Access to Electronic PHI Finding the Balance. Security, Convenience, and Usability

Speaker: Lassaad Fridhi, MS, Information Privacy & Security Officer, Commonwealth Care Alliance

Anatomy of Anthem's Massive Data Breach
TARGET: Anthem
TIME: Sometime before Wed, 2/04/2015
EXPLOIT: Compromised credentials used to access a database
IMPACT: Compromise of 80 million customers and employees (1 in 4 Americans)
WEAKNESS: Anthem did not take appropriate measures to encrypt its customers' data
COST: Unknown (definitely huge)
Caveat for practitioners: encryption at rest does not stop an attacker who holds valid database credentials, because the data is decrypted for any authorized query. Protecting credentials and limiting what each account can read (the authentication and access-control safeguards discussed later) matter at least as much as encryption in this kind of breach.

The Information Pyramid (from top to bottom): Wisdom/Judgment, Knowledge, Information (PHI, PI, etc.), Data

Poll Question 1 What does PHI stand for?

What Information Do We Care About?
Trade secrets (proprietary and confidential information): a secret device or technique used by a company, in the form of formulas, processes, and methods, used in its production or services.
Personally identifiable information (PII): any information used to identify, contact, or locate a single person, or to identify an individual in context.
Protected health information (PHI): any PII that can associate a person with the delivery of their health care.
Sensitive data: any of the above can be considered sensitive. Within PHI, HIV/AIDS information, alcohol and drug abuse information, etc. are considered even more confidential than other PHI.

The Sphere of Confidential Information (nested, from outermost to innermost): PII, PHI, Sensitive PHI

Poll Question 2 How often do you use PHI to perform your job duties?

What is Information Security? Information being free from danger or threat:
against unauthorized access, use, disclosure, disruption, modification, or destruction;
regardless of form (electronic, print, or other);
from internal or external threats.

Why secure information? To preserve its value, its C.I.A. must be protected:
Confidentiality, Integrity, Availability;
plus Accuracy, Authenticity, Utility, Possession.

Poll Question 3 Which major regulation (or part of) governs the security of protected health information (PHI)?

It's the Law(s)! In health care, most notably:
Health Insurance Portability and Accountability Act (HIPAA), 1996
Health Information Technology for Economic and Clinical Health (HITECH) Act, 2009
Omnibus HIPAA Rulemaking (Omnibus Rule), 2013

HIPAA: In general, the HIPAA rules prescribe who's covered, what's protected, and what's required. These two are concerned with confidentiality:
HIPAA Privacy Rule
HIPAA Security Rule

HIPAA Security Rule: Administrative Safeguards, Physical Safeguards, and Technical Safeguards (authentication, access control, etc.)

Over-Authentication and Password Exhaustion
6-8 passwords per employee within the organization, despite single sign-on (SSO) [1]
Plus an average of 17 passwords for personal use [2]
A total of about 25 passwords to manage
[1] Inglesant & Sasse, CHI 2010
[2] The 2014 Intermedia SMB Cloud Landscape Report

The Price of Password Exhaustion: On average, it takes 20 seconds to log into an application; that doesn't sound like much. But while each user stares at the login screen for 20 seconds, the employer is losing money (in productivity): $14K for 75 users, or $102K for 550 users.* Not to mention that when your password standards are too stringent, users end up working around them!
*The 2014 Intermedia SMB Cloud Landscape Report

Bad Authentication Costs Productivity! A frustrated user might:
stop using the technology;
return the equipment;
make repeated phone calls to the helpdesk;
leave the company.

Bad Input = Bad Results. Bad Security Measures = Bad Security Outcomes. Unhappy users will find risky workarounds to avoid security measures, which puts the company at risk of major security breaches.

5 Quality Components of Usability, as outlined by the Nielsen Norman Group (www.nngroup.com)

Poll Question 4 Define usability

Learnability How easy it is for users to accomplish basic tasks the first time they encounter the design.

Efficiency: Once users have learned the design, how quickly can they perform tasks?

Memorability: When users return to the design after a period of not using it, how easily can they reestablish proficiency?

Errors: How many errors do users make, how severe are these errors, and how easily can they recover from them?

Satisfaction How pleasant the design is to use.

Poll Question 5: There is an inherent tension between usability and security; unless it is eased, one is usually achieved at the expense of the other.

Zero-Sum Equation? SECURITY vs. USABILITY

Poll Question 6 Do you think your organization favors security over usability?

Don't Fool Yourself: for users, usability is their satisfaction, but security is an obstacle. So security becomes secondary!

A Battle and a Balance. According to Kaspersky: "A never-ending battle and a tricky balance. That's because, as one study points out, there is an inherent conflict of interest between users and system owners: the top priority for users is maximum ease of use, while the top priority for system owners is the security of their system."

Discover your users: know who they are, what they want, what they don't want, and what they like.

Discover more! Be the user for systems, applications, and processes. Understand what doesn't work and why. Find out why what you thought works for them actually doesn't!

Test, Test, and Test Some More: test your technology, test your users, test your security.

Poll Question 7 How likely do you think the balance between usability, security and efficiency can be achieved?

Partnership! Good security is always built on good usability: Usability, Efficiency, and Security together.

Prevent:
Conduct your risk analysis
Conduct your usability analysis
Do your security training
Do your technology education
Keep an open line of communication
Keep only the minimum necessary

Mitigate:
Address your risks
Deal with the security measures that are hurting usability
Update users on how security is doing (good or bad)
Find out if your users know your technology
No news does not always mean good news
If you can't get rid of it, build a fort around it!

Think outside the box:
Find the right technology
Apply hardened security in the right place
Adopt best practices (learn from others' mistakes)
Give ownership to the user and keep an eye on it!
Build a partnership with influential users
Recruit pioneers and champions

Create a balance! (Diagram: the ORGANIZATION and the USER joined by a cycle of Evaluate, Monitor, Test, Measure, Discover, Simplify, Prevent, and Predict, spanning Usability and Security.)

Thank you! Questions?