Information Security Training for Management Complying with the HIPAA Security Law

HIPAA Was a One-Two Punch
- On March 14, 2003, we had to obey the United States’ HIPAA Privacy Rule
- On April 21, 2005, we had to obey the HIPAA Security Rule
- We have no choice – the same severe penalties apply for both Privacy and Security

Complying with HIPAA Security Means:
- Information Security Policies and Procedures
- A Security Awareness Program
- A Risk Management Program
- A Disaster Recovery and Business Continuity Management Team (DRBCMT)
- A Security Incident Response Team (SIRT)
- A Security Compliance Management Program

Information Security Policies and Procedures - Part 1
- Acceptable Use
- Assigned Security Responsibility
- Business Continuity and Disaster Recovery
- Security Compliance Management
- Data Classification, Inventory, and Control
- Data Stewardship
- Incident Management
- Information Security Management
- Information Systems Security Certification

Information Security Policies and Procedures - Part 2
- IS Authorization and Account Management
- Logical Access Control
- Network and Telecommunications Security
- Personnel Security for Information Systems
- Physical and Environmental Security
- Risk Management
- Security Training and Awareness
- User Identification and Authentication

Security Awareness Training – Why?
- Required by HIPAA, our Division, and DHHS
- Management must believe in data security
- Management must understand they will be held liable for not providing security
- We will gain from preventive measures
- Consider the cost to our reputation
- Think of information as our major product

Security Awareness Training – What?
- Upper Management Training
- Security Awareness Day
- Security Awareness Training for all staff
- Computer Users’ Supervisor Training
- Initial General Security Training for all users
- Ongoing General Security Training for all users
- Security “Marketing” Efforts
- Annual System-specific Training
- Professional Education Training

Security Awareness Training – Who?
- The Information Security Official will provide the content of all training, the Upper Management training, the Ongoing General Security Training, the Professional Education Training for Computer Services staff, and the Security Awareness Day training
- The Staff Development Department will provide the Security Awareness Training and Initial General Security Training for all new employees, and the annual system-specific training
- DHHS will provide Professional Education Training to the Information Security Official

Most Important of All!
- Management must believe in data security!

Risk Management Program
- Upper Management must dominate the Risk Management Committee
- The RM Committee reviews threats, Application Risk Analysis results, System Risk Analysis results, DHHS Penetration Testing results, and the IS Policy and Procedure status report
- The RM Committee recommends cost-effective risk mitigation actions
- RM effectiveness will be measured by the QA Director

Why Engage in Risk Management?
- Why do cars have brakes? So they can go fast!
- Having a risk management program allows us to take risks. In a competitive world, the organization that can take risks wins
- After our people, our information is our most valuable asset. It needs to be protected

Disaster Recovery and Business Continuity Management Team
- Primarily Computer Services staff
- Updates the Disaster Recovery and Business Continuity Plan on February 1 each year
- The body of the plan holds relatively static information
- The appendix contains information valuable at disaster recovery time, such as network and hardware inventories, network diagrams, emergency mode operation plans, support agreements, and contact lists

Security Incident Response Team
- Security incidents must be reported
- The SIRT responds when necessary to security violations
- Our Team is made up mostly of local Computer Services staff, plus the QA Director
- Our Division is notified of all Level 2 and Level 3 Security violations

Information Security Compliance Management Program
We must have a Security Compliance Management program with three elements:
1) Compliance Management (we must comply)
2) Compliance Monitoring (we must measure our compliance)
3) Compliance Auditing (our compliance must be measured independently)

Our Information Security Program!
- New Information Security Policies and Procedures
- A Security Awareness Program
- A Risk Management Program
- A Disaster Recovery and Business Continuity Management Team (DRBCMT)
- A Security Incident Response Team (SIRT)
- A Security Compliance Management Program

The HIPAA Security Rule
- Balancing Home Living with Secure Information
- The Work is Worth It!