Securing IT Infrastructure: Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Transcription:

Securing IT Infrastructure: Improve information exchange and comply with HIPAA, HITECH, and ACA mandates
Ruby Raley, Director Healthcare Solutions, Axway

Agenda
- Using risk assessments to improve security and efficiency in clinical record exchange
- Meeting Meaningful Use Stage 2 (MUS2) requirements
- Governance and visibility of information and health records exchange to minimize risk
- Considerations to drive efficient information exchange to improve care and reduce costs

HIPAA Omnibus Final Rule
Modifies the HIPAA Privacy, Security and Enforcement Rules as mandated by the HITECH Act:
- Business Associates are directly liable for compliance with the HIPAA Privacy and Security Rule requirements
- Enforcement of noncompliance with the HIPAA rules due to willful neglect
Disclosure:
- Strengthens limitations on use and disclosure of PHI for marketing and fundraising
- Prohibits sale of PHI without individual authorization
- Expands individual rights to receive electronic copies of their health information
- Restricts disclosures to a health plan if the individual paid out of pocket in full
- Requires modifications to, and redistribution of, a CE's notice of privacy practices
- Facilitates research and disclosure of child immunization proof to schools
- Enables access to decedent information by family members

HIPAA Omnibus Rule Effective
- Effective March 26, 2013
- Covered Entities (CE) and Business Associates (BA) of all sizes have 180 days beyond the effective date to comply: September 23, 2013
- Includes the Breach Notification Rule
- Includes HIPAA Privacy Rule changes under GINA (Genetic Information Nondiscrimination Act)

Risk Assessment: HIPAA Regulations
All electronic protected health information (EPHI) created, received, maintained or transmitted by a covered entity is subject to the Security Rule. Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. The Security Rule requires covered entities to evaluate risks and vulnerabilities in their environments and to implement policies and procedures to address those risks and vulnerabilities.

Risk Assessment: HIPAA
The Security Management Process standard has four required implementation specifications. Two of them are Risk Analysis and Risk Management.
The required implementation specification at 164.308(a)(1)(ii)(A), Risk Analysis, requires a covered entity to "[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
The required implementation specification at 164.308(a)(1)(ii)(B), Risk Management, requires a covered entity to "[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)" (the General Requirements of the Security Rule). "... these processes will form the foundation upon which an entity's necessary security activities are built." (68 Fed. Reg. 8346.)

Risk Assessment: HITECH Meaningful Use Stage 2
"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process" for EPs at 495.6(j)(16)(ii) and for eligible hospitals and CAHs at 495.6(l)(15)(ii).
"We proposed this measure because the implementation of CEHRT has privacy and security implications under 45 CFR 164.308(a)(1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider's risk management process and implemented or corrected as dictated by that process."
Source: Federal Register, 2012-21050_PI, pages 132-134

Risk Assessment: HITECH Meaningful Use Stage 2
"Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches (breaches affecting 500 or more individuals) involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this requirement under 45 CFR 164.308(a)(1)."
Source: Federal Register, 2012-21050_PI, pages 132-134

Getting Started
The NIST Risk Assessment Methodology Flowchart in NIST SP 800-30 contains 9 steps. Each activity produces an output that feeds the next:
1. System Characterization -> System boundary, functions, criticality
2. Threat Identification -> Threat statement
3. Vulnerability Identification -> List of potential vulnerabilities
4. Control Analysis -> List of current and planned controls
5. Likelihood Determination -> Likelihood rating
6. Impact Analysis -> Impact rating
7. Risk Determination -> Risks and risk levels
8. Control Recommendations -> Recommended controls
9. Results Documentation -> Assessment report
(This nine-step flow is from the original 2002 edition of SP 800-30. Revision 1, published September 2012, reorganizes the process into prepare, conduct, communicate and maintain phases, but the same activities and outputs still appear inside the "conduct" phase.)

Risk Assessment: Key Components
- What? Include all forms of electronic media, all devices, all networks
- Where? Identify where PHI is stored, received, maintained or transmitted. Include physical security of systems and human access to the data
- How? Assess effectiveness of current policy and procedures
- Who? Identify threats, holes and weaknesses: human, system and environmental
- When? Determine the probability of a loss
- How much? Identify risk level and scope of potential loss
- Results: Document findings, both pros and cons; assign a risk level; identify corrective actions

Plan for the Unexpected
As part of the Risk Assessment and your regular policies and procedures, you need to:
- Identify risk in your infrastructure
- Have a plan to reduce the risk
- If you decide not to, document why
What is risk? It has three components: a vulnerability, a threat that can exercise it, and the probability that it does.

Identify Vulnerabilities
Vulnerability: "[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
- Non-technical vulnerabilities: gaps or flaws in operational processes and workflows
- Technical vulnerabilities: holes, flaws or weaknesses in application software, technical infrastructure or system provisioning

Identify Threats
Threat: "[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."
- Natural threats: floods, earthquakes, tornadoes, landslides
- Environmental threats: unforeseen disruption due to power failures, excess water, fire
- Human threats: theft, errors, accidents

Quantify Risk
Risk is "[t]he net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur.... [R]isks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system."

Do Something About Risk
If you know you have a risk, you must mitigate it OR document why no action is required.
- Reasonable expectation: the measure of what is reasonable and appropriate is what a similar IT shop would do
- Willful neglect: a known risk left unaddressed and undocumented is what draws penalties, fines and damages
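The four slides above (the SP 800-30 flowchart, the three components of risk, the NIST risk definition, and the mitigate-or-document rule) as one added worked example, not part of the original deck and not Axway's product code: a small risk register scored with the likelihood and impact scales of the 2002 edition of NIST SP 800-30 (Tables 3-4 to 3-7), followed by the check a reviewer runs before writing the assessment report to find risks that are neither mitigated nor documented. The register entries, asset names and field names are constructed sample data, not findings from any real assessment.

```python
from dataclasses import dataclass, field

# Qualitative scales from NIST SP 800-30 (2002), Tables 3-4 and 3-5
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Risk Determination step: likelihood rating x impact rating -> risk level.

    Bands follow SP 800-30 Table 3-7: Low 1 to 10, Medium >10 to 50, High >50 to 100.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


@dataclass
class Risk:
    asset: str                 # system characterization: where ePHI is stored or flows
    threat: str                # threat statement (natural, environmental or human)
    vulnerability: str         # the weakness the threat could exercise
    likelihood: str            # high / medium / low, judged after control analysis
    impact: str                # high / medium / low, on C/I/A of the ePHI involved
    disposition: str = "open"  # open | mitigate | accept
    rationale: str = ""        # why no action is required (needed when accepting)
    controls: list[str] = field(default_factory=list)  # recommended controls


def score_register(register: list[Risk]) -> list[dict]:
    """Attach score and level to every entry (the 'risks and risk levels' output)."""
    rows = []
    for r in register:
        score, level = risk_level(r.likelihood, r.impact)
        rows.append({"asset": r.asset, "threat": r.threat, "score": score,
                     "level": level, "disposition": r.disposition})
    return rows


def find_gaps(register: list[Risk]) -> list[str]:
    """The 'do something about it' check: every known risk needs either a
    mitigation with named controls or a documented reason for taking no action."""
    gaps = []
    for r in register:
        _, level = risk_level(r.likelihood, r.impact)
        if r.disposition == "open":
            gaps.append(f"{r.asset}: {level} risk '{r.threat}' has no disposition")
        elif r.disposition == "mitigate" and not r.controls:
            gaps.append(f"{r.asset}: marked mitigate but no controls recorded")
        elif r.disposition == "accept" and not r.rationale.strip():
            gaps.append(f"{r.asset}: accepted without documented rationale")
    return gaps


# Constructed sample register (hypothetical assets, not real findings)
SAMPLE_REGISTER = [
    Risk("Home-health nurse laptops", "theft or loss of device",
         "full-disk encryption not enforced by policy", "high", "high"),
    Risk("Clearinghouse gateway", "interception of claims in transit",
         "legacy FTP still enabled for one trading partner", "medium", "high",
         disposition="mitigate", controls=["disable FTP listener", "move partner to SFTP"]),
    Risk("Primary data center", "flood", "no off-site copy of nightly backups",
         "low", "high", disposition="accept"),
    Risk("Front-desk workstations", "tailgating into the office",
         "screen lock timeout is 15 minutes", "low", "medium", disposition="accept",
         rationale="badge-controlled door plus 15 min lock judged adequate for a 3-seat clinic"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['level']:6} {row['score']:5.1f}  {row['asset']}: {row['threat']} [{row['disposition']}]")
    print("\nGaps to close before the assessment report:")
    for gap in find_gaps(SAMPLE_REGISTER):
        print(" -", gap)
```

Note that the third entry scores Low (0.1 x 100 = 10) yet still shows up as a gap: the level decides how urgently you act, but the record of why you chose not to act is required at every level, which is the point of the "document why" rule.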

Doing Something
OCR says Risk Analysis is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. It drives decisions such as:
- Design appropriate personnel screening processes. (45 C.F.R. 164.308(a)(3)(ii)(B))
- Identify what data to back up and how. (45 C.F.R. 164.308(a)(7)(ii)(A))
- Decide whether and how to use encryption. (45 C.F.R. 164.312(a)(2)(iv) and (e)(2)(ii))
- Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. 164.312(c)(2))
- Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. 164.312(e)(1))

Risk Assessments: Related Links
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
http://www.ofr.gov/(x(1)s(uzclbwrx5fwqm2w2mipkysrh))/OFRUpload/OFRData/2012-21050_PI.pdf

Considerations for Governance & Visibility
The New World of Compliance:
- Provisioning to standards
- Service management
- Encrypted channels
- Walk the Talk: policy compliance
- Managing access: the 3 A's
Rise of the Human:
- Consistent user experience
- Multiple connections
- Delivery assurance: restart/retry, non-repudiation
Rise of Real-Time:
- Right channel, right time
- View, Download, Transmit: patient access, mobile access
Inside your world, and outside your world

Governance and Visibility: the value of standardizing access and connections
Access:
- A multi-location physician must record encounters live
- Managing patient identity is essential
Trust:
- Trust lifecycle
- Walk the Talk: essential to meet audit requirements
- Integrate consent with collaboration
Connectivity:
- Standardized approaches increase the speed of connecting and improve IT productivity
Monitoring:
- Quickly assess the impact of a potential breach
- Calculated Service Level Agreements
- Minimize impact on downstream, scheduled processes

4 Questions for Governance & Visibility
1. How long does it take to produce a system inventory? Which systems contain sensitive data? Which have critical access or DR characteristics?
2. How many access points exist in your network? Batch? Real-time? Web service? FTP? Portals? Are roles and access rights the same regardless of channel?
3. Do you know where your ePHI and PII data are? How long does it take to troubleshoot message delivery issues? Is patient consent considered before exchange of data?
4. In 25 words or less, do you have a single consistent strategy to protect data at rest and in motion? Does critical data always use a consistent, safe route? Are policy and reality aligned?

2013 Enterprise Risk Checklist
B2B channels (clearinghouses, gateways):
- BA Agreement in place?
- Length of message storage
- Training for offshore staff
Ad hoc file transfer (executive, business, provider):
- Connectivity training
- Revenue cycle management feeds
- Email attachments
Endpoints (mobile, cloud, portal):
- Data Loss Prevention program
- Policy, training
- BYOD
- Patient consent forms
Centralized identity management:
- Same roles and access regardless of channel
- Single front door
- API policy filter for cloud and mobile app integration
- Firewalls, intrusion detection
- White lists / black lists
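As an added example (not Axway's code and not from the original deck), the access-point questions and the checklist above turned into a review over a connection inventory: it counts access points by channel type, and flags ePHI crossing a plaintext protocol, an external counterparty with no BA agreement on file, and connections governed by local accounts rather than central identity. The inventory rows, field names and protocol labels are this example's own constructed data; MLLP (HL7 v2 over raw TCP) and FTP are treated as plaintext because they are unless wrapped in TLS.

```python
from collections import Counter
from dataclasses import dataclass

# Channel classification for this example. The "+tls" labels are this example's notation.
ENCRYPTED_PROTOCOLS = {"sftp", "ftps", "https", "as2", "smtp+tls", "mllp+tls"}
PLAINTEXT_PROTOCOLS = {"ftp", "http", "smtp", "mllp", "telnet"}


@dataclass(frozen=True)
class AccessPoint:
    name: str
    protocol: str
    mode: str             # batch | real-time | portal | ad-hoc
    carries_ephi: bool
    external: bool        # crosses the organisation boundary
    counterparty: str
    baa_on_file: bool     # business associate agreement with the counterparty
    identity_source: str  # "central" (enterprise IdM) or "local" (accounts on the box)


def review_access_point(ap: AccessPoint) -> list[str]:
    """Apply the checklist to one connection and return the open items."""
    proto = ap.protocol.lower()
    if proto not in ENCRYPTED_PROTOCOLS | PLAINTEXT_PROTOCOLS:
        return [f"{ap.name}: unclassified protocol '{ap.protocol}'; classify before exchanging data"]
    findings = []
    if ap.carries_ephi and proto in PLAINTEXT_PROTOCOLS:
        findings.append(f"{ap.name}: ePHI over plaintext {ap.protocol}; "
                        "encrypt the channel or document why not (164.312(e))")
    if ap.carries_ephi and ap.external and not ap.baa_on_file:
        findings.append(f"{ap.name}: ePHI shared with {ap.counterparty} with no BA agreement on file")
    if ap.identity_source != "central":
        findings.append(f"{ap.name}: local accounts; roles and access rights diverge from central identity")
    return findings


def review_inventory(inventory: list[AccessPoint]) -> dict:
    """Answer the inventory questions for the whole list: how many access points,
    how many touch ePHI, the mix of channel types, and what needs fixing."""
    return {
        "access_points": len(inventory),
        "ephi_access_points": sum(1 for ap in inventory if ap.carries_ephi),
        "by_mode": Counter(ap.mode for ap in inventory),
        "findings": [f for ap in inventory for f in review_access_point(ap)],
    }


# Constructed sample inventory (hypothetical systems and partners)
SAMPLE_INVENTORY = [
    AccessPoint("Claims to clearinghouse", "sftp", "batch", True, True, "ACME Clearinghouse", True, "central"),
    AccessPoint("Lab results interface", "mllp", "real-time", True, True, "Regional Lab", True, "local"),
    AccessPoint("Partner file drop", "ftp", "ad-hoc", True, True, "Billing vendor", False, "local"),
    AccessPoint("Patient portal", "https", "portal", True, False, "Patients", False, "central"),
    AccessPoint("Newsletter to mail vendor", "smtp", "batch", False, True, "Mail vendor", False, "central"),
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE_INVENTORY)
    print(f"{report['access_points']} access points, {report['ephi_access_points']} carry ePHI; "
          f"by mode: {dict(report['by_mode'])}")
    for finding in report["findings"]:
        print(" -", finding)
```

The newsletter feed goes out over plaintext SMTP but carries no ePHI, so it produces no finding: the review keys off where ePHI actually flows, which is why the inventory has to record that attribute per connection rather than per system.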

Bottom Line
- Securing patient records is critical and requires a plan
- Risk assessments are required and incentivized
- Consolidation of access points and connection processes into gateways offers measurable efficiency
- Achieving Meaningful Use Stage 2, telepresence and BYOD will scatter patient records across your enterprise and your community

Control the Edge with Axway
mHealth, Cloud, Identity Management (IAM), Coordinated Care Community
Manage and secure connections to improve service and productivity

Questions?
Ruby Raley, Director Healthcare Solutions
rraley@axway.com, 404-933-2282
www.axway.com