Module 12: Compliance
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Watchdog Reports: Security Catalysts?
May 19, 2011
The timing of two new watchdog reports that highlight the need to protect the security of electronic health records could help build momentum for action, some observers say.
This week's reports from the Department of Health and Human Services' Office of the Inspector General call for a ramping up of enforcement of the HIPAA Security Rule and the inclusion of more security requirements in the HITECH Act electronic health record incentive program (see: Watchdog Hits HHS on Records Security).
The HHS Office for Civil Rights, which enforces HIPAA, recently requested a 13.5 percent increase in its fiscal 2012 budget for, among other things, enforcement of the HIPAA Security Rule and compliance reviews of smaller breach incidents (see: More HIPAA Enforcement Funding Sought). "So it's timely to raise the issue of HIPAA enforcement in the middle of the budget discussions," says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.
Source: http://www.govinfosecurity.com
Business Workshop: HITECH Ushers in Era of Higher Penalties Under HIPAA
Monday, May 23, 2011
Two recent cases suggest we have entered a new era of more stringent enforcement of HIPAA's privacy and security standards.
For the first time, the Office for Civil Rights (OCR) at the Department of Health and Human Services, which is charged with enforcing HIPAA's privacy and security standards, has imposed a civil money penalty under HIPAA, or the Health Insurance Portability and Accountability Act.
In a press release from February, OCR announced that Cignet Health of Maryland was fined a total of $4.3 million for ignoring requests for medical records from 41 individuals and for failing to cooperate with OCR's investigation of 27 related complaints.
Two days later, OCR announced a $1 million settlement with Massachusetts General Hospital after an employee left documents containing patients' health information on the subway. OCR's investigation indicated that the hospital "failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information."
Source: http://www.postgazette.com
Module Objectives
- HIPAA (Health Insurance Portability and Accountability Act)
- HIPAA Checklist
- FERPA (Family Educational Rights and Privacy Act)
- FERPA Checklist
- PCI DSS (Payment Card Industry Data Security Standard)
- PCI DSS Checklist
Module Flow
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Payment Card Industry Data Security Standard (PCI DSS)
Objectives of HIPAA
Group and Individual Insurance Reform
- It allows for portability and continuity of health insurance and places limits on preexisting-condition exclusion provisions
- It reduces the potential for waste, fraud, and abuse
- New penalties and sanctions will be imposed
- It requires the application of uniform standards to electronic data transactions in a confidential and secure environment
- Its goal is to improve the effectiveness and efficiency of the health care system
HIPAA Checklist
File Security
- File cabinets or drawers storing patient records should be securely locked, or, if possible, the room itself
- Restrict access to computer terminals to authorized personnel only and set up passcodes for electronic files
- Be alert to security lapses that might allow illegitimate users to access the records
Education and Sanctions
- The professional workforce should be trained in HIPAA requirements, both on and off the job
- Ensure that employees know about the sanctions they can expect for violating HIPAA restrictions
- Violators of HIPAA are punished to send a message to other employees that HIPAA is taken seriously within the organization
Authorization Procedures
- Ensure that only authorized personnel have access to HIPAA-protected information
- Review the file logs or computer records regularly to know how the authorization is used and to ensure that it is not abused
FERPA (Family Educational Rights and Privacy Act)
FERPA gives certain rights to parents with respect to their children's educational records. These rights transfer to the student when he/she reaches the age of 18 or attends a school beyond the high school level.
This law is applicable to all institutions that receive federal funds under programs directed by the Secretary of Education.
The rights given to students by FERPA regarding their educational records include:
- Right to access educational records kept by the school
- Right to demand that educational records be disclosed only with student permission
- Right to amend educational records
- Right to file complaints against the school for disclosing educational records in violation of FERPA
- Right to know about the purpose, content, and location of information kept as a part of their educational records
Individual staff or faculty members' private notes, campus police records, medical records, and statistical data compilations that do not contain personally identifiable student information are not considered educational records under FERPA.
FERPA Checklist
- Post grades using secure technology
- Do not discuss the progress of any student with anyone other than the student (including parents/guardians) without the consent of the student
- Ensure that confidential, non-directory, and sensitive student personal information is encrypted wherever it is stored, such as on laptops and thumb drives
- Do not provide anyone with lists of students enrolled in classes for any commercial purpose
- Do not use social security numbers for any purpose unless necessary; replace them with UINs (Universal Identification Numbers)
- Institutions must have written permission from the student to release any information from the student's educational record
- Do not leave graded tests or papers in a stack for students to pick up by sorting through the tests or papers of all students
- Only student directory information can be disclosed by institutions without the student's permission; non-directory information cannot
- Do not provide anyone with student schedules or assist anyone other than professional university employees in finding a student on campus
- Students should be notified about their rights under FERPA by institutions through annual publications
- Do not link the name of a student with that student's social security number or universal identification number (UIN) in any public manner
PCI DSS (Payment Card Industry Data Security Standard)
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
PCI DSS Checklist
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Module Summary
- HIPAA is a security standard that provides physical, technical, and administrative safeguards to protect the integrity, availability, and confidentiality of health information
- The purpose of HIPAA is to prevent the inappropriate use and disclosure of individuals' health information
- FERPA is a federal law that is meant to protect the accuracy and privacy of student education records
- PCI DSS is a set of guidelines, measures, and controls established to assist merchants in implementing strong security precautions to ensure safe credit card usage and secure information storage
- Businesses with merchant identification that take credit card payments, whether online, over the phone, or using credit card machines or paper forms, need to comply with PCI DSS standards