InfoGard Healthcare Services. 2015 InfoGard Laboratories Inc.


InfoGard Healthcare Services

10 Steps To Protect My Covered Entity From Breach

Your Presenters: Alan Martin, Account Manager; Marvin Byrd, Security Engineer

Test and Certification Laboratory: Healthcare, Payment Systems, Federal Programs

Healthcare Services
- ONC HIT Certification Program: Accredited Testing Laboratory and Authorized Certification Body for Electronic Health Records (EHR)
- DEA EPCS Certification Program: Approved Certifying Organization
- Security Risk Assessment (SRA) and Analysis for MU and HIPAA
InfoGard was the first organization approved by the DEA to test and certify applications for Electronic Prescriptions for Controlled Substances (EPCS).

HIPAA Security Rule
The HIPAA Security Rule (45 CFR 164.308) requires that an organization "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

Civil Enforcement
Department of Health & Human Services (HHS), Office for Civil Rights (OCR). OCR is authorized to levy fines starting from $10,000 in cases of willful neglect of compliance.

HIPAA Facts
Over the past two years:
- 91 percent of healthcare organizations had at least one data breach
- 39 percent experienced two to five data breaches
- 40 percent had more than five data breaches
- two-thirds of respondents do not offer any protection services for patients whose information has been breached
Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

HIPAA Facts
A patient's record can be worth as much as $50 on the black market, while a credit card or social security number is valued at only around $1: a 50x difference.

The Ten Steps

STEP 1: Security Risk Assessment
Identify the risks. It is essential to use staff trained in SRAs or an outside expert. The HIPAA Security Rule is a great resource. Put yourself in the mind of an attacker and consider how they would attempt to gain access to EPHI. Consider all reasonable types of attackers and threats.

Liability in Detail (Source: American Medical Association)

Negligence: the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision
  Minimum: $100/record, total of $25,000 cumulative for breach group
  Maximum: $50,000/record, total of $1.5 million cumulative for breach group

Negligence: the violation was due to reasonable cause and not to willful neglect
  Minimum: $1,000/record, total of $100,000 cumulative for breach group
  Maximum: $50,000/record, total of $1.5 million cumulative for breach group

Negligence: the violation was due to willful neglect AND the violation is corrected
  Minimum: $10,000/record, total of $250,000 cumulative for breach group
  Maximum: $50,000/record, total of $1.5 million cumulative for breach group

Negligence: the violation was due to willful neglect AND the violation is not corrected
  Minimum: $50,000/record, total of $1.5 million cumulative for breach group
  Maximum: $50,000/record, total of $1.5 million cumulative for breach group

STEP 2: Risk Management Plan
- Identify the threats and their risk level.
- Decide how each threat is going to be addressed.
- Assign a time frame for when the controls should be implemented.
- Assign the necessary resources.
- Assign responsibility to a staff member.

STEP 3: Gap Analysis
Evaluate security controls to ensure that they are providing the expected protections.
- Review password guidelines.
- Verify compliance.
- Test effectiveness.
- Check that new software is configured correctly.
- Test contingency plans.

STEP 4: Train Staff
Keep your staff trained and aware of security issues. Making staff aware of security controls can be the easiest way to secure EPHI. Staff training comes in two categories:
- Ensuring they have the capabilities to perform their job function.
- Ensuring that they are knowledgeable about the policies and procedures currently in place.

STEP 5: Network Protection
Vulnerability scanning:
- External vulnerability scanning is critical to know that your infrastructure is safe from the external world.
- Internal vulnerability scanning can reveal ways that the infrastructure could be compromised from internal use.
Anti-malware software can address a large percentage of vulnerabilities at a low cost. Keep it up to date, as new malware is being created every day!

STEP 6: Contingency Planning
When a disaster occurs, normal operating procedures may quickly become obsolete, especially if human life is at stake. Keeping a set of policies and procedures on how to respond in the event of a disaster is critical for business continuity and for ensuring that health care information remains safe. Having an established chain of command and decision-making process will help organize staff members. Having current staff exercise the contingency plan will avoid a lot of confusion when time is critical.

STEP 7: Monitor Access
Control authorized access to PHI. Review:
- IT access logs
- Physical access tokens
Set up automatic alerts for suspicious access. A quick response might make the difference between ending up on the breach list or just facing a few fines. Account for all physical tokens to prevent unauthorized access.
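The "automatic alerts for suspicious access" this step calls for need concrete rules run over the audit log. The following is an added example, not code from InfoGard or from the deck: it parses a constructed EHR access log and flags three patterns a reviewer would want surfaced (after-hours access, access to a patient with no documented treatment relationship, and bulk viewing of many distinct records in a short window). The log format, the CARE_TEAM table, the business hours and the thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the InfoGard deck): flag suspicious ePHI access in
an application audit log. Log format, care-team table, business hours and
thresholds are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: ISO timestamp, user, action, patient id.
SAMPLE_LOG = """\
2015-09-14T09:02:11 nurse.kim VIEW P1001
2015-09-14T09:05:40 nurse.kim VIEW P1002
2015-09-14T23:47:05 dr.lee VIEW P1003
2015-09-14T10:00:01 clerk.ray VIEW P1001
2015-09-14T10:00:09 clerk.ray VIEW P1002
2015-09-14T10:00:15 clerk.ray VIEW P1003
2015-09-14T10:00:22 clerk.ray VIEW P1004
2015-09-14T10:00:30 clerk.ray VIEW P1005
2015-09-14T10:00:41 clerk.ray VIEW P1006
2015-09-14T11:15:00 dr.lee VIEW P1001
"""

# Assumed care-team assignments: patient -> users with a treatment relationship.
# A patient missing from this table has no documented care team at all.
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.lee"},
    "P1002": {"nurse.kim"},
    "P1003": {"dr.lee"},
}

WORK_START, WORK_END = 7, 19        # assumed business hours (24h clock)
BULK_WINDOW = timedelta(minutes=5)  # assumed sliding window for bulk viewing
BULK_THRESHOLD = 5                  # distinct patients in window that trips an alert


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def find_suspicious(events):
    """Return (rule, user, detail) tuples for events matching any rule."""
    alerts = []
    recent = defaultdict(list)  # per-user events inside the bulk window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Rule 1: access outside business hours.
        if not WORK_START <= e["ts"].hour < WORK_END:
            alerts.append(("after_hours", e["user"], e["patient"]))
        # Rule 2: user is not on the patient's care team.
        if e["user"] not in CARE_TEAM.get(e["patient"], set()):
            alerts.append(("no_relationship", e["user"], e["patient"]))
        # Rule 3: many distinct patients viewed by one user in a short window.
        hist = recent[e["user"]]
        hist.append(e)
        while e["ts"] - hist[0]["ts"] > BULK_WINDOW:
            hist.pop(0)
        distinct = {h["patient"] for h in hist}
        if len(distinct) == BULK_THRESHOLD:  # fire once when the threshold is crossed
            alerts.append(("bulk_access", e["user"], len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log, nurse.kim generates no alerts, dr.lee's 23:47 view is flagged as after-hours, and clerk.ray is flagged both for having no relationship to any of the patients viewed and for crossing the bulk-viewing threshold on the fifth distinct record. In practice the care-team table would come from the scheduling or EHR system, and the rules would feed a ticketing or SIEM queue rather than stdout.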

STEP 8: Automation
Invest in automated systems.
- Save payroll costs.
- Cameras and auditing tools take out the human factor.
- Recording for forensics: if there is a breach, this can help the recovery process.

Step 9: Business Associates
Require a security risk assessment and risk management plan from every business associate. This is a great indicator of how serious a third party is about protecting PHI, as these are explicitly required by HIPAA. While the Omnibus rule places much more fiscal liability on subcontractors, the reputation of a covered entity can take many years to repair. When you end up on the breach list there is a risk of large staff turnover as individuals move to avoid damage to their own reputations.

Step 10: Mobile Devices
The HIPAA Security Rule also applies to mobile devices. This includes things like transmission security and encryption, auditing, access control, etc. A lost phone containing EPHI would be considered a breach. Consider having the organization provide cell phones and tablets.

Summary
1. Security Risk Assessment
2. Risk Management Plan
3. Gap Analysis
4. Train Staff
5. Network Protection
6. Contingency Planning
7. Monitor Access
8. Use Automation
9. Manage Business Associates
10. Manage Mobile Devices

Questions?
Submit questions about this presentation, HIPAA requirements or Security Risk Assessments to sra@infogard.com. InfoGard's technical staff will be answering the questions and posting the answers on InfoGard's Health IT blog throughout National Health IT Week. If you are interested in InfoGard's SRA services, contact sales@infogard.com.