Information Security Compliance System Owner Training - PowerPoint PPT Presentation

Learn more at: http://people.musc.edu

1
Information Security Compliance: System Owner Training
  • Richard Gadsden
    • Information Security Office
    • Office of the CIO, Information Services
  • Sharon Knowles
    • Information Assurance Compliance
    • MUSC Medical Center

2
Overview
  • Information Security Fundamentals
  • HIPAA Security vs. HIPAA Privacy
    • How the two regulations differ
    • MUSC's compliance strategy
  • New Security Responsibilities
    • Enterprise
    • Covered Entities
    • System Owners
    • Other individuals

3
Information Security Process
  • The goal: protection of information assets from
    threats to their
    • availability
    • integrity
    • confidentiality
  • Security is a process...
    • not a product
    • not really a state either
    • not "set it and forget it"

4
Information Security: A Risk Management Process
  • Risk management
    • the process for making security decisions
  • Steps in the process
    • identify significant risks
    • evaluate possible controls
    • implement the most cost-effective set of controls
      that will keep risks within acceptable levels
  • Caveat: zero risk is not attainable

5
MUSC's Information Security Policy: System Owners
Are Responsible For...
  • Ensuring that accurate and thorough risk
    assessments are conducted and documented at
    appropriate points in the lifecycle of the
    System, beginning prior to the System's
    implementation, and that the findings are applied
    to the effective management of risks over the
    entire life of the System.
  • Ensuring that appropriate System-specific
    policies, procedures and safeguards are developed
    and implemented, to comply with all applicable
    MUSC policies, any applicable Entity policies,
    and all applicable laws and regulations.

6
Information Assurance
  • Standard of Due Care
    • duty is to protect against all reasonably
      anticipated threats by implementing reasonable
      and appropriate safeguards
  • Reasonable and appropriate
    • ideally, minimum but sufficient controls
    • must avoid unacceptable risks
    • must avoid unnecessary expense

7
Reasonable and Appropriate
  • How to achieve?
    • the risk management process
      • assessment of risk
      • evaluation and selection of controls
      • approval, funding, implementation, operation
  • How to verify?
    • the compliance process
      • documentation
      • audits and other reviews

8
Information Assurance: Compliance Process
  • Document the level of assurance
    • Are all security responsibilities clearly defined
      and understood?
    • Is a sound (risk-based and cost-conscious)
      decision-making process being followed?
    • Are security procedures documented?
    • Are procedures being followed?
    • Are controls working as intended?

9
HIPAA Security Rule vs. Privacy Rule
  • Security is more than just privacy
    • confidentiality, integrity, availability
  • PHI vs. ePHI
    • all electronic (computerized) PHI is subject to
      both the Privacy Rule and the Security Rule
    • telephone and fax communications are subject to
      the Privacy Rule, but not the Security Rule
  • Covered Entities (CEs)
    • responsible for compliance with both regulations

10
Security vs. Privacy at MUSC
  • Overall HIPAA compliance strategy
    • Organizational: MUSC OHCA comprised of 4 CEs
  • Privacy Rule strategy
    • policies were set by each MUSC Entity
  • Security Rule strategy
    • one set of enterprise-wide security policies
      • these policies apply to all MUSC Entities
      • not just for HIPAA/ePHI, but for all types of
        protected information
    • 16 new policies and 1 updated policy were issued
      by the Office of the President in Feb 2005

11
MUSC's Security Policies
  • Computer Use Policy (updated)
  • Information Security Policies (new)
    • Information Security, Risk Management,
      Evaluation, Workforce Security, Awareness and
      Training, Incident Response, Contingency Plan,
      Workstation Use, Device and Media Controls,
      Access Control, Network Access, Audit Controls,
      Person or Entity Authentication, Data Integrity,
      Encryption, Documentation

12
New Security Responsibilities
  • Enterprise (Office of the CIO)
  • Covered Entities (CEs)
  • System Owners and System Administrators
  • Managers and Supervisors
  • Workforce members

13
Responsibilities: OCIO
  • Information Security Office (ISO) will
    • Document security architecture and plans
    • Coordinate development of enterprise policies,
      standards, guidelines
    • Manage Enterprise-level safeguards
    • Develop shared tools and services
    • Direct MUSC's incident response team
    • Conduct vulnerability assessments

14
Covered Entities
  • Each Entity will designate an Information
    Assurance Compliance Officer (IACO), who will
    • Monitor compliance (system owners, system
      administrators, managers, supervisors, workforce
      members)
    • Report violations of policy to appropriate
      enforcement authorities
    • Ensure access to documentation and training

15
System Owners
  • Each System must have a designated System Owner,
    who will
    • Assess and manage security risks
      • Risk assessments and risk management plans must
        be documented if the system contains protected
        information (e.g. ePHI)
    • Ensure that appropriate safeguards are
      implemented
      • Some safeguards are required only if the System
        contains protected information (e.g. ePHI)
    • Also, designate a System Administrator

16
MUSC Risk Management Standards
  • Standards established for managing risk at 4
    stages in the System life cycle
    • Initiation
    • Development/Procurement
    • Implementation
    • Post-Implementation
      • aka Existing Systems

17
Existing Systems, i.e. Post-Implementation Stage
  • Have you...
    • Registered your system?
    • Designated a System Administrator?
    • Conducted a System risk assessment?
    • Implemented appropriate safeguards?
      • administrative measures
      • physical security measures
      • technical measures
    • document, document, document...

18
Step 1.0: Review MUSC Policies, Standards and
Guidelines
  • URL: http://www.musc.edu/security

19
Step 2.0: Document Current System Environment and
Personnel
  • Deliverable: Security Documentation, Section 2
    (System Identification)
    • System Name
    • Key System Personnel
    • Functional Description
    • Key Components
    • System Boundaries
    • Relationships with other systems
      • interfaces, interdependencies

20
Step 3.0: Document Current System-Specific
Security Procedures and Other Controls
  • Deliverable: Security Documentation, Section 3
    (Current System Procedures)
  • Use the MUSC Information Security Policy
    Compliance Checklist for System Owners as a guide
    • http://www.musc.edu/security/tools

21
Step 4.0: Identify and Analyze Potential Issues
  • Deliverable: Risk Analysis Worksheet
    • http://www.musc.edu/security/tools
  • Priorities
    • Address policy compliance gaps identified using
      the Policy Checklist, or any other assessments
    • Decide how to address other risks identified
      through the formal risk analysis process

22
Step 5.0: Develop Security Plan
  • Deliverable: Security Plan Summary
    • http://www.musc.edu/security/tools
  • Document your plan for resolving all known
    compliance gaps
    • who
    • what
    • when

23
Step 6.0: Execute Security Plan
  • Deliverables
    • Document changes made to system procedures and
      other controls (Section 3, Current System
      Procedures)
    • Progress and status reports as required by your
      Entity's IACO
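The risk management process from slide 4 (identify significant risks, evaluate possible controls, implement the most cost-effective set that keeps risks within acceptable levels) and the Step 4.0 / Step 5.0 deliverables (prioritized Risk Analysis Worksheet, then a who/what/when Security Plan Summary) can be made concrete with a small worked example. The Python below is an added illustration, not MUSC's worksheet, checklist or any tooling behind the URLs in the slides. The 1-5 likelihood and impact scale, the acceptable residual score, the multiplicative reduction model, the greedy selection with a redundancy-pruning pass, and every risk, control, score, owner and cost are constructed assumptions.

```python
"""Worked example of a risk-based, cost-conscious control selection.
Added illustration; all data and the scoring model are constructed."""
from dataclasses import dataclass

ACCEPTABLE_SCORE = 5  # residual likelihood x impact the System Owner accepts (constructed)


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    compliance_gap: bool   # flagged by the Policy Compliance Checklist

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    id: str
    name: str
    annual_cost: float
    reduction: dict   # risk id -> fraction of that risk's score the control removes
    owner: str        # "who" for the Security Plan Summary
    due: str          # "when"


def residual_scores(risks, controls):
    """Residual score of each risk once the given controls are in place.
    Independent controls combine multiplicatively: two 50% reductions leave 25%."""
    out = {}
    for r in risks:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reduction.get(r.id, 0.0)
        out[r.id] = r.score * remaining
    return out


def excess(resid, threshold=ACCEPTABLE_SCORE):
    """How far the risks still sit above the acceptable level, summed."""
    return sum(max(0.0, v - threshold) for v in resid.values())


def prioritize(risks):
    """Step 4.0 priorities: policy compliance gaps first, then highest score."""
    return sorted(risks, key=lambda r: (not r.compliance_gap, -r.score))


def select_controls(risks, candidates, threshold=ACCEPTABLE_SCORE):
    """Greedy selection: keep adding the control that removes the most excess
    risk per dollar until every risk is at or below the threshold, then drop
    any control (most expensive first) that turned out to be redundant.
    Returns the selected controls in cost order; raises if unattainable."""
    selected, remaining = [], list(candidates)
    while excess(residual_scores(risks, selected), threshold) > 0:
        base = excess(residual_scores(risks, selected), threshold)
        best, best_ratio = None, 0.0
        for c in remaining:
            gain = base - excess(residual_scores(risks, selected + [c]), threshold)
            if gain / c.annual_cost > best_ratio:
                best, best_ratio = c, gain / c.annual_cost
        if best is None:
            raise ValueError("acceptable level is not reachable with these controls")
        selected.append(best)
        remaining.remove(best)
    # Pruning pass: a cheap control picked early may be made redundant later.
    for c in sorted(selected, key=lambda c: -c.annual_cost):
        trial = [s for s in selected if s is not c]
        if excess(residual_scores(risks, trial), threshold) == 0:
            selected = trial
    return sorted(selected, key=lambda c: c.annual_cost)


def plan_summary(controls):
    """Step 5.0 deliverable: who / what / when for each selected control."""
    return [(c.owner, c.name, c.due) for c in controls]


# Constructed sample worksheet for a hypothetical clinical application.
RISKS = [
    Risk("R1", "Unpatched OS on the application server", 4, 5, False),
    Risk("R2", "Shared administrator account on the database", 3, 4, True),
    Risk("R3", "Unencrypted backup tapes sent off site", 2, 5, True),
    Risk("R4", "Theft of a laptop holding cached records", 3, 3, False),
]
CONTROLS = [
    Control("C1", "Monthly patch management", 8000, {"R1": 0.8}, "SysAdmin", "Q3"),
    Control("C2", "Individual admin accounts with MFA", 5000, {"R2": 0.9}, "DBA", "Q2"),
    Control("C3", "Encrypt backup media", 3000, {"R3": 0.9}, "SysAdmin", "Q2"),
    Control("C4", "Full-disk encryption on laptops", 4000, {"R4": 0.7}, "Desktop Support", "Q3"),
    Control("C5", "Quarterly vulnerability scan", 2000, {"R1": 0.3}, "ISO", "Q2"),
    Control("C6", "Hardware tokens for every DBA", 20000, {"R2": 0.95}, "DBA", "Q4"),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.id} score={r.score:2d} gap={r.compliance_gap} {r.description}")
    chosen = select_controls(RISKS, CONTROLS)
    print("Selected:", [c.id for c in chosen], "annual cost:", sum(c.annual_cost for c in chosen))
    for who, what, when in plan_summary(chosen):
        print(f"  {who:16s} {what:36s} {when}")
```

Two things the sample data is built to show. The expensive hardware-token control (C6) is never chosen because a cheaper control already brings the same risk within the acceptable level, which is the "avoid unnecessary expense" half of reasonable and appropriate. The vulnerability scan (C5) is picked first because it is the best reduction per dollar, but once patch management is in place it no longer changes whether R1 is acceptable, so the pruning pass drops it; a plain greedy pass without that check would have paid for both.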

24
Are We There Yet?
  • Security is never finished
    • Repeat the risk management cycle as warranted by
      conditions
      • respond to environmental, operational, policy,
        and/or regulatory changes
    • Evaluate the effectiveness of your System's
      security measures
    • until your System is retired
  • Set it and forget it? Not an option!