
(1)

HIPAA Reality Check: The Gap Between Execs and IT

March 1, 2016

(2)

Conflict of Interest

(3)

Agenda

• Healthcare status
• HIPAA Misconceptions
• Real World Examples
• Why the Gap?
• Analyze Risks
• Minimize Risks
• Questions

(4)

Learning Objectives

• Discuss prominent HIPAA and data security assumptions made in the healthcare industry by IT, compliance officers, executives, stakeholders, and board members
• Identify common struggles preventing organizations from completing crucial security improvements to sensitive patient health data
• Assess an effective way to fill the communications gap between executives and IT while promoting an organizational culture of data security
• Analyze how to minimize organizational data breach probability based on vulnerabilities, threats, and risks

(5)

An Introduction of How Benefits Were Realized for the Value of Health IT

http://www.himss.org/ValueSuite

• S: 86% of employees and executives cite ineffective communication for failure in the workplace.
• T: 54% of patients would switch providers after a data breach.
• E: Healthcare still lags behind on securing upgraded technology.
• P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.
• S: Remediation costs for crime-linked data breaches of patient data are $170 per record.

(6)

Healthcare Status

(7)

HIPAA Status Disparity

• 89% of C-Suite believe they are HIPAA compliant
• Only 67% of Compliance and Risk Officers believe they are HIPAA compliant

(8)

Belief vs. Truth

• Fantasy: Healthcare is doing well in HIPAA security
• Reality: Most healthcare organizations have vulnerabilities in their security and don't realize it

(9)

Compromise is Imminent

• Criminal attacks in the healthcare industry have risen 125% since 2010*
• 80% of healthcare IT leaders say their systems have been compromised*
*(Ponemon Institute)

(10)

HIPAA

(11)

Myth: Firewalls are Enough

• Firewalls need to be kept updated
• Firewalls don't take care of all security issues:
– Remote access software
– Social engineering
– Physical security

(12)

Myth: HIPAA Doesn’t Apply to Me

• Many organizations think:
– They are too small
– Their organization doesn't have PHI
– Cloud-stored data is exempt
• The HIPAA Security Rule applies to virtually all healthcare entities: every covered entity and every business associate that handles ePHI on its behalf

(13)

Myth: IT and Attorneys Have Us Covered

• IT professionals need additional training for security
• Attorneys don't have

(14)

Myth: My Data Isn’t Valuable

• Health data is more lucrative than credit card data on the black market
– Credit card data sells for $1–2
– PHI sells for $20–200
• Credit cards are easy to replace; Social Security numbers are impossible to replace

(15)

Myth: Business Associates Take All Liability

• Liability is shared between covered entities and their business associates
• Business associates may have vulnerabilities that endanger your data

(16)

Myth: We're Already Doing Security

• HIPAA staff are mostly following the Privacy Rule, but not the Security Rule
– Staff aren't trained in security

(17)

Myth: Social Engineering Isn't a Threat

• Social engineering targets the weakest link: people!
• It doesn't require technical talent

(18)

Real World Examples

(19)

Business Associate

• Target (the 2013 Target breach began with network credentials stolen from a third-party HVAC vendor)

(20)

Unsecured PHI

• Two types of data

(21)

Social Engineering

• Janitor
• IT
• Service Provider
• EHR
• Build Trust

(23)

Time

• HIPAA will eat your time
– Small organizations: 200 hours annually
– Large organizations: 800+ hours annually
• Solutions:
– Hire an outside security consultant
– Baby steps (prioritize based on

(24)

Money

• Staff time
• Purchases: security tools, policies, training, etc.
• Solutions:
– Prioritize (#1 risk? What needs to be protected first?)
– Work it into your budget
– Get management support
– HIPAA packages (training + policies + audit combo)

(25)

Training

• Most staff don't understand proper Security Rule practices
• Solutions:
– Train monthly instead of annually
– Send weekly security tip reminders

(27)

Analyze HIPAA Risk

• Assess current controls
• Determine likelihood of occurrence
• Determine potential impact
• Determine level of risk
• Identify security

(28)

Document PHI Flow: Data Flow Charts

• Simple way to identify scope and start documentation
• Record all devices
• Interview departments

(29)

Prioritize

• Address critical problems first
– Depends on your individual environment
• A Risk Analysis and Risk Management Plan will help determine these risks
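The two slides above describe the steps of a risk analysis (assess current controls, estimate likelihood and impact, derive a risk level) and then tell you to prioritize by that level. The following is an added worked example, not material from the deck: it turns those steps into a small scored risk register. The 1–5 scales, the control-strength adjustment, the level thresholds and the sample entries for a hypothetical small practice are all constructed assumptions; a real analysis would use the organization's own scales and inventory.

```python
"""Worked HIPAA-style risk analysis (added illustration, not from the deck).

Each register entry pairs an asset holding ePHI with a threat and the
vulnerability that makes it plausible.  Likelihood is rated before controls,
then reduced by the strength of the current control; the residual likelihood
times impact gives a score that maps to a level, and the register is sorted so
critical items are addressed first.  Scales and thresholds are constructed.
"""
from dataclasses import dataclass

# Constructed thresholds: a score at or above the bound gets that level.
LEVELS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]


@dataclass
class RiskItem:
    asset: str              # where the ePHI lives
    threat: str             # what could go wrong
    vulnerability: str      # why it could go wrong here
    likelihood: int         # 1 (rare) to 5 (expected), before controls
    impact: int             # 1 (negligible) to 5 (severe)
    control_strength: int   # 0 (no control) to 3 (strong, tested control)

    def residual_likelihood(self) -> int:
        # Each level of control strength removes one point of likelihood;
        # nothing is ever rated below 1 because no control is perfect.
        return max(1, self.likelihood - self.control_strength)

    def score(self) -> int:
        return self.residual_likelihood() * self.impact

    def level(self) -> str:
        for bound, name in LEVELS:
            if self.score() >= bound:
                return name
        return "Low"


def prioritize(items):
    """Highest residual risk first; ties broken by impact, then asset name."""
    return sorted(items, key=lambda r: (-r.score(), -r.impact, r.asset))


# Constructed sample register for a hypothetical small practice.
SAMPLE_REGISTER = [
    RiskItem("Laptop with EHR client", "Theft or loss", "Disk not encrypted", 4, 5, 0),
    RiskItem("Reception workstation", "Walk-up access", "No screen lock time-out", 5, 3, 1),
    RiskItem("Billing vendor SFTP", "Vendor compromise", "Shared password, BAA never reviewed", 3, 4, 1),
    RiskItem("Perimeter firewall", "Exploit of old firmware", "Updates applied ad hoc", 2, 4, 2),
    RiskItem("Staff e-mail", "Phishing", "Annual-only training", 5, 4, 1),
]


def report(items=SAMPLE_REGISTER):
    """One line per item, most urgent first, for the management plan."""
    return [
        f"{r.level():8} score={r.score():2}  {r.asset}: {r.threat} ({r.vulnerability})"
        for r in prioritize(items)
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

With these constructed inputs the unencrypted laptop scores 20 (Critical) and heads the list, phishing of staff e-mail scores 16, the reception workstation 12, and the firewall drops to Low only because its control is rated strong; changing a control-strength value and re-running shows how a single remediation moves an item down the list, which is the conversation the slides want executives and IT to have.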

(30)

Train Staff Properly

• Monthly training meetings
• Incorporate the HIPAA Security Rule
• Not just nurses and doctors, but receptionists too!
• Recognize social engineering

(31)

Secure PHI Around the Office

• Eliminate unencrypted PHI
• Screensavers
• Password-protected screen lock after time-out
• Reception desks

(32)

Strengthen Physical Security

• Visitor/maintenance log
• Controls to limit physical access
• Video cameras to monitor access to sensitive areas
• Distinguish visitors from

(33)

Have Individual User Accounts

• Workforce members are not all created equal
• All staff should have separate user accounts
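Separate accounts only help if someone checks that they are actually used that way. The following is an added illustration, not part of the deck: a small review of logon records that flags a user ID holding sessions on two workstations at once (the classic sign of a shared login) and lists IDs that look like roles rather than people. The log format, host names, user IDs and role keywords are all constructed; a real review would read the EHR or domain controller audit log in its native format.

```python
"""Added illustration (not from the deck): spotting shared logins in audit logs.

The HIPAA Security Rule expects records of system activity to be reviewed.
With one account per person, a single user ID that is logged on to two
workstations at the same time is a red flag for a shared login.  Log format,
host names, user IDs and role keywords below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: ISO timestamp, event, user ID, workstation.
SAMPLE_LOG = """\
2016-03-01T08:02:11 LOGON  user=frontdesk host=WS-RECEPTION-1
2016-03-01T08:05:40 LOGON  user=frontdesk host=WS-RECEPTION-2
2016-03-01T08:10:05 LOGON  user=jsmith    host=WS-EXAM-3
2016-03-01T08:31:00 LOGOFF user=jsmith    host=WS-EXAM-3
2016-03-01T08:33:12 LOGON  user=jsmith    host=WS-EXAM-4
2016-03-01T12:00:00 LOGOFF user=frontdesk host=WS-RECEPTION-1
2016-03-01T12:30:00 LOGOFF user=frontdesk host=WS-RECEPTION-2
2016-03-01T13:00:00 LOGON  user=nurse     host=WS-NURSE-1
"""

# Constructed list of words that suggest a role account rather than a person.
ROLE_WORDS = ("frontdesk", "reception", "nurse", "doctor", "admin", "shared")


def parse(log_text):
    """Return (timestamp, event, user, host) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, host_kv = line.split()
        events.append((datetime.fromisoformat(ts), event,
                       user_kv.split("=", 1)[1], host_kv.split("=", 1)[1]))
    return sorted(events)


def concurrent_sessions(log_text):
    """Map user -> set of hosts for users seen logged on to >1 host at once."""
    active = defaultdict(set)    # user -> hosts with an open session right now
    flagged = defaultdict(set)
    for _, event, user, host in parse(log_text):
        if event == "LOGON":
            active[user].add(host)
            if len(active[user]) > 1:
                flagged[user].update(active[user])
        elif event == "LOGOFF":
            active[user].discard(host)
    return dict(flagged)


def generic_accounts(log_text, role_words=ROLE_WORDS):
    """User IDs that look like a role rather than a named person."""
    users = {user for _, _, user, _ in parse(log_text)}
    return sorted(u for u in users if any(w in u.lower() for w in role_words))


if __name__ == "__main__":
    for user, hosts in concurrent_sessions(SAMPLE_LOG).items():
        print(f"shared login suspected: {user} active on {sorted(hosts)}")
    print("role-style IDs:", generic_accounts(SAMPLE_LOG))
```

On the constructed log, `frontdesk` is flagged because its second logon arrives while the first session is still open, while `jsmith` moving from one exam room to another is not, since the first session was closed first. A role-style ID that never shows up concurrently is still worth a conversation, which is why the two checks are reported separately.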

(34)

Update Systems and Apps

• EHR
• Anti-virus
• Medical devices
• Operating systems
• Firewalls
• IPS / FIM (file integrity monitoring) / DLP

(35)

A Summary of How Benefits Were Realized for the Value of Health IT

http://www.himss.org/ValueSuite

• S: 86% of employees and executives cite lack of collaboration or ineffective communication for failure in the workplace.
• T: 54% of patients would switch providers after a data breach.
• E: Healthcare has exponentially upgraded its technology in the past five years, but still lags behind on securing that technology.
• P: Reaching full HIPAA compliance is a fantastic thing to bring up with patients.
• S: Remediation costs for crime-linked data breaches of patient data are $170 per record.

(36)

Questions

[email protected]
