The Privacy Cycle A Five-Step Process to Improve Your Privacy Culture


1 The Privacy Cycle A Five-Step Process to Improve Your Privacy Culture
Presented By Tim Burris Product Manager, Iatric Systems

2 Today’s Speaker: Tim Burris, Product Manager, Iatric Systems

3 The Privacy Cycle: a continuous process that relates regulations to meaningful actions in healthcare organizations

4 5 Key Steps to the Privacy Cycle
Policy and Procedure Review
Auditing
Documentation
Trend Analysis
Corrective Action

5 Step 1 Policy & Procedure Review

6 Step 1: Policy & Procedure Review Know Your Regulatory Requirements
HIPAA Security Rule, 45 CFR (a)(1)(i): Security management process
  Organizations must implement policies and procedures to prevent, detect, contain and correct security violations
HIPAA Security Rule, 45 CFR (b): Audit controls
  Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
HIPAA Security Rule, 308(a)(1)(ii)(D): Information system activity review
  Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports

7 Step 1: Policy & Procedure Review OCR Guidance
It is imperative for Covered Entities and Business Associates to review their audit trails regularly, both particularly after security incidents or breaches, and during real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach.

8 Step 1: Policy & Procedure Review Considerations
Determine “reasonable and appropriate” measures to implement
Conduct a comprehensive Risk Assessment (Risk vs. Likelihood)
Additional Considerations:
  Technical infrastructure
  Software capabilities
  Staffing and expertise

9 Step 1: Policy & Procedure Review Considerations
Effective and Enforceable
Include Process to Routinely Review
Remember the Real Goal – Promote Culture

10 Step 2 Auditing

11 Step 2: Auditing Know Your Data
Use Risk Assessment results to determine what systems need to be routinely audited:
  What systems are within scope
  What is the overall risk of each system
  What audit tools/features are available

12 Step 2: Auditing Know Your Users
Do you know who is using these systems? (Accountability)
What details do you have on each system user? (Identity Management)
Consider Non-employees, Physicians, Contractors, and Students
Have you documented what each user or role should have access to?

13 Step 2: Auditing Develop a Sustainable Program
Who is responsible?
Scope of Audits
Frequency of Audits
Procedures for investigation, escalation, and follow-up
Example: a weekly proactive auditing program with procedures for investigation of complaints or issues related to known security incidents.

14 Step 2: Auditing Proactive Auditing – What To Look For
Known relationships
  Neighbor, Coworker, Relative, Roommate, etc.
Suspicious Access Volumes
  Number of Logs Generated
  Number of Unique Patients Accessed
Irregular Behaviors
  Suspicious screens or events for a specific job title (e.g. a Registrar accessing Clinical Notes/Orders)
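The three proactive-auditing checks above (known relationships, suspicious access volumes, irregular behaviors for a job title) applied to a constructed ePHI access log, as an added illustration that is not part of the presentation or any Iatric Systems product. The log records, the user directory, the per-role screen lists and the unique-patient threshold are all assumed sample values; the shared-last-name test stands in for the richer relationship data a real program would draw from HR and registration systems.

```python
from collections import defaultdict

# Constructed sample ePHI access log, one tuple per audit record:
# (user_id, job_title, patient_id, patient_last_name, screen_or_event)
ACCESS_LOG = [
    ("jdoe", "Registrar", "P100", "Smith", "Demographics"),
    ("jdoe", "Registrar", "P101", "Jones", "Clinical Notes"),
    ("jdoe", "Registrar", "P102", "Doe", "Demographics"),
    ("rlee", "Nurse", "P100", "Smith", "Orders"),
    ("rlee", "Nurse", "P103", "Brown", "Clinical Notes"),
    ("rlee", "Nurse", "P104", "Green", "Clinical Notes"),
    ("rlee", "Nurse", "P105", "White", "Clinical Notes"),
    ("rlee", "Nurse", "P106", "Black", "Clinical Notes"),
]

# Constructed user directory (the "Know Your Users" identity data).
USERS = {"jdoe": {"last_name": "Doe"}, "rlee": {"last_name": "Lee"}}

# Assumed screens each job title is expected to use in normal work.
ROLE_SCREENS = {
    "Registrar": {"Demographics", "Insurance"},
    "Nurse": {"Demographics", "Clinical Notes", "Orders"},
}


def find_suspicious_access(log, users, role_screens, max_unique_patients=4):
    """Return (user, patient_id, reason) findings for the three slide criteria."""
    findings = []
    patients_by_user = defaultdict(set)
    for user, title, patient_id, patient_last, screen in log:
        patients_by_user[user].add(patient_id)
        # Irregular behavior: a screen outside what this job title normally uses
        if screen not in role_screens.get(title, set()):
            findings.append((user, patient_id, f"{title} accessed {screen}"))
        # Known relationship: a shared last name is a crude proxy; a real
        # program would also compare addresses, emergency contacts and HR data
        if users.get(user, {}).get("last_name") == patient_last:
            findings.append((user, patient_id, "shares last name with patient"))
    # Suspicious access volume: distinct patients above the review threshold
    for user, patients in patients_by_user.items():
        if len(patients) > max_unique_patients:
            findings.append((user, None, f"{len(patients)} unique patients accessed"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(ACCESS_LOG, USERS, ROLE_SCREENS):
        print(finding)
```

Each finding is a lead for the investigation and documentation steps that follow, not a conclusion; the threshold should come from the risk assessment and be tuned per role and system.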

15 Step 2: Auditing Consider Audit Solutions
A comprehensive audit solution can help save a lot of time by consolidating systems and helping to automate detection of suspicious activity

16 Step 3 Documentation

17 Step 3: Documentation Types of documentation
Incident documentation
  Provides details of every investigated incident. May also include investigations that resulted in no inappropriate actions.
Breach Risk Assessment
  Used to determine if a confirmed incident is an actionable breach.
Breach Documentation
  Specifically includes those incidents that identified a reportable breach.
Documentation of Breach notification actions
  Record when required notifications were provided.

18 Step 3: Documentation Document considerations
Capture additional information that could benefit later review:
  How was the incident identified?
  Details about the user: Job Title, Department, Hire Date, and Shift
  Relationship between user and patient

19 Step 4 Research & Trend Analysis

20 Step 4: Research & Trend Analysis Routine Review
Review documentation over time to identify trends in data

21 Step 4: Research & Trend Analysis Predict Future Incidents
Who: Patterns in Job Title, Role, Age Group, Experience, Hire Date, etc.
What: What parts of the chart are viewed, or what data is typically accessed as part of an inappropriate event
When: Most common times when incidents occur
Where: Facilities, departments, workstations, or remote workplaces that have the most incidents
Why: Determine motives – Snooping, Bored, Names in Media, Local VIPs/Celebrities, Information harvesting, malicious intent
How: What systems are they using? What path do they take? Do they take precautions to minimize their risk? Do they bypass security controls? Are they exploiting a particular feature or function?

22 Step 5 Corrective Action

23 Step 5: Corrective Action Sanctions
An effective and consistent sanction policy should be a priority

24 Step 5: Corrective Action Goes beyond sanctions
What improvements can we make to prevent incidents in the future? Consider HIPAA Administrative, Technical, and Physical Safeguards.
Administrative
  Policies written and communicated effectively
  Training and awareness programs
  Identity & Access Management
Technical
  Accounts configured with least privilege necessary
  Role based access controls
  Technology to detect future incidents of this type
Physical
  Devices in private locations
  Workstation and screen positioning

25 Rinse and Repeat
Policies
Auditing
Documentation
Trend Analysis
Corrective Action

26 Questions & Discussion

27 Takeaways
A strategy to tie Policies and Procedures to an effective, continuous process that improves your organization’s Privacy Culture
Tips for building a successful proactive auditing and documentation program
An approach to routinely analyze incidents for patterns so that future incidents can be prevented through realistic corrective action measures

