Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Similar documents
The simplified guide to. HIPAA compliance

HIPAA Security and Privacy Policies & Procedures

HIPAA Federal Security Rule H I P A A

EXHIBIT A. - HIPAA Security Assessment Template -

Security Policies and Procedures Principles and Practices

Information Technology Update

Employee Security Awareness Training Program

Red Flags/Identity Theft Prevention Policy: Purpose

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

HIPAA Compliance Checklist

Checklist: Credit Union Information Security and Privacy Policies

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Baseline Information Security and Privacy Requirements for Suppliers

Policy and Procedure: SDM Guidance for HIPAA Business Associates

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

HIPAA & Privacy Compliance Update

Data Backup and Contingency Planning Procedure

A Security Risk Analysis is More Than Meaningful Use

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Trust Services Principles and Criteria

Protecting Health Information

7.16 INFORMATION TECHNOLOGY SECURITY

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

Healthcare Privacy and Security:

Data Compromise Notice Procedure Summary and Guide

Cyber Security Issues

Apex Information Security Policy

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of North Texas System Administration Identity Theft Prevention Program

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Information Technology General Control Review

Putting It All Together:

NMHC HIPAA Security Training Version

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

IAM Security & Privacy Policies Scott Bradner

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Information Security Policy

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Annual Report on the Status of the Information Security Program

efolder White Paper: HIPAA Compliance

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

UTAH VALLEY UNIVERSITY Policies and Procedures

Start the Security Walkthrough

DETAILED POLICY STATEMENT

SECURITY & PRIVACY DOCUMENTATION

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Security Audit What Why

Subject: University Information Technology Resource Security Policy: OUTDATED

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

2015 HFMA What Healthcare Can Learn from the Banking Industry

HIPAA FOR BROKERS. revised 10/17

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

HIPAA-HITECH: Privacy & Security Updates for 2015

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

HIPAA AND SECURITY. For Healthcare Organizations

The BUSINESS of Fraud. Don t let it put you out of business. AFFILIATE LOGO

SYSTEMS ASSET MANAGEMENT POLICY

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Securing Information Systems

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

Securing Information Systems

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Information Security Policy

Red Flag Regulations

CCISO Blueprint v1. EC-Council

HIPAA Enforcement Training for State Attorneys General

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Vendor Security Questionnaire

IS Today: Managing in a Digital World 9/17/12

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

HIPAA Security Manual

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Education Network Security

Why you MUST protect your customer data

The Common Controls Framework BY ADOBE

Guidelines for Data Protection

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HIPAA UPDATE. Michael L. Brody, DPM

Juniper Vendor Security Requirements

Transcription:

Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Agenda Have you secured your key operational, competitive and financial information? IT control options to secure your key information IT control options to prevent fraud Case study: How HIPAA helped the healthcare industry protect their confidential information Case study: How to protect key information in different areas of your business

UM ETHICS PROGRAMS 2002

Have you secured your key operational, competitive and financial information? In the news Education Department working to fix software after student loan data breach StarTribune.com Insurance firm posts private data breach to customers (Blue Cross Blue Shield of NC) Infowatch.com

Have you secured your key operational, competitive and financial information? (cont.) Gartner Group analysis: By the end of 2007, 75% of enterprises were infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. The threat environment is changing - financially motivated, targeted attacks are increasing. Automated malware generation kits allow quick, simple creation of thousands of variants, but our security processes and technologies haven't kept up.

Have you secured your key operational, competitive and financial information? (cont.) What information is important to your organization? Payroll Information Proprietary Information Acquisition Targets Financial Information Cost Structure Supplier Information Client Listing R&D Information

Have you secured your key operational, competitive and financial information? (cont.) Securing your organization s information involves: Preventing unauthorized access Preventing unauthorized transmission Preventing accidental or intentional destruction Preventing unauthorized modifications

Have you secured your key operational, competitive and financial information? (cont.) What are the threats? Threats to data security can be grouped into three categories: Physical threats e.g. hurricane, fire, theft, flood, and power outages Human error e.g. careless disposal of information, sharing access information, social engineering techniques and transmitting data using non-secure channels Malicious activities e.g. malicious damage, corporate espionage, viruses and fraud

Have you secured your key operational, competitive and financial information? (cont.) What are some of the weak points? Trash Segregation of Duties Physical Security Smartphones Authentication Media Internet Reports Laptops Outdated Technology Portable Storage Social Engineering Inadequate Network Architecture

Have you secured your key operational, competitive and financial information? (cont.) Common risk areas for the information

Have you secured your key operational, competitive and financial information? (cont.) At what levels should security be implemented? Business Processes

UM ETHICS PROGRAMS 2002

IT control options to secure your key information: How can you secure your data? Logical security e.g. passwords, segregation of functions, encryption, firewalls, antivirus software Physical security e.g. restricted access to the data room, networking cabinets, tokens and workstations Network infrastructure multi-tiered data protection schema with multiple levels of protection to ensure that data is protected if a layer is compromised

IT control options to secure your key information How can you secure your data? (cont.) Backups e.g. backup strategy, offsite storage and recovery strategy Data Loss Prevention (DLP) Implementing a DLP that ensures protection of the sensitive data during storage and transmission by allowing for: content inspection automatic protection of sensitive data incident response workflow

IT control options to secure your key information How can you secure your data? (cont.) Implementing an IT control framework:

UM ETHICS PROGRAMS 2002

IT control options to prevent fraud How can IT help prevent fraud? Enforce segregation of duties Log sensitive transactions Generate automated exception reports Allow ongoing monitoring of the IT environment Safeguard sensitive data Restrict user access to all layers of the IT stack

UM ETHICS PROGRAMS 2002

Case study: How HIPAA helped the healthcare industry protect their confidential information HIPAA forever impacted the internal and external operations of the healthcare industry by protecting both employees and patients under Federal law. While HIPAA regulations are not entirely IT related, information security plays a vital role in complying with HIPPA. In fact, two of the four main objectives of HIPAA are directly related to information security, including the reduction of fraud and abuse, and the safeguarding of Protected Health Information.

Case study: How HIPAA helped the healthcare industry protect their confidential information (cont.) Confidentiality Integrity Availability

Case study: How HIPAA helped the healthcare industry protect their confidential information (cont.) Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes. Providers must protect against unauthorized Access Users Disclosures

Case study: How HIPAA helped the healthcare industry protect their confidential information (cont.) Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner. Providers must protect against improper destruction or alteration of data They must also provide appropriate backup in the event of a threat, hazard, or natural disaster

Case study: How HIPAA helped the healthcare industry protect their confidential information (cont.) Availability: The property that data or information is accessible and usable upon demand by an authorized person. Must guard against threats and hazards that may deny access to data or render the data unavailable when needed Must provide appropriate backup in the event of a threat, hazard, or natural disaster Must provide appropriate disaster recovery and business continuity plans for departmental operations involving electronic protected health information (ephi).

UM ETHICS PROGRAMS 2002

Case study: How to protect key information in different areas of your business Accounts Payable Accounts Receivable Inventory Online Banking Payroll

Case study: How to protect key information in different areas of your business (cont.) Accounts Payable Segregation of the ability to receive and buy goods Access controls to the receiving function Access controls to the purchasing function Monitoring of unusual transactions

Case study: How to protect key information in different areas of your business (cont.) Online Banking Segregation of the ability of creating and approving payments using the online banking application Security tokens to access the online banking application Digital certificates to access the online banking application Encryption of information

Case study: How to protect key information in different areas of your business (cont.) Inventory Segregation of the ability to maintain the inventory levels and participation in the inventory control processes Restriction to adjust the inventory levels Ongoing monitoring of inventory levels Automated inventory control processes

Case study: How to protect key information in different areas of your business (cont.) Payroll Restriction to modify the payroll information Encryption of the payroll information Segregation of duties to ensure that the person who approves time reports does not prepare, disburse, or reconcile payroll Reporting of changes to the payroll data

Case study: How to protect key information in different areas of your business (cont.) Accounts Receivable Segregation of the ability to receive and buy goods Access controls to the receiving function Access controls to the purchasing function Monitoring of unusual transactions

Q&A

For additional information, contact: Andres Castañeda, Senior Manager, Advisory Services T 786.206.2311 C 954.817.0663 E Andres.Castaneda@gt.com Steve Nouss, Partner, Advisory Services T 954.727.5610 C 954.254.0222 E Steve.Nouss@gt.com

UM ETHICS PROGRAMS 2002

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback