HIPAA and Beyond - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
HIPAA and Beyond
  • Security Protection in Healthcare Environments
  • Corey D. King, CISSP
  • cking_at_symantec.com

2
The Graph of Everything!
(chart placeholder: y-axis "Stuff", x-axis "Time")
3
US Healthcare Market
  • IDC projects $30 billion yearly IT spending by
    2006
  • Greatest growth
      - Software: 12.2% CAGR
      - IT Services: 11.0% CAGR
  • Security product and services sales least
    impacted by economic downturn

4
Business Trends in Healthcare
  • Increasing importance of e-business
  • Regulatory requirement for electronic workflow
    and information exchange
  • Disappearing enterprise perimeter
  • Focus on business continuity
  • Increasing concern over information attack
      - Frequency
      - Complexity/Virulence
      - Cost

5
Blended Threats: A Deadly Combination
  • Blended threats combine hacking, DoS, and
    worm-like propagation
  • Can rapidly compromise millions of machines
  • Often spread without human interaction
  • Importance
      - Create confidentiality breaches
      - Corrupt system integrity
      - Impact availability of data and systems,
        compromise patient care

(chart placeholder; labelled examples: SQL Slammer, Nimda, sadmind, Code Red, Klez, BugBear)
6
HIPAA
  • Health Insurance Portability And Accountability
    Act of 1996
  • Bill passed into law on 21 August 1996
  • Standards for Privacy of Individually
    Identifiable Health Information Final Rule (45
    CFR Parts 160 and 164) issued on August 14, 2002;
    effective April 14, 2003
  • Security and Electronic Signature Standards
    Final Rule (45 CFR Part 142) is still pending
  • Overseen by the U.S. Department of Health and
    Human Services (DHHS)

Source: http://aspe.hhs.gov/admnsimp/Index.htm
7
Who is Bound by HIPAA?
  • Affects over 600,000 entities and virtually every
    American

8
Why Comply with HIPAA?
  • Based on sound business principles for security
  • Reduces administrative expense with electronic
    workflow
  • Reduces risk exposure, limits liability
  • Improves operational performance
  • Slammer, Bugbear, Klez, Nimda, Code Red, sadmind
    worm, hackers for hire, the next dirty trick
  • AND
  • IT'S THE LAW
  • Civil and criminal penalties for failure to comply

9
Compliance
  • Based on demonstrated due diligence
  • Agencies available to assist in complying with
    HIPAA
      - Electronic Healthcare Network Accreditation
        Commission (EHNAC)
      - Joint Commission on Accreditation of Healthcare
        Organizations (JCAHO)
      - National Committee for Quality Assurance (NCQA)
  • HIPAA compliance auditor: DHHS, Civil Rights
    Office
  • The good news: adherence to sound security
    management principles leads toward HIPAA
    compliance

10
Security Technology Solutions: HIPAA Security
Standard
  • Major Categories
      - Administrative Procedures (A)
      - Physical Safeguards (P)
      - Technical Security Services (TS)
      - Technical Mechanisms (TM)
  • Opportunities in each major category for
      - Security product sales (hardware and software)
      - Security services

11
Rule Categories
  • Physical Safeguards
      - Assigned Security Responsibility
      - Media Controls
      - Physical Access Controls
      - Policy - Workstation Use
      - Secure Workstation Location
      - Security Awareness Training
  • Administrative
      - Certification
      - Chain of Trust Agreements
      - Contingency Plan
      - Formal Mechanisms (Records)
      - Info Access Control
      - Internal Audit
      - Personnel Security
      - Security Configuration
      - Security Incident Procedures
      - Security Mgmt. Process
      - Termination Procedures
      - Training
  • Technical Security Mechanisms
      - Communications/Network Controls
      - Integrity Controls
      - Message Authentication
12
Security Technology Solutions: HIPAA Regulations
  • HIPAA requires that all health plans, health
    care providers, and health care clearinghouses
    that maintain or transmit health information
    electronically establish and maintain reasonable
    and appropriate administrative, technical, and
    physical safeguards to ensure integrity,
    confidentiality, and availability of the
    information
  • The safeguards also protect the information
    against any reasonably anticipated threats or
    hazards to the security or integrity of the
    information and protect it against unauthorized
    use or disclosure
  • The message: not just healthcare providers, but
    also their business partners who touch patient
    data, are affected

13
Impacts on Small Healthcare Providers
  • Many will be applying security protection for the
    first time
  • Baseline best practices not in place
      - Configuration management and service control
      - Patch management
      - Access control and authentication (password
        policies)
      - Minimum effective security systems (firewalls, AV
        systems, IDS)
  • Policy foundation not in place
  • For many, first steps are
      - Baseline policy review and development
      - Vulnerability assessment
  • Deployment of new/modified security technology
    comes after

14
Example Small Healthcare Provider
  • Identify and qualify need: sell security
    management as a business requirement, partially
    due to HIPAA
  • Recommend tailored vulnerability assessment and
    policy review
  • Develop policy where required, complete gap
    analysis
  • Select and deploy security systems and processes
    to fill gaps
  • Offer managed services for monitoring and
    management of security systems (minimizes
    in-house staff burden)
  • Provide awareness training to users
  • Arrange for regular reviews as audit readiness
    mechanism

15
Things to Ask Healthcare Customers
  • Awareness of and compliance status with HIPAA
  • Existing security capabilities and ability to
    protect patient data
  • Recent security events
  • Tolerance for extended downtime
  • Sensitivity to customer/colleague perception
    shifts
  • Management and systems administration
    capabilities (services lead-in)
  • Status of organizational policy for security

16
Securing The Enterprise
  • Alert
      - Early awareness of threats in the wild
      - Listening posts
  • Protect
      - Preventing unwanted attacks
      - Detect physical breaches
      - Privacy of information assets
  • Respond
      - Internal
          - Workflow
          - Auto-configuration
          - Disaster recovery
      - External
          - Signature updates
          - Hotline
  • Manage
      - Environment
          - Policies
          - Vulnerabilities
          - Device Configuration
          - User Access
          - Identity Management
      - Information
          - Events and incidents

17
Layered Defense Strategy
18
Characteristics of a Successful Security VAR -
Sales
  • Effective relationships with security vendors
      - Choose carefully, minimize low-value
        relationships
      - Best-of-breed mentality is fading; look for
        infrastructure, support, knowledge, staying power
  • Solution-oriented selling
      - Consultative techniques
      - Hardware, software, services, support
  • Know who buys what
      - Network vs. desktop, software/hardware vs.
        services
  • Knowledge, trust, credibility
      - Certifications
      - Subject area knowledge
      - Know the language

19
Characteristics of a Successful Security VAR -
Technical
  • Pre- and post-sales engineering capability
  • Technically competent
  • Product-specific certifications
  • Industry certifications
  • General networking knowledge
  • Broad range of experience
  • Consultative problem-solving
  • Customer-facing skills a must

20
Training and Certification
  • Sales
      - Vendor training courses (product and general
        knowledge)
      - Self-study
          - SANS (www.sans.org)
          - Computer Security Institute (www.gocsi.com)
          - ISSA (www.issa.org)
          - ASIS (www.asisonline.org)
      - Certification
          - CISSP (www.isc2.org)
      - Selling methodology
          - Solution Selling (www.solutionselling.com)
          - Powerbase Selling (Jim Holden)

21
Training and Certification (cont)
  • Technical
      - Networking/OS certs
          - Sun System Administrator (suned.sun.com)
          - Cisco (CCIE, CCNP, CCNA) (www.cisco.com)
      - Security
          - CISSP, SSCP (www.isc2.org)
          - SANS GIAC (www.sans.org)
          - RSA CSP (www.rsasecurity.com)
          - Symantec SCSE (www.symantec.com/education/certification)

22
Panel Discussion: VAR Success Factors - Financial
and Organizational
23
Conclusion
  • Preparing for HIPAA compliance brings tangible
    benefits in a hostile environment
  • Perimeter is disappearing, threats are 360
    degrees
  • Exploits and hacking tools are readily available
  • Skills required to exploit threats are low and
    dropping
  • Blended threats will become more sophisticated
  • Defense in depth across entire network is key
      - Vulnerability management
      - Firewalls and VPNs
      - Antivirus
      - Intrusion detection
      - Support and alerting services
  • HIPAA guideline compliance support is available
      - Software
      - Expertise
  • Implement process to manage policy and incidents
  • Top management support and awareness training are
    key