Presentation is loading. Please wait.

Presentation is loading. Please wait.

HITEQ Highlights: Community Health Center Privacy & Security Best Practices Good afternoon everyone and welcome to this webinar on Privacy and Security.

Published byBrent Park Modified over 7 years ago

Similar presentations

Presentation on theme: "HITEQ Highlights: Community Health Center Privacy & Security Best Practices Good afternoon everyone and welcome to this webinar on Privacy and Security."— Presentation transcript:

1 HITEQ Highlights: Community Health Center Privacy & Security Best Practices
Good afternoon everyone and welcome to this webinar on Privacy and Security Best Practices for Community Health Centers. My name is Nathan Botts from Health Information Technology, Evaluation and Quality Center (or HITEQ Center) and I will be your moderator for this webinar. Also, we will be taking questions through the chat function, so if you have any questions during the presentation, please use the chat feature located in the lower left hand corner of your screen. We will address as many as we can at the end of the presentation as time permits. Your feedback is important to us as it helps us to plan effective webinars and other trainings.  At the end of this webinar you’ll be asked to complete an evaluation survey. It will pop up on your screen immediately after this webinar. We thank you in advance for taking the time to provide your feedback. April 17, 2017 | 3-4 pm ET

2 HITEQ Purpose The Health Information Technology Evaluation and Quality (HITEQ) Center is a HRSA-funded Cooperative Agreement that collaborates with HRSA partners to support health centers in full optimization of their EHR/Health IT systems The HITEQ Center is a HRSA-funded cooperative agreement that collaborates with our HRSA partners including PCAs, HCCNs and other National Cooperative Agreements to support HCs in full optimization of the use of EHRs and other health IT systems for continuous data driven QI

3 HITEQ Services Web-based health IT knowledgebase
Workshops and webinars Targeted technical assistance HITEQ’s main services include development and ongoing updates to a Web-based health IT knowledgebase, conducting workshops and webinars, and providing targeted technical assistance in collaboration with our partners.

4 HITEQ Focus Areas Health IT Enabled Quality Improvement EHR Selection and Implementation Health Information Exchange QI/HIT Workforce Development Value-Based Payment Privacy and Security Electronic Patient Engagement We provide these services in 8 main focus areas: Health IT Enabled Quality Improvement, EHR Selection and Implementation, Health Information Exchange, QI/HIT Workforce Development, Value based payment, privacy and security, electronic patient engagement, and population health management. For the Web-based health IT knowledgebase, we have resource sets for each of the 8 main topic areas. These resource sets are curated groups of resources that we have either developed internally or identified from experts or organizations that are health center focused. Resource sets include: business cases; checklists; sample forms; decision support tools; best practices; tips and lessons learned; and case studies. Today we are highlighting strategies and resources around privacy and security for community health centers. Population Health Management

5 Legal Disclaimer The information included in this presentation is for informational purposes only and is not a substitute for legal advice. Please consult an appropriate attorney if you have any particular questions regarding a legal issue.

6 Today’s Presenter Adam Kehler, CISSP
Senior Consultant - Healthcare Information Privacy and Security at Online Business Systems Specializing in Information Security, Adam has experience conducting Security Risk Assessments, conducting vulnerability assessments, and assisting organizations meet compliance requirements such as the HIPAA Privacy and Security Rules and HITECH.

7 Session Agenda Overview of Healthcare Privacy & Security
Implications for Health Centers Key Considerations for Health IT Admin Board of Director Oversight and Responsibilities Questions and Discussion

8 Overview of Privacy and Security

9 Problem Statement Increased use of electronic health record systems increases security risk Increased use of IoT enabled mobile health and medical devices increases security risk Increased use of internet-based systems increases security risk Increased numbers of users on a given system increases security risk That can be a lot of security risk for small to medium health centers to effectively manage!

10 Healthcare Privacy & Security Policies and Regulations
Health Insurance Portability and Accountability Act of 1996 (HIPAA): required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. Health Information Technology for Economic and Clinical Health (HITECH) Act’s Meaningful Use program: required objective measures for ensuring the safety of electronic Protected Health Information (ePHI) as dictated by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) (OCR 2009). Cybersecurity Information Sharing Act of 2015 CISA will allow healthcare cybersecurity professionals to connect with one another via a network so that they can exchange information regarding cybersecurity threats. This will help healthcare providers increase the protection of their patient’s health data and be prepared for cyberattacks.

11 Security Rule Requirements
Reference: Michigan Center for Effective IT Adoption

12 Security Risk Assessment
Required by HIPAA Security Rule and Meaningful Use Should be conducted annually Not required to, but should follow an established framework such as NIST, COBIT, or ISO

13 Security Risk Assessment 1
Challenges Can be hard to understand requirements Hard to find concrete examples and expertise Organizations worry about enforcement actions if they acknowledge they have security risks Many “risk assessments” end up being an enumeration of security controls or simple checklists

14 Compliance vs. Security
Security is not a product Compliance is not your blueprint Security is a mindset Avoid Checkbox Compliance Security is an ongoing program Remember “reasonable and appropriate” Security is not just an IT responsibility Compliance is an ongoing requirement

15 Approach The Security Risk Assessment approach is designed to allow organizations to implement “reasonable and appropriate” security controls as opposed to being prescriptive For example, what is a reasonable disaster recovery plan for a large health system would be excessive for a small doctor’s office; this allows flexibility while still being enforceable If other organizations of the same size are encrypting their laptops, it would seem reasonable to expect your organization to do the same But how can you determine what is “reasonable and appropriate” for your organization? Look to industry standards and guidance

16 Information Security Basics

17 Information Security Basics 2
Protect the confidentiality, integrity, and availability of electronic PHI Identify everywhere PHI is stored or transmitted: Stored PHI may include EHR/PM, patient portal, medical devices, file storage, scanned documents, web-based systems, removable storage, photocopiers, fax machines or electronic fax systems Transmitted PHI may include , fax, or text messages for purposes of billing, insurance, prescriptions, communicating with other healthcare providers, communicating with patients, communicating within the office, research, or other third parties Workflow analysis performed by business may help

18 Information Security Basics 3
Protect PHI in transit Only send over the internet encrypted (encrypted , https, secure ftp) Protect PHI at rest Unique logins Access Controls (password protect all devices) Consider encryption of PHI and full disk encryption for laptops, tablets, and smartphones

19 Information Security Basics 4
Practice continuous maintenance, patching, and upgrades Apply operating system updates regularly Where possible, set programs to update automatically Subscribe to information security alert services such as the US Computer Emergency Readiness Team ( Regularly test your backups. Backups fail frequently.

20 Information Security Basics 5
Antivirus is important, but not sufficient! Today’s attacks are adept at circumventing AV Consider full endpoint protection. Includes: Malware removal based on existing signature files and heuristic algorithms Built-in antispyware protection Ingress/Egress firewall IPS/IDS sensors and warning systems Application control and user management Data input/output control, including portable devices

21 Information Security Basics 6
Administrative Controls Security Awareness Training Build a culture motivated and dedicated to securing patient data Train users on handling of PHI as well as detecting and responding to suspicious activity such as phishing and social engineering attempts Policies and Procedures for handling of information If you are unsure, hire external consultants to help you build a strategy and test that strategy frequently

22 Security for IT Managers and System Administrators

23 IT Managers and System Administrators
While the HIPAA Security Rule does provide a framework for security risk management, it can be difficult to know what specific steps to take to implement “reasonable and appropriate” security controls What are other organizations doing? What are the most effective controls? Look to industry standards The Center for Internet Security (CIS) maintains a list of the Top 20 Security Controls Internationally recognized Guidance on varying levels of maturity Specific and Practical According to the Australia Signals Directorate (ASD): “Incorporating the Top 4, the eight mitigation strategies with an 'essential' rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations.”

24 IT Managers and System Administrators 2
Center for Internet Security (CIS) Top 20 Security Controls CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges

25 HIPAA Security Rule Controls
CSC and HIPAA Control Family HIPAA Security Rule Controls Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (c): Workstation Security - R (d)(1): Device and Media Controls: Accountability - A Critical Security Control #2: Inventory of Authorized and Unauthorized Software (c): Workstation Security - R Critical Security Control #3: Secure Configurations for Hardware and Software Critical Security Control #4: Continuous Vulnerability Assessment and Remediation (a)(8): Evaluation (a)(6): Security Incident Procedures Critical Security Control #5: Controlled Use of Administrative Privileges (b): Workstation Use - R (c): Workstation Security - R : Access Control: Unique User Identification - R (b): Audit Controls (d): Person or Entity Authentication

26 CSC 1: Inventory of Authorized and Unauthorized Devices
Workstations Photocopiers Storage “Know what you have” is the basis of information security You can’t secure it if you don’t know about it Actively managing hardware inventory provides the basis for CSC 2-20 This is important in regards to the HIPAA Security Rule and conducting a Security Risk Assessment because it allows you to create an inventory of ePHI Tablets Fax Machines Firewalls BYOD Switches Backup Media Laptops VoIP Phones Smart Phones Servers USB Drives Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. (c): Workstation Security - R (d)(1): Device and Media Controls: Accountability - A

27 CSC 2: Inventory of Authorized and Unauthorized Software
“Know what you have” Part 2 You can’t secure it if you don’t know about it There are different levels of implementing these controls. All the way from simply inventorying and manually correcting to application whitelisting Whitelisting is one of the best protections against malware Create an inventory of software systems that store or transmit ePHI. Include cloud-based systems Practice Mgmt Fax Software Training EHR Patient Portal Messaging Billing Remote Support Office Programs Web Portals Imaging Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. (c): Workstation Security

28 CSC 3: Secure Configurations for Hardware and Software
Now that you “Know what you have”, you can manage it Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Put systems in place to enforce ongoing compliance with security benchmarks Benchmarks available: The Center for Internet Security Benchmarks Program ( The NIST National Checklist Program (checklists.nist.gov) Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. (c): Workstation Security

29 CSC 4: Continuous Vulnerability Assessment and Remediation
Now that you “Know what you have”, you can patch it HIPAA requires that you test your security controls. This is an excellent way to perform technical testing Continuous! Scans should be scheduled and run no less than weekly Run credentialed scans on servers Open Source and SaaS tools commonly available Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. “Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits.” Verizon 2016 Data Breach Investigations Report (a)(8): Evaluation (a)(6): Security Incident Procedures

30 CSC 5: Controlled Use of Administrative Privileges
“The misuse of administrative privileges is a primary method for attackers to spread inside a target organization” Workstation users running as privileged users Attacker elevates permissions by compromising the password of a network administrator gaining access to all systems on the network Only use administrative accounts when they are required Keep an inventory of administrative accounts Set up alerting/reporting on the use, creation, and modification of administrative accounts The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. (b): Workstation Use - R (c): Workstation Security - R : Access Control: Unique User Identification - R (b): Audit Controls (d): Person or Entity Authentication

31 Additional Best Practices
Network Segmentation Log Aggregation IDS/IPS Two-factor authentication for remote access and sensitive/privileged accounts Encryption of data at rest

32 Board of Directors

33 Board of Directors Oversight
As the costs and organizational impacts of breaches rise, boards are paying more attention to cybersecurity While a board is generally not involved in the day-to-day operations of cybersecurity, they do have a responsibility to ensure that proper structures are in place and that the organization is taking appropriate steps to identify and address cybersecurity risks Cybersecurity may be incorporated into existing corporate risk management frameworks (RMF) E.g. COSO/COBIT Results of Security Risk Assessment should be summarized and reported to the board through the RMF Report security incidents to the board

34 Board Responsibility for Cybersecurity Oversight
People Assign board-level responsibility for cyber security Processes Boards should inform themselves of specific operational, reporting, and compliance aspects of cybersecurity, using at least one recognized framework to do so Recognized international frameworks include COBIT, ISO27001/2, NIST , HITRUST “Members of the board need to be aware of the organization’s information assets and their criticality to ongoing business operations. This can be accomplished by periodically providing the board with the high-level results of comprehensive risk assessments and business impact analyses.” Technology The Board should have representation from a person with specific technical and cybersecurity experience and familiarity with industry standards and privacy law If these capabilities are not available internally, the organization may wish to seek outside assistance Source: Global Network of Directors International, Guiding Principles for Cybersecurity Oversight

35 Board of Directors Oversight 2
Cybersecurity questions directors should be asking: What steps is management taking to identify and address cybersecurity risks? How is the organization protecting customer, employee and other important information from significant threats? How much are we spending on information security and what are the outcomes? How are our disaster recovery, business continuity and incident response plans kept up-to date, thoroughly tested, and communicated to the right people so we minimize the impact of a breach when it happens? Source: Cybersecurity Risk — Questions for Directors to Ask

36 Board of Directors Oversight 3
Cybersecurity questions directors should be asking: What cyber-threats could really damage this organization? How are we distinguishing between systems, networks and users we do control or have strong assurance over as a third party, and those which we do not, as a basis for establishing which digital relationships and what data and identities from outside our organization we can trust? What are the soft spots in our cyber-defenses (and those of our business partners)? Have these soft spots resulted in a breach impacting our business, and what is being done to identify root causes and remediate these ‘weak’ links? Source: Cybersecurity Risk — Questions for Directors to Ask

37 Conclusion Everyone from the Board of Directors to the system administrators and end users have responsibilities for Privacy and Security Those responsibilities will vary depending on the position There are known best practices and frameworks that can be followed to help ensure information security is addressed appropriately

38 Want more information?

39 Comments, Questions, and Discussion
Please ask your questions in the chat box.

40 See details in the HRSA BPHC Digest
HITEQ Webinar Series Access our archived webinars at hiteqcenter.org Coming Soon! Using Data for Population Health: Social Determinants and Population Health (May 9, 3-4 ET) Health Center Framework for Effective Electronic Patient Engagement (June 13, 3-4 ET) Please visit our website to access our archived webinars. We have additional webinars that are currently being scheduled for later in the Spring that focus on electronic patient engagement and using data for population health. Look for details in upcoming HRSA BPHC Digest. See details in the HRSA BPHC Digest

41 Questions? Comments? Contact HITEQ at: Please take our evaluation!!! If you have any further questions or comments, please contact us. And just a reminder that in a moment, an evaluation survey will pop up for you to fill out. Please fill this out as it helps us to plan effective webinars and other trainings.  

42 Thank you again for your participation. Good bye.
This project was supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) under cooperative agreement numberU30CS29366, Training and Technical Assistance National Cooperative Agreement for $1,954,318 with 0% of the total NCA project financed with non-federal sources.  This information or content and conclusions are those of the author and should not be construed as the official position or policy of, nor should any endorsements be inferred by HRSA, HHS or the US Government. Thank you again for your participation. Good bye.

Download ppt "HITEQ Highlights: Community Health Center Privacy & Security Best Practices Good afternoon everyone and welcome to this webinar on Privacy and Security."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Similar presentations

Ads by Google