recoverable from the extracted slide]
National Security Agency Information Assurance Methodology