Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 7, 2015 DRAFT1.

1 Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 7, 2015 DRAFT1 Chapter 13: Healthcare Information Technology Security

2 HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a US Federal law (1996); its privacy, security and breach notification rules were extended by the HITECH Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009
HIPAA defines Protected Health Information (PHI) as individually identifiable health information
–Identifiers include: name, locations, dates, phone/fax numbers, e-mail addresses, Social Security numbers, medical record numbers, insurance plan numbers, account numbers, licenses, vehicle numbers, URLs, IP addresses, biometrics, portraits, and any other identifying information
HIPAA establishes penalties and notification requirements in case of data spillage

3 Healthcare Risk Assessment
Required by HIPAA
Risks must be identified together with the restricted data they affect
–Risk mitigation plans must be formulated and put into action
Internet perimeter security alone is insufficient in healthcare
–See Hard on the Outside, Gooey in the Middle in Chapter 2
Need to know is a key risk principle: access to PHI should be limited to what a role or task actually requires

4 Healthcare Records Management
Laptops and mobile devices are increasingly used and pose significant risks
Records retention policies must be rigorously designed and implemented
HIPAA makes this easier because Federal law preempts weaker state laws (more stringent state requirements still apply)
Retention times vary by state and record type, typically 7 to 10 years
–Vital records and surgical records must be retained indefinitely

5 Healthcare IT and the Judicial Process
More than 1,000,000 patients in the US are affected by PHI losses every year
Support for medical court cases is a key data management requirement
Records retained longer than policy requires pose a potential liability
E-mail is a major risk: messages are e-discoverable, yet were considered private when they were composed
Once a record becomes subject to discovery, its records lifecycle (i.e. the retention policy) is suspended and the record must be preserved

6 Data Loss Prevention (DLP)
DLP is shifting focus from finding restricted data on servers to finding it on mobile devices
Mobile devices are subject to physical loss and to cyber attack from the Internet
Encryption is essential on mobile devices and on storage media (thumb drives, CDs, DVDs, removable hard drives, and tape backups)
Clear data transfer policies should be established
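The content-inspection step a DLP control runs on outbound e-mail, file copies or removable media, written as an added example (it is not code from the book or its lecture materials). It scans text for the PHI identifier classes listed on the HIPAA slide, drops matches that cannot be real (an SSN with area 000, 666 or 900-999; an "IP address" with an octet above 255) to keep false positives down, and either blocks or redacts. The `MRN` + eight digits record-number format is an assumption for the example, and the sample message is constructed and contains no real patient data.

```python
"""Scan text for HIPAA-style identifiers before it leaves the organisation (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    offset: int


# Patterns for identifier types named in the PHI definition. Word boundaries stop
# digits inside a longer number (e.g. a 12-digit account) from matching as an SSN.
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Hypothetical hospital MRN format assumed for this example: "MRN" + 8 digits.
    "mrn": re.compile(r"\bMRN\d{8}\b"),
    "url": re.compile(r"\bhttps?://[^\s;,)]+"),
}


def is_plausible_ssn(area, group, serial):
    """Reject SSNs the SSA never issues: area 000, 666 and 900-999 are unassigned,
    and the group and serial parts are never all zero."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def is_plausible_ipv4(text):
    """Every dotted octet must be in 0..255; '999.1.1.1' is a version string, not a host."""
    return all(0 <= int(o) <= 255 for o in text.split("."))


def scan(text):
    """Return all identifier findings in the text, ordered by position."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "ssn" and not is_plausible_ssn(*m.groups()):
                continue
            if kind == "ipv4" and not is_plausible_ipv4(m.group(0)):
                continue
            findings.append(Finding(kind, m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def redact(text, findings):
    """Mask each finding while keeping its identifier type visible for the reviewer."""
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.offset])
        out.append(f"[{f.kind.upper()} REDACTED]")
        pos = f.offset + len(f.value)
    out.append(text[pos:])
    return "".join(out)


def policy_decision(findings, max_allowed=0):
    """Block the transfer when the number of PHI identifiers exceeds the policy threshold."""
    return "block" if len(findings) > max_allowed else "allow"


# Constructed test message, not real data.
SAMPLE = (
    "Discharge summary for MRN00123456, contact jane.doe@example.org, "
    "SSN 123-45-6789 (old record shows 000-12-3456 which is invalid), "
    "uploaded from 10.1.2.3 to https://files.example.org/x; version 999.1.1.1 ignored."
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for f in found:
        print(f"{f.kind:6} at {f.offset:4}: {f.value}")
    print(policy_decision(found))
    print(redact(SAMPLE, found))
```

Run on the sample it reports five findings (the MRN, the e-mail address, the valid SSN, the internal IP and the URL), blocks the transfer, and leaves the malformed SSN and the version string untouched. In a real deployment the pattern set would be driven by the organisation's data classification and the decision logged to the central log store.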

7 Managing Logs in Healthcare Organizations
Healthcare organizations should create detailed logs across all forms of devices
–Clocks should be synchronized so that events from different devices can be ordered reliably
Logs should be normalized and centralized for analysis and retention
Logged events should indicate: what occurred, where, when, and with what information
Logs should support non-repudiation
Logs should be handled with a formal chain of custody supporting judicial processes
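How the normalization, timestamp alignment and chain-of-custody requirements above fit together in code, as an added example (not code from the book or its lecture materials). Two made-up log formats, an EHR application log in local time and a firewall log in UTC epoch seconds, are parsed into one what/where/when/with-what record shape in UTC, sorted, and then linked by a SHA-256 hash chain so that editing or deleting any record later breaks verification. The log lines, hostnames, field names and the UTC-5 site timezone are all constructed assumptions for the example.

```python
"""Normalise heterogeneous device logs and hash-chain them for integrity (added example)."""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in made-up formats: an EHR application log stamped in
# local time (assumed UTC-5) and a firewall log stamped in UTC epoch seconds.
EHR_LINES = [
    "2015-10-07 09:15:02 user=jdoe action=VIEW record=MRN00123456 host=ehr-app-01",
    "2015-10-07 09:15:40 user=jdoe action=EXPORT record=MRN00123456 host=ehr-app-01",
]
FW_LINES = [
    "1444227400 fw-edge-01 DENY src=10.1.2.3 dst=203.0.113.9 dport=445",
]

EHR_RE = re.compile(r"^(\S+ \S+) user=(\S+) action=(\S+) record=(\S+) host=(\S+)$")
FW_RE = re.compile(r"^(\d+) (\S+) (\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
EHR_TZ = timezone(timedelta(hours=-5))  # assumed timezone of the EHR host's clock
GENESIS = "0" * 64                     # previous-hash value for the first record


def parse_ehr(line):
    """Map an EHR line to the common schema, converting the local timestamp to UTC."""
    m = EHR_RE.match(line)
    if not m:
        raise ValueError(f"unparsed EHR line: {line!r}")
    ts, user, action, record, host = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=EHR_TZ)
    return {"when": when.astimezone(timezone.utc).isoformat(), "where": host,
            "who": user, "what": action, "with": record, "source": "ehr"}


def parse_fw(line):
    """Map a firewall line to the common schema; epoch seconds are already UTC."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line!r}")
    epoch, host, verdict, src, dst, dport = m.groups()
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"when": when.isoformat(), "where": host, "who": src, "what": verdict,
            "with": f"{dst}:{dport}", "source": "firewall"}


def normalize(ehr_lines, fw_lines):
    """Parse both sources and order the combined events on their UTC timestamp."""
    events = [parse_ehr(l) for l in ehr_lines] + [parse_fw(l) for l in fw_lines]
    return sorted(events, key=lambda e: e["when"])


def _canonical(event):
    # Sorted keys and fixed separators make the digest reproducible on any system.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def chain(events):
    """Attach to each event a hash over its content and the previous record's hash."""
    prev, out = GENESIS, []
    for ev in events:
        digest = hashlib.sha256((prev + _canonical(ev)).encode()).hexdigest()
        out.append({**ev, "prev": prev, "hash": digest})
        prev = digest
    return out


def verify(chained):
    """Return the index of the first record that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        ev = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        expected = hashlib.sha256((prev + _canonical(ev)).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1


if __name__ == "__main__":
    recs = chain(normalize(EHR_LINES, FW_LINES))
    for r in recs:
        print(r["when"], r["where"], r["who"], r["what"], r["with"], r["hash"][:12])
    print("intact:", verify(recs) == -1)
    recs[1]["what"] = "VIEW"  # tamper with the EXPORT event after the fact
    print("first bad record:", verify(recs))
```

The chain only proves that records have not changed since they were linked; for non-repudiation against the log system's own administrators, the periodic chain heads would also be signed or written to a store the administrators cannot rewrite, and custody of those anchors is what a court will ask about.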

8 Authentication and Access Control
Role based access control (RBAC) is usually not flexible enough for healthcare
–A single user may assume many roles: doctor, executive administrator, patient
One shared account, always logged in, was once standard practice
–Now that data is life critical, individual accountability must be tracked and logged
Password-based authentication is being replaced by multi-factor authentication
Usability is a critical issue; Single Sign On is one solution

9 REVIEW CHAPTER SUMMARY
