Risk Assessment, the ISO maze

Extensive promotion has made ISO 27001 the first thing that comes to mind when we think of “Risk Assessment”. ISO 27001 is without doubt the most popular ISMS framework. The fact that it lends itself to certification makes it attractive to organizations which want the certificate to satisfy some compliance requirement.

However, ISO is a maze. Producing numerous documents and specifications sold at fancy prices is an excellent strategy for ISO to make money. But for users, the multiple frameworks with overlapping provisions make it increasingly difficult to cut through this maze and find out what is good for an organization.

While many are still confused about the ISO 9000 series and the 27000 series themselves, more terminology has lately come into the open. What is ISO 31000? What is ISO 20000-1? What is ISO 22301? How are they related to ISO 27001? These are questions that often arise in the minds of corporate executives who have to take decisions about budgeting for ISO audits.

ISO 27001 is an ISMS standard focused on the keyword “information”. An information asset is “anything that has a business value”. In other words, if an organization seeks to protect all forms of information against unauthorized access (confidentiality), unauthorized modification (integrity) and loss or destruction (availability), the standard provides a catalogue of controls from which you pick and choose those that are relevant, based on a formal asset-wise risk assessment. ISO 27001 certification (against the 2005 edition) involves 133 Annex A controls, which together aim at a secure architecture combining preventive and detective controls and encompass procedural, physical, technical and personnel controls.

ISO 31000, on the other hand, aims to cover almost all areas of organizational risk: personnel, operations, information and finance. It is, however, a generic standard and does not cover specifics. It is not a certification standard, and organizations use it to compare themselves against best practices. Unlike other standards, the degree of implementation and its interpretation are left to the users and to the advisers, consultants and internal auditors engaged by the organization. In comparison, ISO 27001 addresses specifics and requires an asset-wise risk valuation that clearly articulates the state of each asset and its control environment.

The latest in the family (in terms of inclusion of the word “risk”) is ITSM, the ISO 20000 certification, which is aimed at freeing a traditional IT organization or department from service risk. It treats IT as a “service” department, and its best practices are aligned with ITIL. You would choose this if you wish to make your IT a “service” organization. A service catalogue is the starting point for this and aligns your IT organization with business objectives.

Further, ISO 22301, the “societal security” business continuity management system standard, is the upgraded version of BS 25999 and gives more meaning to the scope of business continuity. ISO 22301 certification showcases an organization’s ability to keep delivering in case of a disaster.

Within the ISO 27000 family, every standard is designed with a certain focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, ISO 27002; if you want to carry out risk assessment and risk treatment, ISO 27005; and so on. There is a logic to the multiplicity, though it is rather convoluted.

Looking through the above standards, it is clear that ISO is creating more confusion in the information security implementation community and is trying to offset competition from other frameworks such as COSO or COBIT by creating multiple standards within its own fold.

It must be noted that most organizations have used, and continue to use, ISO 27001 to show their continuity maturity. It is not clear whether ISO expects corporates to implement ISO 31000 or ISO 20000-1 for building a security culture and then certify against ISO 27001 and ISO 22301, so that ISO gets multiple revenues. This also results in a multiple cost burden on organizations, which will certainly hurt the ISO brand.

One would not be surprised if this strategy, born of the typical brand marketing exercise used for consumer products such as soaps and shampoos with adjectives such as “New” and “New and Improved”, backfires in the more informed information security market. Companies would soon find it more comfortable to back other frameworks which are sure of what they are doing.

I hope the Government of India (DIT), which has given an unfair, unconstitutional and misleading parliamentary endorsement to ISO 27001 in its “Reasonable Security Practices” notification of April 29, 2011, takes note of this situation and understands that it is backing the wrong horse.

Naavi

Posted in Information Assurance, Uncategorized

HIPAA Final Rule 2013-Data Breach Notification

Data Breach Notification (DBN) has been one of the most contentious issues in HIPAA regulation. Presently, a breach of unsecured protected health information, whether at the Covered Entity or at the Business Associate, has to be reported by the Covered Entity to the affected individuals, to HHS and, for larger breaches, to the media. While the public wants such disclosure, business organizations were wary of it because of the possible loss of reputation and the panic that could be created by innocuous and accidental breaches.

Taking both sides of the argument into consideration, the Final Rule provides as follows:

“Breach notification is not required if the covered entity or business associate can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised.”

The Final Rule also provides guidance for the risk assessment, stating that at least the following factors need to be considered, along with any other relevant matters:

(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the protected health information or to whom the disclosure was made;
(3) whether the protected health information was actually acquired or viewed; and
(4) the extent to which the risk to the protected health information has been mitigated.

As a corollary, covered entities and business associates should examine their policies to ensure that, when evaluating the risk of an impermissible use or disclosure, they consider all of the required factors.

Such a risk assessment must be conducted following any impermissible use or disclosure that does not otherwise fall within the other enumerated exceptions to “breach”.

Covered entities and business associates need to investigate an impermissible use or disclosure to determine whether the protected health information was actually acquired or viewed or, alternatively, whether only the opportunity existed for it to be acquired or viewed.

Further, covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, for example by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.

A documented “post suspected breach audit” is therefore mandatory, since the burden of demonstrating a low probability of compromise lies with the covered entity or business associate.

It is also clarified that, for determining when the notice is to be sent, the period is calculated from the date of discovery and not from the date of occurrence. However, it is reiterated that the 60-day limit is only an outer limit, and the notice has to be provided without unreasonable delay, at the earliest.

Naavi

Posted in HIPAA

HIPAA Final Rule 2013-Definitions

The HIPAA Final Rule 2013, effective from March 26, 2013, makes a few important changes to the definitions.

Firstly, the definition of “Business Associate” has been expanded to include Patient Safety Organizations; Health Information Organizations (HIOs), e-prescribing gateways and other persons that facilitate data transmission and require routine access to PHI; and vendors of personal health records offered on behalf of a covered entity. Such Business Associates are now directly covered by the obligations of the Privacy, Security and Enforcement Rules.

Secondly, any subcontractor of a business associate is also covered by the Privacy, Security and Enforcement provisions of the Final Rule. For this purpose, a subcontractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate”. Hence the requirement to obtain satisfactory assurances of meeting HIPAA obligations extends to subcontractors as much as to the primary business associates.

The third definitional change in the Final Rule is that the term “PHI” extends to the information of a deceased person only up to 50 years after death; beyond that period the information is no longer PHI.

Naavi

Posted in HIPAA

HIPAA Final Rule 2013-Background

The HIPAA Rules referred to in the Final Rule are:

1. The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)

2. The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

3. The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C to E)

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted on February 17, 2009 as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules and also requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security and enforcement.

The HITECH Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates.

In addition, the Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.

Some of the proposed, and now final, changes are necessitated by the statutory changes made by the HITECH Act and GINA, while others are of a technical or conforming nature.

Naavi

Posted in HIPAA, Uncategorized

HIPAA Final Rules 2013- An Omnibus Rule

The HIPAA Final Rule, effective from March 26, 2013, comprises four final rules. Hence it is referred to as the “Omnibus Final Rule”.

They are,

1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules under the HITECH Act, improving upon the proposed rule of July 14, 2010. These:

a) Make Business Associates directly liable for compliance with the relevant parts of the Privacy and Security Rules
b) Strengthen the limitations on the use and disclosure of PHI for marketing
c) Expand individuals’ right to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full
d) Require modifications to, and redistribution of, a covered entity’s notice of privacy practices
e) Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others
f) Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as provisions on non-compliance due to willful neglect

2. A final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
3. A final rule on breach notification for unsecured PHI
4. A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

Naavi

Posted in HIPAA, Uncategorized

Privacy Rule under HIPAA-HITECH Act expanded

HHS, the US Department of Health and Human Services, has revised the Privacy and Security Rules and broadened their reach, particularly for Business Associates.

Since many Indian entities work as Business Associates of HIPAA covered entities, this development is of relevance to their activities. Related report: HHS Press Release.

The rule is effective from March 26, 2013. The compliance deadline is 180 days from that date, which is 23rd September 2013.

The rule:

a) clarifies when breaches of information must be reported to the Office for Civil Rights,

b) sets new rules on the use of patient-identifiable information for marketing and fundraising,

c) expands direct liability under the law to the “business associates” of hospitals, physicians and other “HIPAA-covered entities”; such associates might include a provider’s healthcare data-miners and health information technology service providers, and

d) restores a limited right for patients to restrict the release to their health plan of records about treatment for which they have paid out of pocket in full. It also spells out how the greatly increased penalties for privacy and security violations under the HITECH Act (part of ARRA) are to be applied.

These changes will be incorporated with immediate effect in the HIPAA-HITECH Act audits conducted by Naavi and Ujvala Consultants Private Limited.

Naavi

Posted in HIPAA, Privacy, Uncategorized