Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

Size: px
Start display at page:

Download "Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map"

Transcription

1 Click to edit Master title style Evaluating the Security of Your IT Network Vulnerability Scanning & Network Map Kyle Stafford / M-CEITA 5/12/

2 Disclaimer This presentation was current at the time it was published or uploaded onto the web. Medicare and Medicaid policy changes frequently, so links to source documents have been provided for your reference. This presentation was prepared as a service to the public and is not intended to grant rights or impose obligations. This presentation may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage participants to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents. 2

3 Agenda Overview of M-CEITA Security Updates Rise of Hacking Attacks Security Mitigation Vulnerability Scan Network Map Questions and Answers 3

4 Who is M-CEITA? Michigan Center for Effective Information Technology Adoption (M-CEITA) One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90-days of MU Funded by ARRA of 2009 (Stimulus Plan) Purpose: support the Triple Aim by achieving 5 overall performance goals THE TRIPLE AIM Improve patient experience Improve population health 3Reduce costs Improve Quality, Safety & Efficiency Engage Patients & Families Performance Measurement Improve Care Coordination Improve Population And Public Health Meaningful Use Ensure Privacy And Security Protections Certified Technology Infrastructure 4

5 M-CEITA Services Meaningful Use Support Security Risk Assessment & Network Security Evaluation Audit Preparation Targeted Process Optimization (Lean) GLPTN - Great Lakes Practice Transformation Network Chronic Care Management (CCM) Quality Payment Program Resource Center MICH-EHR 5

6 Security Updates Rise Of Hacking Attacks Pre-determined healthcare cybersecurity attacks rise by 320% within the 2016 calendar year. (HealthITSecurity.com, 2016) 113 healthcare providers within 2016 reported a breach in relation to Hacking/IT incidents. (500+) records. The average cost of a patient medical record post breach is up to $402. (Ponemon Institute, 2016) U.S. Department of Health and Human Services 6

7 Security Updates Rise Of Hacking Attacks Hacking Attacks Against Healthcare Providers

8 Security Updates Rise Of Hacking Attacks hacking incidents have been reported - HHS 969,091 individuals affected Total Hacking incidents now make up 75% of all individuals affected on the HHS wall of shame. (Ponemon Institute, 2016) 8

9 Security Updates Rise Of Hacking Attacks How are hackers gaining access to your network? Exploiting a vulnerability/weakness. Inefficient security controls Lack of security/network awareness 9

10 How To Mitigate Against Attacks Be aware of where your weaknesses exist Identify critical assets Ensure appropriate measures are implemented How do you know what to implement?... 10

11 Vulnerability Database New vulnerabilities identified every day Operating systems, software & applications, network devices, configurations Determine if your devices are prone to known vulnerabilities 11

12 Vulnerability Ranking & Scoring Vulnerabilities classified? CVE Common Vulnerabilities and Exposures Structure and consistency CVSS Scoring CVSS Common Vulnerability Scoring System Used to rank vulnerabilities CVSS Ratings V2: Low ( )Medium ( )High ( ) V3: Low ( )Medium ( )High ( ) Critical ( ) 12

13 Vulnerability Scanning - Explained What is a vulnerability scan? A vulnerability scan is a tool used to detect and identify technical vulnerabilities and provide remediation recommendations to address, prioritize, and mitigate risk. Why have a vulnerability scan? Commonly, a medical practice will not be aware of their weak points with their current technical configurations. Awareness is necessary to defend against attacks. 13

14 Vulnerability Scanning Compliance While not explicitly referenced by the security rule, vulnerability scans and network maps are common methods for meeting numerous requirements of HIPAA. Vulnerability scans are common methods for meeting the Evaluation requirement of the HIPAA Security Rule. 14

15 Vulnerability Scanning Compliance Security Rule (a)(8) Evaluation Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate s security policies and procedures meet the requirements of this subpart. Summary: Practices are required to identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-phi. 15

16 Vulnerability Scanning Common Questions How do I know if I need a vulnerability scan? You are a HIPAA Covered Entity Your network has devices which store / process / transmit / or maintain sensitive information (including ephi) Your network has undergone significant changes / upgrades to technology Your internal or external operating environment experienced significant technology-related changes within the past year 16

17 Vulnerability Scanning Common Questions How does this compare to a Security Risk Assessment? Risk assessment identifies the presence of risk as it pertains to the assets and information flows in place. Evaluation should determine how effectively you protect that risk from being actualized. The need for technical evaluation is likely to be identified in a risk assessment. 17

18 Vulnerability Scanning The Process Define Scope Access Network Scan Generate Report Present Results Define the scope of computers/devices to be scanned. (What to scan & what not to scan) Access the devices and network being scanned. (wired/wireless) Scan using the scope of assets defined and confirmed. Report is generated from the data collected from the scan. Present the results to appropriate parties (management, IT, security officer). 18

19 Vulnerability Scanning The Process Define Scope Access Network Scan Generate Report Present Results Define Determine which assets should be scanned. Do you have ownership of ALL the devices? Are some devices shared within the network? 19

20 Vulnerability Scanning The Process Define Scope Access Network Scan Generate Report Present Results Access Ensure that that scanner will be able to communicate with the devices Device with the scanner should be on the same network Preferably a wired connection 20

21 Vulnerability Scanning The Process Define Scope Access Network Scan Generate Report Present Results Scan Configure the vulnerability scanner Input the scope of devices to be scanned Specify devices which need to be avoided 21

22 Vulnerability Scanning The Process Define Scope Access Network Scan Generate Report Present Results Report Generate a report based on the findings Executive summary for management Full details report for IT and compliance 22

23 Vulnerability Scanning The Process Define Scope Access Network Scan Generate Report Present Results Present Appropriate staff should be notified of the findings Office/Practice Managers Executive Management IT Staff Compliance Officers 23

24 Vulnerability Scanning Types Of Assets What types of assets can be scanned? Computers: Desktops, Laptops, Tablets, Smart Phones Operating Systems: Windows, Apple, Linux Software: Web Browsers, Word Processing, Mail Clients, OS. Network Devices & Configurations: Routers, Modems, Firewalls 24

25 25

26 26

27 27

28 Understand Your Network Now that you know what devices are vulnerable, what next? Understanding the relation between devices and how they can reveal how vulnerabilities are related. 28

29 Network Map - Explained What is a Network Map? A network map is a visual schematic outlining the topology of a currently configured computer network. Why obtain a Network Map? This map will not only assist with determining assets in which create, maintain, receive, or transmit ephi and sensitive information but will make the HIPAA audit protocol much easier. 29

30 Network Map Compliance Security Rule (d)(2)(iv) Device and Media Controls -- Data Backup and Storage Procedures Security Rule (e)(1) Transmission Security Rule (b) Workstation Use 30

31 Network Map The Process Define Scope List Assets Gather Details Design Diagram Present Results Define the boundary of assets within the network to be included. List will be formalized with which assets to be included. Gather physical, technical, and configuration information of all assets included in the network map. Design the visual representation of the network topology. Present the final copy of the network diagram to appropriate parties. 31

32 Network Map The Process Define Scope List Assets Gather Details Design Diagram Present Results Define Determine what assets should be included within the network map. Are some devices not connected to the network? Should some assets not be included? 32

33 Network Map The Process Define Scope List Assets Gather Details Design Diagram Present Results List Formalize a readable list to be used for the design process List of devices will be larger than expected 33

34 Network Map The Process Define Scope List Assets Gather Details Design Diagram Present Results Gather Leverage automation tools (network scanners) Determine what details should be included IP address, FQDN/Hostname, MAC address 34

35 Network Map The Process Define Scope List Assets Gather Details Design Diagram Present Results Design Choose a software that you feel most comfortable with Microsoft Visio is commonly used Other drafting alternatives are available Draw and label how the devices are connected Wired or wireless connections Represent the network map to display an easy way to determine how one device can interact with another 35

36 Network Map The Process Define Scope List Assets Gather Details Design Diagram Present Results Present Present the results to appropriate staff Ensure that this document is secured Encrypted and stored in a secure location This could be used as a roadmap to where critical assets are located within your network 36

37 37

38 Conclusion Hacking attacks are at an all time high, increasingly targeting the health care industry In response to this trend, medical offices need to understand and actively improve their network security more than ever Technical evaluation of a network will reveal important details about where security needs to be improved Vulnerability scanning and network mapping are important tools for a complete evaluation of a medical practice s security 38

39 Questions Additional Contact Info: MIPS, MACRA & MU MICH-EHR Presenter: Kyle Stafford Phone:

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer

More information

Security Audit What Why

Security Audit What Why What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,

More information

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. Word Count: 2,268 Physician practices have lived with the reality of HIPAA for over twenty years. In that time, it has likely

More information

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood Braun Tacon Process Architect / Auditor Owner: www.majorincidenthandling.com Winning Lotto.1 in 175 Million Attacked

More information

Information Governance, the Next Evolution of Privacy and Security

Information Governance, the Next Evolution of Privacy and Security Information Governance, the Next Evolution of Privacy and Security Katherine Downing, MA, RHIA, CHPS, PMP Sr. Director AHIMA IG Advisors Follow me @HIPAAQueen 2017 2017 Objectives Part Part I IG Topic

More information

K12 Cybersecurity Roadmap

K12 Cybersecurity Roadmap K12 Cybersecurity Roadmap Introduction Jason Brown, CISSP Chief Information Security Officer Merit Network, Inc jbrown@merit.edu @jasonbrown17 https://linkedin.com/in/jasonbrown17 2 Agenda 3 Why Use the

More information

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,

More information

The ABCs of HIPAA Security

The ABCs of HIPAA Security The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield

More information

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches

More information

Data Backup and Contingency Planning Procedure

Data Backup and Contingency Planning Procedure HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage

More information

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP

More information

All Aboard the HIPAA Omnibus An Auditor s Perspective

All Aboard the HIPAA Omnibus An Auditor s Perspective All Aboard the HIPAA Omnibus An Auditor s Perspective Rick Dakin CEO & Chief Security Strategist February 20, 2013 1 Agenda Healthcare Security Regulations A Look Back What is the final Omnibus Rule? Changes

More information

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved. HITRUST CSF Assurance Program HITRUST CSF Assurance Program The Need Organizations facing multiple and varied assurance requirements from a variety of parties Increasing pressure and penalties associated

More information

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing

More information

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY SEPTEMBER 11 13, 2017 BOSTON, MA REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY HealthcareSecurityForum.com/Boston/2017 #HITsecurity Brian Selfridge Partner, Meditology Services https://www.meditologyservices.com/

More information

mhealth SECURITY: STATS AND SOLUTIONS

mhealth SECURITY: STATS AND SOLUTIONS mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported

More information

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

IT Security in a Meaningful Use Era C&SO HIMSS Meeting CSOHIMSS 2011 Slide 1 October 21, 2011 October 21, 2011 IT Security in a Meaningful Use Era C&SO HIMSS Meeting Presented by: Mac McMillan CEO CynergisTek, Inc. Chair, HIMSS Privacy & Security Task Force

More information

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know Introduction Privacy, Security and Risk Management What Healthcare Organizations Need to Know Agenda I. Privacy, Security and Confidentiality Definitions in a Healthcare Context Patient Privacy concerns

More information

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston CYBERSECURITY Recent OCR Actions & Cyber Awareness Newsletters Claire C. Rosston DISCLAIMER This presentation is similar to any other legal education materials designed to provide general information on

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017 HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017 Stroudwater Associates is a leading national healthcare consulting

More information

Healthcare Privacy and Security:

Healthcare Privacy and Security: Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association

More information

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities

More information

The Relationship Between HIPAA Compliance and Business Associates

The Relationship Between HIPAA Compliance and Business Associates The Relationship Between HIPAA Compliance and Business Associates 1 HHS Wall of Shame 20% Involved Business Associates Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach

More information

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San

More information

Cyber Protections: First Step, Risk Assessment

Cyber Protections: First Step, Risk Assessment Cyber Protections: First Step, Risk Assessment Presentation to: Presented to: Mark LaVigne, Deputy Director NYSAC November 21, 2017 500 Avery Lane Rome, NY 13441 315.338.5818 www.nystec.com In this presentation

More information

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,

More information

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement

More information

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare Request for Proposal HIPAA Security Risk and Vulnerability Assessment May 1, 2016 First Choice Community Healthcare Timeline The following Timeline has been defined to efficiently solicit multiple competitive

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

[DATA SYSTEM]: Privacy and Security October 2013

[DATA SYSTEM]: Privacy and Security October 2013 Data Storage, Privacy, and Security [DATA SYSTEM]: Privacy and Security October 2013 Following is a description of the technical and physical safeguards [data system operator] uses to protect the privacy

More information

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Agenda Why Breaches Matter to the ITAM group The cost

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected

More information

HIPAA / HITECH Overview of Capabilities and Protected Health Information

HIPAA / HITECH Overview of Capabilities and Protected Health Information HIPAA / HITECH Overview of Capabilities and Protected Health Information August 2017 Rev 1.8.9 2017 DragonFly Athletics, LLC 2017, DragonFly Athletics, LLC. or its affiliates. All rights reserved. Notices

More information

Chapter 5: Vulnerability Analysis

Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information

More information

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016 How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are

More information

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations

More information

Security and Privacy Breach Notification

Security and Privacy Breach Notification Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains

More information

Cloud Communications for Healthcare

Cloud Communications for Healthcare Cloud Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

Vulnerability Assessments and Penetration Testing

Vulnerability Assessments and Penetration Testing CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze

More information

Update from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013

Update from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013 Update from HIMSS National Privacy & Security Lisa Gallagher, VP Technology Solutions November 14, 2013 Agenda Update on HIMSS new Technology Solutions Department HIPAA Omnibus Rules Meaningful Use 2 P&S

More information

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches

More information

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

Healthcare HIPAA and Cybersecurity Update

Healthcare HIPAA and Cybersecurity Update Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Healthcare HIPAA and Cybersecurity Update Agenda > Introductions > Cybersecurity

More information

Designing and Building a Cybersecurity Program

Designing and Building a Cybersecurity Program Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity

More information

Medical Device Cybersecurity: FDA Perspective

Medical Device Cybersecurity: FDA Perspective Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological

More information

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Marissa Gordon-Nguyen Office for Civil Rights (OCR) U.S. Department of Health and Human Services June

More information

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification 2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA & Privacy Compliance Update

HIPAA & Privacy Compliance Update HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com

More information

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC 855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance

More information

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/ Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N. Ravenswood Avenue Suite

More information

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Wandah Hardy, RN BSN, MPA Equal Opportunity Specialist/Investigator Office for Civil Rights (OCR)

More information

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018

Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018 Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and

More information

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing & Reimbursement Revenue Cycle Management 8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing and Reimbursement for Physician Offices, Ambulatory Surgery Centers and Hospitals Billings & Reimbursements

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

SecurityScorecard 2018 Healthcare Report. A Pulse on the Healthcare Industry's Cybersecurity Risks

SecurityScorecard 2018 Healthcare Report. A Pulse on the Healthcare Industry's Cybersecurity Risks SecurityScorecard 2018 Healthcare Report A Pulse on the Healthcare Industry's Cybersecurity Risks securityscorecard.com [800] 682 1707 Overview Since we issued our last report in 2016 on the cyberhealth

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

Modified Stage 2 Meaningful Use: Objective #9 Secure Electronic Messaging Massachusetts Medicaid EHR Incentive Payment Program

Modified Stage 2 Meaningful Use: Objective #9 Secure Electronic Messaging Massachusetts Medicaid EHR Incentive Payment Program Modified Stage 2 Meaningful Use: Objective #9 Secure Electronic Messaging Massachusetts Medicaid EHR Incentive Payment Program July 19, 2016 Today s presenter: Thomas Bennett, Client Services Relationship

More information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements

More information

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm Avoiding an Information Security Mismanagement Program through Fundamentals Bill Curtis, SynerComm Husband, father and grandfather 30+ years IT/IS: Army Allen Bradley/Rockwell Automation Bucyrus/Caterpillar

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6

More information

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve

More information

Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran

Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran Technology Security Failures Common security parameters neglected Presented by: Tod Ferran October 31 st, 2015 1 HALOCK Overview Founded in 1996 100% focus on information security Privately owned Owned

More information

FDA & Medical Device Cybersecurity

FDA & Medical Device Cybersecurity FDA & Medical Device Cybersecurity Closing Keynote, February 19, 2017 Suzanne B. Schwartz, M.D., MBA Associate Director for Science & Strategic Partnerships Center for Devices and Radiological Health US

More information

HIPAA Compliance. Dr. John Barker Ph.D., MIEEE MEDICAL DEVICES BUSINESS SEMINAR

HIPAA Compliance. Dr. John Barker Ph.D., MIEEE MEDICAL DEVICES BUSINESS SEMINAR HIPAA Compliance Dr. John Barker Ph.D., MIEEE MEDICAL DEVICES BUSINESS SEMINAR A Novel Approach for the Implementation of HIPAA Compliant ephi Access Control Abstract Storing and maintaining electronic

More information

Vendor Security Questionnaire

Vendor Security Questionnaire Business Associate Vendor Name Vendor URL Vendor Contact Address Vendor Contact Email Address Vendor Contact Phone Number What type of Service do You Provide Covenant Health? How is Protected Health Information

More information

Anatomy of a Healthcare Data Breach

Anatomy of a Healthcare Data Breach Business White Paper Anatomy of a Healthcare Data Breach Prevention and remediation strategies Page 2 of 8 Anatomy of a Healthcare Data Breach Table of Contents Page 2 Increased Risk Page 3 Mitigation

More information

IBM Internet Security Systems Proventia Management SiteProtector

IBM Internet Security Systems Proventia Management SiteProtector Supporting compliance and mitigating risk through centralized management of enterprise security devices IBM Internet Security Systems Proventia Management SiteProtector Highlights Reduces the costs and

More information

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors 4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors

More information

Data Compromise Notice Procedure Summary and Guide

Data Compromise Notice Procedure Summary and Guide Data Compromise Notice Procedure Summary and Guide Various federal and state laws require notification of the breach of security or compromise of personally identifiable data. No single federal law or

More information

Synology Security Whitepaper

Synology Security Whitepaper Synology Security Whitepaper 1 Table of Contents Introduction 3 Security Policy 4 DiskStation Manager Life Cycle Severity Ratings Standards Security Program 10 Product Security Incident Response Team Bounty

More information

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,

More information

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide Cyber Attacks and Data Breaches: A Legal and Business Survival Guide August 21, 2012 Max Bodoin, Vince Farhat, Shannon Salimone Copyright 2012 Holland & Knight LLP. All Rights Reserved What this Program

More information

HIPAA Privacy, Security and Breach Notification

HIPAA Privacy, Security and Breach Notification HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance

More information

Hospital Council of Western Pennsylvania. June 21, 2012

Hospital Council of Western Pennsylvania. June 21, 2012 Updates on OCR s HIPAA Enforcement and Regulations Hospital Council of Western Pennsylvania June 21, 2012 Topics HIPAA Privacy and Security Rule Enforcement HITECH Breach Notification OCR Audit Program

More information

View the Replay on YouTube

View the Replay on YouTube View the Replay on YouTube HIPAA Omnibus Rule: Education & Practical Application for Breach Notification FairWarning Executive Webinar Series February 19, 2013 Agenda Breach Notification changes under

More information

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion. The HITECH Act 5 things you can do Right Now to pave the road to compliance Beginning in 2011, HITECH Act financial incentives will create a $5,800,000 opportunity over four years for mid-size hospital

More information

The Next Frontier in Medical Device Security

The Next Frontier in Medical Device Security The Next Frontier in Medical Device Security Session #76, February 21, 2017 Denise Anderson, President, NH-ISAC Dr. Dale Nordenberg, Executive Director, MDISS 1 Speaker Introduction Denise Anderson, MBA

More information

Horizon Health Care, Inc.

Horizon Health Care, Inc. Customer Success Story Horizon Health Care, Inc. Comprehensive Security Risk Analysis Helps FQHC Achieve Meaningful Use and Safeguard PHI. Page 2 of 6 Horizon Health Care, Inc. Comprehensive Security Risk

More information

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009 Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009 Privacy Policy Intent: We recognize that privacy is an important issue, so we design and operate our services with

More information

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA ljohnson@ffalaw.com INTRODUCTION Cyber attacks increasing Liability/actions resulting

More information

Medical Device Vulnerability Management

Medical Device Vulnerability Management Medical Device Vulnerability Management MDISS / NH-ISAC Process Draft Dale Nordenberg, MD June 2015 Market-based public health: collaborative acceleration Objectives Define a trusted and repeatable process

More information

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information