The Practical Side of Meaningful Use:

Presentation transcript:

The Practical Side of Meaningful Use: What we learned from a Security Perspective
Presented to: HIPAA Privacy and Security Summit 2018
Raymond Ribble, Founder & President, SPHER Inc.
CONFIDENTIAL: This document may not be reproduced, transmitted, or distributed without the prior permission of SPHER Inc.

SoCal RECs – Certified Service Partner
- 1500 Providers
- 800 Providers
- From Paper to Digital
- 2100+ Attestations
- 91% Success Rate

The Early Stages: How Meaningful was it?
2011-2012: Data Capture & Sharing
STAGE 2, 2014: Adv. Clinical Processes
STAGE 3, 2016: Improved Outcomes
Meaningful Use Security Focused On (one column per stage on the original slide):
- Electronic capture of patient PHI in standard format
- More rigorous Health Information Exchange (HIE)
- Technology solutions tied to improved health outcomes for patients
- Conduct Initial Security Risk Assessment to address ePHI safety
- Regular & Appropriate Updates to SRAs and Review Processes
- TeleHealth solutions start to expand
- Knowing who is logging in and looking at the data. System Audit Controls: Monitoring application audit logs, 164.312(b)
- Electronic transmission of patient ePHI across multiple settings, increased exposure to data breach risk
- More patient access to Self-management tools
- Increased monitoring obligations. Information System Activity Review: Reviewing all records in the application, 164.308(a)(1)(ii)(D)
- Patient-controlled data portals. Access to ePHI through patient-centered HIE. Monitoring access to the HIE
2100 Provider engagements over 5.5 years

Core Security Problems Observed
- Lack of understanding of what PHI Security involved.
- No Encryption, Weak Password Policies, Shared Kiosks
- No System Back-ups in place
- No Phishing or Ransomware monitoring
- No Network Monitoring
- No User Access Monitoring
- Again, No Security Risk Assessment awareness
- Security was NOT a priority

Major Problems & Concerns 2011 - Now
- Enterprise Hospital: Strong network Monitoring 75%; Yes-SRA, User Activity Monitoring Low
- Regional Health Clinic: Some network Monitoring 50%; Some-SRA, User Activity Monitoring None
- Clinic: No network Monitoring 0%; No-SRA, User Activity Monitoring None
- Private Practice: No network Monitoring 0%; No-SRA, User Activity Monitoring None
*ePHI Security was not and continues to be a Low Priority

Security Rule - Risk Assessment
Policies & Procedures, People, Information Assets
Measures, Policies, and Procedures to protect ePHI
Administrative Safeguards (CE & BA):
- Workforce Training & Evaluation
- Security Management Process
- Assigned Security Personnel
- Information Access Management
Physical Safeguards (CE & BA):
- Facility Access and Control
- Workstation Security
- Device and Media control
Technical Safeguards:
- ePHI Transmission Security
- Access Controls
- Audit Controls
- Integrity Controls
*MIPS requirements and heightened awareness are driving adherence

The Cyber-Security Landscape
- Cybersecurity awareness and audit processes are lacking
- Continuing convergence of EMR/EHR solutions
- Unsecured health systems - remain vulnerable
- Influx of personal/device IoT solutions
- Insider threats are increasing
- Phishing attacks increasingly sophisticated
- Healthcare reform impacting change/upgrades
- Breaches are accelerating: 171 million records in ‘17
© Copyright 2018 SPHER Inc.

Find the PHI here
- Desktops
- Laptops
- Tablets
- Paperwork/Files
- Printer
- Copier
- Physician’s BYOD
- Medical Devices

Or here as well…

Layers of Security: Required
- Policies & Procedures
- Physical
- Perimeter
- Hosting
- Application
- ePHI

Artificial Intelligence detectors analyze the behaviors of end-users within information systems to identify unauthorized access. Machine Learning is then applied towards remediation, without human intervention, when activity deviates from the norm.