Educause Security Discussion mailing list archives
Re: HIPAA architecture
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 21 Jun 2011 19:04:18 -0400
Dave,

This is a weak spot in HIPAA. It was early legislation and relies on qualitative analysis, with little guidance on how to calibrate your risk-o-meter. The part of HIPAA where the rubber hit the road is in the ARRA HITECH-era enforcement rules. Steep federal, civil and even criminal penalties are now levied for HIPAA breaches. If a breach occurs and willful neglect is found, the Fed's penalty is $50,000 per potentially lost data field, to a max of $1.5M per identical incident. These numbers enable meaningful risk analysis to be conducted in real business terms. The per-field penalty falls to $1k per field when an acceptable compensating control is in place.

One approach might be to determine how many records your HIPAA covered offices hold, and what sort of HIPAA information they contain. Next, develop some plausible risk scenarios, and calculate the losses if a medium-level breach were to occur. Then consider the likelihood (projected annual rate of occurrence). The cost of responding to a breach will likely be far lower than implementing the controls.

HIPAA is closely linked to NIST, and is also supported by ISO 27002. A risk analysis against either of those two references would be pretty solid. I have some example Privacy Impact Analysis and Risk Analysis documents - please let me know if these would be helpful.

On the clinical side of our academic-clinical medical center, we've gone with a variation on your example #2. Users have one computer, and each person uses their own credentials, sometimes authenticated via prox card - usually at shared (e.g. nursing) stations. The desktop image is hardened and centrally managed. All of the HIPAA data is in a well-fortressed virtual desktop infrastructure. All users access this via captive portal, either on campus or remotely via SSL-VPN. An added benefit of VDI is that users don't need as much horsepower on their desk, so this could be figured into the cost model.

We're doing similar in some places on the school/research side, but not as broadly as with the clinical system.

Best,
Dan

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Opitz [DOpitz () LOYOLA EDU]
Sent: Tuesday, June 21, 2011 2:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA architecture

Hi,

We are changing our network design for our HIPAA covered offices. I've read PCI requirements and they basically require anything that has access to credit card data to be totally isolated from any other part of your network, giving some specifics on how this must be accomplished. HIPAA isn't that specific - it does require a "risk analysis", but that is subjective and we aren't reaching agreement on what is acceptable risk. We are considering 3 different architectures, and I'm wondering what acceptable level of risk you would be comfortable recommending to your management.

1) Users have 2 computers (or perhaps a thin client) that use an A/B toggle switch to share keyboard/mouse/monitor, with one computer connected to the Internet (for email, web surfing, general use) and the other only to the HIPAA network (isolated via a VLAN or IPsec tunnel).

2) Users have 1 computer, but it is a locked-down configuration (no local admin rights for users, no incoming connections allowed by firewall/ACL rules, quickly patched, etc.). It is allowed to access both the Internet and HIPAA data.

3) One standard PC with a Type 1 (or bare metal) hypervisor running different instances of an operating system, one for Internet access, one for access to secured data. Actually, I'm not sure there is a product that would be easy for a user to use (quickly switch back and forth between OS's without rebooting). Do you know of such a product, and would you consider the hypervisor adequate protection to provide this separation?

Peace,
Dave
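As an added worked example (written here for illustration, not code from Dan or from the list), the scenario-based risk analysis Dan outlines can be put into numbers: count records and PHI fields per scenario, compute the per-incident penalty exposure using the per-field figures and the $1.5M per-incident cap as quoted in his message, multiply by the projected annual rate of occurrence, and compare the annualized loss a compensating control removes against what the control costs per year. The scenarios, record counts, rates and control cost below are constructed sample values, not figures from the thread.

```python
"""Quantitative HIPAA breach-exposure estimate (added example, not from the thread).

Penalty figures are taken as Dan quotes them: $50,000 per potentially lost data
field when willful neglect is found, $1,000 per field when an acceptable
compensating control is in place, capped at $1.5M per identical incident.
Everything else here (scenario names, counts, rates, control cost) is constructed.
"""
from dataclasses import dataclass, replace

PENALTY_PER_FIELD_WILLFUL = 50_000       # $ per field, willful neglect (as quoted)
PENALTY_PER_FIELD_COMPENSATED = 1_000    # $ per field, compensating control (as quoted)
PENALTY_CAP_PER_INCIDENT = 1_500_000     # $ max per identical incident (as quoted)


@dataclass(frozen=True)
class Scenario:
    name: str
    records_exposed: int          # records a medium-level breach would expose
    phi_fields_per_record: int    # identifiable HIPAA fields held per record
    annual_rate: float            # projected annual rate of occurrence (ARO)
    compensating_control: bool    # acceptable compensating control in place?


def single_loss_expectancy(s: Scenario) -> int:
    """Federal penalty exposure for one incident, applying the per-incident cap."""
    per_field = (PENALTY_PER_FIELD_COMPENSATED if s.compensating_control
                 else PENALTY_PER_FIELD_WILLFUL)
    uncapped = s.records_exposed * s.phi_fields_per_record * per_field
    return min(uncapped, PENALTY_CAP_PER_INCIDENT)


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO, the usual quantitative risk formula."""
    return single_loss_expectancy(s) * s.annual_rate


def with_control(s: Scenario) -> Scenario:
    """Same scenario, but with an acceptable compensating control in place."""
    return replace(s, compensating_control=True)


def ale_reduction(s: Scenario) -> float:
    """Annual exposure removed by adding the compensating control to scenario s.

    Note the cap: when uncapped exposure already exceeds $1.5M with the control in
    place, the control buys no penalty reduction at all for that scenario.
    """
    baseline = replace(s, compensating_control=False)
    return annualized_loss_expectancy(baseline) - annualized_loss_expectancy(with_control(s))


def control_is_justified(scenarios, annual_control_cost: float) -> bool:
    """True when the summed ALE reduction across scenarios exceeds the control's yearly cost."""
    return sum(ale_reduction(s) for s in scenarios) > annual_control_cost


# Constructed sample scenarios for a small covered office (not real data).
LAPTOP = Scenario("lost unencrypted laptop", records_exposed=20,
                  phi_fields_per_record=5, annual_rate=0.2, compensating_control=False)
FAX = Scenario("misdirected fax", records_exposed=1,
               phi_fields_per_record=3, annual_rate=2.0, compensating_control=False)
SAMPLE_SCENARIOS = (LAPTOP, FAX)


def main() -> None:
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name:26s} SLE=${single_loss_expectancy(s):>10,} "
              f"ALE=${annualized_loss_expectancy(s):>12,.0f} "
              f"saved by control=${ale_reduction(s):>12,.0f}")
    for cost in (200_000, 600_000):
        print(f"control at ${cost:,}/yr justified: "
              f"{control_is_justified(SAMPLE_SCENARIOS, cost)}")


if __name__ == "__main__":
    main()
```

The cap is the part worth watching: a single lost laptop holding even 20 records saturates the $1.5M per-incident maximum under willful neglect, so the dollar difference a control makes shows up mainly in the reduced per-field rate, and high-frequency small incidents (the fax case) can carry as much annualized exposure as the rarer large one.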