SECURETexas Health Information Privacy & Security Certification Program
- Justin Stevens
Slide 1: Partners in Texas Health Information Protection
SECURETexas Health Information Privacy & Security Certification Program
2015 HITRUST, Frisco, TX. All Rights Reserved.

Slide 2: Outline
- Introduction
  - Background
  - Benefits
- SECURETexas Certification
  - Framework
  - Criteria
  - Process
  - Tools
- Pricing
- About HITRUST
- About THSA
Slide 3: Introduction: Background (1)
- Multitude of challenges
- Significant government oversight
- Evolving requirements
- Complex business relationships
- Uncertain standard of care
  - Reasonable and appropriate?
  - Adequate protection?

Slide 4: Introduction: Background (2)
- Texas legislators were concerned about health information protection:
  - Increased use of electronic health records
  - Federal HIPAA guidance lacking
  - Significant increase in data breaches
- Texas House Bill (HB) 300:
  - Passed May 30, 2011; signed June 17, 2011; effective Sept. 1, 2012
  - Amended the following statutes: Texas Health and Safety Code, Chapters 181 & 182; Texas Business and Commerce Code, Chapters 521 and 522; Texas Government Code, Chapter 531; and Texas Insurance Code, Chapter 602

Slide 5: Introduction: Background (3)
- Maintains the broader Texas definition of Covered Entity: covers any business or individual coming into contact with PHI
- Supports patient rights regarding Electronic Health Records (EHRs)
- Provides for the collection/reporting of consumer complaints
- Increases penalties for non-compliance/breach:
  - $5K to $1.5M per year based on 5 factors, not just intent and risk of harm
  - Capped at $250M per year based on specific circumstances
  - A pattern of non-compliance could result in license revocation
- Establishes Texas standards for healthcare information privacy and security: standards ratified by the Texas Health and Human Services Commission and codified at 1 TAC 390
- Provides for certification of compliance with the Texas standards, with the potential to mitigate regulatory and legal penalties
Slide 6: Introduction: Background (4)
- THSA selected HITRUST for the SECURETexas Certification program
- The HITRUST Risk Management Framework (RMF) provides robust support for SECURETexas Certification:
  - Comprehensive coverage, relevant to healthcare, that is scalable, prescriptive and tailorable to meet entity requirements
  - Certification supports assertions of compliance
  - A common framework and reporting provide significant efficiency and cost savings
  - The most widely adopted information protection framework in the U.S. healthcare industry simplifies adoption

"For this program to be successful, it must provide the appropriate level of assurance and verification while still being practical and implementable; therefore, it was important we select the best possible partner for developing and implementing the SECURETexas Health Information Privacy and Security Certification Program. We are confident in our choice given HITRUST's leading role in the assessment and certification of compliance with multiple health information protection regulations and best practices through the HITRUST Common Security Framework (CSF)." - Tony Gilman, CEO, THSA

Slide 7: Introduction: Benefits
In addition to those provided by leveraging the HITRUST RMF, covered entities receive specific benefits from obtaining SECURETexas Certification:
- Mitigation of civil and administrative penalties
- Evidence of good-faith efforts to comply with federal and state requirements
Slide 8: SECURETexas Certification Framework (1)
Resources and tools available from HITRUST:
- CSF: a scalable, prescriptive and certifiable framework incorporating a multitude of state and federal regulations, US and international standards, and best practices, maintained and updated for the healthcare industry
- CSF Assurance: a covered-entity information protection certification program with an existing base of certified assessor organizations
- MyCSF: automated support for CSF assessment and certification

[Figure: the HITRUST RMF, comprising the CSF, CSF Assurance, and Methods & Tools (e.g., MyCSF)]

Slide 9: SECURETexas Certification Framework (2)
- HITRUST's healthcare-centric RMF:
  - Leverages international and U.S. RMFs
  - Rationalizes multiple healthcare requirements
  - Provides an industry standard of due diligence and care
- Three risk-based control baselines, driven by organizational, system and regulatory factors
- Texas compliance is demonstrated through detailed mappings to the CSF control requirements
Slide 10: SECURETexas Certification Criteria
Examples of Texas requirements mapped to the CSF:

CSF Control | TX Requirement
All HIPAA xrefs | Texas Health and Safety Code (THSC) [...] (a): A covered entity, as that term is defined by 45 C.F.R. Section [...], shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards.
02.e, Level 1 | THSC [...] (a): Each covered entity shall provide a training program to employees of the covered entity regarding the state and federal law concerning protected health information as it relates to the covered entity's particular course of business and each employee's scope of employment.
07.e, Level 1 | THSC [...], referenced by 1 Texas Administrative Code (TAC) 390.2(a)(4)(A)(ii): Specifies that care shall be given to ensure sensitive information subject to special handling, e.g., HIV test results, mental health and substance abuse-related records, is identified and appropriate labeling and handling requirements are expressly defined and implemented consistent with applicable federal and state legislative and regulatory requirements and industry guidelines.
11.a, TX Covered Entities | THSC 577, referenced by 1 TAC 390.2(a)(4)(A)(ii): To comply with the requirements specified in THSC 577, private psychiatric (mental) hospitals, crisis stabilization units and other mental health facilities shall incorporate procedures in their security and privacy incident response programs to assist with state investigations, including the release of otherwise confidential information related to the investigation, as required under THSSC 157.

*Refer to the 2013 CSF, the 2013 interim Summary of Changes, and the 2014 Summary of Changes for all the SECURETexas Certification requirements.
Slide 11: SECURETexas Certification Process (1)
- Completely flexible implementation, as organizations may:
  - Request SECURETexas Certification with a CSF (HIPAA) assessment
  - Increment to SECURETexas Certification after a CSF (HIPAA) assessment is done
- Varying levels and costs of assurance

[Figure: CSF Assurance levels plotted against Risk Exposure (LOW, MEDIUM, HIGH) and Cost of Assurance: CSF Assurance (Self), CSF Assurance (Remote), CSF Assurance (3rd Party); also shown: Compliance with HIPAA, Compliance with ISO, Compliance with PCI, Compliance with NIST]

The CSF Assurance Program balances the cost of assurance with the risk exposure. The program is designed to cost-effectively gather the information about privacy and security controls that is required to appropriately understand and mitigate risk.

Slide 12: SECURETexas Certification Process (2)
1. Covered entity engages an independent assessor organization*
2. CSF Assessor conducts an assessment against the certification requirements*
3. CSF Assessor submits assessment results to HITRUST for review
4. HITRUST conducts a QA review and resolves outstanding issues
5. HITRUST prepares a report with the SecureTexas Certification Scorecard
6. If the covered entity achieves appropriate scores, HITRUST provides a certification recommendation to be submitted to THSA
7. THSA reviews the recommendation and issues a certification letter
8. Covered entity is added to the website listing certified covered entities

[Figure: process flow: Assessor engaged* > Assessment conducted* > Results submitted to HITRUST > HITRUST conducts QA; prepares report > HITRUST determines scoring; if appropriate, recommends > THSA grants or denies certification > Organization listed on website]

*Small organizations may conduct a remote assessment.
Slide 13: SECURETexas Certification Tools (1)
MyCSF: GRC-based platform
- CSF controls
- Illustrative procedures
- Assessment scoping
- Workflow management
- Documentation repository
- Dashboards and reporting
- Automated submission for HITRUST validation and certification
- Simplifies SecureTexas Certification

Slide 14: SECURETexas Certification Tools (2)
- HITRUST Website
  - General support: HITRUST RMF content; news / updates; blogs / chats
  - SecureTexas Certification support: provide specific guidance; address user questions
- THSA SecureTexas Website
  - SecureTexas Certification support: who should certify; benefits of certifying; how to get started; pricing; FAQs
Slide 15: Pricing (1)
Covered entity assessment and report generation fee (fees paid to HITRUST):
- Certification Remote Assessment (if applicable):
  - $3500 to perform a remote assessment and generate a recommendation for Texas Certification
  - $1000 if adding SECURETexas Certification to an existing HITRUST certification
- Certification Third Party Assessment:
  - $[...] to $7500 to review a third-party assessment and generate a recommendation for Texas Certification
  - $1500 if adding SECURETexas Certification to an existing HITRUST certification

Covered entity certification fee (fees paid to THSA):
- Certification Remote Assessment: $100 to $1500 (less than $750 if 150 employees or fewer)
- Certification Assessment: $[...] to $7500 (depending on revenue)

Slide 16: Pricing (2)
Fee Schedule: TX Only
Fee | Remote < $5M | Third Party < $50M | Third Party < $500M | Third Party < $1B/yr | Third Party < $10B | Third Party > $10B
Assessor Fees | N/A | TBD | TBD | TBD | TBD | TBD
HITRUST Fees | $3500 | $3750 | $4500 | $5250 | $6000 | $7500
THSA Fees | $1500 | $2500 | $3250 | $5000 | $6250 | $7500
Total | $5000 | $6250 | $7750 | $10,250 | $12,250 | $15,000

Fee Schedule: TX Added to CSF
Fee | Remote < $5M | Third Party < $50M | Third Party < $500M | Third Party < $1B/yr | Third Party < $10B | Third Party > $10B
Assessor Fees | N/A | TBD | TBD | TBD | TBD | TBD
HITRUST Fees | $1000 | $1500 | $1500 | $1500 | $1500 | $1500
THSA Fees | $1500 | $2500 | $3250 | $5000 | $6250 | $7500
Total | $2500 | $4000 | $4750 | $6500 | $7750 | $[...]

Slide 17: Pricing (3)
Fee Schedule for Small Businesses
Fee | 1-25 employees | [...] employees | [...] employees | [...] employees
Assessor Fees | N/A | N/A | N/A | N/A
HITRUST Fees | $1400 | $1750 | $2000 | $2250
THSA Fees | $100 | $250 | $500 | $750
Total | $1500 | $2000 | $2500 | $[...]
Slide 18: Summary
The SECURETexas Health Information Privacy & Security Certification:
- Is competitively priced and sufficiently robust to support wide adoption;
- Demonstrates compliance with the Texas Medical Records Privacy Act and associated standards;
- Specifically addresses high-risk threats associated with reported data breaches;
- Supports overall compliance with HIPAA (Final Omnibus Rule) implementation specifications;
- Leverages HITRUST's online GRC-based tool, MyCSF, to provide automated workflow for certification assessment, quality assurance and reporting;
- Provides a standardized method of reporting compliance and risk, including the recommendation for SECURETexas Certification;
- Facilitates the communication of assurances with other business partners, patients and their families, and other key stakeholders, such as federal and state regulators; and
- Provides for potential, limited safe harbor from regulatory and legal penalties.

Slide 19: About HITRUST
In 2007, the Health Information Trust Alliance (HITRUST) was formed by a group of concerned healthcare organizations out of the belief that improvements in the state of information security and privacy in the industry are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, all of which are necessary to improve the quality of patient care while lowering the cost of healthcare delivery.

Key focus:
- Increase the protection of protected health and other sensitive information
- Mitigate and aid in the management of risk associated with health information
- Contain and manage costs associated with appropriately protecting sensitive information
- Increase consumer and government confidence in the industry's ability to safeguard health information
- Address increasing concerns associated with business associate and third-party privacy, security and compliance
- Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection
- Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes
- Enhance and mature the knowledge and competency of health information protection professionals

Slide 20: About THSA
- In 2007, the Texas Legislature created THSA to help improve the Texas healthcare system:
  - Promote and coordinate HIE and HIT throughout the state
  - Ensure the right information is available to the right provider at the right time
- In 2011, the Texas Legislature authorized THSA to:
  - Identify relevant privacy and security standards
  - Develop a privacy and security certification for Texas covered entities
- In 2013, THSA partnered with HITRUST to create the SecureTexas Health Information Privacy and Security Certification Program

Slide 21: For more information
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified Management System Auditor www.pecb.com The objective of the PECB Certified Management System Auditor examination is to ensure that the candidates
More informationDon t Be the Next Headline! PHI and Cyber Security in Outsourced Services.
Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information
More informationMaryland Health Care Commission
Special Review Maryland Health Care Commission Security Monitoring of Patient Information Maintained by the State-Designated Health Information Exchange September 2017 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT
More informationIT Security in a Meaningful Use Era C&SO HIMSS Meeting
CSOHIMSS 2011 Slide 1 October 21, 2011 October 21, 2011 IT Security in a Meaningful Use Era C&SO HIMSS Meeting Presented by: Mac McMillan CEO CynergisTek, Inc. Chair, HIMSS Privacy & Security Task Force
More informationPolicy. Policy Information. Purpose. Scope. Background
Background Congress enacted HIPAA Privacy & Security Compliance Policy Policy Information Policy Owner: (TBD Possibly HIPAA Privacy and Security Official or Executive Director of University Ethics and
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationIntroduction CHAPTER 1
CHAPTER 1 Introduction Data security breaches are an everyday occurrence. The news media constantly publicize data breaches, especially those involving retailers in which hackers steal the payment card
More informationGDPR ESSENTIALS END-USER COMPLIANCE TRAINING. Copyright 2018 Logical Operations, Inc. All rights reserved.
GDPR ESSENTIALS END-USER COMPLIANCE TRAINING 1 POTENTIAL MAXIMUM GDPR PENALTY 2 WHAT IS DATA PRIVACY? MOST NOTABLE US/CA PRIVACY LAWS Federal Trade Commission Act, Sec4on 5 California Online Privacy Protec4on
More informationSERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?
WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...
More informationVirtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).
myvirtua.org Terms of Use PLEASE READ THESE TERMS OF USE CAREFULLY Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ). Virtua has partnered with a company
More informationStephanie Zierten Associate Counsel Federal Reserve Bank of Boston
Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston Cybersecurity Landscape Major Data Breaches (e.g., OPM, IRS) Data Breach Notification Laws Directors Derivative Suits Federal Legislation
More informationIntroduction to AWS GoldBase
Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document
More informationSteffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext
JOINT NOTICE OF PRIVACY PRACTICES NEWMAN REGIONAL HEALTH, NEWMAN REGIONAL HEALTH MEDICAL PARTNERS, HOSPICE, NEWMAN PHYSICAL THERAPY, COMMUNITY WELLNESS AND MEMBERS OF THE NEWMAN REGIONAL HEALTH ORGANIZED
More informationGetting Security Right: The CISO of the Future
Getting Security Right: The CISO of the Future Presented by: Mac McMillan CEO, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com
More informationCOMPLIANCE SCOPING GUIDE
COMPLIANCE SCOPING GUIDE Version 2017.2 Disclaimer: This document is provided for REFERENCE purposes only. It does not render professional services and is not a substitute for professional services. If
More informationSOC 3 for Security and Availability
SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA
Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify
More informationCertification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption
Certification Commission for Healthcare Information Technology CCHIT A Catalyst for EHR Adoption Alisa Ray, Executive Director, CCHIT Sarah Corley, MD, Chief Medical Officer, NextGen Healthcare Systems;
More informationDATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE
DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE Melodi (Mel) M. Gates mgates@pattonboggs.com (303) 894-6111 October 25, 2013 THE CHANGING PRIVACY CLIMATE z HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY
More informationPULSE TAKING THE PHYSICIAN S
TAKING THE PHYSICIAN S PULSE TACKLING CYBER THREATS IN HEALTHCARE Accenture and the American Medical Association (AMA) surveyed U.S. physicians regarding their experiences and attitudes toward cybersecurity.
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationApril 2018 Page 1 of 14
April 2018 Page 1 of 14 Abstract The adoption of cloud and mobile technologies in healthcare is disrupting the services delivery models, and responsibilities and risks for involved actors. By their very
More informationThe NIS Directive and Cybersecurity in
The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationCOBIT 5 With COSO 2013
Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationSOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions
SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American
More information