IT Hardware Retirement Best Practices in Healthcare: Regulations, Risks and Rewards
Neil Peters-Michaud, Cascade Asset Management, September 15, 2011


2 Copyright 2011 – Cascade Asset Management * www.cascade-assets.com * Contact info@cascade-assets.com for reproduction rights
Do You Need to Deal with HIPAA Breaches?
In the last 12 months: 112 reported data breaches affecting over 6 million people.
Organizations named on the slide: Ault Chiropractic Center; Blue Cross Blue Shield Michigan; Community Action Partnership of Natrona County; Sta-Home Health & Hospice; Southern Perioperative Services, P.C.; Center for Arthritis and Rheumatic Diseases; Cumberland Gastroenterology, P.S.C.; Franciscan Medical Group; Brian J Daniels D.D.S., Paul R Daniels D.D.S.; Keystone/AmeriHealth Mercy Health Plans; State of South Carolina Budget and Control Board Employee Insurance Program (EIP); MMM Healthcare, Inc.; Puerto Rico Department of Health; Benefit Resources, Inc.; PMC Medicare Choice; Henry Ford Hospital; University of Nebraska Medical Center; Eisenhower Medical Center; Ochsner Health System; Grays Harbor Pediatrics, PLLC; Imaging Center of Garland; Indiana Regional Medical Center; Hanger Prosthetics & Orthotics, Inc.; Navos; Gary C. Spinks, DMD, PC; Jeffrey J. Smith, MD; Troy Regional Medical Center; University Health Services, University of Massachusetts, Amherst; Osceola Medical Center; Union Security Insurance Company; VNA of Southeastern CT; Baptist Memorial Hospital - Huntingdon; Park Avenue Obstetrics & Gynecology, PC; Triple-S Salud, Inc.; Baylor Heart and Vascular Center; Spartanburg Regional Healthcare System; Oklahoma City VA Medical Center; CHC Memphis CMHC, LLC; VA Caribbean Healthcare System; University of Arkansas for Medical Sciences; Long Beach Memorial Medical Center; Robert B. Miller, MD; Mountain Vista Medical Center; Saint Louis University; Tuba City Regional Health Care Corporation; Memorial Hospital of Gardena; Jefferson Center for Mental Health; New River Health Association; Zarzamora Family Dental Care; Ortho Montana, PSC; Reid Hospital & Health Care Services; Northridge Hospital Medical Center; Friendship Center Dental Office; Gene S. J. Liaw, MD, PS; Blue Cross and Blue Shield of Florida; New York City Health & Hospitals Corporation's North Bronx Healthcare Network; Medicare Fee-for-Service Program; Robert Wheatley, DDS, PC; Texas Health Arlington Memorial Hospital; Blue Cross and Blue Shield of Florida; Albert Einstein Healthcare Network; Lake Woods Nursing and Rehabilitation Center; Drs. Edalji & Komer; Clarksburg--Louis A. Johnson VA Medical Center; Accendo; Silverpop Systems, Inc. Health and Welfare Plan; Cook County Health & Hospitals System; Molina Medicare; Methodist Charlton Medical Center; Mankato Clinic; Cancer Care Northwest P.S.; New York State Department of Health; International Union of Operating Engineers Health and Welfare Fund; University of Missouri Health Plan; Beth Israel Deaconess Medical Center; OhioHealth Corporation dba Grant Medical Center; Green River District Health Department; Health Plan of San Mateo; Geisinger Wyoming Valley Medical Center; Omnicare, Inc.; Foothills Nephrology, PC; Dean Health Systems, Inc., St. Mary's Hospital, St. Mary's Dean Ventures, Inc.; Health Net, Inc.; Robert B. Neves, M.D., Inc.; Hospital Auxilio Mutuo; NYU School of Medicine Faculty Group Practice; Anderson Air Force Base Guam; Indiana Family and Social Services; Henry Ford Hospital; Sutter Gould Medical Foundation (SGMF); Ankle & Foot Center of Tampa Bay, Inc.; Catholic Social Services; Ohio Health Plans; Kadlec Regional Medical Center; Rape & Brooks Orthodontics, P.C.; The Mount Sinai Hospital; Centra; Charleston Area Medical Center, Inc.; University of Missouri Health Care; Seacoast Radiology, PA; MidState Medical Center; Brigham and Women's Hospital and Faulkner Hospital; Riverside Mercy Hospital and Ohio/Mercy Diagnostics; SW General Inc.; Washington State Department of Social and Health Services; California Therapy Solutions; Aiken Community Based Outpatient Clinic; Austin Center for Therapy and Assessment, LLC; St. Vincent Hospital - Indianapolis; Keith & Fisher, DDS, PA; Treatment Services Northwest.

3 Individuals Affected by Breaches on IT Hardware (September 2009 to July 2011) [chart]

4 Key Points
1. Understand compliance requirements and develop appropriate standards
2. Implement policies and tools that best meet the standards
3. Make IT asset disposition a value-added business service

5 HIPAA Compliance Requirements - some background
Health Information Portability and Accountability Act (HIPAA) of 1996
– Defines Personal Health Information (PHI) and requires Covered Entities to implement safeguards to protect against unauthorized use of PHI
– PHI is contained in physical documents, in communications (emails, mailings), on electronic media, on computing devices, on communication devices, in x-rays, etc.
– Requirement to notify affected individuals and the media of breaches
– Penalties for failure to notify and for negligent activity
– Business Associates (BA) who handle PHI for Covered Entities (CE) should be under contract and coordinate activities together.

6 HITECH Act 2009 ups the ante
Health Information Technology for Economic and Clinical Health (HITECH) Act of 1996
– Part of the American Reinvestment and Recovery Act of 2009
– $20 billion set aside to support electronic medical record implementation
– Expands the scope of who must comply with PHI protections
Specific requirements introduced for PHI data in disposal
– Data must be unrecoverable and indecipherable
Business Associates are now potentially liable for breaches. Contracts must be in place between Covered Entities and Business Associates who handle PHI.

7 Compliance Requirements
Covered Entities must have a designated Security/HIPAA Compliance Officer
Need a security policy
Appropriate safeguards must be in place
– IT must implement controls over network, communications, and data in storage
– There must be a way to track assets until PHI is destroyed on those assets
(Diagram label: Security Policy)

8 Security Policy Adoption
Policy needs to be incorporated into other employee/corporate policies
Get buy-in across the organization
Employees need to be trained, and training must be documented
Employees should sign off on corporate IT asset usage policies
Restrict use of personal devices for business
Discipline failure to follow rules
Failure to follow through on policies amounts to negligence

9 Training resources for you

10 Data Destruction Standards
Guidance in HITECH is to follow NIST 800-88 Guidelines for Media Sanitization
– Replaces the limited data wiping standard, Dept. of Defense 5220.22-M (3-pass wipe)
– Comprehensive approach to secure data destruction on any storage device: hard drives, data tapes, cell phones, SSDs, storage in copiers/printers
– Overwrite method must match company security requirement; 1 pass is often sufficient
Link to NIST 800-88: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

11 Effective Security exists in layers

12 Define Scope of Devices that may contain PHI (Security Layers diagram)

13 Track Devices – Asset Management
Identify assets under your control
Manage procurement, installation, changes, and disposal
Storage of PHI on network/cloud vs. local devices
Implementing encryption tools
Restricting the use of difficult-to-control devices and personal devices

14 Mitigate risk of loss of hardware
Most breaches come from loss or theft of hardware
Keep devices on the network and in communication with discovery tools
When deciding to retire, keep hardware secure
– Don't let retired computers accumulate in a hallway
– Don't leave stacks of media or HDDs in the open
– Do wipe drives or get equipment out to a responsible disposition vendor ASAP

15 Disposal of IT Assets
Determine where PHI is destroyed – in-house or outsourced
If PHI destruction is outsourced, a Business Associate Agreement (BAA) is required with the vendor
– Good idea to have a full contract in place to define limits of liability, insurance coverage (E&O) and service requirements
BA must have safeguards in place
BA must report suspected breaches to the CE
BA is potentially liable for breaches.
Don't forget about damaged assets with PHI sent back for warranty return/replacement!

16 Transfer of assets (and responsibility) to a 3rd party
Only transfer title of assets based on a detailed record of the asset transfer
– Need mutual agreement that specific items are being sent to the disposal vendor
– Inventory items on-site and get a sign-off of title transfer
– Need to prove chain of custody
Without detail on the asset transfer, the vendor can claim they never received an asset
Doesn't matter if assets are owned or leased – you are still responsible for the data

17 Disposal – Agree to requirements
Vendor should follow your data security standard
– May require all items to be physically destroyed/recycled
– If electronic overwrite and reuse of hard drives is allowed, the wipe standard needs to be defined
– How can the vendor ensure it follows the process?
Agreement on what happens if an asset or data is potentially lost
– BAA will define the response procedure
– MSA will list insurance and indemnification coverage

18 Final disposition – closing the loop
Vendor provides final disposition status for each asset
A Certificate of Destruction is a document from the vendor that is their claim of how equipment was processed
– Sometimes only as good as the paper they're written on – need clear details on individual assets
– Good idea to audit these records
– Expect timely reporting; otherwise there may be an issue
Tie the final disposition report in to the asset management system
– Provides cradle-to-grave accountability
– Easiest access for audits
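An added example (not from the presentation or from Cascade) of the reconciliation that slides 16 and 18 call for: the serials signed off at title transfer are checked against the vendor's Certificate of Destruction, flagging assets the vendor never attested to, serials that were never on the manifest, methods that do not meet the wipe standard, and late reports. The accepted-method table, the 30-day reporting term and every serial number are constructed for the example.

```python
"""Reconcile a disposal manifest (what was signed over to the vendor) against the
vendor's Certificate of Destruction. Constructed example, not Cascade's tooling."""
from datetime import date

# Assumed policy: which sanitisation methods satisfy the organisation's standard
# per media type (single-pass overwrite accepted for HDDs, destruction elsewhere).
ACCEPTED_METHODS = {"hdd": {"overwrite-1pass", "shred"}, "ssd": {"shred"}, "tape": {"shred", "degauss"}}
REPORTING_SLA_DAYS = 30   # assumed contract term: vendor must report within 30 days

def reconcile(manifest, cod):
    """manifest: {serial: (media, transfer_date)} signed off at title transfer.
    cod: {serial: (method, completion_date)} as attested by the vendor.
    Returns only the non-empty findings; an empty dict means the loop is closed."""
    findings = {"unaccounted": [], "unexpected": [], "wrong_method": [], "late": []}
    for serial, (media, transferred) in sorted(manifest.items()):
        if serial not in cod:
            findings["unaccounted"].append(serial)   # vendor never attested to this asset
            continue
        method, completed = cod[serial]
        if method not in ACCEPTED_METHODS.get(media, set()):
            findings["wrong_method"].append(serial)  # does not meet the wipe standard
        if (completed - transferred).days > REPORTING_SLA_DAYS:
            findings["late"].append(serial)          # slow reporting: investigate
    # Serials the vendor reports that were never on our manifest break chain of custody
    findings["unexpected"] = sorted(set(cod) - set(manifest))
    return {k: v for k, v in findings.items() if v}

# Constructed sample: four assets signed over on 2011-09-01.
MANIFEST = {
    "HDD-0001": ("hdd", date(2011, 9, 1)),
    "HDD-0002": ("hdd", date(2011, 9, 1)),
    "SSD-0003": ("ssd", date(2011, 9, 1)),
    "TAPE-0004": ("tape", date(2011, 9, 1)),
}
# Constructed vendor certificate: one clean line and three kinds of problem.
COD = {
    "HDD-0001": ("overwrite-1pass", date(2011, 9, 10)),
    "SSD-0003": ("overwrite-1pass", date(2011, 9, 12)),  # overwrite not accepted for SSDs
    "TAPE-0004": ("shred", date(2011, 10, 15)),          # 44 days after transfer
    "HDD-9999": ("shred", date(2011, 9, 10)),            # never on our manifest
}

if __name__ == "__main__":
    for finding, serials in reconcile(MANIFEST, COD).items():
        print(f"{finding}: {', '.join(serials)}")
```

Every finding maps back to a single serial, which is what an auditor needs when the certificate is challenged.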

19 Why care about security during IT asset disposal?
Keeps your CIO out of prison!
Keeps your organization's name out of the paper due to breaches
The cost to notify parties affected by breaches is ~$115 per person. In the last 12 months, breach notifications cost healthcare organizations over $690 million
Consider the organization's spend on other security programs as a benchmark for disposal investments
Estimate a cost of ~$25/system for complete and secure disposition

20 Make IT Asset Disposition a Business Value
You are an essential part of the HIPAA security compliance program – get a seat at the table by offering solutions
A third-party disposition vendor transfers your liability and provides a good check on your system
The faster data are destroyed, the better the organization's security is protected
Institute an employee recycling program to deal with security threats from institutional data on personal devices
A quality IT asset disposition vendor will process your equipment in an environmentally responsible manner and promote sustainability goals – look for certifications from e-Stewards, R2, or others as a start, but have the environmental dept. complete their due diligence
You could earn revenue from the resale of properly processed assets

21 IT Hardware Retirement Best Practices in Healthcare: Regulations, Risks and Rewards
Neil Peters-Michaud, Cascade Asset Management
Download documents following the Security link on Cascade's homepage
