Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.

Similar presentations


Presentation on theme: "© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk."— Presentation transcript:

1 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk Analysis for Meaningful Use

2 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Meaningful Use Overview Vision & Goals Vision Enable improvements in population health through a transformed health care delivery system Goals Quality, safety and efficiency Engaging patients and their families Care coordination Population and public health Privacy and security protections 2

3 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Meaningful Use Security and Privacy Objectives Measures Provide and monitor privacy and security protection of confidential protected health information through operating policies, procedures and technologies Respect applicable federal and state laws and regulations Provide transparency of data sharing to patients disruption of clinical and administrative processes Governance Model Security program components/ regulatory requirements (HIPAA Privacy and Security, Breach Notification Laws, HITECH, Red Flags Rule, State laws) Risk Assessment and Mitigation Processes Security Program Evaluation Risk Assessment and Risk Management Privacy and Security Awareness and Training Incident Reporting and Response Accounting of Disclosures 3

4 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Review existing governance of privacy and security programs Help implement security governance processes Include privacy and security as primary components of the organization’s strategic planning process Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations) Conduct regular evaluations and audits of compliance with HIPAA and new requirements included in HITECH (e.g., breach notification, accounting of disclosures, sale of PHI for marketing and fundraising). Understand the gaps and prioritize improvement efforts Develop an ongoing and documented process for evaluating the privacy and security programs. This is not a one-time process, but rather a regular recurring assessment to consider changes in the environment and regulatory requirements. Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) processes Develop new and enhanced training programs in privacy and security for management, board, staff and all those considered to be part of the organization’s workforce (e.g., medical students, residents, fellows, volunteers, contractors, etc.). Best Practices for Achieving the Goal Of Meaningful Use 4

5 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Meeting New Requirements for Privacy/Security 5

6 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. What is Involved Despite 10 years since the passage of HIPAA –Nearly weekly news reports of lax security practices involving sensitive patient information –The public and regulators receive these constant reminders that more protection is needed Hospitals still struggle to maintain information security and privacy programs that are in compliance HITECH raises the bar on expectations: the National Privacy and Security Framework The recent consolidation of responsibility for privacy and security in one agency (the Office of Civil Rights) could lead to stepped up enforcement of compliance Meeting New Requirements for Privacy/Security Common HIPAA Violations Found in Compliance Audits in 2008 HIPAA Security Policies and Procedures Business Associate Agreements Encryption of ePHI on mobile devices HIPAA Security Training s/HIPAAComplianceReviewSumtopost508.pdf 6

7 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Getting There Conduct a security risk assessment and develop and implement a remediation plan ASAP –Follow all CMS recommendations/requirements –Include elements of the National Privacy and Security Framework –Cover all of the new systems, system upgrades and physical relocations of IT assets for meaningful use –Lax practices are typically a bigger threat than hackers Do not wait until 2015 to move data from the desktop and incorporate encryption in data management –More patient data online = more responsibility to ramp up the protections that technology can afford –Incorporate as part of the roll-out for meaningful use –Critical for device selection and the user transition HITECH encourages hospitals to participate in HIE of patient data –Your responsibility travels with your data after it crosses your corporate boundaries Meeting New Requirements for Privacy/Security 7

8 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Meaningful Use Risk Assessments 8 Information Gathering Review & Analyses Reporting Project Initiation Staff Interviews & Documentation Review Governance, Policy, Management, & Risk Tolerance Security & Privacy Requirements ePHI Mapping & Supporting Business Processes Technical Vulnerability Testing / Results Objectives & Controls Business Drivers Information & Technology Environment Regulatory Requirements Discovery Risk / Gap Analysis Assessment Report Management Presentation

9 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Two types of assessment scope Full HIPAA / HITECH / EHR Risk Assessment –Recommended for organizations which have not recently conducted an enterprise (or those areas within the organization that are in scope) risk assessment –Larger in scope than the EHR risk analysis; cost is dependent on the maturity of the information security program –Based upon the HIPAA, HITECH and Meaningful Use security requirements Risk assessment limited to the implementation of the EHR –Recommended for organizations that consistently conduct enterprise HIPAA risk assessment –Assessment environment limited in scope –Focused on the EHR Meaningful Use Risk Analysis requirements and appropriate management controls to check that not only are the specific controls implemented at a risk level acceptable to the organization, but that the controls are assessed and treated continually Assessment Scope 9

10 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Risk Analysis Methodology 10 Threat Assessment Exposure Identification Risk Determination Threats-From Determination Threats-To Determination Likely Attacks & Attack Vectors Vulnerability Determination General IT Control Determination Exposures Threats Exposures Likelihood Threats Risk Determination

11 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Risk Analysis Methodology Roadmap Understand Business Operations Prioritized List of Residual Risks Prioritized List of Residual Risks Prioritized Threat List Prioritized Threat List Control Gaps Getting Organized Gathering and Analyzing Data Communicating Findings and Recommendations Develop Methodology Develop Methodology Identify Business Objectives NIST Based Threat Model Asset Identification Asset Identification Preparation Threat Assessment Threat Assessment Risk Assessment Risk Assessment Recommendation 11 Determine Scope Asset Subgroups Identify Assets Identify Assets Categorize Assets Asset List Identify Threats Identify Threats Assess Impact Assess Impact Assess Likelihood Assess Likelihood Assign Threat Values Assign Threat Values Identify Expected Safeguards Assess Existing Safeguards Determine Control Gaps Determine Control Gaps Compute Residual Risk Compute Residual Risk Identify Unacceptable Risks Assess Projected Risk Assess Projected Risk Identify Remediation Projects Identify Mitigating Controls

12 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. HIPAA / HITECH / Meaningful Use Risk Assessment 12 Value Incorporates Meaningful Use requirements into overall HIPAA Risk Assessment Provides an enterprise view of risk associated with the security and privacy of PHI Gains the SureSeal certification letter Scope Includes HIPAA / HITECH / EHR Meaningful Use Provides enterprise coverage and sampling of facilities that store, process and transmit PHI

13 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Scoping Factors Type (e.g., Health Plan, Medical Facility/ Hospital, Pharmacy, Third Party Processor) and size of the organization (e.g., hospitals can be measured by number of beds) Geographical Factors –State, Multi-state, Offshore System Factors –Quantity and types of devices, systems and applications that store, process or transit PHI –Additional risk factors such as whether the in scope systems are Internet-accessible, accessible by third parties, business partner connections and mobile devices are used in the environment Security Program Maturity Scope and Pricing Considerations 13

14 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Requirement Conduct or review a security risk analysis, remediate identified risks, as appropriate, and continually improve controls Specific Requirements around: Access Control Emergency Access Automatic Log-off Audit Log Integrity Authentication Encryption Accounting of Disclosures AT&T Consulting includes additional management controls Meaningful Use Risk Analysis 14

15 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T SureSeal SM Certification Letter and Logo 15 Certification Letter This one page summary report will present AT&T Consulting test scope of the risk analysis and summary findings in a manner that can be presented to third parties. Logo You will be granted certification and will be given the use of the AT&T SureSeal SM logo to be used on your website for a one-year period.

16 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Sample Certification Customer Logo Display 16 You can display the logo on your website and other official materials for a one-year period

17 © 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. 17


Download ppt "© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk."

Similar presentations


Ads by Google