آگاهی رسانی امنیت اطلاعات 2020-1399

1. 1 EC-Council
Information Security and Legal
Compliance
Module 12
Simplifying Security.

2. WatchdogReports: Security Catalysts?
2 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
May 19,2011
Thetiming of two newwatchdog reports that highlight the needto
protect the security of electronic health records could help build
momentum for action, some observerssay.
This week's reports from the Department of Health and Human
Services' Office of the Inspector General call for a ramping up of
enforcementof the HIPAASecurity Rule and the inclusionof more
security requirements in the HITECHAct electronic health record
incentive program (see:WatchdogHits HHS on RecordsSecurity.)
The HHS Office for Civil Rights, which enforces HIPAA, recently
requesteda 13.5percent increase in its fiscal 2012 budget for,
among other things, enforcement of the HIPAA Security Rule and
compliance reviews of smaller breach incidents (see:More HIPAA
Enforcement Funding Sought). "So it's timely to raise the issue of
HIPAA enforcement in the middle of the budget discussions," says
Dan Rode, vicepresidentof policyand governmentrelations at the
AmericanHealth Information ManagementAssociation.
http://www.govinfosecurity.com

3. Monday, May23, 2011
3 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
Business Workshop: HITECHUshers in Era ofHigher
Penalties UnderHIPAA
Tworecent cases suggest we have entered a new era of more stringent enforcement of HIPAA's privacy
and securitystandards.
Forthe first time, the Office for Civil Rights (OCR) at the Department of Health and Human Services,
which is charged with enforcing HIPAA's privacy and security standards, has imposed a civil money
penalty under HIPAA, or the Health Insurance Portability and AccountabilityAct.
In a pressreleasefrom February,OCR announced that Cignet Health of Maryland was fined a totalof
4.3$millionfor ignoring requests for medicalrecords
from 41individuals and for failing to cooperatewith
OCR's investigation of 27relatedcomplaints.
Twodays later,OCR announced a $1million settlement
with Massachusetts General Hospital after an employee left documents containing patients' health
information on the subway. OCR's investigation indicated that the hospital "failed to implement
reasonable, appropriate safeguards to protect the privacy of protected healthinformation".
http://www.post‐gazette.com

4. Module Objectives
4 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
HIPPA(Health InsurancePortability
and AccountabilityAct)
HIPPAChecklist
FERPA(Family Educational Rightsand
PrivacyAct)
FERPAChecklist
PCI DSS (PaymentCard IndustryData
Security Standard)
PCI DSS Checklist

5. Module
5 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
Flow
Health Insurance
Portability and
AccountabilityAct
(HIPPA)
Family Educational
Rights and Privacy
Act (FERPA)
Payment Card
Industry Data
Security Standard
(PCI DSS)

6. and
6 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
HIPAA(Health Insurance Portability
Accountability Act)
HIPPAis a security standard to provide physical, technical, and administrative safeguards to protect
the integrity, availability, and confidentiality of health information
The purpose of this security standard is to prevent the inappropriate use and disclosure of
individuals’health information
It imposes restrictions on organizations to protect health information and the systems that store,
transmit, and process it
Objectives of HIPPA
It allows for portability and continuity of health
insurance and places limits on pre‐existing
exclusion provisions
Group and Individual InsuranceReform
It reducesthe potential for waste, fraud,and
abuse
New penalties and sanctions will be imposed
It requires the application of uniform standardsto
electronic data transactions in a confidential and
secureenvironment
Its goal is to improve the effectivenessand
efficiency of the health care system

7. HIPAA Checklist
7 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
File cabinets or drawers storing
patient records should be
securely locked, or if possible,
the room itself
Restrict access to computer
terminals to only authorized
personnel and set up passcodes
for electronic files
Be alert to security lapses that
might allow illegitimate usersto
access the records
FileSecurity Education andSanctions
Professional workforce should be
trained with HIPPA requirements,
both on and off the job
Ensure that the employees know
about the endorsements they can
expect for violating HIPAA
restrictions
Violators of HIPPAare punished
to send a message to other
employees that HIPAAis
considered seriously within the
organization
AuthorizationProcedures
Ensure that onlyauthorized
personnel have access to
the HIPAAprotected
information
Review the file logs or
computer records regularly
to know how the
authorization is used to
ensure that itis not abused

8. FERPA (Family Educational Rights
and Privacy Act)
8 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
Therights given to students byFERPA
regarding the educational records include:
Right to access educational recordskept by
the school
Right to demandthateducationalrecords be
disclosed only with studentpermission
Right to amend educationalrecords
Right to file complaints against the school for
disclosing educational records in violation of
FERPA
Right to know about the purpose, content,
and location of informationkeptas a partof
their educationalrecords
Individualstaffor faculty’sprivatenotes, campus
police records, medical records, and statistical
datacompilations thatdo not contain personally
identifiable student information are not
considered as educational records underFERPA
The Family Education Rights and PrivacyAct
(FERPA)of 1974 also known as the Buckley
Amendment, is a federal law that is meant
to protect the accuracy and privacyof
student education records
This law is applicable to all institutions that
are recipients of federal service directed by
the Secretary of Education
FERPAgives certain rights to parents with
respect to their children’s educational
records. Rights transfer to the studentwhen
he/she reaches the age of 18 or a school
beyond the high school level

9. FERPA Checklist
9 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
Do not discuss the progressofany student with
anyone other than the student (including
parents/guardians) without the consent of the
student
Do not provide anyone with lists ofstudents
enrolledin classes forany commercialpurpose
Institutions must have writtenpermissionfromthe
student to release any information from the
student’s educationalrecord
Only student directory information can be disclosed
by the institutions without the student’s permission
but not non‐directoryinformation
Students should be notifiedabouttheirrightsunder
FERPAby institutions through annual publications
Postthe grades using securetechnology
Ensure that the confidential, non‐directory, and
sensitive student personal information is
encryptedwhereeverit is storedsuch as laptops
and thumbdrives
Do not use social security numbers for any
purposeunless necessary.Replace them with UINs
(Universal IdentificationNumber)
Do not leave graded tests or papers in a stack for
students to pickup by sorting through the tests or
papers of allstudents
Do not provide anyone with studentschedulesor
assist anyone other than professional university
employeesin finding a student on campus
Do not link the name of a student with that
student’s social security number or universal
identificationnumber(UIN) in any public manner

10. PCI DSS (Payment Card Industry Data
Security Standard )
10 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines, measures, and controls
that were established to assist merchants implement strong security precautions to ensure safe credit
cardusage and secureinformation storage
Businesses with merchant identification that takes credit card payments—whether online, over the
phone, or using credit card machines or paper forms—need to comply with these standards,even if
they use a payment service provider
Objectivesof PCI DSS include thefollowing:
Maintain an Information SecurityPolicy Build and Maintain a SecureNetwork
Regularly Monitor andTest
Networks
Protect Cardholder Data
Implement StrongAccess Control
Measures
Maintain a Vulnerability Management
Program

11. PCI DSS Checklist
11 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
Install and maintain afirewall
configuration to protect cardholderdata
Protect storedcardholderdata
Do not use vendor‐supplied defaultsfor
system passwords and other security
parameters
Encrypt transmission of cardholderdata
across open, public networks
Use and regularly updateanti‐virus
software
Develop and maintain securesystems
and applications
Restrict access to cardholder databy
business need‐to‐know
Assign a unique ID toeach person with
computeraccess
Restrict physical access tocardholder
data
Trackand monitor all access tonetwork
resources and cardholderdata
Regularly test security systemsand
processes
Maintain a policy thataddresses
information security

12. Module Summary
12 Copyright © by EC-Council
All Rights Reserved. Reproduction is StrictlyProhibited.
HIPPAis a security standard to provide physical, technical, and administrative
safeguards to protect the integrity,availability,and confidentiality of health information
 The purpose of HIPPAis to prevent the inappropriate use and disclosure of individuals’
health information
 FERPAis a federal law that is meant to protect the accuracy and privacy of student
education records
 PCI DSS is a set of guidelines, measures, and controls that were established to assist
merchants implement strong security precautions to ensure safe credit card usageand
secure information storage
Businesses with merchant identification that takes credit card payments—whether
online, over the phone, or using credit cardmachines or paper forms—need to comply
with PCI DSS standards