HCISPP

Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription

00:00
Hello again and welcome to the HCISPP certification course with Cybrary: controls to remediate risk.
00:08
My name is Schlaine Hutchins.
00:12
Today we're gonna talk about types of controls and controls related to time.
00:20
We talked about controls earlier in the course
00:23
and we're going to review them again in the context of risk management.
00:27
These three categories of controls, administrative,
00:32
operational, physical
00:34
and technical, are expanded upon in NIST SP 800-66 and specifically map to the requirements defined in the HIPAA Security Rule.
00:45
They can also serve as recommended practices for health care organizations, business associates and other organizations not covered by HIPAA laws.
00:59
NIST defines administrative controls as actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI, and to manage the conduct of the covered entity's workforce
01:18
in relation to the protection of that information.
01:21
The specific administrative control areas are
01:23
security management process,
01:26
meaning all controls related to conducting a thorough risk assessment and implementing a risk management program,
01:36
assigned security responsibility,
01:38
who is assigned and responsible for risk
01:42
senior management
01:45
who may rely on business units or data owners to assist in the identification of risks.
01:51
In some organizations there may be a security officer assigned, and in smaller organizations the security person may wear multiple hats.
02:01
Workforce security.
02:04
These are job controls, such as segregation of duties,
02:07
job description, documentation, mandatory vacations and least privileged access.
02:15
Additionally, clear termination procedures should be in place to ensure credentials and access to sensitive data are removed upon departure.
02:29
Information access management:
02:31
comprehensive access control policies and management to ensure that personnel have access to only the information that is needed to perform their jobs.
02:43
Security awareness training.
02:45
Security awareness training is a method to inform employees about their roles, the expectations surrounding their roles and the information security requirements.
02:55
security incident procedures.
02:59
Security incidents need to be investigated and followed up on promptly, as this is a key mechanism in minimizing losses from an incident and reducing the chance of recurrence.
03:10
A contingency plan.
03:12
A contingency plan or business continuity plan is designed to prepare for any occurrence that could have the ability to impact the company's objectives negatively.
03:23
And third party.
03:24
Controls related to third parties are largely administrative, as they're managed on a contractual rather than operational or technical basis.
03:38
NIST defines physical controls as physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
03:54
Facility access controls
03:57
should manage the installation, maintenance and ongoing operation of the CCTV surveillance systems, the alarm systems and the card reader access control systems.
04:10
A workstation inventory should be well documented, including policies and procedures for effectively deploying servers, laptops and network devices to reduce downtime.
04:23
Device and media controls should be documented and enforced to include policies and procedures for adding to inventory and tracking throughout the lifecycle, including backup and ultimately disposal to ensure that sensitive health records are not lost or leaked.
04:43
NIST defines technical controls as the technology, and the policy and procedures for its use, that protect electronic PHI and control access to it.
04:55
Specific technical control areas are access controls.
04:59
Technical access controls need to be well managed to ensure that sensitive health information is only accessible to those that need it to perform their work.
05:10
This includes the need to develop policies and procedures that allocate unique user names to all staff,
05:15
track and regularly review all access to sensitive data,
05:19
and update permissions accordingly.
05:25
Audit controls.
05:27
Information systems that contain sensitive health information should be monitored and audited on a regular basis. Depending upon the nature of a given system, there are system attributes and status information that are written into logs.
05:44
These logs should be reviewed for anomalous activities,
05:47
and procedures should dictate when certain activity should be reported for further investigation.
05:56
Integrity is the principle that information should be protected from intentional, unauthorized or accidental changes.
06:04
Sensitive health information stored in files, databases,
06:09
systems and networks must be relied upon to make accurate diagnosis and recommendations.
06:15
Controls are in place to ensure that information is modified only through accepted practices. Sample controls include error-correcting memory,
06:28
magnetic disk storage, digital signatures and checksum technology.
06:34
The core of transmission security is to establish policies and implement procedures for using encryption technology to ensure the confidentiality of sensitive health information while in transit.
06:49
Healthcare organizations should review their networks, as well as the interconnections with third parties, to ensure that all egress points and weak spots in the network are covered by these procedures.
07:08
Controls related to time refer to a subset of security controls that are of importance during various stages of an information system's lifecycle as it relates to an incident.
07:19
Preventive controls are defined by NIST as those that deter, detect and/or reduce impacts to the system.
07:29
Preventive measures are preferable in that the cost is less than the majority of recovery activities.
07:36
Studies show that the relative cost of fixing defects in production is 30 to 100 times more expensive.
07:48
Detective controls reduce the risk of exposing sensitive personal and health information. Detective controls include firewalls, intrusion detection and prevention systems,
08:01
data loss prevention or DLP,
08:05
network access control or NAC,
08:07
and other mechanisms to deter malicious actors from accessing this highly sensitive information.
08:15
The key is developing layered defenses and strong detective controls to identify when a breach has occurred and, to the extent possible, reduce the effectiveness of the breach.
08:28
Corrective controls relate to those activities required when addressing a security incident.
08:35
For example,
08:35
if malware is discovered on a system, the incident response team may disconnect the machine from the network in order to ensure that it doesn't spread to other systems in the organization.
08:50
and recovery.
08:52
Recovery controls relate to those activities that provide for the timely restoration of a system, service or operation to a protected state after a security incident.
09:03
This is the time when recovery plans are executed, lessons are learned, lessons learned are incorporated back into the recovery planning process, and the activities and outcomes are communicated to the stakeholders.
09:20
So in summary, what we talked about today were different types of controls and controls related to time.
09:26
Next up is risk response.


Instructed By

Schlaine Hutchins, Director, Information Security / Security Officer (Instructor)