Cybersecurity Assessment for Soft Touch Dentistry
Perry Escamilla, Kevin Jones, Jim Patterson,
Leon Slack, Jason Smith & Robert Valdez
National University, Capstone
Professor Bane
Summary
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Auditing, Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
• Conclusion
National University2 Jason
Organization Chart
• Jason Smith – Project Manager
• Kevin Jones – Vulnerability Assessor
• Leon Slack – Disaster Recovery
• Robert Valdez – HIPAA Auditor
• Perry Escamilla – Remediation Planner
• Jim Patterson – Security Planner
Project Overview
• Soft Touch Dentistry is a small dental office in Murrieta, CA. Team
Ruby, comprised of six students from National University, proposed to
the dentistry a project to conduct a cybersecurity assessment of their
medical practice.
• The assessment consisted of a vulnerability assessment, wireless
audit and a HIPAA inspection.
• Furthermore, Team Ruby put together a Business Continuity Plan,
Disaster Recovery plan and a Security Plan for the dentistry to assist
them with those items as well.
• Lastly, Team Ruby performed a cost avoidance analysis to demonstrate how the
project benefited the dentistry and which future costs the practice can now
avoid as a result of the work performed for them.
Project Schedule
The project schedule tables and the project Gantt chart were presented as slide images (not reproduced here).
HIPAA
Purpose
HIPAA is the Health Insurance Portability and Accountability
Act. There are thousands of organizations that must comply
with the HIPAA Security Rule. The Security Rule is just one part
of the federal legislation that was passed into law in August
1996.
The purpose of the Security Rule:
• To allow better access to health insurance
• Reduce fraud and abuse
• Lower the overall cost of health care
Administrative Safeguards
Compliance with the Administrative Safeguards portion must include
implementation of the following:
• Conduct a risk analysis
• Implement risk management controls
• Develop a security plan
• Conduct periodic information system reviews and training
Physical Safeguards
Compliance with the Physical Safeguards portion must include
implementation of the following:
• Contingency operations
• Limiting facility access and restricting levels of access
• Proper management of organization's computer systems and network
• Appropriate device and media controls
Technical Safeguards
Compliance with the Technical Safeguards portion must include
implementation of the following:
• Appropriate access controls such as unique user IDs and permissions
• Automatic logoff procedures
• Encryption and decryption procedures
• Measures to ensure integrity of ePHI
Key Elements of Compliance
• Senior Management Support is essential
• Conduct and maintain inventory of ePHI
• Conduct regular and detailed risk analysis
• Determine what is appropriate and reasonable
• Develop and implement security policies
• Prepare for ongoing compliance
• Maintain a security-minded culture within the workplace
Penalties
Civil penalties range from $100 to $50,000 per violation, with an annual maximum
penalty of $1.5 million, depending on the degree of negligence.
Criminal penalties, including imprisonment, may also be imposed in addition to
civil penalties.
Additional Negatives:
• Negative publicity
• Loss of customers
• Loss of business
• Legal liability
Soft Touch Dentistry
Initial assessment
• Administrative Safeguards – Partial Compliance
• Physical Safeguards – Non-Compliant
• Technical Safeguards – Non-Compliant
Soft Touch Dentistry Initial Assessment
Safeguards | Security Standard | Assessment Percentage | Assessment Compliance Rating
Administrative Safeguards | §164.308(a)(1)(i) Security Management Process | 25% | Partial
Administrative Safeguards | §164.308(a)(2) Assigned Security Responsibility | 25% | Partial
Administrative Safeguards | §164.308(a)(3)(i) Workforce Security | 4% | Partial
Administrative Safeguards | §164.308(a)(4)(i) Information Access Management | 20% | Partial
Administrative Safeguards | §164.308(a)(5)(i) Security Awareness and Training | 13% | Partial
Administrative Safeguards | §164.308(a)(6)(i) Security Incident Procedures | 0% | Non-Compliant
Administrative Safeguards | §164.308(a)(7)(i) Contingency Plan | 0% | Non-Compliant
Administrative Safeguards | §164.308(a)(8) Evaluation | 25% | Partial
Administrative Safeguards | §164.308(b)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
Physical Safeguards | §164.310(a)(1) Facility Access Controls | 0% | Non-Compliant
Physical Safeguards | §164.310(b) Workstation Use | 0% | Non-Compliant
Physical Safeguards | §164.310(c) Workstation Security | 0% | Non-Compliant
Physical Safeguards | §164.310(d)(1) Device and Media Controls | 0% | Non-Compliant
Technical Safeguards | §164.312(a)(1) Access Control | 0% | Non-Compliant
Technical Safeguards | §164.312(b) Audit Controls | 0% | Non-Compliant
Technical Safeguards | §164.312(c)(1) Integrity | 0% | Non-Compliant
Technical Safeguards | §164.312(d) Person or Entity Authentication | 0% | Non-Compliant
Technical Safeguards | §164.312(e)(1) Transmission Security | 0% | Non-Compliant
Organizational Requirements | §164.314(a)(1) Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
Organizational Requirements | §164.314(b)(1) Requirements for Group Health Plans | 0% | Non-Compliant
Policy, Procedures, and Documentation | §164.316(a) Policy and Procedures | 0% | Non-Compliant
Policy, Procedures, and Documentation | §164.316(b)(1) Documentation | 0% | Non-Compliant
Soft Touch Dentistry Post Team Ruby
Safeguards | Security Standard | Assessment Percentage | Assessment Compliance Rating
Administrative Safeguards | §164.308(a)(1)(i) Security Management Process | 88% | Partial
Administrative Safeguards | §164.308(a)(2) Assigned Security Responsibility | 100% | Compliant
Administrative Safeguards | §164.308(a)(3)(i) Workforce Security | 68% | Partial
Administrative Safeguards | §164.308(a)(4)(i) Information Access Management | 60% | Partial
Administrative Safeguards | §164.308(a)(5)(i) Security Awareness and Training | 38% | Partial
Administrative Safeguards | §164.308(a)(6)(i) Security Incident Procedures | 100% | Compliant
Administrative Safeguards | §164.308(a)(7)(i) Contingency Plan | 42% | Partial
Administrative Safeguards | §164.308(a)(8) Evaluation | 75% | Partial
Administrative Safeguards | §164.308(b)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant
Physical Safeguards | §164.310(a)(1) Facility Access Controls | 93% | Partial
Physical Safeguards | §164.310(b) Workstation Use | 100% | Compliant
Physical Safeguards | §164.310(c) Workstation Security | 100% | Compliant
Physical Safeguards | §164.310(d)(1) Device and Media Controls | 56% | Partial
Technical Safeguards | §164.312(a)(1) Access Control | 41% | Partial
Technical Safeguards | §164.312(b) Audit Controls | 0% | Non-Compliant
Technical Safeguards | §164.312(c)(1) Integrity | 0% | Non-Compliant
Technical Safeguards | §164.312(d) Person or Entity Authentication | 0% | Non-Compliant
Technical Safeguards | §164.312(e)(1) Transmission Security | 0% | Non-Compliant
Organizational Requirements | §164.314(a)(1) Business Associate Contracts and Other Arrangements | 100% | Compliant
Organizational Requirements | §164.314(b)(1) Requirements for Group Health Plans | 0% | Not Applicable
Policy, Procedures, and Documentation | §164.316(a) Policy and Procedures | 100% | Compliant
Policy, Procedures, and Documentation | §164.316(b)(1) Documentation | 100% | Compliant
New Soft Touch Dentistry Policies
• Access, Use and Disclosure
• Request for Accounting of Disclosures
• Disclosure of Patient Information to the Public
• Release of Information to Media and Public
• Network and E-mail Usage (Acceptable Use)
• Facsimile of Information
• Notice of Privacy Practices
• Information Security Program
• Information Security Incident Reporting and Response
• Soft Touch Dentistry Compliance Program
• Credit Card and Payment Card Information Protection
HIPAA Wireless Audit
Network Topology
STD Network Topology (diagram not reproduced here). IP scheme: 192.168.77.1, with the office hosts addressed in the 192.168.77.x range.
What Was Found
• The password was all numbers: 129458866.
• The wireless network was protected by WEP (Wired Equivalent Privacy).
• The password was available for anyone to use.
• The wireless network was connected to the physical business network.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
SANS Institute Case Study
• Study performed by Daniel O’Dorisio
• Submitted 12/23/2003
• Singled out five regulations in 164.312 that pertain to wireless communication.
• Expressed the language of the HIPAA safeguards in regular terms and how they could be breached by wireless vulnerabilities.
HIPAA Safeguards
• 164.312 Person Authentication
• A covered entity must, in accordance with Sec. 164.306: (d) Standard: Person
or entity authentication. Implement procedures to verify that a person or
entity seeking access to electronic protected health information is the one
claimed.
• 164.312 Access Control
• A covered entity must, in accordance with Sec. 164.306: (a)(1) Standard:
Access control. Implement technical policies and procedures for electronic
information systems that maintain electronic protected health information to
allow access only to those persons or software programs that have been
granted access rights as specified in Sec. 164.308(a)(4).
HIPAA Safeguards
• 164.312 Integrity
• A covered entity must, in accordance with Sec. 164.306: (c)(1) Standard:
Integrity. Implement policies and procedures to protect electronic protected
health information from improper alteration or destruction.
• 164.312 Transmission Security
• A covered entity must, in accordance with Sec. 164.306: (e)(1) Standard:
Transmission security. Implement technical security measures to guard
against unauthorized access to electronic protected health information that is
being transmitted over an electronic communications network.
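The wireless findings (all-numeric password, WEP, a key shared with anyone, wireless bridged onto the business network), checked against a constructed access-point record and mapped to the 164.312 standards quoted above; this is an added example, not the team's audit tooling. The record layout, the key values in it and MIN_PSK_LENGTH are assumptions made for the example.

```python
"""Wireless audit checks for the findings on these slides, each tied to the
164.312 standard it undermines.  Added example, not the team's own tooling."""

# Modes that give per-frame encryption and integrity protection; WEP and open do not.
ACCEPTED_MODES = {"WPA2-PSK", "WPA2-ENTERPRISE", "WPA3-SAE", "WPA3-ENTERPRISE"}
MIN_PSK_LENGTH = 12  # assumed office policy value, not from the slides


def psk_weaknesses(psk: str) -> list:
    """Return the reasons a pre-shared key is weak; an empty list means acceptable."""
    reasons = []
    if len(psk) < MIN_PSK_LENGTH:
        reasons.append(f"shorter than {MIN_PSK_LENGTH} characters")
    if psk.isdigit():
        reasons.append("digits only")
    classes = (any(c.islower() for c in psk), any(c.isupper() for c in psk),
               any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk))
    if sum(classes) < 3:
        reasons.append("fewer than three character classes")
    return reasons


def audit_access_point(ap: dict) -> list:
    """Map each weak setting in an access-point record to the HIPAA technical
    standard it breaks.  Returns (standard, finding) pairs; empty means clean."""
    findings = []
    mode = ap.get("security", "OPEN").upper()
    if mode not in ACCEPTED_MODES:
        findings.append(("164.312(e)(1) Transmission security",
                         f"{mode} gives no real confidentiality or integrity "
                         "for ePHI on the air; move to WPA2 or WPA3"))
    weak = psk_weaknesses(ap.get("psk", ""))
    if weak:
        findings.append(("164.312(d) Person or entity authentication",
                         "pre-shared key is " + ", ".join(weak)))
    if ap.get("shared_with_public"):
        findings.append(("164.312(a)(1) Access control",
                         "one key handed to anyone; a connection cannot be tied "
                         "to a person who was granted access rights"))
    if ap.get("bridged_to_business_lan"):
        findings.append(("164.312(a)(1) Access control",
                         "wireless clients sit on the same segment as the Dentrix "
                         "server; segment the wireless network behind a firewall"))
    return findings


# Constructed record mirroring the audit findings: WEP, an all-numeric key, one
# key shared with everyone, and a bridge straight onto the office LAN.
AS_FOUND = {"ssid": "SoftTouch", "security": "WEP", "psk": "123456789",
            "shared_with_public": True, "bridged_to_business_lan": True}

# Constructed record for a hardened configuration; the key is a placeholder.
HARDENED = {"ssid": "SoftTouch-Staff", "security": "WPA2-PSK",
            "psk": "Placeholder-Key-2024!", "shared_with_public": False,
            "bridged_to_business_lan": False}


if __name__ == "__main__":
    for label, ap in (("as found", AS_FOUND), ("hardened", HARDENED)):
        results = audit_access_point(ap)
        print(f"{label}: {len(results)} finding(s)")
        for standard, text in results:
            print(f"  {standard}: {text}")
```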
Vulnerability Assessment
Vulnerability Assessment Defined & Tool
• “A vulnerability assessment is a search for these
weaknesses/exposures in order to apply a patch or fix to prevent a
compromise” (SANS, 2001).
• Retina
• Ease of use
• Free Trials (Savings of $1,700)
• Industry Accepted Tool
• Fast Local Scans (3 – 10 minutes per machine)
High, Medium & Low
• High – May result in the highly costly loss of assets; risks that significantly violate, harm or impede operations
• Medium – May result in the costly loss of assets; risks that violate, harm, or impede operations
• Low – May result in the loss of some assets or may affect operations
Vulnerabilities Found
Total Findings – 1,137
• Findings Fixed – 862 (76%)
• High Not Fixed – 3
• High False Positive – 1
• Medium Not Fixed – 29
• Medium False Positives – 24
• Low Not Fixed – 218
Vulnerabilities Found (Continued)
High & Medium Findings Fixed – 862 (94%)
• High Not Fixed – 3
• High False Positive – 1
• Medium Not Fixed – 29
• Medium False Positives – 24
Plan of Action & Milestones (Open) and Plan of Action & Milestones (Closed) were presented as slide tables (not reproduced here).
DRP/BCP – Disaster Recovery Plan/Business Continuity Plan
Initial Findings
Physical Description of the Site
• Located at 25395 Hancock Ave. and is zoned as Office Research Park (ORP) by
the city of Murrieta
• The site is between two major freeways, approximately 1 mile east of the I-15
and 0.4 miles west of the I-215 and approximately 0.3 miles north of Murrieta
Hot Springs Rd.
• Parcel Map (PM) 26610 and Assessor’s Parcel Number (APN) 910-250-007
• Building construction is Type V–N (also known as V–B); wood framed building
with no fire protection for the exterior walls
• An unarmed security guard is onsite between 8:00 AM and 5:00 PM on weekdays,
and the building has a general announcing system
Initial Findings (cont.)
Physical Description of the Site (cont.)
• Soft Touch Dental office itself does not have an alarm system or enhanced
locks
• The site is approximately 2.2 miles or 6 minutes south of the Murrieta City
Police Department at 2 Town Center
• Chances of being a victim of a violent crime are 1 in 1505 in Murrieta as
compared to 1 in 252 for the state of California
Initial Findings (cont.)
• Physical Description of the Site (cont.)
• Risk to the Physical Property
• Fire
• Greatest risk overall
• Building construction is TYPE V-B, offers no protection for the external walls
• Proprietor states that they have insurance
• Flood
• The site is not in danger of flooding or other related incidents
• Earthquake
• Less than 10% chance of major structural damage
• Building is located on a sandstone formation
• No major active faults nearby
Initial Findings (cont.)
• Office Description
• The office is located on the 2nd floor and totals less than 800 sq. ft.
• Contains two entry points
• Exam room, private office, rest rooms, employee break area, utility/wiring closet and X-ray area
Initial Findings (cont.)
• Office Description (cont.)
• Door between the patient waiting area and exam area is unsecured
• Utility/Wiring closet is unlocked
• Water heater risk
Utility/wiring closet contents (photo labels): PBX switch, patch panel, UPS units, network switch, DSL router
Initial Findings (cont.)
• Office Description (cont.)
• One of the ports is not mounted to the breakout box and thus exposes the wiring to possible damage (photo: exposed wiring)
Initial Findings (cont.)
• Office Description (cont.)
• There are no network connections in the private office space. The connection for the server and office workstation is run along the floor out into the hallway and then into the X-ray area
Photo labels: office server, office workstation, hallway, workstation & server cable, office exit
Initial Findings (cont.)
• Office Risks
• Networking and communications equipment at risk from a water heater leak
• Poor wiring may be leading to some spotty network performance
• There are no protections in place on the network. It is recommended that the network be segmented and a firewall put in place.
Initial Findings (cont.)
• Administration
• Mutual Aid and Assistance Memorandum of Understanding is a verbal
commitment
• Policies and Procedures do not exist for any IT operations
• Staff performs a manual copy of the server’s D: drive on a daily basis to one
of two 300 GB external hard drives
• Administrative Risks
• The current backup process is inadequate and is not saving any of the Dentrix
data.
• The Mutual Aid and Assistance MOU needs to be formalized
• Written policies and procedures for IT operations need to be developed
Asset Inventory and Replacement
• Current Inventory
• 7 desktop workstations w/ monitors
• 3 laptop workstations
• 2 MFC printers
• 1 server
• 1 24-port switch
• 2 5-port switches
• Replacement List and Costs
• Costs do not reflect any taxes or shipping fees
• The list assumes that all telecommunication and internet connectivity are in
place and functional
Asset Inventory and Replacement (cont.)
Estimated cost to replace would be: $9,435.74
Item | Source | Quantity | Unit Cost | Total Cost
Desktop Workstation | Dell Corp | 7 | $679.00 | $4,753.00
Laptop Workstation | Dell Corp | 3 | $479.00 | $1,437.00
Server | Dell Corp | 1 | $1,914.44 | $1,914.44
MFC Printer | Canon | 2 | $148.98 | $297.96
24 Port Network Switch | Linksys | 1 | $177.99 | $177.99
Wireless Access Point | Amped Wireless | 1 | $71.99 | $71.99
5 Port Network Switch | Linksys | 2 | $39.97 | $79.94
KVM Switch | Office Depot | 1 | $73.49 | $73.49
Monitors | Walmart | 7 | $89.99 | $629.93
Total Estimated Costs | | | | $9,435.74
DRP/BCP Development Approach
• Small Office with Limited Resources
• Key Personnel
• The Owner
• The Office Manager
• Mutual Aid and Assistance Memorandum of Understanding
• Developed one based off of an MOU between the California Emergency
Management Agency and the California Dental Identification Team
• Critical Data Sources
• Dentrix Database
• Critical Office Correspondence
DRP/BCP Development Approach (cont.)
• Critical Services
• Access to an alternative site
• Procurement and installation of replacement equipment
• Restoration of Dentrix data and Dentrix operations
• Restoration of critical office correspondence data
• Recovery Process
• In the case of the loss of the office spaces, a 5 day plan has been described in the Disaster Recovery Plan
• Plan can be tailored down for loss of critical infrastructure
DRP/BCP Development Approach (cont.)
• Data Backup and Recovery Plan
• Continue to use the external hard disk drives
• Need to run Dentrix back-up process from the Server Administration Utility
• Need to test encryption of the back-up drives
• No data restoration procedures have been written at this time
• Dentrix restoration requires the removal of all database files
• The office does not have a second server system to use for the restoration check
• Restoration procedures have been added to the POA&M
• Equipment Restoration Plan
• Cost was a driving concern
• Chose business class hardware for server and workstations
Security Plan Development
Managing Enterprise Risk
• Key activities in managing enterprise-level risk—risk resulting
from the operation of an information system:
• Categorize the information system
• Select set of minimum (baseline) security controls
• Refine the security control set based on risk assessment
• Document security controls in system security plan
• Implement the security controls in the information system
• Assess the security controls
• Determine agency-level risk and risk acceptability
• Authorize information system operation
• Monitor security controls on a continuous basis
Publication Overview
• NIST Special Publication 800-18 (Security Planning)
• FIPS Publication 199 (Security Categorization)
• NIST Special Publication 800-60 Vol 1 & 2 (Security Category Mapping)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-53R4 (Recommended Security Controls)
• NIST Special Publication 800-30 (Risk Assessment)
• NIST Special Publication 800-66R1 (Guide for Implementing HIPAA)
• ISO/IEC 27000 (Establishing an Information Security Management System (ISMS))
• ISO/IEC 27002 (Code of practice for information security controls)
• NIST Special Publication 800-53A (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)
Source: NIST SP 800-18 Pg 11
Categorizing Information and
Information Systems
(Source: FIPS 199 Table 1 Pg 6)
Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.
Purpose
• Enabled Soft Touch Dentistry to implement appropriate controls in a cost-effective manner based on the potential impact to defined security objectives.
Objectives
• CONFIDENTIALITY: The loss of confidentiality is the unauthorized disclosure of information (e.g., ePHI)
• INTEGRITY: The loss of integrity is the unauthorized modification or destruction of information (e.g., payment modifications)
• AVAILABILITY: The loss of availability is the disruption of access to or use of information or the information system (e.g., ransomware)
Impacts
• A categorization of LOW is defined as having a limited adverse effect on the organization's mission
• A categorization of MODERATE is defined as having a serious adverse effect on the organization's mission
• A categorization of HIGH is defined as having a serious/catastrophic adverse effect on the organization's mission
Categorizing Information Types
Identification of Information Types
Information is categorized according to its information type. An information type is a specific category of information, for example:
• Privacy
• Proprietary
• Medical
• Financial
Soft Touch Dentistry Critical Information
• Personally Identifiable Information (PII)
• Patient health information (ePHI)
• Patient credit card and insurance billing information
Source: NIST SP 800-60 Vol 1 Pg 16
Categorizing Information Types
D.14.4 Health Care Delivery Services Information Type
Supports the delivery of health care, planning of health services and the managing of clinical information and documentation. The recommended provisional security categorization for health care delivery services information is as follows:
Security Category = {(confidentiality, Low), (integrity, High), (availability, Low)}
Confidentiality
The confidentiality impact level is the effect of unauthorized disclosure of health care delivery services information on the ability of responsible agencies to provide and support the delivery of health care to their beneficiaries. Such disclosure will have only a limited adverse effect on agency operations, assets, or individuals.
Special Factors Affecting Confidentiality Impact Determination: In some cases, unauthorized disclosure of this information, such as privacy-protected medical records, can have serious consequences for agency operations. In such cases, the confidentiality impact level may be moderate.
Source: NIST SP 800-60 Vol 2 Pg 171
System Categorization
Provisional Impact Levels
Recommended Integrity Impact Level: Because of the potential for the loss of human life, the provisional integrity impact level recommended for health care delivery services information is high. (Source: NIST SP 800-60 Vol 2 Pg 172)
Review and Adjust Impact Levels
Organizations should: (i) review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing; (ii) adjust the security objective impact levels as necessary using the special factors guidance found in Volume II, Appendices C and D; and (iii) document all adjustments to the impact levels and provide the rationale or justification for the adjustments. (NIST SP 800-60 Vol 1 Pg 23)
Final Information System Categorization was Evaluated as Moderate
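The categorization walk-through on these slides (provisional levels from SP 800-60, review and adjust with a documented rationale, then the FIPS 199 system-level high-water mark), carried through in code for the information types the slides name; this is an added example, not the team's or NIST's code. The billing type's provisional levels and the rationale strings are assumptions made for the example, since the slides give only the final Moderate result.

```python
"""FIPS 199 / SP 800-60 style categorization for the information types named on
these slides.  Added illustration, not code from the presentation or from NIST."""
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def level(self, objective: str) -> Impact:
        return getattr(self, objective)

    def high_water_mark(self) -> Impact:
        """Overall impact of a system: the highest level across the three objectives."""
        return max(self.level(o) for o in OBJECTIVES)

    def __str__(self) -> str:
        parts = ", ".join(f"({o}, {self.level(o).name.capitalize()})" for o in OBJECTIVES)
        return "SC = {" + parts + "}"


@dataclass
class InformationType:
    name: str
    provisional: SecurityCategory
    # objective -> (adjusted level, documented rationale); SP 800-60 step (iii)
    adjustments: dict = field(default_factory=dict)

    def adjust(self, objective: str, level: Impact, rationale: str) -> None:
        """Record an adjustment; an undocumented adjustment is rejected."""
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        if not rationale.strip():
            raise ValueError("every impact-level adjustment needs a written rationale")
        self.adjustments[objective] = (level, rationale)

    def final_category(self) -> SecurityCategory:
        levels = {o: self.provisional.level(o) for o in OBJECTIVES}
        for o, (lvl, _) in self.adjustments.items():
            levels[o] = lvl
        return SecurityCategory(**levels)


def system_category(info_types: list) -> SecurityCategory:
    """FIPS 199 system categorization: per objective, the maximum over all the
    information types the system stores or processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return SecurityCategory(**{
        o: max(t.final_category().level(o) for t in info_types) for o in OBJECTIVES
    })


def categorize_soft_touch() -> tuple:
    """Walk the slides' example: provisional levels from SP 800-60 Vol 2, then the
    review-and-adjust step, then the system-level high-water mark."""
    # Provisional category quoted on the slides for health care delivery services.
    health_delivery = InformationType(
        "Health care delivery services (Dentrix ePHI)",
        SecurityCategory(Impact.LOW, Impact.HIGH, Impact.LOW),
    )
    # Special factor from SP 800-60: privacy-protected medical records may be Moderate.
    health_delivery.adjust("confidentiality", Impact.MODERATE,
                           "privacy-protected patient records (ePHI) would be disclosed")
    # Assumed rationale for the example: the slides report a final rating of Moderate,
    # which requires the provisional High integrity level to have been lowered.
    health_delivery.adjust("integrity", Impact.MODERATE,
                           "dental records support no life-critical treatment decisions")
    # Assumed provisional levels for the billing type; not values from NIST.
    billing = InformationType(
        "Patient credit card and insurance billing",
        SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    )
    sc = system_category([health_delivery, billing])
    return sc, sc.high_water_mark()


if __name__ == "__main__":
    sc, overall = categorize_soft_touch()
    print(sc)
    print("Overall system impact:", overall.name)
```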
NIST Security Control Selection
FIPS 200 – Provides the minimum security requirements covering seventeen (17) security-related areas.
• States that selected set of controls must include at least one baseline
• Must include all controls in the baseline unless exceptions based on tailoring
NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
• 18 Control Families
• Seventeen control families for an information system
• One control family focusing on organization-wide requirements (Program Management)
• Provides tailored set of baseline security controls based on overall system categorization
• 159 Controls based on an information system categorized at the Moderate impact level
• Tailoring Controls
• Provides a cost-effective, risk-based security approach that supports organizational mission/business
needs.
• Identifying Common Security Controls
• Apply Scoping Considerations
• Select Compensating Controls
• Supplement with Control Enhancements
• Documentation
ISO 27002 Security Control Selection
ISO 27002 Security Techniques, Code of Practice for Information Security Controls
• International standard intended to be used as guidance for organizations implementing commonly accepted
information security controls
• States that security controls from any or all clauses could be important, therefore each organization applying this
standard should identify applicable controls based on how important they are to the specific application
• Contains the actual “best practices” details of what goes into building a comprehensive IT security program
• The selection of controls is dependent upon organizational decisions based on organizational risk acceptance
• May be regarded as a starting point for developing organization-specific guidelines
• 14 Security Clauses (Policies, Human Resource Security, Access Control etc.)
• 35 Security Control Categories (Policies for Information Security, Review of Policies)
• Objective
• 114 Controls
• Implementation Guidance
• Other Information
Mitigating Findings with Selected Controls (presented as a slide table, not reproduced here)
Implementing Controls
• Developed Policies
• Patched Software
• Developed Training
• Implemented Access Controls
• Unique user accounts
• Strong passwords
• Group Policy Objects
• Changed Default Passwords
• Made recommendations in POA&M
Cost Avoidance
Proposed Cost of the Project (presented as a slide table, not reproduced here)
HIPAA Fine Breakdown
• Covered entity was not aware of the violation: $100 per violation, not to exceed $25,000
• Violation occurred due to “reasonable cause”: $1,000 per violation, not to exceed $100,000
• Due to willful neglect: $10,000 per violation, not to exceed $250,000
• Due to willful neglect, violation is not corrected: $50,000 per incident, not to exceed $1,500,000
Cost Avoidance: $150,000
Lessons Learned & Conclusion
Lessons Learned
• Project Management is the key to completing these assessments.
Conducting this training while doing the project resulted in lessons
learned that were too late to implement
• Small businesses are challenged to maintain compliance with federal
regulations
• Understanding the current environment, personnel, equipment, etc., is
important prior to finalizing the project scope and statement of work
• Creating a work breakdown eliminates confusion for task assignments
Conclusion
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
Project Value
• Provided a no-cost vulnerability and HIPAA assessment that resulted in the implementation of controls that significantly hardened the Soft Touch Dentistry information system against attack. Policies and training were also developed that position the organization to take control of its cybersecurity posture in the future.
Questions?

talkingcloud_Design_Samples
 
Resume
ResumeResume
Resume
 
portfolio-simmetron
portfolio-simmetronportfolio-simmetron
portfolio-simmetron
 
K1
K1K1
K1
 
S4 tarea4 cagaf
S4 tarea4 cagafS4 tarea4 cagaf
S4 tarea4 cagaf
 
Велика Британія
Велика БританіяВелика Британія
Велика Британія
 
2016_09_15_DOKTORSKA-PREDSTAVITEV-HAUC
2016_09_15_DOKTORSKA-PREDSTAVITEV-HAUC2016_09_15_DOKTORSKA-PREDSTAVITEV-HAUC
2016_09_15_DOKTORSKA-PREDSTAVITEV-HAUC
 
Visual Media Portfolio
Visual Media PortfolioVisual Media Portfolio
Visual Media Portfolio
 
FORUM SDM BALI - WEBSITE GRATIS POS - Guideline tampilan produk pada webstore...
FORUM SDM BALI - WEBSITE GRATIS POS - Guideline tampilan produk pada webstore...FORUM SDM BALI - WEBSITE GRATIS POS - Guideline tampilan produk pada webstore...
FORUM SDM BALI - WEBSITE GRATIS POS - Guideline tampilan produk pada webstore...
 
INGENIERIA SISMORESISTENTE
INGENIERIA SISMORESISTENTEINGENIERIA SISMORESISTENTE
INGENIERIA SISMORESISTENTE
 
Formulas y Diagramas para vigas
Formulas y Diagramas para vigasFormulas y Diagramas para vigas
Formulas y Diagramas para vigas
 
S4 tarea4 cagaf
S4 tarea4 cagafS4 tarea4 cagaf
S4 tarea4 cagaf
 
Greek powerpoint PP [Autosaved]
Greek powerpoint PP [Autosaved]Greek powerpoint PP [Autosaved]
Greek powerpoint PP [Autosaved]
 
Levantamiento Topografico Y Procesamiento de Datos
Levantamiento Topografico  Y  Procesamiento de DatosLevantamiento Topografico  Y  Procesamiento de Datos
Levantamiento Topografico Y Procesamiento de Datos
 

Similar to Team Ruby Final Presentation Slides R7

OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?ID Experts
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
Get your Ducks in a Row - The OCR Audit Season is About to Begin
Get your Ducks in a Row - The OCR Audit Season is About to BeginGet your Ducks in a Row - The OCR Audit Season is About to Begin
Get your Ducks in a Row - The OCR Audit Season is About to BeginID Experts
 
HIPAA and Security Management for Physician Practices
HIPAA and Security Management for Physician PracticesHIPAA and Security Management for Physician Practices
HIPAA and Security Management for Physician PracticesCole Libby
 
Computer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance
Computer Software Assurance (CSA): Understanding the FDA’s New Draft GuidanceComputer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance
Computer Software Assurance (CSA): Understanding the FDA’s New Draft GuidanceGreenlight Guru
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceLumension
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sIatric Systems
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1jhietala
 
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validationXybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validationXybion Corporation
 
How to Secure Medical Devices presentation.pptx
How to Secure Medical Devices presentation.pptxHow to Secure Medical Devices presentation.pptx
How to Secure Medical Devices presentation.pptxShandevinda
 
Security Architecture
Security ArchitectureSecurity Architecture
Security ArchitecturePriyank Hada
 
Increasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityIncreasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityCynergisTek, Inc.
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAAAlert Logic
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Presentation: TGA - Software inspections and therapeutic goods
Presentation: TGA - Software inspections and therapeutic goodsPresentation: TGA - Software inspections and therapeutic goods
Presentation: TGA - Software inspections and therapeutic goodsTGA Australia
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeCompliancy Group
 

Similar to Team Ruby Final Presentation Slides R7 (20)

OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?OCR HIPAA Audits…Will You Be Prepared?
OCR HIPAA Audits…Will You Be Prepared?
 
File000169
File000169File000169
File000169
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
 
Get your Ducks in a Row - The OCR Audit Season is About to Begin
Get your Ducks in a Row - The OCR Audit Season is About to BeginGet your Ducks in a Row - The OCR Audit Season is About to Begin
Get your Ducks in a Row - The OCR Audit Season is About to Begin
 
HIPAA and Security Management for Physician Practices
HIPAA and Security Management for Physician PracticesHIPAA and Security Management for Physician Practices
HIPAA and Security Management for Physician Practices
 
Computer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance
Computer Software Assurance (CSA): Understanding the FDA’s New Draft GuidanceComputer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance
Computer Software Assurance (CSA): Understanding the FDA’s New Draft Guidance
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC Compliance
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​s
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
 
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validationXybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
 
How to Secure Medical Devices presentation.pptx
How to Secure Medical Devices presentation.pptxHow to Secure Medical Devices presentation.pptx
How to Secure Medical Devices presentation.pptx
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
 
Increasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and SecurityIncreasing Challenges in Healthcare Privacy and Security
Increasing Challenges in Healthcare Privacy and Security
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAA
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Presentation: TGA - Software inspections and therapeutic goods
Presentation: TGA - Software inspections and therapeutic goodsPresentation: TGA - Software inspections and therapeutic goods
Presentation: TGA - Software inspections and therapeutic goods
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challenge
 
SOQ RCI
SOQ RCISOQ RCI
SOQ RCI
 

Team Ruby Final Presentation Slides R7

  • 12. Purpose
    HIPAA is the Health Insurance Portability and Accountability Act. Thousands of organizations must comply with the HIPAA Security Rule. The Security Rule is one part of the federal legislation that was passed into law in August 1996.
    The stated purposes of HIPAA as a whole (the Security Rule itself sets the standards for protecting electronic protected health information, ePHI):
    • Allow better access to health insurance
    • Reduce fraud and abuse
    • Lower the overall cost of health care
  • 13. Administrative Safeguards
    Compliance with the Administrative Safeguards portion must include implementation of the following:
    • Conduct a risk analysis
    • Implement risk management controls
    • Develop a security plan
    • Conduct periodic information system reviews and training
  • 14. Physical Safeguards
    Compliance with the Physical Safeguards portion must include implementation of the following:
    • Contingency operations
    • Limit facility access and restrict levels of access
    • Proper management of the organization's computer systems and network
    • Appropriate device and media controls
  • 15. Technical Safeguards
    Compliance with the Technical Safeguards portion must include implementation of the following:
    • Appropriate access controls, such as unique user IDs and permissions
    • Automatic logoff procedures
    • Encryption and decryption procedures
    • Measures to ensure the integrity of ePHI
  • 16. Key Elements of Compliance
    • Senior management support is essential
    • Conduct and maintain an inventory of ePHI
    • Conduct regular and detailed risk analysis
    • Determine what is appropriate and reasonable
    • Develop and implement security policies
    • Prepare for ongoing compliance
    • Maintain a security-minded culture within the workplace
  • 17. Penalties
    Civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million, depending on the degree of negligence.
    Criminal penalties, including imprisonment, may be imposed in addition to civil penalties.
    Additional negatives:
    • Negative publicity
    • Loss of customers
    • Loss of business
    • Legal liability
  • 18. Soft Touch Dentistry Initial Assessment
    • Administrative Safeguards: Partial Compliance
    • Physical Safeguards: Non-Compliant
    • Technical Safeguards: Non-Compliant
  • 19. Soft Touch Dentistry Initial Assessment
    Standard | Security Standard | Assessment | Compliance Rating
    Administrative Safeguards
    §164.308(a)(1)(i) | Security Management Process | 25% | Partial
    §164.308(a)(2) | Assigned Security Responsibility | 25% | Partial
    §164.308(a)(3)(i) | Workforce Security | 4% | Partial
    §164.308(a)(4)(i) | Information Access Management | 20% | Partial
    §164.308(a)(5)(i) | Security Awareness and Training | 13% | Partial
    §164.308(a)(6)(i) | Security Incident Procedures | 0% | Non-Compliant
    §164.308(a)(7)(i) | Contingency Plan | 0% | Non-Compliant
    §164.308(a)(8) | Evaluation | 25% | Partial
    §164.308(b)(1) | Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
    Physical Safeguards
    §164.310(a)(1) | Facility Access Controls | 0% | Non-Compliant
    §164.310(b) | Workstation Use | 0% | Non-Compliant
    §164.310(c) | Workstation Security | 0% | Non-Compliant
    §164.310(d)(1) | Device and Media Controls | 0% | Non-Compliant
    Technical Safeguards
    §164.312(a)(1) | Access Control | 0% | Non-Compliant
    §164.312(b) | Audit Controls | 0% | Non-Compliant
    §164.312(c)(1) | Integrity | 0% | Non-Compliant
    §164.312(d) | Person or Entity Authentication | 0% | Non-Compliant
    §164.312(e)(1) | Transmission Security | 0% | Non-Compliant
    Organizational Requirements
    §164.314(a)(1) | Business Associate Contracts and Other Arrangements | 0% | Non-Compliant
    §164.314(b)(1) | Requirements for Group Health Plans | 0% | Non-Compliant
    Policies, Procedures, and Documentation
    §164.316(a) | Policies and Procedures | 0% | Non-Compliant
    §164.316(b)(1) | Documentation | 0% | Non-Compliant
  • 20. Soft Touch Dentistry Post Team Ruby
    Standard | Security Standard | Assessment | Compliance Rating
    Administrative Safeguards
    §164.308(a)(1)(i) | Security Management Process | 88% | Partial
    §164.308(a)(2) | Assigned Security Responsibility | 100% | Compliant
    §164.308(a)(3)(i) | Workforce Security | 68% | Partial
    §164.308(a)(4)(i) | Information Access Management | 60% | Partial
    §164.308(a)(5)(i) | Security Awareness and Training | 38% | Partial
    §164.308(a)(6)(i) | Security Incident Procedures | 100% | Compliant
    §164.308(a)(7)(i) | Contingency Plan | 42% | Partial
    §164.308(a)(8) | Evaluation | 75% | Partial
    §164.308(b)(1) | Business Associate Contracts and Other Arrangements | 100% | Compliant
    Physical Safeguards
    §164.310(a)(1) | Facility Access Controls | 93% | Partial
    §164.310(b) | Workstation Use | 100% | Compliant
    §164.310(c) | Workstation Security | 100% | Compliant
    §164.310(d)(1) | Device and Media Controls | 56% | Partial
    Technical Safeguards
    §164.312(a)(1) | Access Control | 41% | Partial
    §164.312(b) | Audit Controls | 0% | Non-Compliant
    §164.312(c)(1) | Integrity | 0% | Non-Compliant
    §164.312(d) | Person or Entity Authentication | 0% | Non-Compliant
    §164.312(e)(1) | Transmission Security | 0% | Non-Compliant
    Organizational Requirements
    §164.314(a)(1) | Business Associate Contracts and Other Arrangements | 100% | Compliant
    §164.314(b)(1) | Requirements for Group Health Plans | 0% | Not Applicable
    Policies, Procedures, and Documentation
    §164.316(a) | Policies and Procedures | 100% | Compliant
    §164.316(b)(1) | Documentation | 100% | Compliant
  • 21. New Soft Touch Dentistry Policies
    • Access, Use and Disclosure
    • Request for Accounting of Disclosures
    • Disclosure of Patient Information to the Public
    • Release of Information to Media and Public
    • Network and E-mail Usage (Acceptable Use)
    • Facsimile of Information
    • Notice of Privacy Practices
    • Information Security Program
    • Information Security Incident Reporting and Response
    • Soft Touch Dentistry Compliance Program
    • Credit Card and Payment Card Information Protection
  • 23. Network Topology
    (Diagram: Soft Touch Dentistry network topology, IP scheme 192.168.77.x. Hosts shown: 192.168.77.1, .2, .3, .4, .5, .6, .7, .8, .50, .51, .201, .202, .205 and .230)
  • 24. What Was Found
    • The wireless password was all numbers: 129458866.
    • The wireless network was protected only by WEP (Wired Equivalent Privacy), an encryption scheme that is cryptographically broken and offers no meaningful protection.
    • The password was shared openly and available for anyone to use.
    • The wireless network was connected directly to the wired business network, so any wireless client had the same reach as an office workstation.
  • 25. Health Insurance Portability and Accountability Act of 1996
  • 26. SANS Institute Case Study
    • Study performed by Daniel O'Dorisio, submitted 12/23/2003
    • Singled out five regulations in §164.312 that pertain to wireless communication
    • Expressed the language of the HIPAA safeguards in plain terms and showed how each could be breached through wireless vulnerabilities
  • 27. HIPAA Safeguards
    • §164.312(d) Person or Entity Authentication
      "A covered entity must, in accordance with Sec. 164.306: (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
    • §164.312(a)(1) Access Control
      "A covered entity must, in accordance with Sec. 164.306: (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4)."
  • 28. HIPAA Safeguards (cont.)
    • §164.312(c)(1) Integrity
      "A covered entity must, in accordance with Sec. 164.306: (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."
    • §164.312(e)(1) Transmission Security
      "A covered entity must, in accordance with Sec. 164.306: (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
  • 30. Vulnerability Assessment Defined & Tool
    • "A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise" (SANS, 2001).
    • Tool: Retina
      • Ease of use
      • Free trial (savings of $1,700)
      • Industry-accepted tool
      • Fast local scans (3 to 10 minutes per machine)
  • 31. High, Medium & Low
    • High: may result in the highly costly loss of major assets; risks that significantly violate, harm or impede operations
    • Medium: may result in the costly loss of assets; risks that violate, harm or impede operations
    • Low: may result in the loss of some assets or may affect operations
  • 32. Vulnerabilities Found
    Total findings: 1,137
    • Fixed: 862 (76% of all findings)
    • High, not fixed: 3
    • High, false positive: 1
    • Medium, not fixed: 29
    • Medium, false positives: 24
    • Low, not fixed: 218
  • 33. Vulnerabilities Found (Continued)
    High and medium findings only: 919 in total (862 fixed, 3 high and 29 medium not fixed, 1 high and 24 medium false positives)
    • Fixed: 862 (94% of high and medium findings)
    • High, not fixed: 3
    • High, false positive: 1
    • Medium, not fixed: 29
    • Medium, false positives: 24
  • 34. Plan of Action & Milestones (Open)
  • 35. Plan of Action & Milestones (Closed)
  • 37. Initial Findings
    Physical description of the site:
    • Located at 25395 Hancock Ave.; zoned Office Research Park (ORP) by the city of Murrieta
    • The site lies between two major freeways, approximately 1 mile east of the I-15 and 0.4 miles west of the I-215, and approximately 0.3 miles north of Murrieta Hot Springs Rd.
    • Parcel Map (PM) 26610; Assessor's Parcel Number (APN) 910-250-007
    • Building construction is Type V-N (also known as V-B): wood-framed, with no fire protection for the exterior walls
    • An unarmed security guard is on site between 8:00 AM and 5:00 PM on weekdays, and the building has a general announcing system
  • 38. Initial Findings (cont.)
    Physical description of the site (cont.):
    • The Soft Touch Dental office itself has no alarm system or enhanced locks
    • The site is approximately 2.2 miles (6 minutes) south of the Murrieta Police Department at 2 Town Center
    • The chance of being a victim of a violent crime is 1 in 1,505 in Murrieta, compared with 1 in 252 for the state of California
  • 39. Initial Findings (cont.)
    Risk to the physical property:
    • Fire
      • Greatest risk overall
      • Building construction is Type V-B, which offers no protection for the external walls
      • The proprietor states that they have insurance
    • Flood
      • The site is not in danger of flooding or related incidents
    • Earthquake
      • Less than 10% chance of major structural damage
      • Building is located on a sandstone formation
      • No major active faults nearby
  • 40. Initial Findings (cont.)
    Office description:
    • The office is located on the 2nd floor and totals less than 800 sq. ft.
    • Two entry points
    • Exam room, private office, rest rooms, employee break area, utility/wiring closet and X-ray area
  • 41. Initial Findings (cont.)
    Office description (cont.):
    • The door between the patient waiting area and the exam area is unsecured
    • The utility/wiring closet is unlocked
    • Water heater risk
    (Photo: wiring closet containing the PBX switch, patch panel, UPS units, network switch and DSL router)
  • 42. Initial Findings (cont.)
    Office description (cont.):
    • One of the ports is not mounted to the breakout box, exposing the wiring to possible damage
    (Photo: exposed wiring)
  • 43. Initial Findings (cont.)
    Office description (cont.):
    • There are no network connections in the private office space. The connections for the server and the office workstation are run along the floor, out into the hallway and then into the X-ray area
    (Photo: office server and office workstation, with the workstation and server cable running through the hallway past the office exit)
  • 44. Initial Findings (cont.)
    Office risks:
    • Networking and communications equipment is at risk from a water heater leak
    • Poor wiring may be causing some of the spotty network performance
    • There are no protections in place on the network; it is recommended that the network be segmented and a firewall put in place
  • 45. Initial Findings (cont.)
    Administration:
    • The Mutual Aid and Assistance Memorandum of Understanding is only a verbal commitment
    • No policies and procedures exist for any IT operations
    • Staff perform a manual copy of the server's D: drive daily to one of two 300 GB external hard drives
    Administrative risks:
    • The current backup process is inadequate: it does not capture any of the Dentrix data
    • The Mutual Aid and Assistance MOU needs to be formalized
    • Written policies and procedures for IT operations need to be developed
  • 46. Asset Inventory and Replacement
    Current inventory:
    • 7 desktop workstations with monitors
    • 3 laptop workstations
    • 2 MFC printers
    • 1 server
    • 1 24-port switch
    • 2 5-port switches
    Replacement list and costs:
    • Costs do not reflect taxes or shipping fees
    • The list assumes that all telecommunication and internet connectivity are in place and functional
  • 47. Asset Inventory and Replacement (cont.)
    Estimated cost to replace: $9,435.74
    Item | Source | Quantity | Unit Cost | Total Cost
    Desktop Workstation | Dell Corp | 7 | $679.00 | $4,753.00
    Laptop Workstation | Dell Corp | 3 | $479.00 | $1,437.00
    Server | Dell Corp | 1 | $1,914.44 | $1,914.44
    MFC Printer | Canon | 2 | $148.98 | $297.96
    24 Port Network Switch | Linksys | 1 | $177.99 | $177.99
    Wireless Access Point | Amped Wireless | 1 | $71.99 | $71.99
    5 Port Network Switch | Linksys | 2 | $39.97 | $79.94
    KVM Switch | Office Depot | 1 | $73.49 | $73.49
    Monitors | Walmart | 7 | $89.99 | $629.93
    Total Estimated Costs | | | | $9,435.74
  • 48. DRP/BCP Development Approach
    • Small office with limited resources
    • Key personnel
      • The owner
      • The office manager
    • Mutual Aid and Assistance Memorandum of Understanding
      • Developed from an MOU between the California Emergency Management Agency and the California Dental Identification Team
    • Critical data sources
      • Dentrix database
      • Critical office correspondence
  • 49. DRP/BCP Development Approach (cont.)
    • Critical services
      • Access to an alternative site
      • Procurement and installation of replacement equipment
      • Restoration of Dentrix data and Dentrix operations
      • Restoration of critical office correspondence data
    • Recovery process
      • For loss of the office space, a 5-day plan is described in the Disaster Recovery Plan
      • The plan can be tailored down for loss of critical infrastructure
  • 50. DRP/BCP Development Approach (cont.)
    • Data backup and recovery plan
      • Continue to use the external hard disk drives
      • Need to run the Dentrix backup process from the Server Administration Utility (a plain copy of the D: drive does not capture the database)
      • Need to test encryption of the backup drives
      • No data restoration procedures have been written at this time
        • Dentrix restoration requires the removal of all database files
        • The office does not have a second server system on which to test a restoration
        • Restoration procedures have been added to the POA&M
    • Equipment restoration plan
      • Cost was a driving concern
      • Chose business-class hardware for the server and workstations
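The backup finding above (a daily copy of the D: drive that captured none of the Dentrix data, and no written restoration procedure) is the kind of failure a content check catches before the day a restore is actually needed. The following is an added example, not part of Team Ruby's deliverables or of any Dentrix tooling: it builds a SHA-256 manifest of a source tree and of its backup and reports files that are missing from the backup, files whose contents differ, and required subtrees (here, the practice database directory) that are absent altogether. The directory layout, file names and the `PracticeDB` folder are constructed for the demo; the real Dentrix data layout is an assumption, not taken from the page.

```python
"""Backup-content verification: confirm a backup actually contains the data it
is supposed to protect, instead of trusting that a copy job ran.

Added example (not part of the Team Ruby deliverables or of Dentrix). The
directory layout and file names are constructed for the demo; the real
practice-management data layout is an assumption."""

import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_backup(source: Path, backup: Path, required: tuple[str, ...]) -> dict:
    """Compare a backup tree against its source tree.

    Reports source files missing from the backup, files whose content differs,
    required subtrees (e.g. the database directory) absent from the backup,
    and an overall pass/fail."""
    src, dst = build_manifest(source), build_manifest(backup)
    missing = sorted(p for p in src if p not in dst)
    mismatched = sorted(p for p in src if p in dst and src[p] != dst[p])
    required_missing = sorted(
        r for r in required
        if not any(p == r or p.startswith(r + "/") for p in dst)
    )
    return {
        "source_files": len(src),
        "backup_files": len(dst),
        "missing": missing,
        "mismatched": mismatched,
        "required_missing": required_missing,
        "ok": not (missing or mismatched or required_missing),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    """Create a file (and its parent directories) under root."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: a 'D: drive' copy that silently omits the database
    directory, mirroring the finding that the daily copy captured none of the
    practice-management data. Layout and names are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "server_d"), Path(tmp, "external_hdd")
        _write(source, "Correspondence/referral_letter.docx", b"letter")
        _write(source, "Correspondence/insurance_eob.pdf", b"eob")
        _write(source, "PracticeDB/patients.db", b"\x00" * 64)  # hypothetical DB file
        _write(source, "PracticeDB/ledger.db", b"\x01" * 64)    # hypothetical DB file
        # The copy job picked up the documents but not the (locked) database
        # files, and one document on the backup is a stale earlier version.
        _write(backup, "Correspondence/referral_letter.docx", b"letter")
        _write(backup, "Correspondence/insurance_eob.pdf", b"old eob")
        return verify_backup(source, backup, required=("PracticeDB",))


if __name__ == "__main__":
    report = demo()
    print("backup check:", "PASS" if report["ok"] else "FAIL")
    for key in ("missing", "mismatched", "required_missing"):
        for item in report[key]:
            print(f"  {key}: {item}")
```

Run against the real server and the external drive, the `required` tuple would name the database directory the vendor's backup utility writes; a PASS from this check still says nothing about whether the backup is encrypted or restorable, which is why the restoration test on the POA&M remains a separate step.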
  • 52. Managing Enterprise Risk
    Key activities in managing enterprise-level risk, i.e. risk resulting from the operation of an information system:
    • Categorize the information system
    • Select a set of minimum (baseline) security controls
    • Refine the security control set based on risk assessment
    • Document the security controls in the system security plan
    • Implement the security controls in the information system
    • Assess the security controls
    • Determine agency-level risk and risk acceptability
    • Authorize information system operation
    • Monitor security controls on a continuous basis
  • 53. Publication Overview
    • NIST Special Publication 800-18 (Security Planning)
    • FIPS Publication 199 (Security Categorization)
    • NIST Special Publication 800-60 Vol. 1 & 2 (Security Category Mapping)
    • FIPS Publication 200 (Minimum Security Requirements)
    • NIST Special Publication 800-53 Rev. 4 (Security and Privacy Controls)
    • NIST Special Publication 800-30 (Risk Assessment)
    • NIST Special Publication 800-66 Rev. 1 (Guide for Implementing HIPAA)
    • ISO/IEC 27000 (Establishing an Information Security Management System, ISMS)
    • ISO/IEC 27002 (Code of practice for information security controls)
    • NIST Special Publication 800-53A (Security Control Assessment)
    • NIST Special Publication 800-37 (Certification & Accreditation)
    Source: NIST SP 800-18, p. 11
  • 54. Categorizing Information and Information Systems
    Purpose
    • Enabled Soft Touch Dentistry to implement appropriate controls in a cost-effective manner, based on the potential impact to defined security objectives.
    Objectives
    • CONFIDENTIALITY: the loss of confidentiality is the unauthorized disclosure of information (e.g. ePHI)
    • INTEGRITY: the loss of integrity is the unauthorized modification or destruction of information (e.g. payment modifications)
    • AVAILABILITY: the loss of availability is the disruption of access to or use of information or the information system (e.g. ransomware)
    Impacts
    • A categorization of LOW means a limited adverse effect on the organization's mission
    • A categorization of MODERATE means a serious adverse effect on the organization's mission
    • A categorization of HIGH means a severe or catastrophic adverse effect on the organization's mission
    Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.
    (Source: FIPS 199, Table 1, p. 6)
  • 55. Categorizing Information Types
    Identification of information types: information is categorized according to its information type. An information type is a specific category of information, for example:
    • Privacy
    • Proprietary
    • Medical
    • Financial
    Soft Touch Dentistry critical information:
    • Personally Identifiable Information (PII)
    • Patient health information (ePHI)
    • Patient credit card and insurance billing information
    Source: NIST SP 800-60 Vol. 1, p. 16
56. Categorizing Information Types
D.14.4 Health Care Delivery Services Information Type
Supports the delivery of health care, planning of health services and the managing of clinical information and documentation. The recommended provisional security categorization for health care delivery services information is as follows:
Security Category = {(confidentiality, Low), (integrity, High), (availability, Low)}
Confidentiality
The confidentiality impact level is the effect of unauthorized disclosure of health care delivery services information on the ability of responsible agencies to provide and support the delivery of health care to their beneficiaries; in general, such disclosure will have only a limited adverse effect on agency operations, assets, or individuals.
Special Factors Affecting Confidentiality Impact Determination: In some cases, unauthorized disclosure of this information, such as privacy-protected medical records, can have serious consequences for agency operations. In such cases, the confidentiality impact level may be moderate.
Source: NIST SP 800-60 Vol 2 Pg 171
57. System Categorization
Provisional Impact Levels
• Recommended Integrity Impact Level: Because of the potential for the loss of human life, the provisional integrity impact level recommended for health care delivery services information is high. (Source: NIST SP 800-60 Vol 2 Pg 172)
Review and Adjust Impact Levels
• Organizations should: (i) review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing; (ii) adjust the security objective impact levels as necessary using the special factors guidance found in Volume II, Appendices C and D; and (iii) document all adjustments to the impact levels and provide the rationale or justification for the adjustments. (NIST SP 800-60 Vol 1 Pg 23)
Final Information System Categorization was Evaluated as Moderate
58
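The three-step categorization above (provisional levels, adjustment, documented rationale) rolled up with the FIPS 199 / FIPS 200 high-water mark, as an added example that is not part of the team's deliverables. Only the health care delivery provisional levels come from the slides; the adjustment rationales and the billing information type's levels are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordinal ranking of the FIPS 199 impact levels.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One SP 800-60 information type: provisional levels plus documented adjustments."""
    name: str
    provisional: dict                                # objective -> level
    adjustments: dict = field(default_factory=dict)  # objective -> (level, rationale)

    def final_levels(self):
        """Step (ii): apply each documented adjustment to the provisional level."""
        levels = dict(self.provisional)
        for objective, (level, _why) in self.adjustments.items():
            levels[objective] = level
        return levels


def high_water_mark(*levels):
    """Return the highest FIPS 199 impact level among those given."""
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types):
    """Roll information types up into a system categorization.

    Per objective: high-water mark across the information types (FIPS 199).
    Overall: high-water mark across the three objectives (FIPS 200); that level
    selects the SP 800-53 baseline. Step (iii) rationale lines are returned too.
    """
    per_objective = {obj: high_water_mark(*(t.final_levels()[obj] for t in info_types))
                     for obj in OBJECTIVES}
    overall = high_water_mark(*per_objective.values())
    rationale = [f"{t.name}/{obj}: {t.provisional[obj]} -> {lvl} ({why})"
                 for t in info_types for obj, (lvl, why) in t.adjustments.items()]
    return per_objective, overall, rationale


# Constructed input: only the health care delivery provisional levels come from the
# slide; the adjustments and the billing type's levels are illustrative assumptions.
SOFT_TOUCH_TYPES = [
    InfoType("Health care delivery services",
             {"confidentiality": "low", "integrity": "high", "availability": "low"},
             {"confidentiality": ("moderate", "privacy-protected medical records (ePHI)"),
              "integrity": ("moderate", "assumed: no life-critical treatment data in scope")}),
    InfoType("Patient card and insurance billing",
             {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"}),
]
```

Without the documented integrity adjustment, the provisional High for health care delivery would drive the whole system to High and a larger SP 800-53 baseline; with it, the system lands at Moderate as the deck reports.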
58. NIST Security Control Selection
FIPS 200 – Provides the minimum security requirements covering seventeen (17) security-related areas.
• States that the selected set of controls must include at least one baseline
• Must include all controls in the baseline unless exceptions are based on tailoring
NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• 18 Control Families
  • Seventeen control families for an information system
  • One control family focusing on organization-wide requirements (Program Management)
• Provides a tailored set of baseline security controls based on overall system categorization
  • 159 Controls based on an information system categorized at the Moderate impact level
• Tailoring Controls
  • Provides a cost-effective, risk-based security approach that supports organizational mission/business needs.
  • Identifying Common Security Controls
  • Apply Scoping Considerations
  • Select Compensating Controls
  • Supplement with Control Enhancements
  • Documentation
59 National University Jim
59. ISO 27002 Security Control Selection
ISO 27002 Security Techniques, Code of Practice for Information Security Controls
• International standard intended to be used as guidance for organizations implementing commonly accepted information security controls
• States that security controls from any or all clauses could be important; therefore each organization applying this standard should identify applicable controls based on how important they are to the specific application
• Contains the actual “best practices” details of what goes into building a comprehensive IT security program
• The selection of controls is dependent upon organizational decisions based on organizational risk acceptance
• May be regarded as a starting point for developing organization-specific guidelines
• 14 Security Clauses (Policies, Human Resource Security, Access Control etc.)
• 35 Security Control Categories (Policies for Information Security, Review of Policies)
  • Objective
• 114 Controls
  • Implementation Guidance
  • Other Information
60 National University Jim
61. Implementing Controls
• Developed Policies
• Patched Software
• Developed Training
• Implemented Access Controls
  • Unique user accounts
  • Strong passwords
  • Group Policy Objects
• Changed Default Passwords
• Made recommendations in POA&M
62 National University Jim
63. Proposed Cost of the Project
64 National University Perry
64. HIPAA Fine Breakdown
• Covered entity was not aware of the violation
  • $100 per violation
  • Not to exceed $25,000
• Violation occurred due to “reasonable cause”
  • $1,000 per violation
  • Not to exceed $100,000
• Due to willful neglect
  • $10,000 per violation
  • Not to exceed $250,000
• Due to willful neglect, violation is not corrected
  • $50,000 per incident
  • Not to exceed $1,500,000
65 National University Perry
67. Lessons Learned
• Project management is the key to completing these assessments. Learning project management while doing the project produced lessons that came too late to apply to this project
• Small businesses are challenged to maintain compliance with federal regulations
• Understanding the current environment (personnel, equipment, etc.) is important prior to finalizing the project scope and statement of work
• Creating a work breakdown structure eliminates confusion over task assignments
68 National University Jim
68. Conclusion
• Project Overview
• Project Schedule
• HIPAA
• HIPAA Wireless Audit
• Vulnerability Assessment
• DRP/BCP
• Security Plan Development
• Cost Avoidance
Project Value
• Provided a no-cost vulnerability and HIPAA assessment that resulted in the implementation of controls that significantly hardened the Soft Touch Dentistry information system against attack. Policies and training were also developed that position the organization to take control of its cybersecurity posture in the future.
69 National University Jim