Right%20Sizing%20the%20HIPAA%20Security%20Program

1
Right Sizing the HIPAA Security Program

• Laurie Leer, CISSPManager Information Systems
  Security
• Shana Chung, CISSP Director Contract Management
  (HIPAA Compliance, Definition Evaluation)

2
Introductions and Agenda

• HIPAA Security Standards Project Requirements
• Covered Entity Deliverables
• Risk Assessment Key to Sizing the HIPAA Security
  Program
• Right Sizing
• Risk Assessment Getting Started
• Sample Risk Assessment Summary
• Risk Assessment as a Tool to Size a HIPAA
  Security Program
• Right Size Reasonable and Appropriate
• Survey Results
• Conclusions

3
HIPAA Security Standards Project Requirements

• Standards define project scope and approach
• Applies to electronic protected health
  information (EPHI). A covered entity must
• ensure the confidentiality, integrity, and
  availability of all EPHI it creates, receives,
  maintains or transmits
• protect against any reasonably anticipated
  threats or hazards to the security or integrity
  of such information
• protect against any reasonably anticipated uses
  or disclosures of such information that are not
  permitted or required under subpart E of this
  part
• ensure compliance with this subpart by its
  workforce
• The standards define required deliverables
• Standards describe high-level deliverables
• Policies, procedures, periodic reviews, etc.
• Specifications describe required content
• e.g., Procedures to regularly review records of
  system activity

4
Covered Entity Required Deliverables

• Document how the covered entity (CE) met each
  specification
• Criteria evaluated in choosing a solution for a
  given specification 164.306(b)
• Factors from 164.308(a)(1) - covered later
• Organizational and environmental factors
• Contracts or superceding state law
• Other constraints
• Solution implemented
• Solution description
• Policies and procedures to maintain the solution
• Audit trails or other mechanisms to assure
  ongoing effectiveness and workforce compliance
• Required vs. addressable specifications
• Required specifications must be implemented as
  stated
• An addressable specification must be implemented,
  or the CE must document why it was not and the
  equivalent measures implemented

5
Risk Assessment Key to Sizing a Security Program

• 164.308(a) (1) requires CEs to
• Conduct accurate and thorough assessments of EPHI
  potential risks and confidentiality, integrity,
  and availability vulnerabilities held by the CE
• Implement security measures to reduce risks and
  vulnerabilities to comply with 164.306(a)
• Risk is a compound value or judgment based on
  the following
• Threat
• Vulnerability to the threat
• Probability of exploiting the vulnerability
• Cost or other adverse effect if successfully
  exploited
• Apply sound business judgment
• Absolute security doesnt exist
• Management may make an informed judgment to
  accept risk

6
Accurate and Thorough Right Sizing

• 164.306(b) instructs us to consider
• (i) The size, complexity, and capabilities of the
  covered entity
• (ii) The covered entity's technical
  infrastructure, hardware and software security
  capabilities
• (iii) The costs of security measures
• (iv) The probability and criticality of potential
  risks to EPHI
• HIPAA Security program should scale against
  164.306(b)
• Number of different EPHI stores the organization
  has
• Size and/or location of the workforce
• Number of different EDI connections or Web
  services transporting EPHI
• Robustness of the baseline security program
• How probable and critical are more
  organization-specific
• What EPHI is critical to the organization mission
  or operations?
• What security and privacy risks have been
  identified?

7
Reasonable and Appropriate Right Sizing

• What is a reasonable and appropriate level of
  risk and vulnerability?
• Common practices for similar organizations
• Case law
• Source documents for HIPAA Security Rules
• NIST http//csrc.nist.gov/publications/nistpubs/in
  dex.html
• OMB Circulars http//www.whitehouse.gov/omb/circul
  ars/index.html
• Mapped standards in the 1998 Draft Rules ASTM,
  ANSI, IEEE, ISO, etc.
• Common practices for similar organizations
• Common practices are both human and technical
• Similar organizations similar business model
  and workforce size
• Case law
• Reasonable person standards have developed in
  other areas of law
• TriWest Healthcare Alliance suit
• National Academy of Science study (2002)
  recommends laws that hold system operators liable
  for security breaches

8
Reasonable and Appropriate Right Sizing (cont.)

• Some guidance available in NISTs Generally
  Accepted Principles and Practices for Secure
  Information Technology Systems
• Risk management requires the analysis of risk,
  relative to potential benefits, consideration of
  alternatives, and, finally, implementation of
  what management determines to be the best course
  of action.
• Management needs to decide if the operation of
  the IT system is acceptable, given the kind and
  severity of remaining risks.
• Best course of action decision should occur at
  the right management level
• If potential costs are known Approving manager
  should have authority for that amount
• If costs cant be estimated Approval comes from
  manager with responsibility over the system or
  vulnerable information
• If the risk spans departments Approval comes
  from all affected department heads or executive
  responsible overall

9
Risk Assessment Getting Started

• Common elements of risk management
• Formal, repeatable process
• Reliable metrics and probability algorithms
• Clear documentation and outputs
• Adequate training for assessment personnel
• Management authorization
• Missing link is often metrics and probability
• Some data about number of incidents very little
  predictive value
• Available data focuses on hacker-style attacks.
  No reliable metric sources around internal
  threats and vulnerabilities
• In many cases, management decisions are based on
  incomplete data
• Consider starting with the HIPAA Security Rules
  as assessment targets
• Identify reasonably anticipated threats
  affecting organizations ability to comply
• Assess organizations degree of vulnerability to
  the identified threats
• Use vulnerability data to set the scope of the
  HIPAA Security Program

10
Sample Risk Assessment Summary
11
Using Risk Assessment to Size the HIPAA Security
Program

• Set scope
• Zero probability is out-of-scope (e.g., if
  clearinghouse rules do not apply to your
  organization, you have no probability of being
  out of compliance with that rule)
• Set work priority
• 1. High probability and high cost of occurrence
• 2. Medium probability and high cost of
  occurrence
• 3. High probability and low cost of occurrence
• 4. Low probability and high cost of occurrence
• 5. All other combinations
• Define project plan and work schedule in priority
  order
• Standardize work breakdown structures
• Phases collect related groups of work
  (activities) along the critical path
• Activities collect related tasks along the
  critical path
• Milestones signal acceptance of major
  deliverables and completion of activities
• Use life cycle approach to activities
• Requirements ? Alternatives ? Solution Selection
  ? Build/Test ? Deploy ? Maintain

12
Right Size Reasonable and Appropriate

• Outputs from solution selection document the
  reasonableness and appropriateness of the
  selected security measures
• Standardize deliverables as much as feasible
• Document at least 2 alternatives
• Include factors from 164.306(b)
• Document the fit between requirements and each
  alternative
• Estimate cost time to implement
• Summarize reasons for recommending one
  alternative
• Document management approval for selected
  solution
• Outputs from maintenance determine ongoing costs
  and staffing needs
• Document maintenance oversight roles,
  responsibilities and procedures
• 164.306(e) Security measures . . . must be
  reviewed and modified as needed to continue
  provision of reasonable and appropriate
  protection of EPHI
• Document intersections with other processes
  required by HIPAA Security rules
• Risk analysis and management system activity
  review access authorization contingency
  planning evaluation etc.

13
Information Security Program Survey

• Our methodology
• Respondents
• Type
• Covered entity - plan, clearinghouse, provider
• Hybrid
• Other (includes business associate, consultant,
  vendor)
• Size
• Total employees
• Number of IT FTEs
• IT Security
• Number of IT Security FTEs
• Annual IT Security training budget
• Annual IT Security budget
• By confidence in meeting HIPAA Security
  compliance date

14
Respondents by Type of Organization
Other (vendor, consultant, attorney, etc.)
15
Respondents by Size of Organization- Total
Number of Employees
16
Respondents by Size of IT DepartmentTotal Number
of IT FTEs
1-50 IT Employees
51-500 IT Employees
501-1000 IT Employees
1001-5000 IT Employees
5000 IT Employees
17
Does Your Organization Have IT Security FTEs?
18
How Much Do You Spend AnnuallyOn IT Security
19
Is Organization Confident of Meeting HIPAA
Security Deadline?
20
Some of the Challenges

• Communication
• Does the right hand know what the left hand is
  doing?
• Prioritization
• Are dubious projects getting the money?
• Training
• NIST and others address this

21
Does Scalability Reality?

• Is bigger really better?
• Security spending doesnt necessarily scale to an
  organizations size
• HIPAA and GLB are acknowledged as contributing to
  policy/procedure infrastructure in larger
  organizations
• Damage to an organizations reputation is more of
  a concern
• Related surveys
• US Healthcare Industry Quarterly HIPAA Survey
  Results Winter 2003
• http//www.hipaadvisory.com
• Security remediation efforts are progressing
  slowly
• Does Company Size Really Matter?, Information
  Security, September 2002
• http//www.infosecuritymag.com/2002/sep/2002s
  urvey.pdf

22
Conclusions