Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Hipaa privacy and Security
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Regulations What do you need to know?.
 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Electronic Health Records Danielle P. Berthelot, RHIA Director, Health Information Management and Cancer Registry Privacy Officer Woman’s Hospital.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,
HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid.
HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Eliza de Guzman HTM 520 Health Information Exchange.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture b This material (Comp7_Unit7b) was developed by.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Working with HIT Systems
Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.
Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &
Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.
Western Asset Protection
Configuring Electronic Health Records Privacy and Security in the US Lecture a This material (Comp11_Unit7a) was developed by Oregon Health & Science University.
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 3 This material was developed by Oregon Health & Science University,
Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture a This material Comp8_Unit6a was developed by Duke University,
The Health Insurance Portability and Accountability Act 
East Carolina University
Installation and Maintenance of Health IT Systems
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
Disability Services Agencies Briefing On HIPAA
Final HIPAA Security Rule
County HIPAA Review All Rights Reserved 2002.
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
HIPAA Security Standards Final Rule
Drew Hunt Network Security Analyst Valley Medical Center
Introduction to the PACS Security
WELCOME.
Privacy, Confidentiality, Security, and HIPAA
The Health Insurance Portability and Accountability Act
Presentation transcript:

Unit 6a System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC

What We’ll Cover Regulatory requirements –HIPAA privacy and security rules Best practices Identify and assess protection measures –Access control –Firewalls –Intrusion detection –Encryption –Importance of user training Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Security and Privacy Federal, state, and local laws govern access to and control of health record information, particularly: –Who can have access –What should be done to protect the data –How long the records should be kept –Whom to notify and what to do if a breach is discovered Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Security and Privacy: HIPAA HIPAA = Health Insurance Portability and Accountability Act of 1996 –Protected health information (ePHI) includes any health information that: Explicitly identifies an individual Could reasonably be expected to allow individual identification. –Excludes PHI in education records covered by Family Educational Rights and Privacy Act (FERPA), employment records. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Security and Privacy: HIPAA (cont’d) 18 identifiers recognized as providing identifiable links to individuals. –Name, address, ZIP code –Dates (birth dates, discharge dates, etc.) –Contact info, including , web URLs –Social Security Number or record numbers –Account numbers of any sort –License number, license plates, ID numbers –Device identifiers, IP addresses –Full face photos, finger prints, recognizable markings Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Security and Privacy (cont’d) State and local laws vary. Federal law tends to supersede state and local laws. Where overlap occurs, always choose the tightest constraint. Our lecture will focus on federal regulatory obligations. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

What is HIPAA Privacy? Federal law governing privacy of patients' medical records and other health information maintained by covered entities including: –Health plans, including Veterans Health Administration, Medicare, and Medicaid –Most doctors & hospitals –Healthcare clearinghouses Gives patients access to records and significant control over use and disclosure. Compliance required since April Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

HIPAA Privacy Rule Privacy and security complaints –All investigated by Office of Civil Rights (OCR) of Dept. of Health and Human Services (HHS), as of –54,562 complaints received (as of August 2010), of which 11,632 required corrective actions. –Steep fines for validated complaints. –Entities needing the most corrective actions: Private health care practices General hospitals Pharmacies Outpatient facilities Group health plans Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

HIPAA Privacy Rule (cont’d) Violations investigated most often: 1.Impermissible uses and disclosures of protected health information (ePHI) 2.Lack of safeguards of ePHI 3.Lack of patient access to their ePHI 4.Uses or disclosures of more than the minimum necessary ePHI 5.Complaints to the covered entity Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

HIPAA Security Rule Established standards for securing electronic protected health information (ePHI) created, received, maintained, or transmitted. –Delineated as “required” or “addressable”. –Designed to be flexible, scalable. By 2005, entities required to: –Ensure confidentiality, integrity, availability. –Identify and protect against reasonably anticipated threats to the security or integrity of the information. –Protect against reasonably anticipated, impermissible uses or disclosures. –Ensure compliance by workforce. Works in tandem with Privacy Rule. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

What is Required by HIPAA Security Rule? Categories: 1.Administrative safeguards 2.Physical safeguards 3.Technical safeguards 4.Organizational requirements Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Common Security Breaches According to the TCP/IP Core Networking Guide from Microsoft: Inside jobs, social engineering Brute force Eavesdropping, sniffing, snooping Data modification Identity spoofing Password-based attacks Denial of service attacks Man in the middle attacks Application layer attacks Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Administrative Safeguards Address process of security management in your organization. Risk analysis –Evaluating likelihood and impact of potential risks to ePHI –Implementing appropriate security measures to address identified risks –Documenting security measures chosen, with rationale –Maintaining continuous, reasonable, appropriate protections Ongoing process, with regular reviews Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Administrative Safeguards (cont’d) –Designated security official Responsible for developing and implementing security policies and procedures. Knowledge of good HIPAA practices Familiarity with established IT security standards Ability to interface well with all levels of management and staff Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Administrative Safeguards (cont’d) –Policies & procedures for authorizing access to ePHI only when appropriate for one’s role (role-based access). Who gets access to ePHI data? What level of access is needed? Who is the agent authorizing the access? Is this authorization adequately documented? Is the access periodically reviewed? Is there a process for rescinding access when no longer needed? Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Administrative Safeguards (cont’d) –Processes for appropriate authorization and supervision of workforce members who work with ePHI. –Well-documented training of all workforce members in security policies and procedures Appropriate sanctions against violators. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Physical Safeguards: Access Limit physical access to facilities, while ensuring that authorized access is allowed. –Server rooms where ePHI is stored –Work areas where ePHI is accessed –Back-up media storage potentially containing ePHI Inventory hardware and software. –Know where inventory is kept. –Know value of hardware, software, equipment. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Physical Safeguards: Access (cont’d) Policies and procedures for proper use of & access to workstations & electronic media, including transfer, removal, disposal, re-use. –Lock down publicly-accessible systems potentially containing ePHI. –Strong passwords (8-14 characters with variety of letters, symbols, numbers) changed regularly. –At least 256-bit encryption, especially for wireless, backups, & offsite data. –Media destroyed after being thoroughly wiped. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Technical Safeguards: Access Control Access controls, audit controls, integrity, person, user/entity authentication, transmission security Most effective: layered approach. –Multiple technologies employed concurrently. Adequate access controls include: –AD (Active Directory), LDAP (Lightweight Directory Access Protocol) –Vendor-specific controls usually part of EHR Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Technical Safeguards: Firewall Inspects incoming network traffic; permits or denies access based on criteria. Hardware- or software-driven. Blocks ports through which intruders can gain access (e.g., port 80, which regulates web traffic). Most commonly placed on network perimeter (network-based) or network device (host- based). EHR will require certain ports to remain open. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Firewalls Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring Blocked Allowed NETWORK FIREWALL COMPUTER FIREWALL

Summary Protected health information (ePHI) –Strictly regulated by HIPAA and other government guidelines prohibiting unwanted, unauthorized access. –Should be protected using layered approach, including numerous, administrative, physical, and technical safeguards. Firewalls as first-level technical safeguard. Component 8/Unit 6aHealth IT Workforce Curriculum Version 2.0 Spring

Reference Summary of the HIPAA Security Rule, US Department of Health & Human Services – rsummary.htmlhttp:// rsummary.html “Common Types of Network Attacks” Microsoft Windows TCP/IP Core Networking Guide. Distributed Systems Guide, Windows 2000 Server – us/library/cc aspxhttp://technet.microsoft.com/en- us/library/cc aspx Strong Password Definition, Requirements, and Guidelines – Component 8/Unit 8aHealth IT Workforce Curriculum Version 2.0 Spring

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.