Right Sizing the HIPAA Security Program

Laurie Leer, CISSP; Manager, Information Systems Security
Shana Chung, CISSP; Director, Contract Management (HIPAA Compliance, Definition & Evaluation)
An Independent Licensee of the Blue Cross Blue Shield Association
Introductions and Agenda
• HIPAA Security Standards = Project Requirements
• Covered Entity Deliverables
• Risk Assessment: Key to Sizing the HIPAA Security Program
• Right Sizing
• Risk Assessment: Getting Started
• Sample Risk Assessment Summary
• Risk Assessment as a Tool to Size a HIPAA Security Program
• Right Size = Reasonable and Appropriate
• Survey Results
• Conclusions
HIPAA Security Standards = Project Requirements
• Standards define project scope and approach
  – Applies to electronic protected health information (EPHI). A covered entity must:
    • ensure the confidentiality, integrity, and availability of all EPHI it creates, receives, maintains or transmits
    • protect against any reasonably anticipated threats or hazards to the security or integrity of such information
    • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
    • ensure compliance with this subpart by its workforce
• The standards define required deliverables
  – Standards describe high-level deliverables
    • Policies, procedures, periodic reviews, etc.
  – Specifications describe required content
    • e.g., “Procedures to regularly review records of system activity”
Covered Entity Required Deliverables
• Document how the covered entity (CE) met each specification
  – Criteria evaluated in choosing a solution for a given specification [164.306(b)]
    • Factors from 164.308(a)(1) (covered later)
    • Organizational and environmental factors
    • Contracts or superseding state law
    • Other constraints
  – Solution implemented
    • Solution description
    • Policies and procedures to maintain the solution
    • Audit trails or other mechanisms to assure ongoing effectiveness and workforce compliance
  – Required vs. addressable specifications
    • Required specifications must be implemented as stated
    • An addressable specification must be implemented, or the CE must document why it was not and the equivalent measures implemented
Risk Assessment: Key to Sizing a Security Program
• 164.308(a)(1) requires CEs to:
  – Conduct accurate and thorough assessments of the potential risks to EPHI and the confidentiality, integrity, and availability vulnerabilities held by the CE
  – Implement security measures to reduce risks and vulnerabilities to comply with §164.306(a)
• Risk is a compound value or judgment based on the following:
  – Threat
  – Vulnerability to the threat
  – Probability of exploiting the vulnerability
  – Cost or other adverse effect if successfully exploited
• Apply sound business judgment
  – Absolute security doesn’t exist
  – Management may make an informed judgment to accept risk
“Accurate and Thorough” Right Sizing
• 164.306(b) instructs us to consider:
  – (i) The size, complexity, and capabilities of the covered entity
  – (ii) The covered entity's technical infrastructure, hardware and software security capabilities
  – (iii) The costs of security measures
  – (iv) The probability and criticality of potential risks to EPHI
• HIPAA Security program should scale against 164.306(b)
  – Number of different EPHI stores the organization has
  – Size and/or location of the workforce
  – Number of different EDI connections or Web services transporting EPHI
  – Robustness of the baseline security program
• How “probable and critical” are more organization-specific
  – What EPHI is critical to the organization’s mission or operations?
  – What security and privacy risks have been identified?
“Reasonable and Appropriate” Right Sizing
• What is a “reasonable and appropriate level” of risk and vulnerability?
  – Common practices for similar organizations
  – Case law
  – Source documents for HIPAA Security Rules
    • NIST http://csrc.nist.gov/publications/nistpubs/index.html
    • OMB Circulars http://www.whitehouse.gov/omb/circulars/index.html
    • Mapped standards in the 1998 Draft Rules: ASTM, ANSI, IEEE, ISO, etc.
• Common practices for similar organizations
  – Common practices are both human and technical
  – Similar organizations = similar business model and workforce size
• Case law
  – “Reasonable person” standards have developed in other areas of law
  – TriWest Healthcare Alliance suit
  – National Academy of Science study (2002) recommends laws that hold system operators liable for security breaches
“Reasonable and Appropriate” Right Sizing (cont.)
• Some guidance available in NIST’s “Generally Accepted Principles and Practices for Secure Information Technology Systems”
  – “Risk management requires the analysis of risk, relative to potential benefits, consideration of alternatives, and, finally, implementation of what management determines to be the best course of action.”
  – “Management needs to decide if the operation of the IT system is acceptable, given the kind and severity of remaining risks.”
• The ‘best course of action’ decision should occur at the right management level
  – If potential costs are known: the approving manager should have authority for that amount
  – If costs can’t be estimated: approval comes from the manager with responsibility over the system or vulnerable information
  – If the risk spans departments: approval comes from all affected department heads or the executive responsible overall
Risk Assessment: Getting Started
• Common elements of risk management
  – Formal, repeatable process
  – Reliable metrics and probability algorithms
  – Clear documentation and outputs
  – Adequate training for assessment personnel
  – Management authorization
• Missing link is often “metrics and probability”
  – Some data about number of incidents; very little predictive value
  – Available data focuses on hacker-style attacks. No reliable metric sources around internal threats and vulnerabilities
  – In many cases, management decisions are based on incomplete data
• Consider starting with the HIPAA Security Rules as assessment targets
  – Identify ‘reasonably anticipated threats’ affecting the organization’s ability to comply
  – Assess the organization’s degree of vulnerability to the identified threats
  – Use vulnerability data to set the scope of the HIPAA Security Program
Sample Risk Assessment Summary

Rule Standard: Implement policies and procedures to prevent, detect, contain and correct security violations

Threat 1
  Reasonably anticipated threat to compliance: Procedures for preventing or detecting violations may not be consistently followed by all personnel.
  Estimated probability of occurrence: High. Records for other interdepartmental procedures (HR notification, etc.) reflect several instances per week of inconsistent process.
  Estimated vulnerability to the threat: High. Current lack of security awareness results in violations of existing security standards and under-reporting of violations.
  Estimated risk to the organization: High. Undetected violations of security standards, either by personnel or during system development and configuration. Possible exposure to previously mitigated threats. Negative audit findings. Possible breach of contracts or statute. Cost of occurrence $0 to $5M.

Threat 2
  Reasonably anticipated threat to compliance: Containment and correction of violations may not be authorized by management if cost-benefit cannot be calculated.
  Estimated probability of occurrence: High. Management has consistently requested cost/benefit or ROI information before approving changes to systems and procedures.
  Estimated vulnerability to the threat: Low. When incident response procedures are followed correctly, the resulting documentation contains clear business rationale for corrective actions and the management decision to proceed or accept risk.
  Estimated risk to the organization: Low. Security incident reports go to personnel who are well trained on incident investigation and response. Resulting documentation should be sufficient to meet the standard.
Using Risk Assessment to Size the HIPAA Security Program
• Set scope
  – Zero probability is out-of-scope (e.g., if clearinghouse rules do not apply to your organization, you have no probability of being out of compliance with that rule)
  – Set work priority
    1. High probability and high cost of occurrence
    2. Medium probability and high cost of occurrence
    3. High probability and low cost of occurrence
    4. Low probability and high cost of occurrence
    5. All other combinations
• Define project plan and work schedule in priority order
  – Standardize work breakdown structures
    • Phases collect related groups of work (activities) along the critical path
    • Activities collect related tasks along the critical path
    • Milestones signal acceptance of major deliverables and completion of activities
    • Use a life cycle approach to activities
      » Requirements → Alternatives → Solution Selection → Build/Test → Deploy → Maintain
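The scope rule and the five-step priority scheme above, together with the compound risk factors (threat, vulnerability, probability, cost) from the "Risk Assessment: Key to Sizing" slide, can be turned into a small risk-register tool. The code below is an added example, not part of the presentation or of any tool the authors describe. The register entries are constructed: the first two mirror the two threats in the sample summary (their High/Low cost bands are an assumption, since the summary only states a dollar range for the first), and the remaining three are invented to exercise the out-of-scope and "all other combinations" cases.

```python
from dataclasses import dataclass

# Ordinal ratings used in the deck's sample summary. "Zero" is the
# out-of-scope case (the rule does not apply to the organization).
LEVELS = ("Zero", "Low", "Medium", "High")
COST_BANDS = ("Low", "Medium", "High")  # Medium is assumed; the deck names only High/Low

# Work-priority scheme from the "Set work priority" slide:
# (probability of occurrence, cost of occurrence) -> priority, 1 = do first.
PRIORITY_TABLE = {
    ("High", "High"): 1,
    ("Medium", "High"): 2,
    ("High", "Low"): 3,
    ("Low", "High"): 4,
}
OTHER_PRIORITY = 5  # "All other combinations"


@dataclass(frozen=True)
class RiskItem:
    standard: str       # HIPAA Security standard being assessed
    threat: str         # reasonably anticipated threat to compliance
    probability: str    # estimated probability of occurrence (one of LEVELS)
    vulnerability: str  # estimated vulnerability to the threat (one of LEVELS)
    cost: str           # cost of occurrence band (one of COST_BANDS)


def validate_level(value: str, allowed: tuple) -> str:
    # Reject typos early: an unrated item must not silently fall to priority 5.
    if value not in allowed:
        raise ValueError(f"unknown rating {value!r}; expected one of {allowed}")
    return value


def in_scope(item: RiskItem) -> bool:
    """Zero probability of non-compliance puts the item out of scope."""
    return validate_level(item.probability, LEVELS) != "Zero"


def priority_rank(probability: str, cost: str) -> int:
    """Map a (probability, cost) pair onto the deck's 1..5 work priority."""
    validate_level(probability, LEVELS)
    validate_level(cost, COST_BANDS)
    return PRIORITY_TABLE.get((probability, cost), OTHER_PRIORITY)


def prioritized_plan(register):
    """Return (priority, threat) pairs for in-scope items, highest priority first.

    Python's sort is stable, so items with equal priority keep register order,
    which lets the assessor's own ordering act as the tie-breaker.
    """
    scoped = [item for item in register if in_scope(item)]
    ordered = sorted(scoped, key=lambda i: priority_rank(i.probability, i.cost))
    return [(priority_rank(i.probability, i.cost), i.threat) for i in ordered]


# Constructed register. Items 1-2 follow the deck's sample summary; 3-5 are invented.
SAMPLE_REGISTER = [
    RiskItem("164.308(a)(1) security management process",
             "Prevention/detection procedures not consistently followed by all personnel",
             probability="High", vulnerability="High", cost="High"),   # $0-$5M -> High (assumed band)
    RiskItem("164.308(a)(1) security management process",
             "Containment/correction not authorized when cost-benefit cannot be calculated",
             probability="High", vulnerability="Low", cost="Low"),     # assumed band
    RiskItem("164.312(b) audit controls (constructed)",
             "System activity records not reviewed regularly",
             probability="Medium", vulnerability="Medium", cost="High"),
    RiskItem("Clearinghouse-specific standard (constructed)",
             "Clearinghouse rules do not apply to this organization",
             probability="Zero", vulnerability="Low", cost="Low"),
    RiskItem("164.310(a)(1) facility access (constructed)",
             "Visitor log occasionally incomplete",
             probability="Low", vulnerability="Low", cost="Low"),
]

if __name__ == "__main__":
    for priority, threat in prioritized_plan(SAMPLE_REGISTER):
        print(f"{priority}: {threat}")
```

The vulnerability rating is carried on each item but not used for ordering, because the deck's priority scheme keys only on probability and cost; a team that wants vulnerability to influence order can fold it into the probability rating, which is where the sample summary already reflects it.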
Right Size = Reasonable and Appropriate
• Outputs from solution selection document the reasonableness and appropriateness of the selected security measures
• Standardize deliverables as much as feasible
  – Document at least 2 alternatives
    • Include factors from 164.306(b)
    • Document the fit between requirements and each alternative
    • Estimate cost & time to implement
    • Summarize reasons for recommending one alternative
  – Document management approval for the selected solution
• Outputs from maintenance determine ongoing costs and staffing needs
  – Document maintenance oversight roles, responsibilities and procedures
    • 164.306(e): “Security measures . . . must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of EPHI”
  – Document intersections with other processes required by HIPAA Security rules
    • Risk analysis and management; system activity review; access authorization; contingency planning; evaluation; etc.
Information Security Program Survey
• Our methodology
• Respondents
  – Type
    • Covered entity: plan, clearinghouse, provider
    • Hybrid
    • Other (includes business associate, consultant, vendor)
  – Size
    • Total employees
    • Number of IT FTEs
  – IT Security
    • Number of IT Security FTEs
    • Annual IT Security training budget
    • Annual IT Security budget
  – By confidence in meeting the HIPAA Security compliance date
Respondents by Type of Organization
[Bar chart. Categories: Health Plan, Clearinghouse, Provider, Hybrid, Other (vendor, consultant, attorney, etc.). Percentage labels shown: 42%, 29%, 19%, 8%, 2%; the bar-to-category mapping is not recoverable from the extracted text.]
Respondents by Size of Organization: Total Number of Employees
[Bar chart. Bins: 1-50, 51-500, 501-1000, 1001-5000, 5000+ total employees. Percentage labels shown: 29%, 27%, 23%, 10%, 27%; the bar-to-bin mapping is not recoverable from the extracted text.]
Respondents by Size of IT Department: Total Number of IT FTEs
[Bar chart. Bins: 1-50, 51-500, 501-1000, 1001-5000, 5000+ IT employees. Percentage labels shown: 42%, 29%, 19%, 8%, 2%; the bar-to-bin mapping is not recoverable from the extracted text.]
Does Your Organization Have IT Security FTEs?
[Pie chart: Yes 73%, No 27%.]
How Much Do You Spend Annually On IT Security?
[Bar chart. Bins: <$10,000; $10K-$25K; $25K-$100K; $100K-$500K; $500K-$1 mil; $1 mil+. Percentage labels shown: 31%, 10%, 8%, 17%, 10%, 4%; the bar-to-bin mapping is not recoverable from the extracted text.]
Is Organization Confident of Meeting HIPAA Security Deadline?
[Pie chart. Not Very Confident 4%; the remaining slices (Confident, Very Confident, Don't Know/Not Applicable) carry the labels 44%, 33%, 19%, whose mapping to slices is not recoverable from the extracted text.]
Some of the Challenges
• Communication
  – Does the right hand know what the left hand is doing?
• Prioritization
  – Are “dubious projects” getting the money?
• Training
  – NIST and others address this
Does Scalability = Reality?
• Is bigger really better?
  – Security spending doesn’t necessarily scale to an organization’s size
  – HIPAA and GLB are acknowledged as contributing to policy/procedure infrastructure in larger organizations
  – Damage to an organization’s reputation is more of a concern
• Related surveys
  – “US Healthcare Industry Quarterly HIPAA Survey Results: Winter 2003” http://www.hipaadvisory.com
    • “Security remediation efforts are progressing slowly”
  – “Does Company Size Really Matter?,” Information Security, September 2002 http://www.infosecuritymag.com/2002/sep/2002survey.pdf
Conclusions