Copyright 2001 The Marblehead Group

Slide 1: Healthcare and New Federal Security Protections (HIPAA)

Slide 2: Contact info
- Kate Borten, CISSP
- President, The Marblehead Group
- One Martin Terrace, Marblehead, MA 01945
- Tel: 781 639-0532
- Fax: 781 639-0562

Slide 3: Agenda
- HIPAA: What? When? Why?
- HIPAA's Security and Privacy Rules
- Implications for vendors and products
  - Business contracts
  - Technical features
- Healthcare Resources

Slide 4: HIPAA

Slide 5: HIPAA
- Health Insurance Portability and Accountability Act of 1996
- aka the Kennedy-Kassebaum bill
- To assure health insurance after leaving job (“insurance portability”)
- Congress added “Administrative Simplification”
- /admnsimp
- POW!

Slide 6: “Administrative Simplification”
- Goal: Save money
- Means: Standard electronic transactions
  - Standard record formats, code sets, and identifiers
  - For common transactions such as enrollment, claims, remittance, eligibility, and referrals
- Compliance date: October 2002

Slide 7: Downside to Electronic Standardization
- Increased risk to information security and patient privacy
- So Congress added HIPAA requirements
  - US Dept. of Health and Human Services (HHS) to develop security regulations
  - Congress to pass health privacy law (but they missed their deadline in 1999, so HHS wrote privacy regulations)

Slide 8: “Security” vs. “Privacy”
- Security = Assurance of Confidentiality, Integrity, and Availability
- Privacy = a personal “right” (we'd like to think) to control info about oneself
- Organizations have formal infosec programs in order to assure patients' or members' privacy
- No privacy without security!

Slide 9: Fair Information Practices
- When you think privacy, think Fair Info Practices (HHS Sec'y Shalala):
  - Security (obligation to protect)
  - Boundaries (limit use of info)
  - Consumer Control (right to copy, correct, review audit trail...)
  - Accountability (penalties)
  - Public Responsibility (balance public good vs. individual privacy rights)

Slide 10: Scope: Who's Covered
- Rules apply directly to health care plans, providers, and clearinghouses - called “covered entities”
- Rules apply only indirectly to “business associates” of those covered (until a broader privacy law is passed)
- Rules do not apply to life insurers, workers' comp, etc. (until a broader privacy law is passed)

Slide 11: Scope: What's Covered
- Privacy Rule covers all individually-identifiable health data in any form
  - includes demographic data, even if in public realm
  - includes data unless thoroughly de-identified
- Proposed Security Rule covers subset of above - only electronic data

Slide 12: Compliance Deadlines
- Privacy Rule compliance date: Feb. 26, 2003 (for all but smallest plans which have until 2004)
- Expect Security Rule compliance date shortly thereafter

Slide 13: Why Comply? Penalties!
- Civil penalty for “failure to comply”: up to $100/person/violation; maximum of $25,000/person/violation/year (can add up!)
- Criminal penalties for “wrongful disclosure” “knowingly and in violation of HIPAA”
  - up to $50,000 and/or 1 year prison for knowing misuse
  - up to $100,000 and/or 5 years prison when under false pretenses
  - up to $250,000 and/or 10 years prison when intent to sell, use for personal gain or commercial advantage, malicious harm

Slide 14: Why Comply?
- HIPAA penalties for health plans, providers, and clearinghouses only
- But their “business associates” will be bound by contract (indemnified?)
- Vendors could be out of business if their products don't meet basic requirements!

Slide 15: Security & Privacy Rules

Slide 16: Patient Rights
- Receive copy of own record
- Request record amendment/correction
- Voluntarily authorize and revoke secondary uses of own data
- Receive report of certain disclosures
- Receive Notice of Privacy Practices of non-compliance

Slide 17: Privacy Rule Requirements
- Security safeguards
- Privacy Officer
- Use/disclosure policies and procedures
  - when OK, when not, when authorization req'd, etc.
  - de-identification; minimum necessary data
  - verification of requestor identity, authority
- Audit/reporting of secondary disclosures
- Workforce training and certification
- Stringent business contracts
- Sanctions
- Notice of Privacy Practices

Slide 18: Security Rule Requirements
- A comprehensive, formal infosec program:
  - “Administrative Procedures”
    - Policies
    - Procedures
    - Education of workforce
  - Physical Safeguards
  - Technical controls
  - Information Security Officer

Slide 19: “Administrative Procedures”
- Certification
- Chain-of-trust partner agreement
- Contingency plan
- Record processing controls
- Access controls
- Auditing
- Personnel security
- Configuration mgmt
- Security incident procedures
- Security mgmt process
- Termination process
- Training

Slide 20: Physical Safeguards
- Media controls
- Physical access controls
- Workstation use policy, guidelines
- Secure workstation location/position
- Security awareness training

Slide 21: Technical Controls
- Access controls
- Audit controls
- Authorization controls
- Data “authentication” (integrity)
- Entity authentication
- Event reporting, alarms

Slide 22: Implications for Vendors and Products

Slide 23: Business Associate Contracts
- Applies to business associates (BA) who may have access to patient-identifiable data, even inadvertently
- Healthcare organization may terminate
- Contracts likely to require BA to have appropriate infosec programs
- BA required to
  - report breach/improper disclosure
  - audit certain re-disclosures
  - permit access by Sec'y of HHS

Slide 24: Explicit Technical Requirements
- Identification - unique userIDs
- Authentication - Password or PIN or token or smartcard or biometric (or call-back?)
  - If over “open” network (at least the Net), must be “irrefutable” (2-factor)

Slide 25: Explicit Technical Requirements
- Authorization - at least necessary level
  - Role- or user-based
  - Optionally modified by location, by date/time
- Organization must be able to periodically review who has access and with what privileges, so systems must be able to provide reports

Slide 26: Explicit Technical Requirements
- Automatic logoff (inactivity timeout) to “cause electronic session to terminate” (i.e., not suspend)
- (Healthcare organizations will look for intelligent implementation - preferably allowing variable timeouts based on different risks in different environments. Ex: Emergency room 2 mins vs. private office 180 mins)

Slide 27: Explicit Technical Requirements
- Data integrity
- Suggested mechanisms include
  - check sums
  - double keying
  - message authentication code
  - digital signature (providing message hash...)
- (Healthcare organizations may look more closely at software edits. Implement “double keying” in s/w for critical fields?)

Slide 28: Explicit Technical Requirements
- Protections for data in transit
  - Integrity controls
  - Message authentication
  - Access controls and/or encryption

Slide 29: Explicit Technical Requirements
- Plus, when in transit over “open” networks
  - Alarms (“signal of abnormality”)
  - Audit trails
  - Entity authentication
  - Event reporting (of “operational irregularities in physical elements of network ... or response to occurrence of a significant task, e.g., completion of request for information”)
  - Encryption

Slide 30: Use Standards Wherever You Can Find Them!
- HCFA Internet Security Policy (1998)
- Intended for HCFA, but expected to meet HIPAA: minimum encryption standards -
  - Symmetric: 3DES with 112 bit key
  - Asymmetric: RSA-type with 1024 bit key
  - Elliptic Curve: 160 bit key
  - (Assume AES also acceptable)
- Common examples: SSL (3.0+); S-MIME

Slide 31: Explicit Technical Requirements
- Secure remote access
- Protection of “remote access points” and “external electronic communications”
- (HIPAA leaves it up to the organization to figure out what this means! But HIPAA does expect firewalls.)

Slide 32: Explicit Technical Requirements
- Security event auditing
- HIPAA non-specific, but gives example of logon attempts
- (Healthcare organizations will want to audit security parameter changes, security-related events, other suspicious or unusual activity. Will need tools to do this.)

Slide 33: Explicit Technical Requirements
- Security event auditing (cont'd)
- Security Rule implies also auditing at the patient level, i.e., internal to the application
- (This level of audit is not uncommon in healthcare as a deterrent to “snooping” and includes read-only access. Requires good tools for reviewing audit log to identify inappropriate patient access.)

Slide 34: Explicit Technical Requirements
- System (and network if applicable) certification
- Can be done internally or externally
- (Healthcare organizations will look for guidance on secure configuration of each platform, database, application.)

Slide 35: Explicit Technical Requirements
- Disaster recovery/business continuity plan
  - Hardware/software inventory and criticality analysis
  - Backups/restores
  - Plan tested regularly
- Virus protection

Slide 36: Optional or Implicit Technical Requirements
- De-identification of data
- Audit of some disclosures
- Limiting access by reason, and depending on voluntary patient authorization
- Amendment of records

Slide 37: Implicit Technical Controls
- Even though HIPAA doesn't discuss password features, they should be considered implicitly required, e.g.:
  - Password minimum length control
  - Password aging
  - Password encrypted and never displayed in clear text
- Many other security features aren't mentioned, but should be available

Slide 38: Healthcare Resources

Slide 39: “Common Criteria”
- Applying ISO standards to healt
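The data-integrity mechanisms on slide 27 (check sums, double keying, message authentication code) differ in what they protect against. This added Python example, not part of the presentation, compares a keyless check sum with a keyed MAC over a constructed claims record and adds a double-keying check for a critical field; the record's field names and the key are assumptions.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample claims record (hypothetical field names, not from the presentation).
RECORD = {"claim_id": "C-0001", "patient_id": "P-1234", "amount_cents": 125000, "cpt": "99213"}

def canonical(record: dict) -> bytes:
    # Stable serialization so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record: dict) -> int:
    # CRC-32 check sum: catches accidental corruption and needs no key.
    return zlib.crc32(canonical(record))

def mac(record: dict, key: bytes) -> str:
    # HMAC-SHA256 message authentication code under a secret key held by the application.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_checksum(record: dict, expected: int) -> bool:
    return checksum(record) == expected

def verify_mac(record: dict, key: bytes, expected: str) -> bool:
    # Constant-time comparison of the stored tag against a freshly computed one.
    return hmac.compare_digest(mac(record, key), expected)

def double_key_matches(first_entry: str, second_entry: str) -> bool:
    # "Double keying": a critical field is typed twice and accepted only if both entries agree.
    return first_entry.strip() == second_entry.strip()

def integrity_comparison(key: bytes) -> dict:
    # Store both protections, alter a critical field, and see which one still notices.
    stored_crc = checksum(RECORD)
    stored_mac = mac(RECORD, key)
    altered = dict(RECORD, amount_cents=1250000)
    # Whoever can edit the record can also recompute a keyless check sum,
    # so a CRC stored beside the data only guards against accidents.
    recomputed_crc = checksum(altered)
    return {
        "crc_detects_change": not verify_checksum(altered, stored_crc),
        "crc_fooled_by_recompute": verify_checksum(altered, recomputed_crc),
        "mac_detects_change": not verify_mac(altered, key, stored_mac),
    }
```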

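For the security event auditing on slides 32 and 33, this added Python example (not from the presentation) parses constructed application audit records, flags every patient-record access, read-only views included, that lacks a documented care relationship, and counts failed logon attempts; the log layout, the care-relationship table and the threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample application audit log (not from the presentation); the layout is hypothetical:
# timestamp|user|role|event|patient_id|outcome, with "-" when no patient record is involved.
SAMPLE_LOG = """\
2001-05-01T08:05:40|jsmith|nurse|VIEW|P-1001|OK
2001-05-01T08:06:02|jsmith|nurse|VIEW|P-2002|OK
2001-05-01T08:06:30|jsmith|nurse|VIEW|P-3003|OK
2001-05-01T09:00:00|rjones|clerk|LOGON|-|FAIL
2001-05-01T09:00:20|rjones|clerk|LOGON|-|FAIL
2001-05-01T09:00:45|rjones|clerk|LOGON|-|FAIL
2001-05-01T09:01:10|rjones|clerk|LOGON|-|OK
2001-05-01T09:30:00|dlee|physician|UPDATE|P-1001|OK
"""

# Constructed care relationships (as fed from admissions/scheduling): user -> patients in their care.
CARE_RELATIONSHIPS = {"jsmith": {"P-1001", "P-2002"}, "dlee": {"P-1001"}}

@dataclass
class AuditRecord:
    ts: str
    user: str
    role: str
    event: str
    patient_id: str
    outcome: str

def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError("malformed audit line: %r" % line)
        records.append(AuditRecord(*fields))
    return records

def find_snooping(records: list, relationships: dict) -> list:
    # Every access to a patient record, read-only VIEW included, by a user with
    # no documented care relationship to that patient.
    return [(r.ts, r.user, r.patient_id, r.event) for r in records
            if r.patient_id != "-" and r.patient_id not in relationships.get(r.user, set())]

def find_failed_logons(records: list, threshold: int = 3) -> dict:
    # Users whose failed LOGON attempts reach the threshold (logon attempts are HIPAA's own example).
    fails = Counter(r.user for r in records if r.event == "LOGON" and r.outcome == "FAIL")
    return {user: n for user, n in fails.items() if n >= threshold}
```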