HIPAA Security Case Studies for Small and Medium Healthcare
Systems Criticality Matrix

System                                                    Confidentiality  Integrity  Availability
CPSI Hospital Information System                          H                H          H
Exchange Server MV5000-1                                  H                H          H
EXT Old Hospital System with Records                      H                H          H
NF3400-1 User Files, Accounting, and Encoder Software     H                H          H
Pyxis Systems Pharmacy and Inventory                      H                H          H
Dictaphone Transcription System                           H                H          H
E500 Appliance Virus Detection System                     M                H          H
E800II Blood Gas system and Per se' Billing System        H                H          H
Chart Link System Physician Access thru SSL               H                H          H
Linux System Undecided of use for now, still testing      L                M          M
JJJH2 Used for OWA and new helpdesk                       H                H          H
Panasonic Video Security System                           H                H          H
Rembrandt Sleep Lab System                                H                H          H

National Security Agency – Information Assurance Methodology
OCTAVE (SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation

- Sorts through complex organizational and technological issues
- Defines an approach to information security risk evaluations
    - Comprehensive
    - Systematic
    - Context driven
    - Self-directed
- Self directed
    - Business and IT part of the team
- Three Phases
    - Build asset-based threat profiles
    - Identify infrastructure vulnerabilities
    - Develop security strategy and plans


OCTAVE (SM) – Carnegie Mellon, Software Engineering Institute

Threat Profile: Human Actors Using Network Access
Asset: Patient Records System    Access: Network

Impact ratings are H/M/L as marked on the slide; "-" and blank cells are reproduced as they appear.

Actor    Motive      Outcome            Productivity  Reputation  Financial  Safety  Other  Fines
Inside   Accidental  Disclosure         M             M           L          M       L      -
                     Modification       M             M           M          M       H
                     Loss, Destruction  M             M           L          M       L      -
                     Interruption       M             M           H          M       H
Inside   Deliberate  Disclosure         M             M           L          M       L      -
                     Modification       M             M           M          M       H
                     Loss, Destruction  M             M           H          M       H      -
                     Interruption       M             M           H          M       H
Outside  Accidental  Disclosure         M             M           L          M       L      -
                     Modification       M             M           M          M       H
                     Loss, Destruction  M             M           H          M       H      -
                     Interruption       M             M           H          M       H
Outside  Deliberate  Disclosure         H             H           L          M       L      -
                     Modification       M             M           H          M       H
                     Loss, Destruction  M             M           H          M       H      -
                     Interruption       M             M           H          M       H
Threat Profile: System Problems
Asset: Patient Records System

Impact ratings are H/M/L as marked on the slide; "-" and blank cells are reproduced as they appear.

Threat            Outcome            Productivity  Reputation  Financial  Safety  Other  Fines
Software defects  Disclosure         M             M           L          M       L      -
                  Modification       M             M           M          M       H
                  Loss, Destruction  M             M           L          M       L      -
                  Interruption       M             M           H          M       H
Malicious Code    Disclosure         M             M           L          M       L      -
                  Modification       M             M           M          M       H
                  Loss, Destruction  M             M           H          M       H      -
                  Interruption       M             M           H          M       H
System crashes    Disclosure         M             M           L          M       L      -
                  Modification       M             M           M          M       H
                  Loss, Destruction  M             M           H          M       H      -
                  Interruption       M             M           H          M       H
Hardware defects  Disclosure         H             H           L          M       L      -
                  Modification       M             M           H          M       H
                  Loss, Destruction  M             M           H          M       H      -
                  Interruption       M             M           H          M       H
Basic Risk Profile: Human Actors Using Network Access

Columns (using the slide's own abbreviations):
  Probability: rating (H/L) and the marked confidence in it (Very Much / Somewhat / Not At All)
  Strategic practice areas, in order: Sec Training, Sec Strategy, Sec Mgmt, Sec Policy & Reg, Coll Sec Mgmt, Cont Planning
  Operational practice areas, in order: Phys Acc Cntrl, Monitor Phys Sec, Sys & Net Mgmt, Monitor IT Sec, Authen & Author, Vul Mgmt, Encryption, Sec Arch & Design, Incident Mgmt
  Approach: the marked choice among Mitigate / Accept / Defer
Practice-area entries are R or Y as marked on the slide; "." means the slide has no entry there.
The 16 rows carry no labels on the slide and are kept in slide order, grouped as shown.

Prob  Confidence  Strategic     Operational         Approach
H     Very Much   R R R Y R Y   . . Y Y R R R R Y   Defer
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Defer
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Defer
L     Very Much   R R R Y R Y   . . Y Y R R R R Y   Defer

H     Very Much   R R R Y R Y   . . Y Y R R R R Y   Mitigate
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Mitigate
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Mitigate
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Mitigate

L     Not At All  R R R Y R Y   . . Y Y R R R R Y   Defer
L     Not At All  R R R Y R Y   . . Y Y R R R R Y   Defer
L     Not At All  R R R Y R Y   . . Y Y R R R R Y   Defer
L     Not At All  R R R Y R Y   . . Y Y R R R R Y   Defer

L     Not At All  R R R Y R Y   . . Y Y R R R R Y   Mitigate
L     Not At All  R R R Y R Y   . . Y Y R R R R Y   Mitigate
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Mitigate
L     Somewhat    R R R Y R Y   . . Y Y R R R R Y   Mitigate
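The threat profile and basic risk profile slides above are the inputs and outputs of OCTAVE phases 1 and 3 for one asset. The following is an added example, not code from the slides, from the hospital, or from CERT/SEI: it encodes the threat tree in the slides' shape (asset, access path, actor, motive, outcome, one H/M/L rating per impact area) and ranks the threats so the basis of a Mitigate/Accept/Defer decision is visible. The impact cells are transcribed from the Patient Records System threat profile; the probabilities, the Threat/parse_impact/rank_threats names, and the scoring rule (worst-case impact rating times probability) are assumptions made for illustration.

```python
"""OCTAVE-style threat profile and basic risk ranking.

Added example; not code from the slides, the hospital, or CERT/SEI. It models
the threat-tree shape the slides use (asset, access path, actor, motive,
outcome, one H/M/L rating per impact area) and ranks the threats. Impact
cells are transcribed from the Patient Records System threat profile; the
probabilities and the scoring rule are assumptions.
"""
from dataclasses import dataclass

IMPACT_AREAS = ("Productivity", "Reputation", "Financial", "Safety", "Other", "Fines")
LEVEL_SCORE = {"H": 3, "M": 2, "L": 1, "-": 0}


def parse_impact(cell):
    """Turn a slide cell such as 'M M H M H -' into one rating per impact area.
    Some rows on the slide carry only five ratings; the missing area is kept
    as '-' (not rated) rather than guessed."""
    parts = cell.split()
    if len(parts) > len(IMPACT_AREAS) or any(p not in LEVEL_SCORE for p in parts):
        raise ValueError(f"bad impact cell: {cell!r}")
    return tuple(parts + ["-"] * (len(IMPACT_AREAS) - len(parts)))


@dataclass(frozen=True)
class Threat:
    asset: str
    access: str
    actor: str        # inside / outside
    motive: str       # accidental / deliberate
    outcome: str      # disclosure / modification / loss-destruction / interruption
    impact: tuple     # one rating per IMPACT_AREAS entry
    probability: str  # H / M / L

    def overall_impact(self):
        # Assumed aggregation rule: the worst rating across the six areas.
        return max(self.impact, key=LEVEL_SCORE.__getitem__)

    def risk_score(self):
        # Assumed scoring rule: overall impact multiplied by probability (1..9).
        return LEVEL_SCORE[self.overall_impact()] * LEVEL_SCORE[self.probability]

    def impact_drivers(self):
        """Impact areas rated H: what makes this threat rank where it does."""
        return [area for area, lvl in zip(IMPACT_AREAS, self.impact) if lvl == "H"]


# Constructed probabilities (not on the slides): deliberate outsiders most
# likely, accidental actors least likely.
PROBABILITY = {
    ("inside", "accidental"): "L", ("inside", "deliberate"): "M",
    ("outside", "accidental"): "L", ("outside", "deliberate"): "H",
}

# (actor, motive, outcome, impact cell) transcribed from the threat profile.
PROFILE_ROWS = [
    ("inside", "accidental", "disclosure", "M M L M L -"),
    ("inside", "accidental", "modification", "M M M M H"),
    ("inside", "accidental", "loss-destruction", "M M L M L -"),
    ("inside", "accidental", "interruption", "M M H M H"),
    ("inside", "deliberate", "disclosure", "M M L M L -"),
    ("inside", "deliberate", "modification", "M M M M H"),
    ("inside", "deliberate", "loss-destruction", "M M H M H -"),
    ("inside", "deliberate", "interruption", "M M H M H"),
    ("outside", "accidental", "disclosure", "M M L M L -"),
    ("outside", "accidental", "modification", "M M M M H"),
    ("outside", "accidental", "loss-destruction", "M M H M H -"),
    ("outside", "accidental", "interruption", "M M H M H"),
    ("outside", "deliberate", "disclosure", "H H L M L -"),
    ("outside", "deliberate", "modification", "M M H M H"),
    ("outside", "deliberate", "loss-destruction", "M M H M H -"),
    ("outside", "deliberate", "interruption", "M M H M H"),
]


def build_profile(asset="Patient Records System", access="network"):
    """Build the 16-leaf threat tree for one asset and access path."""
    return [Threat(asset, access, actor, motive, outcome, parse_impact(cell),
                   PROBABILITY[(actor, motive)])
            for actor, motive, outcome, cell in PROFILE_ROWS]


def rank_threats(threats):
    """Highest risk first; ties broken by the number of H-rated areas, then by
    slide order (Python's sort is stable, also with reverse=True)."""
    return sorted(threats, reverse=True,
                  key=lambda t: (t.risk_score(), len(t.impact_drivers())))


if __name__ == "__main__":
    for t in rank_threats(build_profile()):
        print(f"{t.risk_score():>2}  {t.actor:<7} {t.motive:<10} {t.outcome:<16} "
              f"impact={t.overall_impact()} p={t.probability} "
              f"drivers={', '.join(t.impact_drivers()) or 'none'}")
```

Run as a script it prints the 16 threats in rank order; with the constructed probabilities the four deliberate-outsider threats come out on top, each driven by two H-rated areas, while the accidental rows rated "M M L M L -" sit at the bottom. Swapping in the probabilities an actual evaluation team assigns is the only change needed to reuse it for another asset's threat profile.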

				