HIPAA Security
A Management System Approach

Dan Wallace
dwallace@growforwardllc.com



Agenda

1) The Need for Security Awareness Programs
2) Security Awareness as a Product
3) Phase 1 – Identify Target Audiences and Product
4) Phase 2 – Identify Product Distribution Methods
5) Phase 3 – Obtain Management Support
6) Phase 4 – Product Launch
7) Phase 5 – Effectiveness Assessment
8) Ongoing Enhancements
9) Ideas for Customized Campaigns




                  HIPAA Security Compliance Framework




Introduction to Management Systems




Management System Overview

A management system is a mechanism to establish policy and objectives and to put in place the means to achieve those objectives.

Management systems are used by organizations to develop policies and to put these into effect via objectives and targets using:
    –   Organizational structure
    –   Systematic procedures
    –   Measurement and evaluation
    –   Quality control and continuous improvement

Structure, procedures and measurement are required by the HIPAA security regulation.

Elements of a Management System

    –   Planning – identification of needs, resources, structure, responsibilities
    –   Policy – demonstration of commitment and principles for action
    –   Implementation and operation – awareness building and training
    –   Performance assessment – monitoring and measuring, handling non-conformities, audits
    –   Improvement – corrective and preventive action, continual improvement
    –   Management review – oversight, governance and compliance





Information Security Management System

ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

The design and implementation of the ISMS is influenced by business needs and objectives, the resulting security requirements, the processes employed, and the size and structure of the organization.

The ISMS and the supporting systems are designed to change when necessary.





Management System Documentation

Management framework policies relating to BS 7799-2 Clause 4 are documented in four levels:

Level 1 – Security Manual: policy, scope, risk assessment, statement of applicability
Level 2 – Procedures: define processes – who, what, when, where
Level 3 – Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
Level 4 – Records: provide objective evidence of compliance to HIPAA security requirements, and are required by BS 7799 clause 3.6








HIPAA Security Framework




The Framework

Phase 1 – Plan the Project
    Output: Project Charter
Phase 2 – Develop Policies (input: ISO/IEC 17799)
    Output: Policies, Standards, Procedures
Phase 3 – Assess Risk (inputs: threats, vulnerabilities and impacts; Phase 1 and 2 outputs)
    Output: Phase 3 outputs (risk analysis)
Phase 4 – Manage Risk (inputs: risk tolerance, degree of compliance; Phase 3 outputs)
    Output: Selected Controls
Phase 5 – Implement Controls (input: remediation plans)
    Output: Implemented Controls
Phase 6 – Compliance (inputs: control objectives, implemented controls)
    Output: Compliance Guide

Phases 3 and 4 use the OCTAVE method.

Phase One: Project Planning

    –   Gain an understanding of the organization and technology environment
    –   Establish the objectives of the management system
    –   Develop the project charter document
    –   Roll out the methodology and obtain buy-in
    –   Develop detailed project plans
    –   Address budget issues
    –   Obtain resource commitments





Phase Two: Policy Development

POLICY DEFINITION: Develop a custom security policy document, based on ISO/IEC 17799, that is driven by business/clinical need and prescribes management direction in meeting HIPAA security compliance objectives.

STANDARDS & PROCEDURE DEVELOPMENT: Each functional area or department develops the means to implement and enforce management's policies.




Policy Definition & Standard Development Process

1. Determine Policy Requirements
   •   Kickoff
   •   Interview key personnel
   •   Interview IT & security
   •   Checkpoint
2. Identify Current Policies
   •   Review existing policies
   •   Review details of incidents
3. Map Current to Required
   •   Review HIPAA Security Regs
   •   Review ISO/IEC 17799
4. Analyze Gaps
   •   Identify gaps
   •   Identify new areas
   •   Assign policy ownership
   •   Consolidate findings
5. Develop Required Policies
   •   Kickoff
   •   User training

Policy development tasks are the same for both policy definition and standards development.







Procedure Development

A procedure is the organization of people, equipment, energy, procedures and material into the work activities needed to produce a specified end result (work product).

Procedures are a sequence of repeatable activities that have measurable inputs, value-add activities and measurable outputs.

Procedures have a functional focus as opposed to an organizational focus, must have a specified owner, and use Critical Success Factors (CSF) to help focus process execution and maximize improvement efforts.

Each functional area develops its own procedures consistent with policies. Methods for procedure development will vary; however, management may elect to issue guidance on the form and format of documented procedures.
Required Procedures

Each entry gives the 45 CFR citation, the procedure, and its type: (S) = standard, (R) = required implementation specification, (A) = addressable implementation specification.

164.308(a)(4)(ii)(B)   Access Authorization (A)
164.310(a)(2)(iii)     Access Control and Validation (A)
164.312(a)(1)          Access Controls (S)
164.308(a)(4)(ii)(C)   Access Establishment and Modification (A)
164.312(b)             Audit Controls (S)
164.308(a)(3)(ii)(A)   Authorization and/or Supervision (A)
164.312(a)(2)(iii)     Automatic Logoff (A)
164.310(a)(2)(i)       Contingency Operations (A)
164.308(a)(7)(i)       Contingency Plan (S)
164.308(a)(7)(ii)(A)   Data Backup Plan (R)
164.310(d)(1)          Device and Media Controls (S)
164.308(a)(7)(ii)(B)   Disaster Recovery Plan (R)
164.310(d)(2)(i)       Disposal (R)
164.312(a)(2)(ii)      Emergency Access (R)
164.308(a)(7)(ii)(C)   Emergency Mode Operation Plan (R)
164.310(a)(1)          Facility Access Controls (S)
164.310(a)(2)(ii)      Facility Security Plan (A)
164.308(a)(4)(i)       Information Access Management (S)
164.308(a)(1)(ii)(D)   Information System Activity Review (R)
164.312(c)(1)          Integrity (S)
164.308(a)(4)(ii)(A)   Isolating Health Care Clearinghouse Function (R)
164.308(a)(5)(ii)(C)   Login Monitoring (A)
164.310(a)(2)(iv)      Maintenance Records (A)
164.310(d)(2)(ii)      Media Re-Use (R)
164.308(a)(5)(ii)(D)   Password Management (A)
164.312(d)             Person or Entity Authentication (S)
164.308(a)(5)(ii)(B)   Protection from Malicious Software (A)
164.308(a)(6)(i)       Security Incident Procedures (S)
164.308(a)(1)(i)       Security Management Process (S)
164.308(a)(3)(ii)(C)   Termination (A)
164.308(a)(7)(ii)(D)   Testing and Revision (A)
164.308(a)(3)(ii)(B)   Workforce Clearance (A)
164.308(a)(3)(i)       Workforce Security (S)
164.310(b)             Workstation Use (S)
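The gap analysis of Phase Two ("map current to required", "analyze gaps") and the statement of applicability of Phase Six can be driven directly from the list above. The following script is an added example, not part of the original deck: it parses lines in the slide's own "citation   name (type)" format, groups them by safeguard section (164.308 administrative, 164.310 physical, 164.312 technical), and joins them against a constructed procedure inventory. It assumes the HIPAA rule that standards and (R) specifications must be implemented, while an (A) specification may instead carry a documented rationale and alternative measure (45 CFR 164.306(d)(3)); a missing rationale is treated as a gap.

```python
"""Gap analysis over the HIPAA Security Rule procedure list (added example)."""
import re
from collections import defaultdict

# Subset of the slide's required-procedures list, in its original line format.
# The parser handles the full list unchanged; only a subset is embedded here.
REQUIRED_PROCEDURES = """\
164.308(a)(4)(ii)(B)   Access Authorization (A)
164.310(a)(2)(iii)     Access Control and Validation (A)
164.312(a)(1)          Access Controls (S)
164.312(b)             Audit Controls (S)
164.308(a)(7)(ii)(A)   Data Backup Plan (R)
164.310(d)(2)(i)       Disposal (R)
164.312(a)(2)(ii)      Emergency Access (R)
164.308(a)(5)(ii)(D)   Password Management (A)
164.308(a)(6)(i)       Security Incident Procedures (S)
164.310(b)             Workstation Use (S)
"""

# citation = "164.NNN" plus any parenthesised sub-paragraphs; type is S, R or A.
LINE_RE = re.compile(r"^(164\.(\d{3})\S*)\s+(.+?)\s+\((S|R|A)\)\s*$")

# 45 CFR 164.308 / 164.310 / 164.312 are the administrative, physical and
# technical safeguards respectively.
SAFEGUARD = {"308": "Administrative", "310": "Physical", "312": "Technical"}


def parse_required(text):
    """Return a list of dicts: citation, safeguard, name, spec ('S'/'R'/'A')."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        citation, section, name, spec = m.groups()
        items.append({"citation": citation, "safeguard": SAFEGUARD[section],
                      "name": name, "spec": spec})
    return items


def analyze_gaps(required, inventory):
    """Join the required list against a procedure inventory.

    inventory maps citation -> {"status": "implemented"|"alternative"|"missing",
                                "rationale": str}
    Returns {safeguard: [(citation, name, spec, verdict), ...]}.
    """
    report = defaultdict(list)
    for item in required:
        entry = inventory.get(item["citation"], {"status": "missing", "rationale": ""})
        status, rationale = entry["status"], entry.get("rationale", "")
        if status == "implemented":
            verdict = "ok"
        elif item["spec"] in ("S", "R"):
            # Standards and required specs have no alternative path.
            verdict = "gap: must implement"
        elif status == "alternative" and rationale.strip():
            # Addressable spec satisfied by a documented alternative.
            verdict = "ok: addressable, alternative documented"
        else:
            verdict = "gap: addressable, implement or document rationale"
        report[item["safeguard"]].append((item["citation"], item["name"], item["spec"], verdict))
    return dict(report)


def count_gaps(report):
    """Number of rows whose verdict starts with 'gap'."""
    return sum(1 for rows in report.values() for row in rows if row[3].startswith("gap"))


# Constructed sample inventory (hypothetical; not from the slides).
SAMPLE_INVENTORY = {
    "164.308(a)(4)(ii)(B)": {"status": "implemented", "rationale": ""},
    "164.312(a)(1)":        {"status": "implemented", "rationale": ""},
    "164.312(b)":           {"status": "implemented", "rationale": ""},
    "164.308(a)(7)(ii)(A)": {"status": "implemented", "rationale": ""},
    "164.308(a)(5)(ii)(D)": {"status": "alternative",
                             "rationale": "SSO with hardware tokens; no local passwords"},
    "164.310(a)(2)(iii)":   {"status": "alternative", "rationale": ""},  # rationale missing
    "164.312(a)(2)(ii)":    {"status": "missing", "rationale": ""},
}

if __name__ == "__main__":
    rep = analyze_gaps(parse_required(REQUIRED_PROCEDURES), SAMPLE_INVENTORY)
    for safeguard, rows in rep.items():
        print(f"== {safeguard} safeguards ==")
        for citation, name, spec, verdict in rows:
            print(f"{citation:<24} {name:<32} ({spec}) {verdict}")
    print("open gaps:", count_gaps(rep))
```

The per-safeguard rows are the raw material for the Phase Six statement of applicability; the "alternative documented" rows are the ones an auditor will ask to see the rationale for.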



Phase Three: Risk Assessment
Overview of the OCTAVE Process

OCTAVE PROCESS: a progressive series of self-directed workshops that results in an in-depth security analysis of business and computing infrastructure elements.

Phase Three: Risk Assessment

PREPARATION: Define the scope of the risk assessment, select analysis teams, method orientation, schedule workshops.

PHASE ONE (BUILD ASSET-BASED THREAT PROFILES): An organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets.

PHASE TWO (IDENTIFY INFRASTRUCTURE VULNERABILITIES): An evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.
Phase Four: Risk Management and Remediation

PHASE THREE (DEVELOP SECURITY STRATEGY AND PLANS): The analysis team identifies risks to the organization's critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.





Risk Assessment & Management




Phase Five: Implement Control Objectives and Controls





Phase Six: Prepare the Statement of Applicability

COMPLIANCE DOCUMENT: Written evidence of the actions taken in the first five phases with regard to HIPAA compliance.

MANAGEMENT FRAMEWORK SUMMARY: A synopsis of the entire information security management framework, including the policy, control objectives and implemented controls.

PROCEDURE INVENTORY: A catalogue of procedures implemented to support the management framework, including responsibilities and relevant actions.

MANAGEMENT SYSTEM PROCEDURES: Administrative procedures covering the operation and management of the management system, including responsibilities.
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 

Dernier (20)

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 

A project approach to HIPAA

  • 1. HIPAA Security: A Management System Approach. Dan Wallace, dwallace@growforwardllc.com
  • 2. Agenda
    1) The Need for Security Awareness Programs
    2) Security Awareness as a Product
    3) Phase 1 – Identify Target Audiences and Product
    4) Phase 2 – Identify Product Distribution Methods
    5) Phase 3 – Obtain Management Support
    6) Phase 4 – Product Launch
    7) Phase 5 – Effectiveness Assessment
    8) Ongoing Enhancements
    9) Ideas for Customized Campaigns
    HIPAA Security Compliance Framework
  • 3. Introduction to Management Systems
  • 4. Management System Overview
    A management system is a mechanism to establish policy and objectives and to put in place the means to achieve those objectives. Management systems are used by organizations to develop policies and to put these into effect via objectives and targets using:
    – Organizational structure
    – Systematic procedures
    – Measurement and evaluation
    – Quality control and continuous improvement
    Structure, procedures and measurement are required by the HIPAA security regulation.
  • 5. Elements of a Management System
    – Planning: identification of needs, resources, structure, responsibilities
    – Policy: demonstration of commitment and principles for action
    – Implementation and operation: awareness building and training
    – Performance assessment: monitoring and measuring, handling non-conformities, audits
    – Improvement: corrective and preventive action, continual improvement
    – Management review: oversight, governance and compliance
  • 6. Information Security Management System
    ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The design and implementation of the ISMS is influenced by business needs and objectives, the resulting security requirements, the processes employed, and the size and structure of the organization. The ISMS and the supporting systems are designed to change when necessary.
  • 7. Management System Documentation (four-level document pyramid; the management framework policies relate to BS 7799-2 Clause 4)
    – Level 1, Security Manual: policy, scope, risk assessment, statement of applicability
    – Level 2, Procedures: define processes, i.e. who, what, when, where
    – Level 3, Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
    – Level 4, Records: provide objective evidence of compliance with HIPAA security requirements; required by BS 7799 clause 3.6
  • 8. HIPAA Security Framework (diagram slide)
  • 9. The Framework (diagram: each phase with its inputs and outputs)
    – Phase 1, Plan the Project: project charter
    – Phase 2, Develop Policies: policies, standards, procedures; ISO/IEC 17799
    – Phase 3, Assess Risk: Phase 1 and 2 outputs; threats, vulnerabilities and impacts; OCTAVE
    – Phase 4, Manage Risk: Phase 3 outputs; risk tolerance; degree of compliance
    – Phase 5, Implement Controls: selected controls; remediation plans
    – Phase 6, Guide Compliance: control objectives; implemented controls; compliance
  • 10. Phase One: Project Planning
    – Gain an understanding of the organization and technology environment
    – Establish the objectives of the management system
    – Develop project charter document
    – Roll out methodology and obtain buy-in
    – Develop detailed project plans
    – Address budget issues
    – Obtain resource commitments
  • 11. Phase Two: Policy Development
    POLICY DEFINITION: Develop a custom security policy document, based on ISO/IEC 17799, that is driven by business/clinical need and prescribes management direction in meeting HIPAA security compliance objectives.
    STANDARDS & PROCEDURE DEVELOPMENT: Each functional area or department develops the means to implement and enforce management's policies.
  • 12. Policy Definition & Standard Development Process (diagram: five steps and their tasks)
    – Determine Current Policies: kickoff; review existing policies; interview key personnel; interview IT & security; consolidate findings
    – Identify Required Policies: review HIPAA security regulations; review ISO/IEC 17799; review details of incidents
    – Map Current to Required
    – Analyze Gaps: identify gaps; identify new areas; assign policy ownership
    – Develop Policy Requirements: kickoff; user training; checkpoint
    Policy development tasks are the same for both policy definition and standards development.
  • 13. Procedure Development
    A procedure is the organization of people, equipment, energy, procedures and material into the work activities needed to produce a specified end result (work product). Procedures are a sequence of repeatable activities that have measurable inputs, value-add activities and measurable outputs. Procedures have a functional focus as opposed to an organizational focus, must have a specified owner, and use Critical Success Factors (CSF) to help focus process execution and maximize improvement efforts. Each functional area develops its own procedures consistent with policies. Methods for procedure development will vary; however, management may elect to issue guidance on the form and format of documented procedures.
  • 14. Required Procedures (citation, procedure, type: (S) standard, (R) required implementation specification, (A) addressable implementation specification)
    – 164.308(a)(4)(ii)(B) Access Authorization (A)
    – 164.310(a)(2)(iii) Access Control and Validation (A)
    – 164.312(a)(1) Access Controls (S)
    – 164.308(a)(4)(ii)(C) Access Establishment and Modification (A)
    – 164.312(b) Audit Controls (S)
    – 164.308(a)(3)(ii)(A) Authorization and/or Supervision (A)
    – 164.312(a)(2)(iii) Automatic Logoff (A)
    – 164.310(a)(2)(i) Contingency Operations (A)
    – 164.308(a)(7)(i) Contingency Plan (S)
    – 164.308(a)(7)(ii)(A) Data Backup Plan (R)
    – 164.310(d)(1) Device and Media Controls (S)
    – 164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
    – 164.310(d)(2)(i) Disposal (R)
    – 164.312(a)(2)(ii) Emergency Access (R)
    – 164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
    – 164.310(a)(1) Facility Access Controls (S)
    – 164.310(a)(2)(ii) Facility Security Plan (A)
    – 164.308(a)(4)(i) Information Access Management (S)
    – 164.308(a)(1)(ii)(D) Information System Activity Review (R)
    – 164.312(c)(1) Integrity (S)
    – 164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Function (R)
    – 164.308(a)(5)(ii)(C) Login Monitoring (A)
    – 164.310(a)(2)(iv) Maintenance Records (A)
    – 164.310(d)(2)(ii) Media Re-Use (R)
    – 164.308(a)(5)(ii)(D) Password Management (A)
    – 164.312(d) Person or Entity Authentication (S)
    – 164.308(a)(5)(ii)(B) Protection from Malicious Software (A)
    – 164.308(a)(6)(i) Security Incident Procedures (S)
    – 164.308(a)(1)(i) Security Management Process (S)
    – 164.308(a)(3)(ii)(C) Termination (A)
    – 164.308(a)(7)(ii)(D) Testing and Revision (A)
    – 164.308(a)(3)(ii)(B) Workforce Clearance (A)
    – 164.308(a)(3)(i) Workforce Security (S)
    – 164.310(b) Workstation Use (S)
  • 15. Phase Three: Risk Assessment. Overview of the OCTAVE Process
    OCTAVE PROCESS: a progressive series of self-directed workshops that results in an in-depth security analysis of business and computing infrastructure elements.
  • 16. Phase Three: Risk Assessment
    PREPARATION: define the scope of the risk assessment, select analysis teams, conduct method orientation, schedule workshops.
    PHASE ONE: BUILD ASSET-BASED THREAT PROFILES. An organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets.
    PHASE TWO: IDENTIFY INFRASTRUCTURE VULNERABILITIES. An evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.
  • 17. Phase Four: Risk Management and Remediation
    PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization's critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
  • 18. Risk Assessment & Management (diagram slide)
  • 19. Phase Five: Implement Control Objectives and Controls
    PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization's critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
  • 20. Phase Six: Prepare the Statement of Applicability
    COMPLIANCE DOCUMENT: written evidence of the actions taken in the first five phases with regard to HIPAA compliance.
    MANAGEMENT FRAMEWORK SUMMARY: a synopsis of the entire information security management framework, including the policy, control objectives and implemented controls.
    PROCEDURE INVENTORY: a catalogue of procedures implemented to support the management framework, including responsibilities and relevant actions.
    MANAGEMENT SYSTEM PROCEDURES: administrative procedures covering the operation and management of the management system, including responsibilities.
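The map-current-to-required and gap-analysis steps of slide 12, run over a subset of the slide 14 procedure list to produce rows for the slide 20 statement of applicability, as an added example that is not part of the deck. The current-state inventory, owners, document IDs and the exception rationale are constructed placeholders; the (S)/(R)/(A) handling follows the HIPAA rule that an addressable specification may be left unimplemented only with a documented reason.

```python
from dataclasses import dataclass

# Subset of slide 14 "Required Procedures": (S) standard, (R) required, (A) addressable.
REQUIRED = [
    ("164.308(a)(1)(i)", "Security Management Process", "S"),
    ("164.308(a)(1)(ii)(D)", "Information System Activity Review", "R"),
    ("164.308(a)(5)(ii)(C)", "Login Monitoring", "A"),
    ("164.308(a)(7)(ii)(A)", "Data Backup Plan", "R"),
    ("164.312(a)(2)(iii)", "Automatic Logoff", "A"),
    ("164.312(b)", "Audit Controls", "S"),
]
# Constructed inventory of current procedures (owners, document IDs and rationale are
# placeholders). Owner and document are what slide 13 requires of every procedure.
CURRENT = {
    "164.308(a)(1)(i)": {"owner": "CISO", "document": "SEC-001"},
    "164.308(a)(1)(ii)(D)": {"owner": "SOC lead", "document": "SEC-014"},
    "164.308(a)(7)(ii)(A)": {"owner": "", "document": "DRAFT"},
    "164.312(a)(2)(iii)": {"rationale": "workstations lock on badge removal; SEC-030"},
}

@dataclass
class Finding:
    citation: str
    name: str
    kind: str    # "S", "R" or "A"
    status: str  # "implemented", "documented-exception" or "gap"
    action: str = ""

def assess(required=REQUIRED, current=CURRENT):
    """Map current procedures to required ones and classify each (slide 12)."""
    findings = []
    for citation, name, kind in required:
        entry = current.get(citation, {})
        if entry.get("owner") and entry.get("document"):
            findings.append(Finding(citation, name, kind, "implemented"))
        elif kind == "A" and entry.get("rationale"):
            # Addressable spec: acceptable only because the reason not to implement is recorded.
            findings.append(Finding(citation, name, kind, "documented-exception",
                                    "revisit rationale at management review"))
        elif entry:  # procedure exists but lacks an owner or a finished document
            findings.append(Finding(citation, name, kind, "gap", "assign owner, finish document"))
        else:
            need = "implement or document why not" if kind == "A" else "implement"
            findings.append(Finding(citation, name, kind, "gap", need))
    return findings

def gaps(findings):
    """Open gaps, standards and required specs before addressable ones."""
    return sorted((f for f in findings if f.status == "gap"),
                  key=lambda f: (f.kind == "A", f.citation))

def statement_of_applicability(findings):
    """One row per requirement for the slide 20 compliance document."""
    return "\n".join(f"{f.citation:<22} {f.name:<36} ({f.kind}) {f.status}"
                     + (f": {f.action}" if f.action else "") for f in findings)
```

Printing `statement_of_applicability(assess())` gives one line per requirement, with the three open gaps ordered so the required and standard items come before the addressable one.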