MEANINGFUL USE & RISK ASSESSMENT

MEANINGFUL USE & RISK ASSESSMENT
Montana HIMSS 2013 Spring Convention
Presented by John Whalen, CISSP, CISA, CRISC

Contents
1. What are we protecting?
2. In what ways are we protecting it?
3. What is Meaningful Use asking for?
4. In what ways is Meaningful Use asking?
5. Practically speaking

Key objectives
Understanding CIA
Defining Risk Assessment
Building Governance

ePHI: the crown jewels
Financial Medical Identity Theft: Someone is getting medical help using your name and/or other information.
Criminal Medical Identity Theft: You are being held responsible for the actions of another person's criminal behavior.
Government Benefit Fraud: Your medical benefits are being used by another person.

It's all about the money
A major challenge for IT security is the increase in criminal attacks, which rose from 20 percent of breaches in 2010 to 33 percent this year.

2013 breaches (Identity Theft Resource Center)
All sectors: # of breaches YTD: 204; # of records exposed YTD: 44 million
Healthcare: # of breaches YTD: 94; # of records exposed YTD: 1.5 million

2012 Breaches: top 3 causes
Lost or stolen computing device
Employee mistakes or unintentional actions
Third-party snafus
Fifty-two percent discovered the data breach as a result of an audit or assessment, followed by employees detecting the breach.

Hacked!
1. Please consider the ramifications.
2. What would this breach cost your hospital/clinic?

2012 Breaches: Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah breach stands as the 9th largest data breach ever reported to the HHS.

2012 Breaches: The South Carolina Department of Health and Human Services reported a data breach that started in January when an employee compiled data on more than 228,000 people and transmitted it to a private email account.

2013 Hospital breaches (Identity Theft Resource Center)
South Shore Medical Center
Wayne Memorial Hospital
St. Mark's Medical Center
Tallahassee Memorial HealthCare
Upstate University Hospital
John J. Pershing VA Medical Center
South Miami Hospital
Mount Sinai Medical Center
Brookdale University Hospital and Medical Center
Adventist Health System
Glens Falls Hospital
Saint Francis Hospital
University of Mississippi Medical Center
Baptist Health - South Miami Hospital
Samaritan Hospital
Froedtert Hospital
Boca Raton Regional Hospital

2012 Hospital breaches (Identity Theft Resource Center)
Oregon State Hospital
Emory University Hospital
North Shore-Long Island Jewish Health System
Memorial Healthcare System
Thomas Jefferson University Hospitals
University of Arkansas Medical Sciences
St. Joseph's Medical Center
St. Elizabeth's Medical Center
Sequoia Hospital
Ohio State University Medical Center
Howard University Hospital
Robley Rex VA Medical Center
Medical College of Georgia
Kern Medical Center
Hackensack University Medical Center

2011 Hospital breaches (Identity Theft Resource Center)
Swedish Medical Center
Boulder Community Hospital
Mount Sinai Hospital
Texas Presbyterian Hospital
Wake Forest Medical Center
Loyola University Medical Center
Provena Covenant Medical Center
Methodist Charlton Medical Center
Reid Hospital
UMass Memorial Healthcare
Fairview Southdale Hospital
Jacobi Medical Center
Trinity Medical Center
Barnes Jewish Hospital
Brigham and Women's Hospital
Nyack Hospital
Gunhill Medical Center
North Central Bronx Hospital
Tremont Health Center
Texas Children's Hospital
Saint Francis Broken Arrow Hospital
Henry Ford Health System
Charleston Area Medical Center
VA Medical Centers in Akron, OH, Portland, OR and Lexington, KY
Beth Israel Deaconess Medical Center
Dekalb Medical Center
Troy Regional Medical Center

Hospital breaches: types
Computer hackers through public website
Lost or stolen paper medical records
Lost or stolen laptops with ePHI
Stolen workstations
Stolen thumb drives
Stolen hard drives
Computer hackers through viruses
PHI stolen by employee
Lost backup tapes
Shared workstation breached
Improper disposal of paper medical records

Increase in data breaches
Paper records to digital: a less stable environment
Push to digitize
Outsourcing of data processing to cloud providers
Increase in mobile devices used to conduct business

Negative impact of breach
Survey question: What best describes the negative impact of breaches you experienced? Check all that apply.
Brand or reputation diminishment: 78%
Time and productivity loss: 81%
Loss of patient goodwill: 75%
Loss of revenues: 41%
Cost of outside consultants and lawyers: 40%
Fines and penalties paid to regulators: 26%
Lawsuits: 19%
Poor employee morale: 15%
No impact: 16%

Per-record cost of a healthcare breach: $240

Breach cost breakdown
Legal fees
Consumer notifications
Credit monitoring services
Decreased patient retention
Decreased patient acquisition

Patient churn
4.2%: estimated percentage of customers who will terminate their relationship as a result of the breach incident.
$113,400: estimated average lifetime value of one lost patient.

The CIA Triad
Confidentiality prevents unauthorized disclosure of sensitive information.
Integrity prevents unauthorized modification of sensitive information.
Availability prevents disruption of service and productivity.

Meaningful Use
HIPAA: privacy & security of patient info
HITECH: breach notification, penalties, legal remedies
Meaningful Use: protect patient info, conduct security assessment
Risk assessment: determine potential risks, document current state, discover vulnerabilities
Baseline & roadmap
Mitigate: put controls in place.

164.304 Administrative Safeguards
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI, and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

Core Set Objective #14
Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

164.308 Administrative safeguards.
(a) A covered entity must, in accordance with 164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

164.308 Administrative safeguards (cont.)
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

For reference: 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.

Beyond technical: Top 4
1. Risk assessment
2. Business continuity and disaster recovery
3. Policies
4. Security awareness training

It's all about risk!
Is $100,000 expensive?
Is a long password too much to ask?
Is a security policy too much trouble?

What's your appetite for risk?

The Risk Executive Function
Provides senior leadership input and oversight
Integrates security organization-wide
Risk-based protection strategies beyond single systems
Visibility into mission/business processes and systems

Risk-Based Protection Strategies
Identifying
Understanding
Mitigating
Explicitly accepting residual risk

Risk Analysis
Risk analysis is a tool to:
Identify the company's assets
Calculate their values
Identify vulnerabilities
Estimate the threats and associated risks
Assess the impact on the company if threat agents took advantage of current vulnerabilities

Risk assessment
Gather stakeholders
Analyze risk:
Hospital assets
Potential threats
Likelihood of threats acting against assets

What is a security assessment?
Baseline
Roadmap

Think home inspection.

Ethical hackers
Same tools as the hackers use
An audit perspective

Assessment phases
External vulnerability testing
Internal testing
Interviews
Review of policies
Wireless, passwords, physical security
Remote offices visited

Deliverable
Executive summary
Tools and methodology
Rating criteria: managerial and operational, technical, physical, HIPAA-readiness
Technical reports

Risk matrix (one row per finding): Vulnerability | Risk rating | Difficulty rating | Description | Action plan

Next steps
Risk assessment: an internal effort to determine what is at risk. Gives context for security costs, disaster recovery and business continuity.
Security assessment: use an independent team.
Discover vulnerabilities
Prioritize vulnerabilities according to risk to your hospital / clinic
Fix the holes in security
Test again
Ongoing: submit your hospital to an infosec audit regime as you do with ongoing financial audits.
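The risk matrix and the "prioritize according to risk" step above can be turned into a repeatable calculation. The following is an added example, not code from the presentation: it scores each finding as likelihood x impact, estimates dollar exposure from the deck's own figures ($240 per record, 4.2% churn, $113,400 lifetime value), and orders the action plan highest risk first with the easiest fix first on ties. The impact cut-offs, the one-record-per-patient assumption, and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Figures taken from the deck's breach-cost slides.
PER_RECORD_COST = 240          # per-record cost of a healthcare breach
CHURN_RATE = 0.042             # share of patients expected to leave after a breach
LIFETIME_VALUE = 113_400       # average lifetime value of one lost patient


def breach_exposure(records_exposed: int) -> int:
    """Estimated dollar exposure if this many ePHI records are breached.
    Assumes one record per patient, so the same count drives churn loss."""
    direct_cost = records_exposed * PER_RECORD_COST
    lost_patients = round(records_exposed * CHURN_RATE)
    return direct_cost + lost_patients * LIFETIME_VALUE


@dataclass
class Finding:
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain); assessor's estimate
    records_exposed: int   # ePHI records reachable if the weakness is exploited
    difficulty: int        # 1 (quick fix) .. 5 (major project)
    action_plan: str


def impact_score(records_exposed: int, total_records: int) -> int:
    """Map the share of the EMR that is exposed onto a 1..5 impact scale.
    The cut-offs are constructed for this example, not taken from the deck."""
    share = records_exposed / total_records
    return 1 + sum(share > cutoff for cutoff in (0.01, 0.10, 0.25, 0.50))


def risk_rating(finding: Finding, total_records: int) -> int:
    """Classic risk-matrix score: likelihood x impact, range 1..25."""
    return finding.likelihood * impact_score(finding.records_exposed, total_records)


def action_plan(findings: list, total_records: int) -> list:
    """Rank findings highest risk first; on equal risk, easiest fix first.
    Each row: (vulnerability, risk rating, difficulty, exposure in dollars, action)."""
    ranked = sorted(findings, key=lambda f: (-risk_rating(f, total_records), f.difficulty))
    return [(f.vulnerability, risk_rating(f, total_records), f.difficulty,
             breach_exposure(f.records_exposed), f.action_plan) for f in ranked]


# Constructed sample findings for a hypothetical 100,000-record EMR.
TOTAL_RECORDS = 100_000
SAMPLE_FINDINGS = [
    Finding("Unencrypted laptops holding ePHI", 4, 25_000, 2, "Deploy full-disk encryption; inventory devices"),
    Finding("Shared workstation without screen lock", 5, 2_000, 1, "Enforce auto-lock and per-user logins"),
    Finding("Public web server missing patches", 3, 100_000, 3, "Patch, then re-test externally"),
    Finding("Backup tapes shipped unencrypted", 2, 100_000, 2, "Encrypt backups; log chain of custody"),
]

if __name__ == "__main__":
    for row in action_plan(SAMPLE_FINDINGS, TOTAL_RECORDS):
        print(f"risk {row[1]:>2}  difficulty {row[2]}  exposure ${row[3]:>12,}  {row[0]}: {row[4]}")
```

Note that the two findings with a full-database exposure do not land at the top: likelihood and ease of remediation move the ranking, which is exactly the judgement the risk matrix is meant to capture.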

BCP: NIST 800-34
Sustaining an organization's mission/business processes during and after a disruption.

BCP: NIST 800-34
1. Develop the contingency planning policy statement.
2. Conduct the business impact analysis (BIA).
3. Identify preventive controls.
4. Create contingency strategies.
5. Develop an information system contingency plan.
6. Ensure plan testing, training, and exercises.
7. Ensure plan maintenance.

Key Policies
Internet use
Remote access
Removable media
Encryption
Data classification
Vendor management, business associate agreements
Termination

Security Awareness Training: NIST 800-50
A needs assessment has been conducted.
A strategy has been developed.
An awareness and training program plan for implementing that strategy has been completed.
Awareness and training material has been developed.

Success Indicators
Sufficient funding to implement the agreed-upon strategy.
Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy.
Support for broad distribution and posting of security awareness items.
Executive/senior level messages to staff regarding security.
Use of metrics.

Success Indicators (cont.)
Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file.
Level of attendance at mandatory security forums/briefings.
Recognition of security contributions.
Motivation demonstrated by those playing key roles in managing/coordinating the security program.

Hack: Hyundai Capital
South Korea's largest consumer-finance company
Hack occurred April 2011
According to the CEO, the biggest mistake was treating the IT department as simply one of many units that helped the company get its main job done.
Today he treats security as central to everything the company does.
Now the new IT security group reports directly to the CEO.
From the Wall Street Journal, 6/21/11

CEO Ted Chung: What I learned from the hack
1. Trust the authorities
2. Stay open and transparent
3. Learn IT and know where the vulnerabilities are
4. Create a philosophy that drives IT decisions
5. Reassess plans for products and services
How things look and how they work is now secondary. Security is now first.
From the Wall Street Journal, 6/21/11

Calculate your risk: multiply the number of records in the EMR by $240.

Thank you! Have a great conference!