Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Compliance …from Planning to Practice Sharon A. Budman Director of HIPAA Privacy & Security September 13, 2004 © University of Miami Office of.

Published byAshlee Matthews Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Compliance …from Planning to Practice Sharon A. Budman Director of HIPAA Privacy & Security September 13, 2004 © University of Miami Office of."— Presentation transcript:

1 Security Compliance …from Planning to Practice Sharon A. Budman Director of HIPAA Privacy & Security September 13, 2004 © University of Miami Office of HIPAA Privacy & Security

2 Accomplishing the Goal Vision Strategy PeopleProcess © University of Miami Office of HIPAA Privacy & Security

3 Vision Security Compliance Risk Assessment is the first step towards Security Compliance © University of Miami Office of HIPAA Privacy & Security

4 Understanding the Challenge The Strategy – Risk Assessment Identification of systems, key stakeholders, and associated information related to e-phi within the organization. Design a strategy to inventory all systems that maintain or transmit e-phi. Develop and disseminate a data collection tool that details the systems, users, and information. Analyze the data. © University of Miami Office of HIPAA Privacy & Security

5 The Goal of the Analysis Process Protect the organization and its ability to perform its mission. –IT assets facilitate our mission –The process should NOT be treated primarily as a technical function but rather as an essential management function of the organization. NIST – SP800-30 (as referenced in the security rule) © University of Miami Office of HIPAA Privacy & Security

6 Defining the People/Players Who are they? Leadership Support/Sponsor Steering Committee -Leadership Group Key Stakeholders – System Owners Risk Assessment Team © University of Miami Office of HIPAA Privacy & Security

7 The Structure - Hybrid Decentralized IT Structure Decentralized Clinical Departments Decentralized Medical Records Research – Outside of the Covered Entity © University of Miami Office of HIPAA Privacy & Security

8 Planning Considerations Types of Risk Assessments Quantitative vs. Qualitative © University of Miami Office of HIPAA Privacy & Security

9 Quantitative Risk Assessment Main Advantage –Provides specific quantifiable measurements of the magnitude of the impacts which can be used in a cost benefit analysis of the recommended controls. Main Disadvantage –Values must be assigned to the assets and determining accurate values may be difficult. © University of Miami Office of HIPAA Privacy & Security

10 Qualitative Risk Assessment Main Advantage –Prioritizes the risk and identifies the areas for immediate improvement. Main Disadvantage –Does not provide specific quantifiable measurements of the magnitude of the impacts, therefore, making a cost benefit analysis of any recommended controls difficult. © University of Miami Office of HIPAA Privacy & Security

11 Risk Assessment Risk Management Risk Mitigation Risk Analysis 3 Phase Approach A Continuous Process © University of Miami Office of HIPAA Privacy & Security

12 Defining the Phases of Risk Analysis Risk Assessment - Determine the hazards, the exposure and characterizing the risk to the organization Risk Management – Analyze and select the policies and control alternatives based on the risk assessment findings. Risk Mitigation – Implement the selected policies and controls and subsequently monitor their application. © University of Miami Office of HIPAA Privacy & Security

13 Risks to Covered Entity Permanent loss or corruption of EPHI Temporary loss or unavailability of medical records Loss of financial cash flow Unauthorized access to or disclosure of EPHI Loss of physical assets Damage to reputation and public confidence Threats to patient safety Threats to employee safety © University of Miami Privacy Office © University of Miami Office of HIPAA Privacy & Security

14 PRIORTIZATION OF RISK ….as defined by Leadership –Patient Care Impact –Financial Loss –Legal Implication Loss –Loss of Reputation © University of Miami Office of HIPAA Privacy & Security

15 The Roll-out Embarked on Quantitative Risk Assessment Unable to readily obtain necessary values to incorporate into the analysis Changed gears and moved towards Qualitative Risk Assessment © University of Miami Office of HIPAA Privacy & Security

16 Current Status Enlisted all key system owners for data collection purposes Obtained information related to systems with E-phi Prioritization of Systems based on Leadership Priorities Expanded infrastructure © University of Miami Office of HIPAA Privacy & Security

17 Living and Learning Garner leadership support Encourage Buy-in from Key Stakeholders Use HIPAA for Continuous Process Improvement Look at HIPAA in a positive realm and use it as a catalyst to effectuate change © University of Miami Office of HIPAA Privacy & Security

18 Questions???? Contact information: Sharon A. Budman sbudman@med.miami.edu Director of HIPAA Privacy & Security University of Miami Office of HIPAA Privacy & Security 305-243-5000 © University of Miami Office of HIPAA Privacy & Security

19 UNDERSTANDING THE KEY ELEMENTS OF RISK ANALYSIS TO MEET THE HIPAA FINAL SECURITY RULE Caroline Hamilton, President RiskWatch, Inc.

20 -- Peter Drucker “IF YOU CAN’T MEASURE IT, YOU CAN’T MANAGE IT!” RISK ANALYSIS IS A MANAGEMENT TOOL – IT ELEVATES THE SECURITY FUNCTION UP TO THE BOARD ROOM

21 5 STEPS IN THE HIPAA SECURITY RISK ANALYSIS Define & value all assets Analyze Existing Threats Survey personnel to discover vulnerabilities in handling protected electronic health information. Analyze the data. Write the report.

22 ALL SECURITY RISK ANALYSIS ELEMENTS COME FROM GOVERNMENT AND AUDIT GUIDELINES ASSETS THREATS VULNERABILITIES LOSSES SAFEGUARDS

23 SAMPLE ASSET CATEGORIES Applications Clinical Staff Communication Systems Data Centers Databases E-Health Info Electrical Power Facilities Hardware Medical Records Networks Monitoring Equipment Patients Personnel Pharmacy Security Systems Software System Software

24 THREAT INFORMATION Quantified threat data is hard to find. Categories of Threats: Natural Disasters, Criminal Activity Malicious Code, Hackers, Fraud Includes collected data from Web Sources, government data, weather data, crime casts, global info services, access control systems, incident logs. You can customize with data from internally collected sources

25 STANDARD AND LOCAL THREAT DATA FREQUENCY ESTIMATES PER ORGANIZATION PER YEAR

26 Surveying the entire organization Using a non-threatening scientific approach Must include complete audit trails Should include different levels of the organizations Finding Vulnerabilities Through Electronic Surveys – Finding out how people do their jobs

27 ANALYZE POTENTIAL LOSS CATEGORIES Delays and Denials of Service Disclosure of PHI Direct Loss (Computers Destroyed) Regulatory Fines (Liability) Modification of Data Reputation (Credibility) Direct Related (Sum of the Above)

28 HIPAA-REQUIRED SAFEGUARD CATEGORIES

29 Linking Relationships Applications Databases PHI Medical Records Hardware System Software Delays & Denials Fines Disclosure Modification Direct Loss Disclosure Hackers Fraud Viruses Network Attack Loss of Data Embezzlement Acceptable Use Disaster Recovery Authentication Network Controls No Security Plan Accountability Privacy Access Control AssetVulnerabilityThreatLoss Risk = Asset * Loss * Threat * Vulnerability

30 HOW TO ILLUSTRATE RESULTS OF THE ANALYSIS FOR MANAGEMENT OVERALL COMPLIANCE VS. NON-COMPLIANCE

31 Vulnerability Distribution Report Indicates Weak Security Areas By Category and Backed up by Audit Trails

32 How To Calculate Return on Investment 1.Finish Disaster Recovery Plan2000:1 2.Finish the Security Plan 1200:1 3.Distribute Security Policy 943:1 4.Mandatory Security Training 75:1

33 RISK ANALYSIS REPORTING RECOMMENDED CONTROLS BY RETURN ON INVESTMENT (ROI)

34 USING COLLECTED DATA TO BENCHMARK HEALTHCARE RISKS By Hospital, by Systems, by Business Unit, by Region Common standards, terms and definitions Use for budgeting purposes --- determining ‘reasonable precautions’ --- ‘as good as’

35 THE BOTTOM LINE The Risk Analysis Process means Ongoing Compliance Measurement and Validation Data Security/Privacy regulations in Healthcare will continue to increase. The Risk Analysis is a key to demonstrating on-going HIPAA compliance Properly done, a risk analysis will credibly measure HIPAA compliance, identify vulnerabilities, justify capital improvements and focus & prioritize the security budget.

36 chamilton@riskwatch.com www.riskwatch.com

Download ppt "Security Compliance …from Planning to Practice Sharon A. Budman Director of HIPAA Privacy & Security September 13, 2004 © University of Miami Office of."

Similar presentations

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Workshop on High Confidence Medical Device Software and Systems (HCMDSS) Research & Roadmap June 2-3, 2005 Philadelphia, PA. Manufacturer/Care-Giver Perspective.

Workshop on High Confidence Medical Device Software and Systems (HCMDSS) Research & Roadmap June 2-3, 2005 Philadelphia, PA. Manufacturer/Care-Giver Perspective.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Medication Reconciliation Networking Session Steve Rough, MS., RPh. Director of Pharmacy University of Wisconsin Hospital and Clinics.

Medication Reconciliation Networking Session Steve Rough, MS., RPh. Director of Pharmacy University of Wisconsin Hospital and Clinics.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Similar presentations

Ads by Google