Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.

Slides:

Advertisements

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Advertisements

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

Health information security & compliance

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

Security Controls – What Works

Authentication choices! Vincent van Kooten: Business Sales Manager Benelux Distributed by -

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

HIPAA Security Rule November 16 th, 2004 ISSA/ISC ² Secure SD Security Conference, San Diego, CA Sean Lewis CISSP (ISSAP, ISSEP, ISSMP), CISA, SSCP, TICSA,

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

PKI Forum Business Panel March 6, 2000 Dr. Ray Wagner Sr. Director, Technology Research.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Eliza de Guzman HTM 520 Health Information Exchange.

Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture b This material (Comp7_Unit7b) was developed by.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

1 HIPAA Administrative Simplification Standards Yesterday, Today, and Tomorrow Stanley Nachimson CMS Office of HIPAA Standards.

Working with HIT Systems

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

Energize Your Workflow! ©2006 Merge eMed. All Rights Reserved User Group Meeting “Energize Your Workflow” May 7-9, Security.

Welcome….!!! CORPORATE COMPLIANCE PROGRAM Presented by The Office of Corporate Integrity 1.

HIPAA Security Final Rule Overview

Configuring Electronic Health Records Privacy and Security in the US Lecture a This material (Comp11_Unit7a) was developed by Oregon Health & Science University.

HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc.

Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,

The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

PHASE II OF HIPAA AUDIT PROGRAM June 2016 Presented by John P. Murdoch II, Esq. of Wilentz, Goldman & Spitzer, P.A. Two Industrial Way West Two Industrial.

The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.

Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture a This material Comp8_Unit6a was developed by Duke University,

© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

Final HIPAA Security Rule

County HIPAA Review All Rights Reserved 2002.

Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP

HIMSS National Conference New Orleans Convention Center

HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.

HIPAA Security Standards Final Rule

Paul T. Smith, Esq. Partner, Davis Wright Tremaine LLP

THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Presentation transcript:

Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy

Agenda Why Focus on Authentication? HIPAA Security Requirements Selecting Authentication Technologies Framework for Assessing Authentication Technologies – Examples Summary Case Study: McKesson

Why Focus on Authentication? Foundation for other critical services Growing need for stronger authentication –Expanding access to applications –User base –SSO HIPAA Business policy: liability, assurance for transactions Relationships between people, groups, and organizations Applications and services: access control and authorization Relationships between identities and information Presentation / Personalization: what the user sees Defining relationships through quality of experience Authenticated Identity (user, device, application, group, organization) Source of graphic: Burton Group, “Enterprise Identity Management”, October 2002

HIPAA Security Requirements General requirements –Ensure the confidentiality, integrity, and availability of all electronic protected health information –Protect against any reasonably anticipated threats or hazards and uses or disclosures not permitted under privacy regulations Flexible Approach –Use security measures that reasonably and appropriately implement the standards based on risk analysis –Consider organizational size, complexity, existing infrastructure, and capabilities; as well as costs –Technology-neutral

HIPAA Security Requirements Technical Safeguards –Authentication, access control, data integrity, transmission security, audit controls Administrative safeguards –Policies and procedures, risk analysis, workforce training, disaster recovery, evaluation, business associate contracts Physical Safeguards –Controlling access to facilities, workstation security, device and media controls

HIPAA Security Requirements “Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”* *45 CFR Part HIPAA Security Standards: Technical Safeguards

HIPAA Security Requirements Based on risk analysis, select appropriate and reasonable method –Look at security best practices in the industry For some applications, best practices require more than passwords –E.g. “Remote access requires two-factor authentication.”* For others, current best practices say passwords okay –E.g. For patient or member access to web sites** For many applications, will depend on organization Best practices evolving *HIPAA Security: the latest and best practices, Tom Walsh, CISSP, HIMSS, 2003 **Gartner

Selecting Authentication Technology Levels of authentication –Single factor versus multi-factor Diverse environments –On-site clinical versus on-site office –Web access for patients/members –Remote and web access for professionals Selection criteria –Strategic fit in corporate/system –Strategic fit for users –Total cost of ownership Passwords

Framework for Assessing Authentication Technologies: Authentication Scorecard: Total Cost of Ownership Acquisition Deployment Operating Total Cost of Ownership Acquisition Deployment Operating Strategic Fit (Corporate / System) Relative Security Interoperability / Back-End Integration Robustness / Scale Future Flexibility Strategic Fit (Corporate / System) Relative Security Interoperability / Back-End Integration Robustness / Scale Future Flexibility Strategic Fit (Users) Convenience / ease of use Portability Multi-purpose Strategic Fit (Users) Convenience / ease of use Portability Multi-purpose Apply a score of 1-10 to each of the ten attributes.

Example: User ID/Password

Example: Hardware Tokens

Example: Digital Certificates

Example: Smart Cards

Summary Selection of authentication technology depends on –Organization –Application –Risk analysis –Best practices Case study –Implementing authentication for SSO initiative Meet HIPAA and other requirements

Laura Robinson Healthcare Industry Analyst RSA Security, Inc.