Welcome back, you cyber captains of controls, containment and compliance. This is Module 2 of Implementing a HIPAA Compliance Program for Leadership. Now that we have a firm foundation in the HIPAA guidelines and patient privacy, in this module we're gonna learn about our HIPAA security program and what we need to have in place to comply with the HIPAA privacy, security, enforcement
and all the other rules and requirements of the Health Insurance Portability and Accountability Act.
In this lesson, we're gonna learn about arguably the most important control we have: controlling access to PHI, the patient information itself, and the safeguards we need to have in place to enforce this thing called access policy. So if you're ready, let's begin.
But I do need to let you know you're gonna be monitored by our surveillance throughout this entire lecture, and we know what you're clicking on. So stop posting to Instagram. We all know you're famous. It's time.
In today's lecture, we're gonna learn about the most important control in the health care organization (well, other than those end users we thought were just clown people): controlling access and privileges to PHI and ePHI, grouped into a category called access controls. We differentiate between the three classes of safeguards: administrative, physical and technical.
And then we're gonna break down each of the three families of controls in detail,
and how a category of controls like access has a place and relationships in all three families of controls. And then for today's homework, we will put our propeller hats on, go to our physics lab and start solving really complicated technical problems, like why do the British call mathematics maths?
There are a bunch of controls that we're gonna review in this lecture. But other than our people, the biggest and most important control, I think, is access: controlling access to our organization's protected health information. It's our responsibility to keep PHI confidential and only share or disclose this information when the appropriate HIPAA guidelines approve its use, or through patient consent.
And a key component of access is making sure you have the right security policies in place,
meaning those administrative controls, and the right physical controls: the physical records are locked in a file room with keycard access, and only those with approved privilege are given key cards. And the necessary technical controls, like accessing the network file share where the electronic patient records are stored,
which requires authentication via group policy showing you're approved by the organization to access PHI records.
You have the necessary password policies in place, and you are accessing the records with devices that are properly hardened and not using vulnerable browsers that are running out-of-date, vulnerable code, etcetera.
So when we talk about HIPAA compliance, we're really talking about the various controls that are in place or, if not in place, the controls that need to be deployed and fully utilized to protect PHI and ePHI. These controls are put into three classes, or three pillars, of every security program. In our case we're a health care organization, and we must be HIPAA compliant.
But if you're a bank, well, you must adhere to the Gramm-Leach-Bliley Act, or GLBA.
Or if you're a company with offices in Europe, well, your data must adhere to the General Data Protection Regulation, or GDPR. And every one of these organizations, regardless of their compliance requirements, is gonna have their own unique security controls. But those controls are put into these three pillars: administrative controls, physical controls
and technical controls. So now we're gonna break those down for you.
According to the U.S. Department of Health and Human Services Office for Civil Rights, the Security Rule defines administrative safeguards as administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct
of the covered entity's workforce in relation to the protection of that information.
So some examples of administrative controls could be things like employee training and security awareness. Maybe you put posters up reminding your employees about PHI confidentiality in the office break rooms and elevators. Your written policies and procedures for adhering to the HIPAA Security and Privacy Rules, your organization's incident response plans and written breach notification plans,
and your written business associate agreements and policies and practices for background checks.
And you need to be aware of HIPAA administrative control requirements, such as: all documentation within the HIPAA Privacy Rule must be maintained for six years past its date of creation or its go-live effective date.
The HIPAA Security Rule describes physical safeguards as the physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Physical controls and safeguards are not as exciting to security professionals as, say, encryption and the technical controls,
so physical controls are easy to disregard or put lower in the organization's priorities.
HIPAA requires the organization to address facility controls for things like disaster recovery and emergency operations, and to have implemented access controls that validate a person's identity at the facility where PHI is used and resides, based on their role and function,
and that you keep records that show you are properly maintaining your physical controls, such as documenting your repairs and modifications of your physical-security-related components: hardware, walls, doors and locks, etcetera.
For your electronics, you have disposal procedures for the final disposition of ePHI and/or the hardware and electronic media on which it is stored, and you maintain records of the movements of hardware and electronic media and the persons responsible for it.
And you have implemented physical safeguards restricting access by unauthorized users
for all workstations that access ePHI. So, as you can start to see, there's a lot to managing a security program that is required to be HIPAA compliant.
The Security Rule defines technical safeguards as the technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it. So, like all rules and standards, the standards committees or the sponsors who manage federal statutes don't dictate to your organization what specific technology solutions you need to deploy and have in place.
You are required, however, to implement the appropriate technical controls and technical solutions
to adhere to the standards and their proper implementation. My rule is simple: if it moves zeros and ones, nail it down. But for flexibility, every organization is different. So the HIPAA Security Rule doesn't care if your organization uses a firewall or a security proxy or a secure Internet gateway,
as long as your organization meets the standards of preventing outside threat agents
from accessing the ePHI inside your network. We need access controls like multi-factor authentication, controlled wired and wireless network access based on your employees' roles and group policy, and controlled physical access. We need to audit both physical and electronic activity surrounding your PHI and ePHI:
who did what, where, why and how. We need to control the integrity of our data and prevent its deletion or alteration in any way.
And we need to guarantee the necessary data is always available to those who require it when they need it. And we need to protect our data regardless of the transmission method: if it's on a wire, encrypted from eavesdroppers, and controlled access to your data closet so criminals can't walk in and tap into a phone line and eavesdrop on your private patient calls.
The appropriate administrative, physical and technical controls for your organization, well, that's the name of the compliance game.
I have a ton of heroes that I look up to for inspiration, for the confidence that I can achieve a goal and that we as a human race can achieve our goals together. And one of these heroes is Dr. Samuel King, Ph.D. Dr. King is a Nobel Prize winner in physics for discovering a new subatomic particle, and the current problem he's trying to solve
is to prove that there's dark matter and dark energy in the universe. Well, we aren't trying to find dark matter in our hospital. Our problems and our challenges aren't near that hard or complex; we're simply trying to use the dark matter between our ears
and build the security program to protect our patients' PHI. But Albert Einstein said everything is relative. Our three families of controls and safeguards in our security program all relate to one another, and our job as security leaders is to manage those relationships. Let me give you an example.
Before we protect our data, we must create an administrative control where our hospital has a data classification policy,
whose role is to differentiate what is a medical record and what is protected health information from standard business-class data. Once we identify what data is to be protected, well, then we must create policies on who has access to that data, how our employees properly handle the data and destroy it when they're done.
Then we must build the physical safeguards for the data, ensuring we're keeping our records locked away so only the authorized personnel have access to them,
and then we need fire suppression and fire alarm systems to protect our data from environmental hazards, and the list goes on. But it's these relationships and these challenges that we must manage if we are to achieve our goal: adhering to the HIPAA Security and Privacy Rules while improving patient care and well-being.
So now that we're all caught up in our mathematics, biology and the unified string theory of particle physics, let's go into our physics lab and blow something up. Well, maybe, just to be safe, let's go through a quick quiz. So safety goggles and Bunsen burners off, especially you in the back of the class. So we've decided that we're required to control access to PHI.
Well, what three safeguards do we need in place?
Well, we need administrative controls like access policy and user training to make sure that we're properly handling PHI. We have to have the proper physical controls, such as a locked data center with keycard access that controls the physical access to the hard drives and storage arrays that house our ePHI,
and we need fire suppression, or gas systems (water and computers don't mix very well),
to protect our data center from environmental hazards like a fire. And we need some technology to authenticate our users and enforce group policy (there are those pesky administrative controls again) and authorize users with the appropriate privileges. So nice job, everybody.
So in today's lecture, we talked about access control and controlling all of the forms of our PHI and ePHI by controlling access to them, and we reviewed the three families of controls: the administrative, physical and technical controls. And we learned about how all our controls are interrelated, and it's our job as security leaders to manage those relationships.
And so in our next lecture, we're gonna be looking at another technical control, everybody's favorite, especially if it's AES-256,
and that is encryption.
So thanks for attending this lesson as part of the Cybrary Implementing a HIPAA Compliance Program for Leadership course. We hope you found learning about the elements of controls useful and fun. On behalf of all of us at Cybrary, thanks for watching, and happy journeys at near the speed of light, but never actually reaching it, because our friend Albert says, well, that's kind of impossible. So until next time,
be safe out there, and have some fun learning.