Healthcare to Go: Securing Mobile Healthcare Data
1 Healthcare to Go: Securing Mobile Healthcare Data
Lee Kim, Esq.
SANS Mobile Device Security Summit 2013, May 30, 2013
Copyright 2013 Lee Kim

2 Why Information Security is Essential for Healthcare
- Safeguard patient information from theft, loss, and misuse
- The annual cost of security breaches to the healthcare industry is over $7 billion, and 94% of healthcare organizations surveyed had at least one data breach in the past 2 years, according to the Ponemon Institute's Third Annual Benchmark Study on Patient Privacy & Data Security
- Leading causes of data breaches are the following:
  - Theft
  - Hacking
  - Virus/malware
  - Loss
  - Public access or distribution
  - Unauthorized access/use
  - Improper disposal

3 Examples of Reported Breaches
- Disabled firewall exposes patient information
- Configuration error at the password authentication level allowed a hacker to circumvent the security system
- Lost USB drives/disks containing patient information
- Theft of a laptop with an unencrypted hard drive containing patient information
- Malware leads to potential exposure of patient information
- Patient information inadvertently posted online
- Rogue employee (now ex-employee) allegedly transferred patient information to a personal account
4 Policy Drivers of Healthcare InfoSec
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - HIPAA Privacy Rule: uses and disclosures of protected health information (PHI), a type of personally identifiable information
  - HIPAA Security Rule: administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI)
- HIPAA now applies to covered entities (healthcare providers, clearinghouses, health plans) and business associates (entities working on behalf of covered entities and handling their PHI)

5 Policy Drivers of Healthcare InfoSec
- HITECH Act (part of the American Recovery and Reinvestment Act of 2009)
  - Breach notification rule
  - Business associates directly liable for HIPAA obligations
- HIPAA Omnibus Rule
  - Modifies HIPAA and HITECH requirements
  - Breach Notification Rule (replaces the HITECH rule)
  - Updates the HIPAA Privacy and Security Rules and changes/clarifies HITECH obligations
  - Effective date: March 26, 2013
  - Compliance date: September 23, 2013

6 Policy Drivers of Healthcare InfoSec
- Super sensitive information
  - Protected by federal and state laws (e.g., HIV/AIDS, drug and alcohol abuse, mental illness)
  - While HIPAA may permit the exchange of information, if a more stringent law/regulation applies, then you must abide by that.
- Cybercrime
  - Healthcare information is extremely valuable (including in the financial sense)
  - Identity theft
  - Alteration of medical records or other patient information or data may lead to patient harm or death
7 Government Audits
- HITECH Act Section requires the US Department of Health and Human Services (HHS) to perform periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Standard requirements
- HHS Office of Civil Rights (OCR) commenced audits in November 2011 (ongoing)
- Large and small healthcare providers, hospitals, health plans, and physician practices were audited in 2012
- Audits will also include business associates (entities performing a function on behalf of a covered entity that involves PHI)
- Corrective action plans and fines may result

8 Government Audits
- The OCR HIPAA Audit Program analyzes processes, controls, and policies to determine HIPAA compliance for entities that create, receive, or retain electronic protected health information (ePHI)
- Healthcare providers and health plans have been audited under the program
- Business associates (those that work for covered entities and handle their PHI) will be audited
- OCR has found from its audits that the lack of HIPAA compliance was because the entity was unaware of the requirement, in spite of the rules stating exactly what the entity needs to do to comply

9 Government Audits: Results of the 2012 OCR HIPAA Audit Program
- No findings or observations for 11% of the entities
- Security accounted for 60% of the findings and observations for virtually all entities
- No complete and accurate risk assessment (risk analysis) for two-thirds (2/3) of the entities
- Security addressable implementation specifications
  - Addressable does not mean optional; they must be implemented if reasonable and appropriate
  - Almost every entity could have fully implemented the addressable implementation specification
- Small entities struggled with HIPAA compliance across the board
10 HIPAA Security Rule: The Basics
- The HIPAA Security Rule has the following:
  - Security standards
  - Implementation specifications
    - Required
    - Addressable (not optional): must be implemented if reasonable and appropriate
- The HIPAA Security Rule is technology-neutral
- Policies and procedures need to be in place
- Criminal and civil liabilities for HIPAA violations (including the Security Rule)

11 HIPAA Security Rule: The Basics
- The entity must appoint a HIPAA Security Official for the organization who oversees the development, implementation, monitoring, and communication of security policies and procedures in accordance with the Security Rule
12 HIPAA Security Compliance: Building the Foundation
- The cornerstones of an effective HIPAA Security compliance program include:
  - Ongoing risk analysis and risk management
  - Routine information system reviews
    - This should include mobile devices, whether employer-supplied or employee-provided (BYOD)
    - There may be restrictions on what can be reviewed for BYOD devices
    - If activity cannot be reviewed, document whether this is reasonable and the rationale for not reviewing (if that is the case)

13 HIPAA Security Compliance: Building the Foundation
- Securing and protecting all health information
  - With mobile devices, ensure that the information is protected when used in public, on site, and at remote locations
- Authorization, supervision, and clearance for those who can access, receive, transmit, retain, or otherwise exchange ePHI on mobile devices
- Sanctions for non-compliance by workforce members
  - Including and up to termination
14 HIPAA Security Rule: Best Practices
- Implement a security framework
  - E.g., HITRUST, NIST, ISO, etc.
- Consider the different types of healthcare data, access and roles, and data usage
  - Healthcare data: administrative or clinical
    - Consider the sensitivity of the data
  - Access and roles: clinical staff vs. non-clinical staff (e.g., office manager, billing clerk, appointment scheduler, etc.)
  - Data usage: workflow, storage, retrieval

15 HIPAA Security Rule: Best Practices
- Conduct risk analysis and risk management on a regular (continuous) basis
  - Understand the potential threats and vulnerabilities
    - Outside your organization
    - Inside your organization
      - Insider threats
      - Unauthorized use/access
  - Understand the impact of the threat/vulnerability
- Ensure accuracy of policies and procedures
- Ensure the workforce is trained and periodic training occurs
- Monitor user and system activity

16 HIPAA Security Rule: Best Practices
- Establish a security incident management program
  - Develop a security incident management process
    - Detect events and declare security incidents
    - Respond to and recover from security incidents
    - Address and report security incidents (including breaches)
  - Organizational resilience
    - Continuity of patient care and coordination of care
    - Business continuity
  - Engage law enforcement when necessary or prudent (with authorization from the organization's stakeholders)

17 HIPAA Security Rule: Best Practices
- Risk management
  - What are you doing to manage the risks, and how can you lower the risks through policies, training, and access controls?
  - Consider following NIST guidance to lower risks.
- Make sure your business associates and subcontractors are complying with HIPAA (including downstream business associates).
  - Make sure expectations are clearly spelled out in business associate and subcontractor agreements.
18 HIPAA Security Rule: Application to mHealth
- When do we need to worry about HIPAA with mobile devices, mobile applications, and medical devices?
  - Is it being used to create, receive, retain, transmit, or otherwise exchange ePHI?
  - If yes, then HIPAA applies!
19 HIPAA Security Rule: Risk Analysis
- What are the potential threats and vulnerabilities for mobile devices, and how critical are they (e.g., low, medium, high)?
  - Inherent risks with mobile/medical devices
  - Attack vectors may be different for mobile devices: hardware, wireless eavesdropping, software (including the web browser), user-layer attacks, availability attacks
  - Malware is evolving and increasingly machine-generated

20 HIPAA Security Rule: Risk Analysis
- What are the potential threats and vulnerabilities for mobile/medical devices, and how critical are they (e.g., low, medium, high)?
  - Inherent risks:
    - Easily portable and therefore easily stolen
    - Wireless network connection (instead of wired)
    - Battery (limited power)
    - Rogue applications
    - Loss of devices
    - Unauthorized users or entities getting access to ePHI

21 HIPAA Security Rule: Risk Analysis
- What are the potential threats and vulnerabilities for mobile/medical devices, and how critical are they (e.g., low, medium, high)? (cont'd)
  - Virus/malware
  - Phishing
  - User error (e.g., inadvertent posting to social media)
  - Application error/misconfiguration
  - Data mining
22 HIPAA Security Rule: Risk Analysis (Know Where and What the Data Is)
- Where is my ePHI?
  1. What mobile apps, mobile devices, and medical devices are used to create, transmit, receive, or maintain the ePHI?
  2. Is the ePHI stored on the device itself (e.g., , text message, etc.), as opposed to in a mobile app?
  3. Does the mobile app developer create, receive, maintain, or transmit ePHI on your behalf?
  4. Is the ePHI encrypted (at rest, in motion, archived)?

23 HIPAA Security Rule: Risk Analysis (Know Where and What the Data Is)
- Practice tip:
  1. Make an inventory list of the mobile apps, mobile devices, and medical devices which handle PHI, the type of PHI, and what is done with the PHI.
  2. Do an assessment of the risks given the inventory list.

24 HIPAA Security Rule: Risk Analysis: Questions to Ask the Developer
- How is the PHI secured?
- If the developer handles the PHI, what are its policies, procedures, and training?
- How secure is the mobile app/device itself?
  - Have the security controls been validated? (E.g., a FIPS-validated encryption module)
- Who holds the key(s) for encryption/decryption? The developer or you?
- Is the information encrypted at rest, in transit, and archived?
25 HIPAA Security Rule: Risk Analysis: Gap Analysis
- Where are the gaps in my risk analysis? (What have I not considered?)
  - Example: How is my mobile device communicating ePHI with other servers, medical devices/components, patient mobile devices (not regulated by HIPAA), BYOD or employer-provided mobile devices, etc., and what types of ePHI are involved?
  - Example: Have I considered the security of the network and the software interfaces/connection points? (Holistic approach)
26 HIPAA Security Rule: Risk Analysis: Factors to Consider
- Authentication
  - Complex passwords
- Encryption (data at rest, in transit, and archived)
- Segregating BYOD network traffic from other traffic
- Network flow analysis
- Intrusion detection system
- Mobile device management
- Preventing and detecting rogue network devices (evil twin)
- Remote lock and wipe functionality
- Anti-virus and anti-malware protection

27 HIPAA Security Rule: Risk Analysis: Factors to Consider
- Operating system, firmware, application, middleware, interface, etc. updates (mobile devices and medical devices, including software and hardware components in between, and network connectivity)
- Timely account de-provisioning (revoking system access: local and remote)
- Mobile applications
  - Is the data remotely or locally stored?
  - Does it comply with the HIPAA Privacy Rule (e.g., use and disclosure of PHI) and Security Rule (e.g., technical safeguards)?
  - Is the data encrypted, and who has the key?

28 HIPAA Security Rule: Risk Analysis: Factors to Consider
- Secure web browser
- Secure
- Social media (shortened links that lead to malware; improperly posting ePHI)
- Texting and videoconferencing (none vs. secure end-to-end solutions)
- Camera/microphone (improperly recording PHI)
- Remote hosting of data (vs. local storage on a device that may be lost or stolen, etc.)
- Media re-use and disposal
  - Has the ePHI/data really been destroyed?

29 HIPAA Security Rule: Risk Analysis: Factors to Consider
- Backing up of data
  - Are the backups encrypted?
- Network type and connectivity
30 HIPAA Security Rule: Risk Management (The Basics)
- Always keep in mind the need to ensure confidentiality, integrity, and availability of PHI and to manage the risks identified in the risk analysis.
  1. Based on the risk analysis, what are the risks that are medium and high? I.e., the likelihood of exploitation and the impact of the threat/vulnerability
  2. What medium and high risks can be lowered through policies, training, and access controls?
- If the risks can be lowered, then the risk analysis needs to be revised and the documentation needs to be updated.
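The two risk-management steps above (rate each threat's likelihood and impact as low/medium/high, then re-rate after controls lower the risk), worked through as an added example that is not part of Lee Kim's slides; it starts from the inventory step of slide 23, and the sample assets, the threat set and the way each control shifts a rating are constructed assumptions rather than a published scale.

```python
"""Qualitative ePHI risk register for a mobile-device inventory.

Added example, not from the original slides. It walks the deck's steps:
  inventory the apps/devices that handle PHI (slide 23),
  rate likelihood and impact of each threat as low/medium/high (slide 30, step 1),
  pull out the medium and high risks,
  apply controls from the "factors to consider" slides and re-rate (step 2).
The assets, the threat list and how each control changes a rating are
constructed assumptions for illustration, not a published scale.
"""
from dataclasses import dataclass, replace

LEVELS = {"low": 1, "medium": 2, "high": 3}
THREATS = ("theft_or_loss", "malware", "unauthorized_access")


@dataclass(frozen=True)
class Asset:
    """One inventory entry: what the device is, what PHI it holds, which controls it has."""
    name: str
    phi_type: str            # "clinical" or "administrative"
    byod: bool               # employee-provided device
    encrypted_at_rest: bool
    remote_wipe: bool        # remote lock and wipe functionality
    mdm_enrolled: bool       # mobile device management enforces passcode/authentication
    os_patched: bool         # timely OS/firmware/application updates


def risk_level(likelihood, impact):
    """Map a likelihood x impact pair onto a 3x3 matrix: 1-2 low, 3-4 medium, 6-9 high."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rate(asset, threat):
    """Return (likelihood, impact) for one threat against one asset (assumed rules)."""
    # Clinical PHI (diagnoses, notes) is treated as higher impact than administrative PHI.
    impact = "high" if asset.phi_type == "clinical" else "medium"
    if threat == "theft_or_loss":
        likelihood = "high"  # easily portable, therefore easily stolen
        # Encryption at rest plus remote wipe turns a lost device into a low-impact event.
        if asset.encrypted_at_rest and asset.remote_wipe:
            impact = "low"
        elif asset.encrypted_at_rest or asset.remote_wipe:
            impact = "medium"
    elif threat == "malware":
        if not asset.os_patched:
            likelihood = "high"
        else:
            likelihood = "medium" if asset.byod else "low"  # BYOD: less control over apps
    elif threat == "unauthorized_access":
        likelihood = "low" if asset.mdm_enrolled else "high"
    else:
        raise ValueError(f"unknown threat: {threat}")
    return likelihood, impact


def findings(inventory, minimum="medium"):
    """List (asset, threat, level) for every risk at or above `minimum`."""
    out = []
    for asset in inventory:
        for threat in THREATS:
            level = risk_level(*rate(asset, threat))
            if LEVELS[level] >= LEVELS[minimum]:
                out.append((asset.name, threat, level))
    return out


def apply_controls(asset):
    """Step 2: the technical controls the deck lists, applied to one asset."""
    return replace(asset, encrypted_at_rest=True, remote_wipe=True,
                   mdm_enrolled=True, os_patched=True)


# Constructed sample inventory (step 1 of the practice tip).
INVENTORY = [
    Asset("nurse-tablet-01", "clinical", byod=False, encrypted_at_rest=False,
          remote_wipe=False, mdm_enrolled=False, os_patched=True),
    Asset("billing-phone-07", "administrative", byod=True, encrypted_at_rest=True,
          remote_wipe=False, mdm_enrolled=False, os_patched=False),
]


def revised_register(inventory):
    """Risk analysis before and after controls; the 'after' list is what the
    revised documentation should record."""
    return {
        "before": findings(inventory),
        "after": findings([apply_controls(a) for a in inventory]),
    }


if __name__ == "__main__":
    for stage, rows in revised_register(INVENTORY).items():
        print(stage)
        for name, threat, level in rows:
            print(f"  {level:6}  {name:18} {threat}")
```

With the sample inventory every asset starts with at least one high risk, and after the controls are applied nothing remains above medium, which is the state the revised risk analysis should document.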
31 HIPAA Security Rule: Risk Management: Factors to Consider
- How secure is the PHI? (At rest, in transit, archived)
- Is the PHI reasonably available?
  - Is the application and data (PHI) reasonably available?
  - Is there an ability to export the PHI in a non-proprietary format for interoperability purposes or to migrate the information to another app or device?
  - In the event of a disaster or emergency, can the mobile data (and access to it via the mobile app/device/portal) enable business continuity?
  - Consider: the sum total of mobile data in the aggregate across all mobile users in an organization.
32 HIPAA Security Rule: Risk Management: Third Parties
- What are the business associates and subcontractors doing with your data?
- Under the HIPAA Omnibus Rule, business associates include the following (if they handle the healthcare provider's, health plan's, or clearinghouse's PHI):
  - Cloud providers
  - Health information exchanges
  - Health information organizations
  - e-Prescribing gateways
  - Personal health record vendors
  - Subcontractors

33 HIPAA Security Rule: Risk Management: Business Associates & Subcontractors
- What are the business associates and subcontractors doing with your ePHI?
  1. Perform due diligence (e.g., review of Security Rule policies and procedures, training, network/security infrastructure documents, etc.)
     - Is the business associate or subcontractor located in the US?
     - Where are the hosting facilities and data centers located?
  2. Obtain a business associate agreement/subcontractor agreement and set forth the expectations
     - Consider whether you want to permit business associates/subcontractors to use de-identified (non-personally identifiable) health information (e.g., data mining risk)
34 Questions/Contact Information
Lee Kim, Esq.
Tucker Arensberg, P.C.
One PPG Place, Pittsburgh, PA
(412) (work)
(412) (cell)
35 References
- HIPAA Omnibus Rule
- OCR and NIST Security Rule Guidance, urityrule/securityruleguidance.html
- NIST Computer Security Guidance (Special Publications)
- mHIMSS Mobile Privacy & Security Toolkit
- HIPAA Audits

36 References
- OCR HIPAA Audit Program Protocol, /protocol.html
- Breaches Affecting 500 or More Individuals, achnotificationrule/breachtool.html
- Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, achnotificationrule/brguidance.html
- Safeguarding Health Information: Building Assurance through HIPAA Security

37 References
- Nationwide Rollup Review of the Centers for Medicare & Medicaid
- Federal Risk and Authorization Management Program
- OWASP Mobile Security Project - Top Ten Mobile Risks, le_security_project_-_top_ten_mobile_risks
- Validated FIPS and FIPS Cryptographic Modules

38 References
- HITRUST Common Security Framework, k/
- ANSI/AAMI/IEC :2010, Application of risk management for IT Networks incorporating medical devices - Part 1: Roles, responsibilities and activities
- Direct: Implementation Guidelines to Assure Security and Interoperability, entation_guidelines_to_assure_security_and_interoperability.pdf

39 References
- Health IT Policy Committee Privacy & Security Tiger Team
- NIST Cybersecurity Framework Workshop
- NIST National Cybersecurity Center of Excellence
- Third Annual Benchmark Study on Patient Privacy & Data Security, /Third_Annual_Study_on_Patient_Privacy_FINAL.pdf

40 References
- 2nd Annual HIMSS Mobile Technology Survey, pubid=81559&tid=131
- World Privacy Forum
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationCompliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations
Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased
More informationLeveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance
ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection
More informationDeciphering the Safe Harbor on Breach Notification: The Data Encryption Story
Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their
More information3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?
HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed
More informationHIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
More informationHIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability
More informationThe benefits you need... from the name you know and trust
The benefits you need... Privacy and Security Best at Practices the price you can afford... Guide from the name you know and trust The Independence Blue Cross (IBC) Privacy and Security Best Practices
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
More informationEthics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746
More informationHIPAA Security Education. Updated May 2016
HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationOCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationLessons Learned from HIPAA Audits
Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationMedicare & Medicaid Services Efforts to Address Prior Office of Inspector General Findings After the 2008 audit
DEPARTMENT OF HEALTH & HUMAN SERVICES Office of Inspector General Washington, D.C. 20201 May 16, 2011 TO: Georgina Verdugo Director Office for Civil Rights FROM: /Daniel R. Levinson/ Inspector General
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationHIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
More informationUsing Data Encryption to Achieve HIPAA Safe Harbor in the Cloud
Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationOCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013
ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches
More informationOCR/HHS HIPAA/HITECH Audit Preparation
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationHealth Homes Implementation Series: NYeC Privacy and Security Toolkit. 16 February 2012
Health Homes Implementation Series: NYeC Privacy and Security Toolkit 16 February 2012 1 Agenda What are the New York ehealth Collaborative (NYeC) and the Regional Extension Center? What are Health Homes?
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationProtecting Patient Information in an Electronic Environment- New HIPAA Requirements
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationNew HIPAA regulations require action. Are you in compliance?
New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationSAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
More information