NIST HIPAA Security Rule Toolkit (presentation transcript)
Presented to the Association of American Medical Colleges (AAMC), February 15, 2012, by Kevin Stine, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.
NIST HIPAA Security Rule Toolkit
Kevin Stine, Computer Security Division
Information Technology Laboratory, National Institute of Standards and Technology
Association of American Medical Colleges (AAMC), February 15, 2012
NIST’s Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
(Photo credits: NIST; R. Rathe)
NIST’s work enables:
• Science
• Technology innovation
• Trade
• Public benefit
NIST works with:
• Industry
• Academia
• Government agencies
• Measurement labs
• Standards organizations
NIST Laboratories
Computer Security Division
A division within the Information Technology Lab, CSD conducts research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.
Some Major Activities
• Cryptographic Algorithms, Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, Post-Quantum Crypto, BIOS Security
• FISMA, Health IT, Smart Grid, Supply Chain, NICE, Crypto Validation Programs, Outreach and Awareness, Cyber Physical Systems, Voting
• Identity Management, Access Control, Biometric Standards, Cloud and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols
Types of NIST Publications
Federal Information Processing Standards (FIPS)
• Developed by NIST; approved and promulgated by the Secretary of Commerce
• Per FISMA, compulsory and binding for all federal agencies; not waiverable
• Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia)
Special Publications (SP 800 series)
• Per OMB policy, Federal agencies must follow NIST guidelines
• Voluntary adoption by non-Federal organizations
Other security-related publications
• NIST Interagency Reports
A Framework for Managing Risk
[Figure: Risk Management Framework process overview. Starting point: architecture description (architecture reference models; segment and solution architectures; mission and business processes; information system boundaries) and organizational inputs (laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations). Steps, repeated as necessary: Step 1 Categorize information system; Step 2 Select security controls; Step 3 Implement security controls; Step 4 Assess security controls; Step 5 Authorize information system; Step 6 Monitor security controls.]
Agenda
• HIPAA Security Rule Overview
• Toolkit Project
• Content Development
• The Toolkit Application
• Additional Information
HIPAA Security Rule (HSR) Overview
The HSR establishes national standards for a covered entity to protect individuals’ electronic personal health information (ePHI).
Who? From nationwide health plans with vast resources … to small provider practices with limited access to IT expertise and resources.
What? Standards and implementation specifications covering:
• Basic practices
• Security failures
• Risk management
• Personnel issues
How? It depends … on the size and scale of your organization.
HSR Toolkit Project
The purpose of this toolkit project is to help organizations …
• better understand the requirements of the HIPAA Security Rule (HSR)
• implement those requirements
• assess those implementations in their operational environments
What it IS…
• A self-contained, OS-independent application to support various environments (hardware/OS)
• Support for security content that other organizations can reuse over and over
• A useful resource among a set of tools and processes that an organization may use to assist in reviewing their HSR risk profile
• A freely available resource from NIST
What it is NOT…
• It is NOT a tool that produces a statement of compliance
• NIST is not a regulatory or enforcement authority
• Compliance is the responsibility of the covered entity
Intended Uses of the HSR Toolkit
• Supplement existing risk assessment processes conducted by Covered Entities and Business Associates
• Assist organizations in aligning security practices across multiple operating units
• Serve as input into an action plan for HSR Security implementation improvements
HSR Toolkit Project
The Toolkit project consists of three parallel efforts:
• Content Development
• Desktop Application Development
• Security Automation
Multiple iterations
Content Development
Using the HIPAA Security Rule and NIST Special Publications (800-66, 800-53, 800-53A), we developed questions designed to assist in the implementation of the Security Rule.
Example mapping from a HIPAA Security Rule requirement to a specific question that addresses it:
HIPAA Security Rule: §164.308(a)(3)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Maps to
Question HSR.A53: Has your organization established chains of command and lines of authority for workforce security?
Response type: Boolean
• Yes: If yes, do you have an organizational chart?
• No: If no, provide explanation text
Content Development
This effort has resulted in …
• Two sets of questions:
  • an “Enterprise” set with nearly 900 questions
  • a “Standard” set with about 600 questions (a subset)
• With dependence and parent-child relationship mappings
• Covering all HSR standards and implementation specifications
Security Automation
• Utilizing standards-based security automation specifications – such as XCCDF, OVAL, OCIL – to implement those questions into a toolkit application that is “loosely coupled”
• Enables existing commercial tools that process security automation content to use the content (not locked down)
• Provides consistent and repeatable processes
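As an added illustration of the content model described in the Content Development and Security Automation sections above (Boolean questions mapped to a Security Rule citation, yes/no follow-ups, and parent-child dependency mappings), here is a small Python questionnaire engine. It is not code from the NIST toolkit and does not implement OCIL or XCCDF; the HSR.A53 question and its §164.308(a)(3)(A) mapping are taken from the slides, while the child questions HSR.A53.1 and HSR.A53.2, the function names and the answer format are assumptions made for this example.

```python
"""Added example, not code from the NIST HSR Toolkit: a minimal questionnaire
engine modelling toolkit-style content (Boolean questions mapped to HSR
citations, yes/no follow-ups, and parent-child dependencies)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str                              # toolkit-style identifier, e.g. HSR.A53
    text: str
    citation: str                         # HSR section this question maps to
    parent: Optional[str] = None          # child applies only if parent answered "yes"
    yes_followup: Optional[str] = None    # prompt shown on a "yes" answer
    no_followup: str = "Provide explanation text"   # a "no" always needs an explanation


# Constructed sample content. HSR.A53 and its §164.308(a)(3)(A) mapping come from
# the slides; HSR.A53.1 and HSR.A53.2 are hypothetical children added for the example.
SAMPLE_CONTENT: List[Question] = [
    Question("HSR.A53",
             "Has your organization established chains of command and lines of "
             "authority for workforce security?",
             "§164.308(a)(3)(A)", yes_followup="Do you have an organizational chart?"),
    Question("HSR.A53.1", "Is the organizational chart reviewed when roles change?",
             "§164.308(a)(3)(A)", parent="HSR.A53"),
    Question("HSR.A53.2", "Is a supervisor identified for every workforce member "
             "who accesses ePHI?", "§164.308(a)(3)(A)", parent="HSR.A53"),
]

Answers = Dict[str, bool]   # qid -> True (yes) / False (no); absent = unanswered


def validate_answers(content: List[Question], answers: Answers) -> None:
    """Reject answers for unknown questions or non-Boolean values."""
    known = {q.qid for q in content}
    for qid, value in answers.items():
        if qid not in known:
            raise KeyError(f"unknown question id {qid!r}")
        if not isinstance(value, bool):
            raise TypeError(f"answer to {qid} must be True/False, got {value!r}")


def in_scope(content: List[Question], answers: Answers) -> List[Question]:
    """Questions currently applicable: top-level ones, plus children whose
    whole chain of parents has been answered 'yes'."""
    validate_answers(content, answers)
    by_id = {q.qid: q for q in content}
    result = []
    for q in content:
        node = q
        while node.parent is not None and answers.get(node.parent) is True:
            node = by_id[node.parent]          # climb while each parent is a "yes"
        if node.parent is None:                # reached the top: every ancestor said yes
            result.append(q)
    return result


def progress(content: List[Question], answers: Answers) -> Tuple[int, int]:
    """(answered, applicable): what a progress bar over the in-scope set would show."""
    scope = in_scope(content, answers)
    return sum(1 for q in scope if q.qid in answers), len(scope)


def flagged(content: List[Question], answers: Answers) -> List[Tuple[str, str, str]]:
    """Items needing follow-up: every 'no' (explanation required) and every
    'yes' that carries a follow-up prompt."""
    items = []
    for q in in_scope(content, answers):
        value = answers.get(q.qid)
        if value is False:
            items.append((q.qid, "NO", q.no_followup))
        elif value is True and q.yes_followup:
            items.append((q.qid, "YES", q.yes_followup))
    return items


def coverage_by_citation(content: List[Question], answers: Answers) -> Dict[str, Dict[str, int]]:
    """Per HSR citation: in-scope questions, how many are answered, and how
    many 'no' answers (gaps against that citation) remain."""
    summary: Dict[str, Dict[str, int]] = {}
    for q in in_scope(content, answers):
        row = summary.setdefault(q.citation, {"total": 0, "answered": 0, "gaps": 0})
        row["total"] += 1
        if q.qid in answers:
            row["answered"] += 1
            if answers[q.qid] is False:
                row["gaps"] += 1
    return summary


if __name__ == "__main__":
    answers = {"HSR.A53": True, "HSR.A53.1": False}   # constructed sample responses
    done, total = progress(SAMPLE_CONTENT, answers)
    print(f"progress: {done}/{total}")
    for qid, value, prompt in flagged(SAMPLE_CONTENT, answers):
        print(f"{qid} [{value}] -> {prompt}")
    print(coverage_by_citation(SAMPLE_CONTENT, answers))
```

The point of the dependency handling is that a child question only counts toward progress, and can only be flagged, once its parent has been answered "yes"; a "no" on the parent removes the whole subtree from scope, which is the behaviour a reviewer wants so that gap counts per citation reflect only questions the organization was actually asked.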
Associated HSR Toolkit Resources
• A comprehensive User Guide
• Examples of how to use and operate the Toolkit
Partner entities that are assisting in defining functionality and usability:
• A state Medicaid Office
• A specialty clearinghouse
• A community hospital
• A non-profit regional hospital
Toolkit walkthrough (screenshots in the original slides):
• Toolkit: Download the Application
• Toolkit: Create a Profile
• Toolkit: Organized by Safeguard Family
• Toolkit: Explore the Application Interface (elements shown: Navigation Menu, Selected Question, References, Responses, Attachments, Flag Level, Progress Bar, Comments)
• Toolkit: Answer Questions
• Toolkit: Generate Reports
Useful Resources
• HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa
• Computer Security Resource Center (CSRC): http://csrc.nist.gov
• NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html
Questions
Thank You
Kevin Stine, Computer Security Division
Information Technology Laboratory, National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov