HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September.

Slides:

Advertisements

Similar presentations

St. Louis Public Schools Human Resources Support for District Improvement Initiatives (Note: The bullets beneath each initiative indicate actions taken.

Advertisements

Electronic Medical Records: Implications of HIPAA for Selecting and Implementing an EMR Todd Frech Senior Partner

PhoenixPro Procurement. technology. contracts. projects.

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

Series 2: Project Management Understanding and Using 6 Basic Tools 9/2013 From the CIHS Video Series “Ten Minutes at a Time”

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

1 Introduction to Workforce Planning and Development in State of Alaska Executive Branch Departments.

Security Controls – What Works

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Quality evaluation and improvement for Internal Audit

Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.

Staff Structure Support HCCA Special Interest Group New Regulations: A Strategy for Implementation Sharon Schmid Vice President, Compliance and.

1 Module 4: Designing Performance Indicators for Environmental Compliance and Enforcement Programs.

An Educational Computer Based Training Program CBTCBT.

Basics of OHSAS Occupational Health & Safety Management System

SMS Operation.  Internal safety (SMS) audits are used to ensure that the structure of an SMS is sound.  It is also a formal process to ensure continuous.

ODINCINDIO Marine Information Management Training Course February 2006 Evaluating the need for an Information Centre Murari P Tapaswi National Institute.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

An EDI Testing Strategy Rosemary B. Abell Director, National HIPAA Practice Keane, Inc. HIPAA Summit IV April 24-26, 2002.

IAEA International Atomic Energy Agency Reviewing Management System and the Interface with Nuclear Security (IRRS Modules 4 and 12) BASIC IRRS TRAINING.

INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Director of Evaluation and Accountability Manager, UW’s Grand Rapids, Michigan Robert McKown, CIRS Director of Evaluation and Accountability Sherri.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Eliza de Guzman HTM 520 Health Information Exchange.

September 12, 2004 Simplifying the Administration of HIPAA Security Angel Hoffman, RN, MSN Director, Corporate Compliance University of Pittsburgh Medical.

The Fifth National HIPAA Summit – October 30, 2002 What to Do Now: Operational Implementation of HIPAA Privacy and Security Training Presented by: Steven.

The Quality Colloquium at Harvard University August 27, 2003 Patient Safety Organizational Readiness Assessment Tool Louis H. Diamond, MDBeverly A. Collins,

Connecting the Dots A Practical Approach to Integrating Compliance, Risk and Quality Jody Ann Noon RN, JD Partner Health Care Regulatory Practice.

Audit Planning Process

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

College Reviews An Overview Presented by Howard Lutwak, CIA Director of Internal Audit January 2004.

Working with HIT Systems

ISO DOCUMENTATION. ISO Environmental Management Systems2 Lesson Learning Goals At the end of this lesson you should be able to:  Name.

Using OMB Section 508 reporting in addressing your agency's program maturity. How to Measure Your Agency's 508 Program.

Energize Your Workflow! ©2006 Merge eMed. All Rights Reserved User Group Meeting “Energize Your Workflow” May 7-9, Security.

Staying ahead of the storm: know your role in information security before a crisis hits Jason Testart, IST Karen Jack, Secretariat.

An EDI Testing Strategy Rosemary B. Abell Director, National HIPAA Practice Keane, Inc. HIPAA Summit V October 30 – November 1, 2002.

HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office.

Installation and Maintenance of Health IT Systems Unit 8a Troubleshooting; Maintenance and Upgrades; and Interaction with Vendors, Developers, and Users.

AssessPlanDo Review QuestionYesNo? Do I know what I want to evaluate and why? Consider drivers and audience Do I already know the answer to my evaluation.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

Collaboration Process 1. IC Objectives and Risk Tolerances Define, document, and implement top-down internal control objectives and risk tolerances: 

Organization and Implementation of a National Regulatory Program for the Control of Radiation Sources Program Performance Criteria.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Primary Steps for Achieving ISO Certification.

On completion of the scenario, students will be able to: Learning Outcomes 1 Critically analyse and prioritise information security risks. 2 Systematically.

Evaluating the Quality and Impact of Community Benefit Programs

Compliance with hardening standards

TechStambha PMP Certification Training

Introduction to the Federal Defense Acquisition Regulation

SYSTEMS ANALYSIS Chapter-2.

TRINITY UNIVERSITY HOSPITAL INTERNAL EXIT MEETING

The Practical Side of Meaningful Use:

IS4680 Security Auditing for Compliance

HIPAA Security A Quantitative and Qualitative Risk Assessment

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Security Risk Assessment (SRA)

Presentation transcript:

HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September 14-16, 2003

2 Overview The Data Security issue – –Why listen to this presentation? –What do we need to do – Security Gap Assessment? Gap Analysis VS Risk Assessment –Goals of a Risk Assessment –How to perform a Risk Assessment Lesson Learned

HIPAA Security Why are you here?

4 Things to Think About? What grade would you get on your security plan if your DOI commissioner walked into your organization today? If you found out you had a security breach, what 3 areas come to mind? What tools and process do you use to explain to your senior management that you really studied your security plan?

5 Things to Think About? When you are in the witness box, how many of you can say that someone else certified your network? If it came across the national news that there are truck full of paper claims laying on the highway, how many of you would pick up the phone and call your management to see if it was your organization?

HIPAA Security What To Do?

7 Why conduct a Security Assessment? Provide an understanding of the impact of HIPAA legislation on business operations and technology infrastructure –Identify gaps between current business and technical environments compared to the requirements of HIPAA –Evaluate the significance of the vulnerabilities (Risks) in the context of the organization’s operations

8 What do we need to do? 1.Plan 2.Gather Data 3.Analyze Data 4.Assess Risk

9 Plan Kickoff meeting to provide an understanding of the security assessment process –Identify the people involved, confirm staff to be interviewed –Identify the security assessment approach –Identify the steps to be taken –Review high level milestones

10 Gather Security Data Customize security assessment questionnaire for HIPAA specifications Assign appropriate questions to representatives from functional areas Interview representatives from functional areas using the applicable questionnaires Record data

11 Conduct Gap Analysis Compile results of questionnaires Identify gaps Develop gap analysis report to reveal gaps in compliance between the current environments and the HIPAA requirements

HIPAA Security Gap Analysis VS Risk Assessment?

13 Gap Analysis vs. Risk Assessment The gap analysis compares where we are to where we need to be in relation to HIPAA compliance. It helps determine the areas where the organization has vulnerabilities The risk assessment will be used to evaluate the significance of the vulnerabilities in context of the organization’s operations

14 Risk Assessment The questions you are trying to answer in the risk assessment are: –What could compromise the confidentiality,integrity and availability of the health information in our possession? –If that information is compromised what is the impact to our business or to the individual? –What is the probability that it will happen?

15 How to perform a Risk Assessment The Risk areas rank the relative impacts of “not compliant” responses to the organization. –Qualitative Risks: based on values associated with each of the questions asked in the assessment questionnaire. If a “not compliant” answers implies a solution that typically requires a significant effort to achieve compliance, it carries a high qualitative. Medium and low qualitative risk values are assigned for those with correspondingly lower typical efforts. When summarized for a section, this value gives an indication of the average level of effort that will be needed for compliance activities. –The Quantitative Risks reflect the counts of “not compliant” responses within the set of questions for a regulation section. The counts associated with each of the High/Medium/Low risk values for each section since sections have different numbers of questions. When summarized for a section, this value shows volume of identified compliance gaps. More than 50% non-compliant responses = High 33%- 50% non-compliant responses = Medium Less that 33% non-complaint responses = Low

16 Other Considerations Purpose of process/system/ department Number of users Types of users, internal, external, on-site, remote, contract Type of access, level and scope of access Frequency of use Knowledge level of users Input into the Risk Assessment:

17 Other Considerations Number of locations/sites Physical environment Types of security controls Interdependencies and interfaces Type of information and risks for confidentiality, integrity and availability Type of threats (intentional or unintentional) Input into the Risk Assessment:

18 Example: FindingsRecommendationsRisk The departments indicated that it did not know whether health care access requirements are reviewed as a result of internal policy changes. The departments indicated that it did not know whether health care access requirements are reviewed as a result of organizational restructuring or change. The qualitative risk is High. The quantitative risk is Medium since 2 of 6 responses were negative. Recommended solutions are: Policies and procedures must be developed and implemented to require review of health care access requirements as a result of internal policy changes and organizational restructuring or change. All staff must be trained on the policies and procedures Qualitative = Quantitative = Section: Administrative Safeguards Standard: (1) Information Access Management Implementation: Access Establishment and Modification (Addressable) Department; Common Department Findings

19 Priority Scheme Qualitative Average Low 1 High Quantitative Medium 6 5 High Medium Low

20 Lessons Learned Create a well-defined approach Obtain executive commitment Assign one responsible individual Provide awareness and education The assessment does not execute itself –It must be administered and controlled Upfront planning pays many dividends –More timely and accurate response

21 Thank You ! Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc (919)