Operating System Approaches to HIPAA Compliance. Randall J. Sandone President & CEO Argus Systems Group. Agenda. Overview of HIPAA Security Assurance Requirements Evolving Computing Architectures Limitations of Traditional Security Methods Operating System Security Solutions
Operating System Approaches to HIPAA Compliance
Randall J. Sandone, President & CEO, Argus Systems Group

Agenda
• Overview of HIPAA Security Assurance Requirements
• Evolving Computing Architectures
• Limitations of Traditional Security Methods
• Operating System Security Solutions
• Benefits of Certified, High-Assurance Systems

HIPAA Security Requirements
• Provides for Access Controls, Audit Controls, Authorization Controls, and Data & Entity Authentication
• To guard integrity, confidentiality, and availability of patient data and medical records
• Combination of policies, procedures, and technology implementation & management
• Provides for civil and criminal penalties for failure to comply; breaches to compliance

Evolving Computing Landscape
• Collaborative Environments
    • Need for dispersed groups of individuals to gain access and modification rights to data and network resources
• Classes of Data and Users
    • Patient records and histories, laboratory results, financial and insurance information all need to be accessed by specific and different groups of people
    • Ensure segregation of data while maintaining economies of server/application consolidation

Evolving Computing Landscape
• Open Networks
    • Concept of “insiders” has been extended to employees, partners, clients, patients
    • Everyone’s an insider and has potential to access sensitive data and computing resources!
• Multi-Networked Machines
    • Complex network architectures have led to persons and systems requiring access to more than one network
    • Public networks connected to machines connected to private internal networks

Evolving Computing Landscape
• Multiple Use Machines
    • Server consolidation trend allows realization of significant economic benefits
    • Also raises security issues related to corruption of data and interaction between multiple applications

Limitations of Traditional Approaches
• Perimeter Defenses
    • Who’s an Insider? Who’s an Outsider?
    • Where is the Perimeter?
    • What Happens Once Inside the Perimeter?

Limitations of Traditional Approaches
• System Monitoring
    • What’s Acceptable Use?
    • How to Compensate for Collaboration?
    • How to Deal with Flood of Data?
    • New patterns of attacks, viruses, application holes introduced daily!
    • Monitoring Doesn’t Halt Activity!

Limitations of Traditional Approaches
• “Patch and Pray”
    • Patch applications “as soon as patches are released”
    • Ex post facto protection!
    • What protects against new holes?
    • How to effectively manage patch compatibility and updates to applications?

A New Approach Is Needed
• Minimal (if any) reliance upon system activity monitoring
• No reliance on foreknowledge of holes or patch updates
• Extend from network connections to data resources
• Ability to enforce security policy on all users (even administrators)
• Ability to differentiate and segregate classes of users and classes of data

What Is This New Approach?
• Operating System Level Security
• Secure Application Environments

What is OS Security?
• New security features and functionality added to standard operating systems
• Control application access to files, networks, and other applications
• Applies regardless of who the user is or how they attempt access
• Cannot be overridden by any means or process
• Security at the point of decision

OS Security and HIPAA
• Solves a variety of HIPAA requirements
    • Access Controls
    • Audit Trails
    • Data Authentication
    • Prevention of Unauthorized Access to Electronic Records

Access Controls
• Mandatory Access Controls
• Ensure Authorized Users cannot perform Unauthorized Activities
• Allows for division of Administrative Responsibility
• Admins can be prevented from accessing any data
• No one user can have total control
• Cannot be circumvented by any means
• Delivers high-assurance protection

Audit Trails
• Reduced information within audit trails
• No need to monitor all activities, look for patterns, match signatures
• Records can be protected from access or modification by OS-level controls
• Can log user information, access information, date and time stamp

Data Authentication
• No file, program, or command can be surreptitiously accessed, modified, or executed
• No Trojan Horse or backdoors can be implanted
• A priori virus protection

Protection of Networked Information Assets
• Controls extend from network level through to data resources
• Can be configured to disallow information dissemination based on entry, exit point
• Can ensure read-only traffic based on entry, exit point

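A small model of the label-based checks described in the Access Controls, Audit Trails and Protection of Networked Information Assets slides, added here as an illustration; it is not Argus Systems Group code or any product's API. The compartment names, entry-point names, users and the `check_access` function are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Subject:
    user: str
    uid: int                 # 0 = administrator; deliberately ignored by the policy
    compartments: frozenset  # data classes this process is cleared for
    entry_point: str         # network the session arrived on

@dataclass(frozen=True)
class Resource:
    name: str
    compartment: str         # data class label attached to the object

# Constructed policy: operations each network entry point may carry.
ENTRY_POINT_OPS = {"internal": {"read", "write"}, "public": {"read"}}

AUDIT_LOG = []  # in a real system the log is itself a labelled, protected object

def check_access(subj, res, op):
    """Mandatory decision: labels and entry point only, never uid or ownership."""
    if res.compartment not in subj.compartments:
        verdict, reason = "deny", "compartment"
    elif op not in ENTRY_POINT_OPS.get(subj.entry_point, set()):
        verdict, reason = "deny", "entry-point"
    else:
        verdict, reason = "allow", "policy"
    # Audit record: user information, access information, date and time stamp.
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": subj.user, "entry": subj.entry_point, "op": op,
                      "object": res.name, "verdict": verdict, "reason": reason})
    return verdict == "allow"

def demo():
    chart = Resource("patient/1001/chart", "clinical")
    claim = Resource("billing/1001/claim", "financial")
    nurse = Subject("nurse_a", 1201, frozenset({"clinical"}), "internal")
    biller = Subject("biller_b", 1305, frozenset({"financial"}), "internal")
    root = Subject("root", 0, frozenset({"system"}), "internal")
    portal = Subject("portal_svc", 1400, frozenset({"clinical"}), "public")
    return {"nurse_reads_chart": check_access(nurse, chart, "read"),
            "nurse_reads_claim": check_access(nurse, claim, "read"),
            "biller_writes_claim": check_access(biller, claim, "write"),
            "root_reads_chart": check_access(root, chart, "read"),
            "portal_reads_chart": check_access(portal, chart, "read"),
            "portal_writes_chart": check_access(portal, chart, "write")}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The administrator is denied because the decision never consults `uid`, and the public-facing service can read but not write because its entry point carries only read operations.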
Benefits of Operating System Security
• Reduces risk in new architectures
• Protects where other approaches are deficient – ‘point of decision’
• Satisfies multiple HIPAA requirements with one solution
• Allows realization of cost economies
• Demonstrates due care
• Reduces liability concerns

Benefits of Certified, High-Assurance
• US government NIAP – credibility!
• Scalable security criteria
• Independent validation & verification
• Stringent certification testing
• Demonstrates due care
• Reduce/mitigate legal liabilities
• Basis for lower insurance premiums
• Easy ‘pass-through’ requirement to partners

Questions? Thank You!