Driving Information Governance: Compliance, Security, and Privacy as a Base for Information Governance


Driving Information Governance: Compliance, Security, and Privacy as a Base for Information Governance
Kathy Downing, MA, RHIA, CHPS, PMP, Director, Practice Excellence, AHIMA. Twitter: HIPAAqueen #IGNOW

Objectives for this Webinar
  Discuss information governance as used in other industries
  Outline how the IG Principles of Compliance and Information Protection lay a framework for enterprise-wide information governance
  Identify links from security and privacy

Information Governance: Not just HealthCare
  MasterCard, Motorola, AutoTrader, McKesson, UBS

HIPAA Penalty Tiers Show the Importance of Information Governance

  Tier                                                             Each violation       All such violations per year
  Did not know (or by reasonable diligence would not have known)   $100 - $50,000       $1,500,000
  Reasonable cause                                                 $1,000 - $50,000     $1,500,000
  Willful neglect, corrected within 30 days                        $10,000 - $50,000    $1,500,000
  Willful neglect, not corrected                                   $50,000              $1,500,000

The Year of the HealthCare Hack
  St. Joseph Health System reports that as many as 405,000 records may have been compromised, but actual damage remains speculative.
  Massive breach at health care company Anthem Inc

HIPAA Breaches Reach 30M Patients; HIPAA data breaches climb 138 percent
  Information on 4.9 million Tricare Management Activity beneficiaries was stolen from a Science Applications International Corporation employee's car in 2011.
  This year, Complete Health Systems, based in Tennessee, reported that a network server was hacked and personal information was stolen, affecting 4.5 million people around the country.
  Illinois-based Advocate Health and Hospitals Corporation reported the theft of company computers, which impacted almost 4.03 million individuals in 2013.
  Health Net in California had a data breach in 2011 that affected 1.9 million people. In that case, IBM alerted Health Net that several unencrypted server hard drives were missing from a California-based data center.

Information Governance: How could it help?
  If your organization has a breach and patient information is not the target of the attack, there is still reputational damage and local concern.
  Information governance is an enterprise-wide effort to protect information, not just clinical information.

Insider Threat
  Consider the insider threat: malicious and accidental.
  Solution: trust and policy are not enough. Organizations must invest in security, risk, and information governance training and enforcement.

Analyze sensitive data:
  Discover and classify sensitive data and uncover compliance risks automatically
  Know who is accessing data, spot anomalies, and stop data loss with real-time data, application, and file activity monitoring
  Rapidly analyze data usage patterns to uncover and remediate risks

Ponemon Study on Cost of a Breach
Overall, the average cost of a data breach across all industries was $194 per record. The cost of a data breach in healthcare was $240 per record. Before we examine what makes up these costs, let's look at some of the financial impact of a data breach.

  Number of records   Cost
  1                   $240
  10                  $2,400
  100                 $24,000
  1,000               $240,000
  10,000              $2,400,000

Cost of a Breach (per Ponemon)
  Turnover of existing customers
  Diminished customer acquisition
  Detection and escalation costs
  Notification costs
  Post data breach costs

Protection
  Appropriate levels of protection from breach, corruption and loss must be provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection... Must address all sources and all media, and must apply throughout the life of the information.
  Source: AHIMA.ORG/INFOGOV

Security Roles and Information Governance
  Security Officers often focus efforts on: clinical data; electronic data
  Expansion of the security officer's role to Information Governance: involvement in business continuity and disaster recovery planning; involvement in access management

Exercise #1
  Does your organization have technical controls in place to safeguard information?
  Are technical controls defined, implemented and managed centrally?
  Are advanced controls and systems like encryption and master data management being evaluated and implemented?
  Is there a program of continuous monitoring, auditing, and improvement of technical safeguards?

OCR Audit Outcomes By Issue (pie chart)
  Slice values as extracted: 8%, 14%, 14%, 9%, 4%, 12%, 18%, 14%, 7%
  Issue categories: Risk Analysis; Access Management; Security Incident Procedures; Contingency Planning and Backups; Workstation Security; Media Movement and Destruction; Encryption; Audit Controls and Monitoring; Integrity Controls

Security Safeguards
  Administrative: administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
  Physical: physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
  Technical: the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

Risk Assessment and Information Governance
  Every organization handles confidential information. If a risk analysis is not conducted, then:
  How will you effectively know what the risks are to your information?
  How will you adequately determine if controls are implemented and appropriate?
  How will management and stakeholders make informed decisions?
  How will you establish an acceptable level of risk?

Assessment vs. Analysis
  Assessment: a judgment about something based on an understanding of the situation
  Analysis: the close examination of something in detail in order to draw conclusions from it

4 New Risk Assessment Factors (§ 164.402) [78 FR 5639]
  1. Nature and extent of PHI involved
  2. Unauthorized person who used the PHI or to whom it was disclosed
  3. Whether the PHI was actually acquired or used
  4. Extent to which the risk to the PHI has been mitigated

Relationships Surrounding Risk (cycle diagram, read in numbered order)
  Threat
  1. exploits or compromises a...
  Vulnerability or Gap
  2. which leads to a...
  Something Bad Happening
  3. that can damage an...
  Asset, Process or Capability
  4. and result in...
  RISK
  5. But this can be minimized by a...
  Control or Safeguard
  6. which protects against a...
  Threat (and the cycle repeats)

Using Infection As An Example

  Threat          Vulnerability   Impact      Control
  Germ            Mouth           Rash        Medication
  Bacteria        Nose            Infection   Hand washing
  Microorganism   Wounds          Disease     Surgery

Industry Recognized Risk Analysis Methodologies
  International Organization for Standardization (ISO) provides guidance in the ISO 27005 standard, which specifies a structured, systematic process for analyzing risks to create a risk treatment plan
  National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Guide for Conducting Risk Assessments, provides guidance for carrying out each of the steps in their risk analysis process
  Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) provides a standard approach for a risk-driven and practice-based information security evaluation

Information Governance for Mobile Devices
  Information Governance for mobile computing can include building security into the mobile applications.
  Are your nurses texting your physicians? How are they identifying patients? Do you offer encrypted texting options?

What Are Mobile Devices?
  Smart phones with personal computer-like functionality
  Laptops, netbooks and ultrabooks
  Tablet computers
  Universal Serial Bus (USB) devices (thumb drives)
  Digital cameras
  Radio frequency identification (RFID) devices
  Source: Mobile Device Security, 2013 AHIMA Convention, Brian Evans, CISSP, CISM, CISA, CGEIT

Greatest Data Protection Risks
  Only 19 percent say their organizations actually know how much regulated data is on mobile devices
  Source: The Risk of Regulated Data on Mobile Devices & in the Cloud, Ponemon Institute, June 2013

Mobile Device Threats
  Theft or physical loss
  Stored/synchronized data to a public cloud
  Inadvertent or maliciously leaked information
  Eavesdropped or intercepted communication
  Unauthorized access
  Unauthorized or unlicensed software
  Malware and malicious code
  Jailbreaking (Apple) or rooting (Android)

Ensure Minimum Security Requirements
  Use a password or other user authentication
  Keep security software up to date
  Install or enable encryption
  Install or activate wiping and/or remote disabling
  Disable and do not install file-sharing applications
  Install or enable a firewall
  Research mobile applications (apps) before downloading
  Maintain physical control of your mobile device
  Use VPNs to send or receive health information over public Wi-Fi networks
  Install or enable security software
  Delete all stored health information before discarding or reusing the mobile device
  Source: Office of the National Coordinator

Information Governance Mobile Device Policy
  Requires a cross-functional IG team
  Clarify how mobile devices are being used: EHR access; financial system access; email
  Consider legal and compliance issues
  Consider Mobile Device Management
  Develop your communications and training plan
  Update and fine-tune: this one can't stay on the shelf!

Mobile Device Management (MDM)
  An MDM solution would enforce certain security control settings on a personally-owned device to comply with organizational policy
  Concern: users may consider this unacceptable since it manages the entire device ("Once you become part of our network, we are going to apply our network policies to your device")
  A wipe or kill command could erase personal data
  MDM can control what apps are allowed on a device
  Some organizations have created their own app store

Privacy Roles and Information Governance
  HIPAA privacy rule, 2003: Privacy Officer / Privacy Official in place
  Time to expand this role outside of clinical information: enterprise-wide standards; enterprise-wide access; paper and electronic

OCR Audit Outcomes By Issue (pie chart)
  Slice values as extracted: 4%, 2%, 11%, 18%, 9%, 8%, 7%, 17%
  Issue categories: Business Associates; Identity Verification; Minimum Necessary; Authorizations; Deceased Individuals; Personal Representatives; Judicial and Administrative Procedures; Group Health Plan Requirements
  Source: ocr.gov

Exercise #2
  Has your organization fully implemented identity access management?
  Is access managed through a central process according to minimum necessary?
  Do you have access creep?

Breach Investigation Process
  Gather all the facts of the potential breach
  Document specifically who, when, where, why and how the situation occurred
  Identify those impacted and what PHI was potentially compromised
  Analyze and evaluate all the facts objectively to determine whether or not an impermissible access, use, or disclosure of PHI can be substantiated

Breach Investigation Process: More than just clinical
  Once a violation is substantiated, outline the mitigation, sanctions, education, and prevention remediation actions that will be taken
  Confirm your notification processes
  Document all actions and communications (internal and/or external)

Breach Response / Incident Management Process

Discovery and Report Workforce shall report any potential event that adversely affects the confidentiality, integrity, or availability of Institutional Information, regardless of form (electronic or paper).

Breach Response / Incident Management Team
  Chief Information Officer
  Chief Information Security Officer
  Chief Medical Information Officer
  Corporate Compliance Officer
  Director, Health Information & Privacy
  Director, Internal Audit
  Director, Office of Institutional Assurances
  Director, Risk Management
  General Counsel
  Hospital President
  SCRI President
  Research Integrity Officer
  VP Human Resources
  VP Marketing & Communications
  Leaders from affected departments

Information Governance & Social Media: Not just Facebook!
  Web publishing: blogs, wikispaces, microblogging (Twitter)
  Social networking: LinkedIn
  File sharing / storage: Google Drive, Dropbox, photo libraries

Biggest Risks of Social Media
  Lack of a social media policy: who can use social media; what they can state / discuss
  Training is key
  Employees: accidental or intentional
  Legal risks
  This risk is avoidable with an information governance policy, guidelines, and monitoring

IG Social Media Guideline Examples
  Specifies authorized individuals
  Clear distinctions between business and personal use of social media, and whether a person can use social media while at work
  Strictly forbids any profanity, or statements that could be defamatory or inflammatory
  Outlines sanctions
  Draws clear rules on use of company logos
  Instructs that employees shall not have an expectation of privacy when using social media for company purposes
  Outlines negative impact on brand

Social Media Will Be Governed According to Policy In Gartner's report from March of 2013 on the "Six Questions to Drive Records Management in Your Social Initiatives," it is clearly stated that social media content requires records management, just like all other content, but many organizations don't know how to create an effective management process. In 2015, more organizations will look to incorporate social media content in their policy definition and explore methods on enforcing the policy across the various systems.

Compliance Information practices and processes must comply with organization policies and all applicable laws, regulations, and standards.

Enhance IG Awareness and Training
Ensure users know what NOT to do:
  Share passwords or user credentials
  Allow the use of mobile devices by unauthorized users
  Store or send unencrypted confidential information
  Ignore security software updates
  Download applications from untrusted sources
  Leave mobile devices unattended
  Use unsecured Wi-Fi networks for sharing confidential information
  Discard devices without wiping all confidential information
  Ignore organizational policies and procedures
  Source: Office of the National Coordinator

Valuation of Information Assets Information is being created at a pace faster than organizations can analyze and extract value from it, which means that the potential value of the information may be far greater than the actual value an organization is able to derive. Organizations simply cannot afford to ignore the value of their information assets.

New Leaders Will Continue to Emerge / The Evolution of the Privacy, Security, and Compliance Officer In the last few years, there has been a tremendous uptick in the creation of information governance steering committees; however, there is still a need for an executive in each organization to drive the information governance initiative across their company. This executive must have the authority (and oversight) to manage the program.

Workforce Awareness
  Formal IG training
  Awareness program
  Monitoring and accountability
  Regulatory and legal response

Compliance Expanded
  Information assets inventory
  Information asset classification
  Total cost of ownership
  Managed inventory of information
  Patient information request response

Wrap Up
  Compliance + Privacy + Security = Chief Information Governance Officer

Resources
  The Final HITECH Omnibus Rule (January 25, 2013): http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
  Combined HIPAA/Omnibus Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
  U.S. Department of Health and Human Services, Office for Civil Rights: HIPAA Administrative Simplification, 45 CFR Parts 160, 162, and 164
  Information Governance, 2014. Robert F. Smallwood

IG PulseRate: a quick check into your organization's IG maturity
  Free instant assessment of the maturity level of IG in your organization, available at www.igiq.com
  Review and rate the key success measures that impact organizational IG maturity
  Evaluate your organization's strengths and help identify weaknesses that may be impeding your organization's path to enterprise information governance

Driving IG for HealthCare: Recommended Reading
  AHIMA. Information Governance Principles for Healthcare 2014. Chicago, IL: AHIMA, 2014. Available at: www.ahima.org/infogov
  ARMA International. Generally Accepted Recordkeeping Principles. ARMA International, 2013. Available at www.arma.org
  Cohasset Associates and AHIMA. A Call to Adopt Information Governance Practices: 2014 Information Governance in Healthcare. Minneapolis, MN: Cohasset Associates, 2015.
  Cohasset Associates and AHIMA. Professional Readiness and Opportunity: 2015 Information Governance in Healthcare. Minneapolis, MN: Cohasset Associates, 2015.
  Kloss, Linda, MA, RHIA, FAHIMA. Implementing Health Information Governance, 2015.
  Johns, Merida L., PhD, RHIA. Enterprise Health Information Management and Data Governance, 2015.
  The Information Governance Initiative. The Information Governance Initiative Annual Report, 2014 and 2015. New York, NY. www.iginitiative.com
  The Joint Commission. Information Management (IM) Chapter, Comprehensive Accreditation Manual for Hospitals, 2014. Oakbrook Terrace, IL: The Joint Commission, 2014, pp. IM-1 to IM-10.
  The Sedona Conference. Commentary on Information Governance. The Sedona Conference Working Group Series. A project of The Sedona Conference Working Group on Electronic Document Retention and Production (WGI).