Presented to OUHSC Policies and Procedures Workshop IT Information Security Services

Uploaded by ira on 10-Jan-2016

Slide 1

Presented to OUHSC Policies and Procedures Workshop

IT Information Security Services

Why is Information Security important to you?

What would happen if you lost the use of your computer or information for 1 day, 1 week, forever?

Information Security can help protect your computer and data from cyber threats. Our goal is to keep you safe online by showing you how to protect your information from common threats.

Agenda:
Information Security Program
Business Value
Business Drivers
Managing Risk
Building Trust

Business Value of Information Security: Protection of mission critical information

Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information Security allows us to maintain important business affiliate agreements, such as secure email between business associates (St. Francis, etc.).

Protection of mission critical information:
Electronic Health Records
Credit Card Numbers
Student Records
Personally Identifiable Information

Information Security provides:
Confidentiality (information is disclosed only to those authorized)
Availability (information is accessible when required)
Integrity (information is accurate, authentic, complete and reliable)

Information Security provides the right data, to the right people, at the right time.

Business Value of Information Security: Maximize Business Opportunities

Business opportunity: $19.2 billion from ARRA (American Recovery and Reinvestment Act) incentives. Payments of $44,000 - $64,000 per physician to providers who:
Demonstrate proper implementation of EHRs
Compliance
Manage risks

Business opportunity: Electronic commerce
100,000 credit card transactions
$17,500,000 annual amount

Business Value of Information Security: Protection of mission critical information

In order to:
Minimize Risk
Support academic, research and health care business continuity and opportunities

Information Security allows us to maintain important business affiliate agreements:
VA and HCA Network Connectivity Agreements
Secure email transmission between HCA & OUHSC

Business value:
A reputation that took decades to build can be threatened by a single event.

Information Security: Business Drivers

Business Drivers:
Clinical systems (managed university computer, protected network)
Research systems (semi-managed computer, open network)
Business/Financial/Legal systems (managed university computer, protected network)
Classroom/library systems (managed and unmanaged computers, open network)
Student systems (unmanaged computer, open network)
Mobile systems (managed and unmanaged computer, open network)
Home systems (unmanaged computer, open network)
Criminal systems

Business Drivers: Our diverse IT environment
Different management, connectivity needs, risks. IT's a jungle out there!

Business Drivers: Increasing risks of doing business
Risks increase as threats, consequences, complexity and inter-dependencies increase for information systems.

Business Drivers: Regulations. The government responds:
HIPAA
Health Information Technology for Economic and Clinical Health (HITECH) Act
Payment Card Industry (PCI) Data Security Standard
eDiscovery Rules of Civil Procedure
State Data Breach Notification
FTC Red Flag Identity Theft Prevention
Family Educational Rights and Privacy Act (FERPA)

Regulations: HIPAA (Health Insurance Portability and Accountability Act)
Encourage use of Electronic Health Record (EHR)
Ensure the privacy and security of the EHR

HIPAA's requirements are meant to encourage healthcare organizations to move patient information handling activities from manual to electronic systems in order to improve security, lower costs, and lower the error rate.

For virtually all healthcare-related organizations (especially providers, payers and IT vendors), becoming HIPAA compliant will be a multi-year, large cost, institution-wide effort.

Failure to comply will result in significant monetary penalties and, in the case of patient privacy breaches, criminal penalties (100%).

HIPAA compliance is better focused as a business issue than as an IT issue, although IT will play a major role in implementing compliant systems.

Large and medium sized organizations will need a full-time high-level person to head the HIPAA compliance effort, and other FTEs will be required.

HIPAA: General Rules
Implement safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information (ePHI). Letting the good guys in and keeping the bad out.

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.

HIPAA: Security Categories
Administrative safeguards
Physical safeguards
Technical safeguards

HIPAA: Security Categories - Administrative safeguards:
Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity's workforce in relation to the protection of ePHI.

HIPAA: Administrative Safeguards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts and other arrangements

Administrative safeguards are designed to ensure formal policies for overseeing the implementation and management of security measures are established and implemented.

HIPAA: Administrative Safeguards - Security Management Process: Covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations. Its implementation specifications (R = required):
Risk analysis (R): Conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity and availability (CIA) of our ePHI.
Risk management (R): Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.
Sanction Policy (R): Apply appropriate penalties against workforce members who fail to comply with the entity's security policies and procedures.
Information system activity review (R): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident reports.

HIPAA: Security Categories - Physical safeguards:
Physical measures, policies, and procedures to protect a covered entity's electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

HIPAA: Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls

Physical safeguards are to ensure that the facilities where electronic information systems are stored are protected from intrusions and other hazards.

HIPAA: Security Categories - Technical safeguards:
The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

HIPAA: Technical Safeguards
Access Controls
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security

Technical safeguards ensure that only authorized access to ePHI is permitted, through the creation of firewalls and passwords, among other things.

HIPAA's mandates will require updates of all information systems that use or collect patient data and will require the introduction of new features and functions.

Information Security: HIPAA/HITECH Update
Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act. Incentives go to providers who:
Demonstrate proper implementation of EHRs
Compliance
Manage risks

Information Security: HIPAA/HITECH Update
HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA)
Enacted on February 17, 2009
Compliant on February 17, 2010

Health Information Technology for Economic and Clinical Health (HITECH) Act: Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (enacted on February 17, 2009; compliant on February 17, 2010).

Information Security: HIPAA/HITECH Update
Goal: Encourage the adoption of electronic health records (EHRs) through incentive payments to physicians

HITECH affects HIPAA. HITECH directly regulates business associates for the first time:
Not subject to privacy notices
Requires business associates to comply with the HIPAA security rule provisions
Includes restrictions on the use and disclosure of protected health information
Effective one year after HITECH's enactment (Feb. 17, 2010)

Information Security: HIPAA/HITECH Update - Penalties
Establishes a tiered system of civil penalties
Civil penalties on a covered entity if the violation is due to willful neglect
Covered entities may not know it violated HIPAA
Current max. penalty of $100 per violation, up to $25,000 per year for each type of violation
Violation due to reasonable cause: $1,000 / $100,000
Violation due to willful neglect: $500,000 / $1.5 million

HITECH Act (effective immediately): Breach notification (for unsecured PHI)

You are required to notify each individual affected by a security breach. Breach: the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Effective immediately:
You are required to notify each individual affected by a security breach by mail, or if specified as preference, by email.
If you don't have contact information for that individual, you may be required to post notice of the breach on your website, in newspapers, or other broadcast media.
For breaches involving more than 500 residents in one area, you must notify a prominent media outlet.
You must also contact the Department of Health and Human Services. HHS is establishing a website listing these breaches.

Information Security: HIPAA/HITECH Update - Breach Notification
Notify individuals without unreasonable delay
500 individuals in a state: prominent media outlets
Notify HHS (listed on their website)

Information Security: HIPAA/HITECH Update - "unsecured PHR identifiable information":
Identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary's guidance.

HITECH Act (encryption and destruction): Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
Encryption
Destruction

See the NIST standards SP 800-111, Guide to Storage Encryption Technologies for End User Devices, and SP 800-88, Guidelines for Media Sanitization.

Information Security: PCI DSS - Payment Card Industry Data Security Standards (PCI DSS)
Technical and operational requirements
Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS
Non-compliance: large fines, legal contract breach, loss of ability to accept payments via credit cards

Card brands: American Express, Discover, JCB International, MasterCard, VISA
The standard was introduced in 2004
Merchant compliance to be complete by June 2005
Compliance date was extended to June 2007

Payment Card Industry Data Security Standard (PCI-DSS): Annual assessment process required for 100+ business units on OUHSC and Tulsa campuses

PCI DSS Requirement 1.1: Establish firewall and router configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall and router configurations. A policy and process for approving and testing all connections and changes to the firewalls and routers will help prevent security problems caused by misconfiguration of the network, router, or firewall.
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks

Regulations: What do they all have in common?
Adopt security to minimize risks to Information

Managing Risk

Managing Risk: Risk = Vulnerability + Threat + Impact

What is a Vulnerability?

Managing Risk: Vulnerability
Error in the programming code inside an application
Improperly configured system settings
Minimally implemented security controls
Weak or easily guessed passwords
Lack of security awareness among computer users

Risk Management: Software vulnerabilities. 484 vulnerabilities identified in 1 month.

These stats are from the National Vulnerability Database, sponsored by the National Institute of Standards and Technology and the Office of Homeland Security.

Question: Do you know if your servers and workstations are running the latest software security patches, for the operating system and all software applications?

You can use MS Internet Explorer > Tools > Windows Update to check whether your computer has the latest MS security patches.

Several years ago we had several distance education programs and some College of Medicine servers that were knocked out by a vulnerability that had a patch available for months, but they had neglected to apply the patch. (September 2006; severity level: High or Medium; exploited remotely.)

Common threats

Managing Risk: Threats
Viruses, worms, and other malware
Malicious persons outside the organization
Insiders with approved access to systems
Denial of Service attacks
Social Engineering

Managing Risk: Threat - Malicious code
134,625 viruses detected at gateway
7,876 at desktop
1st quarter of FY10

Managing Risk: Threat - Malicious software from the web
Malicious software downloads from the web: Spyware, Trojan Horse, Key Loggers
1 in 10 web sites attempt to download software without permission

OUHSC Threat Level: Spyware and other malicious software from the web may be the most prevalent threat to our desktop computers. Note that 1 in 10 web sites attempt to download software without your permission or knowledge. These programs can spy on you. Key loggers watch as you type and send back passwords to a remote computer on the Internet. Trojan Horse programs can remotely control your computer from the Internet.

What are some Safe Practices for use of the Internet?

Managing Risk: Organizational Risks
Compromise of critical data
Destruction of critical data
Breach of compliance
Loss of access
Costly recovery efforts
Damage to reputation

Data loss: hardware failure, theft, accidental deletion, fire, tornado, flood

Managing Risk: Data breaches (up 69% in 2008)

Managing Risk: Data breach costs
$202 per compromised record
$282 per compromised healthcare record

Mobile Devices: Minimize Risks
Limits on stored data
Passwords
Encryption

Laptops and PDAs such as iPhones and Blackberry devices introduce a greater risk. Because these devices leave the protected network, they lose much of the defense in depth security. Other controls, such as limitations on data stored on these devices and required encryption, ensure these devices are protected.

Action items (review Portable Computing Device Security):
PCDs should not be used to store Sensitive Data unless the data is encrypted.
PCDs that connect to the OU network or store OU data must use a device password.
PCDs that store Sensitive Data must use encryption.
Appropriate physical security measures should be taken to prevent theft of PCDs and their media or data.
Report the theft or loss of a PCD containing Sensitive Data with this form.

Review and modify HIPAA Privacy Policies Safeguards. Review and modify the current policies and standards:
Access to Sensitive Data
Business Associate Contracts
Electronic Data Disposal
Portable Computing Device Security
Transmission of Sensitive Data
Transportation of Media

Defense in Depth - Managing Risk: Best Practices
Implement a multi-tiered security architecture
Layered Network Security - Zones of Trust
Classify and protect data based on risk

Implement a multi-tiered approach to security by creating security protocols at various levels of system architecture. Classify and protect data based on the criticality of and cost of its loss or exposure. Install compensating or tertiary controls to prevent any one single point of failure.

Building Trust: Layered Network Security - Zones of Trust

Subzones Position: Should the organization create subzones within zones? (choose only one)

IF business, contractual, or regulatory requirements mandate that certain information or systems be separated from other systems in the same zone,
OR IF enabling connectivity among all the systems in the zone would exceed risk aggregation thresholds,
THEN create subzones.

OTHERWISE do not create subzones.

IF the organization has a set of systems that is not required to accept connections directly from the untrusted zone and that should only be used by known, relatively trusted users or systems, THEN create a trusted zone.

IF the organization has systems that should only be available to a subset of employees OR that contain especially sensitive information or capabilities, THEN create a restricted zone.
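The zone and subzone rules above, applied to a constructed inventory as an added example (not code from the presentation or from OUHSC). The risk scores, the aggregation threshold and the "semi-trusted" name for systems that must face the untrusted zone are assumptions made here; the deck only states the rules.

```python
# Added example: the deck's zones-of-trust IF/THEN rules applied to a constructed inventory.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: summed risk a single (sub)zone may carry before connectivity "would exceed risk aggregation thresholds".
RISK_AGGREGATION_THRESHOLD = 12


@dataclass
class System:
    name: str
    accepts_untrusted: bool      # must accept connections directly from the untrusted zone
    known_users_only: bool       # used only by known, relatively trusted users or systems
    employee_subset_only: bool   # available only to a subset of employees
    especially_sensitive: bool   # especially sensitive information or capabilities
    risk_score: int              # constructed 1-10 score (assumption, not a deck metric)
    separation_tag: Optional[str] = None  # mandated separation, e.g. "PCI"


def assign_zone(s: System) -> str:
    """Zone rules from the deck; the restricted rule is checked first as the stricter one."""
    if s.employee_subset_only or s.especially_sensitive:
        return "restricted"
    if not s.accepts_untrusted and s.known_users_only:
        return "trusted"
    # Assumption: the deck does not name the zone for systems that must face
    # the untrusted zone; "semi-trusted" is used here.
    return "semi-trusted"


def needs_subzones(systems: List[System]) -> bool:
    """Subzones position: mandated separation OR risk aggregation exceeded."""
    mandated = any(s.separation_tag for s in systems)
    aggregated = sum(s.risk_score for s in systems) > RISK_AGGREGATION_THRESHOLD
    return mandated or aggregated


def build_subzones(systems: List[System]) -> List[List[str]]:
    """Subzone membership for one zone: each mandated tag gets its own subzone,
    the rest are packed (largest risk first) so no subzone exceeds the threshold."""
    if not needs_subzones(systems):
        return [[s.name for s in systems]]           # OTHERWISE: no subzones
    tagged: Dict[str, List[str]] = {}
    for s in systems:
        if s.separation_tag:
            tagged.setdefault(s.separation_tag, []).append(s.name)
    packed: List[List] = []                           # [running_risk, [names]]
    rest = sorted((x for x in systems if not x.separation_tag), key=lambda x: -x.risk_score)
    for s in rest:
        for bucket in packed:
            if bucket[0] + s.risk_score <= RISK_AGGREGATION_THRESHOLD:
                bucket[0] += s.risk_score
                bucket[1].append(s.name)
                break
        else:                                         # no bucket had room
            packed.append([s.risk_score, [s.name]])
    return list(tagged.values()) + [names for _, names in packed]


def plan_zones(inventory: List[System]) -> Dict[str, List[List[str]]]:
    """Group the inventory by zone, then decide subzones per zone."""
    zones: Dict[str, List[System]] = {}
    for s in inventory:
        zones.setdefault(assign_zone(s), []).append(s)
    return {zone: build_subzones(members) for zone, members in zones.items()}


# Constructed inventory loosely modelled on the deck's "Business Drivers" slides.
INVENTORY = [
    System("ehr-db", False, True, True, True, 9),
    System("hr-payroll", False, True, True, False, 6),
    System("card-payment-gw", True, False, False, True, 8, "PCI"),
    System("research-fileshare", False, True, False, False, 4),
    System("dept-print-server", False, True, False, False, 2),
    System("library-catalog-web", True, False, False, False, 3),
    System("student-portal-web", True, False, False, False, 5),
]
```

Running plan_zones(INVENTORY) puts the PCI gateway in its own restricted subzone and splits the remaining restricted systems because their summed risk (15) exceeds the threshold, while the trusted and semi-trusted zones stay single.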

Solution Approach

Define a consistent policy: By defining a consistent policy for each set of resources with similar requirements (for communication and protection), an enterprise can increase the efficiency and effectiveness of business appropriate protection functions.

Group resources according to policy: As IT environments, threats, attacks and the network topologies in which they exist have become more complex, the need for explicitly grouping resources in terms of their communication and protection requirements has increased.

Zones Support Layered Application Architectures

Managing Risk: Best Practices
Secure network resources
Patch computer systems
Educate computer users

Secure network resources by identifying and implementing appropriate safeguards. Patch computer systems to ensure security flaws are corrected in the application. Educate computer users by creating an awareness program that outlines and advises users on all facets of Information Security.

Information Security - Programs and Services:

Risk Management

Regulatory Compliance

Policy Development

Training Education and Awareness

Disaster Recovery and Business Continuity

Incident Management

Risk Management processes:
A. Identify information assets
B. Classify
C. Assess risks
D. Mitigate risks

Risk Management process examples: C. Assess risks
Network vulnerability scanning
Technology Product Review http://it.ouhsc.edu/forms/purchasereview.asp
Business Impact Assessments (BIA)
PCI Self Assessment Questionnaire (SAQ)

Risk Management process examples: D. Mitigate risks
Technology: Layered Network Security Architecture
Perimeter firewall
Data center firewall
Secure data center for Sensitive information
Gateway and desktop anti-virus
Email encryption

Risk Management process examples: D. Mitigate risks
People: Training Education and Awareness
Process: Policies and Procedures

Regulatory Compliance: HIPAA is only the tip of the regulatory iceberg
Health Information Technology for Economic and Clinical Health (HITECH) Act
Payment Card Industry Data Security Standard (PCI-DSS)
State Breach Notification
eDiscovery / Preservation of ESI
FTC Red Flag Rules for Identity Theft
FDA Rule on Electronic Records (21 C.F.R. Part 11)
Federal Information Security Management Act (FISMA)
State of Oklahoma Security Policy
State HB for Risk Assessment
National Institute of Standards
Gramm Leach Bliley (GLB) Act
FERPA

Holistic approach to regulatory compliance:
Understand business value and drivers
Determine applicable regulations/best practices
Find the Gaps
Develop a holistic treatment plan

Understand our business drivers: health care, education, research. Identify key factors to maintain organizational health: what are the mission critical information systems that keep the business running? Determine applicable regulations and best practices: what do they all have in common? Find the Gaps: a risk assessment examining existing practices, policies, procedures and systems. Develop a treatment plan that considers all factors: one set of high level organizational policies that covers all regulations, with flexibility for different business units.

Provide business value. Understand our business drivers. Take a holistic approach to a multiplicity of regulations: good information security is good HIPAA security is good FERPA security is good PCI security. One size does not fit all.

Begin with assessment of organizational risks.

Policy Development: Following organization policies and best practices = regulatory compliance. http://it.ouhsc.edu/policies/

Business manager view: http://it.ouhsc.edu/policies/fordataowners_busadmins.asp

IV. Training Education and Awareness Program
HIPAA online courses
New employee orientations
New resident orientations
New student orientations
IRB Education day
Cyber Security day
Departmental presentations

V. Disaster Recovery and Business Continuity
Annual Disaster Recovery Plan for OSF
National Incident Management System (NIMS), Incident Command System (ICS) Tabletop Exercise (TTX)
Business Impact Assessment for key areas

VI. Incident Management
Detection
Response
Reporting
Remediation

Information Security Incident Reporting Procedures: http://it.ouhsc.edu/services/infosecurity/IncidentReporting.asp

Consider your risk: Where is your information stored? Is it safe from common threats?

Action items: Review current technologies that can protect (encrypt) data; this includes:
Data in motion (data that is moving through a network, including wireless transmission)
Data at rest (data that resides in databases, file systems, and other structured storage methods)
Data in use (data in the process of being created, retrieved, updated, or deleted)
Data disposal (discarded paper records or recycled electronic media)
Create procedure and log to document breaches (if necessary)

Information Security: Safe Practice - Follow Policies. Follow policies to help protect your data.
Technology Purchase Review http://it.ouhsc.edu/forms/purchasereview.asp
See http://it.ouhsc.edu/policies/

Information Security Services Staff: Greg Bostic, Randy Moore, Steve Payne, Bryan Smith, Robyne Rhode

[email protected]
http://it.ouhsc.edu/services/infosecurity/

Questions?

The end.