HIPAA Security Rule Overview and Compliance Program
Presented by: Lennox Ramkissoon, CISSP, The People’s Hospital HIPAA Security Manager
June 23rd, 2012
Introduction
- People’s Hospital has made a significant financial and human resources investment to achieve HIPAA Security Rule compliance
- Healthcare delivery is undergoing significant changes, both in the regulatory environment and in the creation, access and use of digital data and information
- To ensure a trusted and growing relationship with the community we serve, as well as to attract the leading clinical staff, the best evidence-based toolsets must be available
- This dynamic landscape of highly credentialed staff delivering world-class evidence-based medicine with emerging digital tools mandates a HIPAA Security Rule program based on a continuously improving model
HIPAA Security Rule Principles
- Confidentiality: ePHI shall not be exposed to individuals without appropriate authorization (Access Control, Encryption, Data Loss Prevention)
- Integrity: neither intentional nor unintentional unauthorized modification of ePHI may occur (Access Control, Integrity Checking, Constrained User Interfaces, Two-Factor Authentication)
- Availability: ePHI shall be available to authorized individuals when and where it is required to support the delivery of evidence-based medicine (High Availability, Disaster Recovery, Continuity of Business, Data Back-Up)
HIPAA Security Rule Highlights
- HIPAA Privacy Rule vs HIPAA Security Rule
- Administrative Safeguards, Technical Safeguards, Physical Safeguards
- Required Attributes vs Addressable Attributes
- Non-prescriptive, to aid the adoption of new technologies, provide flexibility for various organizational structures, and foster alternative ways of fulfilling the desired outcomes
- Business Partners interacting with ePHI are classified as Covered Entities
Impact on People’s Hospital: Losses from HIPAA Security Rule Non-Compliance
- Unrealized gains from the investments made in achieving HIPAA Security Rule compliance
- Security breaches
- Social and emotional impact on patients
- Revenue downturn for People’s Hospital
- Loss of patient trust
- Regulatory fines
- Civil litigation from patients
- Civil litigation from Business Partners
- Criminal litigation
HIPAA Security Rule Operationalized
- HIPAA Security Rules
- People’s Hospital General Policies
- Clinical Unit Specific Policies
- Device Standards
- Instructional Level Processes
- Minimum Controls for Security
- Best Practice Guidelines
HIPAA Security Rule Risk Management Program Cycle
- Assess Risk and Determine Needs
- Monitor and Evaluate
- Promote Awareness
- Implement Policies and Controls
- Central Management
Assess Risk and Determine Needs
- Inventory of systems, including the flow of ePHI through those systems
- Inventory of Business Partners accessing, generating or updating ePHI
- Identify owners of systems and data
- Identify system and data custodians
- Identify and quantify risk
- Target the HIPAA compliance budget into programs as directed by the Board, based on a formal risk management protocol
- Do not forget about physical access to areas hosting ePHI data
Risk Management
- Risk must be identified
- Risk Avoidance
- Risk Transference
- Risk Mitigation
- Risk Acceptance
Monitor and Evaluate
- Develop metrics for HIPAA Security Rule compliance
- Ensure methods are in place to capture and analyze HIPAA Security Rule compliance metrics
- Governance over Business Partners classified as covered entities, based on those metrics
- Audit processes, systems and device configurations
- Vulnerability testing of COTS and custom applications and devices
- Remediate systems based on audit and testing findings
- Keep up to date on regulatory and industry practices as they relate to HIPAA
- Update General and Functional Policies as required
- External / third-party audit
Workforce Development
- Awareness: general awareness of patient privacy for all members of People’s Hospital, delivered through awareness days, posters, password policies, etc.
- Training: training specifically focused on the IT technical team and other members, as well as organization-specific training related to pharmacy, nursing, radiology, etc.
- Education: formal education on HIPAA compliance auditing and security management for the People’s Hospital HIPAA Security Team
Implement Policies and Controls
- Formal policy development process
- Policies shall be high level
- Policies shall be documented
- Policies should be reviewed
- Formal review / exception process for non-compliance
- Ramifications for non-compliance without formal review and approval
Summary
- Security Policies
- Controls
- Metric-based Audits
- Governance
- Risk Management
- Leadership Support
- Continuous Awareness, Training and Education
HIPAA Security compliance requires a continuously improving program, not a singular project or event.
Thank you
References:
- Health Insurance Reform: Security Standards; Final Rule. 45 CFR Parts 160, 162, and 164 (2003). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
- Kibbe, D. (2005). 10 steps to HIPAA security compliance. Family Practice Management, 12(4), pp. 43-49. Retrieved from http://www.aafp.org/fpm/2005/0400/p43.html
- Bowen, P., Hash, J., & Wilson, M. (2006). Information Security Handbook: A Guide for Managers. Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-100. http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
- Tipton, H. F. (2010). Official (ISC)2 Guide to the CISSP CBK, Second Edition. Boca Raton: Auerbach Publications.
- Security Officers Management & Analysis Project. http://www.somap.org/