NIST / URAC / WEDi Health Care Security Workgroup Presented by: Andrew Melczer, Ph.D. Illinois State Medical Society.

Slides:

Advertisements

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Advertisements

Legal Work Group Developing a Uniform EHR/HIE Patient Consent Form.

HISPC-Illinois II The Public-Private Partnership Moves Forward on Privacy and Security.

© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 1 The Goal of HIPAA: Administrative Simplification HIPAA for Allied Health.

U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor.

Interoperability Roadmap Comments Package Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair February 24, 2015.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Privacy and Security Workgroup: Big Data Public Hearing December 8, 2014 Deven McGraw, chair Stan Crosley, co-chair.

Consumer Work Group Presentation Federal Health IT Strategic Plan January 9, 2015 Gretchen Wyatt Office of Planning, Evaluation, and Analysis.

Part II Objectives F Describe how policies and procedures are used F Identify different types of P & P F Describe the purpose and components of a Policy.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Complying With The Federal Information Security Act (FISMA)

1-2 Training of Process FacilitatorsTraining of Coordinators 5-1.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

Information Security Framework & Standards

Simon Brewin Overview of the National Supply Chain Reform Task Force.

April 11, 2007 Prepared by the North American Energy Standards Board 1 North American Energy Standards Board Standards Development Process.

Staff Structure Support HCCA Special Interest Group New Regulations: A Strategy for Implementation Sharon Schmid Vice President, Compliance and.

© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 5 HIPAA Enforcement HIPAA for Allied Health Careers.

HIPAA Revisions! Section 1104 THE PATIENT PROTECTION AND AFFORDABLE CARE ACT February 17, Nachimson Advisors, LLC.

NIST Special Publication Revision 1

State of Iowa Enterprise HIPAA Compliance

ISO 9000 & TOTAL QUALITY ISO 9000 refers to a group of quality assurance standards established by the International Organization for Standardization.This.

Update on Interoperability Roadmap Comments Sections G, F and E Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Marina Signore Head of Service “Audit for Quality Istat Assessing Quality through Auditing and Self-Assessment Signore M., Carbini R., D’Orazio M., Brancato.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

ADD Perspectives on Accountability Where are We Now and What does the Future Hold? Jennifer G. Johnson, Ed.D.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

1 EAP and EAI Alignment: FiXs Pilot Project December 14, 2005 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.

HIPAA TRANSACTIONS 2002 UPDATE. HHS Office of General Counsel l Donna Eden l Office of the General Counsel l Department of Health and Human Services.

Utilizing the CMS Security Risk Assessment Tool Liz Hansen, PCMH CEC, ICD-10 PMC Special Consultant, GA-HITEC Member Manager, GaHIN

National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.

Dan Steinberg Senior Consultant Booz Allen Hamilton Presentation for HIPAA Summit X Baltimore, MD April 7, 2005 The HIPAA Security Rule: Theory and Practice.

HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.

National Institute of Standards and Technology Information Technology Laboratory 1 USG Cloud Computing Technology Roadmap Next Steps NIST Mission: To promote.

WEDI ICD-10 Update National Committee on Vital and Health Statistics Subcommittee on Standards June 10, 2014 Jim Daley, Chairman, WEDI Director, IT Risk.

Business and Systems Aligned. Business Empowered. TM Federal Identity Management Handbook May 5, 2005.

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

Eliza de Guzman HTM 520 Health Information Exchange.

Name Position Organisation Date. What is data integration? Dataset A Dataset B Integrated dataset Education data + EMPLOYMENT data = understanding education.

ISA Setting the Standard for Automation ™ Automation Standards Compliance Institute ISA Security Compliance Institute (ISCI) Prepared by: Andre Ristaino,

1 National Audioconference Sponsored by the HIPAA Summit June 6, 2002 Chris Apgar, CISSP Data Security & HIPAA Compliance Officer Providence Health Plan.

Audit Planning Process

Seeking a National Standard for Security: Developing a Systematic Crosswalk of the Final HIPAA Security Rule, the NIST SP , NIST SP Security.

Security and Privacy Workgroup SMALL PRACTICE IMPLEMENTATION WEDI/SNIP Security and Privacy Workgroup White Paper Version 2.0 – Dated April 2004.

Working with HIT Systems

EGovOS Panel Discussion CIO Council Architecture & Infrastructure Committee Subcommittee Co-Chairs March 15, 2004.

Standard Unique Health Identifier for Health Care Providers April 9, th Annual HIPAA Summit Gail Kocher Highmark.

1 HIPAA Summit 10 HIPAA Transactions and Code Sets Implementation Roundtable Presented by Mark McLaughlin Chairman, WEDI.

1 PARCC Data Privacy & Security Policy December 2013.

NIST HIPAA Security Rule Toolkit Kevin Stine Computer Security Division Information Technology Laboratory National Institute of Standards and Technology.

Moving Successfully Toward SACS Reaffirmation: An Introductory Discussion Presenters Dr. Cathy Fleuriet Associate Vice President for Institutional Effectiveness.

CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.

HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

HIPAA Yesterday, Today and Tomorrow? Dianne S. Faup Office of HIPAA Standards Centers for Medicare & Medicaid Services.

NIST SP800 53R4 WMISACA Conferance April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI

PRECONFERENCE III Advanced Strategies to Achieve ROI in Implementing HIPAA Karl Ideman, CEO Pool Administrators Inc. September 14, 2003.

April 14, 2003 – HIPAA Privacy Audioconference The Importance of April 14, 2003: Where you should be regarding HIPAA privacy policies and procedures and.

Asset Management Accountability Framework - Guidance

TSMO Program Plan Development

EMPLOYER HIPAA COMPLIANCE STRATEGIES HIPAA Summit Audio Conference

Transactions and Code Sets and the National Provider Identifier (NPI) – Getting Value From the HIPAA Standards Presented by: Steven S. Lazarus, PhD, CPEHR,

Matthew Christian Dave Maddox Tim Toennies

Group Meeting Ming Hong Tsai Date :

Strategies to Comply with the HPAA Privacy Rule Before the HIPAA Security and Enforcement Rules are Final Presented by: Steven S. Lazarus, PhD, FHIMSS.

Part II Objectives Describe how policies and procedures are used

Central New York HEALTH EMERGENCY PREPAREDNESS COALITION

Presentation transcript:

NIST / URAC / WEDi Health Care Security Workgroup Presented by: Andrew Melczer, Ph.D. Illinois State Medical Society

Background u NIST/URAC/WEDi Health Care Security Workgroup established late 2002 u Response to HIPAA final Security Rule u Formed to: – Facilitate identification and implementation of best practices in health care for information security requirements – Identify similarities between those practices and HIPAA standards

Workgroup Mission u To facilitate communication and consensus on best practices for information security in health care u To promote implementation of uniform approach to security practices and assessments

Workgroup Goals u Identify security standards for future use in health care industry u Review and discuss security standards currently being used in health care industry to drive consensus on best practice

Founding Organizations u Three founding organizations – NIST – URAC – WEDi

NIST u National Institute of Standards and Technology u Founded in 1901 u Non-regulatory federal agency u Within U.S. Commerce Department’s Technology Administration

NIST u Mission: To develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life u Responsibilities include development of technical, physical, administrative, and management standards and guidelines for cost-effective security and privacy

URAC u Independent, nonprofit organization u Leader in promoting health care quality through accreditation and certification u Offers wide range of quality benchmarking programs and services u Provides symbol of excellence for organizations to validate commitment to quality and accountability u Ensures all stakeholders represented in establishing quality measures

WEDi u Workgroup for Electronic Data Interchange u Vision: Improve health care through electronic commerce u Mission: Foster widespread support for the adoption of electronic commerce within health care

WEDi u Provides forum for definition of standards, resolution of implementation issues, development and delivery of education and development of strategies and tactics for continued expansion of electronic commerce in health care u Named in HIPAA as one of entities HHS directed to consult

HC WG Founding Organization Contacts u Lisa Gallagher, URAC u Arnold Johnson, NIST u Mark McLaughlin, WEDi

Work to Date u Workgroup holds meetings nearly every month u Covered great deal of information u Information on all past and future Workgroup meetings at:

Work to Date u HIPAA Security Rule u Meeting Safeguard Requirements in Privacy Rule (Section (c)) u NIST SP : Risk Management Guide for Information Technology Systems – Describes how to perform a risk analysis – 4 NIST documents cited in final Security Rule

Work to Date u NIST SP : Guide for the Security Certification and Accreditation of Federal Information Systems – Being developed in response to Federal Information Security Management Act of 2002 u NIST SP : 1 st draft: Recommended Security Controls for Federal Information Systems – Recommended set of controls for low and moderate impact systems

Work to Date u Security Self-Assessment Guide for IT Systems and the Automated Security Self-Evaluation Tool (ASSET) – Purpose to automate completion of questionnaire in NIST SP – Users able to assess IT security posture for systems and assess status of organization’s security program plan

Work to Date u FIPS (Federal Information Processing Standards) Publication 199: Standards for Security Categorization of Federal Information and Information Systems – FIPS Publications meant to apply to federal government agencies – Defines baseline for security categorization standards and potential levels of risk relevant to securing federal information and information systems

Work to Date u ISO Security Standards: Information Technology – Code of Practice for Information Security Management – Detailed security standard organized into ten major sections, each covering a different topic or area – ISO = International Organization for Standardization sells ISO 17799

Work to Date u CMS Contractor Assessment Security Tool (CAST) – Provides Medicare Carriers and Intermediaries with standard method of documenting compliance with CMS Core Security Requirements u CMS Internet Security Requirements – Establishes fundamental rules and system security requirements for use of Internet

Work to Date u SEI OCTAVE Model for Risk Analysis – Risk-based strategic assessment and planning technique for security u HIPAA-CMM proposed by Corbett Technologies – Standard methodology for assessing health care organization’s compliance with HIPAA security standards u And more ….

Disclaimer u Workgroup does not endorse and is not suggesting that entities use any specific products described above, including those for sale only u Rather, Workgroup reviewing range of products in order to develop guidance for industry in implementing HIPAA Security Rule

Work Plan u Crosswalk Task Force established u Provide crosswalk of HIPAA Security Rule requirements to existing security standards used in health care u Provide industry with crosswalk matrix to assist with effective implementation of HIPAA by comparing various security standards, which may already be implemented, with HIPAA

Crosswalk u Focus of remainder of afternoon u Standards being considered for review: – NIST Special Publication 800 Series – ISO – CMS Core Security Requirements – CMS Internet Security Requirements – Federal Information System Control Manual (FISCAM) – DoD Information Technology Security Certification and Accreditation Process (DITSCAP)

Resources u URAC for Workgroup information, minutes, and presentations u NIST for SP 800 Series csrc.nist.gov/publications/nistpubs/index.html u WEDi for Security White Papers, including summary of NIST SP 800 documents 0.htm

Andrew H. Melczer, Ph.D. Vice President, Health Policy Research Illinois State Medical Society