Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

Published byAmbrose Watts Modified over 8 years ago

Similar presentations

Presentation on theme: "HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center."— Presentation transcript:

1 HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center

2 Disclaimers & Definitions: Disclaimer: The focus of this presentation is based on the auditing process which we will follow to ensure Valley Medical Center is HIPPA compliant. This process will include auditing people, procedures and security logs. This is a journey not a task! Compliance- At Valley Medical Center we are tying privacy and security into one coherent plan rather than building separate silos of concern. This is recommended for hospitals that already deal with JCAHO in order to create a more viable long term strategy. For us at Valley, privacy and security have complementary goals. For further technical guidelines or questions, email me at drew@valleymed.org.

3 Security Quote Maybe you don’t have any security problems because no one is looking at security. Your security weakness will not be at the system level- it will be a breakdown at the human level. –Drew

4 How do I start? Get on the path! Review the HIPPA regulations and follow the necessary requirements. Create a checklist that combines your policies and the HIPAA/JCAHO/State regulations for validation. Update policies to include the HIPPA regulations. Incorporate management and Administration Set up a schedule to periodically report to management and continue staff development

5 Use the “top-down” strategy approach. Manage expectations “Make it so!” “Are we done yet?” Keep administration and staff informed and involved. Remember security is everyone’s responsibility. Okay, then what?

6 § 164.306 Security standards: General rules. (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.

7 § 164.306 Security standards: General rules. (d) Implementation specifications (i) Assess whether each implementation specification is a reasonable and appropriate…and (ii) As applicable to the entity-- (A) Implement the specification; or (B) If implementing the implementation specification is not reasonable and appropriate-- (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.

8 § 164.308 Administrative safeguards (ii) Implementation specifications: …(D) Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

9 System Auditing Notes In god we trust, All others we audit.

10 Audit Privacy & Security together What are the potential gaps? Lack of Procedures or lack of implementation Lack of Education Lack of understanding Lack of awareness Vulnerability to social engineering –Be careful Lack of consistency Will every department have the same policies? No....and that is not a bad thing.

11 Auditing Basics How often Who is involved Who do we report to What are the objectives Where do we store logs, reports and incidents

12 What am I auditing for? Policy awareness understanding and implementation. Client computer configuration- Anti-Virus, Installed software, Screen Saver, Patches, Users knowledge on reporting privacy and security incidents Users knowledge of the PHI disposal policy Physical Security Authentication requests Failed login attempts System logging is only one half of it-one must actually parse the logs for the logs to be useful.

13 Walkthrough Info Use Checklists Give manager checklist- before and after Talk with staff not just to ding them but to educate them Let them know that it is personally important to you but you are not a fanatic Make managers and staff accountable for security. You are there to spot check. Managers should enforce P & P. Did I mention that you have to have a mandate from Administration

14 Quarterly Computer Audit Separation of duties Least privilege Patches Account changes Log review Firewall review

15 Auditing tools and links Privacy Auditor Event Comb http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/window s/secwin2k/default.asp http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/window s/secwin2k/default.asp Syslog Swatch/logwatch Log Parser http://www.microsoft.com/windows2000/downloads/tool s/logparser/default.asp http://www.microsoft.com/windows2000/downloads/tool s/logparser/default.asp Elogdmp.exe resource kit tool

16 Quarterly Awareness Campaign (for staff) Topics may include Top 5 Privacy FAQ’s Virus Awareness Acceptable Use Password Policies How to report incidents Weird facts

17 Quarterly report to Compliance Committee Make it meaningful Make it clear Be specific Have a plan

18 Questions??? Walk the path, don’t just know the path!

Download ppt "HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Hipaa privacy and Security

Hipaa privacy and Security
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.

HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Information Security Policies and Standards

Information Security Policies and Standards
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Similar presentations

Ads by Google