Building a Risk Management Framework for HIPAA & FISMA Compliance
Anurag Shankar
Center for Applied Cybersecurity Research, Indiana University
2015 Technology Exchange, October 6, 2015
Outline
1. Introduction
2. HIPAA & FISMA Demystified
3. Cyber Compliance: The IU Approach
4. Building & Leveraging a Risk Management Framework
5. Conclusion
1. Introduction
Why a talk on compliance?
• We have a new user community - clinical researchers.
• Their research IT is growing to HPC, HPN, and HPS* scales.
• Medical school IT cannot keep up.
• Their data is laced with regulations (HIPAA, FISMA).
• Compliance is a foreign language (to most of us).
• We deal with the usual suspects - physical scientists and engineers.
• Regulations are not our forte.
*High performance computing, networking and storage
Compliance challenges
• Fear, uncertainty, doubt.
• Language barrier.
• Lack of resources.
• Local risk tolerance.
• Risk ownership.
• Policy.
The goals this morning
• Learn to speak compliance.
• Bring regulations to a practical, actionable plane.
2. Regulations - HIPAA and FISMA
HIPAA
What is HIPAA?
• Health Insurance Portability & Accountability Act.
• Provides the ability to transfer and continue health insurance coverage for American workers and their families when they change or lose their jobs.
• Enforced by the Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services (HHS).
HIPAA Timeline
• Passed in 1996, became law in 2001. The HIPAA Security Rule came out in 2003.
• The Health Information Technology for Economic & Clinical Health (HITECH) Act of 2006.
• The HIPAA Omnibus Final Rule of 2013 included provisions from HITECH & the 2008 Genetic Information Nondiscrimination Act (GINA).
Is HIPAA all about patient privacy?
• No. There are many other components.
• Privacy is addressed through the HIPAA Privacy Rule, the HIPAA Security Rule, and the breach notification requirement.
• The Privacy Rule defines who HIPAA applies to (a covered entity), what is protected (protected health information or PHI), and covers disclosures of PHI.
• The Security Rule focuses exclusively on protecting electronic PHI (ePHI) in any form - at rest, in transit, under analysis, etc.
What constitutes PHI*?
Patient information in any form (paper, verbal, electronic) containing any of the following 18 identifiers:
1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic or code
PHI, when properly de-identified, is no longer subject to HIPAA.
*You may also hear the terms personally identifiable information (PII), individually identifiable health information (IIHI), health information, etc., but they are not created equal.
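Identifiers 2 and 3 are the only ones on the list with a rule attached rather than a plain "remove it", so they are the ones people get wrong when de-identifying a data set. The following is an added example, not code from the talk: it implements the zip-code and date/age rules as stated above. The three-digit zip population table is constructed for the illustration; a real run would use the current publicly available Census Bureau figures the rule refers to. The record layout (`zip`, `birth_date`, `admission_date`) is likewise an assumption for the example.

```python
"""HIPAA Safe Harbor handling for identifiers 2 and 3 (zip codes, dates, ages).

Added illustration, not code from the talk. Only the first three zip digits may
survive, and only when the area sharing them holds more than 20,000 people;
every date element except the year is dropped, and an age over 89 (or a birth
year implying one) collapses into a single "90+" category.
"""
from datetime import date

# Constructed sample of three-digit zip prefixes and the population of the
# combined area. Real values must come from current Census data.
ZIP3_POPULATION = {
    "474": 150_000,  # constructed: more than 20,000 people, prefix may stay
    "036": 12_000,   # constructed: 20,000 or fewer, prefix becomes "000"
}


def deidentify_zip(zip_code, population=ZIP3_POPULATION):
    """Reduce a zip code to its Safe Harbor form; None if it is not a zip code."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    # An unknown prefix is treated as a small area: the conservative choice
    # when the rule's population condition cannot be verified.
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def age_years(birth_iso, as_of_iso):
    """Whole years between two ISO dates, counting a birthday not yet reached."""
    born, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    before_birthday = (as_of.month, as_of.day) < (born.month, born.day)
    return as_of.year - born.year - before_birthday


def deidentify_record(record, as_of_iso):
    """Apply the zip, date and age rules to one constructed patient record.

    record carries ISO-date strings under "birth_date" and "admission_date"
    and a zip code under "zip"; the result keeps only what Safe Harbor allows.
    """
    age = age_years(record["birth_date"], as_of_iso)
    over_89 = age > 89
    return {
        "zip3": deidentify_zip(record["zip"]),
        # Dates related to the individual keep only the year...
        "admission_year": date.fromisoformat(record["admission_date"]).year,
        # ...but a birth year that reveals an age over 89 is itself an
        # identifier, so it goes too, and the age is aggregated.
        "birth_year": None if over_89 else date.fromisoformat(record["birth_date"]).year,
        "age": "90+" if over_89 else str(age),
    }


if __name__ == "__main__":
    # Constructed records, not real patients.
    sample = [
        {"zip": "47408-1234", "birth_date": "1930-03-15", "admission_date": "2015-09-30"},
        {"zip": "03601", "birth_date": "1920-01-01", "admission_date": "2015-09-30"},
    ]
    for rec in sample:
        print(deidentify_record(rec, "2015-10-06"))
```

Two design points worth noticing: a zip prefix absent from the population table is collapsed to 000 rather than kept, because the rule only permits keeping a prefix when the population condition is known to hold; and the birth year is treated differently from the admission year, since the rule makes any date element, year included, an identifier once it indicates an age over 89.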
Is all identifiable health information PHI?
• No, only when it is within the healthcare context.
• For instance,
  • identifiable health information (yours or someone else's) you share publicly on Facebook is not PHI (it is not subject to HIPAA).
  • However, if a medical professional (doctor, nurse, etc.) shares it publicly on Facebook, it is PHI and thus subject to HIPAA. Such a disclosure would be considered a breach under HIPAA.
Who does HIPAA apply to?
• A HIPAA covered entity (CE).
• Only healthcare providers, health plans, and health clearinghouses are considered covered entities.
• Universities are often hybrid covered entities, meaning they have both non-covered (e.g. the English dept.) and covered components (e.g. the Student Health Center, School of Medicine).
• HIPAA applies to the entire CE (the legal entity). It is the CE that faces penalties when a HIPAA violation occurs, not its employees or subunits.
Does HIPAA apply to me?
• Yes, if you serve a covered entity,
  • either as a unit of your covered entity or
  • as a Business Associate, AND
  • you create, receive, transmit, or maintain PHI.
• You cannot say "I didn't know we had PHI". Plausible deniability can be quite expensive under HIPAA.
• Your organization is not a covered entity if it is not involved in healthcare operations directly.
Check with your compliance folks or counsel.
What is a Business Associate (BA)?
• "A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information."
• However, there is a "conduit exception" which excludes "...those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services."
Business Associate Agreements
• HIPAA mandates you to have a Business Associate Agreement (BAA) with BAs (since it's a disclosure of PHI). The BAs must have BAAs with their BAs, and so on.
• The BAA must include language stating that the BA will protect your PHI and abide by HIPAA. (Sample BAAs are at the HHS site.)
• You are expected to do due diligence to ensure that the BA can protect your PHI as per HIPAA.
• The BAs are subject to HIPAA independently if they have PHI. So are their BAs, all the way down the chain.
Breach Notification
• HIPAA mandates a breach of PHI to be reported to the OCR & those affected within 60 days.
• For breaches involving >500 individuals, local media outlets must also be notified.
• It is for you to decide whether a security incident rises to the level of a breach.
Enforcement
• HIPAA violations can result in civil monetary penalties against a covered entity and/or criminal penalties against individuals, with imprisonment up to 10 years.
• An audit may occur if there is a breach. However, a breach is not automatically a HIPAA violation.
• Audits used to occur only in response to a breach or a complaint. The OCR has received funding to institute a random audit program now. They are getting ready for the first round of such audits.
When is a breach a HIPAA violation?
Violations occur when the CE is not doing the due diligence required under HIPAA or is ignoring HIPAA altogether:
• Not responding to the OCR despite repeated requests.
• Having no information security process whatsoever.
• No risk assessment and mitigation.
• No incident response.
• No documentation.
• Not following documented policies and procedures.
The OCR expects breaches; that is not the point.
Civil Monetary Penalties
* = An act of omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification (HIPAA) provision, but in which the covered entity or business associate did not act with willful neglect.
The cost of "I didn't know we had PHI":
• A breach of 100 patient records = 100 violations.
• Maximum "Did Not Know" cost of a breach of 100 patient records = $50K x 100 = $5 million!
Enforcement in Action
Breaches reported by universities
The Corrective Action Plan (CAP) signed by Idaho State University
The penalties are bad; reputational damage is worse.
What does HIPAA mean for an IT provider?
• To protect ePHI as per the HIPAA Security Rule.
The HIPAA Security Rule
• The Security Rule requires 1. Administrative, 2. Physical, and 3. Technical safeguards to
  • Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures;
  • Ensure compliance by the workforce; and
  • Provide a means for managing risk in an ongoing fashion.
Security Rule Safeguards
• Administrative - security management/officer, workforce security, incident response, disaster planning, evaluations, etc.
• Physical - facilities access, workstation use/security, device/media controls, etc.
• Technical - access/audit control, integrity, authentication, transmission security, etc.
+ organizational/policies/documentation requirements
Required and Addressable
• The Security Rule safeguards are either required or addressable.
• Required = what it says.
• Addressable = must be in place, but OK if you explain why you don't have it in place and/or how you will otherwise address the risk.
HIPAA Safe Harbor
• If the data is encrypted at rest and the encryption key is stored separately from the data and secured, a breach need not be reported to the OCR.
• This is called HIPAA safe harbor.
Can I be certified HIPAA compliant?
• No, HIPAA doesn't define a threshold where you are suddenly compliant.
• The OCR has not authorized anyone to certify compliance.
• You can get third party certification but the OCR does not recognize them. They may still find you lacking.
• All you can do is exercise due diligence - continuously assess and mitigate risk. HIPAA compliance is either self asserted or blessed by local authorities.
How do I handle HIPAA then?
• Based on your environment, budget, and risk tolerance.
• Check if your local HIPAA Compliance or Information Security folks already have a process in place or have recommendations. Use their expertise.
• Securing the ePHI and documentation is still your task.
FISMA
What is FISMA?
Federal Information Security Management Act of 2002.
"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency..."
Who does FISMA apply to?
• Government agencies, their subcontractors, or other sources that serve the agencies.
When does FISMA apply?
• When you use agency systems to manage information on behalf of an agency.
• When you use or operate information systems on behalf of an agency.
• If your contract says it does.
HHS guidance
"FISMA's requirements follow agency information into any system which uses it or processes it on behalf of the agency. That is, when the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA applies."
• The term "on behalf of" indicates that only those entities that are acting, under agency principles, as agents, where HHS (or a component) is the principal, are covered by FISMA.
Does FISMA apply to me?
• Probably, if you have a contract with a govt. agency, e.g. NIH.
• Check the contract; it will explicitly state FISMA requirements.
• Check if FISMA language has been added to existing contracts when they are renewed.
• It is sometimes possible to negotiate FISMA out.
What does FISMA require?
• Adopting the NIST Risk Management Framework (RMF).
• Accreditation.
• Regular reporting and reviews.
The FISMA Workflow
1. Define system boundaries
2. Assess Risk (NIST 800-30, 37, 39)
3. Apply Controls (NIST 800-53)
4. Evaluate Controls (NIST 800-53A)
5. Authority to Operate (ATO)
Define System Boundaries
• Also known as the accreditation boundaries.
• Defines where the "system" begins and ends.
• A system can be a part of a network, an application, a logical collection of disparate components, etc.
• A conceptual boundary extends to all direct and indirect users of the system that receive output.
• Requires IT professionals.
Assess Risk
• Guidance from NIST documents NIST 800-30, 37, and 39 is used to conduct a risk assessment.
• Individual risks and severity are identified.
• A prioritized list of risks is created.
Select Controls
• The results of the risk assessment and the NIST control catalog NIST 800-53 are used to select controls that mitigate risk.
• Existing controls will mitigate some of the risk. Residual risk is addressed by adding missing controls.
• The FISMA contract will specify the required security control baseline (High, Medium, or Low).
Evaluate Controls
• Requires regular assessments.
• Involves testing the controls in place to gauge their effectiveness in mitigating risk.
• Evaluations can be internal or external.
• The NIST 800-53A document covers evaluating NIST 800-53 controls.
Authority to Operate (ATO)
• The compliance paperwork is submitted to the agency.
• An ATO letter is issued by the agency authorizing the operation of the system.
• If remediation is required, the agency may issue an Interim Authority To Operate (IATO) with a defined end date.
+ continuous monitoring and regular reporting requirements.
What does it take to do FISMA?
• A significant amount of effort and $$.
• Duke Medicine, one academic FISMA implementation, estimates that, for each PI contract, it takes them ~25 hours to review all the documentation, make suggested contractual changes for agency negotiation, and create a FISMA management plan.
• A separate budget line item has to be included in the contract to cover FISMA costs.
• Many use a completely walled garden.
3. Cyber Compliance: The IU Approach
History
• IU has a mature research cyberinfrastructure (CI), serving both local and national users.
• It is provisioned through IU's central IT organization.
• It delivers supercomputing, data storage/archival, visualization, application development & optimization, data management, etc.
• Prior to 2000, it was used almost exclusively by the usual suspects - physical scientists and engineers.
HIPAA intervenes
• A Lilly Endowment grant in 2000 to accelerate genomics research at IU included using the existing CI for IU School of Medicine researchers.
• HIPAA compliance for research systems became a requirement.
• Forced us to learn HIPAA and how it affects the research workflow.
The most important compliance step
• We created an oversight committee to oversee our HIPAA effort and put every stakeholder on it - the Compliance Officers, Counsel, CISO, School of Medicine faculty/IT staff/CIO, Central IT senior management, etc.
• They became our ambassadors and started sending clinical researchers, NIH grant money, reflected glory our way.
Research workflow & compliance
Pre-Grant: Prelim. Investigation • IRB • CI Design
Proposal: Proposal Preparation • Budget Preparation • Proposal Funding
Execution: Data Acquisition • Data Analysis • Simulation • Data Management • Data Sharing • Data Visualization • Data Publishing
Post-Grant: Data Archival • Data Disposal
It was useful to follow the research data end to end, through its entire lifecycle, to understand where compliance touches it.
Steps in red involve compliance.
Evolution
• We initiated a HIPAA specific, homegrown compliance process in 2008.
• It worked well initially, but was too rigid to accommodate other rules and regulations appearing on the horizon (e.g. FISMA).
• This motivated a search for a standards based, regulation neutral process.
• The obvious choice was the widely used, highly flexible NIST standard.
• Resulted in the creation of a single, reusable framework for cyber compliance in general.
How does it work?
1. Establish the base NIST Risk Management Framework (RMF)
2. Align with the NIST standard (not individual regulation)
3. Map the regulation to NIST
4. Add missing* regulatory controls
This allows scaling laterally to cover any regulation or potential regulation changes; all that changes are steps 2 and 3.
*Regulatory controls missing from NIST
Handling HIPAA
1. Align with the NIST low security baseline
2. Map HIPAA to NIST using NIST 800-66
3. Add HIPAA safeguards missing from NIST
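The mapping step is where the framework earns its reuse: once a regulation's safeguards are expressed as NIST controls, a gap check against the baseline tells you what to add, and the required/addressable distinction from the Security Rule slides tells you what counts as a finding. The following is an added example, not code from the talk or from IU's framework, that works through steps 2 and 3 above for a handful of safeguards. The baseline subset, the HIPAA-to-NIST map, the implemented-control set and the rationale text are all constructed for the illustration; in practice the map comes from NIST 800-66 and the baseline from the 800-53 catalog, and the business-associate item is deliberately left unmapped to show what step 3 does with a safeguard NIST has no control for.

```python
"""Regulation-to-NIST gap check: map safeguards to controls, find what the
baseline lacks, and apply the required/addressable rule to what is in place.

Added illustration, not code from the talk or from IU. All data below is
constructed; real mappings come from NIST SP 800-66 and the 800-53 catalog.
"""

# Constructed subset of the NIST 800-53 low baseline (identifiers are real
# 800-53 controls; the selection is illustrative, not the full baseline).
NIST_LOW_BASELINE = {"AC-2", "AC-3", "AU-2", "CP-9", "IR-4", "IR-6",
                     "PS-8", "RA-3", "SC-13"}

# Constructed mapping of Security Rule safeguards (45 CFR 164 citations) to
# 800-53 controls. The business-associate item is left unmapped on purpose
# to show step 3: a safeguard NIST has no equivalent for becomes a control.
HIPAA_SAFEGUARDS = [
    {"cite": "164.308(a)(1)(ii)(A)", "name": "Risk analysis",
     "required": True, "nist": {"RA-3"}},
    {"cite": "164.308(a)(6)(ii)", "name": "Response and reporting",
     "required": True, "nist": {"IR-4", "IR-6"}},
    {"cite": "164.312(a)(2)(iv)", "name": "Encryption and decryption",
     "required": False, "nist": {"SC-13"}},
    {"cite": "164.308(a)(1)(ii)(C)", "name": "Sanction policy",
     "required": True, "nist": {"PS-8"}},
    {"cite": "164.308(b)(1)", "name": "Business associate contracts",
     "required": True, "nist": set()},
    {"cite": "164.312(c)(2)", "name": "Mechanism to authenticate ePHI",
     "required": False, "nist": {"SI-7"}},
]

# Constructed state of the environment: controls (or unmapped safeguards,
# tracked by citation) actually in place, plus documented rationales for
# addressable safeguards that are handled some other way.
IMPLEMENTED = {"RA-3", "IR-4", "IR-6", "PS-8", "164.308(b)(1)"}
RATIONALES = {
    "164.312(a)(2)(iv)": "constructed: ePHI under analysis cannot be encrypted "
                         "in use; isolated network and access controls documented",
}


def classify(safeguard, baseline, implemented, rationales):
    """Return (status, controls_to_add) for one safeguard.

    status is "met", "accepted" (addressable, not in place, rationale on file)
    or "finding". controls_to_add lists what the NIST baseline does not cover
    and therefore has to be added to the framework as a regulatory control.
    """
    mapped = safeguard["nist"]
    if mapped:
        in_place = mapped <= implemented
        to_add = sorted(mapped - baseline)
    else:
        # No NIST equivalent: the safeguard itself becomes the control.
        in_place = safeguard["cite"] in implemented
        to_add = [safeguard["cite"]]
    if in_place:
        return "met", to_add
    if not safeguard["required"] and safeguard["cite"] in rationales:
        return "accepted", to_add
    return "finding", to_add


def gap_report(safeguards, baseline, implemented, rationales):
    """Group safeguards by status and collect the controls to add to the RMF."""
    report = {"met": [], "accepted": [], "finding": [], "add_controls": set()}
    for s in safeguards:
        status, to_add = classify(s, baseline, implemented, rationales)
        report[status].append(s["cite"])
        report["add_controls"].update(to_add)
    report["add_controls"] = sorted(report["add_controls"])
    return report


if __name__ == "__main__":
    for key, value in gap_report(HIPAA_SAFEGUARDS, NIST_LOW_BASELINE,
                                 IMPLEMENTED, RATIONALES).items():
        print(f"{key}: {value}")
```

Note that a rationale never rescues a required safeguard: `classify` consults the rationale only when `required` is false, which is exactly the "Required = what it says" rule. The `add_controls` list is the output of step 3 above, the safeguards and controls the chosen NIST baseline does not already carry.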
HIPAA to NIST Mapping (from NIST 800-66)
4. Building and Leveraging the NIST Risk Management Framework
What is managing cyber risk?
• Identify, assess, prioritize, and mitigate risk to assets on an ongoing basis.
• Focuses on risk, calculated as follows: Risk = {Threat/Vulnerability x Likelihood x Impact}
• So a big threat from an existing vulnerability that is highly unlikely to be exploited / has little impact is low risk. You don't kill yourself over it.
• Risk assessment sharply focuses attention and optimizes resources.
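The formula is simple, but the prioritized list the Assess Risk and Select Controls slides call for depends on applying it consistently and on separating inherent risk from what is left after the controls already in place. The following is an added example, not code from the talk, that does this for a small constructed register. The 1-5 scales, the effect assigned to each existing control and the sample risks are all assumptions made for the illustration; the threat/vulnerability pair is treated as the thing being scored rather than as a numeric factor, which is one reasonable reading of the formula above.

```python
"""Risk register using the talk's formula: Risk = Threat/Vulnerability x Likelihood x Impact.

Added illustration, not code from the talk. Each entry is a threat acting on a
vulnerability, scored 1-5 for likelihood and impact; the controls already in
place lower one of the two factors, giving the residual risk; sorting the
residuals gives the prioritized list. All scales and data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int                 # 1 = rare ... 5 = almost certain
    impact: int                     # 1 = negligible ... 5 = severe
    controls: list = field(default_factory=list)  # existing controls by name


# Constructed: which factor an existing control lowers, and by how many steps.
CONTROL_EFFECT = {
    "full-disk encryption": ("impact", 3),
    "MFA": ("likelihood", 2),
    "patching SLA": ("likelihood", 1),
    "offsite backups": ("impact", 2),
}


def inherent_score(risk):
    """Risk with no controls applied: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_score(risk, effects=CONTROL_EFFECT):
    """Risk left after the existing controls; a factor never drops below 1."""
    likelihood, impact = risk.likelihood, risk.impact
    for name in risk.controls:
        factor, steps = effects[name]   # unknown control: fail loudly, not silently
        if factor == "likelihood":
            likelihood = max(1, likelihood - steps)
        else:
            impact = max(1, impact - steps)
    return likelihood * impact


def prioritize(risks, tolerance):
    """Rank risks by residual score; 'treat' marks those above the tolerance."""
    rows = []
    for r in risks:
        residual = residual_score(r)
        rows.append({"threat": r.threat, "vulnerability": r.vulnerability,
                     "inherent": inherent_score(r), "residual": residual,
                     "treat": residual > tolerance})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed register. The last entry is the slide's own case: a real threat
# on an existing vulnerability that is unlikely and low-impact, hence low risk.
SAMPLE_RISKS = [
    Risk("lost or stolen laptop", "ePHI on local disk", 4, 5, ["full-disk encryption"]),
    Risk("phishing leading to credential theft", "password-only login", 5, 4, ["MFA"]),
    Risk("ransomware on research storage", "unpatched file server", 3, 5,
         ["patching SLA", "offsite backups"]),
    Risk("tampering with a conference-room display", "outdated signage firmware, no PHI", 1, 1),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS, tolerance=6):
        print(row)
```

Two things the table makes visible that the formula alone does not: the same inherent score (20 for both the laptop and the phishing entries) yields different residuals depending on what is already in place, so the control decision follows the residual column, not the inherent one; and the "treat" flag is where the local risk tolerance from the Compliance challenges slide enters as an explicit number rather than a feeling.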
Aren't firewalls, encryption, etc. enough?
• No. Technical controls are only one component of cyber risk management. It requires a more holistic approach.
• Why not encrypt it all at rest and have HIPAA safe harbor? Because it's not always possible, and you still have to protect the key server.
• The NIST risk management framework gives us precisely that.
The NIST RMF
• Comprises the following:
  • Good governance = institutional security organization, policies, sanctions, enforcement
  • Risk management = assessment, mitigation through appropriate physical, administrative, technical controls
  • Review = regular monitoring, reviews, assessment, and mitigation
  • Awareness and training
  • Documentation
NIST Security Lifecycle
But I don't have resources to do all that

• You likely have some or all of these:
  • An information security office
  • Institutional IT policies
  • Many security controls already in place
  • Documentation
• This is plenty to start with. It means that you have the basic elements of the NIST RMF in place already.
• The rest is a one-time effort to establish the RMF. Much of it is documentation.
• A risk assessment enables further economies.
Risk Assessment

• The beginning of the road in cyber risk management. You cannot manage risk unless you know what risk you have.
• There are many ways to assess risk, ranging all the way from pedestrian (& cheap) to highly complex (& expensive).
• Your effort should be commensurate with budget, risk tolerance, and organizational complexity.
Implementation Steps

1. Assign resources
2. Develop tools
3. Develop process
4. Apply process to new systems
5. Migrate existing systems to new process
Develop process

1. Inventory
2. Documentation of System & Controls
3. Risk Assessment
4. Risk Response
5. Awareness & Training
6. Oversight & Approval
7. Authority to Operate
8. Ongoing Risk Management
Inventory what you have

• System details, ePHI location, security settings, BAAs, scan info, access methods, disposal information, etc.
• Software, version, patch level, BAAs, scan info, etc.
• Privileged access inventory - names, roles, dates authorized, etc.
• Incident log - incident summary, response.
The inventory template
Document the system and controls

• Controls are documented in the System Security Plan or SSP.
• IU template based on what DHHS, NASA, etc. use to satisfy FISMA.
• Describes system name, categorization, contacts, purpose, components, interconnections, boundaries, dependencies, and all NIST 800-53 security & privacy controls in place.
The SSP template
Document enterprise common controls

• Individual SSPs describe NIST 800-53 controls you have in place.
• Many of these will be inherited from your organization. They will apply to all systems. We call them enterprise common controls (ECC).
• It is wasteful to include them every time in each SSP.
• So document ECCs separately and have individual SSPs simply point to the ECC docs.
The ECC document is literally NIST 800-53 with responses
Assess risk

• Do risk self-assessments; they are cheap.
• Have managers & system administrators sit down and brainstorm.
• Identify areas of vulnerabilities and risk for the system.
• Document risk areas, controls that address those risks, residual risks, and risk severity.
• Have external, third-party assessments every once in a while if you can afford them.
The Risk Assessment Report Template
Document risk response

• Document how you will respond to residual risk in a Plan of Action & Milestones or POA&M document.
• It states whether the risk was accepted, transferred, addressed, or is to be mitigated, and the reasons, timelines and planned mitigation activities/controls.
• Valid reasons for accepting a risk are budget, resource constraints, etc. You can often still address them through training.
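The risk formula from the "What is managing cyber risk?" slide and the POA&M response above, worked through as an added Python example (not IU's tooling or templates): it scores a constructed risk register on an ordinal likelihood x impact scale, ranks it so effort goes to the highest risks, and emits a POA&M row. The accept-vs-mitigate rule and the sample system "hpc-epi" are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed ordinal scale for this example (not IU's template): low=1, moderate=2, high=3.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class RiskItem:
    system: str
    threat: str
    vulnerability: str
    likelihood: str   # chance the threat actually exploits the vulnerability
    impact: str       # consequence to the system/ePHI if it does
    controls: list = field(default_factory=list)  # existing controls addressing it

    def score(self) -> int:
        # Risk = {Threat/Vulnerability x Likelihood x Impact}: the pair exists (factor 1),
        # so the ordinal score reduces to likelihood * impact on a 1..9 scale.
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def severity(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"


def prioritize(register: list) -> list:
    """Highest-scoring risks first, so attention and budget go where they matter."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def poam_entry(item: RiskItem, planned_controls: list, months: int) -> dict:
    """Build one Plan of Action & Milestones row. Constructed decision rule:
    low severity is accepted (and covered in training); anything higher is mitigated."""
    row = {"system": item.system, "weakness": item.vulnerability, "severity": item.severity()}
    if item.severity() == "low":
        row.update(response="accepted",
                   reason="low likelihood/impact; resources reserved for higher risks",
                   milestones=["cover in annual awareness training"])
    else:
        row.update(response="to be mitigated", reason="residual risk above tolerance",
                   milestones=[f"implement {c} within {months} months" for c in planned_controls])
    return row


# Constructed sample register for a hypothetical research cluster holding ePHI.
REGISTER = [
    RiskItem("hpc-epi", "credential theft", "no MFA on SSH gateway", "high", "high", ["central auth"]),
    RiskItem("hpc-epi", "media loss", "decommissioned disks not wiped", "moderate", "high"),
    RiskItem("hpc-epi", "physical intrusion", "unlocked rack in badge-controlled room", "low", "low"),
]
```

The third register entry is the slide's own case: a real threat against an existing weakness that is unlikely and low-impact scores 1 and lands in the POA&M as accepted, not mitigated.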
The POA&M template
Train staff

• Mandate annual training for both management and staff responsible for the system.
• At IU three e-training modules must be completed:
  1. The standard IU HIPAA training (covering the law and IU policies & procedures)
  2. IU Human Subjects training
  3. UITS-specific information on how HIPAA applies to the IT organization specifically, our policies & NIST procedures
• Document all security-related training in a training log.
Train users and raise awareness

• Provide online training and awareness via a knowledge base, YouTube videos or other media, in-person classes, and email alerts.
• Can do things like launching your own phishing attack.
• Work individually with users, train them as you help them.
• Help them create their own (HIPAA) documentation describing how they are protecting their end.
Institute oversight/approval

• Have your authorities provide oversight (which may be required at your institution) and approval, or assign someone within your organization.
• At IU the completed compliance documentation package is sent to the IU HIPAA Compliance Office, the University Information Security Office, and Internal Audit.
Institute ongoing risk management

• Institute regular, ongoing risk management through:
  • Regular reviews, risk re-assessments, and documentation updates.
  • Continuous, automatic monitoring of systems.
  • Annual training & awareness.
  • Oversight.
  • External assessments.
  • Penetration testing.
  • Campaigns (phishing, etc.)
5. Conclusion
Compliance is doable

• The government does not expect you to undertake herculean measures or build walled gardens.
• Cyber compliance requirements are all about best practices, something we should be doing anyway (and are, mostly).
• You likely have sufficiently good information security in place already. It doesn't take a gargantuan effort to go all the way.
Benefits

• A standards-based RMF implementation makes you rule/regulation-proof.
• Customers with sensitive data will trust your shop, bringing in new business and funding.
• Your compliance folks will send people your way (ours do).
• You will better serve researchers / your mission.
The evolution of cybersecurity

• No one thinks cybersecurity is a solvable problem; the fixes aren't working despite huge cybersecurity budgets.
• A new approach called "resilience" is emerging.
• It treats the situation just like the medical establishment does human disease. You will be sick. You will be hacked. Period.
• The goal is to survive being hacked, be resilient.
• How? Prevent (defend, detect, remediate - baseline risk management), Respond (incident response), Recover (DR), and Refine (learn, adapt).
Links

• The HIPAA Security Rule
  • http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• NIST 800-66: Guide to Implementing the HIPAA Security Rule
  • http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
• NIST 800-53: Recommended Security Controls
  • http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
• NIST 800-53A: Guide for Assessing Security Controls
  • http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
• NIST HIPAA Security Rule Toolkit
  • http://scap.nist.gov/hipaa/
• NIST Templates (email me)