Assessing Your Hosting Environment for HIPAA Compliance
#HOSTINGHIPAA
SUMMARY
• Confusion surrounding HIPAA audits
• What are the different assessments
• How to truly understand your provider’s capabilities
• Strong tools for comparing providers’ control environments
• Q&A
OMNIBUS RULE
In January 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a final omnibus rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/
HIPAA RISK ASSESSMENT SCHIZOPHRENIA

HIPAA ASSESSMENTS TODAY
Standard                            | What is it?
------------------------------------|--------------------------------------------------------------------------------
Proprietary                         | Unique risk assessment standard created by the auditing company
HITRUST Common Security Framework   | Framework of frameworks – a bunch of security standards merged into one umbrella standard
HIPAA OCR Audit Protocol            | Official HHS audit process for HIPAA compliance
HIPAA RISK ASSESSMENT BREAKDOWN
Standard    | Prescriptive | Addresses IT Controls | Designed for MSPs | Assessed by 3rd Party | Recognized by HHS | Provides Safe Harbor
------------|--------------|-----------------------|-------------------|-----------------------|-------------------|---------------------
Proprietary | Sometimes    | Sometimes             | No                | Yes                   | No                | No
HITRUST     | Yes          | Yes                   | No                | Sometimes             | No                | No
HIPAA OCR   | Yes          | No                    | No                | Sometimes             | Yes               | No
PROVIDER ASSESSMENT CHECKLIST
• Scope of managed security services (what does the provider do and what do I have to do)
• Explicit demarcation of responsibilities
• Committing to obligations in a BAA
• Consistency of managed security services across compute platforms
• 3rd party assessment of platform and managed services against an accepted prescriptive security framework
• HIPAA assessment guarantee
COMPLIANCE CONTROLS FOR HIPAA
Compliance Controls   | HOSTING | Customer
----------------------|---------|---------
Physical Security     | X       |
Network Security      | X       |
Platform Security     | X       |
Storage Security      | X       |
Threat Monitoring     | X       |
Policy and Governance | X       | X
Application Security  | X       | X
Change Control        | X       | X
Incident Response     | X       | X
Transit Security      | X       | X
Risk Assessment       | X       | X
Custom App Security   |         | X
BAA CHECKLIST
• Will the cloud service provider sign a Business Associate Agreement (BAA) with us?
• Is the cloud service provider even aware of its obligation to sign a BAA?
• Is the BAA more than three pages?
• If the BAA is more than three pages, is the cloud service provider willing to pay the legal fees necessary for excessive review?
• Does the BAA closely track the sample provisions published by the U.S. Dept. of Health & Human Services?
HIPAA OCR AUDIT PROTOCOL
• Official HIPAA audit checklist from HHS
• 3rd parties are starting to build assessment services around it
• Assessments are non-binding, not regulated and provide absolutely no Safe Harbor from a breach
• No audit program in place – impossible to be certified HIPAA compliant
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
“HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html
HIPAA regulations
Count of each term in 45 CFR 160 and 45 CFR 164 (chart values from the slide):
Term       | 45 CFR 160 | 45 CFR 164
-----------|------------|-----------
Firewall   | 0          | 0
Antivirus  | 0          | 0
VPN        | 0          | 0
IDS        | 0          | 0
Patching   | 0          | 0
Cloud      | 0          | 0
Encryption | 0          | 5
FRAMEWORK COMPARISON
Standard    | Prescriptive | Addresses IT Controls | Designed for MSPs | Assessed by 3rd Party | Recognized by HHS | Provides Safe Harbor
------------|--------------|-----------------------|-------------------|-----------------------|-------------------|---------------------
Proprietary | Sometimes    | Sometimes             | No                | Yes                   | No                | No
HITRUST     | Yes          | Yes                   | No                | Sometimes             | No                | No
HIPAA OCR   | Yes          | No                    | No                | Sometimes             | Yes               | No
SOC 1       | No           | Sometimes             | No                | Yes                   | No                | No
SOC 2       | Yes          | Yes                   | Yes               | Yes                   | No                | No
PCI DSS     | Yes          | Yes                   | Yes               | Yes                   | No                | Yes (CC only)
COMMON PROVIDER ASSESSMENTS
• SOC 1
  • Formerly SAS-70, aka SSAE-16
  • Focused on financial report accuracy, not technical; no standard or minimum control set
• SOC 2
  • Often confused with SSAE-16
  • Officially recognized AICPA review of MSP control environment
  • Mapped to the Trust Service Principles – prescriptive standard for IT service provider security and privacy controls
• PCI DSS
  • Explicitly prescriptive
  • Over 220 unique IT controls
  • Same purpose as the HIPAA Security Rule: protect against unauthorized access to sensitive data
  • Explicitly addresses service providers and cloud environments
  • The most widely utilized security framework
  • A decade of evolution
PCI/SOC TO HIPAA MAPPING

READ THE REPORT!
• Providers can choose which portions of infrastructure, data center locations, services and even which controls from the standard they will assess
• Get a responsibilities matrix written by the 3rd party
PCI DSS REPORTS
Document        | What is it?                          | 3rd Party Assessment              | Expect to Sign NDA
----------------|--------------------------------------|-----------------------------------|-------------------
SAQ             | Self assessment questionnaire        | No                                | Yes
AOC             | Attestation of Compliance            | Maybe – look at party that signed | No
ROC             | Report on Compliance                 | Yes                               | Absolutely
Control Mapping | Explicit mapping of responsibilities | Maybe – look at issuing party     | No
SOC REPORTS
Document      | What is it?                                                                                  | 3rd Party Assessment | Expect to Sign NDA
--------------|----------------------------------------------------------------------------------------------|----------------------|-------------------
SOC 1 Type I  | Financial accuracy assessment – policy review only, no evidence                              | Yes                  | Yes
SOC 1 Type II | Financial accuracy assessment – >=6mo effectiveness review                                   | Yes                  | Yes
SOC 2 Type I  | IT service provider controls – policy review only, no evidence                               | Yes                  | Yes
SOC 2 Type II | IT service provider controls – >=6mo effectiveness review                                    | Yes                  | Yes
SOC 3         | Stamp used to publicly assert that provider successfully completed SOC 2 Type II, no details | Yes                  | No
Q&A
Sean Bruton | Vice President of Product Management
For more information about compliant solution packages by HOSTING, please contact Mark Click at 302.444.6511 or [email protected].