THE FUNDAMENTALS OF HIPAA PRIVACY & SECURITY RISK MANAGEMENT
The journey toward compliance
WHY IT’S SO IMPORTANT
• Federal Requirement
  (Alabama is one of only 4 states without additional State-mandated breach notification legislation)
• Changing Patient Environment
• Changing Technology Environment
• Practice Exposure due to a Breach
  - Reputational
  - Financial
  - Operational
FEDERAL REQUIREMENT
The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule and for assuring compliance with the Rule (45 C.F.R. 164.302 – 318).
The Security Management Process standard in the Security Rule requires organizations to:
“[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. 164.308(a)(1).)
FEDERAL REQUIREMENT (cont.)
All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule.
The Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).)
• An addressable implementation specification is not optional. If an organization determines that the specification is not reasonable and appropriate in its environment, it must document why, and it must adopt an equivalent alternative measure if one is reasonable and appropriate. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. 164.306(d)(3).)
• A security risk analysis is also a Meaningful Use Core Set requirement.
CHANGING PATIENT ENVIRONMENT
The engagement of patients and their families in their own health care is a prominent goal of the CMS Incentive Program (Meaningful Use).
- Greater acceptance by patients of electronically sharing medical information among multiple providers & care settings to improve care coordination & adherence to care plans
- Increased awareness by patients of their right to timely access to their health information
CHANGING TECHNOLOGY ENVIRONMENT
81% of organizations permit employees & medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or enterprise systems such as email.
PACE OF CHANGE ACCELERATING
1. The Internet eclipsed all earlier technologies in pace of adoption. Consider:
  - Radio: in existence 38 yrs before 50M people tuned in
  - TV: took 13 yrs to reach 50M viewers
  - PCs: needed 16 yrs to hit 50M users
  - Internet: 50M users logged on within 4 yrs
  (current estimate is 2B users worldwide, as high as 78.6% of the population of N. America)
2. The 2nd wave of innovation came in 2007 with the introduction of the iPhone:
  - 42M smartphones were sold in the 4th Qtr of 2012
  - 1M iPhone apps on the market (18,000 of them health & wellness apps)
PRACTICE EXPOSURES
Since 2009, as published by CMS:
• 477 breaches reported affecting > 500 people’s records
• 55,000 breaches reported involving < 500 people’s records
• together representing 20,970,222 people’s records
• 6 health care organizations reported security breaches of > 1M records (TriCare’s breach alone involved 4.9M records)
Summary of other key research findings:
• The vast majority of healthcare organizations have had at least one data breach in the past two years
• The economic impact can exceed $1 million (man-hours to resolve incidents, fines, legal fees, credit monitoring fees, etc.)
• Insider negligence (employee carelessness) continues to be at the root of most data breaches
• Patient identity theft is growing, involving both medical & financial information
WHERE ARE THE RISKS?
Example incidents:
• Stolen laptop (1.9M records)
• Hard drive went missing (1.22M records)
• External drive stolen (1.02M records)
• Data backup tapes lost (1.05M records)
• Network server hacked (31,700 records)
Types of breaches (chart):
• Theft: 54%
• Unauthorized access: 20%
• Lost records/devices: 11%
• Hacking: 6%
• Improper disposal: 5%
• Other: 4%
FROM THE RULE
Conduct or review a security risk analysis, implement security updates as necessary, and correct identified security deficiencies as part of the organization’s risk management process.
Since practices vary in technical sophistication and security capability, the Rule is designed to be flexible & scalable.
FLEXIBLE AND SCALABLE (as some practices read it)
“That’s me!”
Flexible: “I’ll do it whenever.”
Scalable: “I’ll just assess my EMR (which is already certified, right??)”
CONSEQUENCES
• Overly flexible (“whenever”): Willful Neglect → Potential Breach
• Overly simplified (“just my EMR”):
  - Must identify the internal and external areas of the practice that store, use or transmit PHI, not just your EMR or EHR
  - Must protect the confidentiality, integrity & availability of ePHI
CLINICAL RISK MANAGEMENT
THE PERFECT ANALOGY
• Focused on identifying adverse events (clinical risks), prevention &
control
• Uses root cause analysis – systemic causal factors
• Develop corrective action plans
• Devise risk reduction strategies
• Training
THE ELEMENTS OF A PRIVACY AND SECURITY RISK MANAGEMENT PROCESS
Risk Assessment & Analysis
(against controls defined in HIPAA)
Evaluating risk to the confidentiality, availability or integrity of PHI
(determine vulnerability for gaps in compliance)
Develop a Remediation Plan
(close the gaps)
Create Evidence
(training, policy and procedure documentation, track risk
mitigation activities, etc.)
Monitor Effectiveness of Controls and Periodic Review
(Ongoing Risk Management process)
RISK ANALYSIS
Numerous methods of performing risk analysis are available.
• None “guarantee” compliance.
Ultimately, risk is a function of:
- the likelihood of a given threat triggering or exploiting a particular vulnerability (a gap in compliance requirements), and
- the anticipated impact on the organization (usually rated high, medium or low).
Risk is not a single factor or event, but rather a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
FUNDAMENTAL STEPS IN RISK ANALYSIS
- Identify the scope of the analysis (any resource used to create, receive, maintain or transmit PHI)
- Gather data (inventories)
- Assess current security measures against required controls and standards (ad hoc, in place, or non-existent)
- Determine the level of risk (likelihood of threat occurrence and potential impact)
- Identify security gaps to be remediated to minimize risks, and document the analysis (remediation plan)
1ST STEP TOWARD COMPLIANCE
The first step in an organization’s Security Rule compliance efforts: develop an ongoing risk management process that provides the organization with a detailed understanding of the risks to the confidentiality, integrity, & availability of e-PHI.
RISK ANALYSIS: DEVELOPING A REMEDIATION WORK PLAN TO MANAGE RISK
1. Utilize the highest-rated (priority) risks identified in the risk analysis to develop an Initial Remediation Work Plan, a blueprint of projects that define ongoing risk mitigation efforts
2. Institute a disciplined Project Management Process in order to assure that progress is tracked and achieved on remediation efforts and to demonstrate an ongoing risk management process
Documentation, Documentation, Documentation!!!!
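The risk analysis and remediation-plan steps above, as an added example that is not part of the original deck: a small risk register that scores each threat/vulnerability pair against a resource handling ePHI on the deck's high/medium/low scale, ranks the findings, and turns the open ones into a prioritized work plan. It also enforces the "addressable is not optional" rule from the Federal Requirement slides: an addressable specification may only be declined with a documented rationale and an equivalent measure, and a required one cannot be declined at all. The resources, specification labels, ratings and decisions are constructed for illustration, not taken from any real assessment.

```python
"""Toy risk register for a HIPAA security risk analysis (added example).

Scores threat/vulnerability pairs against resources that handle ePHI,
ranks them, and emits a remediation work plan. All findings, spec labels
and decisions below are constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative scale used on the slides: high / medium / low.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    """One threat exploiting one vulnerability (compliance gap) on one resource."""
    resource: str        # in scope: creates, receives, maintains or transmits ePHI
    threat: str
    vulnerability: str   # the gap in compliance
    spec: str            # implementation specification the gap maps to (constructed label)
    addressable: bool    # True for an "addressable" spec, False for "required"
    control_status: str  # "in-place", "ad hoc" or "non-existent"
    likelihood: str      # key of LEVELS
    impact: str          # key of LEVELS

    def score(self) -> int:
        """Risk = likelihood x impact on the 1..3 scale, giving 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def risk_level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def rank_findings(findings):
    """Highest-rated risks first; ties broken by impact, then by resource name."""
    return sorted(findings, key=lambda f: (-f.score(), -LEVELS[f.impact], f.resource))


def remediation_plan(findings, decisions):
    """Build work-plan entries from the ranked findings.

    `decisions` maps a spec name to {"reasonable": bool, "rationale": str,
    "alternative": str} for addressable specs the practice has decided not
    to implement as written. An addressable spec is never simply skipped:
    either it is implemented, or the decision carries a documented rationale
    and an equivalent alternative measure. Required specs get no such choice.
    """
    plan = []
    for f in rank_findings(findings):
        if f.control_status == "in-place":
            continue  # no gap to close; evidence for the control lives elsewhere
        entry = {"priority": f.risk_level(), "score": f.score(),
                 "resource": f.resource, "spec": f.spec,
                 "action": f"implement {f.spec}"}
        d = decisions.get(f.spec)
        if d is not None and not d.get("reasonable", True):
            if not f.addressable:
                raise ValueError(f"{f.spec}: a required spec cannot be declined")
            if not d.get("rationale") or not d.get("alternative"):
                raise ValueError(f"{f.spec}: addressable spec declined without "
                                 "a documented rationale and equivalent measure")
            entry["action"] = f"document rationale; implement {d['alternative']}"
            entry["rationale"] = d["rationale"]
        plan.append(entry)
    return plan


# Constructed sample inventory, not real findings.
SAMPLE_FINDINGS = [
    Finding("clinician laptops", "theft of device", "disks not encrypted",
            "encryption and decryption", True, "non-existent", "high", "high"),
    Finding("EHR server", "external attacker", "audit logs never reviewed",
            "audit controls", False, "ad hoc", "medium", "high"),
    Finding("backup tapes", "loss in transit", "no chain-of-custody record",
            "device and media controls", False, "ad hoc", "medium", "medium"),
    Finding("front-desk workstation", "shoulder surfing",
            "screen faces lobby (privacy filter installed)",
            "workstation security", False, "in-place", "low", "low"),
]

# Constructed decision: the practice judged full-disk encryption not reasonable
# for two legacy imaging laptops and chose an equivalent measure instead.
SAMPLE_DECISIONS = {
    "encryption and decryption": {
        "reasonable": False,
        "rationale": "legacy imaging laptops cannot run the encryption client",
        "alternative": "remove all ePHI from those laptops; thin-client access only",
    },
}


if __name__ == "__main__":
    for e in remediation_plan(SAMPLE_FINDINGS, SAMPLE_DECISIONS):
        print(f"[{e['priority']:6}] {e['resource']}: {e['action']}")
```

The plan is ordered by score, so the stolen-laptop scenario the deck's breach statistics keep returning to lands at the top, and the in-place workstation control produces no work item. The two `ValueError` paths are the point: a practice cannot quietly drop an addressable specification, and the "required" ones never enter the decision table.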
EXECUTING A WORK PLAN
- Assign a Project Manager to be in charge of each risk remediation project
- Customize/develop & document policies and procedures
- Establish Review & Monitoring Procedures
- Develop & help execute implementation plans (contingency plan, disaster recovery plan, workforce training plan, etc.)
- Coach & train personnel on new or revised policies, procedures and plans
- Revisit what was done & do it all again!
- Continue Review & Monitoring Procedures
REMEDIATION REQUIRED
Conduct or review a security risk analysis
AND Implement security updates as
necessary
AND Correct identified security deficiencies
as part of its risk management process
RISK MANAGEMENT: A JOURNEY, NOT A PROJECT
Not a static event:
• Ongoing evaluation & monitoring
• Outputs of a risk assessment & analysis are the inputs to the ongoing risk management program
GOAL: Reasonable & appropriate risk mitigation actions that assure the confidentiality and security of PHI
CULTURE OF SECURITY AWARENESS
- Leadership
- Knowledge & understanding of HIPAA Privacy & Security and HITECH Act requirements
- Implement changes based on credible threats & obvious vulnerabilities
- Training: onboarding, annual and supplemental
- Vigilance: ongoing reassessment, upgrading, updating
VALUE OF SECURITY AWARENESS
a) What is in it for me?
b) What is in it for my people?
c) What is in it for my practice?
THE RISK OF DOING NOTHING
Recent CMS announcement:
- Approx. 1 out of 20 practices (5%) that attested to Meaningful Use will be audited for compliance
- Both pre-payment and post-payment audits
OCR perspective:
- Audit eligible = all covered entities & their business associates
Harm to patients, potential fines, civil suits in the event of a breach, costs to mitigate an incident, loss of patients, reputation!
CONTACT:
KeySys Health, LLC
Susan Pretnar, President
4268 Cahaba Heights Court, Suite 190
Vestavia, AL 35243
www.keysyshealth.com
spretnar@keysyshealth.com
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
 
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort ServiceCollege Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
 
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
 
Russian Call Girls in Pune Riya 9907093804 Short 1500 Night 6000 Best call gi...
Russian Call Girls in Pune Riya 9907093804 Short 1500 Night 6000 Best call gi...Russian Call Girls in Pune Riya 9907093804 Short 1500 Night 6000 Best call gi...
Russian Call Girls in Pune Riya 9907093804 Short 1500 Night 6000 Best call gi...
 
Call Girls Whitefield Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Whitefield Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Whitefield Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Whitefield Just Call 7001305949 Top Class Call Girl Service Available
 
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service ChennaiCall Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
 

The Fundamentals of HIPAA Privacy & Security Risk Management

  • 6. CHANGING TECHNOLOGY ENVIRONMENT
    81% of organizations permit employees & medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or enterprise systems such as email.
  • 7. PACE OF CHANGE ACCELERATING
    1. The Internet eclipsed all technologies in pace of adoption. Consider:
       - Radio: in existence 38 yrs before 50M people tuned in
       - TV: took 13 yrs to reach 50M viewers
       - PCs: needed 16 yrs to hit 50M users
       - Internet: 50M users logged on in 4 yrs (current estimate is 2B users worldwide, as high as 78.6% of the population of N. America)
    2. The 2nd wave of innovation came in 2007 with the introduction of the iPhone
       - 42M smartphones were sold in the 4th Qtr of 2012
       - 1M iPhone apps on the market (18,000 health & wellness apps)
  • 8. PRACTICE EXPOSURES
    Since 2009, as published by HHS:
    - 477 breaches reported affecting > 500 people's records
    - 55,000 breaches reported involving < 500 people's records
    - representing 20,970,222 people's records
    - 6 health care organizations reported security breaches of 1M+ records (TRICARE's breach alone involved 4.9M records)
    Summary of other key research findings:
    - The vast majority of healthcare organizations have had at least one data breach in the past two years
    - The economic impact can exceed $1 million (man hours to resolve incidents, fines, legal, credit monitoring fees, etc.)
    - Insider negligence continues to be at the root of most data breaches: employee carelessness
    - Patient identity theft is growing, involving both medical & financial information
  • 9. WHERE ARE THE RISKS?
    Reported incidents:
    - Stolen laptop (1.9M records)
    - Hard drive went missing (1.22M records)
    - External drive stolen (1.02M records)
    - Data backup tapes lost (1.05M records)
    - Network server hacked (31,700 records)
    Types of breaches (chart):
    - theft 54%
    - unauthorized access 20%
    - lost records/devices 11%
    - hacking 6%
    - improper disposal 5%
    - other 4%
  • 10. FROM THE RULE
    Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
    Since practices vary in terms of technical sophistication and security capabilities, the Rule is designed to be flexible & scalable.
  • 11. FLEXIBLE AND SCALABLE
    "That's me!"
    Flexible: "I'll do it whenever"
    Scalable: "I'll just assess my EMR (which is already certified, right??)"
  • 12. CONSEQUENCES
    Overly flexible leads to willful neglect; overly simplified leads to a potential breach.
    - Must identify: internal and external areas of the practice that store, use or transmit PHI, not just your EMR or EHR
    - Must protect: confidentiality, integrity & availability of ePHI
  • 13. CLINICAL RISK MANAGEMENT: THE PERFECT ANALOGY
    - Focused on identifying adverse events (clinical risks), prevention & control
    - Uses root cause analysis (systemic causal factors)
    - Develop corrective action plans
    - Devise risk reduction strategies
    - Training
  • 14. THE ELEMENTS OF A PRIVACY AND SECURITY RISK MANAGEMENT PROCESS
    - Risk assessment & analysis (against controls defined in HIPAA)
    - Evaluating risk to the confidentiality, availability or integrity of PHI (determine vulnerability for gaps in compliance)
    - Develop a remediation plan (close the gaps)
    - Create evidence (training, policy and procedure documentation, track risk mitigation activities, etc.)
    - Monitor effectiveness of controls and periodic review (ongoing risk management process)
  • 15. RISK ANALYSIS
    Numerous methods of performing risk analysis are available; none "guarantee" compliance.
    Ultimately, risk is a function of:
    - the likelihood of a given threat triggering or exploiting a particular vulnerability (gap in compliance requirements)
    - the anticipated impact on the organization (usually high, medium or low)
    Risk is not a single factor or event, but rather a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
  • 16. FUNDAMENTAL STEPS IN RISK ANALYSIS
    - Identify the scope of the analysis (any resources used to create, receive, maintain or transmit PHI)
    - Gather data (inventories)
    - Assess current security measures against required controls and standards (ad hoc, in-place, or non-existent)
    - Determine the level of risk (likelihood of threat occurrence and potential impact)
    - Identify security gaps to be remediated to minimize risks and document the analysis (remediation plan)
  • 17. 1ST STEP TOWARD COMPLIANCE: RISK ANALYSIS
    The first step in an organization's Security Rule compliance efforts: develop an ongoing risk management process that provides the organization with a detailed understanding of the risks to the confidentiality, integrity, & availability of e-PHI.
  • 18. DEVELOPING A REMEDIATION WORK PLAN TO MANAGE RISK
    1. Utilize the highest rated (priority) risks identified in the risk analysis to develop an initial remediation work plan, or blueprint of projects, that defines ongoing risk mitigation efforts
    2. Institute a disciplined project management process in order to assure progress is tracked and achieved on remediation efforts and to demonstrate an ongoing risk management process
    Documentation, documentation, documentation!
  • 19. EXECUTING A WORK PLAN
    - Assign a project manager to be in charge of each risk remediation project
    - Customize/develop & document policies and procedures
    - Establish review & monitoring procedures
    - Develop & help execute implementation plans (contingency plan, disaster recovery plan, workforce training plan, etc.)
    - Coach & train personnel on new or revised policies, procedures and plans
  • 20. EXECUTING A WORK PLAN (continued)
    - Revisit what was done & do it all again!
    - Continue review & monitoring procedures
  • 21. REMEDIATION REQUIRED
    Conduct or review a security risk analysis AND implement security updates as necessary AND correct identified security deficiencies as part of its risk management process.
  • 22. RISK MANAGEMENT: A JOURNEY, NOT A PROJECT
    Not a static event:
    - Ongoing evaluation & monitoring
    - Outputs of a risk assessment & analysis are the inputs to the ongoing risk management program
    GOAL: reasonable & appropriate risk mitigation actions that assure the confidentiality and security of PHI
  • 23. CULTURE OF SECURITY AWARENESS
    - Leadership
    - Knowledge & understanding of HIPAA Privacy & Security and HITECH Act requirements
    - Implement changes based on credible threats & obvious vulnerabilities
    - Training: onboarding, annual and supplemental
    - Vigilance: ongoing reassessment, upgrading, updating
  • 24. VALUE OF SECURITY AWARENESS
    a) What is in it for me?
    b) What is in it for my people?
    c) What is in it for my practice?
  • 25. THE RISK OF DOING NOTHING
    Recent CMS announcement:
    - Approx. 1 out of 20 practices (5%) that attested to Meaningful Use will be audited for compliance
    - Both pre-payment and post-payment audits
    OCR perspective:
    - Audit eligible = all covered entities & their business associates
    Harm to patients, potential fines, civil suits in the event of a breach, costs to mitigate an incident, loss of patients, reputation!
  • 26. CONTACT: KeySys Health, LLC, Susan Pretnar, President, 4268 Cahaba Heights Court, Suite 190, Vestavia, AL 35243, www.keysyshealth.com, spretnar@keysyshealth.com

Editor's Notes

  1. In order to comply with the Security Rule, all covered entities (and their business associates) should use the same basic approach. At a minimum, you are required to: assess the strength of current security efforts related to the controls or 'safeguards' spelled out in the Rule (which means: are your policies and procedures documented, are they fully implemented and are they routinely monitored for compliance), and then analyze the security controls, weighing vulnerabilities, threats and the likelihood of a risk being exploited to determine a risk rating for each security gap.

     Finally, each covered entity or BA should use assessment information to develop an implementation plan to close existing security gaps as well as implement an ongoing risk management process to assure continuing attention to security controls that may be affected by changes in staff, the physical environment or the IT infrastructure. (Please keep in mind this is not just a project for the practice but an ongoing business function.)

     Program components involve the people in your organization to keep the data safe, either directly or indirectly, through processes and technologies. What is attained in the end is a systematic 'culture' that recognizes that privacy and security risks are real and everyone takes them seriously.
  3. Patients who are well informed of their medical condition are more likely to comply with their provider's recommended regimen.
     - They are also better able to communicate important health information to their providers, which can assist providers with their diagnosis and care plans.
     - Informed and educated patients and their families can take an active role in healthcare decision making; for example, when faced with multiple treatment options (e.g., choice of breast or prostate cancer treatments), educational materials and tools can help them share in treatment decisions.
     - They are also more likely to effectively manage their own care, as healthy behaviors and chronic care are ongoing, everyday activities.
     - Patients' participation in chronic care self-management programs can have a substantial impact on their health.
  4. Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure. Eighty-one percent of organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email. On average, 51 percent of employees are bringing their own devices to the healthcare facility.
  5. Healthcare organizations seem to face an uphill battle in their efforts to stop and reduce the loss or theft of protected health information (PHI) or patient information. As is revealed in the Third Annual Benchmark Study on Patient Privacy and Data Security, many healthcare organizations struggle with a lack of technologies, resources and trained personnel to deal with privacy and data security risks. Since first conducting this study in 2010, the percentage of healthcare organizations reporting a data breach has increased and not declined. Further, there are more reports of multiple breaches, and only 40 percent of organizations in this study have confidence that they are able to prevent or quickly detect all patient data loss or theft. Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Employee mistakes and negligence also continue to be a significant cause of data breach incidents. The price tag for dealing with these breaches can be staggering. While the cost can range from $10,000 to more than $1 million, we calculate that the average cost for the organizations represented in this benchmark study is $2.4 million over a two-year period. This year 80 healthcare organizations participated in this benchmark research and 324 interviews were conducted. Respondents interviewed work in all areas of the organization: security, administrative, privacy, compliance, finance and clinical.
  6. Visual picture would be nice here
  7. (Text of OCR's risk analysis guidance under the HIPAA Security Rule, posted July 14, 2010.)

     Scope of the Analysis
     The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization's risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.

     Data Collection
     An organization must identify where the e-PHI is stored, received, maintained or transmitted. An organization could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

     Identify and Document Potential Threats and Vulnerabilities
     Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

     Assess Current Security Measures
     Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).) The security measures implemented to reduce risk will vary among organizations. For example, small organizations tend to have more control within their environment. Small organizations tend to have fewer variables (i.e. fewer workforce members and information systems) to consider when making decisions regarding how to safeguard e-PHI. As a result, the appropriate security measures that reduce the likelihood of risk to the confidentiality, availability and integrity of e-PHI in a small organization may differ from those that are appropriate in large organizations.

     Determine the Likelihood of Threat Occurrence
     The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are "reasonably anticipated." The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization. (See 45 C.F.R. §§ 164.306(b)(2)(iv), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

     Determine the Potential Impact of Threat Occurrence
     The Rule also requires consideration of the "criticality," or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization. The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability and integrity of e-PHI within an organization. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1)(ii).)

     Determine the Level of Risk
     Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels. The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk level. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

     Finalize Documentation
     The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.

     Periodic Review and Updates to the Risk Assessment
     The risk analysis process should be ongoing. In order for an entity to update and document its security measures "as needed," which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.
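The scoring and prioritization steps described on slides 15 to 18 and in the OCR guidance above (threat/vulnerability pairs, a likelihood and an impact rating, a risk level per pair, a work plan ordered by the highest rated risks, and documentation for every gap) are shown below as a small worked risk register. This is an added example in Python, not code from the presentation or from KeySys Health. Assumptions not taken from the page: the three-point scales, the likelihood-times-impact matrix (the guidance mentions averaging the two levels; the matrix is the alternative used here), the High/Medium/Low thresholds, and the sample findings, which are constructed for illustration.

```python
"""Minimal HIPAA-style risk register (added example, not from the presentation).

Walks the risk-analysis steps on the slides: inventory of resources that hold
ePHI, reasonably anticipated threats paired with vulnerabilities, likelihood and
impact ratings, a risk level per pair, a prioritized remediation work plan, and a
check that every gap carries either a remediation or a documented rationale
(the 45 C.F.R. 164.306(d)(3) point about "addressable" specifications).
Scales, thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Finding:
    asset: str                  # resource that creates/receives/maintains/transmits ePHI
    threat: str                 # reasonably anticipated threat
    vulnerability: str          # gap in a safeguard that the threat could exploit
    likelihood: Level           # probability the threat triggers the vulnerability
    impact: Level               # effect on confidentiality, integrity or availability
    control_status: str         # "in-place", "ad hoc" or "non-existent" (slide 16)
    remediation: Optional[str] = None               # planned corrective action
    not_applicable_rationale: Optional[str] = None  # why an addressable spec is not reasonable & appropriate


def risk_score(likelihood: Level, impact: Level) -> int:
    """Likelihood x impact on a 3x3 matrix, giving 1..9 (assumed scheme)."""
    return int(likelihood) * int(impact)


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Collapse the score to High/Medium/Low; thresholds are an assumption."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def work_plan(findings: List[Finding]) -> List[Finding]:
    """Order open gaps for the remediation work plan: highest score first,
    then non-existent controls before ad hoc ones, then by asset name."""
    order = {"non-existent": 0, "ad hoc": 1, "in-place": 2}
    return sorted(
        (f for f in findings if f.control_status != "in-place"),
        key=lambda f: (-risk_score(f.likelihood, f.impact), order[f.control_status], f.asset),
    )


def undocumented(findings: List[Finding]) -> List[str]:
    """Open gaps with neither a remediation nor a rationale: the items an
    auditor asks about first, because one or the other must be on file."""
    return [
        f"{f.asset}: {f.vulnerability}"
        for f in findings
        if f.control_status != "in-place"
        and f.remediation is None
        and f.not_applicable_rationale is None
    ]


def summarize(findings: List[Finding]) -> List[str]:
    """One line per work-plan item, highest risk first."""
    return [
        f"{risk_level(f.likelihood, f.impact).name:<6} {f.asset}: {f.threat} / {f.vulnerability}"
        for f in work_plan(findings)
    ]


# Constructed sample register (illustrative; not real audit data).
SAMPLE = [
    Finding("clinic laptops", "theft", "no full-disk encryption",
            Level.HIGH, Level.HIGH, "non-existent",
            remediation="enable full-disk encryption, enroll in MDM, track in inventory"),
    Finding("backup tapes", "loss in transit", "tapes unencrypted, no chain of custody",
            Level.MEDIUM, Level.HIGH, "ad hoc"),
    Finding("staff smartphones", "unauthorized access", "no remote wipe for BYOD email",
            Level.MEDIUM, Level.MEDIUM, "ad hoc",
            remediation="require MDM enrollment before mail access"),
    Finding("front-desk workstation", "unattended session", "no automatic logoff",
            Level.LOW, Level.MEDIUM, "non-existent",
            not_applicable_rationale="screen not public-facing; equivalent measure: 5-minute screen lock via group policy"),
    Finding("EHR server", "hacking", "vendor patching monthly",
            Level.LOW, Level.HIGH, "in-place"),
]


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
    print("undocumented gaps:", undocumented(SAMPLE))
```

Running the block prints the four open gaps with the laptops first and the workstation last, and reports the backup tapes as the one gap with nothing on file. The `undocumented` check is the part worth keeping in a real register: a Medium or Low rating never excuses a gap from documentation, only from immediate remediation.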