JEFF HOWELL
This page lists some common laws and regulations, along with their required security controls, that have been enacted in the United States and the State of California.

Health Insurance Portability and Accountability Act (HIPAA) of 1996
HIPAA is a U.S. Federal law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. These standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed (HHS, 2013).
Required Security Controls
  • Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
  • Assign a unique name and/or number for identifying and tracking user identity
  • Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency
  • Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
  • Implement a mechanism to encrypt and decrypt electronic protected health information
  • Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information
  • Implement policies and procedures to protect electronic protected health information from improper alteration or destruction
  • Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  • Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed
  • Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network
  • Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  • Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate
  
Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
Federal law enacted in 2009 to increase the meaningful adoption of Electronic Health Record (EHR) systems. The law is composed of four parts: promotion of health information technology, testing of health information technology, grants and loans funding, and privacy (Morgan, 2012).
Required Security Controls
  • Requires entities covered by HIPAA to report data breaches that affect 500 or more persons to the United States Department of Health and Human Services (U.S. HHS), to the news media, and to the people affected by the data breaches.
  • Covered entities, business associates, vendors of PHI records and related entities must comply with notification requirements in the event that a breach of unsecured PHI data occurs.
  • Provides individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set.
 
Red Flags Rule passed in January 2008
This legislation officially passed in 2008 but was clarified in 2010; it requires businesses and organizations (including insurers) to develop a written program to detect identity theft warning signs in ongoing operations. The law was proposed by the Federal Trade Commission (FTC) to help prevent identity theft.
Required Security Controls
  • Must have the ability to detect and report identity theft.
 
California State rules and statutes for entities providing health insurance
 
California Notice of Security Breach Act 2003
A breach notification law that requires businesses or state agencies that own or maintain personal information on California residents to notify those residents of a breach or suspected breach of their unencrypted data (Becerra, 2017).
Required Security Controls
  • Requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event.
  • Any person or business required to issue a security breach notification to more than 500 California residents must electronically submit a single sample copy of that security breach notification to the Attorney General.
 
California Insurance Code Sections 791 - 791.27, the Insurance Information and Privacy Protection Act (IIPPA) (CDI, n.d.)
Provides protections for an individual's personally identifiable information, which is generally provided to an agent, broker or insurance company in order to apply for insurance or submit a claim.
Required Security Controls
  • Licensees must generally provide consumers with a notice describing the licensee's privacy practices at the time of policy application and annually thereafter.
  • Notices must describe the categories of personal information collected about individuals
  • Licensees must provide a clear and conspicuous opt-out notice and a cost-free method for the consumer to reply if the licensee wishes to disclose financial information to third parties.
  • Nonpublic personal medical record information may not be disclosed without prior written consent.
  • Standards are required for the safeguarding of nonpublic personal information.
References
Becerra, X. (2017, September 14). Data Security Breach Reporting. Retrieved March 27, 2018, from https://www.oag.ca.gov/privacy/databreach/reporting
 
California Department of Insurance (CDI). (n.d.). Laws and Regulations. Retrieved from http://www.insurance.ca.gov/01-consumers/130-laws-regs-hearings/
 
CMS. (2007, March). HIPAA Security Series (United States of America, Dept. of Health and Human Services, Centers for Medicare and Medicaid Services (CMS)). Retrieved March 26, 2018, from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
 
HHS Office of the Secretary, Office for Civil Rights. (2013, July 26). Summary of the HIPAA Privacy Rule. Retrieved March 18, 2018, from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
 
Morgan, Lewis, & Bockius. (2012, March 22). HIPAA/HITECH Enforcement Action Alert. Retrieved March 26, 2018, from https://www.natlawreview.com/article/hipaahitech-enforcement-action-alert
 
United States of America, Dept. of Health and Human Services, Office for Civil Rights. (2003). Summary of the HIPAA privacy rule: HIPAA compliance assistance. Washington, D.C.: U.S. Dept. of Health and Human Services.
Jeff Howell - San Carlos, CA