© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
AT&T Security Consulting
Risk Analysis for Meaningful Use

Meaningful Use Overview: Vision & Goals
Vision
Enable improvements in population health through a transformed health care delivery system
Goals
Quality, safety and efficiency
Engaging patients and their families
Care coordination
Population and public health
Privacy and security protections

Meaningful Use Security and Privacy Objectives
Measures
Provide and monitor privacy and security protection of confidential protected health information through operating policies, procedures and technologies
Respect applicable federal and state laws and regulations
Provide transparency of data sharing to patients
disruption of clinical and administrative processes
Governance Model
Security program components / regulatory requirements (HIPAA Privacy and Security, Breach Notification Laws, HITECH, Red Flags Rule, State laws)
Risk Assessment and Mitigation Processes
Security Program Evaluation
Risk Assessment and Risk Management
Privacy and Security Awareness and Training
Incident Reporting and Response
Accounting of Disclosures

Best Practices for Achieving the Goal of Meaningful Use
Review existing governance of privacy and security programs
Help implement security governance processes
Include privacy and security as primary components of the organization’s strategic planning process
Enhance internal controls for compliance with privacy and security requirements (HIPAA and other federal and state regulations)
Conduct regular evaluations and audits of compliance with HIPAA and the new requirements included in HITECH (e.g., breach notification, accounting of disclosures, sale of PHI for marketing and fundraising)
Understand the gaps and prioritize improvement efforts
Develop an ongoing and documented process for evaluating the privacy and security programs. This is not a one-time process, but rather a regular recurring assessment to consider changes in the environment and regulatory requirements.
Include privacy and security risk assessment in the enterprise-wide risk assessment and management (EWRA) processes
Develop new and enhanced training programs in privacy and security for management, board, staff and all those considered to be part of the organization’s workforce (e.g., medical students, residents, fellows, volunteers, contractors, etc.)

Meeting New Requirements for Privacy/Security

Meeting New Requirements for Privacy/Security: What is Involved
Despite 10 years since the passage of HIPAA
–Nearly weekly news reports of lax security practices involving sensitive patient information
–The public and regulators receive these constant reminders that more protection is needed
Hospitals still struggle to maintain information security and privacy programs that are in compliance
HITECH raises the bar on expectations: the National Privacy and Security Framework
The recent consolidation of responsibility for privacy and security in one agency (the Office of Civil Rights) could lead to stepped up enforcement of compliance
Common HIPAA Violations Found in Compliance Audits in 2008
HIPAA Security Policies and Procedures
Business Associate Agreements
Encryption of ePHI on mobile devices
HIPAA Security Training
s/HIPAAComplianceReviewSumtopost508.pdf

Meeting New Requirements for Privacy/Security: Getting There
Conduct a security risk assessment and develop and implement a remediation plan ASAP
–Follow all CMS recommendations/requirements
–Include elements of the National Privacy and Security Framework
–Cover all of the new systems, system upgrades and physical relocations of IT assets for meaningful use
–Lax practices are typically a bigger threat than hackers
Do not wait until 2015 to move data from the desktop and incorporate encryption in data management
–More patient data online = more responsibility to ramp up the protections that technology can afford
–Incorporate as part of the roll-out for meaningful use
–Critical for device selection and the user transition
HITECH encourages hospitals to participate in HIE of patient data
–Your responsibility travels with your data after it crosses your corporate boundaries

AT&T Security Consulting Meaningful Use Risk Assessments
Assessment phases (process diagram): Project Initiation, Information Gathering, Review & Analyses, Reporting
Diagram elements, in the order they appear on the slide:
Staff Interviews & Documentation Review
Governance, Policy, Management, & Risk Tolerance
Security & Privacy Requirements
ePHI Mapping & Supporting Business Processes
Technical Vulnerability Testing / Results
Objectives & Controls
Business Drivers
Information & Technology Environment
Regulatory Requirements
Discovery
Risk / Gap Analysis
Assessment Report
Management Presentation

Assessment Scope: Two types of assessment scope
Full HIPAA / HITECH / EHR Risk Assessment
–Recommended for organizations which have not recently conducted an enterprise risk assessment (or an assessment of those areas within the organization that are in scope)
–Larger in scope than the EHR risk analysis; cost is dependent on the maturity of the information security program
–Based upon the HIPAA, HITECH and Meaningful Use security requirements
Risk assessment limited to the implementation of the EHR
–Recommended for organizations that consistently conduct an enterprise HIPAA risk assessment
–Assessment environment limited in scope
–Focused on the EHR Meaningful Use Risk Analysis requirements and appropriate management controls, to check not only that the specific controls are implemented at a risk level acceptable to the organization, but also that the controls are assessed and treated continually

Risk Analysis Methodology (process diagram)
Threat Assessment: Threats-From Determination; Threats-To Determination; Likely Attacks & Attack Vectors. Output: Threats
Exposure Identification: Vulnerability Determination; General IT Control Determination. Output: Exposures
Risk Determination: Threats, Exposures and Likelihood are combined into the Risk Determination

Risk Analysis Methodology Roadmap
Getting Organized (Preparation): Understand Business Operations; Identify Business Objectives; Develop Methodology (NIST Based Threat Model); Determine Scope; Asset Subgroups
Gathering and Analyzing Data
–Asset Identification: Identify Assets; Categorize Assets. Output: Asset List
–Threat Assessment: Identify Threats; Assess Impact; Assess Likelihood; Assign Threat Values. Output: Prioritized Threat List
–Risk Assessment: Identify Expected Safeguards; Assess Existing Safeguards; Determine Control Gaps (Output: Control Gaps); Compute Residual Risk. Output: Prioritized List of Residual Risks
Communicating Findings and Recommendations (Recommendation): Identify Unacceptable Risks; Identify Mitigating Controls; Assess Projected Risk; Identify Remediation Projects
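The roadmap's threat assessment, risk assessment and recommendation steps carried through on a constructed sample threat list, as an added example; this is not the deck's or AT&T Consulting's method. The 1-5 impact and likelihood scales, the impact x likelihood threat value, the product-of-(1 - effectiveness) residual-risk formula and the risk tolerance threshold are all assumptions, not taken from the slides.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the threat list: an asset, a threat to it, and the safeguards
    expected for it versus those actually in place (effectiveness 0..1, assumed scale)."""
    asset: str
    name: str
    impact: int        # assumed 1 (low) .. 5 (high)
    likelihood: int    # assumed 1 (rare) .. 5 (frequent)
    expected: dict     # safeguard -> effectiveness the threat model expects
    existing: dict     # safeguard -> effectiveness of what is actually implemented

    def threat_value(self) -> int:
        # Assign Threat Values: assumed impact x likelihood
        return self.impact * self.likelihood

    def control_gaps(self) -> list:
        # Determine Control Gaps: expected safeguards that are not in place
        return sorted(s for s in self.expected if s not in self.existing)

    def residual_risk(self, extra_controls=None) -> float:
        # Compute Residual Risk: safeguards assumed independent, so the
        # unmitigated fraction is the product of (1 - effectiveness)
        controls = {**self.existing, **(extra_controls or {})}
        factor = 1.0
        for eff in controls.values():
            factor *= 1.0 - eff
        return round(self.threat_value() * factor, 2)


def prioritized_residual_risks(threats):
    """Prioritized List of Residual Risks: highest residual risk first."""
    return sorted(threats, key=lambda t: t.residual_risk(), reverse=True)


def unacceptable_risks(threats, tolerance):
    """Identify Unacceptable Risks: residual risk above the organization's tolerance."""
    return [t for t in threats if t.residual_risk() > tolerance]


def projected_risk(threat, mitigating_controls):
    """Assess Projected Risk once a remediation project adds mitigating controls."""
    return threat.residual_risk(mitigating_controls)


# Constructed sample register (illustrative values, not real findings).
SAMPLE_THREATS = [
    Threat("clinician laptop with ePHI", "theft or loss", 5, 4,
           {"full-disk encryption": 0.9, "asset inventory": 0.3},
           {"asset inventory": 0.3}),
    Threat("EHR application server", "unauthorized access", 5, 2,
           {"unique user authentication": 0.8, "automatic log-off": 0.5, "audit logging": 0.4},
           {"unique user authentication": 0.8, "automatic log-off": 0.5, "audit logging": 0.4}),
    Threat("paper/fax workflow", "misdirected fax", 3, 3,
           {"recipient verification procedure": 0.6}, {}),
]
RISK_TOLERANCE = 5.0  # assumed organizational threshold

if __name__ == "__main__":
    for t in prioritized_residual_risks(SAMPLE_THREATS):
        print(f"{t.residual_risk():5.1f}  {t.asset}: {t.name}  gaps={t.control_gaps()}")
```

Running it lists the laptop threat first (residual 14.0, missing full-disk encryption), and re-scoring it with that control added projects a residual of 1.4, which is what a remediation project entry in the roadmap would record.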

HIPAA / HITECH / Meaningful Use Risk Assessment
Value
Incorporates Meaningful Use requirements into the overall HIPAA Risk Assessment
Provides an enterprise view of risk associated with the security and privacy of PHI
Gains the SureSeal certification letter
Scope
Includes HIPAA / HITECH / EHR Meaningful Use
Provides enterprise coverage and sampling of facilities that store, process and transmit PHI

Scope and Pricing Considerations: Scoping Factors
Type (e.g., Health Plan, Medical Facility/Hospital, Pharmacy, Third Party Processor) and size of the organization (e.g., hospitals can be measured by number of beds)
Geographical Factors
–State, Multi-state, Offshore
System Factors
–Quantity and types of devices, systems and applications that store, process or transmit PHI
–Additional risk factors, such as whether the in-scope systems are Internet-accessible or accessible by third parties, and whether business partner connections and mobile devices are used in the environment
Security Program Maturity

Meaningful Use Risk Analysis
Requirement: Conduct or review a security risk analysis, remediate identified risks, as appropriate, and continually improve controls
Specific requirements around:
Access Control
Emergency Access
Automatic Log-off
Audit Log
Integrity
Authentication
Encryption
Accounting of Disclosures
AT&T Consulting includes additional management controls

AT&T SureSeal(SM) Certification Letter and Logo
Certification Letter: This one-page summary report will present the AT&T Consulting test scope of the risk analysis and the summary findings in a manner that can be presented to third parties.
Logo: You will be granted certification and will be given the use of the AT&T SureSeal(SM) logo on your website for a one-year period.

Sample Certification Customer Logo Display
You can display the logo on your website and other official materials for a one-year period.
