Introduction. Angela Holzworth, RHIA, CISA, GSEC, Sr. IT Infrastructure Analyst; Kimberly Gray, Esq., CIPP/US


Incorporating Privacy into the CSF: Approach and Benefits

Slide 1: Introduction
Angela Holzworth, RHIA, CISA, GSEC, Sr. IT Infrastructure Analyst
Kimberly Gray, Esq., CIPP/US, Chief Privacy Officer, Global, IMS Health

Slide 2: Outline
Privacy and Security
  How Security and Privacy Relate
  Current State of Privacy and Security
  Drivers for Integration / Current Trends
HITRUST Privacy Working Group
  State Laws
  NIST SP 800-53, Appendix J
  HIPAA Privacy Rule
Next Steps
  Privacy Domain Implementation

Slide 3: How Security and Privacy Relate (i)
Fair Information Practice Principles (FIPPs)
Over the past 30 years, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information (their "information practices") and the safeguards required to assure those practices are fair and provide adequate privacy protection.
Privacy principles have been established worldwide:
  Health, Education and Welfare (HEW) Fair Information Principles
  Organization for Economic Cooperation and Development (OECD) Guidelines
  Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
  Office of the National Coordinator for Health Information Technology (ONC) Privacy Framework

Slide 4: How Security and Privacy Relate (ii)
The top 10 most common principles include:
  1. Openness / Transparency
  2. Notice / Choice
  3. Collection Limitation / Data Minimization
  4. Specified Purposes
  5. Data Integrity
  6. Security Safeguards
  7. Individuals' Rights
  8. Preventing Harm
  9. Privacy-by-Design
  10. Accountability

Slide 5: How Security and Privacy Relate (iii)
HIPAA Privacy Rule Safeguards
A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule, and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

Slide 6: How Security and Privacy Relate (iv)
HIPAA Security Rule Safeguards
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures...
Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment...
Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Slide 7: Current State & Trends

Slide 8: Current State of Privacy and Security
Security functions are typically:
  Embedded within the IT department
  Director or manager-level
  IT-centric
  Focused on controls based on security frameworks
  Not always responsible to a Board-level committee
Privacy functions are typically:
  Stand-alone or embedded within the compliance function
  VP or director-level
  Legal & Compliance-centric
  Focused on regulatory compliance
  Responsible to a Board-level audit committee

Slide 9: Drivers for Integration
Individual privacy is dependent upon security
Separate functions are not always efficient:
  Overlapping education, training & awareness programs
  Overlapping incident response applications and functions
  Overlapping security controls and privacy safeguards
New requirements due to HITECH:
  Increased collaboration is necessary to fulfill Breach Notification requirements

Slide 10: Drivers for Integration - Current Trends
Overlapping Programs: Increased cooperation between traditionally siloed security and privacy functions
Breach Notification: Legislators beginning to supplement privacy / data breach legislation with complementary security legislation
Federal Government: Integrating privacy requirements into the security control standard, NIST SP 800-53

Slide 11: Privacy Working Group

Slide 12: HITRUST Privacy Working Group (2012)
Growing reliance on EHRs and interoperable HIEs:
  Improve patient care, reduce errors, control costs
  Increased risk to patient information
HITRUST will incorporate privacy requirements into the CSF:
  Ensure better alignment between security and privacy programs
  Ensure an integrated approach for protecting health information
HITRUST Privacy Working Group:
  Identify and document new CSF controls and/or enhancements
  Uniform and practical approach to implementing privacy controls
  Provide additional recommendations, e.g., assessment guidance

Slide 13: HITRUST Privacy Working Group (2014) - State Law Challenges
Variations exist regarding, but are not limited to: breaches (including the definition of a breach), authorizations, consents, access/amendment, restriction requests, who must comply, and who the requirements apply to.
States identified social security numbers and sensitive data, such as mental health, HIV/AIDS, and drug and alcohol abuse/treatment, as having increased privacy concerns and requirements.
Results: HITRUST CSF to include references to and adhere to applicable state law, as required.

Slide 14: HITRUST Privacy Working Group (2014) - NIST SP 800-53, Appendix J
Provides a structured set of privacy controls for the federal government
Establishes a linkage and relationship between privacy and security controls
Demonstrates the applicability of the NIST Risk Management Framework
Promotes closer cooperation between privacy and security officials within the federal government
Results:
  While NIST may present a uniform approach, it is not practical for universal healthcare industry implementation
  Privacy Working Group to revisit NIST 800-53, Appendix J, and possibly add it as level 2 or 3 requirement CSF controls

Slide 15: HITRUST Privacy Working Group (2014) - HIPAA Privacy Rule
Universally acceptable and applicable standards in the healthcare industry
Includes the Final Omnibus Rule
Achieves a uniform and practical approach
Utilizes the OCR Audit Protocol as the basis for control language
Results:
  HIPAA Privacy Rule requirements will be used as level 1 controls in the HITRUST CSF
  HITRUST CSF Level 1 compliance may now satisfy HIPAA compliance with both the Privacy and Security Rules

Slide 16: Next Steps

Slide 17: Privacy Domain Implementation
Privacy Domain:
  Implement/revise controls related to:
    HIPAA Privacy Rule requirements
    NIST SP 800-53 controls
    HIE requirements
  Review existing controls that relate to Privacy
Achieves a well-rounded Common Security Framework consistent with industry trends.

Slide 18: Questions?
Kim Gray, Esq., kgray@us.imshealth.com, 610-244-3149
Angela Holzworth, angela.holzworth@highmark.com, 412-544-7815