1 HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010
2 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment CSF Assurance Program Overview Case Study
3 Presenters John Christiansen Faculty, Information School at University of Washington Managing Director/Attorney, Christiansen IT Law Michael Frederick Chief Information Security Officer, Baylor Health Care System Cliff Baker Chief Strategy Officer, HITRUST
4 Regulatory Background
5 Legal Background Roots of Meaningful Use U.S. Office of National Coordinator for Health Information Technology (ONC) (est. 2004) National Health Information Network (NHIN), regional and local health information organizations (RHIOs and LHIOs), interoperable electronic health records, EHR certification, etc. Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of American Recovery and Reinvestment Act of 2009 (ARRA) Enhanced privacy and security protections, standards development and certification infrastructure for EHRs and health information exchange Financial incentives for EHRs
6 Legal Background Financial incentives Eligible professionals (EPs) may seek incentive under Medicare or Medicaid (not both) Medicare: Up to $18,000 in calendar year 2011 or 2012, to five year cap of $44,000 Medicaid: Maximum of $63,750 over six years, $21,250 maximum in first year Single employer (physician practice, etc.) may aggregate all EP incentives
7 Legal Background Financial incentives Hospitals Both Medicare and Medicaid possible Complicated formula, base of $2 million for up to 1,149 acute care inpatient discharges for prior 12 months, plus $200 for each additional discharge up to 23,000, to maximum of $6,370,200, plus transition factors Multi-campus hospital systems under same provider number considered one hospital (with some adjustments) Possible legislative fix in Congress
8 Legal Background Financial incentives Must demonstrate compliance with meaningful use criteria Stage 1 criteria: published in July 2010 (our current concern) Stage 2 to be issued 2011 Stage 3 to be issued 2013
9 Legal Background How to get the money Medicare hospitals EPs must attest, through secure mechanism approved by CMS, that they have satisfied the required objectives and associated measures of Calendar years 2011 and after (no provision for demonstration), except that EPs using certified EHR need not attest until CFR 495.8;
10 Legal Background How to get the money Medicaid providers must attest: This is to certify that the foregoing information is true, accurate, and complete. I understand that Medicaid EHR incentive payments submitted under this provider number will be from Federal funds, and that any falsification, or concealment of a material fact may be prosecuted under Federal and State laws. (42 CFR )
11 Legal Background 42 CFR (a) (EPs), (b) (hospitals): Stage 1 objectives and associated measures (d)(15)(eps), (f)(14)(hospitals): (i) Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. (ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
12 Legal Background The objective is appropriate technical capabilities The measure is whether a HIPAA risk analysis has been conducted, security updates have been implemented and security deficiencies have been corrected Is the risk analysis only required to consider technical capabilities? Probably not.
13 Legal Background Measure: Can you attest that you have implemented/ complied with the Risk Analysis standard without looking at non-technical risks? The standard: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. (45 CFR (a)(1)
14 Legal Background Measure: Can you attest that you have implemented security updates and corrected security deficiencies without looking at non-technical risks? The standard: A security update would be required if any security deficiencies were identified during the risk analysis. A security update could be updated software for certified EHR technology to be implemented as soon as available, to changes in workflow processes, or storage methods or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.
15 Legal Background What are appropriate technical capabilities? The ONC final rule specifies certain capabilities that must be in certified EHR technology. For the objective we simply mean that a technical capability would be appropriate if it protected the electronic health information created or maintained by the certified EHR technology. All of these capabilities could be part of the certified EHR technology or outside systems and programs that support the privacy and security of certified EHR technology. We could not develop an exhaustive list. It depends.
16 Legal Background HIPAA risk analysis standard The required risk analysis is also a tool to allow flexibility for entities in meeting the requirements of this final rule. The risk analysis requirement is designed to allow entities to look at their own operations and determine the security risks involved. The degree of response is determined by the risks identified. Application of HIPAA Risk Analysis to EHR technical capabilities for determination of appropriate updates and corrections requires analysis of EHR administrative, physical safeguards to identify possible technical risks
17 Legal Background Risks associated with attestation A commenter indicated that attestation is an insufficient means to hold providers accountable for the expenditure of public funds and to protect against fraud and abuse. We likewise are concerned with the potential fraud and abuse. However, Congress for the HITECH Act specifically authorized submission of information as to meaningful use through attestation. CMS is developing an audit strategy to ameliorate and address the risk of fraud and abuse.
18 Legal Background Risks associated with attestation CMS (Medicare) and states may review an EP, eligible hospital or CAH s demonstration of meaningful use. (42 CFR 495.8) States required to annually collect and verify information regarding the efforts to adopt, implement, or upgrade certified EHR technology and the meaningful use of said technology before making any payments to providers. (42 CFR )
19 Legal Background Risks associated with attestation States required to Ensure the qualifications of the providers who request Medicaid EHR incentive payments Detect improper payments Refer suspected cases of fraud and abuse to the Medicaid Fraud Control Unit Take corrective action in the case of improper EHR payment incentives to Medicaid providers. (42 CFR )
21 Legal Background Managing risks associated with attestation Risk analysis is a process, not a product Follow HIPAA flexible factors and reasonable and appropriate standards in determining updates and corrections Show due diligence in risk identification and update and correction implementation Use appropriate professional expertise Incorporate best practices information from industry, professional communities Strongly consider use of outside expertise
22 Legal Background Supporting attestation Make sure attesting officer is properly informed about risks, updates, corrections, etc. Create and retain supporting documentation file In any field where officer does not have appropriate expertise, ensure s/he is briefed and provided with supporting documentation from appropriate experts Good business judgment is the attesting officer s best friend Show your work! Document risk analysis process and findings Document implementation of updates and corrections Providers must retain documentation supporting their demonstration of meaningful use for 6 years after attestation HIPAA has same document retention period John R. Christiansen, Esq., Christiansen IT Law
23 CSF Assurance Program Simplified Risk Assessment
24 Overview of CSF Assurance Program Efficient risk assessment process Referenced by Office of Civil Rights in risk assessment guidance dance.pdf Designed to cost-effectively gather the information about security controls that is required to appropriately understand and mitigate risk Leverages defined, reasonable controls in the HITRUST Common Security Framework, the most broadly adopted security control framework in the healthcare industry Streamlines risk determination analysis by prioritizing areas based on analysis for breach data for the healthcare industry Formal and credible report for internal and external reporting Benchmarking data Recommendations for remediation
25 Risk Assessment Methodology (NIST, ISO) Likelihood Impact Risk Controls Residual Risk HITRUST Risk Areas Determined based upon analysis of breach data Significantly simplified for organizations HITRUST Common Security Framework Reasonable practice
26 Key Components of CSF Assurance Program Standardized tools and processes Questionnaire Focus assurance dollars to efficiently assess risk exposure Measured approach based on risk and compliance Ability to escalate assurance level based on risk Worksheet for reporting compliance Report Output that is consistently interpreted across the industry Cost effective and rigorous assurance Multiple assurance options based on risk Quality control processes to ensure consistent quality and output across CSF Assessors
27 High Risks for Healthcare Organizations Insecure and/or unauthorized removable/transportable media and laptops (internal and external movements) Insecure and/or unauthorized external electronic transmissions of covered information Insecure and/or unauthorized remote access by internal and third-party personnel Insider snooping and data theft Malicious code and inconsistent implementation and update of prevention software Inadequate and irregular information security awareness for the entire workforce Lack of consistent network isolation between internal and external domains Insecure and/or unauthorized implementation of wireless technology Lack of consistent service provider, third-party and product support for information security Insecure web development and applications Ineffective password management and protection Ineffective disposal of system assets
28 Questionnaire Common Healthcare Information Protection (CHIP) Questionnaire: Innovative approach to assess the quality of information protection practices in an efficient manner Focus on the security capabilities and outcomes of an organization Leverages key measures and benchmarking Structured according to the highrisk areas identified in the CSF, which reflect the controls required to mitigate the most common sources of breaches for the industry
29 Benchmark Data PRISMA SCORE Organization Benchmark Orgs
30 HIPAA Compliance Scorecard Standardized output that is consistently interpreted across the industry HIPAA Compliance Scorecard produced for each HIPAA security requirement
31 Assurance Multiple assurance options: Self reporting Remote testing conducted by a CSF Assessor that includes interviews with key personnel and the review of organization charts, policies, procedures and other third-party testing that may have recently been conducted On-site assessment conducted by a CSF Assessor that includes remote testing and the review of system configurations and physical walk-throughs
32 Conducting your Meaningful Use Risk Assessment Five steps to getting started with the CSF Assurance program: 1. Visit for more information on performing your meaningful use risk assessment* 2. Identify your scope 3. Perform a self assessment using the Common Healthcare Information Protection (CHIP) Questionnaire and the Compliance Worksheet** 4. Submit your CHIP to HITRUST as instructed in the questionnaire 5. Obtain a HITRUST CSF Validated Report with benchmarking data * For other assurance options, including remote and on-site assessments via a third party CSF Assessor, please visit ** A Compliance Worksheet only needs to be completed where a compliance scorecard is required
33 CSF Assessors 32
34 Case Study
35 Background on BCHS Information Security Baylor Health Care System is a not-for-profit medical network that serves seven counties in the Dallas-Fort Worth metro area through more than a dozen hospitals and medical centers. 20,000 employees Baylor Health Care System (BHCS) has a dedicated department, the Office of Information Security (OIS), assigned the responsibility of information security reporting to the Chief Information Security Officer. Department has three groups: Information Assurance, Monitoring and Response, and Identity Management. All three groups consists of 22 dedicated full-time employees Variety of certifications including CISSP, CISA, CBLE, CBCP, CeH, GIAC, and HITRUST CSF Practitioner.
36 BCHS Deployed Security Tools Host-based firewalls Workstation encryption Asset management and recovery Compliance configuration management for servers and workstations Wireless access point control and management Anti-malware Anti-spyware Inventory scanning Vulnerability scanning Web application vulnerability scanning Hard drive disk wiping Copy machine disk wiping Intrusion prevention system Enterprise class perimeter firewalls Web proxy gateway and encryption Log aggregation and correlation Intrusion detection system SFTP server SSL VPN Identity, access, and role management Multifactor authentication security tokens Remote access gateway Online learning tool
37 Steps in BCHS Approach to Security Risk Assessment 1. Determine Scope 2. Prepare for Assessment 3. Report 4. Track and Measure Progress Applications, interfaces, infrastructure -Focus on high risk areas -Identify individuals responsible for key control areas -Conduct top down enterprise control analysis -Do not get stuck in the weeds Report on findings and remediation plan -Track progress against industry benchmarks -Focus on measures HITRUST Scoping Template -HITRUST High Risk List -HITRUST CHIP -HITRUST/NIST PRISMA -HITRUST CSF Validated Report -Corrective Action Plan Template HITRUST CSF Validated Report
38 Background on BCHS Information Security Interview roles: Web application manager Internal audit Security assurance manager (risk management, business continuity management, vulnerability management, training and awareness, security policies) Monitoring and response manager Server engineering Desktop engineering Human resources Access and identity management Application developer
39 Background on BCHS Information Security Documents review: Asset inventory with risk classification Network diagram Organization chart Business Associate Agreement template Risk assessment program Application assessment questionnaires Sample web application assessments Sample network vulnerability assessments Sample attack and penetration report Project/engagement hierarchy
40 Background on BCHS Information Security Documents review (continued): Business continuity management program Business Impact Analysis templates Business continuity plan template Disaster recovery plan template Sample business continuity and disaster recovery plans Sample security awareness and training materials Policies and standards framework Policy and standards third party review report Incident monitoring and response program and associated procedures Security council charter
41 Lessons Learned Healthcare providers have challenges you will have gaps Assessment methodology Sound NIST based approach Very efficient approach Credibility with executives and regulators Positions us well for meaningful use but also helps us address longer term goals and maintain HIPAA compliance
42 For More Information: For more information on the CSF Assurance Program visit: For a list of HITRUST CSF Assessors visit: For assistance, contact:
MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Advisor, Health Information Trust Alliance 2011-2014 HITRUST LLC, Frisco,
MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, ASEP, CCSFP CISO & VP, CSF Development & Implementation Health Information Trust Alliance
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt
HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change
Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
Security, Privacy and Other Compliance Risks From Evolving Meaningful Use and HIPAA Guidelines Bruce A. Metz, PhD Chief Information Officer Thomas Jefferson University November 3, 2010 Agenda Understanding
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability
Watch the Replay on YouTube OIG Security Audit: What You Need To Know Executive Series Webinar July 23rd, 2015 Today s Speakers Elana R. Zana Attorney & Author Ogden Murphy Wallace P.L.L.C. email@example.com
4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
Preparing for HIPAA and Meaningful Use Compliance Audits Presented by: David Holtzman VP of Compliance, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 firstname.lastname@example.org
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance
How to Use the NYeC Privacy and Security Toolkit V 1.1 Scope of the Privacy and Security Toolkit The tools included in the Privacy and Security Toolkit serve as guidance for educating stakeholders about
Health & Life sciences breach security program David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences Overview 1. Healthcare Security Research / Directions 2. Healthcare
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY S OVERSIGHT OF THE TESTING AND CERTIFICATION OF ELECTRONIC HEALTH
Health IT and Meaningful Use Update Nebraska Healthcare Quality Forum June 4, 2014 Barbara E. Person and Michael W. Chase Baird Holm LLP #1258792 HIPAA - Breaking News! Office for Civil Rights (OCR) will
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
Compliance, Incentives and Penalties: Hot Topics in US Health IT Table of Contents Introduction... 1 The Requirements... 1 PCI HIPAA ARRA Carrot and Stick How does third party assurance fit into the overall
HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
Technology Help Desk 412 624-HELP  technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction
Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA
CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
Strategies for Integra.ng the HIPAA Rule Kaiser Permanente: Charles Kreling, Execu.ve Director Sherrie Osborne, Director Paulina Fraser, Director Professional Strategies S21 2013 Fall Conference Sail to
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
Federal Fraud and Abuse Laws Remaining in Compliance while Attesting to Meaningful Use 1 Overview This presentation provides an overview of key Federal laws aimed at preventing healthcare fraud and abuse
View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System
Securing Patient Portals What you need to know to comply with HIPAA Omnibus and Meaningful Use Brian Selfridge, Partner, Meditology Services, LLC Blake Sutherland, VP Enterprise Business, Trend Micro Brian
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
OIG Security Audits of EHR Incentive Program Participants April 12-16, 2015 David G. Schoolcraft and Elana R. Zana Attorneys Ogden Murphy Wallace, P.L.L.C. 1 DISCLAIMER: The views and opinions expressed
Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on
Santa Rosa Presents Webinar Series Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid February 11, 2011 Chris Apgar, CISSP President Overview ARRA & Meaningful Use Rule Overview
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
Health Homes Implementation Series: NYeC Privacy and Security Toolkit 16 February 2012 1 Agenda What are the New York ehealth Collaborative (NYeC) and the Regional Extension Center? What are Health Homes?
www.getrealhealth.com Meaningful Use Overview We are at the forefront of the patient engagement era. The American Recovery and Reinvestment Act of 2009 included the Health Information Technology for Economic
Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,
What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics
ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,
HIPAA Security Compliance Reviews Elizabeth S. Holland, MPA Office of E-Health Standards and Services Centers for Medicare & Medicaid Services U.S. Department of Health and Human Services 1 2 What is HIPAA?
Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework Introduction This presentation is intended to address how an organization can implement the HITRUST Risk Management
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
LANDesk Solutions Descriptions Proven LANDesk Solutions IT departments face pressure to reduce costs, reduce risk, and increase productivity in the midst of growing IT complexity. More than 4,300 organizations
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
InfoGard Healthcare Services 10 Steps To Protect My Covered Entity From Breach Your Presenters Alan Martin Account Manger Marvin Byrd Security Engineer Test and Certification Laboratory Healthcare Payment