TNAAP 8TH ANNUAL PEDIATRIC PRACTICE MANAGERS CONFERENCE FREDERICK SCHOLL,PHD MONARCH INFORMATION NETWORKS ELIZABETH PIERCE, MD RIVERGATE PEDIATRICS

Size: px

Start display at page:

Download "TNAAP 8TH ANNUAL PEDIATRIC PRACTICE MANAGERS CONFERENCE FREDERICK SCHOLL,PHD MONARCH INFORMATION NETWORKS ELIZABETH PIERCE, MD RIVERGATE PEDIATRICS"

Antonia Skinner
7 years ago
Views:

1 TNAAP 8TH ANNUAL PEDIATRIC PRACTICE MANAGERS CONFERENCE FREDERICK SCHOLL,PHD MONARCH INFORMATION NETWORKS ELIZABETH PIERCE, MD RIVERGATE PEDIATRICS

2 SUMMARY OUTLINE ESSENTIAL SECURITY PRACTICES THAT WILL HELP YOU RUN YOUR PRACTICE MORE EFFICIENTLY WHILE COMPLYING WITH HIPAA

3 LEGAL DISCLAIMER SECURITY COMPLIANCE INVOLVES LEGAL INTERPRETATION INFORMATION HEREIN REPRESENTS SECURITY PRACTICES BASED ON PRESENTERS EXPERIENCE NOT LEGAL ADVICE

4 WHERE ARE PRACTICES TODAY? IMPLEMENTING EHR? SECURITY PRACTICES? HITECH HIPAA REQUIREMENTS? SURVEY

5 HIPAA/HITECH UPDATES OLD REQUIREMENT NEW REQUIREMENT ACTION MUST NOTIFY CE IN CASE OF BREACH NO BREACH REQUIREMENT TWO TIERS OF FINES: MAXIMUM PENALTY IS $25,000 BA S MUST MEET HIPAA PRIVACY AND SECURITY REQUIREMENTS CE S AND BA S MUST NOTIFY PATIENTS IN CASE OF BREACH FOUR TIERS OF FINES: MAXIMUM IS $1.5 MILLION UPDATE BAA WITH NEW REQUIREMENTS ENCRYPT PHI TO AVOID THIS ISSUE AND ASSOCIATED COST SIGNIFICANT INCREASE IN FINES AND ENFORCEMENT

6 HIPAA ENFORCEMENT INCREASING SECURITY RULE ENFORCEMENT GIVEN TO OCR (JULY, 2009) SECURITY RULE CMS 10 AUDITS IN 2008 PRIVACY RULE HHS/OCR 6746 INVESTIGATED RESOLUTIONS 2008

7 WHERE IS THE DATA? CONFIDENTIALITY (HIPAA SECURITY) INTEGRITY AVAILABILITY BELT AND SUSPENDERS: MULTIPLE LAYERS

8 IMPROVING SECURITY People Process Products Partners

9 13 ESSENTIAL SECURITY PRACTICES DESIGNATE SECURITY MANAGER REGULAR RISK ASSESSMENT SECURITY AWARENESS TRAINING FIREWALLS: IMPLEMENT AND MANAGE UPGRADE FROM WEP TO WPA WIRELESS ENCRYPT PHI AT REST/TRANSMISSION ENSURE AVAILABILITY ANTIVIRUS

10 13 PRACTICES, CONT. TEST APPLICATION SECURITY FOR INTERNET FACING APPLICATIONS SECURE ACCESS TO DATA REGULAR SYSTEM/APPLICATION PATCHING MANAGED THIRD PARTY VENDOR SECURITY SECURE DATA DISPOSAL

11 ESSENTIAL SECURITY PRACTICES DESIGNATE SECURITY/PRIVACY MANAGER CARRY OUT RISK ASSESSMENT DOCUMENT BUSINESS PROCESSES DOCUMENT THREATS DOCUMENT CONTROLS

12 RISK ASSESSMENT THREAT, VULNERABILITY, ASSET VALUE RISK = THREAT X VULNERABILITY X ASSET VALUE ($$) REGULARLY UPDATE MAKE USE OF PRACTICAL INFORMATION

14 AWARENESS TRAINING RISKS SOCIAL ENGINEERING SPEAR PHISHING DRIVE BY DOWNLOADS

15 SAFE BROWSING NEVER CLICK ON LINKS

16 FIREWALLS IMPLEMENT FIREWALLS (HW + SW) NETWORK: IS THE FIREWALL SECURE? DESKTOP: WINDOWS FIREWALL MONITOR FIREWALL LOGS

17 WIRELESS SECURITY WEP SECURITY: CRACK IN SECONDS WPA: WITH GOOD KEY, NOT CRACKABLE MUST CHANGE TO WPA

18 PROTECTING AGAINST THEFT LAPTOPS DESKTOPS NO PHI ON LAPTOPS THE ONLY SOLUTION IS ENCRYPTION

19 BREACHES AFFECTING > 500 RECORDS Records Breached, 9/09-3/ Total Hacking Incorrect mailing Loss Misdirected Other Phishing Scam Theft Unauthorized access

20 ENCRYPTION AD HOC PROCESSES (CORRESPONDANCE) MICROSOFT BITLOCKER: WINDOWS 7 FREE DESKTOP ENCRYPTION: TRUECRYPT

21 ENSURE AVAILABILITY: BACKUPS ON-LINE BACKUPS TEST THE RESTORE PROCESS

22 AVAILABILITY: UPS POWER SUPPLY TOP STATES FOR LIGHTNING DENSITY FL, OK, KS, MO, AR, LA, MS, TN CAN FRY COMPUTER AND CORRUPT DATA USE UPS FOR COMPUTER + NETWORK

23 ANTIVIRUS ANTIVIRUS MANY COMMERCIAL PROGRAMS MICROSOFT SECURITY ESSENTIALS (FREE)

24 APPLICATION SECURITY TESTING PATIENT PORTALS APPLICATION DEVELOPMENT: TEST USING OWASP* STANDARDS (GOOD HOUSEKEEPING SEAL) OWASP INCLUDES COMMON HACKER METHODS IN ITS TEST SUITE * OPEN WEB APPLICATION SECURITY PROJECT

25 ACCESS CONTROLS INDIVIDUAL ACCOUNTS (NOT SHARED) STRONG PASSWORDS NEED TO KNOW PRINCIPLE MONITORING: COMPENSATING CONTROL

26 PATCH SYSTEMS WINDOWS SET FOR AUTOINSTALL OTHER APPS UPDATE MANUALLY

27 COUNTERPARTY RISK YOU HAVE GOTTEN TO 98+% INTERNAL SECURITY LEVELS 10% OF BREACHES ATTRIBUTED TO BA S BACKGROUND CHECKS CRIMINAL RECORDS FEDERAL: WHITE COLLAR CRIME COST: $30-40 CHOOSE VENDOR CAREFULLY UPDATED HIPAA/HITECH BA AGREEMENT

28 DATA DISPOSAL HOME/OFFICE SHREDDER GET MACHINE 2 X BIGGER THAN YOU NEED COMMERCIAL SHREDDING, GET RECEIPT DATA SHREDDING SHRED HARD DRIVE WIPE DRIVE: WHOLE MACHINE ($5/PC) FILES: CCLEANER (FREE!)

29 ONLINE BANKING RISKS SMALL BUSINESS IS TARGET OF CHOICE ELECTRONIC FUNDS TRANSFER OUT OF YOUR ACCOUNT USE SEPARATE BANKING COMPUTER AUTO-DELETE INFORMATION FROM YOUR BROWSER

30 CONTACT INFORMATION FREDERICK SCHOLL

31 QUESTIONS OR DISCUSSION?

Electronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security

Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile