
Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.


1 Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy

2 Agenda
Why Focus on Authentication?
HIPAA Security Requirements
Selecting Authentication Technologies
Framework for Assessing Authentication Technologies – Examples
Summary
Case Study: McKesson

3 Why Focus on Authentication?
Foundation for other critical services
Growing need for stronger authentication
–Expanding access to applications
–User base
–SSO
HIPAA
[Graphic: authenticated identity (user, device, application, group, organization) as the foundation for three layers: business policy (liability, assurance for transactions; relationships between people, groups, and organizations); applications and services (access control and authorization; relationships between identities and information); presentation / personalization (what the user sees; defining relationships through quality of experience). Source: Burton Group, “Enterprise Identity Management”, October 2002]

4 HIPAA Security Requirements
General requirements
–Ensure the confidentiality, integrity, and availability of all electronic protected health information
–Protect against any reasonably anticipated threats or hazards and uses or disclosures not permitted under privacy regulations
Flexible approach
–Use security measures that reasonably and appropriately implement the standards based on risk analysis
–Consider organizational size, complexity, existing infrastructure, and capabilities, as well as costs
–Technology-neutral

5 HIPAA Security Requirements
Technical safeguards
–Authentication, access control, data integrity, transmission security, audit controls
Administrative safeguards
–Policies and procedures, risk analysis, workforce training, disaster recovery, evaluation, business associate contracts
Physical safeguards
–Controlling access to facilities, workstation security, device and media controls

6 HIPAA Security Requirements
“Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”*
*45 CFR Part 164.312, HIPAA Security Standards: Technical Safeguards

7 HIPAA Security Requirements
Based on risk analysis, select an appropriate and reasonable method
–Look at security best practices in the industry
For some applications, best practices require more than passwords
–E.g. “Remote access requires two-factor authentication.”*
For others, current best practices say passwords are okay
–E.g. patient or member access to web sites**
For many applications, the choice will depend on the organization
Best practices are evolving
*HIPAA Security: the latest and best practices, Tom Walsh, CISSP, HIMSS, 2003
**Gartner

8 Selecting Authentication Technology
Levels of authentication
–Single factor versus multi-factor
Diverse environments
–On-site clinical versus on-site office
–Web access for patients/members
–Remote and web access for professionals
Selection criteria
–Strategic fit in corporate/system
–Strategic fit for users
–Total cost of ownership
Passwords

9 Framework for Assessing Authentication Technologies: Authentication Scorecard
Total Cost of Ownership
–Acquisition
–Deployment
–Operating
Strategic Fit (Corporate / System)
–Relative security
–Interoperability / back-end integration
–Robustness / scale
–Future flexibility
Strategic Fit (Users)
–Convenience / ease of use
–Portability
–Multi-purpose
Apply a score of 1-10 to each of the ten attributes.

10 Example: User ID/Password

11 Example: Hardware Tokens

12 Example: Digital Certificates

13 Example: Smart Cards

14 Summary
Selection of authentication technology depends on
–Organization
–Application
–Risk analysis
–Best practices
Case study
–Implementing authentication for an SSO initiative
–Meet HIPAA and other requirements

15 Laura Robinson, Healthcare Industry Analyst, RSA Security, Inc., lrobinson@rsasecurity.com
