Information Security ComplianceSystem Owner Training

Richard Gadsden

Information Security Office

Office of the CIO – Information Services

Sharon Knowles

Information Assurance Compliance

MUSC Medical Center

Overview

➲ Information Security Fundamentals➲ HIPAA Security vs. HIPAA Privacy

● How the two regulations differ● MUSC's compliance strategy

➲ New Security Responsibilities● Enterprise● Covered Entities● System Owners● Other individuals

Information Security Process

➲ The goal: protection of information assets from threats to their:

● availability● integrity● confidentiality

➲ Security is a process...● not a product● not really a state either● not “set it and forget it”

Information SecurityA Risk Management Process

➲ Risk management ● the process for making security decisions

➲ Steps in the process● identify significant risks● evaluate possible controls● implement the most cost-effective set of controls that

will keep risks within acceptable levels➲ Caveat: zero risk is not attainable

MUSC's Information Security PolicySystem Owners Are Responsible For...

➲ Ensuring that accurate and thorough risk assessments are conducted

and documented at appropriate points in the lifecycle of the System,

beginning prior to the System's implementation, and that the findings

are applied to the effective management of risks over the entire life of

the System.

➲ Ensuring that appropriate System-specific policies, procedures and

safeguards are developed and implemented, to comply with all

applicable MUSC policies, any applicable Entity policies, and all

applicable laws and regulations.

Information Assurance

➲ Standard of Due Care● duty is to protect against “all reasonably

anticipated threats” by implementing

“reasonable and appropriate” safeguards➲ Reasonable and appropriate

● ideally, minimum but sufficient controls● must avoid unacceptable risks● must avoid unnecessary expense

Reasonable and Appropriate

➲ How to achieve?● the risk management process

● assessment of risk● evaluation and selection of controls● approval, funding, implementation, operation

➲ How to verify?● the compliance process

● documentation● audits and other reviews

Information AssuranceCompliance Process

➲ Document the level of assurance● Are all security responsibilities clearly defined

and understood?● Is a sound (risk-based and cost-conscious)

decision-making process being followed?● Are security procedures documented?● Are procedures being followed?● Are controls working as intended?

HIPAA: Security Rule vs. Privacy Rule

➲ Security is more than just privacy● confidentiality, integrity, availability

➲ PHI vs. ePHI● all electronic (“computerized”) PHI is subject to both

the Privacy Rule and the Security Rule● telephone and fax communications are subject to the

Privacy Rule, but not the Security Rule ➲ Covered Entities (CEs)

● responsible for compliance with both regulations

Security vs. Privacy: MUSC

➲ Overall HIPAA compliance strategy● Organizational: MUSC OHCA comprised of 4 CEs

➲ Privacy Rule strategy● policies were set by each MUSC Entity

➲ Security Rule strategy● One set of enterprise-wide security policies

● these policies apply to all MUSC Entities● not just for HIPAA/ePHI, but for all types of protected

information

● 16 new policies and 1 updated policy were issued by

the Office of the President in Feb 2005

MUSC's Security Policies

➲ Computer Use Policy (updated)➲ Information Security Policies (new)

● Information Security, Risk Management, Evaluation,

Workforce Security, Awareness and Training, Incident

Response, Contingency Plan, Workstation Use,

Device and Media Controls, Access Control, Network

Access, Audit Controls, Person or Entity

Authentication, Data Integrity, Encryption,

Documentation

New Security Responsibilities

➲ Enterprise (Office of the CIO)➲ Covered Entities (CEs)➲ System Owners and System Administrators➲ Managers and Supervisors➲ Workforce members

Responsibilities: OCIO

➲ Information Security Office (ISO) will:● Document security architecture and plans● Coordinate development of enterprise policies,

standards, guidelines● Manage Enterprise-level safeguards● Develop shared tools and services● Direct MUSC's incident response team● Conduct vulnerability assessments

Covered Entities

➲ Each Entity will designate an Information Assurance Compliance Officer (IACO), who will:

● Monitor compliance (system owners, system

administrators, managers, supervisors,

workforce members)● Report violations of policy to appropriate

enforcement authorities● Ensure access to documentation and training

System Owners

➲ Each System must have a designated System Owner, who will:

● Assess and manage security risks● Risk assessments and risk management plans must be

documented if the system contains protected information (e.g.

ePHI)

● Ensure that appropriate safeguards are

implemented● Some safeguards are required only if the System contains

protected information (e.g. ePHI)

● Also, designate a System Administrator

MUSC Risk Management Standards

➲ Standards established for managing risk at 4 stages in the System life cycle

● Initiation● Development/Procurement● Implementation● Post-Implementation

● aka “Existing Systems”

Existing Systemsi.e. “Post-Implementation Stage”

➲ Have you...● Registered your system?● Designated a System Administrator?● Conducted a System risk assessment?● Implemented appropriate safeguards?

● administrative measures● physical security measures● technical measures● document, document, document...

Step 1.0: Review MUSC Policies, Standards and

Guidelines

➲ URL: http://www.musc.edu/security

Step 2.0: Document Current System Environment

and Personnel

➲ Deliverable: Security Documentation, Section 2 (System Identification)

● System Name● Key System Personnel● Functional Description● Key Components● System Boundaries● Relationships with other systems

● interfaces, interdependencies

Step 3.0: Document Current System-Specific

Security Procedures and Other Controls

➲ Deliverable: Security Documentation, Section 3 (Current System Procedures)

➲ Use the MUSC Information Security Policy Compliance Checklist for System Owners as a guide

➲ http://www.musc.edu/security/tools

Step 4.0: Identify and Analyze Potential Issues

➲ Deliverable: Risk Analysis Worksheet➲ http://www.musc.edu/security/tools➲ Priorities

● Address policy compliance gaps identified using

the Policy Checklist, or any other assessments● Decide how to address other risks identified

through formal risk analysis process

Step 5.0: Develop Security Plan

➲ Deliverable: Security Plan Summary➲ http://www.musc.edu/security/tools➲ Document your plan for resolving all known

compliance gaps● who● what● when

Step 6.0: Execute Security Plan

➲ Deliverables● Document changes made to system procedures

and other controls (Section 3, Current System

Procedures)● Progress and status reports as required by your

Entity's IACO

Are We There Yet?

➲ Security is never finished➲ Repeat the risk management cycle as

warranted by conditions● respond to environmental, operational, policy,

and/or regulatory changes➲ Evaluate the effectiveness of your System's

security measures● until your System is retired

➲ Set it and forget it? Not an option!