Planning for Information Security and Compliance

UNC CAUSE November 2006
Planning for Information Security and HIPAA Compliance
“Security should follow data”

Leo Howell, CISSP
John Baines, CISSP
IAS-Information Assurance & Security
ETSS-Enterprise Technology Services & Support
North Carolina State University

Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University
What’s it all about, Webster?

Defalcation
– Pronunciation: ˌdē-ˌfal-ˈkā-shən
– Date: 15th century
– 1 archaic : DEDUCTION
– 2 : the act or an instance of embezzling
– 3 : a failure to meet a promise or an expectation

Malfeasance
– Pronunciation: ˌmal-ˈfē-zən(t)s
– Date: 1696
– wrongdoing or misconduct especially by a public official

Two twenty dollar words
– Fraud and criminal business acts
– Reaction to the excesses of the 80’s and 90’s
"Planning for Security and HIPAA Compliance" NCSU and ECU
Increasingly Complicated Compliance Constraints

Statute        | Type of requirement                             | University data    | Example location
FERPA          | Federal law                                     | Student records    | Faculty PC or server
HIPAA          | Federal law                                     | Health records     | Athletics dept.
GLBA           | Federal law                                     | Financial data     | Financial Aid
PCI DSS        | Payment Card Industry - Data Security Std.      | Credit card data   | Bookstore server
SB 1048        | State Identity Theft law                        | SSN, etc.          |
R&R            | State Employee Personal Information Privacy law | Staff data         | Payroll
Federal Grants | Contract requirements                           | Research materials | Lab PC
Educational Institutes Seen as Easy Marks

Los Angeles Times article - May 30, 2006
‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’

‘we were adding on another university every week to look into’
- Michael C. Zweiback, assistant U.S. attorney
Information Security Planning
High level tasks
Make a conscious decision to plan for security and compliance for improved efficiency and effectiveness
– Understand the business goals and objectives
– Conduct a risk assessment; factor in compliance!
– Develop the plan
Data Classification Standard, DCS
forms the foundation
– 3 classification levels: High, Moderate, Normal
– Based on data business value, financial implications, legal obligations
(Figure: data classification cycle: Identification, Confidentiality and sensitivity, Classification, Protection, Consistency)
Data Management Procedures, DMP
assigns ownership and accountability

Role relationships and responsibilities:
– Data Trustee: oversight responsibility
– Data Steward: access within his or her unit; accuracy, privacy, and security
– Data Custodians: physical data management
– Security Administrator (e.g. Application Security Unit): manages access rights; authorizes users based on Guidelines
– User
Seven Steps
RMIS Information System Security Plan, RISSP
Leo Howell
Information Security Analyst
STEP ONE – Understand the Asset
– Effective security begins with a solid understanding of the protected asset and its value
– At NC State we have identified DATA as our primary asset
– Philosophically, we believe that “security should follow data”
– But we know that not all data were created equal
STEP TWO – Identify and prioritize Threats

Governance:
– policy breach
– rebellion
– theft

Physical:
– disclosure
– data theft
– equipment theft/damage

Infrastructure & Application:
– DoS
– unauthorized access

Endpoint:
– theft
– social engineering

Data:
– unauthorized access
– corruption/destruction
STEP THREE – Identify and rank Vulnerabilities

Governance:
– policy loopholes

Physical:
– “open” network
– weak perimeter
– open access

Endpoint:
– ignorance

Infrastructure & Application:
– unpatched systems/OS
– misconfiguration

Data:
– unencrypted storage
– insecure transmission
STEP FOUR – Quantify Relative Risk, R

R = µVAT
  V = vulnerability
  A = asset
  T = threat
  µ = likelihood of T

– The greater the number of vulnerabilities the bigger the risk
– The greater the value of the asset the bigger the risk
– The greater the threat the bigger the risk
STEP FIVE – Develop a strategy
3 virtual operational protection zones, OPZ, based on Data Classification

High
- Significant business impact
- financial loss
- regulatory compliance
(e.g. Laptop with High data)

Moderate
- adversely affects business and reputation
(e.g. Server with Moderate data)

Normal
- minimal adverse effect on business
- authorization required to modify or copy

Types of data stored, accessed, processed or transmitted dictate the OPZ.
Higher Classification implies Increased Security.
STEP SIX – Establish target standards

Seven layers of protection per zone based on COBIT, ISO 17799 and NIST 800-53:
1. Management & Governance
2. Access control
3. Physical security
4. Endpoint security
5. Infrastructure security
6. Application security
7. Data security
Amount and stringency of security controls at each level varies with data classification.
Snippet from Data Security Standard

Security Control                    | Red Zone  | Yellow Zone | Green Zone
Encrypt stored data                 | Mandatory | Recommended | Optional
Limit data stored to external media | Mandatory | Recommended | Optional
Encrypt transmitted data            | Mandatory | Mandatory   | Recommended
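As an added worked example (not code from the slides), the following Python ties STEP FOUR's R = µVAT formula to the zone controls in the snippet above: it ranks constructed exposures by R and lists the Mandatory controls for each asset's zone, producing the prioritized action items STEP SEVEN calls for. The 1..5 scales, the sample assets and the High/Moderate/Normal to Red/Yellow/Green zone mapping are assumptions of this example.

```python
# Added example (not from the slides): STEP FOUR's R = µ·V·A·T ranking fed into
# STEP SIX/SEVEN control selection. Scales, sample assets and the High/Moderate/
# Normal -> Red/Yellow/Green zone mapping are assumptions of this example.
from dataclasses import dataclass

ZONE = {"High": "Red", "Moderate": "Yellow", "Normal": "Green"}  # assumed
# Per-zone stringency from the "Snippet from Data Security Standard" slide.
CONTROLS = {
    "Encrypt stored data": {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Limit data stored to external media": {"Red": "Mandatory", "Yellow": "Recommended", "Green": "Optional"},
    "Encrypt transmitted data": {"Red": "Mandatory", "Yellow": "Mandatory", "Green": "Recommended"},
}

@dataclass
class Asset:
    name: str
    classification: str  # High, Moderate or Normal per the DCS
    value: int           # A: asset value on a constructed 1..5 scale

@dataclass
class Exposure:
    asset: Asset
    threat: str          # a STEP TWO threat, e.g. "theft"
    vulnerabilities: int # V: number of STEP THREE vulnerabilities present
    threat_level: int    # T: threat severity on a constructed 1..5 scale
    likelihood: float    # µ: likelihood of T, 0..1

    def risk(self) -> float:
        """STEP FOUR: relative risk R = µ·V·A·T."""
        return self.likelihood * self.vulnerabilities * self.asset.value * self.threat_level

def required_controls(asset: Asset, level: str = "Mandatory") -> list:
    """STEP SIX: controls at the given stringency for the asset's zone."""
    zone = ZONE[asset.classification]
    return [c for c, z in CONTROLS.items() if z[zone] == level]

def action_items(exposures: list) -> list:
    """STEP SEVEN: (asset, threat, R, mandatory controls), highest R first."""
    ranked = sorted(exposures, key=Exposure.risk, reverse=True)
    return [(e.asset.name, e.threat, round(e.risk(), 2), required_controls(e.asset))
            for e in ranked]

# Constructed sample inventory mirroring the deck's own example assets.
laptop = Asset("Laptop with High data", "High", 5)
server = Asset("Server with Moderate data", "Moderate", 3)
lab_pc = Asset("Lab PC", "Normal", 1)
SAMPLE = [Exposure(lab_pc, "DoS", 1, 2, 0.2),
          Exposure(server, "unauthorized access", 2, 3, 0.4),
          Exposure(laptop, "theft", 2, 4, 0.5)]
```

Calling `action_items(SAMPLE)` puts the High-data laptop first with all three controls Mandatory, the Moderate server second with only transmission encryption Mandatory, and the Normal lab PC last with none.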
STEP SEVEN – Document the plan
– Create a list of action items for the next 3 to 5 years
– Prioritize the list based on risk and reality
– Forecast investment
– Beg, kick and scream to get funding
– Implement the plan over time
Identify realistic solutions for applying the appropriate security controls at each level.
Quick takes
Planning paves the way for effectiveness and efficiency for security and compliance
– Understand the business goals
– Conduct a risk assessment
– Establish a strategy based on data classification and industry standards
– Develop a prioritized realistic plan
– Go for the long haul!
Key Elements of the HIPAA Security Rule:
And how to comply
Sharon McLawhorn McNeil
ITCS-Security
Department of ITCS
East Carolina University
Introduction
HIPAA is the Health Insurance Portability and Accountability Act. There are thousands of organizations that must comply with the HIPAA Security Rule. The Security Rule is just one part of the federal legislation that was passed into law in August 1996.
The purpose of the Security Rule:
– To allow better access to health insurance
– Reduce fraud and abuse
– Lower the overall cost of health care.
What is the HIPAA Security Rule?
The rule applies to electronic protected health information (EPHI), which is individually identifiable health information in electronic form.
Identifiable health information is:
– Your past, present, or future physical or mental health or condition,
– Your type of health care, or
– Past, present, or future payment methods for the type of health care received.
Who Must Comply?
Covered Entities (CEs) must comply with the Security Rule. Covered Entities are health plans, health care clearinghouses, and health care providers who transmit any EPHI.
– Health care plans - HMOs, group health plans, etc.
– Health care clearinghouses - billing and repricing companies, etc.
– Health care providers - doctors, dentists, hospitals, etc.
How Does One Comply?
Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of patient information.
Administrative Safeguards
To comply with the Administrative Safeguards portion of the regulation, the covered entity must implement the following "Required" security management activities:
– Conduct a Risk Analysis.
– Implement Risk Management Actions.
– Develop a Sanction Policy to deal with violators.
– Conduct an Information System Activity Review.
Physical Safeguards
The physical safeguards are a series of requirements meant to protect a Covered Entity's computer systems, network and EPHI from unauthorized access. The recommended and required physical safeguards are designed to provide facility access controls to limit access to the organization's computer systems, network, and the facility in which it is housed.
Technical Safeguards
Technical safeguards refer to the technology and the procedures used to protect the EPHI and access to it.
The goal of technical safeguards is to protect patient data by allowing access only by individuals or software programs that have been granted access rights to the information.
Key Elements of Compliance
1. Obtain and Maintain Senior Management Support
2. Develop and Implement Security Policies
3. Conduct and Maintain Inventory of EPHI
4. Be Aware of Political and Cultural Issues Raised by HIPAA
5. Conduct Regular and Detailed Risk Analysis
6. Determine What is Appropriate and Reasonable
7. Documentation
8. Prepare for ongoing compliance
Penalties
– Civil penalties are $100 per violation, up to $25,000 per year for each violation.
– Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Additional Negatives:
– Negative publicity
– Loss of Customers
– Loss of Business Partners
– Legal Liability
Conclusion
– Compliance will require Covered Entities to:
  – Identify the risks to their EPHI
  – Implement security best practices
– Complying with the Security Rule can require significant time and resources
– Compliance efforts should be currently underway
Contacts
NC State University
Leo Howell, CISSP CEH CCSP CBRM
Information Security Analyst
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
leo_howell@ncsu.edu
(919) 513-1169
East Carolina University
Sharon McLawhorn McNeil
IT-Security Analyst
McLawhorns@ecu.edu
252-328-9112
NC State University
John Baines, CISSP
Assistant Director
IAS-Information Assurance and Security
ETSS-Enterprise Technology Services and Support
john_baines@ncsu.edu