NIST HIPAA Security Rule Toolkit
Association of American Medical Colleges (AAMC)
February 15, 2012
Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

NIST's Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

NIST Laboratories
NIST's work enables
• Science
• Technology innovation
• Trade
• Public benefit
NIST works with
• Industry
• Academia
• Government agencies
• Measurement labs
• Standards organizations

Computer Security Division
A division within the Information Technology Lab, CSD conducts the research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.

Some Major Activities
• Cryptographic Algorithms, Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, Post-Quantum Crypto, BIOS Security
• FISMA, Health IT, Smart Grid, Supply Chain, NICE, Crypto Validation Programs, Outreach and Awareness, Cyber Physical Systems, Voting
• Identity Management, Access Control, Biometric Standards, Cloud and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols

Types of NIST Publications
Federal Information Processing Standards (FIPS)
• Developed by NIST; approved and promulgated by the Secretary of Commerce
• Per FISMA, compulsory and binding for all federal agencies; not waiverable
• Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia)
Special Publications (SP 800 series)
• Per OMB policy, Federal agencies must follow NIST guidelines
• Voluntary adoption by non-Federal organizations
Other security-related publications
• NIST Interagency Reports

A Framework for Managing Risk
(Risk Management Framework process overview diagram)
Starting point: Architecture Description (Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations)
• Step 1: CATEGORIZE Information System
• Step 2: SELECT Security Controls
• Step 3: IMPLEMENT Security Controls
• Step 4: ASSESS Security Controls
• Step 5: AUTHORIZE Information System
• Step 6: MONITOR Security Controls
Repeat as necessary.

Agenda
• HIPAA Security Rule Overview
• Toolkit Project
• Content Development
• The Toolkit Application
• Additional Information

HIPAA Security Rule (HSR) Overview
HSR establishes national standards for a covered entity to protect individuals' electronic personal health information (ePHI).

HSR Overview
Who? From a nationwide health plan with vast resources … to small provider practices with limited access to IT expertise and resources.
What? Standards and implementation specifications covering…
• Basic practices
• Security failures
• Risk management
• Personnel issues
How? It depends… on the size and scale of your organization.

HSR Toolkit Project
The purpose of this toolkit project is to help organizations …
• better understand the requirements of the HIPAA Security Rule (HSR)
• implement those requirements
• assess those implementations in their operational environments

HSR Toolkit Project
What it IS…
• A self-contained, OS-independent application to support various environments (hardware/OS)
• Support for security content that other organizations can reuse over and over
• A useful resource among a set of tools and processes that an organization may use to assist in reviewing their HSR risk profile
• A freely available resource from NIST
What it is NOT…
• It is NOT a tool that produces a statement of compliance
• NIST is not a regulatory or enforcement authority
• Compliance is the responsibility of the covered entity

Intended Uses of the HSR Toolkit
• Supplement existing risk assessment processes conducted by Covered Entities and Business Associates
• Assist organizations in aligning security practices across multiple operating units
• Serve as input into an action plan for HSR Security implementation improvements

HSR Toolkit Project
The Toolkit project consists of three parallel efforts, carried out over multiple iterations:
• Content Development
• Security Automation
• Desktop Application Development

Content Development
Using the HIPAA Security Rule and NIST Special Publications (800-66, 800-53, 800-53A), we developed questions designed to assist in the implementation of the Security Rule.

Content Development
Each HIPAA Security Rule section (§) maps to a specific question that addresses the rule. Example:
§164.308(a)(3)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Maps to question HSR.A53: Has your organization established chains of command and lines of authority for work force security?
Response type: Boolean
• Yes: If yes, do you have an organizational chart?
• No: If no, provide explanation text

Content Development
This effort has resulted in …
• Two sets of questions
• an "Enterprise" set with nearly 900 questions
• a "Standard" set with about 600 questions (a subset)
• With dependence and parent-child relationship mappings
• Covering all HSR standards and implementation specifications

Security Automation
• Utilizing standards-based security automation specifications, such as XCCDF, OVAL and OCIL, to implement those questions in a toolkit application that is "loosely coupled"
• Enables existing commercial tools that process security automation content to use the content (not locked down)
• Provides consistent and repeatable processes

Associated HSR Toolkit Resources
• A comprehensive User Guide
• Examples of how to use and operate the Toolkit
Partner entities that are assisting in defining functionality and usability:
• A state Medicaid Office
• A specialty clearinghouse
• A community hospital
• A non-profit regional hospital

The Toolkit Application (screenshot slides)
• Toolkit: Download the Application
• Toolkit: Create a Profile
• Toolkit: Organized by Safeguard Family
• Toolkit: Explore the Application Interface (Selected Question, References, Navigation Menu, Responses, Flag Level, Attachments, Comments, Progress Bar)
• Toolkit: Answer Questions
• Toolkit: Generate Reports

Useful Resources
• HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa
• Computer Security Resource Center (CSRC): http://csrc.nist.gov
• NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html

Questions
Thank You
Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov
HSRtoolkit@nist.gov
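As an added example that is not part of the presentation or of NIST's Toolkit, the following Python sketches the question content model the Content Development slides describe: a rule citation mapped to a Boolean question with Yes/No follow-ups, parent-child gating, and a Standard set that is a subset of the Enterprise set. HSR.A53 and its prompts are taken from the slides; the child question ids HSR.EXAMPLE1/2 and their text are constructed, and the Toolkit's real XCCDF/OCIL representation is not modelled.

```python
# Added example, not from the NIST deck: a toy model of the Toolkit question
# content described in the slides (rule-to-question mapping, Boolean answers
# with Yes/No follow-ups, parent-child gating, Standard subset of Enterprise).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Question:
    qid: str
    rule: str                      # HSR section the question maps to
    text: str
    standard: bool = True          # False: in the Enterprise set only
    parent: Optional[str] = None   # asked only if parent was answered Yes
    on_yes: Optional[str] = None   # follow-up prompt on Yes
    on_no: str = "If no, provide explanation text"

# HSR.A53 is from the slides; HSR.EXAMPLE1/2 are constructed child questions.
QUESTIONS = [
    Question("HSR.A53", "§164.308(a)(3)(A)", "Has your organization established "
             "chains of command and lines of authority for work force security?",
             on_yes="If yes, do you have an organizational chart?"),
    Question("HSR.EXAMPLE1", "§164.308(a)(3)(A)",
             "Is the organizational chart kept current?", parent="HSR.A53"),
    Question("HSR.EXAMPLE2", "§164.308(a)(3)(A)", "Is supervision of workforce "
             "members in ePHI areas documented?", standard=False, parent="HSR.A53"),
]

def validate(questions):
    """Content checks: parents exist; no Standard question is gated by an Enterprise-only parent."""
    by_id = {q.qid: q for q in questions}
    return [f"{q.qid}: bad parent {q.parent}" for q in questions if q.parent
            and (q.parent not in by_id
                 or (q.standard and not by_id[q.parent].standard))]

def active(questions, answers, profile="Standard"):
    """Questions to present: in the chosen set and with parent gate satisfied."""
    return [q for q in questions if (profile == "Enterprise" or q.standard)
            and (q.parent is None or answers.get(q.parent) is True)]

def summarize(questions, answers, profile="Standard"):
    """Group active questions into Yes follow-ups, No gaps (explanation text needed) and unanswered."""
    out = {"follow_ups": [], "gaps": [], "unanswered": []}
    for q in active(questions, answers, profile):
        a = answers.get(q.qid)
        if a is None:
            out["unanswered"].append(q.qid)
        elif a and q.on_yes:
            out["follow_ups"].append((q.qid, q.on_yes))
        elif not a:
            out["gaps"].append((q.qid, q.rule, q.on_no))
    return out
```

A "No" on a parent question hides its children in the active list, so the gap report points at the rule section where explanation text is required rather than at every dependent question.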