North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

Size: px
Start display at page:

Download "North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP"

Transcription

1 Mobile Device Management Risky Business in Healthcare North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

2 Agenda HIPAA/HITECH & Mobile Devices Breaches Federal and State Law Implications Text Messaging & PHI Is it Legal? Importance of a Risk Analysis The Mobile Health Revolution Privacy and Security Implications

3 HIPAA/HITECH & Mobile Devices HITECH included breach notification requirements now defined in the omnibus privacy, security, enforcement and breach notification rule If mobile devices are lost or stolen and ephi is not encrypted breach of unsecure PHI Texting ephi, if intercepted, also represents a breach of unsecure PHI

4 HIPAA/HITECH & Mobile Devices Mobile devices passwords required per the HIPAA Security Rule This means passwords need to be activated, strong, regularly changed and not reused for several password change iterations The benefits of multi-factor authentication in reducing risk Remember auto logoff

5 The Rise of the Smart Phone 49% of adult Americans own a smartphone 60% of Americans making > $75 K own one 60% of Americans ages 18 to 35 own one iphone (35%); Android (24%); Blackberry (24%) Pew Internet & American Life Project, 7/2011

6 The Rise of the Smart Phone 90% of smartphone owners used it to access or the Internet 25% do most of their online activities on their smartphone The Pew Internet & American Life Project (July 2011)

7 The Rise of the Tablet Tablets are replacing PCs: 77% of tablet owners use their tablets for activities previously done on their laptop/ desktop 35% of tablet owners use their desktop less 32% of tablet owners use their laptop less Why? (1) Easy to carry (31%); (2) Easy to interface (21%); (3) Quick start-up (15%) Nielsen Study (May 2011)

8 Mobile Device Use Decisions how will mobile devices be used in your workplace: Ban use (unrealistic) Require they be company owned (lowest risk by may not be realistic) Bring your own device (BYOD) with mobile device management (MDM) software and policies

9 Mobile Device Use Decisions how will mobile devices be used in your workplace (continued): BYOD with sandbox and software (not always user friendly) BYOD with mobility management software and policies (may leave PHI stored on device) BYOD with policies (difficult to enforce) BYOD with no controls (highest risk)

10 Mobile Device Use Benefits Allowed use of BYOD increases employee satisfaction and productivity: 78% of surveyed employees believe that BYOD superior company provided device (Six Degrees Group Oct. 2011) BYOD eliminates need to carry multiple devices

11 Mobile Device Use Benefits Perceived decreased costs for companies that elect to adopt BYOD practice Citrix use realized 20% cost savings over three years and drop in desktop support requests and incident reports (Computer Business Review Online Dec. 2011) Thin client (such as Citrix) reduces likelihood of stored PHI

12 Mobile Device Key Risk Areas Information Governance: Litigation Hold compliance Record retention Record destruction Confidentiality Regulatory: GLBA, HIPAA and other laws requiring information security controls

13 Mobile Device Key Risk Areas Information security: Required encryption Breach notification Employee privacy Stored Communications Act Computer trespass Wage & hour compliance IP and Trade Secret protection

14 Mobile Device & Data Loss Top causes of PHI and other sensitive data loss: Lost or stolen devices/media (31%) Hackers (23%) Web 2.0 and file sharing (21%) Unsecured mobile devices/media (13%) misrouted (6%) BYOD are carried more frequently and lost or stolen more frequently than company supplied laptops

15 Mobile Device & System Security 80% of CIOs believe BYOD use increases company vulnerability to attack (Ovum Study 11/2010) 46% increase in development of mobile device malicious software between 2009 and 2010 (McAfee 2/2011) No vetting of apps submitted to Android Play Store 10% of apps store passwords in clear text (Via Forensics Study 8/2011)

16 Mobile Device General Risks BYOD and company issued mobile device backups to personally owned devices such as itunes backup Personal use of cloud-based that includes PHI such as icloud, imessage, Dropbox, Google Docs, SugarSync Use of remote access tools exposing PHI such as Splashtop and LogMeIn

17 BYOD Specific Risks Difficult to enforce information security, especially without use of MDM tools Potential personal property issues: Data difficult to access for security incident investigations Data difficult to access if litigation hold required May not be able to recover sensitive data upon termination

18 Text Messaging & PHI Is it Legal? HIPAA and HITECH do not prohibit use of text messaging to send and receive ephi from a mobile device HITECH requires individual and OCR notification if text messaging is unencrypted and messages intercepted Texting ephi represents a risk to covered entities and business associates Risk should be assessed as part of required risk analysis

19 Text Messaging & PHI Is it Legal? HIPAA and HITECH do not specifically require encryption of text messages or mobile devices HIPAA requires risks associated with ephi stored on and transmitted to and from mobile devices be assessed and mitigated if the risk is deemed significant Don t forget Meaningful Use Stage 2 The bottom line does your organization believe text messaging represents a risk sufficient to prohibit texting ephi or is the risk considered acceptable Documentation is critical

20 Importance of a Risk Analysis All covered entities required to periodically conduct risk analyses since April 2005 and many do not Business associates required by statute to conduct periodic risk analyses since February 2010 OCR will enforcing business associate compliance very soon State attorneys general already are

21 Importance of a Risk Analysis Risk analysis represents the proactive process that is the foundation of your security program A through risk analysis should include assessment of mobile device use (especially BYOD) The required risk analysis needs to address more than just technology Risks associated with mobile devices can be high

22 Importance of a Risk Analysis Breaches becoming more and more common; many are preventable Interception of text messages likely to increase Stored text messages and voice mail that include ephi represent a risk More breaches related to workforce carelessness or lack of training Need to account for and mitigate risks or document why a risk will not be mitigated

23 Risk Mitigation Limit BYOD and mobile device use to defined and controlled categories of employees and contractors Require company configuration of mobile devices (company owned) and prohibit employees and contractors from disabling or modifying Restrict company resources that can be accessed remotely (e.g., , calendar and contacts only)

24 Require: Risk Mitigation Encryption of data stored on mobile devices and portable media Password protection (strong passwords, periodic changes, etc.) Maximum password attempts Inactivity timer/auto-logoff Remote wipe capability (all company owned; selective BYOD) Anti-malware protection

25 Risk Mitigation Consider multi-factor authentication Restrict storage of company data BYOD (e.g., only without attachments, calendar entries and contact cards) BYOD subject to all company policies Inform employees and contractors BYOD will be monitored when connected to the company network

26 Risk Mitigation Inform employees and contractors BYOD and associated passwords will be inspected upon reasonable request for company investigations if personally owned mobile devices used for business/clinical purposes Be prepared to provide a company owned mobile device if employees or contractors are required to use mobile devices and do not agree to device inspection

27 Risk Mitigation Require employees and contractors immediately report lost or stolen device Obtain and document employee and contractors agreement to remote wipe in the event of loss, theft, or termination Add inspection of BYOD to exit interview procedures. Robust training is critical

28 Risk Mitigation Policies & Procedures Policies required by HIPAA Privacy and Security Rules OCR Culture of Compliance robust policies and procedures including employee and contractor training Includes development and implementation of mobile device and portable media policies and procedures Don t forget sanctions

29 Mobile Device Agreement Include the following elements in employee/contractor mobile device use agreement (BYOD & company owned): Agree to remote wipe Agree to company monitoring when connected to company network Agree to device inspection incident investigation & legal hold

30 Mobile Device Agreement Mobile device use agreement (BYOD & company owned; continued): Agree to hold company harmless if device is damaged and/or if personal data is viewed Company will configure and install security software

31 Mobile Device Agreement Mobile device use agreement (BYOD & company owned; continued): Employee/contractor won t modify or delete configuration/security software Immediately report if device lost or stolen Limit storage of company data on device Acknowledge company policies and procedures apply to device use

32 Increase in Consumerism Significant increase in the use of Internet and mobile devices for personal health purposes Patient portals Health plan claims access and wellness Mobile device health applications (e.g., prescription management, diabetes management, personal medical record storage, etc.)

33 Increase in Consumerism New health care delivery models Medical in-home visits and treatment Assistive living devices ACO and state equivalents Patient portals Remote diagnostics and patient e- communication Telemedicine Patients can and will share PHI covered entities not responsible for personal decisions

34 Regulations & Mobile Devices: A final word HIPAA Security Rule requires protection of ephi when used, disclosed, stored or transmitted Storage of ephi on mobile devices represents another security environment to protect Encryption of mobile devices used to store ephi no longer addressable given related risks

35 Summary and Q&A Chris Apgar, CISSP CEO & President

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK Chris Apgar Andy Nieto 2015 OVERVIEW How to get started assessing your risk What your options are how to protect PHI What s the

More information

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates HIPAA Myths WEDI Regional Affiliates Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the

More information

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice Agenda Learning objectives for this session Fundamentals of Mobile device use and correlation to HIPAA compliance HIPAA

More information

5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES

5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES White paper 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES PROTECTING PHI ON PORTABLE DEVICES 2016 SecurityMetrics 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES 1 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES PROTECTING

More information

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating

More information

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right

More information

HIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates

HIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates HIPAA Myths WEDI Member Town Hall Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right

More information

Electronically Communicating in Compliance with HIPAA Privacy and Security Requirements. Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP

Electronically Communicating in Compliance with HIPAA Privacy and Security Requirements. Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP Electronically Communicating in Compliance with HIPAA Privacy and Security Requirements Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP Agenda Communicating with Patients Security Rule compliance

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

HIPAA Requirements and Mobile Apps

HIPAA Requirements and Mobile Apps HIPAA Requirements and Mobile Apps OCR/NIST 2013 Annual Conference Adam H. Greene, JD, MPH Partner, Washington, DC Use of Smartphones and Tablets Is Growing 2 How Info Sec Sees Smartphones Easily Lost,

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Electronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security

Electronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile

More information

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Checklist for Breach Readiness Enabling a Resilient Organization Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Facts about breach violation impact

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

The CIO s Guide to HIPAA Compliant Text Messaging

The CIO s Guide to HIPAA Compliant Text Messaging The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

Security and Compliance challenges in Mobile environment

Security and Compliance challenges in Mobile environment Security and Compliance challenges in Mobile environment Emerging Technologies November 19, 2013 Bob Bastani Introductions Bob Bastani, Security & Compliance Program Manager, IBM, 301-803-6078, bbastani@us.ibm.com

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

HIPAA Privacy and Information Security Management Briefing

HIPAA Privacy and Information Security Management Briefing HIPAA Privacy and Information Security Management Briefing Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315 Soumitra Sengupta Information Security Officer sen@columbia.edu (212)

More information

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright

More information

Common HIPAA Risks & The New HITECH Final Rule

Common HIPAA Risks & The New HITECH Final Rule Common HIPAA Risks & The New HITECH Final Rule Eric W. Humes 1 What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to protect the privacy of patient

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

Managing Mobile Device Security

Managing Mobile Device Security Managing Mobile Device Security Kathy Downing, MA, RHIA, CHPS, PMP AHIMA Director Practice Excellence Objectives Understand how HIPAA and HITECH apply to mobile devices. Understand the oversight needed

More information

Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes

Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes Watch the Replay Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes FairWarning Executive Webinar Series May 20, 2014 #AnytimeAudit Today s Panel Laura E. Rosas, JD, MPH

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

Network Security for End Users in Health Care

Network Security for End Users in Health Care Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP. Director of Compliance, Chief Privacy and Information Security Officer. Pensacola, Florida

Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP. Director of Compliance, Chief Privacy and Information Security Officer. Pensacola, Florida 2015 SCCE Compliance & Ethics Institute Wednesday, October 7, 2015 (10:00 11:45) Session W14 Bring Your Own Device(BYOD) They are here and they are not going away. Understanding the benefits, risks, and

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

HIPAA Security Rule Changes and Impacts

HIPAA Security Rule Changes and Impacts HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.

More information

Securing Health Data in a BYOD World

Securing Health Data in a BYOD World BUSINESS WHITE PAPER Securing Health Data in a BYOD World Five strategies to minimize risk Securing Health Data in a BYOD World Table of Contents 2 Introduction 3 BYOD adoption drivers 4 BYOD security

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations Inside ü Tips for deploying or expanding BYOD programs while remaining

More information

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA.

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. What is Mobile Security? Mobile security is the protection of both personal and business information stored on and transmitted

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

June 2013. May 7, 2013 IT SECURITY, HIPAA PRIVACY AND DISASTER RECOVERY

June 2013. May 7, 2013 IT SECURITY, HIPAA PRIVACY AND DISASTER RECOVERY May 7, 2013 IT SECURITY, HIPAA PRIVACY AND DISASTER RECOVERY 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

Adams County, Colorado

Adams County, Colorado Colorado Independent Consultants Network, LLC Adams County, Colorado Bring-Your-Own-Device Policy Prepared by: Colorado Independent Consultants Network, LLC Denver, Colorado March 20, 2014 Table of Contents

More information

Agenda. Overview of BYOD in Healthcare lh Legal Risks Associated with BYOD Recommendations to Address Legal Risks 4/18/2016

Agenda. Overview of BYOD in Healthcare lh Legal Risks Associated with BYOD Recommendations to Address Legal Risks 4/18/2016 Inviting Legal to the BYOD Party Laura Clark Fey, Esq., Principal, Fey LLC Agenda Overview of BYOD in Healthcare lh Legal Risks Associated with BYOD Recommendations to Address Legal Risks 2 1 OVERVIEW

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101

Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101 Human Subject Research: HIPAA Privacy and Security Human Research Academy 101 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

= AUDIO. The Importance of Mobile Device Management in HIT. An Important Reminder. Mission of OFMQ 12/9/2015

= AUDIO. The Importance of Mobile Device Management in HIT. An Important Reminder. Mission of OFMQ 12/9/2015 The Importance of Mobile Device Management in HIT Mario Cruz OFMQ Chief Information Officer An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906 0123. Step 2: Enter code 2071585#.

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Southwest Airlines 2013 Terms of Use Portable Devices Feb 2013

Southwest Airlines 2013 Terms of Use Portable Devices Feb 2013 1 TERMS OF USE As of February 3, 2013 The following terms and conditions of use ( Terms of Use ) form a legally binding agreement between you (an entity or person) and Southwest Airlines Co. ( Southwest

More information

Bring Your Own Device: Calling for a Strategy. CHIME College Live 23 April 2014

Bring Your Own Device: Calling for a Strategy. CHIME College Live 23 April 2014 Bring Your Own Device: Calling for a Strategy CHIME College Live 23 April 2014 Bring Your Own Device (BYOD) Topics» Introductions» Learning Objectives» Business Drivers» Key Strategies» Policy Issues»

More information

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY Illinois Department of Healthcare and Family Services Training Outline: Training Goals What is the HIPAA Security Rule? What is the HFS Identity

More information

An Independent Member of Baker Tilly International

An Independent Member of Baker Tilly International Healthcare Security and Compliance July 23, 2015 Presenters Kelley Miller, CISA, CISM - Principal Kelley.Miller@mcmcpa.com Barbie Thomas, MBA, CHC Barbie.Thomas@mcmcpa.com 2 Agenda Introductions Cybersecurity

More information

Mobile Device Deployments-The Security Dangers of Technology on the Go

Mobile Device Deployments-The Security Dangers of Technology on the Go Mobile Device Deployments-The Security Dangers of Technology on the Go Presented by Mark Bell, PMP, CISSP, CISA, CHSS OM03 Friday, 10/25/2013 3:45 PM - 5:00 PM Mobile Device Deployments Is Your Organization

More information

Assessing Your HIPAA Compliance Risk

Assessing Your HIPAA Compliance Risk Assessing Your HIPAA Compliance Risk Jennifer Kennedy, MA, BSN, RN, CHC National Hospice and Palliative Care Organization HIPAA Security Rule All electronic protected health information (PHI and EPHI)

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.

More information

Security and Privacy Considerations for BYOD

Security and Privacy Considerations for BYOD Security and Privacy Considerations for BYOD Carol Woodbury, President SkyView Partners, Inc 1 Introduction The world of BYOD (Bring Your Own Device) is rapidly expanding. You may not think it s happening

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Mobile Devices in the Workplace: What Every Employer Needs to Know

Mobile Devices in the Workplace: What Every Employer Needs to Know Mobile Devices in the Workplace: What Every Employer Needs to Know Presented by: Shannon Huygens Paliotta Senior Associate, Littler Mendelson, P.C. spaliotta@littler.com (412) 201-7631 Marcy McGovern Knowledge

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

White Paper. HIPAA-Regulated Enterprises. Paper Title Here White Paper White Endpoint Paper Backup Title Compliance Here Additional Considerations Title for Line HIPAA-Regulated Enterprises A guide for White IT professionals Paper Title Here in healthcare, pharma,

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Cyber Security. John Leek Chief Strategist

Cyber Security. John Leek Chief Strategist Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity

More information

HIPAA Security & Compliance

HIPAA Security & Compliance Creative Mind. Creative Heart. Creative Care. 2014 WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior

More information

Violation Become a Privacy Breach? Agenda

Violation Become a Privacy Breach? Agenda How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices

More information

A Guide to MAM and Planning for BYOD Security in the Enterprise

A Guide to MAM and Planning for BYOD Security in the Enterprise A Guide to MAM and Planning for BYOD Bring your own device (BYOD) can pose a couple different challenges, not only the issue of dealing with security threats, but also how to handle mobile applications.

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?

Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are

More information

Secure Endpoint Management. Presented by Kinette Crain and Brad Lewis

Secure Endpoint Management. Presented by Kinette Crain and Brad Lewis Secure Endpoint Management Presented by Kinette Crain and Brad Lewis Brad Lewis Brad Lewis - Service Specialist 14 years of IT experience In-House Support Manager Network Administrator Assessing Risk:

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Presented by: Gina L. Campanella, JD, MHA Rules that Control Privacy A collection of laws and regulations including:

More information

Bring Your Own Device (BYOD) and Mobile Device Management. tekniqueit.com

Bring Your Own Device (BYOD) and Mobile Device Management. tekniqueit.com Bring Your Own Device (BYOD) and Mobile Device Management tekniqueit.com Bring Your Own Device (BYOD) and Mobile Device Management People are starting to expect the ability to connect to public networks

More information

Making Mobility Matter in Healthcare Data Security

Making Mobility Matter in Healthcare Data Security Making Mobility Matter in Healthcare Data Security Four Critical Tactics Security in Transition Executive Summary Mobile device usage in healthcare facilities has increased significantly in recent years,

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

Bring Your Own Device (BYOD) and Mobile Device Management. www.cognoscape.com

Bring Your Own Device (BYOD) and Mobile Device Management. www.cognoscape.com Bring Your Own Device (BYOD) and Mobile Device Management www.cognoscape.com Bring Your Own Device (BYOD) and Mobile Device Management People are starting to expect the ability to connect to public networks

More information