
Friday, October 11, 2019

Heart Healthy Information Security Policy Essay

Due to personnel, policy and system changes, and audits, Heart Healthy has voluntarily updated their information security policy to be in line with current information security laws and regulations. Currently Heart-Healthy Insurance, a large insurance company, plans to review and provide recommendations for an updated information security policy in the areas of:

1. Current New Users Policy – The current new user section of the policy states: "New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager's approval is required to grant administrator access." (Heart-Healthy Insurance Information Security Policy)

2. Current Password Requirements – The current password requirements section of the policy states: "Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset." (Heart-Healthy Insurance Information Security Policy)

Heart Healthy Insurance Information Security Policy and Update

Proposed User Access Policy

The purpose of the User Access Policy is to provide access to Heart-Healthy's network infrastructure and to ensure appropriate access to all of Heart-Healthy's information resources. The purpose of Heart-Healthy's "Network Access Policy" is to establish the appropriate level of user access to Heart-Healthy's network infrastructure. Heart-Healthy's network access rules are necessary in order to preserve the confidentiality, integrity and availability of Heart-Healthy's proprietary information.

Heart-Healthy's Information Security Office will be responsible for management and administration of Heart-Healthy's information security function(s). Heart-Healthy's Information Security Office will be the chief point of contact for any and all security-related functions.

User Access Policy

* Heart-Healthy users will be permitted access based on the principle of least privilege.
* Remote access or dial-in services will be requested by manager-level positions and up, and approved by the Information Security Department.
* End users are not allowed to re-transmit or extend any of Heart-Healthy's network services, e.g. users will not attach hubs, switches, firewalls or access points to Heart-Healthy's network without prior written authorization.
* Users are not allowed to install any additional hardware or software without the express written consent of the Heart-Healthy information technology department.
* All Heart-Healthy computer systems will conform to agency standards.
* End users are not allowed to download, install or run any programs that could potentially reveal or undermine Heart-Healthy's in-place security system; e.g. packet sniffers, password crackers or network mapping tools are strictly forbidden.

All Heart-Healthy employees and third-party contractors are responsible for managing their information resources and will be held accountable for any information security violations or infractions.

Current Password Policies and Requirements

"Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset" (Heart-Healthy Insurance Group Information Security Policy).

NIST Special Publication 800-63

The stronger the password, the more likely that password guessing and cracking will be deterred. The length of the password combined with its complexity determines how unpredictable it is. With 8-character complex passwords and current GPU processing power, a password can be broken in less than 26 days by exhausting all possible combinations.

Proposed Password Guidelines

* Passwords should be a minimum of 14 characters.
* Passwords based on dictionary words are prohibited.
* Passwords based on pet names, biographical information, children's names or names of relatives are prohibited.
* Passwords must consist of a mixture of uppercase, lowercase, and a special character.
* The system will remember the last 12 passwords.
* If passwords are written down, they must be kept in a safe place, e.g. a wallet or a safe. Passwords are not to be written down and taped to the bottom of the keyboard, stuck to the computer monitor with a sticky note, or put in an unlocked desk drawer.
* All passwords will be changed every 90 days.

Proposed Password Policy

Heart-Healthy's password policy guideline is a recommendation for creating a new user password. This policy is a guideline to help end users in:

* Choosing and creating a strong password
* Ensuring that passwords are highly resistant to brute force attacks and password guessing
* Recommendations on how users should handle and store their passwords safely
* Recommendations on lost or stolen passwords

Password expiration

Password expiration will serve two specific purposes:

* Password expiration will limit the time crackers have to either guess or brute force a password.
* If a password has been compromised, password expiration will help to limit the time the cracker / hacker has access to Heart-Healthy's internal networking system.

Heart-Healthy has embarked on a path to bring their information security posture regarding "Password Requirements" and "New Users" up to date.
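As an added illustration, not part of the essay or of Heart-Healthy's actual policy, the proposed password guidelines above (14-character minimum, mixed case plus a special character, no dictionary or personal-name words, a 12-password history, 90-day rotation) expressed as a validation routine. The blocklist words and the salted PBKDF2 scheme used to store the history are assumptions made for the example.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 14               # proposed minimum, up from the current 8
HISTORY_DEPTH = 12            # the system remembers the last 12 passwords
MAX_AGE = timedelta(days=90)  # all passwords change every 90 days
# Constructed stand-in for a real dictionary / personal-name blocklist.
BLOCKLIST = {"password", "insurance", "hearthealthy", "fluffy", "summer"}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the stored history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches(password, entry):
    """Re-derive the digest with the stored salt and compare."""
    salt, digest = entry
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000) == digest


def check_new_password(candidate, history):
    """Return the list of policy violations; an empty list means acceptable.
    `history` holds the user's previous (salt, digest) pairs, newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)
            and re.search(r"[^A-Za-z0-9]", candidate)):
        problems.append("needs upper case, lower case and a special character")
    # Strip digits and punctuation so "Fluffy-2019!" still trips the blocklist.
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if any(word in letters_only for word in BLOCKLIST):
        problems.append("based on a dictionary word or personal name")
    if any(matches(candidate, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed, now):
    """True once the 90-day rotation window has elapsed."""
    return now - last_changed >= MAX_AGE
```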
Heart-Healthy has used NIST (National Institute of Standards and Technology) and HIPAA (Health Insurance Portability and Accountability Act) regulations in order to achieve their goal of providing the CIA (Confidentiality, Integrity, Availability) triad for information security. The federal government has implemented a number of laws and regulations that pertain to the handling, reviewing and compliance assurance of private or confidential data. With respect to NIST and HIPAA, although they do not specifically outline the methods in these documents, Heart-Healthy is obligated to make an attempt to implement reasonable standards in order to meet the current legal obligations outlined by these laws and regulations. Heart-Healthy will focus on three main categories for their security posture: physical, technical and administrative.

* Physical Security – Heart-Healthy has designed their physical security around protecting computer systems that store confidential data.
* Technical Security – Heart-Healthy has implemented software and security safeguards designed specifically to ensure that access is controlled and that the integrity and the authentication of the stored data remain intact.
* Administrative Security – Heart-Healthy's administrative security ensures that Heart-Healthy procedures, standards, security measures, and organizational policies are implemented by qualified personnel.

The HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (HHS.gov).

NIST ensures that the CIA (Confidentiality, Integrity, and Availability) of any electronic personal health information (ePHI) that is maintained, received or transmitted is protected from potential threats and hazards that could affect the integrity of the ePHI. NIST also provides protection against the accidental or intentional exposure of private information. Heart-Healthy understands that information security means protecting their information from unauthorized disclosure, access and any disruptions. Heart-Healthy understands that the difference in protecting their sensitive data lies primarily in their approach. Heart-Healthy has taken precautions to prevent accidental or intentional exposure of electronic private health information. Heart-Healthy feels confident that the policies put forth here will help eliminate unauthorized access to Heart-Healthy's information systems. Heart-Healthy's technical security policies will help ensure that end users are responsible for their information. Technical policies will also serve to protect end users from accidental exposure by providing adequate protection for end users' passwords and confidential data. Heart-Healthy will provide annual training on their new policies, in order to ensure end users are aware of security risks and that end users will ultimately be accountable for their personal security awareness. Heart-Healthy personnel will ultimately be responsible for the management of their information resources and will be held accountable for their actions in relation to their information security. All access to Heart-Healthy information resources is for authorized business purposes only. Heart-Healthy does not guarantee access to email or web browsing. Heart-Healthy will monitor all electronic communications that might be needed in order to respond to a complaint or any investigatory requirements.

Heart-Healthy understands that if any confidential information is breached or falls into the hands of a competitor or a hacker, the consequences could be devastating.

References

mailchimp.com. (2012). 3 Billion Passwords Per Second. Are Complex Passwords Enough Anymore? Retrieved from http://blog.mailchimp.com/3-billion-passwords-per-second-are-complex-passwords-enough-anymore/

nist.gov. (2011). NIST Policy on Information Technology Resources Access and Use. Retrieved from http://www.nist.gov/director/oism/itsd/policy_accnuse.cfm

hhs.gov. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/index.html

hhs.gov. (n.d.). Health Information Privacy: The Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

nist.gov. (n.d.). Guide to Enterprise Password Management (Draft SP 800-118). Retrieved from http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
