Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 7, 2015 DRAFT1.

Chapter 13: Healthcare Information Technology Security

HIPAA
- Health Insurance Portability and Accountability Act (HIPAA) is part of the American Recovery and Reinvestment Act (ARRA), a US Federal law
- HIPAA defines Protected Health Information (PHI)
  – Including: name, locations, dates, phone/fax numbers, addresses, Social Security numbers, medical record numbers, insurance plan numbers, accounts, licenses, vehicle numbers, URLs, IP addresses, biometrics, portraits, and other identifying information
- HIPAA establishes penalties and notification requirements in case of data spillage

Healthcare Risk Assessment
- Required by HIPAA
- Risks must be identified along with restricted data
  – Risk mitigation plans must be formulated and put into action
- Internet perimeter security alone is insufficient in healthcare
  – See "Hard on the Outside, Gooey in the Middle" in Chapter 2
- Need to know is a key risk principle

Healthcare Records Management
- Laptops and mobile devices are increasingly used and pose significant risks
- Records retention policies must be rigorously designed and implemented
- HIPAA makes this easier because Federal law trumps weaker state laws
- Retention times vary, typically 7 to 10 years
  – Vital records and surgical records must be retained indefinitely

Healthcare IT and the Judicial Process
- More than 1,000,000 patients in the US are affected by PHI losses every year
- Support for medical court cases is a key data management requirement
- Records retained too long pose a potential liability and are a major risk because they are e-discoverable, and they were considered private when they were composed
- Once a record is discovered, its records lifecycle (i.e. retention policy) is suspended
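
As an added example (not from the book), the retention and legal-hold rules from the two records slides above, with constructed retention categories: disposition is computed from category and creation date, indefinite categories never become disposable, and a discovered record's lifecycle is suspended until the hold is lifted.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods in years. The slides give "typically 7 to 10 years", with
# vital and surgical records kept indefinitely (None); the mapping of record
# categories to years below is constructed for this example.
RETENTION_YEARS = {
    "billing": 7,
    "clinical_note": 10,
    "vital_record": None,
    "surgical_record": None,
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # set once the record has been discovered in litigation

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; a Feb 29 anniversary falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposition_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be destroyed, or None when it must be kept
    indefinitely or its lifecycle is suspended by a legal hold."""
    years = RETENTION_YEARS[rec.category]
    if years is None or rec.legal_hold:
        return None
    return add_years(rec.created, years)

def review(records, today: date):
    """Split records into: due for disposition (retained past policy, hence an
    e-discovery liability), frozen by legal hold, and still within retention."""
    dispose, held, retain = [], [], []
    for rec in records:
        due = disposition_date(rec)
        if rec.legal_hold:
            held.append(rec.record_id)
        elif due is not None and today >= due:
            dispose.append(rec.record_id)
        else:
            retain.append(rec.record_id)
    return dispose, held, retain
```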

Data Loss Prevention (DLP)
- DLP is shifting focus from finding restricted data on servers to mobile devices
- Mobile devices are subject to physical loss and cyber attack from the Internet
- Encryption is essential on mobile devices and storage media (thumb drives, CDs, DVDs, removable hard drives, and tape backups)
- Clear data transfer policies should be established

Managing Logs in Healthcare Organizations
- Healthcare organizations should create detailed logs across all forms of devices
  – Clocks should be synchronized
- Logs should be normalized and centralized for analysis and retention
- Logged events should indicate what occurred, where, when, and with what information
- Logs should support non-repudiation
- Logs should be handled with a formal chain of custody supporting judicial processes
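
Added example, not from the book: a small collector that normalizes constructed log lines from three device types into one when/where/who/what schema with UTC timestamps, then chains the entries with an HMAC so later alteration of the retained log is detectable. Host names, user names, the sample lines and the key are constructed for the example.

```python
import hashlib, hmac, json, re
from datetime import datetime, timezone
# Constructed sample lines (not real log data): a BSD-syslog server line, a CSV
# workstation export stamped in local time, and an EHR JSON line with an epoch timestamp.
SAMPLE_LOGS = [
    "Oct  7 14:03:11 ehr-db01 sshd[2231]: Accepted publickey for jdoe from 10.0.4.21",
    "2015-10-07T09:03:15-05:00,WKS-17,jdoe,logon,interactive logon",
    '{"ts": 1444226600, "host": "ehr-app02", "user": "nurse1", "action": "view_record", "info": "MRN-0001"}',
]
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)$")

def normalize(line, syslog_year=2015):
    """Map one raw line onto a common schema: when (UTC), where, who, what, info."""
    m = SYSLOG.match(line)
    if m:  # BSD syslog carries no year or zone; assumed: clock synchronized to UTC
        when = datetime.strptime(f"{syslog_year} {m[1]}", "%Y %b %d %H:%M:%S")
        who = re.search(r"for (\S+)", m[4])
        return {"when": when.replace(tzinfo=timezone.utc).isoformat(), "where": m[2],
                "who": who[1] if who else "-", "what": m[3], "info": m[4]}
    if line.startswith("{"):
        d = json.loads(line)
        when = datetime.fromtimestamp(d["ts"], tz=timezone.utc)
        return {"when": when.isoformat(), "where": d["host"], "who": d["user"],
                "what": d["action"], "info": d["info"]}
    ts, host, who, what, info = line.split(",", 4)  # CSV: local time converted to UTC
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"when": when.isoformat(), "where": host, "who": who, "what": what, "info": info}

def seal_entries(entries, key):
    """Chain entries with a keyed hash: each seal covers the previous seal plus the
    entry, so edits, deletions and reordering are detectable by the key holder."""
    prev, sealed = b"\x00" * 32, []
    for e in entries:
        body = json.dumps(e, sort_keys=True).encode()
        seal = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        sealed.append({**e, "seal": seal})
        prev = bytes.fromhex(seal)
    return sealed

def verify_chain(sealed, key):
    """Recompute every seal in order; False if any entry or the order was altered."""
    prev = b"\x00" * 32
    for s in sealed:
        body = json.dumps({k: v for k, v in s.items() if k != "seal"}, sort_keys=True).encode()
        expected = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, s["seal"]):
            return False
        prev = bytes.fromhex(s["seal"])
    return True
```

An HMAC chain lets the collector's key holder show the log was not altered after collection; for non-repudiation that a court or third party can check without trusting that key holder, the chain head would be signed with an asymmetric key instead.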

Authentication and Access Control
- Role based access control (RBAC) is usually not flexible enough for healthcare
  – Certain users may assume many roles: doctor, executive administrator, patient
- One shared account, always logged in, was standard practice
  – Now that data is life critical, individual accountability must be tracked and logged
- Password-based authentication is being replaced by multi-factor authentication
- Usability is a critical issue; Single Sign On is one solution

Review: Chapter Summary