Presented to OUHSC Policies and Procedures Workshop IT Information Security Services
Slide 3 - Agenda: Information Security Program
  1. Business Value
  2. Business Drivers
  3. Managing Risk
  4. Building Trust

Slide 4 - Business Value of Information Security: Protection of mission critical information

Slides 5-8 - Protection of mission critical information:
  - Electronic Health Records
  - Credit Card Numbers
  - Student Records
  - Personally Identifiable Information

Slide 9 - Information Security provides: Confidentiality, Availability, Integrity

Slide 10 - The right data to the right people at the right time

Slide 11 - Business Value of Information Security: Maximize Business Opportunities

Slide 12 - Business opportunity: $19.2 billion from ARRA
  - Incentives: payments of $44,000 - $64,000 per physician to providers who demonstrate proper implementation of EHR

Slide 13 - Business opportunity: Electronic commerce
  - 100,000 credit card transactions
  - $17,500,000 annual amount

Slide 14 - Business Value of Information Security: Protection of mission critical information, in order to:
  - Minimize risk
  - Support academic, research and health care business continuity and opportunities

Slide 15 - Business value: A reputation that took decades to build can be threatened by a single event.

Slide 16 - Information Security: 2. Business Drivers

Slides 17-24 - Business Drivers:
  - Clinical systems (managed university computer, protected network)
  - Research systems (semi-managed computer, open network)
  - Business/Financial/Legal systems (managed university computer, protected network)
  - Classroom/library systems (managed and unmanaged computers, open network)
  - Student systems (unmanaged computer, open network)
  - Mobile systems (managed and unmanaged computer, open network)
  - Home systems (unmanaged computer, open network)
  - Criminal systems

Slide 25 - Business Drivers: Our diverse IT environment
  - Different management, connectivity needs, risks
  - IT's a jungle out there!

Slide 26 - Business Drivers: Increasing risks of doing business

Slide 27 - Business Drivers: Regulations. The government responds:
  - HIPAA
  - Health Information Technology for Economic and Clinical Health (HITECH) Act
  - Payment Card Industry (PCI) Data Security Standard
  - eDiscovery Rules of Civil Procedure
  - State Data Breach Notification
  - FTC Red Flag Identity Theft Prevention
  - Family Educational Rights and Privacy Act (FERPA) - rev x

Slide 28 - Regulations: HIPAA (Health Insurance Portability and Accountability Act)

Slide 29 - Regulations: HIPAA
  - Encourage use of Electronic Health Record (EHR)
  - Ensure the privacy and security of the EHR

Slide 30 - HIPAA: General Rules
  Implement safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information (ePHI).

Slide 31 - HIPAA: Security Categories
  - Administrative safeguards
  - Physical safeguards
  - Technical safeguards

Slide 32 - HIPAA: Security Categories - Administrative safeguards
  Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity's workforce in relation to the protection of ePHI.

Slide 33 - HIPAA: Administrative Safeguards
  - Security Management Process
  - Assigned Security Responsibility
  - Workforce Security
  - Information Access Management
  - Security Awareness and Training
  - Security Incident Procedures
  - Contingency Plan
  - Evaluation
  - Business Associate Contracts and other arrangements

Slide 34 - HIPAA: Administrative Safeguards - Security Management Process
  Covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations. Implementation specifications (R = required):
  - Risk analysis (R)
  - Risk management (R)
  - Sanction policy (R)
  - Information system activity review (R)

Slide 35 - HIPAA: Security Categories - Physical safeguards
  Physical measures, policies, and procedures to protect a covered entity's electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

Slide 36 - HIPAA: Physical Safeguards
  - Facility Access Controls
  - Workstation Use
  - Workstation Security
  - Device and Media Controls

Slide 37 - HIPAA: Security Categories - Technical safeguards
  The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

Slide 38 - HIPAA: Technical Safeguards
  - Access Controls
  - Audit Controls
  - Integrity
  - Person or Entity Authentication
  - Transmission Security

Slide 39 - Information Security: HIPAA/HITECH Update (Health Information Technology for Economic and Clinical Health)

Slide 40 - HIPAA/HITECH Update
  - HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA)
  - Enacted on February 17, 2009
  - Compliant on February 17, 2010

Slide 41 - HIPAA/HITECH Update
  - Goal: encourage the adoption of electronic health records (EHRs) through incentive payments to physicians
  - HITECH affects HIPAA
  - HITECH directly regulates business associates for the first time

Slide 42 - HIPAA/HITECH Update: Penalties
  - Establishes a tiered system of civil penalties
  - Civil penalties on a covered entity if the violation is due to willful neglect
  - Covered entities may not know they violated HIPAA
  - Current max. penalty: $100 per violation, up to $25,000 per year for each type of violation
  - Violation due to reasonable cause: $1,000 / $100,000
  - Violation due to willful neglect: $500,000 / $1.5 million

Slide 43 - HITECH Act (effective immediately): Breach notification (for unsecured PHI)
  - You are required to notify each individual affected by a security breach

Slide 44 - HIPAA/HITECH Update: Breach Notification
  - Notify individuals without unreasonable delay
  - 500 individuals in a state: notify prominent media outlets
  - Notify HHS (breaches are listed on their website)

Slide 45 - HIPAA/HITECH Update: "unsecured PHR identifiable information"
  Identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary's guidance.

Slide 46 - HITECH Act (encryption and destruction)
  Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
  1. Encryption
  2. Destruction

Slide 47 - Information Security: PCI DSS (Payment Card Industry Data Security Standards)

Slide 48 - Information Security: PCI DSS
  - Technical and operational requirements
  - Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS
  - Non-compliance: large fines, legal contract breach, loss of ability to accept payments via credit cards

Slide 49 - Payment Card Industry Data Security Standard (PCI-DSS): Annual assessment process required for 100+ business units on OUHSC and Tulsa campuses

Slide 50 - Regulations: What do they all have in common? Adopt security to minimize risks to information.

Slide 51 - 3. Managing Risk (Bryan starts here)

Slide 52 - Managing Risk: Risk = Vulnerability + Threat + Impact

Slide 53 - What is a Vulnerability?
  - Error in the programming code inside an application
  - Improperly configured system settings
  - Minimally implemented security controls
  - Weak or easily guessed passwords
  - Lack of security awareness among computer users

Slide 54 - Risk Management: Software vulnerabilities - 484 vulnerabilities identified in 1 month

Slide 55 - Managing Risk: Common threats
  - Viruses, worms, and other malware
  - Malicious persons outside the organization
  - Insiders with approved access to systems
  - Denial of Service attacks
  - Social Engineering

Slide 56 - Managing Risk: Threat - Malicious code
  - 134,625 viruses detected at gateway, 7,876 at desktop (1st quarter of FY10)

Slide 57 - Managing Risk: Threat - Malicious software from the web
  - Malicious software downloads from the web: spyware, Trojan horses, key loggers
  - 1 in 10 web sites attempt to download software without permission
  - (Chart: OUHSC Threat Level)

Slide 58 - Managing Risk: Organizational Risks
  - Compromise of critical data
  - Destruction of critical data
  - Breach of compliance
  - Loss of access
  - Costly recovery efforts
  - Damage to reputation

Slide 59 - Managing Risk: Data breaches (up 69% in 2008)

Slide 60 - Managing Risk: Data breach costs
  - $202 per compromised record
  - $282 per compromised healthcare record

Slide 61 - Mobile Devices: Minimize Risks
  - Limits on stored data
  - Passwords
  - Encryption

Slide 62 - Action items (review the Portable Computing Device Security policy)
  - PCDs should not be used to store Sensitive Data unless the data is encrypted.
  - PCDs that connect to the OU network or store OU data must use a device password.
  - PCDs that store Sensitive Data must use encryption.
  - Appropriate physical security measures should be taken to prevent theft of PCDs and their media or data.
  - Report the theft or loss of a PCD containing Sensitive Data with this form.

Slide 63 - Managing Risk: Best Practices - Defense in Depth
  - Implement a multi-tiered security architecture
  - Layered Network Security - Zones of Trust
  - Classify and protect data based on risk

Slide 64 - Building Trust: Layered Network Security - Zones of Trust

Slide 65 - Solution Approach
  - Define a consistent policy: by defining a consistent policy for each set of resources with similar requirements (for communication and protection), an enterprise can increase the efficiency and effectiveness of business-appropriate protection functions.
  - Group resources according to policy: as IT environments, threats, attacks and the network topologies in which they exist have become more complex, the need for explicitly grouping resources in terms of their communication and protection requirements has increased.

Slide 66 - Zones Support Layered Application Architectures

Slide 67 - Managing Risk: Best Practices
  - Secure network resources
  - Patch computer systems
  - Educate computer users

Slide 68 - Information Security - Programs and Services:
  I. Risk Management
  II. Regulatory Compliance
  III. Policy Development
  IV. Training Education and Awareness
  V. Disaster Recovery and Business Continuity
  VI. Incident Management

Slide 69 - I. Risk Management processes
  A. Identify information assets
  B. Classify
  C. Assess risks
  D. Mitigate risks

Slide 70 - I. Risk Management process examples: C. Assess risks
  - Network vulnerability scanning
  - Technology Product Review: http://it.ouhsc.edu/forms/purchasereview.asp
  - Business Impact Assessments (BIA)
  - PCI Self Assessment Questionnaire (SAQ)

Slide 71 - I. Risk Management process examples: D. Mitigate risks - Technology
  - Layered Network Security Architecture
  - Perimeter firewall
  - Data center firewall
  - Secure data center for Sensitive information
  - Gateway and desktop anti-virus
  - Email encryption

Slide 72 - I. Risk Management process examples: D. Mitigate risks
  - People: Training Education and Awareness
  - Process: Policies and Procedures

Slide 73 - Regulatory Compliance: HIPAA is only the tip of the regulatory iceberg
  - Health Information Technology for Economic and Clinical Health (HITECH) Act
  - Payment Card Industry Data Security Standard (PCI-DSS)
  - State Breach Notification
  - eDiscovery / Preservation of ESI
  - FTC Red Flag Rules for Identity Theft
  - FDA Rule on Electronic Records
  - State of Oklahoma Security Policy
  - State HB for Risk Assessment
  - National Institute of Standards
  - Gramm Leach Bliley (GLB) Act
  - FERPA

Slide 74 - Holistic approach to regulatory compliance
  1. Understand business value and drivers
  2. Determine applicable regulations/best practices
  3. Find the gaps
  4. Develop a holistic treatment plan

Slide 75 - II. Policy Development
  - Following organization policies and best practices = regulatory compliance
  - http://it.ouhsc.edu/policies/
  - Business manager view: http://it.ouhsc.edu/policies/fordataowners_busadmins.asp

Slide 76 - IV. Training Education and Awareness Program
  - HIPAA online courses
  - New employee orientations
  - New resident orientations
  - New student orientations
  - IRB Education day
  - Cyber Security day
  - Departmental presentations

Slide 77 - V. Disaster Recovery and Business Continuity
  - Annual Disaster Recovery Plan for OSF
  - National Incident Management System (NIMS), Incident Command System (ICS)
  - Tabletop Exercise (TTX)
  - Business Impact Assessment for key areas

Slide 78 - VI. Incident Management
  - Detection
  - Response
  - Reporting
  - Remediation
  - Information Security Incident Reporting Procedures: http://it.ouhsc.edu/services/infosecurity/IncidentReporting.asp

Slide 79 - Consider your risk
  - Where is your information stored?
  - Is it safe from common threats?

Slide 80 - Action items: Review current technologies that can protect information:
  - Data in motion
  - Data at rest
  - Data in use
  - Deleted data / data disposal

Slide 81 - Information Security: Safe Practice - Follow Policies
  - Follow policies to help protect your data
  - Technology Purchase Review: http://it.ouhsc.edu/forms/purchasereview.asp
  - See http://it.ouhsc.edu/policies/

Slide 82 - Information Security Services Staff:
  - Greg Bostic
  - Randy Moore
  - Steve Payne
  - Bryan Smith
  - Robyne Rhode
  - 405-271-2476
  - [email protected]
  - http://it.ouhsc.edu/services/infosecurity/

Slide 83 - Questions?