CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Presentation transcript:

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison Madison, Wisconsin

CAMP Med 2 Organizational Structure University of Wisconsin - Madison 41,500 students 2,060 Faculty 15,000 Employees Ranks second among public universities, third among all universities for research expenditures

CAMP Med 3 Organizational Structure UW Medical School 15 Clinical, 11 Basic Science Departments 1,150 Faculty 550 MD, 427 PhD students 29th for NIH funding in 2003 (~ $142,000,000)

CAMP Med 4 UW-Madison Organizational Structure UW Hospital And Clinics UW Medical Foundation UW-Health

CAMP Med 5 Organizational Structure UW – Hybrid Covered Entity Non-HCC Health Care Component School of Nursing School of Pharmacy Student Health Hygiene Lab Clinical Departments of the Medical School

CAMP Med 6 Organizational Structure UW – Hybrid Covered Entity Affiliated Covered Entity UW Hospital And Clinics UW Medical Foundation USE

CAMP Med 7 Administrative Structure Campus (CE): –Security Officer –HIPAA Task Force –Security Committee HCC units: –Security Coordinators

CAMP Med 8 CE Requirements under Security Rule Ensure CIA of electronic PHI Protect against any reasonably anticipated threats or hazards to security or integrity of ePHI Protect against any reasonably anticipated uses or disclosures of such information not permitted under the Privacy Rule Ensure compliance by workforce

CAMP Med 9 HIPAA Security Rule Essentially requires the implementation of safeguards to protect the CIA of data (ePHI): Confidentiality Integrity Availability Requires reasonable and appropriate measures, not NSA-proof. Same measures that “best practices” suggests should be used with all electronic data

CAMP Med 10 Challenges to Compliance Academic, traditionally open environment Research mission encourages collaboration Decentralized organization Multiple research databases Non-uniform IT resources –Each department has separate IT group & budget –Wide range of OS’s, servers, support

CAMP Med 11 Approach to Compliance Electronic data, purely IT Solution, right? Improved security awareness Additional technology, e.g., firewall User behavior: –Training –Policies

CAMP Med 12 Campus Level Initiatives Campus HIPAA security committee created representing all units in the HCC Series of best practices guidelines developed to ensure security of all data including ePHI All units meeting the best practice guidelines are in compliance with the Security Rule Not all of the guidelines are addressed with pure IT solutions

CAMP Med 13 Best Practices Guidelines Encryption Account Creation and Access Control Audit Controls User Authentication Network Device Security Password Management Single Device Remote Access

CAMP Med 14 Best Practices Guidelines (cont) Server Security Wireless Communication Information Sensitivity DMZ Network Workstation Use and Workstation Security Portable Devices Disaster Recovery

CAMP Med 15 First Step of the 1000 Mile (Li) Trip Sec (a) (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. –Risk analysis –Risk management –Sanction policy –Information system activity review

CAMP Med 16 Risk Analysis: Risk Assessment Inventory Based on the Security Standard Matrix, the central IT group on campus developed a spreadsheet against which each unit in the HCC can appraise its current condition in terms of risk.

CAMP Med 17 Risk Assessment Inventory Spreadsheet configured as separate matrices for: –Technical Assets –Physical Sites –Administrative Units Individual cells given an A to F grade with color coding for easy browsing Each clinical department in the Medical School submits its own RAI

CAMP Med 18 Risk Assessment Inventory (Administrative)

CAMP Med 19 Risk Assessment Inventory (Physical)

CAMP Med 20 Risk Assessment Inventory (Technical)

CAMP Med 21 Risk Management Medical School Migration Plan Based on the results of the RAIs from each of the departments, the migration plan is intended to spell out an organized, systematic approach designed to ensure timely Medical School compliance with the Security Rule based on analysis of the current state of data security.

CAMP Med 22 Migration Plan 1. Develop strategy on steps to take –Using technology to improve CIA of ePHI –Provide training –Develop policies to modify user behavior 2. Evaluate the level at which the implementation most efficiently occurs
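An added illustration (not the presentation's own spreadsheet or code) of how the Risk Assessment Inventory on slides 16 and 17 feeds the migration plan on slides 21 and 22: each department's A to F grades are validated, colour-coded for browsing, and every cell below a chosen grade becomes the prioritized work list. The safeguard rows come from slide 15; the department names, grades and colour scheme are constructed sample data.

```python
"""Risk Assessment Inventory (RAI) helper: cells graded A-F, one submission per
department. Added example; names, grades and colours are constructed sample data."""

GRADE_SCORE = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}
# Colour coding for easy browsing (green / yellow / red), as on the spreadsheet.
COLOUR = {"A": "\033[32m", "B": "\033[32m", "C": "\033[33m",
          "D": "\033[31m", "F": "\033[31m"}
RESET = "\033[0m"
# Matrix rows: the four implementation specifications under the Security
# Management Process standard listed on slide 15.
SAFEGUARDS = ["Risk analysis", "Risk management", "Sanction policy",
              "Information system activity review"]

# Constructed sample RAIs: department -> {safeguard: grade}.
SAMPLE_RAI = {
    "Medicine": dict(zip(SAFEGUARDS, "BCAF")),
    "Surgery": dict(zip(SAFEGUARDS, "ABBC")),
    "Biostat & MI": dict(zip(SAFEGUARDS, "DDCD")),
}

def validate(rai):
    """Reject a submission that skips a safeguard or uses a grade outside A-F."""
    for dept, cells in rai.items():
        missing = set(SAFEGUARDS) - cells.keys()
        if missing:
            raise ValueError(f"{dept}: no grade for {sorted(missing)}")
        bad = [g for g in cells.values() if g not in GRADE_SCORE]
        if bad:
            raise ValueError(f"{dept}: invalid grade(s) {bad}")

def migration_priorities(rai, threshold="C"):
    """Migration-plan work list: every cell graded below `threshold`, worst
    first, as (department, safeguard, grade) tuples."""
    validate(rai)
    floor = GRADE_SCORE[threshold]
    gaps = [(d, s, g) for d, cells in rai.items() for s, g in cells.items()
            if GRADE_SCORE[g] < floor]
    return sorted(gaps, key=lambda t: (GRADE_SCORE[t[2]], t[0], t[1]))

def render(rai):
    """Colour-coded text view of the matrix, one department per line."""
    return "\n".join(
        f"{dept:14s} " + " ".join(f"{COLOUR[c[s]]}{c[s]}{RESET}" for s in SAFEGUARDS)
        for dept, c in rai.items())
```

Calling `migration_priorities(SAMPLE_RAI)` lists the F and D cells first, which is the order the migration plan would work through them.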

CAMP Med 23 Campus Level Elements Assign security officer Develop training Develop best practices guidelines for HCC

CAMP Med 24 Departmental Elements Risk Assessment Workforce Security Physical Controls Backup Media Controls Authentication

CAMP Med 25 Unit (MS) Level Elements Designate HIPAA Security Coordinator Develop security architecture that includes firewall, vulnerability scanning and incident response. Assign a full-time position. Contingency planning Security committee represented by all departments Policy

CAMP Med 26 [Network diagram: Medical School Firewall between Campus/Internet and the HCC; clinical departments, with trusted access to UW Hospital and Clinics (UWHC) EMR, sit inside; basic science departments have restricted access to PHI]

CAMP Med 27 [Network diagram: Medical School Firewall - Clinical, separating Campus/Internet from the clinical departments with trusted access to UW Hospital and Clinics (EMR); departments shown: Medicine, Biostatistics & Medical Informatics, Surgery, ACE]

CAMP Med 28 Medical School Firewall Allowing limited access from outside (Campus/Internet) to inside: a firewall “hole” may be requested to allow limited access to hosts on the inside of the firewall. All open TCP ports periodically scanned.
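The periodic scan on slide 28 is only useful if its results are checked against the firewall holes that were actually approved. The following added example (not code from the presentation) reconciles a scan report with a hole register and flags open ports that have no approval or whose approval is past its review date. The register layout, the scan line format and every host and port are constructed for illustration.

```python
"""Reconcile a periodic TCP port scan of the Medical School firewall against the
register of approved firewall "holes". Added example; all data is constructed."""
import ipaddress
from collections import namedtuple

Hole = namedtuple("Hole", "host port requester expires")

# Constructed register: inside host, TCP port, requesting unit, ISO review date.
APPROVED_HOLES = [
    Hole("10.0.5.10", 443, "Surgery", "2099-12-31"),
    Hole("10.0.5.11", 22, "Biostat & MI", "2000-01-01"),  # past its review date
]

# Constructed scan output, "host port state" per line; two lines are malformed.
SCAN_RESULT = """\
10.0.5.10 443 open
10.0.5.11 22 open
10.0.5.12 3389 open
10.0.5.10 80 open
not-an-ip 22 open
10.0.5.13 25 closed
"""

def parse_scan(text):
    """Yield (host, port) for each valid line that reports an open port."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue
        try:
            yield str(ipaddress.ip_address(parts[0])), int(parts[1])
        except ValueError:
            continue  # unparseable address or port: skip rather than guess

def reconcile(scan_text, holes, today):
    """Classify each open port as approved, expired (hole past its review date)
    or unapproved (no hole on file). Dates compare as ISO YYYY-MM-DD strings."""
    by_key = {(h.host, h.port): h for h in holes}
    report = {"approved": [], "expired": [], "unapproved": []}
    for host, port in parse_scan(scan_text):
        hole = by_key.get((host, port))
        if hole is None:
            report["unapproved"].append((host, port))
        elif hole.expires < today:
            report["expired"].append((host, port))
        else:
            report["approved"].append((host, port))
    return report
```

The "unapproved" and "expired" lists are what the security coordinator follows up on after each scan; the "approved" list confirms the register still matches reality.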

CAMP Med 29 Medical School Wireless Network Open wireless useful in MS library, etc. No authentication Outside MS firewall Requires remote access client to access networks containing PHI –Citrix –VPN Ensures authentication, end-to-end encryption when accessing PHI

CAMP Med 30 Elements to be Addressed by ACE: Incident response team; Secure solutions (TLS) [diagram labels: UWMS, UWMF, UWHC]

CAMP Med 31 Keys Ongoing process, much different from the Y2K problem Security Rule not just an IT issue HIPAA Security Rule should be approached as safeguards to all data, especially ePHI Reasonable and appropriate

CAMP Med 32 Enterprise (CE) Level Authentication Workforce security Enforce “minimal use” part of Privacy Rule Enable audit controls First step in multi-factor authentication