www.cloudsecurityalliance.org
Healthcare Information
Security Risks and
Compliance
2016 Colorado CSA Fall Summit | November 10, 2016
Ram Ramadoss, Vice President, CRP Privacy, Information Security
and EHR Compliance Oversight, Catholic Health Initiatives
Copyright © 2016 Cloud Security Alliance
www.cloudsecurityalliance.org | Copyright © 2011 Cloud Security Alliance | Copyright © 2015 Cloud Security Alliance
Overview
• About Catholic Health Initiatives
• Healthcare Industry Overview
• Top Technology Trends
• HIPAA Compliance/Risk Assessment
• OCR’s Cloud Computing Guidance
• Q&A
About Catholic Health Initiatives
• The nation’s third-largest nonprofit health system
• CHI operates in 19 states and comprises 103 hospitals;
  – Four academic health centers and major teaching hospitals, as well as 30 critical-access facilities;
  – Home health and senior living facilities
• Other facilities and services that span the inpatient
and outpatient continuum of care
Healthcare Industry
Overview
• Current state
• Evolution
• Complexity
• Challenges and Opportunities
Evolution
• Major consolidation of Healthcare providers
• Small and medium-sized practices are struggling
• A major movement to Electronic Health Record (EHR) systems
• We are seeing an increasing shift towards outsourcing
• Competing priorities and budget limitations
• Consumerization
Complexity
• A significant number of legacy electronic systems
• Retention timeframes of 20-plus years for medical records
• Legacy medical devices / wireless capability
Security Challenges Unique to the
Healthcare Sector
• Protected Health Information (PHI) includes fundamental,
unchanging facts about a patient
• The average cost of a security breach is $363 per record in
healthcare versus $154 per record in other industries
• In 2015 alone, 113 million patients were affected by breaches
• Fraud opportunities for criminals include:
  – Identity theft
  – Exploitation of insurance details
  – Prescription drug benefits
Challenges and Opportunities
Challenges:
• Vulnerabilities and weak security controls
• Aggressive Threat Landscape
• HIPAA regulatory requirements
Opportunities:
• Providers are desperately looking for technology solutions
• An open-minded approach to outsourcing
• Exploring efficiency and automation opportunities
Top Technology Trends
The Consumerization of
Healthcare
• Consumer connected to the New Healthcare Economy
• A greater expectation for personalized experience
• Business intelligence tools to derive patterns and
consumer trends
Big Data
• 360-degree view of customers/patients
• Unstructured data to help with predictive analytics
• Increasing focus on Health Clouds
• Medium-sized providers: a huge opportunity
• Large healthcare providers: partnerships
Mobile Devices/Applications
• Not just the Millennials
• Access to Health Information using smartphones
• Online scheduling / Insurance shopping /
Virtual care drive off
• Developing a digital eco-system
• Patient/Physician portals; information sharing
  – Engagement and interactions with patients
Patient Data vs Patient Safety Focus
HIPAA Compliance and Risk
Assessments
Business Associate Agreements
(BAA)
• A contractual agreement between a Covered Entity (CE)
and any third-party company with access to patient
information (the Business Associate)
• A mandatory requirement – HIPAA Administrative Safeguard
• Key provisions include, but are not limited to:
  – Return or destruction of Protected Health Information
(PHI) upon termination
  – Safeguarding the ePHI and breach notification
Information Security Amendments
• Additional language regarding a minimum security program
• Security provisions regarding access from foreign locations
and storage of data outside the country
• Risk stratification of partners and Business Associates
• Monitoring of partners' security and compliance
Suppliers/Business Associates
Facts:
• Increasing outsourcing activities (Business Process/IT)
• Cloud-based electronic health record systems
• The patient care program is reliant upon the
support received from partners / BAs
Mitigation:
• Cybersecurity insurance coverage
• BAAs and security amendments
• Access and storage outside the United States
• Supplier risk management program
The Office for Civil Rights’
(OCR) Cloud Computing
Guidance
Cloud Computing Guidance
• Covered Entities (CEs) must execute BAAs with Cloud
Service Providers (see OCR's recent fines against a CE)
• Risk Analysis – required of both the CE and the CSP
• Service Level Agreements must include:
  – System availability and reliability
  – Backup and data recovery
  – The manner in which data will be returned to the customer
after termination of the service
  – Security responsibilities
  – Use, retention and disclosure limitations
Cloud Computing Guidance
• A CSP is directly liable under the HIPAA Privacy Rule for:
  – Use and disclosure of data not authorized by the
contract, by law or by HIPAA
• A CSP is directly liable under the HIPAA Security Rule for:
  – Failure to safeguard ePHI
  – Failure to notify a Covered Entity regarding a breach
• CSPs are still considered Business Associates:
  – Even if the data is encrypted
  – Even if the CSP does not have access to the data
Cloud Computing Guidance
• Can a CSP be considered a "conduit", like the postal service?
  – The conduit exception is limited to transmission-only
services for PHI, including any temporary storage of PHI in the course of transmission
• Lack of actual knowledge by a CSP that its services are
used to handle ePHI:
  – Affirmative defense – address compliance within 30 days
• Breach Notification – CSPs must implement:
  – Policies and procedures
  – Documentation of security incidents
  – Reporting of incidents to CEs and Business Associates
Cloud Computing Guidance
• CSPs must return or destroy all PHI at the termination of the
BAA where feasible
  – If such return or destruction is not feasible, the BAA must
extend the privacy and security protections to the retained data
• The HIPAA Rules do not restrict storage of data outside the US
  – Risk assessment is the key
• Customers may require additional assurances from CSPs,
such as documentation of safeguards or audits
• De-identified ePHI per the HIPAA Privacy Rule:
  – The CSP is not a Business Associate
Thank You

Editor's Notes

  1. 40 mins.