AHLA. C. Big Data, Cloud Computing and the New World Order for Health Care Privacy




AHLA
C. Big Data, Cloud Computing and the New World Order for Health Care Privacy

Marti Arvin, Chief Compliance Officer, UCLA David Geffen School of Medicine, Los Angeles, CA
Kirk J. Nahra, Wiley Rein LLP, Washington, DC

Legal Issues Affecting Academic Medical Centers and Other Teaching Institutions
January 22-23, 2015

Cybersecurity and Cloud Services Compliance Considerations

AHLA AMC Conference, January 2015, Washington, DC
Marti Arvin, CHC-F, CCEP-F, CHPC, CHRC
Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine
MArvin@mednet.ucla.edu

Overview

Are you in the cloud?

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Benefits of Cloud Computing

For many healthcare organizations, cloud computing has become essential for planning and performance. It can be used for everything from storing emails and personal photos, to research collaboration and business continuity planning. It allows an organization to be extremely flexible by allocating computing resources on demand, and makes it possible to data mine large amounts of data in a short period of time. Hosting data with an external cloud vendor means that an organization doesn't have to support the infrastructure necessary to gain all of the benefits of the cloud. This can lead to a reduction in cost and improved system performance and reliability.

Are you in the cloud?

Even if you think you are not, you probably are

- Tech savvy users
- IT staff
- Students, residents, fellows
- Researchers eager to collaborate
- Mobile device backup
- iCloud: are you using it for more than Find My iPhone?
- Vendors, contractors and other third parties

Are you thinking about being in the cloud?

Cloud Technology

- Have a formal approach for evaluating new hardware and software in your environment
- Perform a formal HIPAA Security Assessment of potential cloud vendors that includes an analysis of security at the following four (4) OSI Layers:
  - Application
  - Presentation (Encryption and decryption)
  - Network
  - Physical (Server)

Are you thinking about being in the cloud?

Specific Requirements

- HIPAA Business Associate Agreement (BAA)
- Enterprise Single Sign-On (SSO)
- Two Factor Authentication
- Data Encryption (256-bit AES) in transit and at rest
- Review of vendor business continuity plan & testing, to include:
  - Cloud Provider Backup and Retention Plan
  - Information Technology Penetration Test (Pen-Test)

So now you have the agreement with the cloud vendor

Have a (fully tested) process in place for conducting investigations when an event does occur. An effective security investigation is similar to the incident response process, and many cases will be conducted concurrently with your recovery actions:

- Preparation
  - Acquire the necessary tools and training
  - Develop investigation policies and procedures
  - Determine your evidence collection requirements and establish a policy for secure storage and handling of potential evidence
  - Coordinate with Legal & HR to ensure complete transparency
- Investigation
  - Collect evidence from various sources
  - Transport and secure evidence (Be mindful of the Chain of Custody)
  - Examine the evidence and analyze the results
- Presentation
  - Present your investigation methodology, the results of your analysis, and your conclusions

So now you have the agreement with the cloud vendor

Privacy Considerations with PHI in the Cloud

- Is it part of your Designated Record Set?
- Patient access and amendment
- When can information be downloaded and stored locally?
- When can your users invite third-parties to collaborate or access PHI in the cloud?
- Minimum necessary
- Verification of identity and authority
- Accounting of disclosures implications
- Are there tools for monitoring appropriateness of access to PHI in the cloud?

Possible Use Cases

If you can think it, your users might be doing it or want to!

- External collaboration projects
- Incoming patient data uploads
- Outside records sent in advance of a consult
- Images or photos
- Teleworking
- Replacement for sending files by e-mail
