Presented by:
About Redspin
Penetration Testing
- External Infrastructure
- Internal Infrastructure
- Web Applications
IT Security Controls
- HIPAA
- FFIEC/GLBA
- PCI
- NERC
Social Engineering
Why now?
- Meaningful use core objective (protecting ePHI)
- HIPAA Compliance
- Risk management
Flexibility on RA Approach
- The Security Rule does not prescribe a specific risk analysis methodology.
- Methods will vary depending on the size, complexity, and capabilities of the organization.
- There are numerous methods of performing risk analysis.
- There is no single method or 'best practice' that guarantees compliance with the Security Rule.
Guidance on Risk Analysis Requirements under the HIPAA Security Rule, July 14, 2010 - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Expected Outcomes
- IT transparency
- Executive understanding of the current state of security
- Prioritized view of risk
- Provide the data needed to create an IT action plan
Source: ISO 27001, NIST SP 800-39, PCI DSS, FFIEC, COBIT, HIPAA - Administrative Safeguards (164.308), ...
Risk Analysis
Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.
Budget
Variables
- Depends on complexity, satellite locations
- Web application and network penetration testing
- Social engineering
- Business associate risk
What is needed for analysis?
- Liaison
- ePHI inventory
- Critical business associates
- ISO (person responsible for security)
- Security policy
- Documentation (whatever is available)
  - Network diagrams, audit results, system docs
Pitfall 1
Pitfall 2
Pitfall 3
Pitfall 4
Pitfall 5
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.