HIPAA Strategies
Gary Christoph, Ph.D.
Sr. VP Government and Healthcare
[email protected]
410-884-1313
April 8, 2005
A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company
Seclarity, Inc.
11705 Lightfall Court
Columbia, MD 21044
© by Seclarity Inc. 2005, Slide: 1
The Issue
• Recent Compliance Mandates
(HIPAA, GLBA, SarbOx, etc.) are
(unfortunately) strong security
drivers
• Network Security is Hard and
Expensive
• Use a “Common Sense” approach
© by Zephra Corporation 2002, Slide: 2
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
2
2
HIPAA
Title II
Administrative
Simplification
Transaction
Standards
Standard
Code Sets
Security
Unique Health
Identifiers
Privacy
Limitations
Administrative
Procedures
• Chain of Trust Agreement
• Certification,
• Internal Audit, Training,
Written Policies &
Procedures, etc.
Physical Safeguards
• Secure Workstation
• Physical Access Controls,
Media Controls, etc.
• Security Awareness
Training
•• Training
Technical Security
Services
• Access Controls
• Authorization
• Data Authentication
EntityAuthentication
Authentication
••Entity
Technical Security
Mechanisms
•• Basic
Basic Network
Network
Safeguards
Safeguards
•• Integrity
Integrity and
and Protection
Protection
Electronic Signature
• Covers Protected Health
Information (PHI) transmitted or
stored, in any medium (electronic,
paper, oral)
General Rules
• PHI data elements defined
• Notice of Privacy Practices mandated
Minimumnecessary
necessarydisclosure/use
disclosure/useof
•• Minimum
of
data
data
• Consent required for routine use
• Authorization required for non-routine
use
• Business associate contracts required
• Designated Privacy Officer
• Not currently required
© by Zephra Corporation 2002, Slide: 3
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
3
3
What Does HIPAA Really Require?
YOU MUST:
• Think about the risks you face
• Develop coherent, enforceable policy
• Write it down
• Implement/operate whatever controls
this requires
• Train/educate staff
• Periodically test & document
© by Zephra Corporation 2002, Slide: 4
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
4
4
Compliance Issues:
• Policy is not written down
• Written policy is not followed
• Implementations are not “fire and
forget”
• Consultants aim to make money,
not fix the problem
© by Zephra Corporation 2002, Slide: 5
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
5
5
Hard NW Security/Privacy Issues:
• People are involved
 People are neither repeatable nor logical
 People on the job make inappropriate assumptions
• Technical Solutions are too complex
 Point products do not tile the floor
 Management of many solutions is not easy or cheap
 Pace of technological change adds new vulnerabilities
(e.g., wireless)
• Administrative Solutions that are not
 Processes get in the way of work
 Controls violated without your knowledge or without
consequence
© by Zephra Corporation 2002, Slide: 6
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
6
6
A Simple Strategy:
• Decide what is important to
protect
• Find a simple way to protect it
• Document it
© by Zephra Corporation 2002, Slide: 7
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
7
7
The Regs were written to be
scalable and technology neutral.
Why?
• Rules have to cover everything from a oneperson Dentist’s office in Podunk, Missouri, to
Johns Hopkins Hospital
• It economically makes no sense to require
everyone to have the same controls
• Technology evolves
Therefore:
The solution must fit the need
© by Zephra Corporation 2002, Slide: 8
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
8
8
Technical Solution Target
• Want transparency
 Easy for users to comply
 Easy for admins to enforce
• Want universality
 Everywhere same policy enforced the same
 Use technology to reduce administrative controls
• Want simplicity
 Complexity is the enemy
 Easy to manage
• Want verifiability
 Documentable
• Want cheap
 Do not want to go out of business
© by Zephra Corporation 2002, Slide: 9
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
9
9
A Simplified View of a Contemporary
“Secured” Network:
Wireless
Unencrypted Traffic
Remote users
With Software
VPN agents
Firewall
Internet
Unencrypted Traffic
VPN
IDS
Encrypted Traffic Proxy
© by Zephra Corporation 2002, Slide: 10
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
10 10
A Simple view of an
Endpoint-Secured Network:
Wireless
Encrypted Traffic
Encrypted Traffic
Firewall
Remote user
Internet
Encrypted Traffic
© by Zephra Corporation 2002, Slide: 11
© by ©
Seclarity
by Seclarity
Inc. 2004,
Inc. 2005,
Slide:Slide:
11 11