Post on 26-Mar-2015


HIPAA Security: Case Studies for Small to Medium Health Organizations (Compliance Methods)

Jeff Bardin, CISSP, CISM, NSA IAM, OCTAVE℠

Principal & CSO

Treadstone 71

www.treadstone71.com

jbardin@treadstone71.com

Agenda

From Threat Agent to Safeguard
The NSA IAM Method
Criticality of Information Matrix
Systems Criticality Matrix
OCTAVE℠ Method
Human Actors Using Network Access
Threat Profile: System Problems
Basic Risk Profile
Initial Findings
Scorecards
HIPAA & ISO 17799 Roadmap
Q&A

From Threat Agent to Safeguard

Threat Agent -> gives rise to -> Threat
Threat -> exploits -> Vulnerability
Vulnerability -> leads to -> Risk
Risk -> can damage -> Asset (ePHI)
Asset (ePHI) -> and causes an -> Exposure
Exposure -> can be countermeasured by -> Safeguard
Safeguard -> directly affects -> Threat Agent

Criticality of Information Matrix

Columns: Confidentiality, Integrity, Availability (each cell rated H = High or M = Medium)

Information types (rows):
Patient Records
Medical Staff Records
Employee Records
Vendor Contracts
Employee Health Records
Legal Files (lawsuit information)
Contracts w/Agency People
Meeting Minutes (Board)
Survey Reports (Joint Commission, Medicare/Medicaid)
Docs – Security Eng Tests & Inspections
Patient Accounts
Financial Audits
Planning Documents (Strategic/Master Facility Plan)
Payroll Records
Psych/Drug/Alcohol/HIV

Cell ratings as extracted from the slide (45 cells for 15 rows x 3 columns; the row/column alignment did not survive extraction):
H M M M M M M M M H H H H H H H H H H H H H H H H M H H H H M M M M M M M M M H H H H M M
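The matrix above rates each information type for Confidentiality, Integrity and Availability; the agenda's next step, the Systems Criticality Matrix, rolls those ratings up to the systems that store or process each information type. The following is an added example, not code from the deck or from Treadstone 71. It assumes the roll-up rule commonly applied with the NSA IAM method, that a system inherits, per column, the highest rating of any information type it handles (the high-water mark); the ratings, the system names (EHR, HR/Payroll, Procurement) and the system-to-information mapping are constructed for illustration and are not the deck's values.

```python
# Added example (not from the deck): information criticality matrix rolled up
# into a systems criticality matrix using a high-water-mark rule (assumption).
from typing import Dict, Iterable, List, Tuple

RANK = {"L": 0, "M": 1, "H": 2}          # ordering of ratings, low to high
COLUMNS = ("Confidentiality", "Integrity", "Availability")

Rating = Tuple[str, str, str]            # (C, I, A)

# Information criticality matrix. Asset names are from the deck; the H/M/L
# cell values here are constructed, not the deck's ratings.
INFORMATION_CRITICALITY: Dict[str, Rating] = {
    "Patient Records":        ("H", "H", "H"),
    "Medical Staff Records":  ("M", "H", "M"),
    "Employee Records":       ("M", "H", "M"),
    "Vendor Contracts":       ("M", "M", "L"),
    "Payroll Records":        ("M", "H", "M"),
    "Psych/Drug/Alcohol/HIV": ("H", "H", "M"),
}

# Which information types each system stores or processes (constructed
# mapping with hypothetical system names).
SYSTEM_INFORMATION: Dict[str, List[str]] = {
    "EHR":         ["Patient Records", "Psych/Drug/Alcohol/HIV"],
    "HR/Payroll":  ["Employee Records", "Payroll Records", "Medical Staff Records"],
    "Procurement": ["Vendor Contracts"],
}


def validate_matrix(matrix: Dict[str, Rating]) -> None:
    """Reject ratings outside H/M/L or rows that do not have exactly C, I, A."""
    for asset, ratings in matrix.items():
        if len(ratings) != len(COLUMNS):
            raise ValueError(f"{asset}: expected {len(COLUMNS)} ratings, got {len(ratings)}")
        for rating in ratings:
            if rating not in RANK:
                raise ValueError(f"{asset}: unknown rating {rating!r}")


def high_water(ratings: Iterable[str]) -> str:
    """Return the highest rating in the sequence (H > M > L)."""
    return max(ratings, key=lambda r: RANK[r])


def system_criticality(info_matrix: Dict[str, Rating],
                       system_map: Dict[str, List[str]]) -> Dict[str, Rating]:
    """Build the systems criticality matrix: per system and per column, the
    high-water mark over the information types that system handles."""
    validate_matrix(info_matrix)
    result: Dict[str, Rating] = {}
    for system, info_types in system_map.items():
        missing = [t for t in info_types if t not in info_matrix]
        if missing:
            raise KeyError(f"{system}: information types not rated: {missing}")
        if not info_types:
            raise ValueError(f"{system}: no information types mapped")
        cols = [high_water(info_matrix[t][idx] for t in info_types)
                for idx in range(len(COLUMNS))]
        result[system] = (cols[0], cols[1], cols[2])
    return result


def overall_criticality(rating: Rating) -> str:
    """Single criticality for prioritising assessment work: the high-water
    mark across C, I and A."""
    return high_water(rating)


def render(title: str, matrix: Dict[str, Rating]) -> str:
    """Plain-text table of a criticality matrix, rows sorted most critical first."""
    width = max(len(name) for name in matrix) + 2
    lines = [title, "".ljust(width) + "  ".join(c[:5].ljust(5) for c in COLUMNS) + "  Overall"]
    ordered = sorted(matrix, key=lambda n: RANK[overall_criticality(matrix[n])], reverse=True)
    for name in ordered:
        cells = "  ".join(r.ljust(5) for r in matrix[name])
        lines.append(name.ljust(width) + cells + "  " + overall_criticality(matrix[name]))
    return "\n".join(lines)


if __name__ == "__main__":
    systems = system_criticality(INFORMATION_CRITICALITY, SYSTEM_INFORMATION)
    print(render("Information Criticality Matrix", INFORMATION_CRITICALITY))
    print()
    print(render("Systems Criticality Matrix", systems))
```

With the constructed inputs, the EHR system rolls up to H/H/H because it carries Patient Records, while Procurement stays at M/M/L; the overall column then orders where assessment effort (and HIPAA Security Rule safeguards for ePHI-bearing systems) should go first.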

National Security Agency Information Assurance Methodology
