Northwestern University Feinberg School of Medicine


Slide 1: Northwestern University Feinberg School of Medicine
Information Security at Feinberg School of Medicine: Past, Present, Future
Advisory Council for Clinical Research Monthly Lecture Series, October 18, 2013
Carl Cammarata, Chief Information Security Officer, Feinberg School of Medicine, Northwestern Medical Faculty Foundation; Interim Chief Information Security Officer, Northwestern Medicine

Slide 2: Learning Objectives
- Why is data security important in clinical research?
- What are our most serious security risks?
- What is Feinberg School of Medicine doing to improve its data security posture?
- What security services are being planned to support the clinical research process?
- Who is responsible for data security?
- Q&A

Slide 3: We live in an age where you are private by effort and public by default
Your risks, your consequences:
- Human factors: self-disclosure of private information, weak or shared passwords, too many passwords
- Importance of your data
- Reliance on others for privacy: social media sites, wrong security settings, security changed without notice, confidentiality, ex-friends
- Malicious code: viruses, spyware
- Social engineering: phishing, spam, too much data
- Compromised devices
- Lost or stolen data
- Identity theft
- Reputation
- Lost job or financial opportunities

Slide 4: Who is responsible for data security?
- You are
- We are
- Everyone is
by Aaron Muszalski

Slide 5: Consequences of unauthorized disclosure can be significant
- Potentially delayed patient benefits from research
- Distractions from core mission
- Real direct and indirect costs resulting from mistakes, lack of awareness, negligence, remediation
- Public/internal embarrassment, negative publicity, reputation, furious patients
- Investigations, fines, penalties
- Financial losses (jobs, future/renewed grants, alumni giving)

Slide 6: Why is security important in clinical research?
- Patient privacy: preventing unauthorized disclosure
- Patient safety: availability of research data to address adverse events
- Data integrity from collection to analysis, reporting and regulatory submission
- Compliance with regulations, contract/grant criteria and University policy

Slide 7: What are our most serious security risks?
Research and PHI data being used as a conduit for medical identity theft, compromising research and affecting patient privacy and safety:
- Data - unencrypted
- Data - on personal devices
- Data - on portable devices
- Data - in the cloud
- Data - in personal
- Data - unmanaged, unsecured

Slide 8: Other than data, our risks:
- Policies and procedures require revision to improve clarity, expectations of behavior and compliance posture. (Risk: content varies considerably and is not consistently applied or understood.)
- Technology must be managed to policy and accepted standards to minimize the risk of exposure of PHI and disruption of research. (Risk: security configuration of technology varies considerably. There is a non-trivial risk of PHI being inadvertently disclosed because of a misconfiguration, a malware-infected device or the proliferation of mobile devices.)
- As custodians of research data and Protected Health Information (PHI) we must ensure it is consistently and rigorously secured. (Risk: PHI is widely dispersed and is secured to varying degrees. There is a non-trivial risk of research data and PHI being inadvertently disclosed due to the absence of adequate protection or incomplete knowledge of its location.)

Slide 9: Northwestern University Feinberg School of Medicine
Information Security Management Approach Supporting Clinical Research: Past, Present and Future

Slide 10: Improving our Security Posture - Timeline & Projects (Past and Present)
- HIPAA Security Rule consulting risk assessment, September 2010
- FISMA / NIST secure projects (source: Warren Kibbe):
  - National Children's Study (NCS) Information Management Hub, March 2011
  - NCS South Regional Operational Center, September 2012
- HIPAA Compliance of Research Data Committee, November 2011
- CIO appointed, January 2012
- IT Security Policy including encryption requirements published, February 2012
- IT Security Policy all-user acknowledgment initiated, February 2012
- Executive IT Steering Committee formed, March 2012
- NUIT secure disk storage, offered August 2012
- Security dashboard reporting (encryption compliance), September 2012
- NMFF secure physical facilities, offered January 2013
- NMFF secure server farm, offered January 2013
- NMFF secure disk storage, offered March 2013
- CISO hired, March 2013
- IT Leadership and IT Working Group committees formed, March 2013
- Information Security Strategy and Plan, August 2013
- Network Security Infrastructure project, completed August 2013
- Active Directory, Windows domain project, started August 2013, ongoing
- Managed secure device project, planning started September 2013
- Northwestern Medicine formed, August 2013
- Central IT support environment, anticipated
Policy and technical foundations to reduce the risk of exposing research and PHI data.

Slide 11: Information Security Strategy & Plan - Improving our Security Posture
- Establish a managed and secure technology environment
- Publish revised and synchronized policies and procedures
- Clinical research information security services:
  - Clinical research data security plans
  - FISMA
  - Clinical partners integration
- Executive Oversight & IT Security Committee
- Implement a risk assessment process
- PHI/PII asset management

Slide 12: Network Security Infrastructure Project - Improving our Security Posture
Description: Deliver an improved network connection between NU (FSM) and NMFF/NMH.
1. Installation of new network hardware
2. Creation of 3 service tiers:
   - Tier 1 - NMFF network extension
   - Tier 2 - FSM Managed Network
   - Tier 3 - Unmanaged Network
Enable network connectivity from the Northwestern University (NU) network to the Northwestern Medical Faculty Foundation (NMFF) network to improve security and staff productivity through security tiers.
Project Team: Julian Koh, Warren Harding, Matt Wilson, John Brow, Ben Nicholson, Rocky Xu, Brian Griffin, Carl Cammarata, Jon Lewis, Danny Garza, Todd Nelson
Implementation: Julian Koh, Warren Harding, Matt Wilson, John Brow, Ben Nicholson, Rocky Xu, Danny Garza
Status: Completed
Benefits:
- Tier 1: device becomes part of the NMFF/NMH network, direct access to clinical resources
- Tier 2: direct access to FSM central resources, indirect access to clinical resources
- Tier 3: limited access to FSM central resources
Security Posture: Controls access to clinical resources based upon the integrity of the device and its access point on the network.

Slide 13: Active Directory, Windows Domain Project - Improving our Security Posture
Description: Deliver an upgraded central FSM domain focused on improving security and standardizing endpoint support.
Update the existing FSM technical environment to enable centralized management of devices and standardized device configuration and security policy.
Project Team: Dong Fu, Jignesh Patel, Rocky Xu, Noah Xu, Michael Tittle, Brian Griffin, Carl Cammarata, Jon Lewis, Todd Nelson
Implementation: FSM IT Support Groups
Status: Active
Benefits:
- Enables uniform management of devices to software standards and enhanced security policy (e.g., software and security updates, encryption)
- Allows more efficient cross-departmental IT support services
- Establishes a prerequisite for future two-way device trust with NMFF/NMH
Security Posture: Devices can be managed and controlled from central support management consoles (application of security patches, installation and management of software such as encryption).

Slide 14: Managed, Secure Device Project - Improving our Security Posture
Description: The migration and standardization of FSM endpoints to the new Tier Managed environment defined by the related Network and Domain projects (Nexus and Zenith).
Standardize configuration and management of endpoint devices to allow for security trust (and improved access productivity) between NU and NMFF through network security tiers and managed devices.
Project Team: Tim Hite, Alex Cohn, Frank Schleicher, Bob Valadka, Karen Kelly, Patrick Canevello, Brian Griffin, Carl Cammarata, Jon Lewis, Troy Alexander, Matt Newsted, Todd Nelson
Implementation: FSM IT Support Groups
Status: Planning
Benefits:
- Deploys standard images to endpoint devices
- Enables central management and more efficient problem resolution
- Device software updated and patched from central services
- Improved device reliability, serviceability and integrity
Security Posture: Reduced risk of data disclosure resulting from malware infections. Efficient central management of endpoint devices and security software such as encryption.

Slide 15: Anticipated Technology Initiatives - Improving our Security Posture
- Mobile device security
- Wireless security
- Data loss prevention (DLP)
- Network access control (NAC)
- Two-factor authentication
- Vulnerability assessment tools
- Device theft risk mitigation (RFID, LoJack)

Slide 16: Anticipated Policy Portfolio - Improving our Security Posture
FSM IT Policy Category / Named Policy:
- Procurement: IT Goods & Services
- Integration: Device Standards
- Collaboration: File Sharing
- Secure Storage: Secure Storage
- Backup & Retention: Backup & Retention
- Departmental Support: Departmental Support
- Local Networks: Domain Device, Lab Device
- Network Architecture: Network Architecture
- IT Security: IT Security

Slide 17: Departmental IT Support Alignment - Improving our Security Posture
- Alex Cohn: IPHAM
- Daniel Erickson: Preventive Medicine
- Dawood Ali: Medical Social Sciences
- Frank Schleicher: Medicine, Surgery, a few others
- Fang Gao: Physical Therapy
- J C Thomas Rogers: Anesthesiology
- Jasmin Shah: Obstetrics/Gynecology
- Jeremy Fox: Physical Medicine and Rehabilitation
- Jeremy Prevost: Galter Library
- Jignesh Patel, Dong Fu: NUCATS
- Matthew Newsted: Center for Genetic Medicine
- Robert Valadka: Basic Science
- Sean Withrow: Radiology
- Troy Alexander: Pediatric Research
- Jonathan Lewis: Dean's Administration
- Neurology, Psychiatry, Pathology, Lurie Cancer Center: FSM/NMFF collaboration
- Other departments listed: Otolaryngology, Ophthalmology, Orthopaedic Surgery, Urology, Neurological Surgery, Emergency Medicine, Global Health, Radiation Oncology, Dermatology

Slide 18: Clinical Research Information Security Services - Data Security Plan Review
Human Subject Research Data Security Plans
Objective: to ensure all personally identifiable information and protected health information which is entered, stored, transmitted, analyzed and reported as part of an approved IRB research protocol is properly and adequately secured throughout the research process.
Data Security Plans: The plan would describe the data flow and how the data is secured throughout the life of the research project, from initial data collection to reporting, publishing, registration and archiving. A plan would include, at least, the following and describe the security capabilities of each. Plans may vary in complexity consistent with the complexity of the research:
- How and by whom will data be collected, transmitted and stored
- How will data be secured at each stage in the workflow
- How will access be controlled and through what mechanisms
- Describe where and how data will be encrypted
- How will data be backed up and at what frequency
- Where will backup data be stored
- Describe the type of computing equipment that will be part of the information workflow and how each type will be secured
- How will data be disposed of and using what disposal mechanism

Slide 19: Data Security Plan Review
Challenges:
- Volume
- Workflow impact
- Change
Critical Success Factors:
- Agreement among key stakeholders
- Fine-tuning a reliable (technology-driven) workflow with minimal disruption
- Triaging the review process based upon subject, data risk and study complexity
- Agreement on what approving a data security plan means
- Expedited process
- Exception process
- Staff resources

Slide 20: Data Security Plan Review
Integration Considerations:
- Exempt protocols (non-human subject)
- Expedited (low risk, human subject)
- Rigor of review: EMR data, ePHI, consented (PII, research data)
- Record of approval linked to research portfolio
- Rejection re-review cycle
- Technical integration of workflow
Next Steps:
- Data security approaches currently reviewed on a case-by-case basis
- Continue to work toward developing a formal plan

Slide 21: Clinical Research Information Security Services - FISMA
What is FISMA (Federal Information Security Management Act of 2002)? From Wikipedia, the free encyclopedia:
The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L , 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. [1] The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. [1] FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." [1] FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. [2]
Why FISMA at Northwestern? Required by some federal agencies (e.g., NIH) as a prerequisite or stipulation of grant awards. This requirement is becoming more commonplace.

Slide 22: FISMA Required Standards & Guidelines
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, April 2004, 13 pages
  - Required to determine system category
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, 17 pages
  - Required to derive impact from system category
- NIST Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013, 457 pages
  - Baseline security controls guidance applied to the subject system's category and impact
- NIST A Revision 1, Guide for Assessing the Security Controls in Federal Systems and Organizations, June 2010, 399 pages (outdated as of April 2013)
  - Guide for building effective security assessment plans

Slide 23: FISMA Categorization & Impact
FISMA Life Cycle: Categorize -> Analyze Impact -> Determine & Apply Minimum Security Standards -> Assess Risk & Gaps -> Remediate -> Re-assess -> Certify
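A worked example of the first two life-cycle steps above, the FIPS 199 "categorize" step and the FIPS 200 impact derivation that selects the NIST control baseline. This is an added illustration, not code from the deck or from NIST; the information types, their names and their impact levels are constructed for the example.

```python
"""FIPS 199 categorization and FIPS 200 impact level, as an added example.

Rules implemented (as stated by those two standards):
  * FIPS 199: each information type a system handles gets an impact level
    (LOW / MODERATE / HIGH) for confidentiality, integrity and availability;
    the system's security category is, per objective, the highest level among
    its information types.
  * FIPS 200: the overall impact level used to select the control baseline is
    the "high-water mark", i.e. the highest of the three objective levels.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")          # ordered from least to most severe
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional FIPS 199 impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if value not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {value!r} for {objective}")
        return value


def _max_level(levels) -> str:
    # max() over the ordering of LEVELS, so HIGH > MODERATE > LOW
    return max(levels, key=LEVELS.index)


def security_category(info_types) -> dict:
    """FIPS 199 system security category: per objective, the highest impact
    among all information types the system processes, stores or transmits."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    return {obj: _max_level(t.level(obj) for t in info_types) for obj in OBJECTIVES}


def impact_level(category: dict) -> str:
    """FIPS 200 high-water mark: the single impact level (and therefore the
    NIST baseline, Low / Moderate / High) is the highest of the three."""
    return _max_level(category[obj] for obj in OBJECTIVES)


def fips199_string(category: dict) -> str:
    """Render the category in the notation FIPS 199 uses, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}"""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample (hypothetical clinical-trials data system): one
# information type rated HIGH for integrity drags the whole system to the
# High baseline even though nothing is rated HIGH for confidentiality.
SAMPLE_TYPES = [
    InfoType("identified PHI from consented subjects", "moderate", "moderate", "low"),
    InfoType("de-identified analysis datasets", "low", "moderate", "low"),
    InfoType("adverse-event reports", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = security_category(SAMPLE_TYPES)
    print(fips199_string(cat))
    print("baseline:", impact_level(cat))
```

The aggregation is the part practitioners most often get wrong: the baseline is driven by the most sensitive information type on any single objective, so adding one new data feed to a system can move it from the Moderate to the High control set.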

Slide 24: FISMA Controls Baseline - NIST (FISMA) / HIPAA / HITRUST Crosswalk
Columns: NIST Control Specification; HIPAA Security Standard; HITRUST CSF Direct Control Categories; NIST Security Baseline Controls by FISMA Category (Low, Medium, High). The HITRUST category numbers appear below as they survive in the transcription.
- Program Management: Security Management Process, Assigned Security Responsibility; HITRUST 0,2,3,5,6,7,9,
- Access Control: Workforce Security, Information Access Management, Access Control, Person or Entity Authentication; HITRUST ,2,5,6,8,9,10,
- Awareness & Training: Security Awareness & Training; HITRUST 1,2,5,6,9,
- Audit & Accountability: Audit Controls, Integrity; HITRUST 6,
- Security Assessment & Authorization: Evaluation; HITRUST 0,3,5,
- Configuration Management: Evaluation; HITRUST 0,3,5,
- Contingency Planning: Contingency Plan; HITRUST 2,7,9,
- Identification & Authentication: Person or Entity Authentication
- Incident Response: Security Incident Procedures; HITRUST 2,
- Maintenance: Evaluation; HITRUST 0,3,5,
- Media Protection: Device & Media Controls; HITRUST 2,7,8,9,
- Physical & Environmental Protection: Facility Access Controls, Workstation Use, Workstation Security; HITRUST 1,2,5,7,8,9,
- Planning: Security Management Process, Assigned Security Responsibility; HITRUST 0,2,3,5,6,7,9,
- Personnel Security: Workforce Security; HITRUST 1,2,5,8,
- Risk Assessment: Evaluation; HITRUST 0,3,5,
- System & Services Acquisition: Business Associate Contracts; HITRUST 2,5,
- System & Communications Protection: Transmission Security; HITRUST 6,9,
- System & Information Integrity: Security Management Process, Integrity, Security Awareness & Training; HITRUST 0,1,2,3,5,6,7,9,
Totals: 135 control specifications
- Controls baselines: NIST (FISMA); HITRUST is overarching of HIPAA
- Small percentage of available supplemental controls
- NIST (FISMA) controls are guidelines but are driven by ATO contracts
- Extensive breadth and depth
- Multi-purpose benefit
- Broad compliance posture
- Risk and self-assessment baselines drive measurable improvement
- Drives down ePHI risks
- Drives up grant intake opportunities

Slide 25: FISMA General Recommendations
- Institutionalize FISMA capabilities; implement a FISMA service delivery model
  - Integral to FSM academic and technology processes
  - With HITRUST as the foundation of IT compliance and policy
  - Competitive advantage
  - Internal and possibly external service model with revenue and ROI
- FISMA is an overarching approach while HIPAA security improvements run in parallel
  - Risk assessment approaches address HIPAA and FISMA requirements
  - Department self (risk) assessments become integral to the process
  - Integrates academic and clinical considerations
  - Broad approach maximizes compliance coverage
- Develop initial policies addressing entry-level requirements and synchronize with HIPAA and HITRUST requirements
- Document the security plan and risk assessment process
- Complete baseline gap analysis and propose remediation efforts

Slide 26: FISMA Current Commitments
- National Children's Study Information Management Hub, in use by 15 study centers across the country. In production (Warren)
- National Children's Study South Regional Operations Center, overseeing 10 study centers across the country (a different 10 centers than the Hub). Institute for Healthcare Studies. In operation
- National Children's Study Adaptive Test Design, part of the National Children's Study Health Measurement Network. Medical Social Sciences. Planned to go live by Jan
- Cancer Prevention Agent Development Program: Early Phase Clinical Research. Creating a FISMA version of the RHLCCC NOTIS clinical trials management system. Lurie Cancer Center. Go live July 2013

Slide 27: FISMA Critical Success Factors
- Managed technology environments are basic prerequisites to FISMA (and HIPAA) baseline requirements
- Documented FISMA policies and risk assessment procedures
- Department ability to define baseline control requirements
- Viable risk measurement tool
- Acceptance and adoption of FISMA requirements
- FSM-wide service delivery model with sufficient resources to meet projected capacity

Slide 28: Clinical Partners Integration - NUCATS 2.0 Leadership Structure
Clinical Partners Information Security: Partner Governance, Best Practices, Sponsorship, Accountability
Clinical Partners Information Security Integrated Leadership Group: Collaboration, Service Management
Objectives (Charter):
- Unify information security principles
- Integrate security for cross-partner clinical research activities
- Contribute to grant award applications
- Resolve complex security issues
- Proactively address emerging threats and security technology evolution
- Process improvement

Slide 29: Clinical Partners Integration
Align information security strategy with clinical partners: Northwestern University Feinberg School of Medicine, NUCATS, Northwestern Medicine, Lurie Children's Hospital, Rehabilitation Institute of Chicago, NM EDW
- Establish a Leadership Group comprised of partner representation
- Proactive collaboration and exchange of strategy-formulating information
- Active participant in NUCATS organization and governance
- Accountable to the NUCATS Steering Committee
Leadership Group Charter:
- Establish unified information security principles and federated policies to support collaborative initiatives
- Define and support an information security integration strategy for cross-partner clinical research activities (e.g., CTSA, FISMA)
- Contributing author of information security material for grant award applications
- Evaluate and propose common resolutions to complex security issues
- Proactively evaluate emerging threats and security technology evolution

Slide 30: Clinical Partners Integration - Leadership Group
Members: Northwestern University Feinberg School of Medicine, NUCATS, Northwestern Medicine, Lurie Children's Hospital, Rehabilitation Institute of Chicago, NM EDW
Anticipated outcomes:
- Unified information security principles (e.g., federated policy structure)
- Information security integration strategy for cross-partner clinical research activities
- Structured information security material for grant award applications
- Leverage best practices and experience to resolve complex security issues
- Ongoing educational forum which discusses risks, threats and technology evolution
- Proactively evaluate emerging threats and security technology evolution

Slide 31: May I steal your data please? - Security responsibilities
- Use only encrypted memory sticks and portable devices
- Keep your computer and antivirus software up to date
- Never store PHI or PII on portable devices unless encrypted
- Never share memory sticks
- Reportable breaches can occur
As USB drives become cheaper and information is distributed freely, the possibility of Trojans and other malware increases.

Slide 32: I am free and easy - Security responsibilities
- Unparalleled technological and educational advancement opportunity
- Equally unparalleled security risks
- Understand the risks before putting your own personal data (e.g. tax data) into the cloud
- Keep PHI and PII off cloud computing platforms unless there is an NU-approved legal contract
- Reportable breaches can occur
The incredible cost savings and flexibility cloud computing affords also opens up a superhighway for cybercrime. As cloud use increases, so, too, will the number of opportunities for data infection or theft.

Slide 33: I just stole your data - The Insider Threat - Security responsibilities
- "This is the way we've always done it"
- "I didn't know"
- "I couldn't wait, security takes time"
- "I care about my personal data, but why should I care about that belonging to others?"
Lack of separation of responsibilities, management oversight and consequences of actions, excess access, mistakes, lack of training, non-compliance with policies and procedures, under-utilization of existing security technology, laziness, convenience and covert activities increase data risks to the University.

Slide 34: May I steal your data please? - Security responsibilities
Who is responsible for data security?
- Everyone is
- We are
- You are


More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Before the U.S. House Oversight and Government Reform Committee Hearing on Agency Compliance with the Federal Information

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

Data Loss Prevention Program

Data Loss Prevention Program Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

I. U.S. Government Privacy Laws

I. U.S. Government Privacy Laws I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training State of South Carolina Policy Guidance and Training Policy Workshop All Agency Mobile Security July 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy Overview: Mobile Security

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

STATE OF NEW JERSEY Security Controls Assessment Checklist

STATE OF NEW JERSEY Security Controls Assessment Checklist STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response

More information

AUDIT REPORT. The Energy Information Administration s Information Technology Program

AUDIT REPORT. The Energy Information Administration s Information Technology Program U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Energy Information Administration s Information Technology Program DOE-OIG-16-04 November 2015 Department

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Security Compliance, Vendor Questions, a Word on Encryption

Security Compliance, Vendor Questions, a Word on Encryption Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

NASA OFFICE OF INSPECTOR GENERAL

NASA OFFICE OF INSPECTOR GENERAL NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

Information Security Policy Manual

Information Security Policy Manual Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, 2015. Point of Contact and Author: Michael Gray michael.gray@ed.

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, 2015. Point of Contact and Author: Michael Gray michael.gray@ed. For Non-GFE for Remote Access Date: May 26, 2015 Point of Contact and Author: Michael Gray michael.gray@ed.gov System Owner: Allen Hill allen.hill@ed.gov Office of the Chief Information Officer (OCIO)

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

INFORMATION SECURITY STRATEGIC PLAN

INFORMATION SECURITY STRATEGIC PLAN INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

Audit of the Board s Information Security Program

Audit of the Board s Information Security Program Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve

More information

Microsoft Services Premier Support. Security Services Catalogue

Microsoft Services Premier Support. Security Services Catalogue Microsoft Services Premier Support Security Services Catalogue 2014 Microsoft Services Microsoft Services helps you get the most out of your Microsoft Information Technology (IT) investment with integrated

More information

2014 Audit of the Board s Information Security Program

2014 Audit of the Board s Information Security Program O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL

More information

University System of Maryland University of Maryland, College Park Division of Information Technology

University System of Maryland University of Maryland, College Park Division of Information Technology Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

May 16, 2011. Georgina Verdugo Director Office for Civil Rights. /Daniel R. Levinson/ Inspector General

May 16, 2011. Georgina Verdugo Director Office for Civil Rights. /Daniel R. Levinson/ Inspector General DEPARTMENT OF HEALTH & HUMAN SERVICES Office of Inspector General Washington, D.C. 20201 May 16, 2011 TO: Georgina Verdugo Director Office for Civil Rights FROM: /Daniel R. Levinson/ Inspector General

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

Enabling Research Securely Data Security Plans

Enabling Research Securely Data Security Plans Carl Cammarata, Senior Director-Chief Information Security Officer & David Kovarik, Director-IT Information & Systems Security/Compliance Enabling Research Securely Plans New policy announced by Dean Nielson

More information

Data S ec e u c ri r t i y als l o F I F SMA

Data S ec e u c ri r t i y als l o F I F SMA Data Security also FISMA Scott Bradner University Technology Security Officer Harvard University Research Compliance Conference June 13, 2011 302-1 Issues in Research Data Security communication mindset

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12 Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General

More information

Department of Homeland Security

Department of Homeland Security Evaluation of DHS Information Security Program for Fiscal Year 2013 OIG-14-09 November 2013 Washington, DC 20528 / www.oig.dhs.gov November 21, 2013 MEMORANDUM FOR: FROM: SUBJECT: Jeffrey Eisensmith Chief

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS) Appendix 10 IT Security Implementation Guide For Information Management and Communication Support (IMCS) 10.1 Security Awareness Training As defined in NPR 2810.1A, all contractor personnel with access

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP

More information

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters May 2010 INFORMATION SECURITY Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing GAO-10-513

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information