Preparing for a HIPAA Security Audit
Ali Pabrai, CISSP, CSCS, ecfirst, chairman & CEO
2008. All Rights Reserved. ecfirst.

HIPAA Requirements

Administrative safeguards:
- Security Management Process
- Assigned Security Responsibility (Security Officer)
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts (BACs)

Physical safeguards:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

Technical safeguards:
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

Goal: CIA (confidentiality, integrity and availability of EPHI)

Healthcare Technology Challenges: State of the Infrastructure
- Too many servers, too many applications
- Too many credentials across multiple systems to manage
- Lack of expertise and resources to audit and track credential access
- Too many PCs to maintain and manage
- Mobility of devices is rapidly increasing
- Storage demands are increasing fast
- Highly specialized technical skills required
- Serious lack of redundancy

HIPAA Audit: People That May Be Interviewed
- President, CEO or Director
- HIPAA Compliance Officer
- Lead Systems Manager or Director
- Systems Security Officer
- Lead Network Engineer and/or individuals responsible for:
  - Administration of systems which store, transmit, or access EPHI
  - Administration of systems and networks (wired and wireless)
  - Monitoring of systems which store, transmit, or access EPHI
  - Monitoring of systems and networks
- Computer Hardware Specialist
- Disaster Recovery Specialist or person in charge of data backup
- Facility Access Control Coordinator (physical security)
- Human Resources Representative
- Director of Training
- Incident Response Team Leader
- Others as identified

HIPAA Audit: Documentation That May Be Requested
Policies and procedures that address:
- Prevention, detection, containment, and correction of security violations
- Employee background checks and confidentiality agreements
- Establishing user access for new and existing employees
- List of authentication methods used to identify users authorized to access EPHI
- List of individuals and contractors with access to EPHI, including copies of pertinent business associate agreements
- List of software used to manage and control access to the Internet
- Detecting, reporting, and responding to security incidents
- Physical security
- Encryption and decryption of EPHI
- Mechanisms to ensure integrity of data during transmission, including portable media transmission

HIPAA Audit: Documentation That May Be Requested (contd.)
Policies and procedures that address:
- Monitoring systems use, authorized and unauthorized
- Use of wireless networks
- Granting, approving, and monitoring systems access (for example, by level, role, and job function)
- Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
- Termination of systems access
- Session termination for inactive computer systems
- Emergency access to electronic information systems
- Password management
- Disposal of media and devices containing EPHI
- Secure workstation use

HIPAA Audit: Other Documentation That May Be Requested
- Entity-wide Security Plan
- Risk Analysis (most recent)
- Risk Management Plan (addressing risks identified in the Risk Analysis)
- Security violation monitoring reports
- Vulnerability scanning plans
- Results from most recent vulnerability scan
- Network penetration testing policy and procedure
- Results from most recent network penetration test
- List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
- Configuration standards, including patch management, for systems which store, transmit, or access EPHI (including workstations)
- Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
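Two of the evidence items auditors most often test by sampling, the list of all user accounts with EPHI access for active and terminated employees (this slide) and the termination-of-access and access-monitoring policies (previous slide), are easiest to produce from a reconciliation of the directory against the HR roster. The script below is an added example, not code from the ecfirst slides; it assumes two hypothetical CSV exports (an HR roster, and a directory account export such as one from Active Directory with group memberships), a hypothetical set of groups that grant EPHI access, and a 90-day review threshold, all constructed inline so it runs offline.

```python
"""Reconcile directory accounts against the HR roster for audit evidence.

Added example for preparing the account-list and termination-of-access
evidence; it is not code from the ecfirst slides. It assumes two hypothetical
CSV exports, an HR roster and a directory (e.g. Active Directory) account
export with group memberships, plus a hypothetical list of groups that grant
EPHI access. All three are constructed inline so the script runs offline.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR roster (hypothetical workforce members).
HR_CSV = """employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2008-03-15
1003,Carol Example,terminated,2008-01-02
1004,Dan Example,active,
"""

# Constructed directory export (hypothetical accounts, ISO dates, ';'-separated groups).
DIRECTORY_CSV = """sam_account_name,employee_id,enabled,last_logon,groups
aexample,1001,true,2008-05-01,EHR_Clinicians;Domain Users
bexample,1002,true,2008-03-20,EHR_Clinicians;Domain Users
cexample,1003,false,2007-12-30,Domain Users
dexample,1004,true,2007-11-01,EHR_Admins;Domain Users
svc_backup,,true,2008-05-02,Backup Operators
"""

# Assumed: these groups grant access to systems that store, transmit or access EPHI.
EPHI_GROUPS = {"EHR_Clinicians", "EHR_Admins", "Backup Operators"}
STALE_DAYS = 90  # assumed access-review threshold for unused EPHI access


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def parse_rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def ephi_groups_of(acct: dict, ephi_groups: set[str]) -> list[str]:
    return sorted({g for g in acct["groups"].split(";") if g} & ephi_groups)


def access_list(hr_csv: str, directory_csv: str, ephi_groups=EPHI_GROUPS) -> list[dict]:
    """Evidence item: every account with EPHI access, its owner and HR status."""
    hr = {r["employee_id"]: r for r in parse_rows(hr_csv)}
    rows = []
    for acct in parse_rows(directory_csv):
        ephi = ephi_groups_of(acct, ephi_groups)
        if not ephi:
            continue  # Domain Users alone does not reach EPHI under the assumption above
        emp = hr.get(acct["employee_id"])
        rows.append({
            "account": acct["sam_account_name"],
            "owner": emp["name"] if emp else "UNKNOWN",
            "hr_status": emp["status"] if emp else "no HR record",
            "enabled": acct["enabled"].lower() == "true",
            "ephi_groups": ephi,
        })
    return rows


def reconcile(hr_csv: str, directory_csv: str, as_of: str,
              ephi_groups=EPHI_GROUPS, stale_days=STALE_DAYS) -> list[Finding]:
    """Flag accounts that contradict the termination and access-review policies."""
    as_of_date = date.fromisoformat(as_of)
    hr = {r["employee_id"]: r for r in parse_rows(hr_csv)}
    findings = []
    for acct in parse_rows(directory_csv):
        name = acct["sam_account_name"]
        enabled = acct["enabled"].lower() == "true"
        has_ephi = bool(ephi_groups_of(acct, ephi_groups))
        last_logon = date.fromisoformat(acct["last_logon"])
        emp = hr.get(acct["employee_id"])
        if emp is None:
            if has_ephi:  # service or orphan account: needs a documented owner
                findings.append(Finding(name, "no_hr_owner",
                                        "EPHI-capable account with no workforce member on the roster"))
            continue
        if emp["status"] == "terminated":
            term = date.fromisoformat(emp["termination_date"])
            if enabled:
                findings.append(Finding(name, "terminated_still_enabled",
                                        f"terminated {term}, account still enabled"))
            if last_logon > term:
                findings.append(Finding(name, "logon_after_termination",
                                        f"last logon {last_logon} is after termination {term}"))
        elif enabled and has_ephi and (as_of_date - last_logon).days > stale_days:
            findings.append(Finding(name, "stale_ephi_access",
                                    f"no logon since {last_logon} ({(as_of_date - last_logon).days} days)"))
    return findings


if __name__ == "__main__":
    for row in access_list(HR_CSV, DIRECTORY_CSV):
        print(row)
    for f in reconcile(HR_CSV, DIRECTORY_CSV, as_of="2008-05-15"):
        print(f"{f.account}: {f.issue} ({f.detail})")
```

Running it prints the access list (the artifact for the "list of all user accounts" request) followed by the findings. On the constructed data the findings are exactly the cases an auditor probes against the termination and access-monitoring policies: an account still enabled after the employee's termination, a logon recorded after the termination date, EPHI access unused for longer than the review window, and an EPHI-capable account with no workforce owner on the roster. Replace the inline CSV strings with real exports and keep the output with the date it was generated; the value of this evidence is that it is reproducible, not that it is clean.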

HIPAA Audit: Other Documentation That May Be Requested (contd.)
- Organization chart, including staff members responsible for general HIPAA compliance and for the protection of EPHI
- Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures
- Policies and procedures governing the use of virus protection software
- Data backup procedures
- Disaster recovery plan
- Disaster recovery test plans and results
- Analysis of information systems, applications, and data groups according to their criticality and sensitivity
- Inventory of all information systems, including network diagrams listing hardware and software used to store, transmit or maintain EPHI
- List of all Primary Domain Controllers (PDCs) and servers
- Inventory log recording the owner and movement of media and devices that contain EPHI

Typical Security Initiatives: Emerging Best Practices
- Harden firewall solutions, IDS/IPS
- Secure facilities and server systems
- Implement identity management systems
- Deploy a Single Sign-On (SSO) solution
- Activate auditing capabilities to manage and track access
- Schedule regular scans of the infrastructure
- Deploy integrity controls and encryption
- Develop contingency plans
- Conduct security training and awareness
- Update security policies

Getting Started…

About ecfirst
Provider of compliance, cyber security and IT professional services:
- Managed Compliance Services Program (MCSP) for HIPAA
- AuditShield(TM) service launched to support client audit efforts
- BIA and Disaster Recovery Plan (DRP) development
- Annual Risk Analysis and Quarterly Vulnerability Assessments
Recognition:
- Achieved Inc. 500 status in 2004
- Exclusively endorsed by the American Hospital Association (AHA)
Innovation:
- Launched the Certified Security Compliance Specialist(TM) (CSCS(TM)) program addressing PCI, ISO, SOX, HIPAA and international security regulations
customers worldwide –

Thank You!
Join me, May 20th: Realizing HIPAA Compliance for Credential Management Through SSO – register at
Ali Pabrai, CISSP, CSCS