
NIST HIPAA Security Rule Toolkit

NIST HIPAA Security Rule Toolkit. Association of American Medical Colleges (AAMC) February 15, 2012. Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology. NIST’s Mission.




Presentation Transcript


  1. NIST HIPAA Security Rule Toolkit Association of American Medical Colleges (AAMC) February 15, 2012 Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology

  2. NIST’s Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology … in ways that enhance economic security and improve our quality of life. (Photo credits: R. Rathe; NIST)

  3. NIST Laboratories
  • NIST’s work enables: science; technology innovation; trade; public benefit
  • NIST works with: industry; academia; government agencies; measurement labs; standards organizations

  4. Computer Security Division A division within the Information Technology Lab, CSD conducts research, development and outreach necessary to provide standards and guidelines, mechanisms, tools, metrics and practices to protect information and information systems.

  5. Types of NIST Publications
  • Federal Information Processing Standards (FIPS): developed by NIST; approved and promulgated by the Secretary of Commerce. Per FISMA, compulsory and binding for all federal agencies and not waiverable. Voluntary adoption by non-Federal organizations (e.g., state, local and tribal governments; foreign governments; industry; academia)
  • Special Publications (SP 800 series): per OMB policy, Federal agencies must follow NIST guidelines. Voluntary adoption by non-Federal organizations
  • Other security-related publications: NIST Interagency Reports

  6. PROCESS OVERVIEW: A Framework for Managing Risk (the NIST Risk Management Framework diagram)
  • Starting point, Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
  • Starting point, Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations
  • Step 1 CATEGORIZE Information System • Step 2 SELECT Security Controls • Step 3 IMPLEMENT Security Controls • Step 4 ASSESS Security Controls • Step 5 AUTHORIZE Information System • Step 6 MONITOR Security Controls (repeat as necessary)

  7. Agenda • HIPAA Security Rule Overview • Toolkit Project • Content Development • The Toolkit Application • Additional Information

  8. HIPAA Security Rule (HSR) Overview • The HSR establishes national standards for a covered entity to protect individuals’ electronic protected health information (ePHI)

  9. HSR Overview
  • Who? From a nationwide health plan with vast resources … to small provider practices with limited access to IT expertise and resources
  • What? Standards and implementation specifications covering basic practices, security failures, risk management, and personnel issues
  • How? It depends … on the size and scale of your organization

  10. HSR Toolkit Project • The purpose of this toolkit project is to help organizations better understand the requirements of the HIPAA Security Rule (HSR), implement those requirements, and assess those implementations in their operational environments

  11. HSR Toolkit Project
  • What it IS …
    • A self-contained, OS-independent application to support various environments (hardware/OS)
    • Support for security content that other organizations can reuse over and over
    • A useful resource among a set of tools and processes that an organization may use to assist in reviewing its HSR risk profile
    • A freely available resource from NIST
  • What it is NOT …
    • It is NOT a tool that produces a statement of compliance
    • NIST is not a regulatory or enforcement authority
    • Compliance is the responsibility of the covered entity

  12. Intended Uses of the HSR Toolkit
  • Supplement existing risk assessment processes conducted by Covered Entities and Business Associates
  • Assist organizations in aligning security practices across multiple operating units
  • Serve as input into an action plan for HSR security implementation improvements

  13. HSR Toolkit Project • The Toolkit project consists of three parallel efforts, run over multiple iterations: Content Development, Security Automation, and Desktop Application Development

  14. Content Development • Using the HIPAA Security Rule and NIST Special Publications (SP 800-66, SP 800-53, SP 800-53A), we developed questions designed to assist in the implementation of the Security Rule. Each specific question maps to the HIPAA Security Rule § it addresses.

  15. Content Development
  • Question HSR.A53: Has your organization established chains of command and lines of authority for work force security?
  • Maps to §164.308(a)(3)(ii)(A), Authorization and/or supervision (Addressable): Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
  • Response type: Boolean. If yes, a follow-up question: do you have an organizational chart? If no, provide explanation text.

  16. Content Development • This effort has resulted in two sets of questions: an “Enterprise” set with nearly 900 questions and a “Standard” set with about 600 questions (a subset), with dependency and parent-child relationship mappings, covering all HSR standards and implementation specifications

  17. Content Development

  18. Security Automation
  • Utilizing standards-based security automation specifications, such as XCCDF (Extensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language) and OCIL (Open Checklist Interactive Language), to implement those questions in a toolkit application that is “loosely coupled” from the content
  • Enables existing commercial tools that process security automation content to use the content (not locked down to the NIST application)
  • Provides consistent and repeatable processes
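
Slides 15 and 18 together describe the mechanism: a question is encoded as a boolean OCIL item whose “yes” branch leads to a child question and whose “no” branch records a finding, and any OCIL-aware tool can evaluate that content. The following is an added example, not the toolkit’s own content or code, showing what such a file looks like and how a loosely coupled checker walks it. The OCIL document is constructed for this example (the `example.hsr` identifier namespace is hypothetical, and the file is not schema-validated); element and attribute names follow the OCIL 2.0 schema as I understand it, and the evaluator is my own code rather than the toolkit’s engine.

```python
"""Walk a minimal OCIL 2.0 questionnaire and compute its result.

The OCIL document below is constructed for this example and is NOT
content from the NIST HSR Toolkit; it encodes the slide-15 question
HSR.A53 as a boolean question whose "yes" branch chains to a follow-up
question and whose "no" branch fails.  The evaluator is example code.
"""
import xml.etree.ElementTree as ET

NS = {"ocil": "http://scap.nist.gov/schema/ocil/2.0"}
BOOLEAN_ACTION = "{%s}boolean_question_test_action" % NS["ocil"]

# Constructed sample content; ids under "example.hsr" are hypothetical.
SAMPLE_OCIL = """<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <generator><schema_version>2.0</schema_version>
    <timestamp>2012-02-15T00:00:00</timestamp></generator>
  <questionnaires>
    <questionnaire id="ocil:example.hsr:questionnaire:1">
      <title>164.308(a)(3)(ii)(A) Authorization and/or supervision</title>
      <actions operator="AND">
        <test_action_ref>ocil:example.hsr:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:example.hsr:testaction:1"
        question_ref="ocil:example.hsr:question:1">
      <when_true><test_action_ref>ocil:example.hsr:testaction:2</test_action_ref></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:example.hsr:testaction:2"
        question_ref="ocil:example.hsr:question:2">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:example.hsr:question:1">
      <question_text>HSR.A53 Has your organization established chains of
        command and lines of authority for work force security?</question_text>
    </boolean_question>
    <boolean_question id="ocil:example.hsr:question:2">
      <question_text>Do you have an organizational chart?</question_text>
    </boolean_question>
  </questions>
</ocil>
"""


def _evaluate_action(action_id, actions, answers, seen):
    """Resolve one test action to PASS / FAIL / NOT_TESTED / ERROR.

    answers maps question id -> bool.  A branch carries either a <result>
    or a <test_action_ref> to a child action (the parent-child mapping the
    slides mention).  `seen` guards against reference cycles in bad content.
    """
    if action_id in seen or action_id not in actions:
        return "ERROR"
    action = actions[action_id]
    if action.tag != BOOLEAN_ACTION:
        return "ERROR"  # only boolean questions are modelled in this example
    qid = action.get("question_ref")
    if qid not in answers:
        return "NOT_TESTED"  # unanswered question, no verdict yet
    branch = action.find("ocil:when_true" if answers[qid] else "ocil:when_false", NS)
    if branch is None:
        return "ERROR"
    result = branch.find("ocil:result", NS)
    if result is not None:
        return result.text.strip()
    ref = branch.find("ocil:test_action_ref", NS)
    if ref is None:
        return "ERROR"
    return _evaluate_action(ref.text.strip(), actions, answers, seen | {action_id})


def _combine(results, operator):
    """Fold child results: AND needs every PASS, OR needs a single PASS."""
    if operator == "OR":
        if "PASS" in results:
            return "PASS"
        if results and all(r == "FAIL" for r in results):
            return "FAIL"
    else:  # AND (the OCIL default)
        if results and all(r == "PASS" for r in results):
            return "PASS"
        if "FAIL" in results:
            return "FAIL"
    return "NOT_TESTED" if "NOT_TESTED" in results else "ERROR"


def evaluate(xml_text, answers):
    """Return {questionnaire id: result} for the supplied answers.

    ElementTree is fine for content you authored; OCIL received from a
    third party should be parsed with defusedxml (entity expansion, XXE).
    """
    root = ET.fromstring(xml_text)
    actions = {a.get("id"): a for a in root.find("ocil:test_actions", NS)}
    outcome = {}
    for qn in root.find("ocil:questionnaires", NS):
        acts = qn.find("ocil:actions", NS)
        refs = [r.text.strip() for r in acts.findall("ocil:test_action_ref", NS)]
        results = [_evaluate_action(r, actions, answers, frozenset()) for r in refs]
        outcome[qn.get("id")] = _combine(results, acts.get("operator", "AND"))
    return outcome


if __name__ == "__main__":
    q1, q2 = "ocil:example.hsr:question:1", "ocil:example.hsr:question:2"
    for answers in ({q1: True, q2: True}, {q1: False}, {q1: True, q2: False}, {q1: True}):
        print(answers, "->", evaluate(SAMPLE_OCIL, answers))
```

The point of the “loosely coupled” design is visible in `evaluate`: nothing in it knows about HIPAA, only about OCIL structure, so the same walker handles any questionnaire and the same content can be consumed by any other OCIL processor. Note that an unanswered question yields NOT_TESTED rather than a pass, which matters when a questionnaire result is presented as evidence in a risk assessment.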

  19. Associated HSR Toolkit Resources
  • A comprehensive User Guide
  • Examples of how to use and operate the Toolkit
  • Partner entities that are assisting in defining functionality and usability: a state Medicaid office; a specialty clearinghouse; a community hospital; a non-profit regional hospital

  20. Toolkit: Download the Application

  21. Toolkit: Create a Profile

  22. Toolkit: Organized by Safeguard Family

  23. Toolkit: Explore the Application Interface (screenshot callouts: Selected Question, References, Navigation Menu, Responses, Flag Level, Attachments, Comments, Progress Bar)

  24. Toolkit: Answer Questions

  25. Toolkit: Generate Reports

  26. PROCESS OVERVIEW: A Framework for Managing Risk (the Risk Management Framework diagram from slide 6 shown again: Step 1 CATEGORIZE Information System; Step 2 SELECT Security Controls; Step 3 IMPLEMENT Security Controls; Step 4 ASSESS Security Controls; Step 5 AUTHORIZE Information System; Step 6 MONITOR Security Controls; repeat as necessary)

  27. Useful Resources
  • HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa
  • Computer Security Resource Center (CSRC): http://csrc.nist.gov
  • NIST Information Security Standards and Guidelines: http://csrc.nist.gov/publications/index.html

  28. Questions

  29. Thank You Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Computer Security Resource Center: http://csrc.nist.gov HSRtoolkit@nist.gov
