What You Will Learn
One of the challenges organizations face in complying with the Health Insurance Portability and Accountability Act (HIPAA) is that the act's regulatory and privacy standards are not prescriptive enough to help organizations build an effective security and compliance program. Audit and assessment engagements with government agencies such as the Office for Civil Rights (OCR) and with state attorneys general during and after reportable data breaches or privacy-related security incidents can be overwhelming to navigate without previous knowledge or experience.
To address tight budget restrictions, many healthcare organizations promote security and compliance team members from within in order to cultivate and retain talent internally. These professionals have a wide range of experience and skill sets. The SANS SEC474 course can help organizations level-set and prepare their healthcare compliance and security staff by sharing first-hand knowledge and experience.
The goal of this course is to show that HIPAA compliance in itself is neither an antidote nor a cure for the shortcomings of an organization's healthcare security. The ultimate goal is to develop, maintain, and demonstrate a secure environment for the organization by implementing repeatable processes based on industry best practices. When that is achieved, evidence of HIPAA compliance is a by-product of those efforts.
Healthcare organizations in the United States face two major challenges: first, to properly secure the organization against tactical risk, and second, to achieve compliance with the array of government regulations known as HIPAA. This course will help students develop the skills to make measurable improvements to the overall security posture of their organization's IT infrastructure while also building and maintaining a compliance program. Using the safeguards of the HIPAA Security Rule along with NIST SP 800-66 to identify and assess risk, students will learn how to report progress on their compliance activities and their security value in support of the organization's mission.
Students will gain skills and knowledge in SEC474 that they will be able to use on their first day back at work. Students will leave the classroom knowing what it takes to establish and nurture a culture of compliance where both compliance and business objectives are promoted as a singular goal. They will be able not only to assess compliance, but also to measure the maturity and effectiveness of compliance activities.
You Will Be Able To
- Tackle the challenges at hand - many HIPAA compliance regulations run counter to business objectives, so we will explore why this is and how to overcome the issue.
- Interpret the Security Rule text in-depth, including an analysis of every line item of the regulation and what it means to your organization.
- Draft sound policy that supports business as well as compliance objectives.
- Perform a risk assessment, enumerate threat data, analyze vulnerabilities, and select proper safeguards to lower risk.
- Define the value of the compliance program for the organization.
- Create a culture of compliance.
- Establish lines of communication and reporting channels.
- Understand the value of internal monitoring and auditing by learning the key components of a continuous monitoring, reporting, and improvement program.
- Promote a culture of compliance.
This Course Will Prepare You To
- Take steps to meet compliance standards, particularly those of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Protect your healthcare organization from cyber-threats, unintended data disclosures, and mishandling of data in the enterprise
- Understand the most prevalent security concerns specifically around the healthcare industry such as data disclosures, ransomware, unauthorized access and modification, incident response, and business continuity planning
- Apply the HIPAA Security Rule in practice
- Build an organizational security plan
- Understand the job roles in a compliance program
The hands-on labs will teach you practical actions to protect a healthcare-based environment. The labs draw on real-world examples. Each lab has step-by-step instructions that enable you to learn new skills or become even more knowledgeable and skilled with the cybersecurity techniques and procedures you already know.
- Lab Install: Initial download and installation of lab VM where the referenced software and data reside, ensuring students have the core resources needed to complete the remainder of the labs.
- Rules of the Road: Use raw field data from a site assessment walk-through and enter the results into the assessor, placing the data in the most appropriate sections, so that students become comfortable navigating both the assessor and the ticketing system provided in the lab software.
- Identifying Vulnerabilities and Threats: Analyze and prioritize vulnerabilities in ticketing systems referencing organizational policies and procedures in order to ensure that students are comfortable with navigating the policy manager software provided in the lab VM.
- Mapping and Scoring Assessment Maturity Ratings: Analyze assessment report results and enter the appropriate maturity scale (1-4) based on the evidence provided in order to ensure that students are familiar with the rating and scoring process within the assessor software.
- Safeguards and Storage: Review ticket requests and security incidents common in the healthcare industry and make appropriate decisions based on the evidence and information obtained from key departments outside of security. This lab requires students to apply critical thinking to a number of key factors.
- Measuring Response Effectiveness: Analyze a recent Ryuk ransomware security incident report to measure response effectiveness as it relates to current trends in cybersecurity, specifically in the healthcare industry. Using the MITRE ATT&CK framework, students will also have a bonus challenge to unmask the suspected threat group responsible for the attack!
- Finalizing a Telecommute Policy: Review a drafted telecommute policy that is missing key security and compliance elements. Students will need to address common challenges faced during the COVID-19 pandemic, enabling remote workers to securely continue operations from home.
- Business Impact Analysis (BIA) for Telehealth Services: Analyze and review a recently updated BIA for telehealth services. Students will respond to an email from the IT Director on the overall business impact and recovery time objective score information derived from the BIA.
- Initial Assessment for Telehealth Services: Review and assess three software/hardware platforms for delivering telehealth services and engaging with patients remotely. Students will assess the security controls of each proposed solution and list the pros and risks associated with each platform. They will then recommend which telehealth platform should be selected, with supporting reasoning that takes into consideration the recent guidelines issued by the U.S. Department of Health and Human Services (HHS) during the pandemic.
- Reporting to Management: Review and complete missing sections of the annual Information Security Report to the executive board by looking up tickets within the ticketing system and contacting key individuals by email to obtain additional information and context to provide to the CIO for an upcoming board meeting. Students will take elements and data points gathered from previous labs to enter in final updates.
What You Will Receive
- Physical and digital workbooks
- Virtual Machine tailored to the course
- HIPAA-Based Risk Assessment Tool
Syllabus (12 CPEs)
This course section introduces the student to the HIPAA regulations and how they support, and occasionally conflict with, organizational goals of patient care and privacy. The student will learn the fundamentals of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HITECH, and the Omnibus Rule.
This course focuses on effectiveness and maturity by exploring the following key questions:
- Is there written documentation?
- Is there a process in place?
- Is the process automated or manual?
- Can effectiveness be demonstrated with metrics?
We will also explore strategies to align with healthcare objectives and focus on the effectiveness and maturity of security activities. Students will learn the importance of physical security in safeguarding electronic protected health information (ePHI). The section concludes with a discussion on defining the value of the compliance program to align with business needs.
- Rules of the Road: Using raw field data from a site assessment walk-through and entering results into an assessor, this exercise ensures that students are comfortable with navigating both the assessor and ticketing provided in lab software and entering data into the most appropriate sections.
- Identifying Vulnerabilities and Threats: This exercise involves analyzing and prioritizing vulnerabilities in ticketing systems and referencing organizational policies and procedures. The aim is to ensure that students are comfortable with navigating the policy manager software provided in the lab virtual machine.
- Mapping and Scoring Assessment Maturity Ratings: This exercise involves analyzing assessment report results and entering the appropriate maturity rating (1-4) based on the evidence provided. The aim is to ensure that students are familiar with the rating and scoring process within the assessor software.
- Safeguards and Storage: This exercise involves reviewing ticket requests and security incidents common in the healthcare industry and making appropriate decisions based on the evidence and information obtained from key departments outside of security. These skills require students to use critical thinking based on a number of key factors.
- Measuring Response Effectiveness: In this exercise, students will analyze a recent Ryuk ransomware security incident report to measure response effectiveness as it relates to current trends in cybersecurity, specifically in the healthcare industry. Using the MITRE ATT&CK framework, students will also have a bonus challenge to unmask the suspected threat group responsible for the attack!
- Understanding the Challenge
- Healthcare is one of the most vulnerable and attacked industries
- ePHI has value to the organization and the adversary
- HIPAA is something you must do - it's the law
- The organization may not see the value
- HIPAA does not always align with healthcare objectives
- HIPAA, HITECH, and the Omnibus Rule: An Exploration of the Laws and Regulations that Affect Covered Entities
- Applying the HIPAA Security Rule Using the NIST Cybersecurity Framework Security Objectives to:
- Exploring the Security Rule Safeguards and How to Apply Them in a Healthcare Setting
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Risk Analysis
- CIA triad
- Least privilege and separation of duties
- Prevent/Detect/Corrective action (response)
- Due care
- Types of Attacks
- Other Frameworks
- CIS Critical Security Controls
- Physical Security
- Contingency operations
- Facility security plan
- Access control
- Maintenance records
- Workstation security
- Device and media controls
- Data backup
- Define the Value of Your Compliance Program
- Security axioms
- Security vs. compliance
- Supervisory safeguards
- Assessment vs. audit
This course section focuses on security and compliance efforts, including identifying key roles, contracts, and other documents. The goal is to teach the student how to design organizational structures with outcomes that ensure compliance. Students will learn the dual roles of culture and policy to ensure that compliance mandates are met. They'll also learn to use written procedures and standards to define management intent, as well as how to use training and awareness to ensure compliance. We'll wrap up the course section by examining the importance of continuous improvement and the measurement of success through continuous monitoring, auditing, and reporting. Students will learn techniques for proper communication of risk to leadership.
- Finalizing a Telecommute Policy: In this exercise, students will review a drafted telecommute policy that is missing key security and compliance elements. Students will need to address common challenges faced during the COVID-19 pandemic, including how to best enable remote workers to continue operations from home securely.
- Business Impact Analysis (BIA) for Telehealth Services: This exercise involves analyzing and reviewing a BIA for telehealth services that has been recently updated. Students will respond to an email from the IT Director on overall business impact and recovery time objective score information that is derived from the BIA.
- Initial Assessment for Telehealth Services: Students will review and assess three software/hardware platforms for delivering telehealth services and engaging with patients remotely. Students will assess the security controls of each proposed solution and list the pros and risks associated with each platform. They will then recommend which telehealth platform should be selected, with supporting reasoning that takes into consideration the recent guidelines issued by the U.S. Department of Health and Human Services during the pandemic.
- Reporting to Management: In this exercise, students will review and complete missing sections of the annual BHHS Information Security Report to the executive board by looking up tickets within the ticketing system and contacting key individuals by email to obtain additional information and context to provide to the CIO for an upcoming board meeting. Students will take elements and data points gathered from previous labs to enter in final updates.
- Culture and Policy
- The HIPAA Security Officer
- The HIPAA Privacy Officer
- Business Associate Agreements and contracts
- Data Owners
- Draft and Disseminate Written Policies
- Policy vs. Procedure
- Training and Awareness
- Compliance Officers
- Managing access control
- Incident Response and Contingency Planning
- Implement Written Procedures and Standards
- Conduct Internal Monitoring and Auditing
- Levels of monitoring
- Audit controls
- Cloud computing
- Promote a Culture of Compliance
- Data Owner assignment
- Password management
- Strong authentication
- Continuous Monitoring, Reporting, and Improvement
- Establishing lines of communication
- Reporting channels
- Breach reporting
- Periodic evaluations
- Basic knowledge of and experience with HIPAA or healthcare security
- Knowledge of how to use a Virtual Machine
- Prior completion of SANS SEC301 or a similar course is helpful but not required
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.
Baseline Hardware Requirements
- CPU: 64-bit Intel i5/i7 2.0+ GHz processor
- BIOS: Intel VT-x virtualization enabled
- USB: 3.0 Type-A Port
- RAM: 8 GB (4 GB minimum)
- Hard Drive Free Space: 30 GB
- Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
Additional Hardware Requirements
The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.
Network, Wireless Connection
- A wireless 802.11b/g/n/ac network adapter is required.
Additional Software Requirements
- PDF reader: Google Chrome, Adobe Acrobat, or another PDF reader.
Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x, or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.
VMware Workstation Pro and VMware Player on Windows 10 are not compatible with the Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the class if they are enabled on your system.
Your course media will be delivered via download. The media files for class can be large, some in the 40 to 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speeds vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"Throughout my career in securing healthcare organizations and human subjects research, the question I was asked time and time again was simply, 'Are we HIPAA compliant?' I didn't know how to answer this simple question, and after many years I finally realized why I didn't have a good answer. This wasn't the right question! The problem with HIPAA compliance efforts in most organizations is that their focus is on producing evidence of compliance.
"This focus on evidence to pass a compliance audit has been the wrong approach to HIPAA all along. Neither was this approach the true intent of the regulations to begin with. I wrote this course to help show students the right approach to securing a healthcare organization. When you take the right approach, the evidence your efforts produce is what demonstrates your compliance. In this course, we will explore how to change the question, and then have the right answers." - Doc Blackburn
"Having spent over 20 years as a cybersecurity professional, leader, and educator, I have discovered that healthcare is a unique industry with a wide range of disciplines and services to navigate. There are many aspects to consider when it comes to achieving effective security and regulatory compliance controls for healthcare organizations. The course content, examples, and labs in SEC474 are based on real-world healthcare industry experiences. The course is designed to evoke critical thinking from various compliance- and security-related roles that need to engage and communicate with one another to successfully protect the organization. The resources and labs are highly interactive and emulate common challenges and scenarios faced in healthcare." - DJ McArthur
"As a developer, I spent several years seeing the direct impact of HIPAA audits on my customers. I was often asked for an application or program to help them become compliant, which proved to be an impossible task. This course was designed from the ground up with usable, implementable strategies that you can take back to work and be effective. Concrete examples and labs with direct, hands-on scenarios drive home the concepts discussed in the course and make the abstract ideas of HIPAA compliance clear and understandable." - Aaron Cure