Presented to OUHSC Policies and Procedures Workshop
IT Information Security Services
Why is Information Security important to you?
What would happen if you lost the use of your computer or information for 1 day, 1 week, forever?
Information Security can help protect your computer and data from cyber threats. Our goal is to keep you safe online by showing you how to protect your information from common threats.

Agenda:
Information Security Program
Business Value
Business Drivers
Managing Risk
Building Trust

Business Value of Information Security: Protection of mission critical information
Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Information Security allows us to maintain important business affiliate agreements, such as secure email between business associates (St. Francis, etc.).
Protection of mission critical information:
Electronic Health Records
Credit Card Numbers
Student Records
Personally Identifiable Information

Information Security provides:
Confidentiality: information is disclosed only to those authorized
Availability: information is accessible when required
Integrity: information is accurate, authentic, complete and reliable
Information Security provides the right data, to the right people, at the right time.

Business Value of Information Security: Maximize Business Opportunities
Business opportunity: $19.2 billion from ARRA (American Recovery and Reinvestment Act) incentives
Payments of $44,000 - $64,000 per physician, to providers who:
Demonstrate proper implementation of EHRs
Compliance
Manage risks

Business opportunity: Electronic commerce
100,000 credit card transactions
$17,500,000 annual amount
Business Value of Information Security: Protection of mission critical information, in order to:
Minimize risk
Support academic, research and health care business continuity and opportunities
Information Security allows us to maintain important business affiliate agreements:
VA and HCA Network Connectivity Agreements
Secure email transmission between HCA & OUHSC

Business value:
A reputation that took decades to build can be threatened by a single event.
Business Drivers:
Clinical systems (managed university computer, protected network)
Research systems (semi-managed computer, open network)
Business/Financial/Legal systems (managed university computer, protected network)
Classroom/library systems (managed and unmanaged computers, open network)
Student systems (unmanaged computer, open network)
Mobile systems (managed and unmanaged computer, open network)
Home systems (unmanaged computer, open network)
Criminal systems

Business Drivers: Our diverse IT environment
Different management, connectivity needs, risks. It's a jungle out there!

Business Drivers: Increasing risks of doing business
Risks increase as the threats, consequences, complexity and inter-dependencies of information systems increase.

Business Drivers: Regulations. The government responds:
HIPAA
Health Information Technology for Economic and Clinical Health (HITECH) Act
Payment Card Industry (PCI) Data Security Standard
eDiscovery Rules of Civil Procedure
State Data Breach Notification
FTC Red Flag Identity Theft Prevention
Family Educational Rights and Privacy Act (FERPA)- rev x
Regulations: HIPAA (Health Insurance Portability and Accountability Act)
Encourage use of Electronic Health Records (EHR)
Ensure the privacy and security of the EHR
HIPAA's requirements are meant to encourage healthcare organizations to move patient information handling activities from manual to electronic systems in order to improve security, lower costs, and lower the error rate.
For virtually all healthcare-related organizations (especially providers, payers and IT vendors), becoming HIPAA compliant will be a multi-year, large cost, institution-wide effort.
Failure to comply will result in significant monetary penalties and, in the case of patient privacy breaches, criminal penalties (100%).
HIPAA compliance is better focused as a business issue than as an IT issue, although IT will play a major role in implementing compliant systems.
Large and medium sized organizations will need a full-time high-level person to head the HIPAA compliance effort, and other FTEs will be required.

HIPAA: General Rules
Implement safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information (ePHI).
Letting the good guys in and keeping the bad guys out.
Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.
Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

HIPAA: Security Categories
Administrative safeguards
Physical safeguards
Technical safeguards

HIPAA: Security Categories - Administrative safeguards:
Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity's workforce in relation to the protection of ePHI.

HIPAA: Administrative Safeguards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts and other arrangements
Administrative safeguards are designed to ensure formal policies for overseeing the implementation and management of security measures are established and implemented.
HIPAA: Administrative Safeguards - Security Management Process
Covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations. (R) marks a required implementation specification:
Risk analysis (R): Conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity and availability (CIA) of our ePHI.
Risk management (R): Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.
Sanction Policy (R): Apply appropriate penalties against workforce members who fail to comply with the entity's security policies and procedures.
Information system activity review (R): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident reports.
HIPAA: Security Categories - Physical safeguards:
Physical measures, policies, and procedures to protect a covered entity's electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

HIPAA: Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls
Physical safeguards are to ensure that the facilities where electronic information systems are stored are protected from intrusions and other hazards.

HIPAA: Security Categories - Technical safeguards:
The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

HIPAA: Technical Safeguards
Access Controls
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security
Technical safeguards ensure that only authorized access to ePHI is permitted, through the creation of firewalls and passwords, among other things.
HIPAA's mandates will require updates of all information systems that use or collect patient data and will require the introduction of new features and functions.
Information Security: HIPAA/HITECH Update
Health Information Technology for Economic and Clinical Health (HITECH) Act
American Recovery and Reinvestment Act incentives to providers who:
Demonstrate proper implementation of EHRs
Compliance
Manage risks

HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA) of 2009: Title XIII of Division A and Title IV of Division B.
Enacted on February 17, 2009
Compliant on February 17, 2010
Goal: Encourage the adoption of electronic health records (EHRs) through incentive payments to physicians.
HITECH affects HIPAA: HITECH directly regulates business associates for the first time.
Not subject to privacy notices
Requires business associates to comply with the HIPAA security rule provisions
Includes restrictions on the use and disclosure of protected health information
Effective one year after HITECH's enactment (Feb. 17, 2010)

Information Security: HIPAA/HITECH Update - Penalties
Establishes a tiered system of civil penalties
Civil penalties on a covered entity if the violation is due to willful neglect
Covered entities may not know they violated HIPAA
Current max. penalty of $100 per violation, up to $25,000 per year for each type of violation
Violation due to reasonable cause: $1,000 / $100,000
Violation due to willful neglect: $500,000 / $1.5 million
HITECH Act (effective immediately): Breach notification (for unsecured PHI)
You are required to notify each individual affected by a security breach.
Breach: the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Effective immediately:
You are required to notify each individual affected by a security breach by mail, or if specified as preference, by email.
If you don't have contact information for that individual, you may be required to post notice of the breach on your website, in newspapers, or other broadcast media.
For breaches involving more than 500 residents in one area, you must notify a prominent media outlet.
You must also contact the Department of Health and Human Services (HHS). HHS is establishing a website listing these breaches.

Information Security: HIPAA/HITECH Update - Breach Notification
Notify individuals without unreasonable delay
500 individuals in a state: notify prominent media outlets
Notify HHS: breaches are listed on their website

Information Security: HIPAA/HITECH Update - "unsecured PHR identifiable information":
Identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary's guidance.

HITECH Act (encryption and destruction)
Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
Encryption
Destruction
See NIST SP 800-111 (Guide to Storage Encryption Technologies for End User Devices) and NIST SP 800-88 (Guidelines for Media Sanitization).
Information Security: PCI DSS
Payment Card Industry Data Security Standard (PCI DSS)
Technical and operational requirements
Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS
Non-compliance:
Large fines
Legal contract breach
Loss of ability to accept payments via credit cards
Card brands: American Express, Discover, JCB International, MasterCard, VISA
The standard was introduced in 2004
Merchant compliance to be complete by June 2005
Compliance date was extended to June 2007

Payment Card Industry Data Security Standard (PCI-DSS)
Annual assessment process required for 100+ business units on OUHSC and Tulsa campuses
Establish firewall and router configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall and router configurations. A policy and process for approving and testing all connections and changes to the firewalls and routers will help prevent security problems caused by misconfiguration of the network, router, or firewall.
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks.

Regulations: What do they all have in common?
Adopt security to minimize risks to information.

Managing Risk (speaker note: Bryan starts here)
Managing Risk: Risk = Vulnerability + Threat + Impact
What is a vulnerability?
Managing Risk: Vulnerability
Error in the programming code inside an application
Improperly configured system settings
Minimally implemented security controls
Weak or easily guessed passwords
Lack of security awareness among computer users

Risk Management: Software vulnerabilities
484 vulnerabilities identified in 1 month
These stats are from the National Vulnerability Database, sponsored by the National Institute of Standards and Technology and the Office of Homeland Security.
Question: Do you know if your servers and workstations are running the latest software security patches, for the operating system and all software applications?
You can use MS Internet Explorer > Tools > Windows Update to check whether your computer has the latest MS security patches.
Several years ago we had several distance education programs and some College of Medicine servers that were knocked out by a vulnerability that had a patch available for months, but they had neglected to apply the patch.
(September 2006; severity level: High or Medium; exploited remotely)
Common threats
Managing Risk: Threats
Viruses, worms, and other malware
Malicious persons outside the organization
Insiders with approved access to systems
Denial of Service attacks
Social Engineering

Managing Risk: Threat - Malicious code
134,625 viruses detected at gateway
7,876 at desktop
1st quarter of FY10

Managing Risk: Threat - Malicious software from the web
Malicious software downloads from the web:
Spyware
Trojan Horse
Key Loggers
1 in 10 web sites attempt to download software without permission.
OUHSC Threat LevelSpyware and other malicious software from the web may be the most prevalent threat to our desktop computers. Note that 1 in 10 web sites attempt to download software without your permission or knowledge. These programs can spy on you. Key loggers watch as you type and send back passwords to a remote computer on the Internet. Trojan Horse programs can remotely control your computer from the Internet.
What are some safe practices for use of the Internet?
Managing Risk: Organizational Risks
Compromise of critical data
Destruction of critical data
Breach of compliance
Loss of access
Costly recovery efforts
Damage to reputation

Data loss:
Hardware failure
Theft
Accidental deletion
Fire
Tornado
Flood

Managing Risk: Data breaches (up 69% in 2008)
Managing Risk: Data breach costs
$202 per compromised record
$282 per compromised healthcare record

Mobile Devices: Minimize Risks
Limits on stored data
Passwords
Encryption
Laptops and PDAs such as iPhones and Blackberry devices introduce a greater risk. Because these devices leave the protected network, they lose much of the defense in depth security. Other controls such as limitations on data stored on these devices and required encryption ensure these devices are protected.
Action items (review Portable Computing Device Security):
PCDs should not be used to store Sensitive Data unless data is encrypted.
PCDs that connect to the OU network or store OU data must use a device password.
PCDs that store Sensitive Data must use encryption.
Appropriate physical security measures should be taken to prevent theft of PCDs and their media or data.
Report the theft or loss of a PCD containing Sensitive Data with this form.

Review and modify HIPAA Privacy Policies and Safeguards. Review and modify the current policies and standards:
Access to Sensitive Data
Business Associate Contracts
Electronic Data Disposal
Portable Computing Device Security
Transmission of Sensitive Data
Transportation of Media

Defense in Depth
Managing Risk: Best Practices
Implement a multi-tiered security architecture
Layered Network Security - Zones of Trust
Classify and protect data based on risk
Implement a multi-tiered approach to security by creating security protocols at various levels of system architecture. Classify and protect data based on the criticality of and cost of its loss or exposure. Install compensating or tertiary controls to prevent any one single point of failure.
Building Trust: Layered Network Security - Zones of Trust
Subzones Position: Should the organization create subzones within zones? (choose only one)
IF business, contractual, or regulatory requirements mandate that certain information or systems be separated from other systems in the same zone,
OR IF enabling connectivity among all the systems in the zone would exceed risk aggregation thresholds,
THEN create subzones.
OTHERWISE do not create subzones.
IF the organization has a set of systems that is not required to accept connections directly from the untrusted zone and that should only be used by known, relatively trusted users or systems, THEN create a trusted zone.
IF the organization has systems that should only be available to a subset of employees OR that contain especially sensitive information or capabilities, THEN create a restricted zone.
Solution Approach
Define a consistent policy
By defining a consistent policy for each set of resources with similar requirements (for communication and protection), an enterprise can increase the efficiency and effectiveness of business appropriate protection functions.
Group resources according to policy
As IT environments, threats, attacks and the network topologies in which they exist have become more complex, the need for explicitly grouping resources in terms of their communication and protection requirements has increased.
Zones Support Layered Application Architectures
Managing Risk: Best Practices
Secure network resources
Patch computer systems
Educate computer users
Secure network resources by identifying and implementing appropriate safeguards. Patch computer systems to ensure security flaws are corrected in the application. Educate computer users by creating an awareness program that outlines and advises users on all facets of Information Security.
Information Security - Programs and Services:
I. Risk Management
II. Regulatory Compliance
III. Policy Development
IV. Training Education and Awareness
V. Disaster Recovery and Business Continuity
VI. Incident Management
Risk Management processes:
A. Identify information assets
B. Classify
C. Assess risks
D. Mitigate risks

Risk Management process examples: C. Assess risks
Network vulnerability scanning
Technology Product Review http://it.ouhsc.edu/forms/purchasereview.asp
Business Impact Assessments (BIA)
PCI Self Assessment Questionnaire (SAQ)

Risk Management process examples: D. Mitigate risks
Technology: Layered Network Security Architecture
Perimeter firewall
Data center firewall
Secure data center for Sensitive information
Gateway and desktop anti-virus
Email encryption
People: Training Education and Awareness
Process: Policies and Procedures
Regulatory Compliance: HIPAA is only the tip of the regulatory iceberg
Health Information Technology for Economic and Clinical Health (HITECH) Act
Payment Card Industry Data Security Standard (PCI-DSS)
State Breach Notification
eDiscovery / Preservation of ESI
FTC Red Flag Rules for Identity Theft
FDA Rule on Electronic Records (21 C.F.R. Part 11)
Federal Information Security Management Act (FISMA)
State of Oklahoma Security Policy
State HB for Risk Assessment
National Institute of Standards (NIST)
Gramm Leach Bliley (GLB) Act
FERPA
Holistic approach to regulatory compliance:
Understand business value and drivers
Determine applicable regulations/best practices
Find the gaps
Develop a holistic treatment plan

Understand our business drivers: health care, education, research. Identify the key factors to maintain organizational health: what are the mission critical information systems that keep the business running?
Determine applicable regulations and best practices: what do they all have in common?
Find the gaps: a risk assessment examining existing practices, policies, procedures and systems.
Develop a treatment plan that considers all factors: one set of high level organizational policies covering all regulations, with flexibility for different business units.
Provide business value. A holistic approach to a multiplicity of regulations: good information security is good HIPAA security, good FERPA security and good PCI security. One size does not fit all.
Begin with an assessment of organizational risks.

Policy Development
Following organization policies and best practices = regulatory compliance
http://it.ouhsc.edu/policies/
Business manager view: http://it.ouhsc.edu/policies/fordataowners_busadmins.asp
IV. Training Education and Awareness Program
HIPAA online courses
New employee orientations
New resident orientations
New student orientations
IRB Education day
Cyber Security day
Departmental presentations

V. Disaster Recovery and Business Continuity
Annual Disaster Recovery Plan for OSF
National Incident Management System (NIMS), Incident Command System (ICS) Tabletop Exercise (TTX)
Business Impact Assessment for key areas

VI. Incident Management
Detection
Response
Reporting
Remediation
Information Security Incident Reporting Procedures: http://it.ouhsc.edu/services/infosecurity/IncidentReporting.asp
Consider your risk: Where is your information stored? Is it safe from common threats?

Action items: Review current technologies that can protect (encrypt) data, this includes:
Data in motion (data that is moving through a network, including wireless transmission)
Data at rest (data that resides in databases, file systems, and other structured storage methods)
Data in use (data in the process of being created, retrieved, updated, or deleted)
Data disposal (discarded paper records or recycled electronic media)
Create a procedure and log to document breaches (if necessary)
Information Security: Safe Practice - Follow Policies
Follow policies to help protect your data
Technology Purchase Review http://it.ouhsc.edu/forms/purchasereview.asp
See http://it.ouhsc.edu/policies/

Information Security Services Staff: Greg Bostic, Randy Moore, Steve Payne, Bryan Smith, Robyne Rhode
[email protected]
http://it.ouhsc.edu/services/infosecurity/

Questions?
The end.