Presentation is loading. Please wait.

Presentation is loading. Please wait.

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 1 Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

Published byColeen Page Modified over 8 years ago

Similar presentations

Presentation on theme: "Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 1 Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures."— Presentation transcript:

1 Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 1 Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures and Standards

2 What We’ll Cover… Identify the regulatory requirements –HIPAA privacy and security rules Best practices Identify and assess protection measures –Access control –Firewalls –Intrusion detection –Encryption –Importance of user training Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 2

3 Security and Privacy Under HIPAA, protected health information (PHI) includes: any individually identifiable health information, as well as health information with data which could reasonably be expected to allow individual identification. Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 3

4 Security and Privacy Federal, state, and local laws control access to and control of health record information. These laws govern: Who can have access What should be done to protect the data How long the records should be kept What to do if a breach is discovered Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 4

5 Security and Privacy 18 identifiers are recognized as providing identifiable links to individuals, including: Names, addresses, ZIP codes Dates (birth dates, discharge dates, etc.) Contact info, including email, web URLs Social Security Numbers or record numbers Account numbers of any sort License numbers, license plates, ID numbers Device identifiers, IP addresses Full face photos, finger prints, recognizable markings Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 5

6 Security and Privacy State and local laws vary. Federal law tends to supersede state and local laws. Where overlap occurs, always choose the tightest constraint. Our lecture will focus on federal regulatory obligations. Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 6

7 Common Types of Security Breaches Inside jobs and social engineering Brute force Eavesdropping Data modification Identity spoofing Password-based attacks Denial of service attacks Man in the middle attacks Application layer attacks Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 7

8 What is HIPAA Privacy? Federal law governing privacy of patients' medical records and other health information maintained by covered entities Covered entities include: –Health plans, including Veterans Health Administration, Medicare, and Medicaid –Most doctors & hospitals –Health care clearinghouses Compliance required since April 2003 Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 8

9 HIPAA Privacy Rule Health and Human Services’ (HHS) Office of Civil Rights (OCR) investigates all Health Insurance Portability and Accountability Act (HIPAA) privacy and security complaints –54,562 complaints received as of August 2010 Filed against: –Private health care practices –General hospitals –Pharmacies –Outpatient facilities –Group health plans Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 9

10 HIPAA Privacy Rule Compliance issues investigated most often: 1.Impermissible uses and disclosures of protected health information (PHI) 2.Lack of safeguards of PHI 3.Lack of patient access to their PHI 4.Uses or disclosures of more than the minimum necessary PHI 5.Complaints to the covered entity Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 10

11 HIPAA Security Rule Established standards for securing electronic protected health information (ePHI) –Ensure confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit –Identify and protect against reasonably anticipated threats to the security or integrity of the information –Protect against reasonably anticipated, impermissible uses or disclosures –Ensure compliance by their workforce Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 11

12 What is Required by HIPAA Security? HIPAA Security requirements can be broken down into four categories: Administrative safeguards Physical safeguards Technical safeguards Organizational requirements Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 12

13 Administrative Safeguards Address the “process” of security management in your organization Require a risk analysis be performed and steps taken to mitigate identified risks. This analysis includes: –Evaluating the likelihood and impact of potential risks to e- PHI –Implementing appropriate security measures to address the risks identified in the risk analysis –Documenting the chosen security measures and, where required, the rationale for adopting those measures –Maintaining continuous, reasonable, and appropriate security protections Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 13

14 Administrative Safeguards –You must designate a security official responsible for developing and implementing security policies and procedures. This person should: Have knowledge of good HIPAA practices and be familiar with established IT security standards. Be able to interface well with all levels of management and staff. Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 14

15 Administrative Safeguards –Require a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user’s or recipient's role (role-based access). –Can your policy address these questions? Who gets access to ePHI data? What level of access is needed? Who is the agent authorizing the access? Is this authorization adequately documented? Is the access periodically reviewed? Is there a process for rescinding access once it’s no longer needed? Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 15

16 Administrative Safeguards –Must set up processes for appropriate authorization and supervision of workforce members who work with e-PHI. –Must routinely train all workforce members regarding security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate Its policies and procedures. Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 16

17 Physical Safeguards - Access Limit physical access to facilities while ensuring that authorized access is allowed –Server rooms where ePHI is stored –Work areas where ePHI is accessed –Back-up media storage potentially containing ePHI Inventory your hardware and software. –Know where the inventory is kept. –Know the value of your hardware, software, equipment. Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 17

18 Physical Safeguards - Access Implement policies and procedures specifying proper use of and access to workstations and electronic media, including its transfer, removal, disposal, and re-use. –Lock down publicly-accessible systems potentially containing ePHI. –Use strong passwords (8-14 characters with a variety of letters, symbols, and numbers) that are changed regularly. –Encrypt electronic media using 256-bit encryption, especially for wireless, backups, and offsite data. –ePHI media should be destroyed after being thoroughly wiped. Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 18

19 Technical Safeguards - Access Control Addresses access controls, audit controls, integrity, person, or entity authentication and transmission security. HIPAA security rules require measures to guard against unauthorized access. Adequate access controls include: –Active Directory / LDAP –Vendor-specific controls Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 19

20 Technical Safeguards - Access Control Firewall –Inspects incoming network traffic and permits or denies access based on a set of criteria. –May be hardware or software driven. –Blocks ports through which an intruder can gain access. –Is most commonly placed on the network perimeter (network-based) or on a network device (host-based). Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 20

21 Firewalls Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 21 BLOCKED ALLOWED NETWORK FIREWALL COMPUTER FIREWALL

Download ppt "Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall 2010 1 Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Hipaa privacy and Security

Hipaa privacy and Security
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.

The Health Insurance Portability and Accountability Act Basic HIPAA Training For CMU workforce with access to PHI.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA Security Training 2005

HIPAA Security Training 2005
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.

Similar presentations

Ads by Google