NIST HIPAA Security Rule Toolkit

Association of American Medical Colleges (AAMC)
February 15, 2012
Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
NIST’s Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
(Photo credits: R. Rathe; NIST)
NIST Laboratories
NIST’s work enables
• Science
• Technology innovation
• Trade
• Public benefit
NIST works with
• Industry
• Academia
• Government agencies
• Measurement labs
• Standards organizations
Computer Security Division
A division within the Information Technology Lab, CSD conducts research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.
Some Major Activities
• Cryptographic Algorithms, Secure Hash Competition, Authentication, Key Management, Crypto Transitions, DNSSEC, Post-Quantum Crypto, BIOS Security
• FISMA, Health IT, Smart Grid, Supply Chain, NICE, Crypto Validation Programs, Outreach and Awareness, Cyber Physical Systems, Voting
• Identity Management, Access Control, Biometric Standards, Cloud and Virtualization Technologies, Security Automation, Infrastructure Services and Protocols
Types of NIST Publications
Federal Information Processing Standards (FIPS)
• Developed by NIST; approved and promulgated by the Secretary of Commerce
• Per FISMA, compulsory and binding for all federal agencies; not waiverable
• Voluntary adoption by non-Federal organizations (e.g., state, local, tribal governments; foreign governments; industry; academia)
Special Publications (SP 800 series)
• Per OMB policy, Federal agencies must follow NIST guidelines
• Voluntary adoption by non-Federal organizations
Other security-related publications
• NIST Interagency Reports
A Framework for Managing Risk
[Figure: Risk Management Framework process overview. Starting point: the architecture description (architecture reference models, segment and solution architectures, mission and business processes, information system boundaries) and organizational inputs (laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations). The six steps, repeated as necessary:]
Step 1: CATEGORIZE Information System
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information System
Step 6: MONITOR Security Controls
Agenda
• HIPAA Security Rule Overview
• Toolkit Project
• Content Development
• The Toolkit Application
• Additional Information
HIPAA Security Rule (HSR) Overview
The HSR establishes national standards for a covered entity to protect individuals’ electronic personal health information (ePHI).
HSR Overview
Who? From a nationwide health plan with vast resources … to small provider practices with limited access to IT expertise and resources.
What? Standards and implementation specifications covering…
• Basic practices
• Security failures
• Risk management
• Personnel issues
How? It depends… on the size and scale of your organization.
HSR Toolkit Project
The purpose of this toolkit project is to help organizations …
• better understand the requirements of the HIPAA Security Rule (HSR)
• implement those requirements
• assess those implementations in their operational environments
HSR Toolkit Project
What it IS…
• A self-contained, OS-independent application to support various environments (hardware/OS)
• Support for security content that other organizations can reuse over and over
• A useful resource among a set of tools and processes that an organization may use to assist in reviewing their HSR risk profile
• A freely available resource from NIST
What it is NOT…
• It is NOT a tool that produces a statement of compliance
• NIST is not a regulatory or enforcement authority
• Compliance is the responsibility of the covered entity
Intended Uses of the HSR Toolkit
• Supplement existing risk assessment processes conducted by Covered Entities and Business Associates
• Assist organizations in aligning security practices across multiple operating units
• Serve as input into an action plan for HSR Security implementation improvements
HSR Toolkit Project
The Toolkit project consists of three parallel efforts:
• Content Development
• Security Automation
• Desktop Application Development
Multiple Iterations
Content Development
Using the HIPAA Security Rule and NIST Special Publications (800-66, 800-53, 800-53A), we developed questions designed to assist in the implementation of the Security Rule. Each section (§) of the HIPAA Security Rule maps to one or more specific questions that address that rule.
Content Development
Example mapping:
HSR section §164.308(a)(3)(A), Authorization and/or supervision (Addressable): Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Maps to
Question HSR.A53: Has your organization established chains of command and lines of authority for work force security?
Response type: Boolean
• Yes: If yes, do you have an organizational chart?
• No: If no, provide explanation text
Content Development
This effort has resulted in …
• Two sets of questions
  • an “Enterprise” set with nearly 900 questions
  • a “Standard” set with about 600 questions (a subset)
• With dependence and parent-child relationship mappings
• Covering all HSR standards and implementation specifications
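The rule-to-question mapping and the parent-child dependencies described above, modelled as a small constructed Python question engine. This is an added example, not the NIST toolkit's code or its XCCDF/OCIL content: it shows how a child question (the "do you have an organizational chart?" follow-up) is gated on its parent's answer, how a "No" answer is required to carry explanation text, how the "Standard" subset is selected from the "Enterprise" set, and how per-safeguard progress can be computed from the mapping. Question HSR.A53 and its wording come from the slide; the ids HSR.A53.1 and HSR.X01, the 164.312(a)(1) (Access control) mapping, and all sample answers are assumptions made for this example.

```python
"""Constructed model of an HSR Toolkit-style question set with rule mappings
and parent-child dependencies (added example; not the NIST toolkit's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str                             # toolkit question id
    hsr_ref: str                         # HSR standard / implementation specification it maps to
    text: str
    standard_set: bool = True            # False: present only in the larger "Enterprise" set
    parent: Optional[str] = None         # parent question id, for child (follow-up) questions
    parent_value: Optional[bool] = None  # child applies only when the parent was answered this value
    explain_on: Optional[bool] = None    # answer value that must be accompanied by explanation text


# HSR.A53 and its wording are taken from the slide; HSR.A53.1, HSR.X01 and the
# 164.312(a)(1) (Access control standard) mapping are constructed for this example.
QUESTIONS: List[Question] = [
    Question("HSR.A53", "164.308(a)(3)(A)",
             "Has your organization established chains of command and lines of "
             "authority for work force security?", explain_on=False),
    Question("HSR.A53.1", "164.308(a)(3)(A)", "Do you have an organizational chart?",
             standard_set=False, parent="HSR.A53", parent_value=True),
    Question("HSR.X01", "164.312(a)(1)",
             "Is access to ePHI limited to persons or software programs that have "
             "been granted access rights?", explain_on=False),
]

# An answer is (boolean value, free-text explanation).
Answers = Dict[str, Tuple[bool, str]]


def select_set(questions: List[Question], enterprise: bool) -> List[Question]:
    """Pick the "Enterprise" set (everything) or the "Standard" subset."""
    return [q for q in questions if enterprise or q.standard_set]


def applicable(questions: List[Question], answers: Answers) -> List[Question]:
    """Questions the respondent must answer, given the answers so far.

    Root questions always apply; a child applies only once its parent is present in
    the selected set and has been answered with the value the child hangs on."""
    ids = {q.qid for q in questions}
    out = []
    for q in questions:
        if q.parent is None:
            out.append(q)
        elif q.parent in ids:
            ans = answers.get(q.parent)
            if ans is not None and ans[0] == q.parent_value:
                out.append(q)
    return out


def validate(questions: List[Question], answers: Answers) -> List[str]:
    """Consistency findings: unanswered applicable questions, missing explanation
    text, and answers recorded for questions whose parent gate is not satisfied."""
    issues = []
    app = applicable(questions, answers)
    app_ids = {q.qid for q in app}
    for q in app:
        if q.qid not in answers:
            issues.append(f"{q.qid}: unanswered")
            continue
        value, explanation = answers[q.qid]
        if q.explain_on is not None and value == q.explain_on and not explanation.strip():
            issues.append(f"{q.qid}: answer {value} requires explanation text")
    known = {q.qid for q in questions}
    for qid in answers:
        if qid in known and qid not in app_ids:
            issues.append(f"{qid}: answered but not applicable (parent gate not satisfied)")
    return issues


def progress_by_ref(questions: List[Question], answers: Answers) -> Dict[str, Tuple[int, int]]:
    """(answered, applicable) counts per HSR reference: a per-safeguard progress bar."""
    out: Dict[str, Tuple[int, int]] = {}
    for q in applicable(questions, answers):
        done, total = out.get(q.hsr_ref, (0, 0))
        out[q.hsr_ref] = (done + int(q.qid in answers), total + 1)
    return out


if __name__ == "__main__":
    # Constructed sample answers: the "No" on HSR.X01 lacks the required explanation.
    sample: Answers = {"HSR.A53": (True, ""), "HSR.A53.1": (True, ""), "HSR.X01": (False, "")}
    for q in applicable(QUESTIONS, sample):
        print(f"{q.qid} [{q.hsr_ref}] {q.text}")
    print("findings:", validate(QUESTIONS, sample))
    print("progress:", progress_by_ref(QUESTIONS, sample))
```

Keeping the gate (parent and parent_value) on the question record rather than in application logic is what lets the same content be exported to, or consumed from, a questionnaire format such as OCIL without the engine knowing anything about HIPAA; the validation pass catches the two data-quality problems a reviewer most often finds in completed questionnaires, a "No" with no justification and a follow-up answered even though its parent made it inapplicable.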
Content Development
Security Automation
• Utilizing standards-based security automation specifications (such as XCCDF, OVAL, OCIL) to implement those questions into a toolkit application that is “loosely coupled”
• Enables existing commercial tools that process security automation content to use the content (not locked down)
• Provides consistent and repeatable processes
Associated HSR Toolkit Resources
• A comprehensive User Guide
• Examples of how to use and operate the Toolkit
Partner entities that are assisting in defining functionality and usability:
• A state Medicaid Office
• A specialty clearinghouse
• A community hospital
• A non-profit regional hospital
Toolkit: Download the Application
Toolkit: Create a Profile
Toolkit: Organized by Safeguard Family
Toolkit: Explore the Application Interface
[Screenshot: main application window, with these elements labelled]
• Selected Question
• References
• Navigation Menu
• Responses
• Flag Level
• Attachments
• Comments
• Progress Bar
Toolkit: Answer Questions
Toolkit: Generate Reports
Useful Resources
• HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa
• Computer Security Resource Center (CSRC): http://csrc.nist.gov
• NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html
Questions
Thank You
Kevin Stine
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov
HSRtoolkit@nist.gov