Thursday, June 5, 10:45 - 11:45 AM, Session 1.01, Tom Walsh, CISSP
Presentation transcript:

HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them?
Thursday, June 5, 10:45 - 11:45 AM, Session 1.01
Tom Walsh, CISSP
Copyright © 2003, Tom Walsh Consulting, LLC

Tom Walsh, CISSP
- Certified Information Systems Security Professional (CISSP)
- Invited speaker at national conferences
- Former information security manager for a large healthcare system in Kansas City, MO
- DOE-certified safeguards and security instructor
- A little nerdy, but overall, a nice guy

HIPAA Security Standards
- Administrative Safeguards (55%): 12 Required, 11 Addressable
- Physical Safeguards (24%): 4 Required, 6 Addressable
- Technical Safeguards (21%): 4 Required, 5 Addressable
- Flexibility, Scalability, and Technology Neutral
- Covered entities must assess if an implementation specification is reasonable and appropriate

Addressable Implementation Specifications
“In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:
- Implement one or more of the addressable implementation specifications;
- Implement one or more alternative security measures;
- Implement a combination of both; or
- Not implement either an addressable implementation specification or an alternative security measure.”

Administrative Safeguards: Security Management Process
- Risk Analysis (R)
- Risk Management (R)
- Sanction Policy (R)
- Information System Activity Review (R)

“Risk Analysis” is listed before “Assigned Security Responsibility”

Risk Assessment / Analysis
Each covered entity:
- Assesses its own security risks
- Determines its risk tolerance or risk aversion
- Devises, implements, and maintains appropriate security to address its business requirements (this does not imply that organizations are given complete discretion to make their own rules)
- Documents its security decisions

Risk Analysis
Two types:
- Qualitative (easiest and most common): rating risks on a scale such as High / Medium / Low
- Quantitative (most difficult to determine): placing a dollar value ($) on the risk based upon formulas or calculations

Risk Calculations

                 Probability of Occurrence
Impact           L    M    H
  H              7    8    9
  M              4    5    6
  L              1    2    3

The higher the number, the greater your risk.
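The two scoring approaches from the preceding slides, worked in code. This is an added example, not material from the presentation: it encodes the 3x3 Impact/Probability matrix above exactly as drawn (rows H/M/L for impact, columns L/M/H for probability, cells 1-9), and for the quantitative variant it uses the standard Annualized Loss Expectancy formula (ALE = SLE x ARO, SLE = asset value x exposure factor), which the slide alludes to as "formulas or calculations" without naming. The risk register entries, asset values and rates are constructed sample data.

```python
"""Risk scoring for a HIPAA risk analysis: qualitative matrix plus quantitative ALE.

Added example (not from the presentation). The matrix is the slide's; the
dollar figures and risk names below are constructed sample data.
"""
from dataclasses import dataclass

# Slide's matrix: outer key is Impact (H, M, L), inner key is Probability (L, M, H).
RISK_MATRIX = {
    "H": {"L": 7, "M": 8, "H": 9},
    "M": {"L": 4, "M": 5, "H": 6},
    "L": {"L": 1, "M": 2, "H": 3},
}


def qualitative_score(impact: str, probability: str) -> int:
    """Return the 1-9 cell value; the higher the number, the greater the risk."""
    try:
        return RISK_MATRIX[impact.upper()][probability.upper()]
    except KeyError:
        raise ValueError("impact and probability must each be H, M or L") from None


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_rate_of_occurrence: float) -> float:
    """Quantitative risk: ALE = SLE x ARO, where SLE = asset value x exposure factor.

    exposure_factor is the fraction of the asset's value lost in one incident (0..1);
    annual_rate_of_occurrence is how many such incidents are expected per year.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be between 0 and 1")
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * annual_rate_of_occurrence


@dataclass
class Risk:
    name: str
    impact: str            # H, M or L
    probability: str       # H, M or L
    asset_value: float = 0.0
    exposure_factor: float = 0.0
    aro: float = 0.0       # annual rate of occurrence

    @property
    def score(self) -> int:
        return qualitative_score(self.impact, self.probability)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.asset_value, self.exposure_factor, self.aro)


def rank_risks(risks):
    """Order a risk register highest-risk first: by matrix score, then by ALE."""
    return sorted(risks, key=lambda r: (r.score, r.ale), reverse=True)


# Constructed sample register for a small covered entity (values are illustrative).
SAMPLE_RISKS = [
    Risk("Lost laptop with unencrypted ePHI", "H", "M", 250_000, 0.8, 0.5),
    Risk("Backup tapes stored on site only", "H", "L", 500_000, 1.0, 0.05),
    Risk("Shared clinical workstation login", "M", "H", 50_000, 0.3, 2.0),
    Risk("Printer left in public hallway", "L", "M", 5_000, 0.5, 1.0),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"score={r.score}  ALE=${r.ale:>10,.0f}  {r.name}")
```

Ranking by the matrix score first and ALE second reflects the slide's point that the qualitative rating is the common starting point; the dollar figure is only used to break ties once an organization is able to estimate it.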

Administrative Safeguards: Assigned Security Responsibility
- Responsibility must rest with one individual to ensure accountability: the Information Security Officer (ISO)
- Large organizations may have site-security coordinators working with the ISO
- Security standards extend to the members of a covered entity’s workforce even if they work at home, such as transcriptionists

Administrative Safeguards: Workforce Security
- Authorization and/or Supervision (A)
- Workforce Clearance Procedure (A)
- Termination Procedures (A)

- Authorization controls to verify the identity of the workforce member
- Types of background checks that will be conducted for workforce members (does not imply background checks on everyone)
- Termination: collecting access control devices or changing door locks, etc.

Administrative Safeguards: Information Access Management
- Isolating Healthcare Clearinghouse Function (R)
- Access Authorization (A)
- Access Establishment and Modification (A)

- Isolating Healthcare Clearinghouse Function is a new requirement
- The requirement for “user-based, role-based, or context-based” access was removed
- However, compliance with the Privacy Rule’s “minimum necessary” standard and JCAHO IM standards may drive role-based access controls

Administrative Safeguards: Security Awareness and Training
- Security Reminders (A)
- Protection from Malicious Software (A)
- Log-in Monitoring (A)
- Password Management (A)

- What is the difference between training, education and awareness?
- What other information security content should be covered in workforce training?
- “Security awareness training is a critical activity, regardless of an organization’s size.”
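The "Log-in Monitoring" specification on this slide is about noticing repeated failed logon attempts and reporting discrepancies. The following is an added example, not part of the presentation: it parses a small constructed authentication log (the line format is an assumption chosen for the example, not any real product's format) and flags any account that accumulates a threshold of failures inside a sliding time window, while a successful logon clears the account's failure history so an ordinary mistyped password is not reported.

```python
"""Log-in monitoring: flag accounts with repeated failed logons.

Added example, not from the presentation. The syslog-like line format and
the sample entries are constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                     # failures that trigger an alert
WINDOW = timedelta(minutes=10)    # sliding window in which they must occur

# Constructed line format: "<ISO timestamp> auth <success|failure> user=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: time_of_first_alert} for users with >= threshold failures in a window.

    A successful logon clears the user's failure history, so a workforce member
    who mistypes a password twice and then logs in is not flagged.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # unparseable lines are skipped, not fatal
        ts, result, user, _src = rec
        if result == "success":
            failures[user].clear()
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


# Constructed sample log: 'jdoe' fails six times in four minutes; 'rnurse'
# mistypes twice and then succeeds; one line is garbage.
SAMPLE_LOG = """\
2003-06-05T10:45:00 auth failure user=jdoe src=10.1.2.3
2003-06-05T10:45:30 auth failure user=jdoe src=10.1.2.3
2003-06-05T10:46:00 auth failure user=rnurse src=10.1.9.9
2003-06-05T10:46:10 auth failure user=rnurse src=10.1.9.9
2003-06-05T10:46:20 auth success user=rnurse src=10.1.9.9
2003-06-05T10:47:00 auth failure user=jdoe src=10.1.2.3
2003-06-05T10:47:30 auth failure user=jdoe src=10.1.2.3
2003-06-05T10:48:00 auth failure user=jdoe src=10.1.2.3
2003-06-05T10:49:00 auth failure user=jdoe src=10.1.2.3
not a log line at all
""".splitlines()

if __name__ == "__main__":
    for user, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} repeated failed logons for user={user}")
```

The threshold and window are the tunable policy knobs; the slide's point that covered entities decide what is reasonable for their size applies here too, and whatever values are chosen belong in the written password-management procedure alongside the lockout behaviour they accompany.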

Administrative Safeguards: Security Incident Procedures
- Response and Reporting (R)

- Provides a way for users to report unusual occurrences in security or breaches of patient confidentiality
- Goals: Identify, Contain, Correct, Prevent

Administrative Safeguards: Contingency Plan
- Data Backup Plan (R)
- Disaster Recovery Plan (R)
- Emergency Mode Operation Plan (R)
- Testing and Revision Procedure (A)
- Applications and Data Criticality Analysis (A)

- Documented procedure for the secure, off-site storage and rotation of backups
- Work in conjunction with Data Owners to determine the organization’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for all other applications as part of a Business Impact Analysis (BIA)

Administrative Safeguards: Evaluation
Periodic technical review of controls and procedural review of the entity’s security program

Non-technical review:
- Self assessment, readiness assessment, or gap analysis
- Certification of systems
- Compliance documentation
- Audit logs and incident reports

Technical review:
- Vulnerability scan
- Testing of security controls

Administrative Safeguards: Business Associate Contracts and Other Arrangements
- Written Contract or Other Arrangement (R)

- Identify all business associates who receive or have access to electronic PHI
- Tie these efforts in with the Privacy initiative
- Leverage the opportunity to establish rules for remote access by vendors to limit downstream liability

Physical Safeguards: Facility Access Controls
- Contingency Operations (A)
- Facility Security Plan (A)
- Access Control and Validation Procedures (A)
- Maintenance Records (A)

- To protect buildings, equipment, and media from natural and environmental hazards and unauthorized intrusions
- Track maintenance records for door lock repairs or changes

Physical Safeguards: Workstation Use and Workstation Security
- Could address both standards in a single policy
- Verify workstations are located to prevent unauthorized, casual viewing by others
- Conduct a random audit of computer workstations to verify they have been updated with the latest version of virus definitions (a separate process is needed for standalone PCs and laptops)

Physical Safeguards: Device and Media Controls
- Disposal (R)
- Media Re-use (R)
- Accountability (A)
- Data Backup and Storage (A)

- “Device” was added to media controls to address other storage devices such as PDAs
- Media Re-use is a new requirement: sanitization of media (overwriting the disk with random patterns of “1s” and “0s”)

Technical Safeguards: Access Control
- Unique User Identification (R)
- Emergency Access Procedure (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)

- Unique user ID for accountability; most important for clinical applications
- Automatic logoff also permits an equivalent measure to restrict access
- Encryption is an acceptable method of access control (data at rest)

Technical Safeguards: Audit Controls
- Use risk assessment and analysis to determine how intensive audit trails need to be
- Events that trigger an audit trail need to be jointly determined by the Data Owners and the Privacy and Security Officers
- Check with vendors on audit capability
- Store audit logs on a separate server
- System administrators should not have access to the audit logs
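The last two bullets (separate server, administrators kept away from the logs) exist so that the people being audited cannot quietly rewrite the record. The following added example, which is not from the presentation, shows one technical complement to that separation: a tamper-evident audit trail in which every record's HMAC covers the previous record's tag, so altering, deleting or inserting an entry after the fact is detectable by anyone holding the verification key. The events, key and format are constructed for the illustration; a real deployment would keep the key on the audit server and generate it from a CSPRNG.

```python
"""Tamper-evident audit trail using an HMAC chain.

Added example, not from the presentation. Each record's tag covers the
record content and the previous tag, so the chain breaks at the first
entry that was altered, removed or inserted. The key is held by the audit
server, not by the administrators of the systems being audited.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # the "previous tag" of the very first record


def _tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    # Canonical JSON so that the same record always produces the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


class AuditLog:
    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self.entries = []    # each entry: {"record": {...}, "tag": hex string}

    def append(self, **record) -> None:
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else GENESIS
        self.entries.append({"record": record, "tag": _tag(self._key, prev, record).hex()})

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = _tag(self._key, prev, entry["record"])
            if not hmac.compare_digest(expected.hex(), entry["tag"]):
                return i
            prev = expected
        return -1


def demo():
    """Build a small constructed log, then show that editing a record is caught."""
    key = b"constructed-example-key-do-not-reuse-32b"   # 40 bytes; real key from a CSPRNG
    log = AuditLog(key)
    log.append(user="jdoe", action="view", patient="MRN-0001", ts="2003-06-05T10:45:00")
    log.append(user="jdoe", action="print", patient="MRN-0001", ts="2003-06-05T10:46:10")
    log.append(user="rnurse", action="view", patient="MRN-0042", ts="2003-06-05T10:47:00")
    intact = log.verify()                          # -1: nothing has been tampered with
    log.entries[1]["record"]["action"] = "view"    # someone "corrects" the print event
    tampered = log.verify()                        # 1: chain breaks at the altered entry
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Because each tag depends on the one before it, an administrator who can edit the log file but does not hold the key cannot make a modified history verify; this is why the key, not just the log, must live on the separate server the slide calls for.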

Technical Safeguards: Integrity
- Mechanism to Authenticate Electronic PHI (A)

- Document any integrity controls that will be employed, especially for transmissions outside of the internal network, to ensure the validity of the data being sent or the sender of the data
- Examples: checksum, encryption, PKI, digital signature, etc.
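The slide lists a checksum and a digital signature side by side, but they answer different questions: a checksum shows the data was not corrupted in transit, while a keyed mechanism (a MAC, or a signature under PKI) also shows who sent it, because a party without the key cannot produce a valid tag. This added example, not from the presentation, makes that distinction concrete with a constructed lab-result record: an unkeyed SHA-256 checksum is recomputed by anyone who alters the record and therefore still verifies, whereas an HMAC-SHA256 over a shared secret does not. The record contents, key and message layout are assumptions for the illustration.

```python
"""Integrity of ePHI in transit: unkeyed checksum vs keyed MAC.

Added example, not from the presentation. The record, key and message
layout are constructed sample data.
"""
import hashlib
import hmac
import json


def checksum(payload: bytes) -> str:
    """Unkeyed SHA-256 over the payload: detects accidental corruption only."""
    return hashlib.sha256(payload).hexdigest()


def mac(key: bytes, payload: bytes) -> str:
    """Keyed HMAC-SHA256: detects corruption and modification by anyone without the key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def send(record: dict, key: bytes) -> dict:
    """Serialize a record canonically and attach both integrity values."""
    payload = json.dumps(record, sort_keys=True).encode()
    return {"payload": payload, "checksum": checksum(payload), "mac": mac(key, payload)}


def verify_checksum(msg: dict) -> bool:
    return hmac.compare_digest(checksum(msg["payload"]), msg["checksum"])


def verify_mac(msg: dict, key: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg["payload"]), msg["mac"])


def corrupt_in_transit(msg: dict) -> dict:
    """A transmission error flips one bit of the payload; nothing is recomputed."""
    p = bytearray(msg["payload"])
    p[0] ^= 0x01
    return {**msg, "payload": bytes(p)}


def modify_in_transit(msg: dict) -> dict:
    """An intermediary changes a value and recomputes the unkeyed checksum.

    Without the shared key it cannot recompute the MAC, so the old MAC is kept.
    """
    record = json.loads(msg["payload"])
    record["result"] = "5.4"
    payload = json.dumps(record, sort_keys=True).encode()
    return {"payload": payload, "checksum": checksum(payload), "mac": msg["mac"]}


def demo() -> dict:
    key = b"constructed-shared-secret-between-sender-and-receiver"
    original = send({"patient": "MRN-0001", "test": "HbA1c", "result": "6.1"}, key)
    corrupted = corrupt_in_transit(original)
    modified = modify_in_transit(original)
    return {
        "original_checksum_ok": verify_checksum(original),    # True
        "original_mac_ok": verify_mac(original, key),         # True
        "corrupted_checksum_ok": verify_checksum(corrupted),  # False: checksum catches noise
        "corrupted_mac_ok": verify_mac(corrupted, key),       # False
        "modified_checksum_ok": verify_checksum(modified),    # True: checksum was recomputed
        "modified_mac_ok": verify_mac(modified, key),         # False: MAC catches the change
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:<24} {ok}")
```

A shared-secret MAC is the simplest keyed control; where the sender must be provable to a third party, the slide's PKI and digital-signature examples are the step up, since only the sender holds the signing key.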

Technical Safeguards: Person or Entity Authentication
- Person or entity authentication is primarily accomplished through user IDs and passwords
- Consider two-factor authentication for remote access to systems

Technical Safeguards: Transmission Security
- Integrity Controls (A)
- Encryption (A)

- “…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.”
- Recognition that there is not a simple and interoperable solution to encrypting e-mail containing PHI

Thanks for Attending!
Tom Walsh, CISSP
twalshconsulting@aol.com
913-696-1573