HIPAA Security: A Management System Approach

Dan Wallace
dwallace@growforwardllc.com



Agenda
1) The Need for Security Awareness Programs
2) Security Awareness as a Product
3) Phase 1 – Identify Target Audiences and Product
4) Phase 2 – Identify Product Distribution Methods
5) Phase 3 – Obtain Management Support
6) Phase 4 – Product Launch
7) Phase 5 – Effectiveness Assessment
8) Ongoing Enhancements
9) Ideas for Customized Campaigns




HIPAA Security Compliance Framework




Introduction to Management Systems




Management System Overview

A management system is a mechanism to establish policy and objectives and to put in place the means to achieve those objectives.

Management systems are used by organizations to develop policies and to put these into effect via objectives and targets using:
    –   Organizational structure
    –   Systematic procedures
    –   Measurement and evaluation
    –   Quality control and continuous improvement

Structure, procedures and measurement are required by the HIPAA security regulation.

Elements of a Management System

    –   Planning – identification of needs, resources, structure, responsibilities
    –   Policy – demonstration of commitment and principles for action
    –   Implementation and operation – awareness building and training
    –   Performance assessment – monitoring and measuring, handling non-conformities, audits
    –   Improvement – corrective and preventive action, continual improvement
    –   Management review – oversight, governance and compliance





Information Security Management System

ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

The design and implementation of the ISMS is influenced by business needs and objectives, resulting security requirements, the processes employed and the size and structure of the organization.

The ISMS and the supporting systems are designed to change when necessary.





Management System Documentation

The documentation set has four levels:

    –   Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability. Management framework policies relating to BS 7799-2 Clause 4.
    –   Level 2 – Procedures: define processes – who, what, when, where.
    –   Level 3 – Work Instructions, checklists, forms, etc.: describe how tasks and specific activities are done.
    –   Level 4 – Records: provide objective evidence of compliance to HIPAA security requirements; required by BS7799 clause 3.6.








HIPAA Security Framework




The Framework

Phase 1 – Plan the Project → Project Charter
Phase 2 – Develop Policies (based on ISO/IEC 17799) → Policies, Standards, Procedures
Phase 3 – Assess Risk: Threats, Vulnerabilities & Impacts; uses Phase 1 & 2 outputs
Phase 4 – Manage Risk: Risk Tolerance, Degree of Compliance; uses Phase 3 outputs
Phase 5 – Implement Controls: Remediation Plans; Selected Controls
Phase 6 – Compliance: Control Objectives, Implemented Controls → Compliance Guide

OCTAVE is the method used for the risk assessment and risk management phases.

Phase One: Project Planning

    –   Gain an understanding of the organization and technology environment
    –   Establish the objectives of the management system
    –   Develop project charter document
    –   Roll out methodology and obtain buy-in
    –   Develop detailed project plans
    –   Address budget issues
    –   Obtain resource commitments





Phase Two: Policy Development

POLICY DEFINITION: Develop a custom security policy document, based on ISO/IEC 17799, that is driven by business/clinical need and prescribes management direction in meeting HIPAA security compliance objectives.

STANDARDS & PROCEDURE DEVELOPMENT: Each functional area or department develops the means to implement and enforce management’s policies.




Policy Definition & Standard Development Process

1) Determine Policy Requirements
   •   Kickoff
   •   Interview Key Personnel
   •   Interview IT & security
   •   Checkpoint
2) Identify Current Policies
   •   Review Existing Policies
   •   Review details of Incidents
3) Map Current to Required
   •   Review HIPAA Security Regs
   •   Review ISO/IEC 17799
4) Analyze Gaps
   •   Identify Gaps
   •   Identify New Areas
   •   Assign Policy Ownership
   •   Consolidate Findings
5) Develop Required Policies
   •   Kickoff
   •   User Training

Policy Development tasks are the same for both policy definition and standards development.



Procedure Development

    –   A procedure is the organization of people, equipment, energy, procedures and material into the work activities needed to produce a specified end result (work product).
    –   Procedures are a sequence of repeatable activities that have measurable inputs, value-add activities and measurable outputs.
    –   Procedures have a functional focus as opposed to an organizational focus, must have a specified owner, and use Critical Success Factors (CSF) to help focus process execution and maximize improvement efforts.
    –   Each functional area develops its own procedures consistent with policies. Methods for procedure development will vary; however, management may elect to issue guidance on the form and format of documented procedures.
Required Procedures

Legend: (S) standard, (R) required implementation specification, (A) addressable implementation specification.

164.308(a)(4)(ii)(B)   Access Authorization (A)
164.310(a)(2)(iii)     Access Control and Validation (A)
164.312(a)(1)          Access Controls (S)
164.308(a)(4)(ii)(C)   Access Establishment and Modification (A)
164.312(b)             Audit Controls (S)
164.308(a)(3)(ii)(A)   Authorization and/or Supervision (A)
164.312(a)(2)(iii)     Automatic Logoff (A)
164.310(a)(2)(i)       Contingency Operations (A)
164.308(a)(7)(i)       Contingency Plan (S)
164.308(a)(7)(ii)(A)   Data Backup Plan (R)
164.310(d)(1)          Device and Media Controls (S)
164.308(a)(7)(ii)(B)   Disaster Recovery Plan (R)
164.310(d)(2)(i)       Disposal (R)
164.312(a)(2)(ii)      Emergency Access (R)
164.308(a)(7)(ii)(C)   Emergency Mode Operation Plan (R)
164.310(a)(1)          Facility Access Controls (S)
164.310(a)(2)(ii)      Facility Security Plan (A)
164.308(a)(4)(i)       Information Access Management (S)
164.308(a)(1)(ii)(D)   Information System Activity Review (R)
164.312(c)(1)          Integrity (S)
164.308(a)(4)(ii)(A)   Isolating Health Care Clearinghouse Function (R)
164.308(a)(5)(ii)(C)   Login Monitoring (A)
164.310(a)(2)(iv)      Maintenance Records (A)
164.310(d)(2)(ii)      Media Re-Use (R)
164.308(a)(5)(ii)(D)   Password Management (A)
164.312(d)             Person or Entity Authentication (S)
164.308(a)(5)(ii)(B)   Protection from Malicious Software (A)
164.308(a)(6)(i)       Security Incident Procedures (S)
164.308(a)(1)(i)       Security Management Process (S)
164.308(a)(3)(ii)(C)   Termination (A)
164.308(a)(7)(ii)(D)   Testing and Revision (A)
164.308(a)(3)(ii)(B)   Workforce Clearance (A)
164.308(a)(3)(i)       Workforce Security (S)
164.310(b)             Workstation Use (S)



Phase Three: Risk Assessment – Overview of the OCTAVE Process

OCTAVE PROCESS: a progressive series of self-directed workshops that results in an in-depth security analysis of business and computing infrastructure elements.

Phase Three: Risk Assessment

PREPARATION: Define scope of the risk assessment, select analysis teams, method orientation, schedule workshops.

PHASE ONE: BUILD ASSET-BASED THREAT PROFILES. An organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets.

PHASE TWO: IDENTIFY INFRASTRUCTURE VULNERABILITIES. An evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.
Phase Four: Risk Management and Remediation

PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization’s critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.





Risk Assessment & Management
Phase Five: Implement Control Objectives and Controls





Phase Six: Prepare the Statement of Applicability

COMPLIANCE DOCUMENT: Written evidence of the actions taken in the first five phases with regard to HIPAA compliance.

MANAGEMENT FRAMEWORK SUMMARY: A synopsis of the entire information security management framework including the policy, control objectives and implemented controls.

PROCEDURE INVENTORY: A catalogue of procedures implemented to support the management framework including responsibilities and relevant actions.

MANAGEMENT SYSTEM PROCEDURES: Administrative procedures covering the operation and management of the management system including responsibilities.
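As an added example that is not part of the slide deck, the Python below parses the Required Procedures table (embedded verbatim as its input) and runs the Phase Six statement-of-applicability check, which is also the Analyze Gaps step of the policy development process, against a procedure inventory. The inventory (PROCEDURE_INVENTORY), the addressable-specification decisions (ADDRESSABLE_DECISIONS) and the document ids are constructed assumptions; the legend (S) standard, (R) required implementation specification, (A) addressable implementation specification is the Security Rule's own terminology. The check treats a missing standard or required specification as a mandatory gap, a missing addressable specification as a gap that needs a documented decision, and a rationale recorded against a standard or required specification as an error, since only addressable specifications can be met by an alternative or a documented rationale.

```python
import re
from collections import namedtuple

# Input: the "Required Procedures" table from the slide, reproduced verbatim.
# Legend (HIPAA Security Rule terminology): (S) standard, (R) required
# implementation specification, (A) addressable implementation specification.
REQUIRED_PROCEDURES = """\
164.308(a)(4)(ii)(B)   Access Authorization (A)
164.310(a)(2)(iii)     Access Control and Validation (A)
164.312(a)(1)          Access Controls (S)
164.308(a)(4)(ii)(C)   Access Establishment and Modification (A)
164.312(b)             Audit Controls (S)
164.308(a)(3)(ii)(A)   Authorization and/or Supervision (A)
164.312(a)(2)(iii)     Automatic Logoff (A)
164.310(a)(2)(i)       Contingency Operations (A)
164.308(a)(7)(i)       Contingency Plan (S)
164.308(a)(7)(ii)(A)   Data Backup Plan (R)
164.310(d)(1)          Device and Media Controls (S)
164.308(a)(7)(ii)(B)   Disaster Recovery Plan (R)
164.310(d)(2)(i)       Disposal (R)
164.312(a)(2)(ii)      Emergency Access (R)
164.308(a)(7)(ii)(C)   Emergency Mode Operation Plan (R)
164.310(a)(1)          Facility Access Controls (S)
164.310(a)(2)(ii)      Facility Security Plan (A)
164.308(a)(4)(i)       Information Access Management (S)
164.308(a)(1)(ii)(D)   Information System Activity Review (R)
164.312(c)(1)          Integrity (S)
164.308(a)(4)(ii)(A)   Isolating Health Care Clearinghouse Function (R)
164.308(a)(5)(ii)(C)   Login Monitoring (A)
164.310(a)(2)(iv)      Maintenance Records (A)
164.310(d)(2)(ii)      Media Re-Use (R)
164.308(a)(5)(ii)(D)   Password Management (A)
164.312(d)             Person or Entity Authentication (S)
164.308(a)(5)(ii)(B)   Protection from Malicious Software (A)
164.308(a)(6)(i)       Security Incident Procedures (S)
164.308(a)(1)(i)       Security Management Process (S)
164.308(a)(3)(ii)(C)   Termination (A)
164.308(a)(7)(ii)(D)   Testing and Revision (A)
164.308(a)(3)(ii)(B)   Workforce Clearance (A)
164.308(a)(3)(i)       Workforce Security (S)
164.310(b)             Workstation Use (S)
"""

# One table row: citation, procedure name, then the (S)/(R)/(A) suffix.
ROW = re.compile(r"^\s*(?P<cite>164\.\d{3}(?:\([^)]*\))+)\s+(?P<name>.+?)\s+\((?P<kind>[SRA])\)\s*$")
Spec = namedtuple("Spec", "citation name kind")

def parse_table(text):
    """Parse the slide's table; a row that does not match is an error, not silently skipped."""
    specs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        specs.append(Spec(m["cite"], m["name"], m["kind"]))
    return specs

def statement_of_applicability(specs, procedures, decisions):
    """Map each specification to what covers it (the Phase Six check).
    procedures: citation -> id of the documented procedure implementing it.
    decisions:  citation -> rationale for an addressable spec met by an equivalent
    alternative or judged not applicable. A standard or required spec cannot be
    waived this way: such a decision is reported as invalid and stays a gap."""
    report = {k: [] for k in ("implemented", "documented_decision", "invalid_decision",
                              "gap_mandatory", "gap_decision_needed")}
    for s in specs:
        if s.citation in procedures:
            report["implemented"].append((s.citation, s.name, procedures[s.citation]))
        elif s.kind == "A":
            if s.citation in decisions:
                report["documented_decision"].append((s.citation, s.name, decisions[s.citation]))
            else:
                report["gap_decision_needed"].append((s.citation, s.name))
        else:
            if s.citation in decisions:
                report["invalid_decision"].append((s.citation, s.name))
            report["gap_mandatory"].append((s.citation, s.name))
    return report

# Constructed procedure inventory: hypothetical document ids, not from the slides.
PROCEDURE_INVENTORY = {
    "164.312(b)": "PROC-AUD-01",            # Audit Controls (S)
    "164.308(a)(6)(i)": "PROC-IR-01",       # Security Incident Procedures (S)
    "164.308(a)(7)(ii)(A)": "PROC-BCK-01",  # Data Backup Plan (R)
    "164.308(a)(5)(ii)(D)": "PROC-PWD-01",  # Password Management (A)
}
# Constructed decisions; the Disposal entry is deliberately wrong (Disposal is (R)).
ADDRESSABLE_DECISIONS = {
    "164.312(a)(2)(iii)": "Automatic Logoff: equivalent control, workstation session lock",
    "164.310(d)(2)(i)": "Disposal: handled by vendor contract",
}

if __name__ == "__main__":
    for section, items in statement_of_applicability(parse_table(REQUIRED_PROCEDURES), PROCEDURE_INVENTORY, ADDRESSABLE_DECISIONS).items():
        print(f"{section}: {len(items)}", [c for c, *_ in items])
```

Running the file prints each report section with the citations in it. With the constructed inventory, 4 specifications are implemented, 1 addressable specification carries a documented decision, 17 standards or required specifications are mandatory gaps, 12 addressable specifications still need a decision, and the Disposal rationale is listed under invalid_decision while Disposal itself stays in gap_mandatory, which is the behaviour a reviewer of the statement of applicability wants: a rationale never silently removes a required item.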
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

A project approach to HIPAA

  • 1. HIPAA Security: A Management System Approach. Dan Wallace, dwallace@growforwardllc.com
  • 2. Agenda: 1) The Need for Security Awareness Programs 2) Security Awareness as a Product 3) Phase 1 – Identify Target Audiences and Product 4) Phase 2 – Identify Product Distribution Methods 5) Phase 3 – Obtain Management Support 6) Phase 4 – Product Launch 7) Phase 5 – Effectiveness Assessment 8) Ongoing Enhancements 9) Ideas for Customized Campaigns. HIPAA Security Compliance Framework
  • 3. Introduction to Management Systems
  • 4. Management System Overview. A management system is a mechanism to establish policy and objectives and to put in place the means to achieve those objectives. Management systems are used by organizations to develop policies and to put these into effect via objectives and targets using:
    – Organizational structure
    – Systematic procedures
    – Measurement and evaluation
    – Quality control and continuous improvement
    Structure, procedures and measurement are required by the HIPAA security regulation.
  • 5. Elements of a Management System.
    – Planning – identification of needs, resources, structure, responsibilities
    – Policy – demonstration of commitment and principles for action
    – Implementation and operation – awareness building and training
    – Performance assessment – monitoring and measuring, handling non-conformities, audits
    – Improvement – corrective and preventive action, continual improvement
    – Management review – oversight, governance and compliance
  • 6. Information Security Management System. ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The design and implementation of the ISMS is influenced by business needs and objectives, the resulting security requirements, the processes employed, and the size and structure of the organization. The ISMS and the supporting systems are designed to change when necessary.
  • 7. Management System Documentation (a four-level document hierarchy):
    – Level 1: Security Manual – policy, scope, risk assessment, statement of applicability; the management framework policies relating to BS 7799-2 Clause 4
    – Level 2: Procedures – define processes: who, what, when, where
    – Level 3: Work Instructions, checklists, forms, etc. – describe how tasks and specific activities are done
    – Level 4: Records – provide objective evidence of compliance to HIPAA security requirements; required by BS 7799 clause 3.6
  • 8. HIPAA Security Framework
  • 9. The Framework (phase diagram with inputs and outputs):
    – Phase 1: Plan the Project – Project Charter
    – Phase 2: Develop Policies – ISO/IEC 17799; Policies, Standards, Procedures
    – Phase 3: Assess Risk – OCTAVE; Phase 1 & 2 outputs; Threats, Vulnerabilities & Impacts
    – Phase 4: Manage Risk – Phase 3 outputs; Risk Tolerance; Degree of Compliance
    – Phase 5: Implement Controls – Selected Controls; Remediation Plans
    – Phase 6: Guide Compliance – Compliance Control Objectives; Implemented Compliance Controls
  • 10. Phase One: Project Planning. Gain an understanding of the organization and technology environment; establish the objectives of the management system; develop the project charter document; roll out the methodology and obtain buy-in; develop detailed project plans; address budget issues; obtain resource commitments.
  • 11. Phase Two: Policy Development. POLICY DEFINITION: Develop a custom security policy document, based on ISO/IEC 17799, that is driven by business/clinical need and prescribes management direction in meeting HIPAA security compliance objectives. STANDARDS & PROCEDURE DEVELOPMENT: Each functional area or department develops the means to implement and enforce management’s policies.
  • 12. Policy Definition & Standard Development Process. Stages: Identify Current Policies → Determine Policy Requirements → Map Current to Required → Analyze Gaps → Develop Required Policies. Tasks shown under the stages: Kickoff; Review Existing Policies; Interview IT & security; Review HIPAA Security Regs; Interview Key Personnel; Review ISO/IEC 17799; Review details of Incidents; Consolidate Findings; Identify Gaps; Identify New Areas; Assign Policy Ownership; Checkpoint; Kickoff; User Training. Policy development tasks are the same for both policy definition and standards development.
  • 13. Procedure Development. A procedure is the organization of people, equipment, energy, procedures and material into the work activities needed to produce a specified end result (work product). Procedures are a sequence of repeatable activities that have measurable inputs, value-add activities and measurable outputs. Procedures have a functional focus as opposed to an organizational focus, must have a specified owner, and use Critical Success Factors (CSF) to help focus process execution and maximize improvement efforts. Each functional area develops its own procedures consistent with policies. Methods for procedure development will vary; however, management may elect to issue guidance on the form and format of documented procedures.
  • 14. Required Procedures. (S) = standard, (R) = required implementation specification, (A) = addressable implementation specification:
    – 164.308(a)(4)(ii)(B) Access Authorization (A)
    – 164.310(a)(2)(iii) Access Control and Validation (A)
    – 164.312(a)(1) Access Controls (S)
    – 164.308(a)(4)(ii)(C) Access Establishment and Modification (A)
    – 164.312(b) Audit Controls (S)
    – 164.308(a)(3)(ii)(A) Authorization and/or Supervision (A)
    – 164.312(a)(2)(iii) Automatic Logoff (A)
    – 164.310(a)(2)(i) Contingency Operations (A)
    – 164.308(a)(7)(i) Contingency Plan (S)
    – 164.308(a)(7)(ii)(A) Data Backup Plan (R)
    – 164.310(d)(1) Device and Media Controls (S)
    – 164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
    – 164.310(d)(2)(i) Disposal (R)
    – 164.312(a)(2)(ii) Emergency Access (R)
    – 164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
    – 164.310(a)(1) Facility Access Controls (S)
    – 164.310(a)(2)(ii) Facility Security Plan (A)
    – 164.308(a)(4)(i) Information Access Management (S)
    – 164.308(a)(1)(ii)(D) Information System Activity Review (R)
    – 164.312(c)(1) Integrity (S)
    – 164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Function (R)
    – 164.308(a)(5)(ii)(C) Login Monitoring (A)
    – 164.310(a)(2)(iv) Maintenance Records (A)
    – 164.310(d)(2)(ii) Media Re-Use (R)
    – 164.308(a)(5)(ii)(D) Password Management (A)
    – 164.312(d) Person or Entity Authentication (S)
    – 164.308(a)(5)(ii)(B) Protection from Malicious Software (A)
    – 164.308(a)(6)(i) Security Incident Procedures (S)
    – 164.308(a)(1)(i) Security Management Process (S)
    – 164.308(a)(3)(ii)(C) Termination (A)
    – 164.308(a)(7)(ii)(D) Testing and Revision (A)
    – 164.308(a)(3)(ii)(B) Workforce Clearance (A)
    – 164.308(a)(3)(i) Workforce Security (S)
    – 164.310(b) Workstation Use (S)
  • 15. Phase Three: Risk Assessment. Overview of the OCTAVE Process. OCTAVE PROCESS: a progressive series of self-directed workshops that results in an in-depth security analysis of business and computing infrastructure elements.
  • 16. Phase Three: Risk Assessment. PREPARATION: Define the scope of the risk assessment, select analysis teams, method orientation, schedule workshops. PHASE ONE: BUILD ASSET-BASED THREAT PROFILES. An organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets. PHASE TWO: IDENTIFY INFRASTRUCTURE VULNERABILITIES. An evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.
  • 17. Phase Four: Risk Management and Remediation. PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization’s critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
  • 18. Risk Assessment & Management
  • 19. Phase Five: Implement Control Objectives and Controls. PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization’s critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
  • 20. Phase Six: Prepare the Statement of Applicability. COMPLIANCE DOCUMENT: Written evidence of the actions taken in the first five phases with regard to HIPAA compliance. MANAGEMENT FRAMEWORK SUMMARY: A synopsis of the entire information security management framework including the policy, control objectives and implemented controls. PROCEDURE INVENTORY: A catalogue of procedures implemented to support the management framework including responsibilities and relevant actions. MANAGEMENT SYSTEM PROCEDURES: Administrative procedures covering the operation and management of the management system including responsibilities.
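The procedure inventory on slide 14 and the Statement of Applicability on slide 20 are easiest to keep honest as a small, checkable data set rather than a slide table. The Python below is an added example, not code from the deck or its author: it parses the slide 14 citation list, groups the procedures by safeguard family, and produces a Statement-of-Applicability style gap report against an inventory of what has been implemented. Two things are assumptions not stated on the page: the grouping of 45 CFR 164.308, 164.310 and 164.312 into Administrative, Physical and Technical safeguards (that is how the Security Rule is organised, but the slide does not say so), and the status vocabulary plus the constructed sample inventory used as input. The required-versus-addressable handling follows 164.306(d): an addressable specification may be met by a documented equivalent alternative or documented as not reasonable and appropriate, while standards and required specifications count only when implemented.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The 34 procedures transcribed from slide 14: (S) standard, (R) required
# implementation specification, (A) addressable implementation specification.
REQUIRED_PROCEDURES = """\
164.308(a)(4)(ii)(B) Access Authorization (A)
164.310(a)(2)(iii) Access Control and Validation (A)
164.312(a)(1) Access Controls (S)
164.308(a)(4)(ii)(C) Access Establishment and Modification (A)
164.312(b) Audit Controls (S)
164.308(a)(3)(ii)(A) Authorization and/or Supervision (A)
164.312(a)(2)(iii) Automatic Logoff (A)
164.310(a)(2)(i) Contingency Operations (A)
164.308(a)(7)(i) Contingency Plan (S)
164.308(a)(7)(ii)(A) Data Backup Plan (R)
164.310(d)(1) Device and Media Controls (S)
164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
164.310(d)(2)(i) Disposal (R)
164.312(a)(2)(ii) Emergency Access (R)
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
164.310(a)(1) Facility Access Controls (S)
164.310(a)(2)(ii) Facility Security Plan (A)
164.308(a)(4)(i) Information Access Management (S)
164.308(a)(1)(ii)(D) Information System Activity Review (R)
164.312(c)(1) Integrity (S)
164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Function (R)
164.308(a)(5)(ii)(C) Login Monitoring (A)
164.310(a)(2)(iv) Maintenance Records (A)
164.310(d)(2)(ii) Media Re-Use (R)
164.308(a)(5)(ii)(D) Password Management (A)
164.312(d) Person or Entity Authentication (S)
164.308(a)(5)(ii)(B) Protection from Malicious Software (A)
164.308(a)(6)(i) Security Incident Procedures (S)
164.308(a)(1)(i) Security Management Process (S)
164.308(a)(3)(ii)(C) Termination (A)
164.308(a)(7)(ii)(D) Testing and Revision (A)
164.308(a)(3)(ii)(B) Workforce Clearance (A)
164.308(a)(3)(i) Workforce Security (S)
164.310(b) Workstation Use (S)
"""

# Assumption added here (not on the slide): section -> safeguard family,
# following the structure of 45 CFR Part 164 Subpart C.
SAFEGUARD_FAMILY = {"164.308": "Administrative", "164.310": "Physical", "164.312": "Technical"}
CITATION_RE = re.compile(r"^(164\.\d{3}(?:\([^)]+\))+)\s+(.+?)\s+\(([SRA])\)$")


@dataclass(frozen=True)
class Procedure:
    citation: str
    name: str
    kind: str  # 'S' standard, 'R' required spec, 'A' addressable spec

    @property
    def family(self) -> str:
        return SAFEGUARD_FAMILY[self.citation[:7]]


def parse_procedures(text: str = REQUIRED_PROCEDURES) -> list:
    """One 'citation name (kind)' line per procedure; fail loudly on anything else."""
    procs = []
    for line in text.splitlines():
        m = CITATION_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable procedure line: {line!r}")
        procs.append(Procedure(*m.groups()))
    return procs


def soa_status(proc: Procedure, inventory: dict) -> str:
    # Status vocabulary is constructed for this example: 'implemented',
    # 'alternative' (documented equivalent measure), 'documented-n/a'.
    # Only addressable specs may be satisfied by the last two (164.306(d)).
    entry = inventory.get(proc.citation, "missing")
    if entry == "implemented":
        return "compliant"
    if proc.kind == "A" and entry in ("alternative", "documented-n/a"):
        return "compliant (addressable, documented)"
    return "gap"


def gap_report(inventory: dict, procs=None) -> dict:
    """Statement-of-applicability rows plus the counts a management review asks for."""
    procs = procs or parse_procedures()
    rows = [(p.citation, p.name, p.family, p.kind, soa_status(p, inventory)) for p in procs]
    gaps = [r for r in rows if r[4] == "gap"]
    return {"rows": rows, "gaps": gaps, "gap_count": len(gaps),
            "by_kind": Counter(p.kind for p in procs),
            "by_family": Counter(p.family for p in procs)}


# Constructed sample inventory (not from the slides). Disposal is (R), so an
# 'alternative' entry does not satisfy it and it stays a gap.
SAMPLE_INVENTORY = {
    "164.308(a)(7)(ii)(A)": "implemented",     # Data Backup Plan (R)
    "164.312(b)": "implemented",               # Audit Controls (S)
    "164.312(a)(2)(iii)": "alternative",       # Automatic Logoff (A)
    "164.308(a)(5)(ii)(C)": "documented-n/a",  # Login Monitoring (A)
    "164.310(d)(2)(i)": "alternative",         # Disposal (R): still a gap
}
```

Running `gap_report(SAMPLE_INVENTORY)` on the constructed inventory returns 30 gaps out of 34 procedures, with `by_kind` of 12 standards, 8 required and 14 addressable specifications and `by_family` of 19 administrative, 9 physical and 6 technical; the `rows` list is the raw material for the slide 20 procedure inventory, and the parser raising on a malformed line is deliberate, since a silently skipped citation is exactly the kind of gap an audit finds later.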