Compliance
Module 12
Simplifying Security.
1 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
May 19, 2011
Watchdog Reports: Security Catalysts?
The timing of two new watchdog reports that highlight the need to
protect the security of electronic health records could help build
momentum for action, some observers say.
This week's reports from the Department of Health and Human
Services' Office of the Inspector General call for a ramping up of
enforcement of the HIPAA Security Rule and the inclusion of more
security requirements in the HITECH Act electronic health record
incentive program (see: Watchdog Hits HHS on Records Security).
The HHS Office for Civil Rights, which enforces HIPAA, recently
requested a 13.5 percent increase in its fiscal 2012 budget for,
among other things, enforcement of the HIPAA Security Rule and
compliance reviews of smaller breach incidents (see: More HIPAA
Enforcement Funding Sought). "So it's timely to raise the issue of
HIPAA enforcement in the middle of the budget discussions," says
Dan Rode, vice president of policy and government relations at the
American Health Information Management Association.
http://www.govinfosecurity.com
Monday, May 23, 2011
Business Workshop: HITECH Ushers in Era of Higher
Penalties Under HIPAA
Two recent cases suggest we have entered a new era of more stringent enforcement of HIPAA's privacy
and security standards.
For the first time, the Office for Civil Rights (OCR) at the Department of Health and Human Services,
which is charged with enforcing HIPAA's privacy and security standards, has imposed a civil money
penalty under HIPAA, or the Health Insurance Portability and Accountability Act.
In a press release from February, OCR announced that Cignet Health of Maryland was fined a total of $4.3 million for ignoring requests for medical records from 41 individuals and for failing to cooperate with OCR's investigation of 27 related complaints.
Two days later, OCR announced a $1 million settlement with Massachusetts General Hospital after an employee left documents containing patients' health information on the subway. OCR's investigation indicated that the hospital "failed to implement reasonable, appropriate safeguards to protect the privacy of protected health information."
http://www.post-gazette.com
Module Objectives
- HIPAA (Health Insurance Portability and Accountability Act)
- HIPAA Checklist
- FERPA (Family Educational Rights and Privacy Act)
- FERPA Checklist
- PCI DSS (Payment Card Industry Data Security Standard)
- PCI DSS Checklist
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a US federal law. Its Security Rule requires covered organizations to implement physical, technical, and administrative safeguards that protect the integrity, availability, and confidentiality of electronic health information
The purpose of the Security Rule is to prevent the inappropriate use and disclosure of individuals' health information
It imposes obligations on organizations to protect health information and the systems that store, transmit, and process it
Objectives of HIPAA
- Group and individual insurance reform: it allows for portability and continuity of health insurance and places limits on pre-existing condition exclusion provisions
- It reduces the potential for waste, fraud, and abuse; new penalties and sanctions are imposed for violations
- It requires the application of uniform standards to electronic data transactions in a confidential and secure environment
- Its goal is to improve the effectiveness and efficiency of the health care system
HIPAA Checklist
File Security
- File cabinets or drawers storing patient records should be securely locked, or if possible, the room itself
- Restrict access to computer terminals to authorized personnel only, and set up passcodes for electronic files
- Be alert to security lapses that might allow illegitimate users to access the records
Education and Sanctions
- The professional workforce should be trained in HIPAA requirements, both on and off the job
- Ensure that employees know the sanctions they can expect for violating HIPAA restrictions
- Violators of HIPAA are punished, which sends a message to other employees that HIPAA is taken seriously within the organization
Authorization Procedures
- Ensure that only authorized personnel have access to HIPAA-protected information
- Review the file logs or computer records regularly to see how the authorization is being used and to ensure that it is not abused
FERPA (Family Educational Rights and Privacy Act)
The Family Educational Rights and Privacy Act (FERPA) of 1974, also known as the Buckley Amendment, is a federal law meant to protect the accuracy and privacy of student education records
This law applies to all educational institutions that receive federal funding under programs administered by the Secretary of Education
FERPA gives certain rights to parents with respect to their children's educational records. These rights transfer to the student when he/she reaches the age of 18 or attends a school beyond the high school level
Individual staff or faculty members' private notes, campus police records, medical records, and statistical data compilations that do not contain personally identifiable student information are not considered educational records under FERPA
The rights given to students by FERPA regarding their educational records include:
- Right to access educational records kept by the school
- Right to demand that educational records be disclosed only with student permission
- Right to amend educational records
- Right to file complaints against the school for disclosing educational records in violation of FERPA
- Right to know about the purpose, content, and location of information kept as part of their educational records
FERPA Checklist
- Post grades using secure technology
- Ensure that confidential, non-directory, and sensitive student personal information is encrypted wherever it is stored, including on laptops and thumb drives
- Do not use social security numbers for any purpose unless necessary. Replace them with UINs (Universal Identification Numbers)
- Do not leave graded tests or papers in a stack for students to pick up by sorting through the tests or papers of all students
- Do not provide anyone with student schedules, or assist anyone other than professional university employees in finding a student on campus
- Do not link the name of a student with that student's social security number or universal identification number (UIN) in any public manner
- Do not discuss the progress of any student with anyone other than the student (including parents/guardians) without the consent of the student
- Do not provide anyone with lists of students enrolled in classes for any commercial purpose
- Institutions must have written permission from the student to release any information from the student's educational record
- Only student directory information can be disclosed by institutions without the student's permission; non-directory information cannot
- Students should be notified about their rights under FERPA by institutions through annual publications
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines, measures, and controls established to help merchants implement strong security precautions that ensure safe credit card usage and secure information storage
Any business with a merchant ID that takes credit card payments, whether online, over the phone, or using credit card machines or paper forms, needs to comply with these standards, even if it uses a payment service provider
Objectives of PCI DSS include the following:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
PCI DSS Checklist
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
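As an added example (not code from the EC-Council module), here is what two of these requirements look like in practice together: "Protect stored cardholder data" and "Track and monitor all access to network resources and cardholder data". A common finding in a PCI assessment is a primary account number (PAN) written in clear to an application log. The script below scans constructed log lines for digit runs that pass the Luhn checksum, which removes most order numbers and timestamps that merely look like card numbers, and reports each hit masked to the first six and last four digits, the maximum PCI DSS v2.0 (the version current when this module was written) allows when a PAN is displayed. The log lines and card numbers are constructed test values (the well-known 4111... and 3782... test numbers), not real cardholder data, and the function and variable names are this example's own.

```python
"""
PAN hygiene for PCI DSS requirements 3 and 10: find primary account numbers
that leaked into logs or files, and mask them for display.
Added example; test values below are constructed, not real cardholder data.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only PANs in text that pass Luhn.

    Luhn rejects about 90% of random digit runs, so a 14-digit order id can
    still collide roughly 1 time in 10; treat hits as leads to verify.
    """
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. The defaults follow the PCI DSS v2.0 limit:
    at most the first six and last four digits may be shown."""
    if not pan.isdigit() or len(pan) <= keep_first + keep_last:
        raise ValueError("not a maskable PAN")
    hidden = "*" * (len(pan) - keep_first - keep_last)
    return pan[:keep_first] + hidden + pan[-keep_last:]


def scan_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid PAN found, so the
    finding can be reported without re-exposing the PAN in a second place."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


# Constructed application log; the card numbers are standard test values.
# Line 3 is a 16-digit transaction reference that fails Luhn and must not be flagged.
SAMPLE_LOG = [
    "2011-05-19 10:22:31 INFO order=10042 customer=u7781 status=approved",
    "2011-05-19 10:22:32 DEBUG auth request card=4111 1111 1111 1111 exp=12/13",
    "2011-05-19 10:23:05 INFO txn ref 1234567890123456 settled",
    "2011-05-19 10:23:40 DEBUG amex=378282246310005 cvv=***",
]

if __name__ == "__main__":
    for lineno, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, shown masked as {masked}")
```

Run against the sample log, the scanner reports lines 2 and 4 and stays silent on line 3. In a real assessment you would point it at application, web-server, and debug logs as well as database dumps and backups, since requirement 3 covers every place cardholder data is stored, not just the primary database; a hit in a log also means the logging call itself needs fixing, not just the file.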
Module Summary
- HIPAA is a US federal law whose Security Rule requires physical, technical, and administrative safeguards to protect the integrity, availability, and confidentiality of electronic health information
- The purpose of the HIPAA Security Rule is to prevent the inappropriate use and disclosure of individuals' health information
- FERPA is a federal law meant to protect the accuracy and privacy of student education records
- PCI DSS is a set of guidelines, measures, and controls established to help merchants implement strong security precautions that ensure safe credit card usage and secure information storage
- Any business with a merchant ID that takes credit card payments, whether online, over the phone, or using credit card machines or paper forms, needs to comply with PCI DSS