Healthcare Security Professional Roundtable. The Eighth National HIPAA Summit Monday, March 8, 2004

Similar documents
HIPAA Security and Privacy Policies & Procedures

The ABCs of HIPAA Security

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Art of Performing Risk Assessments

Vendor Security Questionnaire

10 Things Every Auditor Should Do Before Performing a Security Audit

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Healthcare Privacy and Security:

HIPAA Privacy, Security and Breach Notification

Forensics and Active Protection

Applying ISO and NIST to Address Compliance Mandates The Four Laws of Information Security

What It Takes to be a CISO in 2017

NW NATURAL CYBER SECURITY 2016.JUNE.16

01.0 Policy Responsibilities and Oversight

Implementing and Enforcing the HIPAA Security Rule

Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Information Governance, the Next Evolution of Privacy and Security

HIPAA Federal Security Rule H I P A A

The simplified guide to. HIPAA compliance

Health Care: Privacy & Security in a Digital Age

Lakeshore Technical College Official Policy

Compliance With HIPAA Privacy Rule Before Security & Enforcement Rules are Final: Challenges in Practice

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Not Just Another Day of HIPAA

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA RISK ADVISOR SAMPLE REPORT

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Department of Public Health O F S A N F R A N C I S C O

Putting It All Together:

HIPAA Compliance Checklist

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

EXHIBIT A. - HIPAA Security Assessment Template -

Cyber Security Program

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Threat and Vulnerability Assessment Tool

Next Generation Policy & Compliance

Cybersecurity Auditing in an Unsecure World

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Department of Management Services REQUEST FOR INFORMATION

DeMystifying Data Breaches and Information Security Compliance

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007

CCISO Blueprint v1. EC-Council

Why you should adopt the NIST Cybersecurity Framework

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

HIPAA Security: What Everyone Should Know

NERC Staff Organization Chart

ISE North America Leadership Summit and Awards

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

NERC Staff Organization Chart Budget 2018

a publication of the health care compliance association MARCH 2018

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Effective Strategies for Managing Cybersecurity Risks

WHITE PAPER- Managed Services Security Practices

Support for the HIPAA Security Rule

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Internal Audit Report DATA CENTER LOGICAL SECURITY

HIPAA SECURITY RISK ASSESSMENT

building a security culture to counter emerging cybersecurity threats

Bring Your Own Device (BYOD) Best Practices & Technologies

New! Checklist for HIPAA & HITECH Compliance Pabrai

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Avanade s Approach to Client Data Protection

[DATA SYSTEM]: Privacy and Security October 2013

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Hospital Council of Western Pennsylvania. June 21, 2012

DETAILED POLICY STATEMENT

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

NERC Staff Organization Chart Budget

HIPAA Compliance Assessment Module

2015 HFMA What Healthcare Can Learn from the Banking Industry

How to Ensure Continuous Compliance?

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Apex Information Security Policy

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Information Technology General Control Review

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

From Russia With Love

NERC Staff Organization Chart Budget 2019

Establishing a Credible Cybersecurity Program. September 2016

The IS Audit Process Part-1 Four key objectives

Information Security Policy

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Security and Privacy Governance Program Guidelines

Transcription:

1 Healthcare Security Professional Roundtable The Eighth National HIPAA Summit Monday, March 8, 2004

Panelists John Parmigiani, Sr.VP for Consulting Services, QuickCompliance, Inc.; President, John C. Parmigiani and Associates, LLC (moderator) Ali Pabrai, CEO, HIPAA Academy Tom Walsh, President, Tom Walsh Consulting Chris Apgar, Data Security and HIPAA Compliance Officer, Providence Health Plan Tom Welch, CEO, Secure Enterprise Solutions Bob Tahmaseb, Principal Systems Engineer, RSA Security 2

3 John Parmigiani Sr. VP for Consulting Services QuickCompliance, Inc. and President John C. Parmigiani and Associates, LLC Ellicott City, MD

Action Items for Compliance Read and understand the Rule Appoint a CSO/HIPAA Security Team Determine ephi data flow and existence in information systems Conduct a risk analysis- assets, vulnerabilities, threats, impacts Examine, update, and create security policies and procedures in line with the implementation specifications Work with your vendors and business associates to enlist their help 4

Action Items for Compliance Identify existing security safeguardsadministrative, physical, and technical Build and deliver security training programs Identify and prioritize remediation projects Build an ongoing risk management process Create a security management process with accompanying documentation that supports your decision making/choices relative to the security standards Stay on top of best practices within the healthcare industry and federal guidance 5

6 Uday O. Ali Pabrai, CISSP, CHSS Chief Executive HIPAA Academy Warrenville, IL

7 Seven Steps to HIPAA Security Compliance

HIPAA Security Rule Access Control Audit Control Integrity Person or Entity Authentication Transmission Security Facility Access Controls Workstation Use Workstation Security Device & Media Controls Security Mgmt. Process, Sec. Officer Workforce Security, Info. Access Mgmt. Security Training, Security Incident Proc. Contingency Plan, Evaluation, BACs CIA Technical Technical Safeguards Safeguards for e-phi for e-phi Physical Safeguards Physical Safeguards for e-phi for e-phi Administrative Safeguards Administrative Safeguards for e-phi for e-phi Privacy Privacy Rule Rule reasonable reasonable safeguards safeguards for for all all PHI PHI 8

HIPAAShield TM Methodology 9

10 Tom Walsh, CISSP President Tom Walsh Consulting, LLC Overland Park, KS

Risk Profiling What is it? How does this help with risk analysis? Example: Car Insurance 11

Traditional Approach to Assessing Systems (Ref: NIST SP800-26) Major App 1 Data Application Interfaces Network Hardware & Operating System Physical/ Environment Operational Practices Assessing Controls Major App 2 Data Application Interfaces Network Hardware & Operating System Physical/ Environment Operational Practices Assessing Controls 12

Risk Profile Approach Major App 1 Data Application Interfaces Network Hardware & Operating System Physical/ Environment Operational Practices Assessing Major App 2 Data Application Interfaces Network Hardware & Operating System Physical/ Environment Operational Practices Assessing A hierarchical approach to assessing controls and risks Risk Profile Risk Profile Risk Profile Risk Profile Risk Profile 13

14 Chris Apgar, CISSP Data Security and HIPAA Compliance Officer Providence Health Plan Beaverton, OR

Audit Implementation is only the Beginning Security audit, like financial audit good business practice Audit program should be designed to: Keep the masses honest Monitor potential vulnerabilities Be thorough without being onerous 15

Audit Implementation is only the Beginning Sized to fit the organization, technical configuration & business Should include regular and random audits and audits when major changes occur (i.e., new technology, high level staff leave, etc.) Need to publicize and follow through 16

Evaluation Evaluation on going Healthcare an ever changing environment while audits and risk assessments are snapshots in time What was an effective audit process, security practice, etc. yesterday may not be today Embed in culture, planning and processes 17

18 Thomas Welch, CPP,CISSP Chief Executive Officer Secure Enterprise Solutions, Inc. Parsippany, NJ

Information Security Lifecycle Building Blocks People Process Technology CIRT & Forensics Technology Implementation VPN Encryption Firewalls Authentication IDS Patch Mgmt Security Assurance Testing Reporting Monitoring Training Business Applications & Services Networks, Intranet, Internet, Remote Access Hardware & Operating Systems Solution Design & Selection Security Design Technology Selection Security is a process not a product... Policy & Architecture Risk Assessment Security Policy 19

Information Security Policy Provides the foundation for the information security program Puts employees and consultants on notice pertaining to issues of: Acceptable use of IT resources Employee Monitoring General security requirements 20

Information Security Policy HR Policies Monitoring Awareness Privacy Issues & 1st Amendment Rights Company Equipment Use Who Owns the Data Operational Policies Internet & Intranet Usage Passwords E-mail usage File transfers & Attachments Virus Control Data Classification Sensitivity Moral & Ethical Conduct Etiquette and Proper Usage Pornography Harassment Legal Responsibilities, Penalties & Enforcement Warning Notice Incident Response Plan 21

InfoSec Awareness Policies provide the notice and guidelines, while awareness training provides the knowledge Can be classroom-based or CBT-based An on-going program is more effective that a one-time course E-mail alerts, bulletins, reward programs, posters, etc. Goal is to change behavior 22

23 Bob Tamaseb Principal Systems Engineer RSA Security, Inc. Bedford, MA

HIPAA Authentication: Proving Your Identity Physical vs. Digital Identity Technical Safeguards for person and entity authentication Types of Authentication Something you know Something you have Something you are Leveraging authentication for access management 24

Types of Authentication Something you know Something you have Something you are Enter PIN Enter PIN OK Cancel 25

26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback