11.3 STANDARD: SECURITY MANAGEMENT PROCESS


The Security Management Process Standard has 4 separate Implementation Specifications, all of which are required:

  • Risk analysis

  • Risk management

  • Sanction policy

  • Information system activity review

Quoting from the Federal Register comments section, 'This standard and its component implementation specifications form the foundation upon which an entity's necessary security activities are built.'

Explicit throughout the HIPAA Security regulations is the emphasis on maintaining the 'confidentiality', 'integrity', and 'availability' of EPHI, which is the core of any information system security process.

This Standard is to involve the 'creation, administration, and oversight of policies' as well as procedures to address the 'full range of security issues' and to prevent, detect, contain, and correct security violations.

In order to 'prevent' security violations from the world outside a private network, a covered entity will probably need to install and maintain a Router and a Firewall on its Internet connection to allow or deny certain types of traffic.

The Router should be placed on the outside perimeter of the network and properly configured to route packets through the network and to drop traffic meant for unknown destinations. The Router should be specifically configured for each individual network and not used out of the box with factory defaults.

Security filtering can be accomplished with the Router by using an Access Control List (ACL), which tells the Router which traffic to allow or deny based upon specific IP addresses. Security filtering with an ACL can also deny or permit packets based upon packet header information, protocol, or port number.
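As an added example (not from the book), a small first-match ACL evaluator that models how a perimeter Router applies the permit/deny rules described above; the rules, addresses and packets are constructed from the RFC 5737 documentation ranges.

```python
# Added example (not from the book): a first-match ACL evaluator modelling how a
# perimeter router decides whether to permit or deny a packet.
import ipaddress

# Rule fields: action, protocol, source network, destination network, destination port.
# "any" is a wildcard. Rules are checked top to bottom and the first match wins; a
# packet matching no rule is dropped (the implicit "deny all" at the end of an ACL).
# Addresses are constructed from the RFC 5737 documentation ranges.
ACL = [
    ("deny",   "any", "10.0.0.0/8",      "any",             "any"),  # private source arriving from outside
    ("permit", "tcp", "any",             "203.0.113.10/32", 443),    # HTTPS to the public web server
    ("permit", "tcp", "198.51.100.0/24", "203.0.113.20/32", 22),     # SSH only from the partner network
]

def _net_matches(rule_net, addr):
    return rule_net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net)

def evaluate(acl, proto, src, dst, dport):
    """Return (action, rule_index) of the first matching rule, or ("deny", None)."""
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto not in ("any", proto):
            continue
        if not (_net_matches(r_src, src) and _net_matches(r_dst, dst)):
            continue
        if r_port not in ("any", dport):
            continue
        return action, i
    return "deny", None  # implicit deny: nothing matched

if __name__ == "__main__":
    packets = [
        ("tcp", "192.0.2.7",    "203.0.113.10", 443),  # permitted: HTTPS to the web server
        ("tcp", "192.0.2.7",    "203.0.113.20", 22),   # dropped: SSH from a non-partner address
        ("tcp", "10.1.2.3",     "203.0.113.10", 443),  # dropped: spoofed private source
        ("udp", "198.51.100.9", "203.0.113.20", 22),   # dropped: wrong protocol
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(ACL, *pkt))
```

An empty ACL permits nothing, which is the behaviour a "factory default" configuration should be replaced with, not relied upon.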

A Router will not 'tear down' a packet and inspect its payload for dangerous content. That is the job of a Firewall. The Firewall is the second layer of a multiple-layer defense system. It provides 'packet-level' security and inspection of data traffic flowing into a private network. Like a Router, the Firewall can allow or deny traffic through ports and provide ingress or egress filtering. The Firewall should be placed where the various types of network traffic intersect, usually just on the inside of the Router.

While Routers can look at fields in data packets, Firewalls perform this function much faster. Using 'Network Address Translation' (NAT), a Firewall can also shield internal network addresses from the outside world. With NAT, an internal network using any number of Servers with private IP addresses connects to the Internet with only one external IP (gateway) address. NAT modifies each outbound packet, changing the internal private address to the public (translated) address.
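As an added example (not from the book), a toy NAT gateway showing the translation just described: outbound packets leave with the single public address, replies are mapped back to the internal host, and inbound traffic that no internal host initiated is dropped. The addresses and packet dictionaries are constructed for the example.

```python
# Added example (not from the book): a toy NAT gateway that rewrites outbound packets
# to a single public address and only lets back in replies to connections it has seen.
import itertools

PUBLIC_IP = "203.0.113.1"  # constructed gateway address (RFC 5737 documentation range)

class NatGateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}    # (internal_ip, internal_port) -> public_port
        self.reverse = {}  # public_port -> (internal_ip, internal_port)

    def outbound(self, pkt):
        """Translate an outbound packet: the private source becomes the public gateway address."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:            # first packet of this flow: allocate a public port
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return dict(pkt, src=self.public_ip, sport=self.table[key])

    def inbound(self, pkt):
        """Reverse-translate a reply; return None (drop) if no internal host initiated the flow."""
        key = self.reverse.get(pkt["dport"])
        if key is None or pkt["dst"] != self.public_ip:
            return None
        internal_ip, internal_port = key
        return dict(pkt, dst=internal_ip, dport=internal_port)

if __name__ == "__main__":
    gw = NatGateway(PUBLIC_IP)
    out = gw.outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.5", "dport": 443})
    print("as seen on the Internet:", out)
    reply = {"src": "198.51.100.5", "sport": 443, "dst": PUBLIC_IP, "dport": out["sport"]}
    print("reply delivered to:", gw.inbound(reply))
    unsolicited = {"src": "198.51.100.5", "sport": 443, "dst": PUBLIC_IP, "dport": 22}
    print("unsolicited inbound:", gw.inbound(unsolicited))
```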

In order to 'detect' security violations from the world outside a private network, a covered entity will probably need to install and maintain an intrusion detection system (IDS) on the Internet connection, as well as setting up audit logging on all Servers. The IDS should alert the appropriate staff to intrusion attempts so they can be monitored and, if possible, stopped. To detect security violations from inside a network, Servers and other data storage devices should have their built-in logging systems turned on and monitored. While this will realistically only allow for after-the-fact detection, it can still be a source of information on how attackers are attempting to access EPHI or how users are inappropriately using or sharing this data.

Whether security violations are prevented or detected, the covered entity's security staff must 'contain' the intrusion, and this means catching attackers in the act and suppressing their activities. Again, an intrusion detection system is needed for this.

However, not all threats come from outside a private network. Threats can be internal as well as external. The biggest attacks, as far as scope, will probably come from outside, but statistically the biggest revenue and time losses come from inside. This underscores the need for a 'Defense in Depth' approach to information security.

11.3.1 Risk Analysis

The first of the four separate Implementation Specifications in the Security Management Process Standard is Risk Analysis, which is required by the HIPAA Security regulations.

This subject was covered in great detail in Chapter 10 of this guide and will not be repeated here.

11.3.2 Risk Management

Risk Management is also a required Implementation Specification of the Security Management Process; it was previously covered in Chapter 10.

11.3.3 Sanction Policy

The third of the four Implementation Specifications in the Security Management Process, also required, is the Sanction Policy.

'Some form of sanction or punishment activity must be instituted for noncompliance', the regulations read. This may be no different than the regular sanction policy used by a Human Resources department as part of a covered entity's employee policy, such as a verbal warning for a first offense, a written warning for a second offense, and then suspension or discharge. It would be advisable to extend the list of what defines 'improper conduct' with wording that incorporates the HIPAA security regulations. There is no way 'to ensure compliance' with a sanction policy alone. Apply appropriate measures to those who fail to comply with security policies and procedures, as you would with any other employee behavior policy.

11.3.4 Information System Activity Review

The last required Implementation Specification in the Security Management Process is the Information System Activity Review.

This was originally called the 'Internal Audit', but any such review needs to cover both the inside and the outside of a covered entity's network. The review should include regular audit logs, incident reports, and security controls. Studies have shown that while the biggest attacks come from outside a covered entity's network, the biggest losses, both monetary and data loss, come from inside the network, from staff and others with access to the network.
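As an added example (not from the book), a small activity-review pass over Server audit logs of the kind the 'detect' discussion and this section both call for: it flags repeated failed logins from one outside address (an attacker attempting access) and record views outside working hours by one user (possible inappropriate insider use). The log format, user names, addresses and record numbers are constructed for the example.

```python
# Added example (not from the book): a small activity-review pass over constructed
# server audit-log lines, flagging the two patterns the text describes.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Fields: timestamp user source action record
SAMPLE_LOG = """\
2003-06-02T03:00:01 admin 198.51.100.77 LOGIN_FAIL -
2003-06-02T03:00:04 admin 198.51.100.77 LOGIN_FAIL -
2003-06-02T03:00:07 root 198.51.100.77 LOGIN_FAIL -
2003-06-02T03:00:11 admin 198.51.100.77 LOGIN_FAIL -
2003-06-02T03:00:15 admin 198.51.100.77 LOGIN_FAIL -
2003-06-02T09:12:05 jsmith 192.168.5.21 LOGIN_OK -
2003-06-02T09:13:40 jsmith 192.168.5.21 VIEW_RECORD MRN-1001
2003-06-02T22:41:02 jsmith 192.168.5.21 VIEW_RECORD MRN-2002
2003-06-02T22:41:09 jsmith 192.168.5.21 VIEW_RECORD MRN-2003
2003-06-02T22:41:15 jsmith 192.168.5.21 VIEW_RECORD MRN-2004
2003-06-02T10:02:30 rlee 192.168.5.40 VIEW_RECORD MRN-1001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(text):
    """Yield (timestamp, user, source, action, record); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, action, rec = m.groups()
            yield datetime.fromisoformat(ts), user, src, action, rec

def review(text, fail_threshold=5, work_hours=(7, 19), after_hours_threshold=3):
    """Return findings as sorted (pattern, subject, count) tuples."""
    fails = defaultdict(int)        # failed logins per source address (outside attempts)
    after_hours = defaultdict(int)  # record views per user outside working hours (insider misuse)
    for ts, user, src, action, _rec in parse(text):
        if action == "LOGIN_FAIL":
            fails[src] += 1
        elif action == "VIEW_RECORD" and not work_hours[0] <= ts.hour < work_hours[1]:
            after_hours[user] += 1
    findings = [("repeated_login_failures", s, n) for s, n in fails.items() if n >= fail_threshold]
    findings += [("after_hours_record_access", u, n) for u, n in after_hours.items()
                 if n >= after_hours_threshold]
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The thresholds and working hours are assumptions for the example; a real review would tune them per role and per system, and would treat the findings as items to investigate rather than as proof of misuse.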

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181