Roadmap to IT Security Best Practices

DESCRIPTION
One of the core Meaningful Use measures requires providers to perform a security audit to ensure the protection of patient information. Learn more about what a security audit should entail, as well as potential risks and how configuration options within the SuccessEHS solution can be used to protect patient data.

TRANSCRIPT
Roadmap to IT Security Best Practices
Justin Copeland, President, Triggerfish Corporation
Outline
• Why is it important?
• How to start…
• Best practices
• Information you can use…
– Remote Users – CMS Guidance
– Meaningful Use – Security Risk Analysis
– Systems Log Management
– IT Security Roadmap
Objective of IT Security
• The ideal system will protect against unauthorized use of information systems for one second longer than the maximum limits of frustration and tenacity of the worst hacker, or until the information is no longer of value.
Why is it important?
• In a post-HIPAA era, IT security is increasingly requiring us to operationalize many of the practices that have been contained in “policy” for several years.
• The risk of disclosure is quite real and the cost of non-compliance is ever increasing.
• If it hasn’t already… IT Security will likely start showing up in your operating budget!
IT Security – How to start…
1. Identify the protection needed
2. Select the methods to protect
3. Plan for detection, recovery and response
Step 1
• What to protect?
– Electronic Protected Health Information (EPHI)
– Billing systems
– Proprietary business information
Step 2
• Identify most cost-effective methods to protect critical assets.
– Role-based security
– Policies & operational procedures
– Intrusion Detection and Response
– Auditing
Step 3
• Pre-plan your response to an attack
– Identification of security breach scenarios
– Response procedures after an attack
– Incident reporting and corrective actions
Best Practices
1. Strong Authentication of users
2. Enterprise-wide authentication
3. User access validation
4. Expanded audit trails
Best Practices…People Security
• Background checks
• Auditing of system access
• Ensure credentials of system administrators are retrievable in the event of a separation
• Training
Best Practices…Social Engineering
• Use of non-technical means to get information that allows unauthorized access.
– Forbid exchange of passwords among employees for any reason
– Train staff to deal with social techniques used to gain unauthorized access to PHI
Best Practices…Policies
• User Passwords
• Physical Security
• Intrusion Detection
• Disaster Recovery testing
Best Practices…Process Security
• Integrate security into disaster recovery plan
• Regulatory requirements
• Accidental disclosures, deletions or alterations
• Threat Analysis
• Security Checklists
• Change control processes
Info you can use…
Security Guidance for Remote Users
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
Security Guidance for Remote Users
• CMS has offered additional guidance related to safeguarding the confidentiality, integrity and availability of EPHI under the HIPAA Security Rule.
Security Guidance for Remote Users
• This guidance focuses on:
1) The use of portable media/devices (such as USB flash drives) that store EPHI
2) Offsite access or transport of EPHI via laptops, PDAs, home computers or other non-corporate equipment
Security Guidance for Remote Users
Risk Analysis
• Three groupings of risk:
1) Access
2) Storage
3) Transmission

Security Guidance for Remote Users
Risk Analysis
• Policies require training
• Addressing security incidents and noncompliance
• Discuss possible Risk Management Strategies
Security Guidance for Remote Users
Access Risk Mitigation Strategies
• Implement two-factor authentication
• Implement specific processes for authorizing remote users
• Establish procedures for session termination on inactive devices

Security Guidance for Remote Users
Access Risk Mitigation Strategies
• Install personal firewall software on all devices that store EPHI
• Install, use and update virus-protection software on all devices that access EPHI
Security Guidance for Remote Users
Storing Risk Mitigation Strategies
• Implement process for maintaining inventory and record of movement of devices containing EPHI
• Require lock-down of unattended laptops

Security Guidance for Remote Users
Storing Risk Mitigation Strategies
• Password protect files and devices containing EPHI
• Require that portable devices containing EPHI employ encryption

Security Guidance for Remote Users
Storing Risk Mitigation Strategies
• Develop processes to rollout security updates to portable devices
• Consider the use of biometrics on portable devices

Security Guidance for Remote Users
Storing Risk Mitigation Strategies
• Establish EPHI deletion and media disposal policies
• Install virus-protection on devices that store EPHI
Security Guidance for Remote Users
Transmitting Risk Mitigation Strategies
• Prohibit transmission of EPHI via open network
• Prohibit use of offsite devices or WAP for non-secure access to email

Security Guidance for Remote Users
Transmitting Risk Mitigation Strategies
• Use more secure connections for email via SSL and the use of message-level standards such as S/MIME, SET, PEC, PGP, etc.

Security Guidance for Remote Users
Transmitting Risk Mitigation Strategies
• Implement and mandate strong encryption solutions for transmission of EPHI (e.g. SSL, HTTPS, etc.)

Security Guidance for Remote Users
Transmitting Risk Mitigation Strategies
• Install virus-protection software on portable devices that can be used to transmit EPHI
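Enforcing the transmission mitigations above in a client that sends EPHI, as an added Python example that is not from the presentation or any product it mentions. It shows the two gates that must pass before a byte leaves: the destination is not an open (http://) network, and the TLS context actually verifies the server. The function names, the TLS 1.2 floor and the injectable transport are assumptions of this example.

```python
"""Added example: refuse open-network destinations and unverified TLS contexts
before transmitting EPHI. Function names and the TLS 1.2 floor are assumed."""
from __future__ import annotations

import socket
import ssl
from typing import Callable
from urllib.parse import urlparse


class InsecureTransportError(Exception):
    """Raised rather than letting EPHI leave over an open or unverified channel."""


def build_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server's certificate chain and hostname
    and refuses anything older than TLS 1.2 (assumed policy floor)."""
    ctx = ssl.create_default_context()  # system CA bundle, CERT_REQUIRED by default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The configuration to avoid: with verification off, any certificate is
    accepted, so the 'encrypted' session may terminate at an interceptor."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Policy check a deployment script can run over any context it is handed."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def destination_for_ephi(url: str) -> tuple[str, int]:
    """Only https:// destinations may receive EPHI; plain http:// is an open network."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureTransportError(f"refusing to send EPHI via {parts.scheme or 'unknown'}://")
    return parts.hostname, parts.port or 443


def _tls_transport(host: str, port: int, ctx: ssl.SSLContext, payload: bytes) -> int:
    """Real transport: wrap a TCP socket with the verified context and send."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return len(payload)


def send_ephi(url: str, payload: bytes, ctx: ssl.SSLContext,
              transport: Callable[[str, int, ssl.SSLContext, bytes], int] = _tls_transport) -> int:
    """Both gates run before any byte leaves: destination scheme, then context policy."""
    host, port = destination_for_ephi(url)
    if not context_is_acceptable(ctx):
        raise InsecureTransportError("TLS context does not verify the server")
    return transport(host, port, ctx, payload)
```

The transport is injectable so the gating logic can be exercised without a network; the default path uses the context to wrap a real socket. A context_is_acceptable check belongs in deployment tests as well, since the weak configuration is a one-line change that leaves the traffic looking encrypted.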
Info you can use…
System Log File Management
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
System Log Management
• Establish policies and procedures for log management
• Prioritize Log Management appropriately throughout the organization

System Log Management
• Create and maintain a log management infrastructure
• Provide proper support for all staff with log management responsibilities
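What an expanded audit trail and a log-management process deliver once the records reach a reviewer, as an added Python example that is not from NIST SP 800-92, the presentation or SuccessEHS. It parses EPHI access records, rejects incomplete ones (an audit trail that omits who, what, when or outcome is not reviewable), and flags after-hours record access, repeated login failures and one user touching an unusual number of charts. The JSON-lines layout, the thresholds and the sample records are all constructed for this example.

```python
"""Added example: reviewer for constructed EPHI access audit records.
Record layout, thresholds and sample lines are assumptions of this example."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

REQUIRED_FIELDS = ("ts", "user", "action", "outcome")   # who, what, when, outcome
EPHI_ACTIONS = {"view_chart", "export", "print"}
BUSINESS_HOURS = range(7, 19)        # assumed policy: 07:00-18:59 local time
LOGIN_FAILURE_THRESHOLD = 5          # assumed policy values
DISTINCT_PATIENT_THRESHOLD = 3

# Constructed sample audit log, one JSON record per line.
SAMPLE_LOG = """\
{"ts": "2011-05-02T09:14:03", "user": "nurse.kim", "action": "view_chart", "patient": "P1001", "outcome": "success"}
{"ts": "2011-05-02T09:15:40", "user": "nurse.kim", "action": "view_chart", "patient": "P1002", "outcome": "success"}
{"ts": "2011-05-02T02:11:09", "user": "billing.lee", "action": "export", "patient": "P1003", "outcome": "success"}
{"ts": "2011-05-02T10:00:01", "user": "dr.ortiz", "action": "login", "patient": null, "outcome": "failure"}
{"ts": "2011-05-02T10:00:07", "user": "dr.ortiz", "action": "login", "patient": null, "outcome": "failure"}
{"ts": "2011-05-02T10:00:12", "user": "dr.ortiz", "action": "login", "patient": null, "outcome": "failure"}
{"ts": "2011-05-02T10:00:18", "user": "dr.ortiz", "action": "login", "patient": null, "outcome": "failure"}
{"ts": "2011-05-02T10:01:00", "user": "dr.ortiz", "action": "login", "patient": null, "outcome": "failure"}
{"ts": "2011-05-02T11:30:00", "user": "temp.ross", "action": "view_chart", "patient": "P1004", "outcome": "success"}
{"ts": "2011-05-02T11:30:20", "user": "temp.ross", "action": "view_chart", "patient": "P1005", "outcome": "success"}
{"ts": "2011-05-02T11:30:41", "user": "temp.ross", "action": "view_chart", "patient": "P1006", "outcome": "success"}
{"ts": "2011-05-02T11:31:05", "user": "temp.ross", "action": "view_chart", "patient": "P1007", "outcome": "success"}
{"ts": "2011-05-02T11:40:00", "user": "contractor.x", "action": "view_chart", "patient": "P1008"}
"""


def parse_log(text: str) -> tuple[list[dict], list[dict]]:
    """Return (complete records, findings). Unparseable or incomplete lines become
    findings rather than being silently dropped, so gaps in the trail are visible."""
    records, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"kind": "unparseable_record", "user": None, "line": lineno})
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append({"kind": "incomplete_record", "user": rec.get("user"),
                             "line": lineno, "missing": missing})
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, findings


def review(records: list[dict]) -> list[dict]:
    """Apply the three detection rules over complete records."""
    findings = []
    failures: dict[str, int] = defaultdict(int)
    patients: dict[str, set] = defaultdict(set)
    for rec in records:
        if rec["action"] in EPHI_ACTIONS and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append({"kind": "after_hours_access", "user": rec["user"],
                             "patient": rec.get("patient")})
        if rec["action"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]] += 1
        if rec["action"] in EPHI_ACTIONS and rec.get("patient"):
            patients[rec["user"]].add(rec["patient"])
    for user, n in failures.items():
        if n >= LOGIN_FAILURE_THRESHOLD:
            findings.append({"kind": "repeated_login_failures", "user": user, "count": n})
    for user, seen in patients.items():
        if len(seen) > DISTINCT_PATIENT_THRESHOLD:
            findings.append({"kind": "bulk_record_access", "user": user, "count": len(seen)})
    return findings


def audit(text: str) -> list[dict]:
    """Parse then review; trail-quality findings come first."""
    records, findings = parse_log(text)
    return findings + review(records)
```

The thresholds are deliberately low so the constructed sample trips every rule; in an organization they come out of the log-management policy the slides ask for, and the output of a reviewer like this is what the "incident reporting and corrective actions" step consumes.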
Info you can use…
Stage One Criteria for Meaningful Use
Core Measure
“Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”
Meaningful Use
• While this is really nothing new, this initiative requires participants to further demonstrate compliance with 45 CFR 164.308(a)(1) of the Final Rule (HIPAA Security).
Meaningful Use
• Conduct or review a security risk analysis
• Implement security updates as necessary and correct identified security deficiencies as part of its risk management process
• This is not a “check the box” type of activity
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Sample Roadmap
Resources
• NIST – http://csrc.nist.gov
• HIMSS Privacy & Security Toolkit – http://www.himss.org
This PowerPoint was presented at the 2011 SuccessEHS Customer Conference.
www.successehs.com