Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007.

Slides:

Advertisements

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Advertisements

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

HIPAA Regulations What do you need to know?.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

Data Breach Risks Overview Heather Pixton www2.idexpertscorp.com

1 Red Flags Rule: Implementing an Identity Theft Prevention Program Health Managers Network May Chris Apgar, CISSP President, Apgar & Associates,

Security and Personnel

Security Controls – What Works

IT Security Challenges In Higher Education Steve Schuster Cornell University.

12 th National HIPAA Summit – Managing a Data Security Audit Program 2.05, 1:15 PM Chris Apgar, CISSP Apgar & Associates, LLC.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Training for Management Complying with the HIPAA Security Law.

HIPAA PRIVACY AND SECURITY AWARENESS.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

2012 Audits of Covered Entity Compliance with HIPAA Privacy, Security and Breach Notification Rules Initial Analysis February 2013.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Challenges in Infosecurity Practices at IT Organizations

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

New Identity Theft Rules Rodney J. Petersen, J.D. Government Relations Officer Security Task Force Coordinator EDUCAUSE.

Eliza de Guzman HTM 520 Health Information Exchange.

MU and HIPAA Compliance 101 Robert Morris VP Business Services Ion IT Group, Inc

The Fifth National HIPAA Summit – October 30, 2002 What to Do Now: Operational Implementation of HIPAA Privacy and Security Training Presented by: Steven.

IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.

Working with HIT Systems

Eleventh National HIPAA Summit 5.04 Security Incident Response – What to do if a breach occurs and how to mitigate damages Chris Apgar, CISSP.

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

Energize Your Workflow! ©2006 Merge eMed. All Rights Reserved User Group Meeting “Energize Your Workflow” May 7-9, Security.

CIBC Global Services © 2006, Echoworx Corporation Ubiquity of Security Compliance and Content Management Stephen Dodd Director – Enterprise Accounts.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,

Privacy Act United States Army (Managerial Training)

Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office.

Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

Key Points for a Privacy Programme for Multinationals Steve Coope.

Patricia Alafaireet Patricia E. Alafaireet, PhD Director of Applied Health Informatics University of Missouri-School of Medicine Department of Health.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

Principles of Information Security, Fourth Edition Chapter 1 Introduction to Information Security Part II.

Business Continuity Planning 101

Computer Security and the “H” word Glen Klinkhart, CEO Mike Messick, CTO.

Introduction to Business (MRK 151)

Microsoft 365 Get help with regulatory compliance

Health Care: Privacy in a Digital Age

HIPAA Security Standards Final Rule

Enforcement and Policy Challenges in Health Information Privacy

Pam Matthews, FHIMSS Director of Business Information Systems Business Information Systems is focused around administrative and financial information.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Managing Privacy Risk in Your Commercial Practices

HIPAA Privacy and Security Update - 5 Years After Implementation

Introduction to the PACS Security

Presentation transcript:

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007

 Balancing business & security  Security & privacy not all technology  Placement of privacy & security - Organizational oversight  Importance of risk analysis  Other non-technical requirements  Selling security  Q&A 12/12/20072Apgar & Associates, LLC (c) 2007

 DoD protection not required  Risks are unavoidable  Remember profitability  Privacy & security solutions need to represent sound practice for the industry & the size & complexity of the organization 12/12/20073Apgar & Associates, LLC (c) 2007

 HIPAA security rule flexible – take advantage of flexibility  Expensive tools not always best protection  Business needs to adopt security culture  Users need to be involved – greatest risk area 12/12/20074Apgar & Associates, LLC (c) 2007

 HIPAA security rule – more than 1/3 administrative security  Technology section not predominant section – support to administrative security  Physical security may involve technology but often involves old fashioned keys & fire extinguishers 12/12/20075Apgar & Associates, LLC (c) 2007

 Privacy requires appropriate security but not necessarily technically specific solutions  Privacy (and security) more people focused  Technology important but needs to support needs of the business and sound administrative/physicial security requirements 12/12/20076Apgar & Associates, LLC (c) 2007

 Examples: ◦ Access control administrative safeguard ◦ Audit administrative & technical safeguard ◦ Risk analysis administrative safeguard ◦ Disaster recovery/emergency mode operations plans ◦ Training ◦ Policies & procedures 12/12/20077Apgar & Associates, LLC (c) 2007

 Examples (continued): ◦ Patient privacy rights – primarily paper interface ◦ Privacy covers non-electronic & many providers continue to rely on paper charts (even after EHR implementation) ◦ Appropriate application security (e.g., EHR, bio-medical devices, PHR, etc.) lacking in today’s applications ◦ Secure relies on sender & recipient 12/12/20078Apgar & Associates, LLC (c) 2007

 Variations between organizations – who is appointed privacy and security officers (no matter the size)  Generally security reports to IT  Frequently privacy officer training lacking  Frequently security officer non- technical training lacking 12/12/20079Apgar & Associates, LLC (c) 2007

 Authority & responsibility of privacy & security officers vary between organizations ◦ Sometimes “only because HIPAA requires it” ◦ Too often positions lack authority to force/effect change ◦ Often responsibility exceeds authority ◦ Important findings/risks overlooked 12/12/200710Apgar & Associates, LLC (c) 2007

 Privacy & security officers organizational placement vary  Placement in organization needs to consider position effectiveness and perceived neutrality  Positions need to be view as positions of trust 12/12/200711Apgar & Associates, LLC (c) 2007

 Appropriate placement of privacy officer in organization: ◦ Compliance office ◦ Legal ◦ CEO/president ◦ Senior executive with cross-organization responsibilities/authority 12/12/200712Apgar & Associates, LLC (c) 2007

 Appropriate placement of security officer in organization: ◦ Compliance office ◦ Legal ◦ CEO/president ◦ Senior executive with cross-organization responsibilities/authority ◦ Not CIO 12/12/200713Apgar & Associates, LLC (c) 2007

 Positions need to be visible in positive way  Heavy visible engagement in audits, risk analysis, policy/procedure development, etc.  Interaction with local, state, federal standards development projects & bodies required 12/12/200714Apgar & Associates, LLC (c) 2007

 HIPAA security rule requires risk analysis conducted regularly  Foundation for security program: ◦ Risk identification & mitigation ◦ Policy & procedure development/ amendment ◦ Disaster recovery/emergency mode operations plan building block ◦ Audit criteria development ◦ Workforce training content & requirements 12/12/200715Apgar & Associates, LLC (c) 2007

 Conducted at least annually or when any major system or business change occurs  Most health care organization haven’t conducted risk analysis since security rule effective date  Risk analysis reflects environmental, technical, business, etc. changes which don’t stop 12/12/200716Apgar & Associates, LLC (c) 2007

 Most health care organizations conduct qualitative or combined qualitative/ranking risk analysis  Frequently risk analyses not standardized within organization  Security controls evaluated often not technical  Lack of follow through/mitigation an issue 12/12/200717Apgar & Associates, LLC (c) 2007

 Organizations miss value – data collected during sound risk analysis applicability to other standards & processes  Security officer – educational role  Need to know business and assist in identifying risks to mitigate and risks to accept 12/12/200718Apgar & Associates, LLC (c) 2007

 Balance identified risks between security, privacy & business needs  Risk analysis should be globally rather than technically focused  User involvement required – employees often know of risks before management  Match perception with reality 12/12/200719Apgar & Associates, LLC (c) 2007

 Risk management ties it all together  Proper training key to successful security & privacy program  Remote users represent significant non-technical threat  Physical security – protect the infrastructure 12/12/200720Apgar & Associates, LLC (c) 2007

 People most significant threat  Role based access control – appropriate, tracked and enforced  Trading partners & business associates – inter-organizational agreements/contracts  Legal requirements (state, federal, case law) 12/12/200721Apgar & Associates, LLC (c) 2007

 Security/privacy incident response  Breach notification requirements  Trust building between organizations and consumers  Non-electronic data management  Document/data retention & destruction (FRCP, HIPAA, etc.) 12/12/200722Apgar & Associates, LLC (c) 2007

 ROI difficult to sell/demonstrate  Package as insurance policy  Identify damages caused by lax security ◦ Regulatory compliance ◦ Liability ◦ Business reputation ◦ Economic loss – trust, trade secrets, etc. ◦ Lost data can bring down business 12/12/200723Apgar & Associates, LLC (c) 2007

 Keep horror stories to a minimum  Senior management – focus on non- technical risks (what will it cost in damages)  Too much tech talk leads to glazed eyes  Tie directly to business (must know the business)  Clearly map to the risks (the value in pictures) 12/12/200724Apgar & Associates, LLC (c) 2007

 Be reasonable – remember organization size, complexity and financial viability  Sell phased security/privacy  Rely on fact & accurate business impact  Clearly spell out costs: ◦ Solution cost (acquisition, installation, maintenance) ◦ Staff support requirements (implementation & maintenance  Be prepared to negotiate 12/12/200725Apgar & Associates, LLC (c) 2007

Chris Apgar, CISSP President