© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc. 11705 Lightfall Court Columbia, MD 21044 A Blumberg Capital, Valley Ventures and Intel Capital Funded.

Slides:

Advertisements

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Advertisements

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna

Presented by the Office of the General Counsel An Overview of HIPAA.

Westbrook Technologies from Document Management’s Role in HIPAA.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

Information Security Policies and Standards

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

August 22, 2002 THE HIPAA COLLOQUIUM at Harvard University A. John Blair, III, MD Chairman and Chief Executive Officer Taconic IPA, Inc. Fishkill, NY HIPAA.

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

HCCA HIPAA Readiness Survey Results Jody Noon Principal Deloitte & Touche Portland, OR November, 2002 John Steiner Esq. Chief Compliance Officer Cleveland.

HIPAA PRIVACY AND SECURITY AWARENESS.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

HIPAA The Privacy Rule Health Insurance Portability and Accountability Act of 1996 (HIPAA) The 104 th Congress passed the Act, Public Law ,

The Implementation of HIPAA Joan M. Kiel, Ph.D., C.H.P.S. Duquesne University Pittsburgh, Pennsylvania.

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc Lightfall Court Columbia, MD A Blumberg Capital, Valley Ventures and Intel Capital Funded.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Understanding HIPAA (Health Insurandce Portability and Accountability Act)

Eliza de Guzman HTM 520 Health Information Exchange.

MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Working with HIT Systems

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

HIPAA Security Final Rule Overview

HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.

HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.

Junli M. Awit, RN.  Enacted by President Bill Clinton in 1996  Title I of HIPAA protects health insurance coverage for workers and their families when.

The Health Insurance Portability and Accountability Act

HIPAA Administrative Simplification

Paul T. Smith Davis Wright Tremaine LLP

HIPAA Update J. T. Ash University of Hawaii System

HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT

Disability Services Agencies Briefing On HIPAA

Final HIPAA Security Rule

County HIPAA Review All Rights Reserved 2002.

Health Care: Privacy in a Digital Age

HIPAA Security Standards Final Rule

Drew Hunt Network Security Analyst Valley Medical Center

National Congress on Health Care Compliance

HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Privacy and Security Update - 5 Years After Implementation

Strategies to Comply with the HPAA Privacy Rule Before the HIPAA Security and Enforcement Rules are Final Presented by: Steven S. Lazarus, PhD, FHIMSS.

Introduction to the PACS Security

Presentation transcript:

© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc Lightfall Court Columbia, MD A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company Gary Christoph, Ph.D. Sr. VP Government and Healthcare April 8, 2005 HIPAA Strategies

© by Zephra Corporation 2002, Slide: 2 © by Seclarity Inc. 2004, Slide: 2© by Seclarity Inc. 2005, Slide: 2 The Issue Recent Compliance Mandates (HIPAA, GLBA, SarbOx, etc.) are (unfortunately) strong security drivers Network Security is Hard and Expensive Use a “Common Sense” approach

© by Zephra Corporation 2002, Slide: 3 © by Seclarity Inc. 2004, Slide: 3© by Seclarity Inc. 2005, Slide: 3 Administrative Procedures Technical Security Services Not currently required Electronic Signature Physical Safeguards General Rules Limitations Technical Security Mechanisms HIPAA Title II Administrative Simplification Transaction Standards Standard Code Sets Unique Health Identifiers Security Privacy Chain of Trust Agreement Certification, Secure Workstation Physical Access Controls, Media Controls, etc. Security Awareness PHI data elements defined Notice of Privacy Practices mandated Consent required for routine use Authorization required for non-routine use Business associate contracts required Designated Privacy Officer stored, in any medium (electronic, paper, oral) Data Authentication Internal Audit, Training, Written Policies & Procedures, etc. Training Basic Network Safeguards Integrity and Protection Basic Network Safeguards Integrity and Protection Access Controls Authorization Access Controls Authorization Entity Authentication Covers Protected Health Information (PHI) transmitted or Minimum necessary disclosure/use of data

© by Zephra Corporation 2002, Slide: 4 © by Seclarity Inc. 2004, Slide: 4© by Seclarity Inc. 2005, Slide: 4 What Does HIPAA Really Require? YOU MUST: Think about the risks you face Develop coherent, enforceable policy Write it down Implement/operate whatever controls this requires Train/educate staff Periodically test & document

© by Zephra Corporation 2002, Slide: 5 © by Seclarity Inc. 2004, Slide: 5© by Seclarity Inc. 2005, Slide: 5 Policy is not written down Written policy is not followed Implementations are not “fire and forget” Consultants aim to make money, not fix the problem Compliance Issues:

© by Zephra Corporation 2002, Slide: 6 © by Seclarity Inc. 2004, Slide: 6© by Seclarity Inc. 2005, Slide: 6 People are involved  People are neither repeatable nor logical  People on the job make inappropriate assumptions Technical Solutions are too complex  Point products do not tile the floor  Management of many solutions is not easy or cheap  Pace of technological change adds new vulnerabilities (e.g., wireless) Administrative Solutions that are not  Processes get in the way of work  Controls violated without your knowledge or without consequence Hard NW Security/Privacy Issues:

© by Zephra Corporation 2002, Slide: 7 © by Seclarity Inc. 2004, Slide: 7© by Seclarity Inc. 2005, Slide: 7 Decide what is important to protect Find a simple way to protect it Document it A Simple Strategy:

© by Zephra Corporation 2002, Slide: 8 © by Seclarity Inc. 2004, Slide: 8© by Seclarity Inc. 2005, Slide: 8 The Regs were written to be scalable and technology neutral. Why? Rules have to cover everything from a one- person Dentist’s office in Podunk, Missouri, to Johns Hopkins Hospital It economically makes no sense to require everyone to have the same controls Technology evolves Therefore: The solution must fit the need

© by Zephra Corporation 2002, Slide: 9 © by Seclarity Inc. 2004, Slide: 9© by Seclarity Inc. 2005, Slide: 9 Technical Solution Target Want transparency  Easy for users to comply  Easy for admins to enforce Want universality  Everywhere same policy enforced the same  Use technology to reduce administrative controls Want simplicity  Complexity is the enemy  Easy to manage Want verifiability  Documentable Want cheap  Do not want to go out of business

© by Zephra Corporation 2002, Slide: 10 © by Seclarity Inc. 2004, Slide: 10© by Seclarity Inc. 2005, Slide: 10 A Simplified View of a Contemporary “Secured” Network: VPN IDS Proxy Wireless Remote users With Software VPN agents Unencrypted Traffic Encrypted Traffic Internet Firewall Unencrypted Traffic

© by Zephra Corporation 2002, Slide: 11 © by Seclarity Inc. 2004, Slide: 11© by Seclarity Inc. 2005, Slide: 11 A Simple view of an Endpoint-Secured Network: Wireless Remote user Encrypted Traffic Internet Firewall Encrypted Traffic