
6 May 2011

Heart-Health Insurance Information Security Policy Proposal
By Thomas Groshong

A review of the current New Users and Password Requirements policies and the proposed changes to these policies, with justifications, is given below.

Current Policies: New Users

New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager's approval is required to grant administrator-level access.

Current Policies: Password Requirements

Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.

A: Revised Policies: New Users

New users are assigned appropriate access based on their role within the organization and their need to access specific data and/or data stores. The user and supervisor must submit a signed request indicating which systems (roles) the new user will need access to and what level of access will be required. To grant administrator-level access, an additional signature from a manager is required. New users are required to complete training on workforce awareness, password management procedures, remote device protection, transmission of EPHI (Electronic Protected Health Information) over open networks (email), and downloading files to public or remote computers. The awareness training must be completed and its documentation submitted as part of the access approval process (HIPAA Security Guidance, 2006).

Revised Policies: Password Requirements

Passwords must be at least eight characters long and contain a combination of uppercase letters, lowercase letters, numbers and special characters. Passwords cannot contain standard names, dictionary words or common keystroke combinations. Shared passwords are not permitted on any system at any time; every password is specific to an authenticated user. When resetting a password, users cannot reuse any of the six passwords previously used. Users entering an incorrect password more than three times will be locked out and must request a password reset through their supervisor. Supervisors requesting user password resets must submit the request in written form (email) for documentation purposes. Passwords expire 90 days from the date of reset; the system will notify users 10 days before expiration with a password-change-required notice and the date of expiration.

B: Justification

Changes in the New Users and Password Requirements policies can be justified by reviewing SANS standard practices, NIST (National Institute of Standards and Technology) standards and HIPAA (Health Insurance Portability and Accountability Act) regulations. Information security is achieved by ensuring the confidentiality, integrity, and availability of information. To follow the mandates of laws and regulations concerning the handling of data, it is important to review these documents and assure compliance. Although specific methods are not spelled out in these documents, a reasonable attempt to follow existing norms and standards is needed to meet these legal obligations (Smedinghoff, T.J. (2008)).
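The revised Password Requirements policy above states its controls as rules. The following is an added Python example, not part of Groshong's proposal, showing how a system would enforce those rules: the composition checks, the six-password history, lockout after more than three failed attempts that only a supervisor-documented reset clears, and the 90-day expiry with a 10-day warning. The denylists, the PBKDF2 hashing and iteration count, the Account structure and all function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters taken from the revised Password Requirements policy.
MIN_LENGTH = 8
HISTORY_DEPTH = 6          # cannot reuse any of the six passwords previously used
MAX_FAILED_ATTEMPTS = 3    # more than three wrong entries locks the account
EXPIRY_DAYS = 90
WARN_DAYS = 10

# Constructed, deliberately tiny denylists standing in for the name list,
# dictionary and keystroke-pattern list a real deployment would load.
DENYLIST_WORDS = {"password", "welcome", "summer", "thomas", "heart", "health"}
KEYSTROKE_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "1qaz", "abcd")


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes = b""
    history: list = field(default_factory=list)  # digests of the last six passwords, oldest first
    last_reset: datetime = datetime.min
    failed_attempts: int = 0
    locked: bool = False


def composition_errors(candidate: str) -> list:
    """Return every way the candidate violates the composition rules (empty list = acceptable)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        errors.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        errors.append("no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        errors.append("no special character")
    lowered = candidate.lower()
    for word in DENYLIST_WORDS:
        if word in lowered:
            errors.append(f"contains dictionary word or name: {word}")
    for pattern in KEYSTROKE_PATTERNS:
        if pattern in lowered:
            errors.append(f"contains common keystroke combination: {pattern}")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def set_password(account: Account, new_password: str, now: datetime) -> None:
    """Apply the composition and history rules, then install the password and clear any lockout."""
    errors = composition_errors(new_password)
    if errors:
        raise ValueError("; ".join(errors))
    digest = _digest(new_password, account.salt)
    if any(hmac.compare_digest(digest, old) for old in account.history):
        raise ValueError(f"password matches one of the previous {HISTORY_DEPTH} passwords")
    account.digest = digest
    account.history = (account.history + [digest])[-HISTORY_DEPTH:]
    account.last_reset = now
    account.failed_attempts = 0
    account.locked = False


def create_account(username: str, password: str, now: datetime) -> Account:
    account = Account(username=username, salt=os.urandom(16))
    set_password(account, password, now)
    return account


def verify_login(account: Account, password: str, now: datetime) -> str:
    """Return "locked", "bad_password", "expired", "ok_expiring" or "ok"."""
    if account.locked:
        return "locked"
    if not hmac.compare_digest(_digest(password, account.salt), account.digest):
        account.failed_attempts += 1
        if account.failed_attempts > MAX_FAILED_ATTEMPTS:
            account.locked = True          # stays locked until a supervisor-requested reset
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    expires = account.last_reset + timedelta(days=EXPIRY_DAYS)
    if now >= expires:
        return "expired"                   # password change required before access continues
    if now >= expires - timedelta(days=WARN_DAYS):
        return "ok_expiring"               # user is told the change-required date in advance
    return "ok"


def supervisor_reset(account: Account, temporary_password: str, now: datetime, written_request: str) -> None:
    """Unlock and reset only when the supervisor's request is documented in writing (email)."""
    if not written_request.strip():
        raise ValueError("a written (email) reset request from the supervisor is required")
    set_password(account, temporary_password, now)
```

Two design points follow directly from the policy text: the history check compares against stored digests rather than plaintext, so old passwords never need to be kept in a recoverable form, and the lockout has no timed release, since the revised policy replaces the 15-minute wait with a supervisor-documented reset.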

File:RLHT_Task1 By Thomas Groshong

There are three categories of security: physical, technical and administrative. Physical security is designed to protect the computers and networks that store data. Technical security is the use of software and data safeguards designed to ensure availability, access control, authentication and integrity of stored data. Administrative security consists of organizational security measures, procedures, standards, and guidelines to ensure that only honest and qualified people are granted access (Smedinghoff, T.J. (2008)). These new security policies and measures are intended to prevent unauthorized access, disclosure, modification, disruption, or destruction of data by unauthorized entities. HIPAA security guidelines discuss risk analysis and risk management of EPHI (Electronic Protected Health Information) data. Data access policies and procedures focus on ensuring that users only access data for which they are appropriately authorized (U.S. Department of Health and Human Services, 2006). NIST sums up these requirements this way: ensure the confidentiality, integrity, and availability of EPHI that the organization creates, receives, maintains, or transmits; protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI; and protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule (Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C.D., Steinberg, D.I. (2008)). The SANS Institute provides guidance on password strength, password protection, and frequency of password change, which has been used to create the new Password Requirements policy (SANS Institute (n.d.)). The password lockout policy is intended to prevent guessing and possible password-cracking abuse. This policy tries to provide a reasonable amount of technical security without causing too much administrative overhead for management.

Changing the New User and Password Requirements policies improves the security posture against unauthorized access. Adding authorization signatures and documentation to the process provides proof of authorization and authentication for user accounts. Training new users on their responsibility to protect their passwords and on the handling of data adds confidentiality and integrity to the data. The technical security policies ensure that users are held accountable for their handling of information and their access to that data. Administrative security in the form of supervisor and manager signatures places corporate responsibility on the process and the authentication of new user access.

C: References

SANS Institute. (n.d.). Password Policy. Retrieved May 6, 2011, from http://www.sans.org/security-resources/policies/Password_Policy.pdf

Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C.D., & Steinberg, D.I., U.S. Department of Commerce, NIST (National Institute of Standards and Technology). (2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: Information Security (NIST Special Publication 800-66 Revision 1). Gaithersburg, MD: Government Printing Office. http://csrc.nist.gov/publications/nistpubs/800-66Rev1/SP-800-66-Revision1.pdf

U.S. Department of Health and Human Services. (2006). HIPAA Security Guidance. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

Smedinghoff, T. (2008). Information Security Law: The Emerging Standard for Corporate Compliance. Ely: IT Governance Pub.
