HIPAA Compliance is not a Cybersecurity Strategy

Similar documents
Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

All Aboard the HIPAA Omnibus An Auditor s Perspective

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

DeMystifying Data Breaches and Information Security Compliance

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Building a Resilient Security Posture for Effective Breach Prevention

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

PULSE TAKING THE PHYSICIAN S

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

Putting It All Together:

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Information Governance, the Next Evolution of Privacy and Security

Cybersecurity in Higher Ed

The ABCs of HIPAA Security

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Background FAST FACTS

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

2015 HFMA What Healthcare Can Learn from the Banking Industry

Not Just Another Day of HIPAA

locuz.com SOC Services

Healthcare HIPAA and Cybersecurity Update

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

HIMSS 15 Doing Better Business in the Era of Data Security and Privacy

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

HEALTH CARE AND CYBER SECURITY:

Cybersecurity The Evolving Landscape

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

HIPAA 2017 Compliancy Group, LLC

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

This Webcast Will Begin Shortly

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Protecting PHI in the Cloud. Session #47, February 20, 2017 Kurt J. Long, Founder & CEO, FairWarning, Inc.

HITRUST CSF: One Framework

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

Journey to HIMSS18: Privacy, Security and Cybersecurity

HITRUST Common Security Framework - Are you prepared?

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Best Practices & Lesson Learned from 100+ ITGRC Implementations

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

01.0 Policy Responsibilities and Oversight

PROFESSIONAL SERVICES (Solution Brief)

HIPAA-HITECH: Privacy & Security Updates for 2015

Art of Performing Risk Assessments

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

The Evolving Threat to Corporate Cyber & Data Security

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Choosing the right two-factor authentication solution for healthcare

The Relationship Between HIPAA Compliance and Business Associates

Update from HIMSS National Privacy & Security. Lisa Gallagher, VP Technology Solutions November 14, 2013

HIPAA Privacy, Security and Breach Notification

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Protecting your next investment: The importance of cybersecurity due diligence

Is Your Compliance Strategy Putting Your Business at Risk?

Hospital Council of Western Pennsylvania. June 21, 2012

NYDFS Cybersecurity Regulations

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

MITIGATE CYBER ATTACK RISK

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

SOLUTION BRIEF Virtual CISO

Security and Privacy Governance Program Guidelines

The Customer Relationship:

CYBER RISK MANAGEMENT

IMPLEMENTING A RISK-BASE CYBER SECURITY FRAMEWORK FOR HEALTHCARE

Disaster Recovery and HIPAA Compliance

Sage Data Security Services Directory

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

The Future of HITRUST

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

2018 Guide to Building Your Security Strategy. January 23, pm 2 pm ET

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

What It Takes to be a CISO in 2017

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

The Next Frontier in Medical Device Security

FDA & Medical Device Cybersecurity

Transcription:

HIPAA Compliance is not a Cybersecurity Strategy Presented by: Hector Rodriguez, WW Health CISO, Microsoft Jay Trinckes, Director, Coalfire

Speaker Introductions Hector Rodriguez, WW Health CISO, Microsoft Jay Trinckes, Director, Coalfire

Agenda Timeline how did we get here? Why does this matter? What s the problem? Coalfire: Risk versus compliance assessments Coalfire: Managing cybersecurity risk in a HIPAAcompliant world

Timeline HOW DID WE GET HERE?

HIPAA Compliance Cybersecurity HIPAA compliance An audit process Focused on ephi and code sets A yearly report of security and compliance policies & procedures and ability to meet a specific set of defined requirements at a point in time A process Holistic Always On Cybersecurity Built on modern technology Layered Security Security-in-Depth Critical must have Everyone s responsibility Compliance + Cybersecurity Not mutually exclusive Must be integrated Always On together Applied to everyone and everything Include security, privacy, and compliance Foundational

Timeline from HIPAA to Cybersecurity The Internet Came First But Source: http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet

Timeline from HIPAA to Cybersecurity HIPAA Compliance Out of Sync 2015-2017- Ransomware, Cyberattacks, etc. 1991-1 st Web Page 1998-2002- HIPAA NPRMs Progress 2007-NPID Compliance 1/2012-HIPAA 5010 1/2013- HITECH W/ Breach Notification Final Rule HIPAA has Teeth more fines, lack of risk assessment 8/1996-HIPAA Enacted 2003-2005- Compliance & Deadlines 2/2009- HITECH/ARRA Signed 2012-MA Eye&Ear, BCBSTN - $1.5M HIPAA Violation Fines 2/2014-NIST CSF Published The HIPAA Compliant covered entities thought they were secure

Timeline from HIPAA to Cyber Security Attacks on HIPAA Compliant Entities Continue

Regulations what regulations? No Matches Found L* Cloud Cybersecurity *Note: HITRUST CSF and NIST CSF Fill the Gap

WHY DOES THIS MATTER?

Start with Why: 86% of CEOs consider Digital their #1 priority CEOs believe technology will transform their business more than Technological advances Demographic shifts Shift in global economic power Resource scarcity & climate change Urbanization any other global trend Top 5 Concerns Keeping Hospital Executives Up Trends that will transform business, next five years (%) 1. Engaging physicians in reducing clinical variation (53%) 2. Redesigning health system for Population Health (52%) 3. Meeting increasing consumer expectations for services (47%) 4. Implementing Patient Engagement strategies (45%) 5. Controlling avoidable utilization (44%) -The Advisory Board Company s Annual CEO Survey, April 2016 Source: PWC CEO Survey

Scenarios for Healthcare Digital Transformation Pillars in Healthcare ENGAGE MEMBERS EMPOWER CARE TEAMS, UTILIZATION OPTIMIZE CLINICAL & OPERATIONAL EFFECTIVENESS TRANSFORM THE CARE CONTINUUM More Efficient Access Virtual Care Quality Improvement Remote Monitoring/Rural Health Health Scenarios More Efficient Engagement More Continuous Engagement Care Team Collaboration & Productivity Care Coordination Population Health Operational & Financial Efficiency Precision Health Managing Devices & Facilities Trusted Technology enabling Security, Privacy, & Regulatory Compliance Must be built on an end-to-end Cybersecurity Foundation

Role: Security, Privacy, and Compliance are Foundational to Healthcare Digital Transformation Data Modern IT Ø Not mutually exclusive, required across the extended enterprise Ø Success in today's economy requires that organizations establish and operationalize a culture of security and privacy to ensure consistent and continued protection of sensitive data Security and Privacy Companies need to rethink their approach to security The approach we recommend is really founded on the fact that security is part of the entire life cycle. It should be catered to at the start of the digital transformation Raymond Teo SVP NTT Security s APAC Field Operations

Role: Digital Transformation Enables New Designs Better Care For Individuals Better Health for Populations The Institute for Health Improvement states that new designs must be developed to simultaneously pursue the three dimensions of healthcare transformation called the Triple Aim. 1. Improving the patient experience of care (including quality and satisfaction) 2. Improving the health of populations 3. Reducing the per capita cost of health care Lower Per Capita Costs Microsoft defines digital transformation in health as "technology enabled care, health promotion and disease prevention that advances the triple aim in a trusted mobilefirst, cloud-first world.

WHAT S THE PROBLEM?

Covered Entities Believe They are Secure Common Myths and Misunderstandings Our EMR vendor will make us HIPAA Compliant Our Cloud Services Provider is HIPAA Compliant We re HIPAA Compliant so therefore We re secure We don t run cloud services on premise so it doesn t apply to us There s no ephi so it doesn t apply

Covered Entities Believe They are Secure But Here s a Perfect Example MCPN filed a breach report with OCR on January 27, 2012 Breach took place in December 2011. Hacker accessed employees email accounts and obtained 3,200 individuals ephi through a phishing incident OCR then investigated the incident and the agency found that MCPN took necessary corrective action related to the phishing incident Investigation also revealed that MCPN failed to conduct a risk analysis until mid-february 2012 Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ephi environment Had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis When MCPN finally conducted a risk analysis, it was insufficient to meet the requirements of the Security Rule

Risk Assessment vs. Compliance Assessment WHAT S THE DIFFERENCE?

Challenges: Managing Cybersecurity Risk in a HIPAA-Compliant World Compliance Versus Risk HIPAA Compliance is not a Cybersecurity Strategy HITRUST is a risk-based assessment that covers the security, privacy, and compliance posture overall and the HITRUST CSF fully integrates the requirements of the HIPAA Security Rule with the standards of ISO, NIST and many other federal, state, and business requirements listed in the whitepaper. One of the statements that we made last year and still holds true is that HIPAA compliance is not a cyber-security posture or plan. In the US, covered entities need to work with cloud and solution vendors who do both (and more).

HOW DO YOU MANAGE CYBERSECURITY RISK IN A HIPAA-COMPLIANT WORLD?

Managing Cybersecurity Risk in a HIPAA- Compliant World White Paper by Andrew Hicks, Managing Principal, Coalfire Visit the Coalfire booth in the exhibitor area to get the paper.

Visit www.hitrustalliance.net for more information To view our latest documents, visit the Content Spotlight

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback