Strategies for Integrating the HIPAA Security Rule
- Augustus Armstrong
- 8 years ago
Slide 1: Strategies for Integrating the HIPAA Security Rule
Kaiser Permanente: Charles Kreling, Executive Director; Sherrie Osborne, Director; Paulina Fraser, Director
Professional Strategies S, Fall Conference: Sail to Success (CRISC, CGEIT, CISM, CISA)
Slide 2: Agenda
1. About Kaiser Permanente
2. The Regulatory Compliance Challenge
3. Integrating Regulatory Compliance
4. Key Learnings
Slide 3: About Kaiser Permanente
- Nation's largest nonprofit health plan
- Integrated health care delivery system
- 9.1 million members
- 17,000 physicians
- 175,000 employees
- Serving 9 states and the District of Columbia
- 37 hospitals
- 618 medical offices and other facilities
- $50.6 billion operating revenue (2012)
Slide 4: Integrated Regulatory & Information Security Services (IRISS)
Mission*: Provide an integrated roadmap to simplify compliance with multiple security regulations in the information security area.
Vision*:
- Integrated strategic solutions for SOX, HIPAA & PCI
- Integrated requirements, guidance, and how-to manuals
- Exceptional customer service to Kaiser Permanente information security clients
Presenters: Charles Kreling, Executive Director, IRISS; Sherrie Osborne, Director, IRISS; Paulina Fraser, Director, IRISS
* IRISS was formed August 2013; mission & vision are draft.
Slide 5: The Regulatory Compliance Challenge: SOX, HIPAA/HITECH, & PCI at Kaiser Permanente
Organizations involved in HIPAA/HITECH, SOX, PCI, and other information security compliance (diagram):
- National Compliance Office (NCO)
- Business Application Owners (BAOs)
- Application Access Lifecycle Management (AALM)
- Technology Risk Office (TRO)
- Infrastructure Management Group (IMG)
- Meaningful Use Program Office (MU PMO)
- SOX PMO
- Business Information Officers (BIOs)
- Other
Slide 6: Sarbanes-Oxley (SOX) at Kaiser Permanente
Three SOX control areas (diagram): Security, Computer Operations, Change Management.
Slide 7: Sarbanes-Oxley (SOX) at Kaiser Permanente
Security:
- Access Controls (Host & Database): Provision, De-provision, QAR
- Configurations (Host & Database)
- SOD (Segregation of Duties): logical separation of duties
- Physical Security: review physical access to production hardware (security control, data center aspect)
- Application Access Lifecycle Management (Business Application Access Controls): Provision, De-provision, QAR
Intersection of Security & Change Management (Activity Monitoring): Application, Host & Database; Application
Intersection (ALL):
- Population Management (supporting function critical to successful execution of controls)
- Network monitoring
- Self Assessment monitoring
Computer Operations:
- Backup & Batch Jobs: Backup/Batch approval; Backup recoverable; Backup/Batch jobs monitored
- IT Incident Resolution (Problem & Incident)
Change Management:
- Change Management & Configuration Management: Changes authorized; Version control; Changes tested; Changes approved prior to migration; Review logical access to production
Slide 8: HIPAA Security Rule/HITECH at Kaiser Permanente
The HIPAA Security Rule aims to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The HIPAA Security Rule comprises: 1) Administrative Safeguards, 2) Physical Safeguards, 3) Technical Safeguards. Some safeguards are required while others are addressable.
Meaningful Use Core Set Objective 14/15: Privacy and Security
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement updates as necessary and correct identified security deficiencies as part of the Eligible Professionals (EP), Eligible Hospitals (EH), or Critical Access Hospitals (CAH) risk management process.
Slide 9: HIPAA Security Rule/HITECH at Kaiser Permanente: Risk and Control Matrix
The HIPAA Security Rule and Privacy Rule (data de-identification only) requirements (58 and 1 requirements, respectively) were organized into 24 control categories, aligned with SOX IT General Controls as applicable.
Data De-Identification Work Track: Uses and Disclosures
- Data De-Identification
Application and Infrastructure Work Tracks: Access, Activity Review, and Configuration
- System Activity Review and Audit Controls
- Incident Procedures
- User Access Provisioning
- User Access Termination
- User Access Review
- Configuration
- Change Management (Integrity)
Infrastructure Work Track: Emergency Management
- Disaster Recovery Plan
- Business Continuity Plan
Infrastructure Work Track: Data Security (In Transit and At Rest)
- Encryption
- Data Transmission
Infrastructure Work Track: Physical Security
- Facility Access
- Facility Access Termination and Review
- Facility Plan
- Facility Maintenance Records
- Device and Media Controls
- Workstations and Other Devices
Non-Application / Non-Technical Controls: Enterprise
- Contracts and Business Associate Agreements
- Policies and Governance
- Risk Management
- Training and Awareness
- Evaluation
- Workforce Management / Clearance
Note: These controls ensure security directives pertaining to the entire business. Business involvement is required in order to meet control objectives (e.g., application access controls, business continuity planning, etc.).
Slide 10: PCI-DSS at Kaiser Permanente
PCI-DSS objectives and "The Dirty Dozen" requirements:
Keep your network secure
1. Protect data with a firewall
2. Do not use default passwords
Protect cardholder data
3. Protect stored data
4. Encrypt data over public networks
Maintain a vulnerability management program
5. Perform regular anti-virus updates
6. Secure systems and applications
Control access to data and data systems
7. Restrict access to data
8. Assign unique IDs to each person
9. Restrict physical entry
Monitor and test
10. Monitor all data access
11. Test security systems and processes
Have an information security policy
12. Maintain an information security policy
Translates to more than 200 specific requirements. PCI is a 100% compliance requirement: failing one requirement means overall non-compliance.
Slide 11: The Regulatory Compliance Challenge
Around HIPAA/HITECH, SOX, PCI, and other information security compliance (diagram):
- Control design & implementation variation
- Testing methods & schedules not aligned/integrated
- Multiple risk & control assessment methods & tools
- Risk governance performed by multiple organizations
- Various risk models & standards
- Metrics & reporting not consistently integrated
- High cost of compliance
- Organizational frustration & compliance fatigue
- Multiple risk & control frameworks
Slide 12: Integrating Regulatory & Information Security Compliance
Framework diagram: HIPAA/HITECH, SOX, PCI, and other information security at the center, surrounded by six components: Technology Risk & Controls (TRC) Framework; Info Sec Policies & Standards; Assessment Methods & Tools; Requirements & Guidance; Common Services; Sustainment.
Slide 13: Integrating Regulatory & Information Security Compliance (component owners)
Same framework diagram, annotated with the group responsible for each component:
- TRM: TRC Framework; Info Sec Policies & Standards; Tools (Assessment Methods & Tools)
- ITC: Assessments (Assessment Methods & Tools); Control Self-Assessments (Sustainment)
- IRISS: Requirements & Guidance; System Activity Review, Data De-Identification, other (Common Services); Monitoring (Sustainment)
- IAM: Central Authentication (Common Services)
- Cyber: PLSE & technical / threat assessments
Slide 14: Integrating Regulatory & Information Security Compliance: Technology Risk & Controls (TRC) Framework
Benefits:
- Single framework encompassing all applicable regulations (including HIPAA, SOX, and PCI)
- Based on industry standards, but customized for Kaiser Permanente
- Basis for TRO risk assessment
Status: Being rationalized for consistency
Slide 15: Integrating Regulatory & Information Security Compliance: Technology Risk & Controls (TRC) Framework (example)
- Enables aggregated, comprehensive management of multiple factors
- Captures key data such as: Domain; Process description; Control objectives; Industry best practices
- Integrates SOX, HIPAA & PCI
Slide 16: Integrating Regulatory & Information Security Compliance: Info Sec Policies & Standards
Technology Risk Standard (TRS):
- Provides common language and integration for all regulatory terms
- Maps provisions to regulatory requirements, creating 100% traceability
- Aligns assessment methods and tools with TRS requirements
Policies:
- Ongoing refinement of policies to assure inclusivity and reduce redundancy
Slide 17: Integrating Regulatory & Information Security Compliance: Info Sec Policies & Standards (example)
(Framework diagram and example screenshot only.)
Slide 18: Integrating Regulatory & Information Security Compliance: Assessment Methods & Tools
Benefits:
- Provides common tools and methodologies based on the TRC Framework
- Lessens compliance fatigue by developing a "test once, use many" methodology
- Standardizes and integrates HIPAA/HITECH, SOX, and PCI assessments based on both common and unique attributes
- Improves audit readiness
Status: Integrated control assessment requirements are in the process of being defined
Slide 19: Integrating Regulatory & Information Security Compliance: Assessment Methods & Tools (example)
(Framework diagram and example screenshot only.)
Slide 20: Integrating Regulatory & Information Security Compliance: Requirements and Guidance
Benefits:
- Rationalizes all regulatory requirements into a single set of compliance instructions
- Customizable based on regulatory applicability
- Defines control attribute requirements for each regulatory framework
Status: Utilizes the 9 SOX Domain controls as its basis
Slide 21: Integrating Regulatory and Information Security Compliance: Requirements and Guidance (continued)
Multiple inputs are evaluated to create an integrated set of compliance manuals for HIPAA, SOX, and PCI.
Process steps:
1. Collaborate with stakeholders
2. Identify relevant HIPAA Standards/Implementation Specifications
3. Align HIPAA-SOX-PCI requirements
4. Draft and develop HIPAA-SOX-PCI control language and attributes
5. Objective: enhance HIPAA-SOX-PCI requirements and attributes
6. Deliver integrated compliance manual
Inputs:
- 9 SOX Domain Controls
- HIPAA Security Rule
- Centers for Medicare and Medicaid Services (CMS) guidance documents
- TRC Framework
- ITC Mapping
- Compliance manuals, narratives, other documents
- PCI DSS 2.0
- Authoritative sources (HITRUST, SIG, COBIT, ISO 27002, NIST)
- Stakeholder feedback/comments on draft HIPAA-SOX-PCI requirements and guidance
Slide 22: Integrating Regulatory and Information Security Compliance: Requirements and Guidance (continued): Making compliance easier
(Framework diagram only.)
Slide 23: Integrating Regulatory & Information Security Compliance: Requirements and Guidance (example)
(Framework diagram and example screenshot only.)
Slide 24: Integrating Regulatory & Information Security Compliance: Common Services
Benefits:
- Utilizes standardized, centralized, and scalable solutions
- Provides consistent control execution across all regulatory frameworks
Examples:
- Identity and Access Management (IAM)
- Application Access Lifecycle Management (AALM)
- System Activity Review / Elevated Activity Monitoring
- Data De-Identification (DDI)
Slide 25: Integrating Regulatory & Information Security Compliance: Sustainment
Benefits:
- Provides ongoing reporting of the risk landscape
- Enhances controls effectiveness and maturity
Examples:
- IRISS Monitoring services
- Controls Self-Assessments (CSAs)
Slide 26: Integrating Regulatory & Information Security Compliance: Approach to Compliance Sustainability
Kaiser Permanente built a strategy that sustains compliance and includes compliance education, monitoring and enforcement. The fast-changing regulatory environment requires that Kaiser Permanente take an aggressive and forward-thinking approach to regulatory compliance.
Regulations in scope:
- Sarbanes-Oxley Act (SOX)
- NAIC Model Audit Rule (MAR)
- HIPAA Security Rule/HITECH (MU P&S) and HIPAA Privacy Rule (DDI only)
- Payment Card Industry Data Security Standard (PCI-DSS)
Effects of non-compliance may include:
- Damage to the Kaiser Permanente reputation and brand
- Loss of member trust through required breach notification
- Inability to attest to portions of HIPAA for Meaningful Use purposes
- Significant civil and/or criminal fines and penalties
- Increased scrutiny in the form of more enforcement audits
- Material financial misstatements
Slide 27: Integrating Regulatory & Information Security Compliance: Approach to Compliance Sustainability: Current State and Proposed Future State
How do we accelerate compliance sustainability?
Current state:
- Fragmented sustainment processes
- Decentralized compliance monitoring and reporting
- Varied levels of compliance maturity
- Unclear accountabilities
- Leveraging the SOX approach
Proposed future state:
- Highly integrated compliance model
- Centralized compliance monitoring and reporting
- Standardized processes and tools
- Clearly defined accountabilities
Benefits of compliance integration:
- Accelerates and enhances compliance
- Increases visibility and transparency
- Drives standardization
- Leverages existing tools and processes
- Supports Technology Risk & Control (TRC) framework efforts
Slide 28: Integrating Regulatory & Information Security Compliance: Approach to Compliance Sustainability: Control Maturity Levels (example)
Business maturity model, five criteria and the target state for each:
- Accountability: Accountable; Knowledgeable; Full authority; Engaged/motivated
- Documentation: Process documented; Accurate & complete; Updated periodically
- Evidence: Evidence retained; Centrally stored; Complete population; Consistent with narrative
- Process: Follows internal & external best practices; Standardized & automated
- Monitoring: Team self-monitors; Issues resolved timely
Level 0, Does Not Exist: none of the five criteria exist.
Level 1, Incomplete:
- Accountability: Exists but unsure & not clearly defined
- Documentation: Exists but inaccurate, incomplete or undefined
- Evidence: Exists but inadequate or incomplete
- Process: Exists but does not follow the narrative, or incomplete
- Monitoring: Ad-hoc monitoring in place, no resolution management process
Level 2, Inconsistent:
- Accountability: Accountable but no full authority to exercise responsibilities
- Documentation: Accurate & complete but informally managed
- Evidence: Complete & retained but informally managed
- Process: Complete but very manual, resource intensive & not standardized
- Monitoring: Periodic monitoring in place, no resolution management process
Level 3, Consistent & Streamlined:
- Accountability: Accountable, knowledgeable, & full authority
- Documentation: Formally approved by management & centrally stored
- Evidence: Complete, retained, & centrally stored
- Process: Standardized, streamlined and manual or partially automated
- Monitoring: Periodic monitoring & resolution management process in place
Level 4, Optimized & Sustainable:
- Accountability: Accountable, knowledgeable, fully authorized & engaged
- Documentation: Updated & approved regularly using a formal change management process
- Evidence: System-generated & managed using an integrated tool
- Process: End-to-end process is supported by integrated tools and automation
- Monitoring: Automated, continuous monitoring & resolution management process in place
IT criteria and definitions, each given a maturity rating (0-4):
- Accountability: Identified and confirmed; Accountability understood; Knowledgeable; Full authority and empowerment; Engaged
- Documentation: Process documented; Reflects control design; Accurate & complete; Reviewed and approved periodically; Retained and readily available
- Design and Operating Effectiveness: Adequate control design (satisfies SOX PMO guidance); Control is evaluated either through self testing or management testing; No design gaps and consistent, effective control operation (no open CAPs)
- Self Assessment Process and Execution: Standard self assessment process; Self assessment performed for each control/layer; Testing sufficiently evidenced and documented; Adequate disposition of test results (e.g. CAP decision)
Overall control maturity considers all four criteria and is calculated based on the weight of each criterion: Accountability 5%, Process and Controls Documentation 5%, Design and Operating Effectiveness 80%, and Self Assessment Process and Execution 10%.
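The following is an added illustration, not Kaiser Permanente's code or tooling, of how the pieces of the integrated approach fit together: control categories from the slide 9 risk and control matrix are tested once and the result reused for every regulation they map to (slide 18's "test once, use many"), the roll-up applies PCI's all-or-nothing rule from slide 10 and the HIPAA required/addressable distinction from slide 8, and the weighted maturity rating from slide 28 is computed and validated. The control-to-regulation mappings, test results and status labels are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Criterion weights from the control maturity slide (they sum to 100%).
MATURITY_WEIGHTS = {
    "accountability": 0.05,
    "documentation": 0.05,
    "design_operating_effectiveness": 0.80,
    "self_assessment": 0.10,
}


@dataclass
class Control:
    """One control category from the risk and control matrix.

    It is tested once; the result is reused for every regulation the
    control is mapped to ("test once, use many").
    """
    name: str
    # regulation -> "required" / "addressable" for HIPAA implementation
    # specifications, None for regulations without that distinction.
    regulations: Dict[str, Optional[str]]
    passed: Optional[bool] = None          # None means not yet tested
    # For an addressable HIPAA specification that is not implemented:
    # rationale documented and an equivalent alternative measure in place.
    alternative_documented: bool = False


def assess(controls: List[Control], regulation: str) -> Tuple[str, List[str]]:
    """Evaluate one regulation from the shared test results.

    Returns (status, findings). Status is "incomplete" while any mapped
    control is untested, "compliant" when nothing is open, otherwise
    "non-compliant" for PCI (one failed requirement fails the whole
    assessment) and "deficiencies" for the others (open items that need
    a corrective action plan). Status labels are this example's own.
    """
    applicable = [c for c in controls if regulation in c.regulations]
    untested = [c.name for c in applicable if c.passed is None]
    if untested:
        return "incomplete", untested
    findings = []
    for c in applicable:
        if c.passed:
            continue
        addressable = c.regulations[regulation] == "addressable"
        if regulation == "HIPAA" and addressable and c.alternative_documented:
            continue  # addressable spec with a documented alternative is acceptable
        findings.append(c.name)
    if not findings:
        return "compliant", []
    return ("non-compliant" if regulation == "PCI" else "deficiencies"), findings


def maturity_rating(scores: Dict[str, int], weights=MATURITY_WEIGHTS) -> float:
    """Weighted overall control maturity (0-4) from per-criterion ratings."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 100%")
    if set(scores) != set(weights):
        raise ValueError("one rating per criterion is required")
    for name, score in scores.items():
        if not 0 <= score <= 4:
            raise ValueError(f"{name}: rating {score} is outside 0-4")
    return round(sum(weights[k] * scores[k] for k in weights), 2)


def sample_controls() -> List[Control]:
    """Constructed sample: control names come from the slide's matrix; the
    regulation mappings and test results are illustrative assumptions."""
    return [
        Control("System Activity Review and Audit Controls",
                {"HIPAA": "required", "SOX": None, "PCI": None}, passed=True),
        Control("User Access Termination",
                {"HIPAA": "addressable", "SOX": None}, passed=True),
        Control("Risk Management", {"HIPAA": "required"}, passed=True),
        # Encryption failed its single test. The HIPAA specification is
        # addressable and an alternative is documented; PCI has no such allowance.
        Control("Encryption", {"HIPAA": "addressable", "PCI": None},
                passed=False, alternative_documented=True),
        Control("Change Management (Integrity)",
                {"HIPAA": "required", "SOX": None}, passed=True),
    ]


if __name__ == "__main__":
    controls = sample_controls()
    for reg in ("HIPAA", "SOX", "PCI"):
        print(reg, *assess(controls, reg))
    print("maturity", maturity_rating({"accountability": 3, "documentation": 2,
                                       "design_operating_effectiveness": 4,
                                       "self_assessment": 3}))
```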
Slide 29: Key Takeaways
- Collaborate, collaborate, collaborate!
- Clearly define ownership of critical functions and processes
- Clearly define roles/responsibilities
- Establish a RACI for the organization and lower-level RACIs for functions
- Understand the spirit of the regulation
- Plan and do the foundational work before diving into the detailed work
- Leverage and re-use what works
- Understand your population:
  - Asset inventory
  - What you do and don't know; work to reduce the unknowns
  - Your maturity model: which controls do/do not exist for in-scope applications, infrastructure, and enterprise
- Find and fix early: CSAs self-detect and correct; don't wait for the tester to tell you what's wrong
Slide 30: Questions
More informationG21: HIPAA, HITECH, and Latest Trends Scott Morgan and Roy Masatani, Kaiser Permanente
G21: HIPAA, HITECH, and Latest Trends Scott Morgan and Roy Masatani, Kaiser Permanente HIPAA, HITECH, and Latest Trends Scott Morgan: Executive Director, National Compliance Privacy and Security Officer
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationPCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationPreparing for HIPAA and Meaningful Use Compliance Audits
Preparing for HIPAA and Meaningful Use Compliance Audits Presented by: David Holtzman VP of Compliance, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com
More informationHow to Use the NYeC Privacy and Security Toolkit V 1.1
How to Use the NYeC Privacy and Security Toolkit V 1.1 Scope of the Privacy and Security Toolkit The tools included in the Privacy and Security Toolkit serve as guidance for educating stakeholders about
More informationMU Security & Privacy Risk Assessments: What It Is & How to Approach It
MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, ASEP, CCSFP CISO & VP, CSF Development & Implementation Health Information Trust Alliance
More informationThe HIPAA Security Rule Primer Compliance Date: April 20, 2005
AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More informationTechnology Risk Management
1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact
More informationHIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationDeveloping HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant
Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics
More informationThe CIO s Guide to HIPAA Compliant Text Messaging
The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationThe HIPAA Omnibus Final Rule
WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia
More informationAre You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
More informationPREPARING FOR THE NEW PCI DATA SECURITY STANDARDS
PREPARING FOR THE NEW PCI DATA SECURITY STANDARDS Vita Zeltser Locke Lord Louis Dienes Locke Lord Pat Hatfield Locke Lord Rebecca Perry Jordan Lawrence Associate Partner Partner Director Professional Services
More informationARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper
ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,
More informationCompliance, Incentives and Penalties: Hot Topics in US Health IT
Compliance, Incentives and Penalties: Hot Topics in US Health IT Table of Contents Introduction... 1 The Requirements... 1 PCI HIPAA ARRA Carrot and Stick How does third party assurance fit into the overall
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationPreparing for and Responding to an OCR HIPAA Audit
Preparing for and Responding to Carole Klove Carole.Klove@ucsfmedctr.or g Gerry Hinkley gerry.hinkley@pillsburylaw.com SIXTH NATIONAL HIPAA SUMMIT WEST October 10-12, 2012 Overview Background What to expect
More informationThe HIPAA Security Rule Primer A Guide For Mental Health Practitioners
The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2
More informationHow To Improve Your Business
IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends
More informationWhite Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA
White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationHealthcare Management Service Organization Accreditation Program (MSOAP)
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
More informationPCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1
PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationLessons Learned from HIPAA Audits
Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance
More informationTop 20 IT Risks for the Healthcare Industry and How to Mitigate Them
Top 20 IT Risks for the Healthcare Industry and How to Mitigate Them By Raj Chaudhary, CRISC, CGEIT, and Robert L. Malarkey, CISSP, CISA Moving into 2015, the healthcare industry continues to undergo dramatic
More informationSecurity Trends and Client Approaches
Security Trends and Client Approaches May 2010 Bob Bocchino, CISA ERM Security and Compliance Business Advisor IBU Technology Sales Support Industries Business Unit, Technology Sales Support 1 Mark Dixon
More informationHIPAA: Compliance Essentials
HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationHow To Protect Yourself From Cyber Threats
Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit
More informationCMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM
CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator
More informationHIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com
HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations
More informationWhite paper September 2009. Realizing business value with mainframe security management
White paper September 2009 Realizing business value with mainframe security management Page 2 Contents 2 Executive summary 2 Meeting today s security challenges 3 Addressing risks in the mainframe environment
More informationHans Bos Microsoft Nederland. hans.bos@microsoft.com
Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationIT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014
IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system
More information