Information Security Compliance: System Owner Training (Richard Gadsden, Information Security Office, Office of the CIO – Information Services; Sharon Knowles)

Information Security Compliance: System Owner Training
Richard Gadsden, Information Security Office, Office of the CIO – Information Services
Sharon Knowles, Information Assurance Compliance, MUSC Medical Center

Overview
➲ Information Security Fundamentals
➲ HIPAA Security vs. HIPAA Privacy
  ● How the two regulations differ
  ● MUSC's compliance strategy
➲ New Security Responsibilities
  ● Enterprise
  ● Covered Entities
  ● System Owners
  ● Other individuals

Information Security Process
➲ The goal: protection of information assets from threats to their:
  ● availability
  ● integrity
  ● confidentiality
➲ Security is a process...
  ● not a product
  ● not really a state either
  ● not “set it and forget it”

Information Security: A Risk Management Process
➲ Risk management
  ● the process for making security decisions
➲ Steps in the process
  ● identify significant risks
  ● evaluate possible controls
  ● implement the most cost-effective set of controls that will keep risks within acceptable levels
➲ Caveat: zero risk is not attainable

MUSC's Information Security Policy: System Owners Are Responsible For...
➲ Ensuring that accurate and thorough risk assessments are conducted and documented at appropriate points in the lifecycle of the System, beginning prior to the System's implementation, and that the findings are applied to the effective management of risks over the entire life of the System.
➲ Ensuring that appropriate System-specific policies, procedures and safeguards are developed and implemented, to comply with all applicable MUSC policies, any applicable Entity policies, and all applicable laws and regulations.

Information Assurance
➲ Standard of Due Care
  ● duty is to protect against “all reasonably anticipated threats” by implementing “reasonable and appropriate” safeguards
➲ Reasonable and appropriate
  ● ideally, minimum but sufficient controls
  ● must avoid unacceptable risks
  ● must avoid unnecessary expense

Reasonable and Appropriate
➲ How to achieve?
  ● the risk management process
    ● assessment of risk
    ● evaluation and selection of controls
    ● approval, funding, implementation, operation
➲ How to verify?
  ● the compliance process
    ● documentation
    ● audits and other reviews

Information Assurance Compliance Process
➲ Document the level of assurance
  ● Are all security responsibilities clearly defined and understood?
  ● Is a sound (risk-based and cost-conscious) decision-making process being followed?
  ● Are security procedures documented?
  ● Are procedures being followed?
  ● Are controls working as intended?

HIPAA: Security Rule vs. Privacy Rule
➲ Security is more than just privacy
  ● confidentiality, integrity, availability
➲ PHI vs. ePHI
  ● all electronic (“computerized”) PHI is subject to both the Privacy Rule and the Security Rule
  ● telephone and fax communications are subject to the Privacy Rule, but not the Security Rule
➲ Covered Entities (CEs)
  ● responsible for compliance with both regulations

Security vs. Privacy: MUSC
➲ Overall HIPAA compliance strategy
  ● Organizational: MUSC OHCA comprised of 4 CEs
➲ Privacy Rule strategy
  ● policies were set by each MUSC Entity
➲ Security Rule strategy
  ● One set of enterprise-wide security policies
    ● these policies apply to all MUSC Entities
    ● not just for HIPAA/ePHI, but for all types of protected information
  ● 16 new policies and 1 updated policy were issued by the Office of the President in Feb 2005

MUSC's Security Policies
➲ Computer Use Policy (updated)
➲ Information Security Policies (new)
  ● Information Security, Risk Management, Evaluation, Workforce Security, Awareness and Training, Incident Response, Contingency Plan, Workstation Use, Device and Media Controls, Access Control, Network Access, Audit Controls, Person or Entity Authentication, Data Integrity, Encryption, Documentation

New Security Responsibilities
➲ Enterprise (Office of the CIO)
➲ Covered Entities (CEs)
➲ System Owners and System Administrators
➲ Managers and Supervisors
➲ Workforce members

Responsibilities: OCIO
➲ Information Security Office (ISO) will:
  ● Document security architecture and plans
  ● Coordinate development of enterprise policies, standards, guidelines
  ● Manage Enterprise-level safeguards
  ● Develop shared tools and services
  ● Direct MUSC's incident response team
  ● Conduct vulnerability assessments

Covered Entities
➲ Each Entity will designate an Information Assurance Compliance Officer (IACO), who will:
  ● Monitor compliance (system owners, system administrators, managers, supervisors, workforce members)
  ● Report violations of policy to appropriate enforcement authorities
  ● Ensure access to documentation and training

System Owners
➲ Each System must have a designated System Owner, who will:
  ● Assess and manage security risks
    ● Risk assessments and risk management plans must be documented if the system contains protected information (e.g. ePHI)
  ● Ensure that appropriate safeguards are implemented
    ● Some safeguards are required only if the System contains protected information (e.g. ePHI)
  ● Also, designate a System Administrator

MUSC Risk Management Standards
➲ Standards established for managing risk at 4 stages in the System life cycle
  ● Initiation
  ● Development/Procurement
  ● Implementation
  ● Post-Implementation
    ● aka “Existing Systems”

Existing Systems, i.e. “Post-Implementation Stage”
➲ Have you...
  ● Registered your system?
  ● Designated a System Administrator?
  ● Conducted a System risk assessment?
  ● Implemented appropriate safeguards?
    ● administrative measures
    ● physical security measures
    ● technical measures
  ● document, document, document...

Step 1.0: Review MUSC Policies, Standards and Guidelines
➲ URL:

Step 2.0: Document Current System Environment and Personnel
➲ Deliverable: Security Documentation, Section 2 (System Identification)
  ● System Name
  ● Key System Personnel
  ● Functional Description
  ● Key Components
  ● System Boundaries
  ● Relationships with other systems
    ● interfaces, interdependencies

Step 3.0: Document Current System-Specific Security Procedures and Other Controls
➲ Deliverable: Security Documentation, Section 3 (Current System Procedures)
➲ Use the MUSC Information Security Policy Compliance Checklist for System Owners as a guide

Step 4.0: Identify and Analyze Potential Issues
➲ Deliverable: Risk Analysis Worksheet
➲ Priorities
  ● Address policy compliance gaps identified using the Policy Checklist, or any other assessments
  ● Decide how to address other risks identified through the formal risk analysis process

Step 5.0: Develop Security Plan
➲ Deliverable: Security Plan Summary
➲ Document your plan for resolving all known compliance gaps
  ● who
  ● what
  ● when

Step 6.0: Execute Security Plan
➲ Deliverables
  ● Document changes made to system procedures and other controls (Section 3, Current System Procedures)
  ● Progress and status reports as required by your Entity's IACO

Are We There Yet?
➲ Security is never finished
➲ Repeat the risk management cycle as warranted by conditions
  ● respond to environmental, operational, policy, and/or regulatory changes
➲ Evaluate the effectiveness of your System's security measures
  ● until your System is retired
➲ Set it and forget it? Not an option!