
Information Security and Legal Compliance

Module 12

Simplifying Security.

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Watchdog Reports: Security Catalysts?

May 19, 2011

The timing of two new watchdog reports that highlight the need to protect the security of electronic health records could help build momentum for action, some observers say.

This week's reports from the Department of Health and Human Services' Office of the Inspector General call for a ramping up of enforcement of the HIPAA Security Rule and the inclusion of more security requirements in the HITECH Act electronic health record incentive program (see: Watchdog Hits HHS on Records Security).

The HHS Office for Civil Rights, which enforces HIPAA, recently requested a 13.5 percent increase in its fiscal 2012 budget for, among other things, enforcement of the HIPAA Security Rule and compliance reviews of smaller breach incidents (see: More HIPAA Enforcement Funding Sought). "So it's timely to raise the issue of HIPAA enforcement in the middle of the budget discussions," says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.

http://www.govinfosecurity.com


Business Workshop: HITECH Ushers in Era of Higher Penalties Under HIPAA

Monday, May 23, 2011

Two recent cases suggest we have entered a new era of more stringent enforcement of HIPAA's privacy and security standards.

For the first time, the Office for Civil Rights (OCR) at the Department of Health and Human Services, which is charged with enforcing HIPAA's privacy and security standards, has imposed a civil money penalty under HIPAA, or the Health Insurance Portability and Accountability Act.

In a press release from February, OCR announced that Cignet Health of Maryland was fined a total of $4.3 million for ignoring requests for medical records from 41 individuals and for failing to cooperate with OCR's investigation of 27 related complaints.

Two days later, OCR announced a $1 million settlement with Massachusetts General Hospital after an employee left documents containing patients' health information on the subway. OCR's investigation indicated that the hospital "failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information."

http://www.postgazette.com


Module Objectives

HIPAA (Health Insurance Portability and Accountability Act)
HIPAA Checklist
FERPA (Family Educational Rights and Privacy Act)
FERPA Checklist
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS Checklist


Module Flow

Health Insurance Portability and Accountability Act (HIPAA)

Family Educational Rights and Privacy Act (FERPA)

Payment Card Industry Data Security Standard (PCI DSS)


HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is a security standard that provides physical, technical, and administrative safeguards to protect the integrity, availability, and confidentiality of health information.

The purpose of this security standard is to prevent the inappropriate use and disclosure of individuals' health information.

It imposes restrictions on organizations to protect health information and the systems that store, transmit, and process it.

Objectives of HIPAA

Group and Individual Insurance Reform: it allows for portability and continuity of health insurance and places limits on preexisting-condition exclusion provisions.

It reduces the potential for waste, fraud, and abuse.

New penalties and sanctions will be imposed.

It requires the application of uniform standards to electronic data transactions in a confidential and secure environment.

Its goal is to improve the effectiveness and efficiency of the health care system.


HIPAA Checklist

File Security

File cabinets or drawers storing patient records should be securely locked, or if possible, the room itself.

Restrict access to computer terminals to only authorized personnel and set up passcodes for electronic files.

Be alert to security lapses that might allow illegitimate users to access the records.

Education and Sanctions

The professional workforce should be trained in HIPAA requirements, both on and off the job.

Ensure that employees know about the sanctions they can expect for violating HIPAA restrictions.

Violators of HIPAA are punished to send a message to other employees that HIPAA is taken seriously within the organization.

Authorization Procedures

Ensure that only authorized personnel have access to HIPAA-protected information.

Review the file logs or computer records regularly to know how the authorization is used and to ensure that it is not abused.
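The last checklist item, reviewing access logs so that granted authorization is not abused, is the one that is easiest to automate. The following Python script is an added example, not part of the EC-Council material: it parses a constructed electronic health record (EHR) access log and applies three review rules that a compliance reviewer would typically run (a clinician opening the record of a patient they are not assigned to, non-clinical staff accessing records in the quiet hours, and one user viewing an unusually large number of distinct patients in a day). The log format, role names, treatment assignments and thresholds are all assumptions made for illustration.

```python
"""Added example (not EC-Council material): a periodic review of electronic
health record (EHR) access logs, as the HIPAA checklist item on reviewing file
logs recommends. The log format, role names, treatment assignments and
thresholds below are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp|user|role|patient_id|action
SAMPLE_LOG = """\
2011-05-19T09:12:03|nurse01|nurse|P1001|VIEW
2011-05-19T09:15:44|nurse01|nurse|P1002|VIEW
2011-05-19T10:02:51|dr_smith|physician|P1001|UPDATE
2011-05-19T10:03:12|dr_smith|physician|P1004|VIEW
2011-05-19T23:40:10|billing02|billing|P1003|VIEW
2011-05-19T11:00:00|clerk07|billing|P2001|VIEW
2011-05-19T11:00:05|clerk07|billing|P2002|VIEW
2011-05-19T11:00:09|clerk07|billing|P2003|VIEW
2011-05-19T11:00:14|clerk07|billing|P2004|VIEW
2011-05-19T11:00:20|clerk07|billing|P2005|VIEW
2011-05-19T11:00:25|clerk07|billing|P2006|VIEW
"""

# Constructed treatment relationships: the patients each clinician is assigned to.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "dr_smith": {"P1001"},
}

CLINICAL_ROLES = {"nurse", "physician"}


def parse_log(text):
    """Turn the pipe-delimited log into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def review_access_log(text, assignments, bulk_threshold=5,
                      quiet_start=20, quiet_end=6):
    """Return a list of findings, each a dict with rule, user and detail.

    Rule 1 (no_relationship): a clinician touched the record of a patient
           they are not assigned to.
    Rule 2 (after_hours): a non-clinical user accessed records during the
           quiet window, when billing and clerical work is not expected.
    Rule 3 (bulk_access): one user viewed more than bulk_threshold distinct
           patients in a single day, a common sign of snooping or export.
    """
    findings = []
    per_user_day = defaultdict(set)
    for r in parse_log(text):
        if r["role"] in CLINICAL_ROLES and r["patient"] not in assignments.get(r["user"], set()):
            findings.append({"rule": "no_relationship", "user": r["user"],
                             "detail": f"{r['action']} on {r['patient']} at {r['ts'].isoformat()}"})
        hour = r["ts"].hour
        if r["role"] not in CLINICAL_ROLES and (hour >= quiet_start or hour < quiet_end):
            findings.append({"rule": "after_hours", "user": r["user"],
                             "detail": f"{r['action']} on {r['patient']} at {r['ts'].isoformat()}"})
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > bulk_threshold:
            findings.append({"rule": "bulk_access", "user": user,
                             "detail": f"{len(patients)} distinct patients on {day}"})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, ASSIGNMENTS):
        print(f"{f['rule']:16} {f['user']:10} {f['detail']}")
```

On the constructed log the review produces three findings: dr_smith viewing P1004 with no treatment relationship, billing02 reading a record at 23:40, and clerk07 touching six distinct patients in one day. Each finding is a starting point for a human follow-up, not a verdict; the value of the exercise is that the review runs on a schedule rather than only after a complaint.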


FERPA (Family Educational Rights and Privacy Act)

The Family Educational Rights and Privacy Act (FERPA) of 1974, also known as the Buckley Amendment, is a federal law that is meant to protect the accuracy and privacy of student education records.

This law applies to all institutions that receive federal funding under programs directed by the Secretary of Education.

The rights given to students by FERPA regarding their educational records include:

Right to access educational records kept by the school
Right to demand that educational records be disclosed only with student permission
Right to amend educational records
Right to file complaints against the school for disclosing educational records in violation of FERPA
Right to know about the purpose, content, and location of information kept as a part of their educational records

FERPA gives certain rights to parents with respect to their children's educational records. The rights transfer to the student when he/she reaches the age of 18 or attends a school beyond the high school level.

Individual staff or faculty members' private notes, campus police records, medical records, and statistical data compilations that do not contain personally identifiable student information are not considered educational records under FERPA.


FERPA Checklist

Post grades using secure technology.

Do not discuss the progress of any student with anyone other than the student (including parents/guardians) without the consent of the student.

Ensure that confidential, non-directory, and sensitive student personal information is encrypted wherever it is stored, such as on laptops and thumb drives.

Do not provide anyone with lists of students enrolled in classes for any commercial purpose.

Do not use social security numbers for any purpose unless necessary. Replace them with UINs (Universal Identification Numbers).

Institutions must have written permission from the student to release any information from the student's educational record.

Do not leave graded tests or papers in a stack for students to pick up by sorting through the tests or papers of all students.

Only student directory information can be disclosed by institutions without the student's permission, not non-directory information.

Do not provide anyone with student schedules or assist anyone other than professional university employees in finding a student on campus.

Students should be notified about their rights under FERPA by institutions through annual publications.

Do not link the name of a student with that student's social security number or universal identification number (UIN) in any public manner.


PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines, measures, and controls that were established to help merchants implement strong security precautions to ensure safe credit card usage and secure information storage.

Businesses with a merchant identification that take credit card payments, whether online, over the phone, or using credit card machines or paper forms, need to comply with these standards, even if they use a payment service provider.

Objectives of PCI DSS include the following:

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy


PCI DSS Checklist

Install and maintain a firewall configuration to protect cardholder data.

Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect stored cardholder data.

Encrypt transmission of cardholder data across open, public networks.

Use and regularly update antivirus software.

Develop and maintain secure systems and applications.

Restrict access to cardholder data by business need to know.

Assign a unique ID to each person with computer access.

Restrict physical access to cardholder data.

Track and monitor all access to network resources and cardholder data.

Regularly test security systems and processes.

Maintain a policy that addresses information security.
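"Protect stored cardholder data" is a checklist item that is easy to state and hard to verify: primary account numbers (PANs) leak into order logs, support tickets and database exports long after the payment system itself has been hardened. The following Python script is an added example, not part of the EC-Council material, of the kind of discovery scan a merchant runs against its own stored data to find PANs in clear text. It combines a digit-run pattern with the Luhn checksum to keep false positives down, and reports only a masked form (first six and last four digits, the most PCI DSS permits to be displayed) so that the report does not become one more copy of cardholder data. The record format is constructed for illustration; the card numbers are the standard Visa and Mastercard test numbers, not real cards.

```python
"""Added example (not EC-Council material): scanning stored data for
unprotected primary account numbers (PANs), supporting the PCI DSS checklist
items "Protect stored cardholder data" and "Track and monitor all access to
cardholder data". The record format below is constructed for illustration;
the card numbers are the standard Visa/Mastercard test numbers, not real cards."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log excerpt: one raw PAN, one already-masked PAN, one 16-digit
# reference that fails Luhn, and one raw PAN written with spaces.
SAMPLE_RECORDS = """\
2011-05-23 10:14:02 order=88213 pan=4111111111111111 exp=09/13 amount=42.10
2011-05-23 10:15:30 order=88214 pan=411111******1111 amount=17.00
2011-05-23 10:16:11 order=88215 ref=1234567890123456 amount=5.00
2011-05-23 10:17:45 order=88216 pan=5500 0000 0000 0004 amount=99.99
"""


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, which filters out
    most order ids, timestamps and other digit runs of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits, the maximum PCI DSS
    allows to be displayed; everything in between is replaced."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unprotected_pans(text):
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in
    clear text. The raw PAN is never returned or printed, so the report
    itself does not become another copy of cardholder data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked in find_unprotected_pans(SAMPLE_RECORDS):
        print(f"line {lineno}: clear-text PAN {masked}")
```

On the constructed records the scan flags lines 1 and 4 (the raw Visa and the space-separated Mastercard number) and ignores the already-masked value on line 2 and the Luhn-invalid reference on line 3. In practice the same function is pointed at log directories, ticket exports and database dumps; every hit is either data that should have been tokenized or encrypted, or a store that should not hold cardholder data at all.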


Module Summary

HIPAA is a security standard that provides physical, technical, and administrative safeguards to protect the integrity, availability, and confidentiality of health information.

The purpose of HIPAA is to prevent the inappropriate use and disclosure of individuals' health information.

FERPA is a federal law that is meant to protect the accuracy and privacy of student education records.

PCI DSS is a set of guidelines, measures, and controls that were established to help merchants implement strong security precautions to ensure safe credit card usage and secure information storage.

Businesses with a merchant identification that take credit card payments, whether online, over the phone, or using credit card machines or paper forms, need to comply with the PCI DSS standards.
