Roadmap to IT Security Best Practices
Justin Copeland, President, Triggerfish Corporation

Uploaded by greenway-health, 07-May-2015

DESCRIPTION

One of the core Meaningful Use measures requires providers to perform a security audit to ensure the protection of patient information. Learn more about what a security audit should entail, the potential risks, and how configuration options within the SuccessEHS solution can be used to protect patient data.

TRANSCRIPT

Page 1: Roadmap to IT Security Best Practices

Justin Copeland, President, Triggerfish Corporation

Page 2: Outline

• Why is it important?
• How to start…
• Best practices
• Information you can use…
  – Remote Users – CMS Guidance
  – Meaningful Use – Security Risk Analysis
  – Systems Log Management
  – IT Security Roadmap

Page 3: Objective of IT Security

• The ideal system will protect against unauthorized use of information systems for one second longer than the limits of frustration and tenacity of the most determined attacker, or until the information is no longer of value.

Page 4: Why is it important?

• In a post-HIPAA era, IT security increasingly requires us to operationalize practices that have existed only as “policy” for several years.

• The risk of disclosure is quite real, and the cost of non-compliance is ever increasing.

• If it hasn’t already, IT security will likely start showing up in your operating budget.

Page 5: IT Security – How to start…

1. Identify the protection needed
2. Select the methods to protect
3. Plan for detection, response and recovery

Page 6: Step 1

• What to protect?
  – Electronic Protected Health Information (EPHI)
  – Billing systems
  – Proprietary business information

Page 7: Step 2

• Identify the most cost-effective methods to protect critical assets.
  – Role-based security
  – Policies & operational procedures
  – Intrusion detection and response
  – Auditing

Page 8: Step 3

• Pre-plan your response to an attack
  – Identification of security breach scenarios
  – Response procedures after an attack
  – Incident reporting and corrective actions

Page 9: Best Practices

1. Strong authentication of users
2. Enterprise-wide authentication
3. User access validation
4. Expanded audit trails

Page 10: Best Practices…People Security

• Background checks
• Auditing of system access
• Ensure credentials of system administrators are retrievable in the event of a separation
• Training

Page 11: Best Practices…Social Engineering

• Use of non-technical means to get information that allows unauthorized access.
  – Forbid exchange of passwords among employees for any reason
  – Train staff to recognize and deal with social-engineering techniques used to gain unauthorized access to PHI

Page 12: Best Practices…Policies

• User passwords
• Physical security
• Intrusion detection
• Disaster recovery testing

Page 13: Best Practices…Process Security

• Integrate security into the disaster recovery plan
• Regulatory requirements
• Accidental disclosures, deletions or alterations
• Threat analysis
• Security checklists
• Change control processes

Page 14: Info you can use…

Security Guidance for Remote Users
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

Page 15: Security Guidance for Remote Users

• CMS has offered additional guidance related to safeguarding the confidentiality, integrity and availability of EPHI under the HIPAA Security Rule.

Page 16: Security Guidance for Remote Users

• This guidance focuses on:
  1) The use of portable media/devices (such as USB flash drives) that store EPHI
  2) Offsite access to or transport of EPHI via laptops, PDAs, home computers or other non-corporate equipment

Page 17: Security Guidance for Remote Users – Risk Analysis

• Three groupings of risk:
  1) Access
  2) Storage
  3) Transmission

Page 18: Security Guidance for Remote Users – Risk Analysis

• Policies require training
• Addressing security incidents and noncompliance
• Discuss possible risk management strategies

Page 19: Security Guidance for Remote Users – Access Risk Mitigation Strategies

• Implement two-factor authentication
• Implement specific processes for authorizing remote users
• Establish procedures for session termination on inactive devices

Page 20: Security Guidance for Remote Users – Access Risk Mitigation Strategies

• Install personal firewall software on all devices that store EPHI
• Install, use and update virus-protection software on all devices that access EPHI

Page 21: Security Guidance for Remote Users – Storage Risk Mitigation Strategies

• Implement a process for maintaining an inventory and record of movement of devices containing EPHI
• Require lock-down of unattended laptops

Page 22: Security Guidance for Remote Users – Storage Risk Mitigation Strategies

• Password-protect files and devices containing EPHI
• Require that portable devices containing EPHI employ encryption

Page 23: Security Guidance for Remote Users – Storage Risk Mitigation Strategies

• Develop processes to roll out security updates to portable devices
• Consider the use of biometrics on portable devices

Page 24: Security Guidance for Remote Users – Storage Risk Mitigation Strategies

• Establish EPHI deletion and media disposal policies
• Install virus protection on devices that store EPHI

Page 25: Security Guidance for Remote Users – Transmission Risk Mitigation Strategies

• Prohibit transmission of EPHI via open networks
• Prohibit use of offsite devices or wireless access points (WAPs) for non-secure access to email

Page 26: Security Guidance for Remote Users – Transmission Risk Mitigation Strategies

• Use more secure connections for email via SSL, and message-level standards such as S/MIME, SET, PEM, PGP, etc.

Page 27: Security Guidance for Remote Users – Transmission Risk Mitigation Strategies

• Implement and mandate strong encryption solutions for transmission of EPHI (e.g. SSL, HTTPS, etc.)
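The transmission slides mandate encrypted transport and, being from 2011, say "SSL"; today the same requirement means TLS 1.2 or later, since SSLv3 and TLS 1.0/1.1 are deprecated (RFC 7568, RFC 8996). In practice the control fails less often because encryption is missing than because the client encrypts but never verifies the server certificate, which lets anyone on the path terminate the connection with their own certificate and read the EPHI. The following added example (not code from the deck or from any SuccessEHS component) shows that weak client configuration beside a hardened one using Python's standard `ssl` module, with an audit function that lists which policy points a given context violates so the check can be run against existing integration scripts. The host name in the connection helper is a placeholder.

```python
"""Transport policy for EPHI transfers: weak vs hardened TLS client contexts (added example)."""
import socket
import ssl


def insecure_legacy_context() -> ssl.SSLContext:
    """The pattern found in many old integration scripts: the channel is
    encrypted, but with no certificate or hostname verification any on-path
    attacker can present their own certificate and the client will accept it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ephi_transport_context() -> ssl.SSLContext:
    """Hardened client context: system trust store, certificate and hostname
    verification, TLS 1.2 as the floor, and compression disabled (CRIME)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + default CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Returns the policy violations of a context; an empty list means it complies."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 allowed")
    return problems


def open_ephi_connection(host: str, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connects with the hardened context. A bad certificate raises
    ssl.SSLCertVerificationError; a server that cannot do TLS 1.2 raises
    ssl.SSLError. There is deliberately no fallback to a weaker channel."""
    ctx = ephi_transport_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("legacy  :", audit_tls_context(insecure_legacy_context()))
    print("hardened:", audit_tls_context(ephi_transport_context()))
    # Example (placeholder host): open_ephi_connection("ehr.example.org").close()
```

Whether the legacy context also reports the protocol-floor violation depends on the platform: distributions that set `MinProtocol = TLSv1.2` in the system OpenSSL configuration raise the floor for every context, while others leave it at the library minimum. The two verification failures are reported everywhere, and those are the ones that turn an encrypted channel into a decorative one.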

Page 28: Security Guidance for Remote Users – Transmission Risk Mitigation Strategies

• Install virus-protection software on portable devices that can be used to transmit EPHI

Page 29: Info you can use…

System Log File Management
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

Page 30: System Log Management

• Establish policies and procedures for log management
• Prioritize log management appropriately throughout the organization

Page 31: System Log Management

• Create and maintain a log management infrastructure
• Provide proper support for all staff with log management responsibilities
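The deck calls for auditing of system access (Step 2), expanded audit trails (Best Practices) and a log management infrastructure (the two slides above), but a log that nobody queries is only storage. The following added example (not code from the deck, from SuccessEHS or from NIST SP 800-92) runs three reviews a practice can apply to an EHR access log extract: failed-login bursts and the success that follows one, successful chart views outside business hours, and a user opening more distinct patient records in an hour than their role plausibly needs. The log lines and their `key=value` layout are constructed for this example and are not the format of any real product; the thresholds are starting points to tune against the practice's own volumes.

```python
"""Audit-trail review over EHR access logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2011-03-14T08:02:11 user=rsmith action=LOGIN src=10.0.4.31 result=OK
2011-03-14T08:03:40 user=rsmith action=VIEW_CHART patient=MRN-10234 src=10.0.4.31 result=OK
2011-03-14T12:30:05 user=jdoe action=LOGIN src=10.0.4.22 result=FAIL
2011-03-14T12:30:21 user=jdoe action=LOGIN src=10.0.4.22 result=FAIL
2011-03-14T12:30:39 user=jdoe action=LOGIN src=10.0.4.22 result=FAIL
2011-03-14T12:30:58 user=jdoe action=LOGIN src=10.0.4.22 result=FAIL
2011-03-14T12:31:15 user=jdoe action=LOGIN src=10.0.4.22 result=FAIL
2011-03-14T12:31:30 user=jdoe action=LOGIN src=10.0.4.22 result=OK
2011-03-14T14:00:00 user=rsmith action=VIEW_CHART patient=MRN-10001 src=10.0.4.31 result=OK
2011-03-14T14:05:00 user=rsmith action=VIEW_CHART patient=MRN-10002 src=10.0.4.31 result=OK
2011-03-14T14:10:00 user=rsmith action=VIEW_CHART patient=MRN-10003 src=10.0.4.31 result=OK
2011-03-14T14:15:00 user=rsmith action=VIEW_CHART patient=MRN-10004 src=10.0.4.31 result=OK
2011-03-14T23:41:02 user=tnguyen action=VIEW_CHART patient=MRN-55012 src=192.168.9.7 result=OK
"""


def parse_log(text):
    """Parses `ts key=value ...` lines into dicts with a datetime `ts`, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, _, rest = line.partition(" ")
        event = dict(tok.split("=", 1) for tok in rest.split())
        event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    events.sort(key=lambda e: e["ts"])   # sliding windows below assume time order
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flags `threshold` failed logins per user within `window`, and any successful
    login that follows such a burst inside the window (a likely guessed password)."""
    bursts, successes = [], []
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    burst_until = {}             # user -> time until which a success is suspicious
    for e in events:
        if e.get("action") != "LOGIN":
            continue
        user, ts = e["user"], e["ts"]
        if e.get("result") == "OK":
            if user in burst_until and ts <= burst_until[user]:
                successes.append({"user": user, "ts": ts, "src": e.get("src")})
            continue
        q = fails[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bursts.append({"user": user, "failures": len(q), "first": q[0],
                           "last": ts, "src": e.get("src")})
            burst_until[user] = ts + window
            q.clear()            # one alert per burst, not one per extra failure
    return bursts, successes


def after_hours_ephi_access(events, business_start=7, business_end=19):
    """Returns successful chart views outside business hours (log-local time)."""
    return [e for e in events
            if e.get("action") == "VIEW_CHART" and e.get("result") == "OK"
            and not business_start <= e["ts"].hour < business_end]


def excessive_record_access(events, max_patients=3, window=timedelta(hours=1)):
    """Flags a user the first time they view more than `max_patients` distinct
    patients within `window`: a crude but useful record-snooping indicator."""
    findings, flagged = [], set()
    recent = defaultdict(deque)  # user -> (ts, patient) pairs inside the window
    for e in events:
        if e.get("action") != "VIEW_CHART" or e.get("result") != "OK" or "patient" not in e:
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_patients and e["user"] not in flagged:
            flagged.add(e["user"])
            findings.append({"user": e["user"], "distinct_patients": len(distinct),
                             "window_end": e["ts"]})
    return findings


def review_audit_trail(text):
    """Runs every check over one log extract and returns the findings by type."""
    events = parse_log(text)
    bursts, successes = failed_login_bursts(events)
    return {"failed_login_bursts": bursts,
            "login_success_after_burst": successes,
            "after_hours_ephi_access": after_hours_ephi_access(events),
            "excessive_record_access": excessive_record_access(events)}


if __name__ == "__main__":
    for kind, items in review_audit_trail(SAMPLE_LOG).items():
        print(kind, len(items), items)
```

On the constructed sample the review reports one five-failure burst for jdoe followed by a successful login, one after-hours chart view by tnguyen, and rsmith exceeding three distinct patients in an hour. The after-hours check is the one that most needs local tuning: on-call clinicians make legitimate night-time accesses, so the finding is a review queue item rather than an alert.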

Page 32: Info you can use…

Stage One Criteria for Meaningful Use – Core Measure

“Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”

Page 33: Meaningful Use

• While this is really nothing new, this initiative requires participants to further demonstrate compliance with 45 CFR 164.308(a)(1) of the Final Rule (HIPAA Security).

Page 34: Meaningful Use

• Conduct or review a security risk analysis
• Implement security updates as necessary and correct identified security deficiencies as part of the risk management process
• This is not a “check the box” type of activity

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Page 35: Sample Roadmap

Page 36: Resources

• NIST – http://csrc.nist.gov
• HIMSS Privacy & Security Toolkit – http://www.himss.org

Page 37

This PowerPoint was presented at the 2011 SuccessEHS Customer Conference.

www.successehs.com