2. HIPAA Security Best Practices

3. Clint Davies Principal BerryDunn cdavies@berrydunn.com

4. Dan Vogt Senior Manager BerryDunn dvogt@berrydunn.com

5. Agenda Introductions HIPAA in the News Overview of the HIPAA Security Rule Risk Assessment Approach Top Issues Challenging IT Security Questions and Answers

6. HIPAA in the News 2 2 http://www.healthcareitnews.com/

7. Source: http://www.idtheftcenter.org/data-breaches-in-2013.html

8. Cost of a Data Breach Source: Verizon 2015 Data Breach Investigations Report

9. Background Health Insurance Portability and Accountability Act (HIPAA) Established in 1996 Privacy and Security Rules ARRA (2009) Omnibus Rule (2013)

10. Security Rule The Security Rule is structured by: Implementation Specifications Standards Safeguard

11. Security Rule Safeguards are organized into: Administrative Safeguards Physical Safeguards Technical Safeguards Implementation Specifications are either: Required Addressable

12. Administrative Safeguards StandardImplementation SpecificationR/A Security Management Process Risk AnalysisR Risk ManagementR Sanction PolicyR Information System Activity ReviewR Assign Security Responsibility R Workforce Security Authorization and/or SupervisionA Workforce Clearance ProcedureA Termination ProceduresA

13. Administrative Safeguards (cont.) StandardImplementation SpecificationR/A Information Access Management Isolating Health Care Clearinghouse Functions R Access AuthorizationA Access Establishment and ModificationA Security Awareness and Training Security RemindersA Protection from Malicious SoftwareA Log-in MonitoringA Password ManagementA Security Incident Procedures Response and ReportingR

14. Administrative Safeguards (cont.) StandardImplementation SpecificationR/A Contingency Plan Data Backup PlanR Disaster Recovery PlanR Emergency Mode Operation PlanR Testing and Revision ProceduresA Application and Data Criticality AnalysisA EvaluationR Business Associate Contracts and Other Arrangements Written Contract or Other ArrangementR

15. StandardImplementation SpecificationR/A Facility Access Controls Contingency OperationsA Facility Security PlanA Access Control and Validation ProceduresA Maintenance RecordsA Workstation UseR Workstation SecurityR Device and Media Controls DisposalR Media Re-UseR AccountabilityA Data Backup and StorageA Physical Safeguards

16. Technical Safeguards StandardImplementation SpecificationR/A Access Control Unique User IdentificationR Emergency Access ProcedureR Automatic LogoffA Encryption and DecryptionA Audit ControlsR IntegrityMechanism to Authenticate Electronic PHIA Person or Entity Authentication R Transmission Security Integrity ControlsA EncryptionA

17. All about assessing the risks!

18. 18 Likelihood and Impact

19. THE RISK ASSESSMENT PROCESS

24. Putting this to practical use – the Top 10 IT Security Control Risks and what you can do

25. #10 Segregation of Duties

26. #9 Finding and Maintaining Qualified Security Personnel

27. #8 Lack of Management Support

28. #7 IT Diplomatic Immunity

29. #6 Data on User Owned Mobile Devices

30. #5 Lack of Encryption

31. #4 Outdated Operating Systems

32. #3 Technology Innovations That Outpace Security

33. #2 Inadequate System Logging

34. #1 Overreliance on Security Monitoring Software

35. QUESTIONS?

36. Clint Davies cdavies@berrydunn.com Dan Vogt dvogt@berrydunn.com