Information Security Training for Management Complying with the HIPAA Security Law.

Slide 1: Information Security Training for Management: Complying with the HIPAA Security Law

Slide 2: HIPAA Was a One-Two Punch
- On March 14, 2003, we had to obey the United States’ HIPAA Privacy Rule
- On April 21, 2005, we had to obey the HIPAA Security Rule
- We have no choice – the same severe penalties apply for both Privacy and Security

Slide 3: Complying with HIPAA Security Means:
- Information Security Policies and Procedures
- A Security Awareness Program
- A Risk Management Program
- A Disaster Recovery and Business Continuity Management Team (DRBCMT)
- A Security Incident Response Team (SIRT)
- A Security Compliance Management Program

Slide 4: Information Security Policies and Procedures - Part 1
- Acceptable Use
- Assigned Security Responsibility
- Business Continuity and Disaster Recovery
- Security Compliance Management
- Data Classification, Inventory, and Control
- Data Stewardship
- Incident Management
- Information Security Management
- Information Systems Security Certification

Slide 5: Information Security Policies and Procedures - Part 2
- IS Authorization and Account Management
- Logical Access Control
- Network and Telecommunications Security
- Personnel Security for Information Systems
- Physical and Environmental Security
- Risk Management
- Security Training and Awareness
- User Identification and Authentication

Slide 6: Security Awareness Training – Why?
- Required by HIPAA, our Division, and DHHS
- Management must believe in data security
- Management must understand that they will be held liable for not providing security
- We will gain from prevention
- Consider the cost to our reputation
- Think of information as our major product

Slide 7: Security Awareness Training – What?
- Upper Management Training
- Security Awareness Day
- Security Awareness Training for all staff
- Computer Users’ Supervisor Training
- Initial General Security Training for all users
- Ongoing General Security Training for all users
- Security “Marketing” Efforts
- Annual System-specific Training
- Professional Education Training

Slide 8: Security Awareness Training – Who?
- The Information Security Official will provide the content of all training, the Upper Management training, the Ongoing General Security Training, the Professional Education Training for Computer Services staff, and the Security Awareness Day training
- The Staff Development Department will provide the Security Awareness Training and Initial General Security Training for all new employees, and the annual system-specific training
- DHHS will provide Professional Education Training to the Information Security Official

Slide 9: Most Important of All!
- Management must believe in data security!

Slide 10: Risk Management Program
- Upper Management must dominate the Risk Management Committee
- The RM Committee reviews threats, Application Risk Analysis results, System Risk Analysis results, DHHS Penetration Testing results, and the IS Policy and Procedure status report
- The RM Committee makes recommendations of cost-effective risk mitigation actions
- RM effectiveness will be measured by the QA Director

Slide 11: Why Engage in Risk Management?
- Why do cars have brakes? So they can go fast!
- Having a risk management program allows us to take risks. In a competitive world, the organization that can take risks wins
- After our people, our information is our most valuable asset. It needs to be protected

Slide 12: Disaster Recovery and Business Continuity Management Team
- Primarily Computer Services staff
- Updates the Disaster Recovery and Business Continuity Plan on February 1 each year
- The body of the plan has relatively static information
- The appendix contains information valuable at disaster recovery time, such as network and hardware inventories, network diagrams, emergency mode operation plans, support agreements, and contact lists

Slide 13: Security Incident Response Team
- Security incidents must be reported
- The SIRT responds when necessary to security violations
- Our Team is made up mostly of local Computer Services staff, plus the QA Director
- Our Division is notified of all Level 2 and Level 3 Security violations

Slide 14: Information Security Compliance Management Program
We must have a Security Compliance Management program with three elements:
1) Compliance Management (we must comply)
2) Compliance Monitoring (we must measure our compliance)
3) Compliance Auditing (our compliance must be measured independently)

Slide 15: Our Information Security Program!
- New Information Security Policies and Procedures
- A Security Awareness Program
- A Risk Management Program
- A Disaster Recovery and Business Continuity Management Team (DRBCMT)
- A Security Incident Response Team (SIRT)
- A Security Compliance Management Program

Slide 16: The HIPAA Security Rule
- Balancing Home Living with Secure Information
- The Work Is Worth It!
