HEALTHCARE & SECURITY OF DATA IN THE CLOUD
August 2014
Lynlee Espeseth, Marketing Strategy Associate, Sundog (Denver, Fargo, Minneapolis)

In this day and age, there's no denying the importance of cloud technology in the healthcare world. The era of cabinet drawers overflowing with patient files and flustered workers digging for what they need is coming to an end. Healthcare employees want quick access to patient information from anywhere they may need it, and healthcare consumers want prompt, high-quality and unified care from all of their providers. A 2012 report states that cloud technology in healthcare will grow at an annual rate of 20.5% between 2012 and That same report states revenue in the cloud computing market will go from $1.8 billion in 2011 to $5.4 billion in 2017, with North America being the largest contributor to the market. [1]

While the growing place of cloud technology in our modern world is certain, questions remain about the security of data in the cloud. This is particularly concerning for healthcare organizations, as they store incredible amounts of personal information ranging from social security numbers and payment methods to detailed health histories and home addresses. Any breach of this information can be expensive, time-consuming and even legally damaging. [2]

The good news is that cloud technology providers are well aware of the security challenges healthcare organizations face, and they are meeting these challenges head on. It is indeed possible to keep patient data safely stored in the cloud while still offering the best and most efficient care possible. In this white paper, we will look at how laws both old and new have affected the way data in the cloud is protected. We will then examine best practices and steps to keep information in the cloud safe. Finally, we will explore the case studies of various healthcare organizations that have successfully implemented cloud systems and wrap up with a summary of key takeaways for healthcare organizations.
Background of Security in the Healthcare Cloud

Reputable healthcare organizations know that there is a great deal of responsibility involved in storing patient information. Data known as protected health information (PHI) or electronic protected health information (EPHI) stored in the cloud must be kept secure under current law. PHI and EPHI include a patient's past, present or future physical or mental health conditions; the provision of healthcare to a patient; a patient's past, present or future payment for healthcare; and information that identifies an individual, including names, addresses, birth dates, service dates, phone numbers, fax numbers, addresses, URLs, IP addresses, social security numbers, account numbers, license numbers, medical-records numbers, health-plan beneficiary numbers, vehicle identifiers, biometric identifiers and photos. [3]

What are the most significant laws that dictate how all of this information should be protected? The Health Information Portability and Accountability Act (HIPAA) is a well-known law in regard to information security and is very important to cloud providers. In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rules that modified HIPAA in 2013 are important, as they help older privacy laws work in the modern electronic world. Having a full understanding of these regulations is critical for successful cloud implementation.

HIPAA: The Rules

HIPAA was signed into law in 1996 and is generally recognized as the most important law regarding the protection of patient information. According to an article published by IBM on the security of patient data in the cloud, two rules put forth under HIPAA, the Security Rule and the Privacy Rule, are most relevant to the protection of patient data that is stored in the cloud. [4]

Security Rule

This rule addresses the administrative, physical and technical safeguards organizations should use to keep patient information safe. In other words, it lays out what organizations need to do to ensure electronic information is protected. It applies only to information in electronic form. [5]

Privacy Rule

This rule applies to all information, be it in electronic or paper form. It lists the rights patients have regarding their private information, as well as who must adhere to HIPAA regulations, groups known as covered entities. According to the United States Department of Health and Human Services, these covered entities include individual and group health plans, including health, dental, vision and prescription drug insurers; health maintenance organizations (HMOs); Medicare; Medicaid; Medicare+Choice and Medicare supplement insurers; long-term care insurers; health care providers; health care clearinghouses such as billing services, repricing companies, community health management information systems and value-added networks and switches; and the business associates of these entities. [5]

HIPAA: THE RULES
Security Rule: This rule lays out what organizations need to do to ensure electronic information is protected.
Privacy Rule: This rule lists the rights patients have regarding their private information, as well as who must adhere to HIPAA regulations, groups known as covered entities.
HITECH Act: This act decided that a cloud provider is considered a business associate, and now must follow the same regulations that any hospital, clinic or insurer does to make sure patient data stays safe.
Omnibus Rules: These rules essentially state that any group who is involved in creating, receiving, maintaining, or transmitting protected or electronic protected health information must adhere to all HIPAA and HITECH rules and regulations.

HITECH Act

More regulations continued to take shape, and in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. HITECH moved regulations into the world of cloud services and strengthened the laws set forth in HIPAA, as it gave the Health and Human Services Office for Civil Rights (OCR) jurisdiction over not only those dealing directly with patients, but also their business associates, defined as any group that works with patient information on behalf of an organization. Thus, a cloud provider is considered a business associate and must now follow the same regulations that any hospital, clinic or insurer does to make sure patient data stays safe. [6]

Omnibus Rules

To further solidify these rules, in January 2013 the OCR published further modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act. These modifications, also known as the Omnibus Rules, state that subcontractors who work on behalf of business associates are also under the jurisdiction of the OCR. Essentially, any group who is involved in creating, receiving, maintaining, or transmitting protected or electronic protected health information must adhere to all HIPAA and HITECH rules and regulations. These Omnibus Rules clarify the importance of security to any and all parties working on behalf of a cloud provider.

How Is Patient Data Being Protected in the Cloud?

Now that we have an understanding of how the laws governing patient data have come to affect the cloud, let's examine the specific steps that healthcare organizations and the cloud companies they work with are taking to keep patient data secure.

Choose the Right Cloud Provider and Cloud Model for You

It is imperative that healthcare organizations choose a trusted and reputable cloud provider. For most organizations, this is the first step toward successful cloud implementation. According to IBM, several items should appear on a Business Associate Agreement (BAA) that a healthcare provider enters into with a cloud provider, including:

- Terms and conditions for access and use of services
- The period of service
- Conditions for termination
- Disposition of data upon termination
- Privacy policy that addresses information-handling practices and how information is collected, used and managed
- Who is responsible for the creation, implementation, management and modification of access privileges
- Who is responsible for incident response, encryption, key management and data monitoring

Cloud providers and healthcare organizations should be fully confident in what services are being provided, who is responsible for what tasks and what the risks will be. [7]

Types of Cloud Models

Once an acceptable cloud provider has been found, organizations should choose which cloud model works for them. There are four different types of cloud models:

1. Public
2. Private
3. Community
4. Hybrid

In a public cloud model, the infrastructure is open to everyone, whereas a private model is only open to a single consumer. A community cloud is open to a specific community of people, and a hybrid uses both public and private models across different sets of data. Most healthcare organizations choose a private cloud model as it provides the most security. Some groups, like the Centers for Disease Control, have used public models for data related to disease surveillance, but most healthcare groups will find that anything other than a private model carries too much risk.

Keep Data in the Right Hands

When data is stored in the cloud, cloud providers and their customers must make sure that a system is in place to prevent anyone from accessing data who doesn't have the right to. HIPAA requires healthcare organizations to store patient data in such a way that anyone trying to gain access to that data must prove they are indeed who they say they are and have permission to access patient information. Generally this is done via a login system where a user must provide a unique username, password or other information that verifies their identity. [8]

Beyond a basic login system, there are other technologies cloud providers can offer to keep data safe. Single sign-on (SSO) options like Lightweight Directory Access Protocol can be put in place so users are identified more easily each time they wish to access information, without having to enter a login and password each time. Security Assertion Markup Language (SAML) can also be used. According to the National Institute of Standards and Technology (NIST), SAML "can convey assertions that a user has been authenticated by an identity provider and also includes information about the user's privileges. Upon receipt of the transaction, the service provider then uses the information to grant the user an appropriate level of access, once the identity and credentials supplied for the user are successfully verified."
SAML is often complemented with eXtensible Access Control Markup Language (XACML), which gives organizations the ability to more easily adapt and change who has access to patient information. [9]

Encrypting data is also a very important step for organizations to take. When data is encrypted, it is unusable, unreadable or indecipherable to unauthorized individuals. [10] Data is only made understandable by the use of a key that authorized individuals have access to. That key must be kept protected and stored separately from the encrypted data, so anyone attempting to illegally access the data cannot also obtain the key. NIST has encryption standards to follow for data both at rest and in motion (being transmitted), and by following these standards organizations can be in compliance with HIPAA.

Have a Plan

It doesn't matter whether data is being stored in a high-tech or low-tech manner; there will always be risks involved. Disasters, theft, hacking, employee error and many other incidents can occur, but they can also be planned for and hopefully prevented. Both HIPAA and HITECH recognize that risks are involved and thus put a focus on the importance of incident response and mitigation of damages, limiting interruptions in critical business operations, and maintaining security and privacy of EPHI. [11]

An important part of being prepared is monitoring data. Because of requirements under HIPAA and HITECH, organizations with information stored in the cloud are required to have hardware, software and/or procedural mechanisms in place to record the activity that occurs in the cloud. As far as what activities need to be recorded, there is an extensive list. One item that needs to be continuously monitored and kept up to date is the list of personnel with access rights. As employees come and go, the list of people with rights to view patient data needs to change as well. By conducting frequent audits of this information, organizations can ensure that no one still has access who shouldn't.

It is also very important to keep thorough records of activity within the cloud. Reports detailing what information has been accessed and when, what information has been changed and when, and who has been accessing and editing data should all be produced. Cloud systems also need to be continuously tested for security vulnerabilities, and risk assessments need to be conducted regularly. If a vulnerability is discovered, it must be recorded, and organizations and cloud providers should decide whether action needs to be taken or changes need to be made.

Finally, all data in the cloud must be backed up. Cloud services can provide offsite data backup, but organizations need to determine where this information is stored, how long it should be retained, how it should be accessed and how often the backups should occur. Having a backup allows organizations to keep functioning after any event, from a fire to a natural disaster to a computer failure.

After all of this information has been gathered (and continues to be gathered on a regular basis), cloud providers and consumers need to agree on a process to report all of this information. According to HIPAA, organizations are required to create these reports not only for their own use, but also to prove to regulators that their systems are safe. Audit logs, access reports and incident tracking reports all must be created and produced to the appropriate regulatory organizations when needed.

In the event that a security threat is discovered, cloud providers and their consumers should have a response plan in place. As stated by IBM: "Consumers should outline what they expect from cloud providers in the event of an incident, in particular, how the incident will be verified and how the information to analyze the incident will be gathered. Additionally, consumers and cloud providers should discuss recovery-time objectives and recovery-point objectives, as well as ensure that both can respond in a coordinated fashion." [12] Having this response plan in place, as well as all of the gathered data, allows cloud providers and health care organizations to carry out the goals of HIPAA.
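The monitoring duties described above (keep the access-rights list current, record who accessed or changed which record and when, and track unauthorized attempts) can be turned into a repeatable review. The following is an added example, not code from the paper or from any vendor it mentions; the CSV audit-log layout, the roster and every name in it are constructed for illustration.

```python
"""Review an EPHI audit log against the current access-rights roster.

Produces the three things the paper asks for: an access report (who viewed
what, when), a modification report (who changed what, when), and a list of
accounts to act on: people no longer on the roster who are still using the
system, and accounts with repeated denied attempts.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed roster: personnel who currently hold access rights (hypothetical
# names). In practice this comes from the identity provider or HR system.
ACCESS_ROSTER: dict[str, str] = {
    "dr.alvarez": "physician",
    "nurse.kim": "nurse",
    "billing.ortiz": "billing",
}

# Constructed sample audit log in an assumed CSV layout. Note that
# "former.emp" is not on the roster but still has a working account.
SAMPLE_AUDIT_LOG = """\
timestamp,user,action,record,outcome
2014-08-04T08:01:12,dr.alvarez,VIEW,MRN-10021,SUCCESS
2014-08-04T08:03:45,dr.alvarez,EDIT,MRN-10021,SUCCESS
2014-08-04T08:10:02,nurse.kim,VIEW,MRN-10022,SUCCESS
2014-08-04T09:15:30,former.emp,VIEW,MRN-10021,SUCCESS
2014-08-04T09:16:01,former.emp,PRINT,MRN-10021,SUCCESS
2014-08-04T10:00:00,billing.ortiz,VIEW,MRN-10023,DENIED
2014-08-04T10:00:05,billing.ortiz,VIEW,MRN-10023,DENIED
2014-08-04T10:00:11,billing.ortiz,VIEW,MRN-10023,DENIED
2014-08-04T11:30:00,nurse.kim,EDIT,MRN-10022,SUCCESS
"""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    user: str
    action: str   # VIEW, EDIT, PRINT, ...
    record: str   # patient record identifier
    outcome: str  # SUCCESS or DENIED


@dataclass
class AuditReport:
    # user -> list of (timestamp, action, record) for successful accesses
    access_by_user: dict[str, list[tuple[str, str, str]]] = field(default_factory=dict)
    # (timestamp, user, record) for every successful EDIT
    modifications: list[tuple[str, str, str]] = field(default_factory=list)
    # users not on the roster who still succeeded -> number of accesses
    stale_accounts: dict[str, int] = field(default_factory=dict)
    # user -> number of DENIED attempts
    denied_attempts: dict[str, int] = field(default_factory=dict)
    # accounts the reviewer must act on
    flagged_users: set[str] = field(default_factory=set)


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the assumed CSV layout into AuditEvent records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AuditEvent(
            timestamp=datetime.fromisoformat(row["timestamp"].strip()),
            user=row["user"].strip(),
            action=row["action"].strip().upper(),
            record=row["record"].strip(),
            outcome=row["outcome"].strip().upper(),
        ))
    return events


def review_audit_log(events: list[AuditEvent], roster: dict[str, str],
                     denied_threshold: int = 3) -> AuditReport:
    """Cross-check the log against the roster and build the reports."""
    access_by_user: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    modifications: list[tuple[str, str, str]] = []
    stale: Counter[str] = Counter()
    denied: Counter[str] = Counter()

    for ev in events:
        stamp = ev.timestamp.isoformat()
        if ev.outcome == "DENIED":
            denied[ev.user] += 1          # unauthorized attempt, nothing was read
            continue
        access_by_user[ev.user].append((stamp, ev.action, ev.record))
        if ev.action == "EDIT":
            modifications.append((stamp, ev.user, ev.record))
        if ev.user not in roster:
            stale[ev.user] += 1           # access rights should have been revoked

    flagged = set(stale) | {u for u, n in denied.items() if n >= denied_threshold}
    return AuditReport(dict(access_by_user), modifications, dict(stale),
                       dict(denied), flagged)


if __name__ == "__main__":
    report = review_audit_log(parse_audit_log(SAMPLE_AUDIT_LOG), ACCESS_ROSTER)
    for user, entries in sorted(report.access_by_user.items()):
        for stamp, action, record in entries:
            print(f"ACCESS  {stamp} {user} {action} {record}")
    for stamp, user, record in report.modifications:
        print(f"CHANGE  {stamp} {user} {record}")
    for user in sorted(report.flagged_users):
        print(f"REVIEW  {user}")
```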
Who Is Doing It Right?

To further examine the ways cloud implementation in healthcare organizations can be done, let's look at a general report and case studies of various groups who have had success in the cloud.

General Findings

In a 2013 report titled "Targeted Attacks and Opportunistic Hacks: State of Cloud Security Report," Alert Logic looked at the security of cloud operations versus enterprise data centers (where data is stored on physical hard drives). The study found that across various industries, including healthcare, storing data in the cloud was no less secure than using a different system, and security fears should not keep any business from moving information into the cloud. In fact, the study found that cloud providers can often offer much more efficient solutions, along with sophisticated levels of protection, so moving data to the cloud usually impacts businesses in a positive way. [13]

Specific Healthcare Case Studies

Moving from that general report to more specific cases, it's easy to see how cloud services can have a positive impact on healthcare organizations. According to a case study by Microsoft, CareGroup Healthcare System, the corporate parent of Beth Israel Deaconess Medical Center and other hospitals, needed a solution to store the electronic medical records of more than 3.5 million patients. As necessitated by HIPAA and HITECH, CareGroup needed to not only protect patient information, but run frequent audits to see who was accessing information, what information employees were looking at, what information was being modified, who was modifying information, and how many (if any) unauthorized attempts to access information were happening. After moving to a cloud provider, CareGroup was able to run these audits quickly, within 5-15 minutes, when they were requested. In addition to providing CareGroup with easy and fast access to all the data needed, CareGroup's cloud provider was able to offer data encryption with intensive levels of security that was still workable for the organization. CareGroup can encrypt data without having to occupy extensive amounts of their own IT department's time and without having to get help from an outside source, freeing up time to focus on other areas of business. [14]

Two other examples from Microsoft include Tampa General Hospital in Tampa, Florida and Excel Anesthesia, a network of anesthesiologists who work across various locations. In both cases, a system was needed that would allow employees to access data in a secure environment, regardless of where they were. Tampa General Hospital chose to use a cloud system that offered a single sign-on system to employees, who could then access information with ease (and without compromising security) without having to use the IT department's resources for retrieving passwords or usernames. The system was able to give appropriate employees ease of access, while still keeping information secure and meeting or surpassing all HIPAA requirements. [15]

Excel Anesthesia also needed to follow HIPAA regulations and was in the unique position of having employees who required access to data from several different hospitals that they were continuously traveling between. By utilizing a cloud provider, the company was able to count on a partner to keep data secure according to HIPAA regulations, making the flexible nature of their business easier to handle. Employees of Excel Anesthesia were still able to access the data they needed, but many stresses were taken off the company, as they could trust that their data was secure and no on-premise servers could now fail or be stolen or lost at any point. [16]

Salesforce, a CRM and cloud computing company, also offers various case studies in the healthcare field. Two case studies that deal specifically with HIPAA compliance in the cloud include The Schumacher Group, a healthcare staffing and outsourcing firm, and Visiting Nurse Service of New York. Both organizations were able to increase the productivity and communication between employees, offer better and more efficient care, give employees smoother access to necessary information while minimizing paperwork, and increase satisfaction among customers and employees while still keeping information secure. This was a direct result of the efficiency, safety and reliability that the cloud service was able to offer them.

A case study provided by OffsiteDataSync profiles Rochester Gynecologic & Obstetric Associate, P.C. The clinic needed a cloud solution to manage the data of 40,000 patients visiting multiple offices across the Rochester area. The clinic was concerned about having access to data even in emergencies or outages of any kind, and having a backup of all data should any of it be lost. Utilizing a cloud provider gave them not only peace of mind that information would always be available, but also provided the clinic with a way to control who accessed patient data and the ability to encrypt data so it stayed secure, even when it was being wirelessly transmitted between locations. [19]

A final case study by Becker's Hospital Review discusses Yuma District Hospital, a critical access hospital in Yuma, Colorado. Before moving to a cloud-based system, the hospital was using paper records that were stored everywhere, took up a great deal of space, and didn't allow for efficient patient care. Security was a concern when switching to a cloud-based service, but the hospital was able to implement several of the measures discussed in this white paper to ensure HIPAA compliance and keep records secure. These measures included specialized controls over who can access, print and edit files. All information was also made password protected, and encryption was used to keep data secure while being transmitted. These efforts have resulted in better service and happier patients, all while keeping data safe. [20]
Conclusion & Key Takeaways

Moving patient information to the cloud is an intimidating process for many healthcare organizations, but one that can be very beneficial to both patients and employees. Successful cloud implementation secures patient data, making it easy to access by those who need it and protecting it from those who'd abuse it.

1. Organizations should first understand HIPAA and HITECH regulations, and use those regulations to guide the security measures they put in place. Each step in the cloud process must be made with safety and security in mind.
2. The right cloud provider should first be selected, and from there a secure cloud model can be chosen.
3. As data is put into the cloud, it should be protected behind secure login systems and encrypted, so it is made unusable to anyone attempting to illegally access it.
4. Organizations must constantly monitor information in the cloud, creating reports detailing who has access to information, how information in the cloud is being used, and what security threats occur along the way.
5. Finally, data must be backed up, so healthcare organizations can rest assured that their operations can continue as quickly as possible, no matter the disaster they may face.

As evidenced by the regulations in place, the number of businesses using cloud services, and the security and efficiency cloud providers can provide, this technology is no longer the future of healthcare data storage. It is the now.
More informationHealthcare to Go: Securing Mobile Healthcare Data
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
More informationHealthcare Compliance Solutions
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
More informationHIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
More informationOCR/HHS HIPAA/HITECH Audit Preparation
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
More informationHIPAA/HITECH: A Guide for IT Service Providers
HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationDonna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
More informationTechnical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and
Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationHIPAA Security Series
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationHIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationHIPAA: Bigger and More Annoying
HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationNew HIPAA regulations require action. Are you in compliance?
New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security
More informationTable of Contents INTRODUCTION AND PURPOSE 1
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE
More informationThe HIPAA Security Rule: Cloudy Skies Ahead?
The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More informationLeveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance
ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection
More informationJoe Dylewski President, ATMP Solutions
Joe Dylewski President, ATMP Solutions Joe Dylewski President, ATMP Solutions Assistant Professor, Madonna University 20 Years, Technology and Application Implementation Experience Served as Michigan Healthcare
More informationHealthcare Compliance Solutions
Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and
More informationHow to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization
How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents
More informationRaymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP
Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor/Clinic Director Department of Communication Sciences and Disorders Financial o Employed by the University of Georgia o Non-Financial
More informationTriageLogic Information Security Policy
TriageLogic Information Security Policy What is HIPAA, and what information is protected by it? HIPAA, short for the United States Health Insurance Portability and Accountability Act, is a set of standards
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More information2014 Core Training 1
2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationHIPAA COMPLIANCE AND
INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery
More informationEnsuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services
Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority
More informationEthics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationEnsuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
More informationHIPAA Security. assistance with implementation of the. security standards. This series aims to
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationRSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationHIPAA Privacy and Security Requirements
600 East Superior Street, Suite 404 I Duluth, MN 55802 I Ph. 800.997.6685 or 218.727.9390 I www.ruralcenter.org HIPAA Privacy and Security Requirements Joe Wivoda CIO and HIT Consultant June 19, 2013 Purpose
More informationHIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
More informationSolutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
More informationWHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE
WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from
More informationEvaluating IaaS security risks
E-Guide This expert tip examines the risks organizations need to be aware of when evaluating IaaS solutions, and highlights the key architectural and process components of access management services that
More informationHIPAA Security. 1 Security 101 for Covered Entities. Security Topics
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationHIPAA compliance audit: Lessons learned apply to dental practices
HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationHIPAA, PHI and Email. How to Ensure your Email and Other ephi are HIPAA Compliant. www.fusemail.com
How to Ensure your Email and Other ephi are HIPAA Compliant How to Ensure Your Email and Other ephi Are HIPAA Compliant Do you know if the patient appointments your staff makes by email are compliant with
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS
More information