Health Care Security Essentials
Health Care Security Essentials is designed to provide SANS students with an introduction to current and emerging issues in health care information security and regulatory compliance. The class provides a foundational set of skills and knowledge for health care security professionals by integrating case studies, hands-on labs, and tips for securing and monitoring electronic Protected Health Information ("ePHI"). Administrative insights for those managing the many aspects of health care security operations will also be discussed. The goal of the course is to present a substantive overview and analysis of relevant information security subject matter that is having a direct and material impact on the U.S. health care system.
HST.1: Day 1
Thu May 14th, 2015
9:00 AM - 5:00 PM
Module 1: Overview of Health Care Information Security
The theft of sensitive health care information continues to challenge covered entities and business associates alike. Increased regulation combined with a dynamic threat landscape requires today's health care information security professional not only to understand the intent of relevant legislation but also to know how best to assist the business with meeting regulatory demands while monitoring and sustaining the protection of patient data and customer information.
The first module of the class focuses on current threats to health care information systems and data. We will examine how and why patient information is being targeted as well as key trends, including, but not limited to, the commercialization of malicious software, medical identity theft, insider threats, mobile device proliferation, cloud computing, and poor operational governance. The module will conclude with a discussion of common sources of health care data breaches and practical countermeasures.
Module 2: HIPAA Security 2.0
The HIPAA Security Rule has presented its share of challenges for health care organizations over the past several years, yet relatively lax enforcement led many covered entities to delay their commitment to a sustainable compliance program. However, the final omnibus rule has made notable changes to HIPAA compliance obligations while also broadening the law's enforcement provisions.
Module 2 will provide attendees with an overview of the HIPAA Security Rule and its context, with close attention paid to the rule's structure, safeguards, and the implementation specifications governing ePHI. Students will also examine breach notification requirements and conclude the module by reviewing the security implications of Electronic Medical Records ("EMRs") and Meaningful Use.
CPE/CMU Credits: 6
- Introduction, Course Overview & Goals
- Health Care Threat Landscape Overview
- Why Target Patient Data and Health Care Systems?
- The Influence of Organized Criminal Markets
- Malware Commercialization
- Medical Identity Theft
- Insider Threat
- Exercise 1: Department of Health and Human Services (HHS) Data Breach Analysis. During this exercise attendees will examine recent HHS breach data and be tasked with identifying key trends and potential root cause(s). While root cause analysis is not provided by HHS, students can engage in identifying possible failures in administrative, physical, and technical controls, and what could have been done to mitigate the potential risk. Some trends, such as "Hacking/IT Incidents" and their correlation to network situational awareness, are not so obvious and are likely grossly under-reported at present. The overall goal of the exercise is to assist the student with understanding the value of examining publicly disclosed data breach information sources while considering whether their own organization is prepared to handle such scenarios. The trends identified during this initial review can then serve as a central theme for additional class exercises, taking real-world scenarios and extracting audit and information security considerations from them. The initial lab will also provide a good discussion point for ongoing health care security challenges and for the subsequent labs involving data encryption, log management, and security auditing.
- Exercise 1 discussion
- Mobile Device Proliferation & Management in Health Care
- Opportunities & Risks in the Cloud
- HIPAA Overview
- Introduction to the HIPAA Security Rule
- HIPAA Security Rule - Structure
- HIPAA Security Rule - Administrative Safeguards
- HIPAA Security Rule - Physical Safeguards
- HIPAA Security Rule - Technical Safeguards
- Exercise 2: ePHI Exposed. During this exercise students will review a real-world case study involving a hacked web server that contains ePHI. As part of the exercise, students will first identify the issue, then determine whether patient data is at risk and what the potential implications are from a regulatory compliance perspective. The case study will be accompanied by mock, yet realistic, HIPAA Security policies that are intentionally deficient in content, organizational ownership, and enforcement. The overall goal of the exercise is to assist the student with understanding the importance of well documented, implemented, monitored and enforced HIPAA Security policies and procedures (and what can arise if they are deficient) as well as a logical workflow for health care breach response/incident handling. This exercise also supports the final lab of the day on data encryption and shows how effective log management might have detected the intrusion before a breach of ePHI occurred.
- Exercise 2 discussion
- HIPAA Security Rule - Policies, Procedures, and Documentation
- HIPAA Security Rule - Enforcement
- HIPAA Security Rule - Business Associates
- Electronic Medical Records Overview
- EMRs and Security Implications
- Exercise 3: Encrypting sensitive data using GPG and Microsoft RMS. During this exercise students will build upon the prior examples and lessons learned by gaining hands-on experience creating a public and private key pair with GNU Privacy Guard. The keys will then be used to encrypt and transmit faux PHI. A second component of this lab will entail the use of Microsoft RMS to protect PHI at rest and in transit. The intent of this lab is to demystify the use of encryption, demonstrate a practical application, show how both open community and vendor-supported software can protect ePHI at rest and in transit, and reinforce how the use of such software can assist an organization with its regulatory compliance obligations.
- Day 1 Wrap Up
HST.2: Day 2
Fri May 15th, 2015
9:00 AM - 5:00 PM
Module 3: Risk Analysis & Management
The risk analysis requirement of the Security Rule, §164.308(a)(1)(ii)(A), is a critical compliance component of any HIPAA Security audit program, yet, as recent Centers for Medicare & Medicaid Services ("CMS") audit findings have confirmed, it continues to challenge many covered entities and business associates. Day 2 will begin with a discussion of a risk-based guidance framework to assist health care organizations and other custodians of personal health information with developing an effective risk assessment program, one specifically designed to identify risks to the confidentiality, integrity, and availability of ePHI while meeting Office for Civil Rights ("OCR") expectations.
Module 4: Medical Device Security
The course will conclude by taking the lessons learned from previous modules and attempting to understand their applicability to medical device management. Medical devices, large and small alike, continue to play an essential and growing role in patient care. Today's security professional must understand the risks medical devices may present to wired and/or wireless networks, patient data, and end users and how those risks should be appropriately managed.
CPE/CMU Credits: 6
- Exercise 3 discussion
- The HIPAA Security Rule and Risk Analysis
- Key Risk Analysis Components
- Defining Your Risk Analysis Program
- Risk Assessment Considerations
- Identifying ePHI Assets
- Risk Based Valuation
- ePHI Threat Identification
- Risk Management Considerations
- Exercise 4: Identifying Workstation/Laptop Risks using Security Onion & OSSEC. The required implementation specification Information System Activity Review, §164.308(a)(1)(ii)(D) of the HIPAA Security Rule, requires Covered Entities and Business Associates to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." During this exercise students will utilize OSSEC, an open source host-based intrusion detection system capable of performing several useful functions including log analysis, file integrity checking, policy monitoring, rootkit detection, and real-time alerting and active response. The overall goal of this exercise is to present a highly functional open source software package that students can utilize not only to monitor select Windows and *nix OS files, but also other HIPAA Security related controls. Note, this lab may also utilize the Security Onion network security monitoring distribution.
- Exercise 4 discussion
- Risk & Cost Benefit Analysis
- Risk Management Strategies & Available Frameworks
- Common HIPAA Security Risk Analysis Failures & How to Avoid Them
- An Introduction to Regular Expressions
- Exercise 5: Finding ePHI Through the Use of OpenDLP. Identifying where ePHI exists within an organization is a critical component of an effective risk analysis. During this exercise students will learn how to utilize regular expressions to search for sensitive information, such as ePHI, that may exist within their networked environment and on their local machines. The exercise will make use of native Windows OS/Linux functionality as well as select open community tools. The overall goal of the exercise is to assist the student with understanding how regular expressions work and how they can be utilized within their environment. Quite often, health care organizations simply do not know where ePHI resides; this exercise may offer some considerations that can help, even for those with a limited budget. Additionally, many data loss prevention ("DLP") tools rely on similar pattern matching, and the exercise will also assist with understanding the potential power, and the false-positive burden, of DLP.
- Exercise 5 discussion
- Medical Device Introduction
- Ecosystem & Governing Bodies
- Medical Devices & PHI
- Medical Devices & Security Risks
- Medical Device Security Assessments & Testing
- Exercise 6: Medical Device Case Study. This case study will examine the use of wireless technologies and medical devices and require students to sort through and document associated risks to the device, the patient, and the corresponding usage environment. Techniques for managing medical device risk will then be explored.
- Exercise 6 discussion
- Course Conclusion
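The Information System Activity Review specification quoted under Exercise 4 asks for regular review of audit logs and access reports. The following is an added example, not course material and not OSSEC code, of what such a review can look like once EMR access logs are collected centrally: it parses a constructed, hypothetical key=value log format, then flags users who touch an unusually large number of distinct patients and any access outside business hours. The log lines, the field names, and the thresholds (25 patients, 07:00 to 19:00) are assumptions for illustration.

```python
"""Review constructed EMR access-log lines for two common HIPAA audit signals.

Added example. The log format, user names and thresholds are hypothetical;
a real deployment would read these from the EMR's audit export or a SIEM.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical format: "<ISO timestamp> user=<id> action=<verb> patient=<id> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    patient: str


def parse_events(lines):
    """Parse well-formed lines into Events; return (events, malformed_count).

    Malformed lines are counted rather than silently dropped, because a sudden
    rise in unparseable records is itself worth a reviewer's attention.
    """
    events, malformed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"],
                            m["action"], m["patient"]))
    return events, malformed


def review(events, max_patients=25, day_start=7, day_end=19):
    """Return sorted (rule, user, count) alerts for the review period.

    high_volume: a user accessed more than max_patients distinct patients.
    after_hours: a user accessed records outside [day_start, day_end) hours.
    """
    patients_by_user = defaultdict(set)
    after_hours_by_user = defaultdict(int)
    for e in events:
        patients_by_user[e.user].add(e.patient)
        if not day_start <= e.ts.hour < day_end:
            after_hours_by_user[e.user] += 1

    alerts = [("high_volume", user, len(patients))
              for user, patients in patients_by_user.items()
              if len(patients) > max_patients]
    alerts += [("after_hours", user, n) for user, n in after_hours_by_user.items()]
    return sorted(alerts)


def sample_log():
    """Constructed sample: one normal clinician, one bulk reader, one night access."""
    lines = [f"2015-05-14T10:0{i}:00 user=nurse1 action=VIEW patient=MRN000100{i} src=10.1.4.22"
             for i in range(5)]
    lines += [f"2015-05-14T14:{i:02d}:00 user=billing2 action=VIEW patient=MRN00{i:05d} src=10.1.9.7"
              for i in range(30)]
    lines.append("2015-05-14T02:13:09 user=dr3 action=VIEW patient=MRN0045213 src=10.1.4.40")
    lines.append("garbage line that does not match the audit format")
    return lines


if __name__ == "__main__":
    evts, bad = parse_events(sample_log())
    print(f"{len(evts)} events parsed, {bad} malformed")
    for alert in review(evts):
        print(alert)
```

Thresholds like `max_patients` should be tuned per role: a billing clerk reading 30 charts in an afternoon may be normal while the same volume from a clinician on another unit is not, which is why the report is keyed by user rather than by a single global count.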
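Exercise 5 and the regular-expressions introduction before it describe searching files for ePHI patterns. The block below is an added example, not the OpenDLP rule set and not course material, of a small scanner of that kind: it matches SSNs, dates of birth, phone numbers and a hypothetical medical record number format, filters SSN matches that can never be valid (area 000, 666 or 900-999, group 00, serial 0000) to cut false positives, and rates a file as likely ePHI only when a person-linking identifier appears alongside another identifier type. The sample text, the MRN format, and the scoring rule are assumptions for illustration.

```python
"""Find candidate ePHI in text with regular expressions.

Added example. Patterns, the "MRN" format and the sample text are assumptions
for illustration; tune them to the identifiers your EMR actually emits.
"""
import re
from dataclasses import dataclass
from pathlib import Path

PATTERNS = {
    # Word boundaries stop an SSN pattern from firing inside longer digit runs.
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    # MM/DD/YYYY with plausible month and day ranges.
    "dob": re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    # US phone: "(555) 123-4567" or "555-123-4567"; lookbehind avoids digit runs.
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]\d{3}-\d{4}\b"),
    # Hypothetical medical record number: "MRN" then 7-8 digits.
    "mrn": re.compile(r"\bMRN[:# ]?\s*(\d{7,8})\b", re.IGNORECASE),
}


def plausible_ssn(m):
    """Reject SSN-shaped strings the SSA never issues (reduces false positives)."""
    area, group, serial = (int(g) for g in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan_text(text):
    """Return every identifier match in text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "ssn" and not plausible_ssn(m):
                    continue
                findings.append(Finding(line_no, kind, m.group(0)))
    return findings


def likely_ephi(findings):
    """A person-linking identifier (SSN or MRN) plus at least one other kind."""
    kinds = {f.kind for f in findings}
    return bool(kinds & {"ssn", "mrn"}) and len(kinds) >= 2


def scan_tree(root, suffixes=(".txt", ".csv", ".log")):
    """Walk a directory and map each file with findings to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                results[path] = hits
    return results


# Constructed sample: line 3 is an invoice number that merely looks like an SSN,
# line 4 holds SSN-shaped values the filter should reject.
SAMPLE = """\
Patient: Jane Doe  DOB 03/14/1972  MRN 0045213
SSN 219-09-9999 phone (555) 123-4567
invoice 987-65-4320 account 123456789012
bad ssn 000-12-3456 666-12-3456 123-00-1234 123-45-0000
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print("likely ePHI:", likely_ephi(hits))
```

The validity filter matters in practice: invoice, claim and account numbers are often formatted 3-2-4 and will swamp a DLP report unless structurally impossible SSNs are dropped, and even then a match should be treated as a lead for manual confirmation rather than proof that a file contains ePHI.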
Students are required to bring a laptop running Windows or Linux. OS X will work, too.
- DVD Drive
- 30 GB Free Disk space
- 2 GB RAM (4 GB is recommended)
- Microsoft Office or OpenOffice and a PDF reader application
Laptops running Windows or Linux should have VMware Workstation or Player. OS X users should have VMware Fusion.
If you have additional questions about the laptop specifications, please contact email@example.com.