Avior Healthcare Security Compliance Webcast Final1
Transcript of Avior Healthcare Security Compliance Webcast Final1
Webcast:
Complying with HIPAA Privacy and Security Standards

Agenda:
• Healthcare IT Trends – Jim Hietala, Compliance Research Group
• Recovery Act of 2009, and HITECH Act, Security and Compliance Implications – Karl Muenzinger, Janus Associates
• Overview of Avior Computing Solutions – Bruce Beck, VP Business Development, Avior
• Demonstration: Converged privacy/security assessments for healthcare organizations – Jeri Teller-Kanzler, President, Risk-Mapp
• Q&A
Trends in IT and Healthcare

Government:
• Electronic Health Record adoption push
• Health Information Networks (HIE's, RHIN's, NHIN)

IT Access and Network Changes:
• Growth in wireless network adoption, mobility
• Guest network access
• Intermixing of IT and clinical devices in healthcare networks
2009 Stimulus Bill Brings New HIPAA Requirements

The Health Information Technology for Economic and Clinical Health (HITECH) Act
• Included in the American Recovery and Reinvestment Act of 2009 (ARRA)

Data Breach Protections
• Prevent Data Breaches of Protected Health Records (PHR)
• Increase penalties

August 2009: Guidance from HHS and FTC
• HHS Office of Civil Rights takes over HIPAA enforcement
• Interim final rule for Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164)
• The Federal Trade Commission Health Breach Notification Rule (16 CFR Part 318) and Notice of Breach of Health Information (procedure)
The Impact on HIPAA Compliance

An increase in SCOPE
- More organizations are subject to HIPAA

An increase in DEPTH
- HIPAA compliance programs require greater due-diligence

An increase in ENFORCEMENT
- More government oversight, higher penalties
PENALTIES FOR HIPAA VIOLATIONS

                        Prior penalties    ARRA / HITECH
Amount per violation    $100               $100 - $50,000
Maximum per year        $25,000            $5,000,000
Data Breach
"the unauthorized acquisition, access, use or disclosure of PHI"

Data Breach Notification Law: Protect PHI
- Encryption during Transmission
- Encryption during Storage
- Secure Disposal of PHI on paper, film, or disk

Public Notification of Data Breaches starting in September 2009
- Covered Entities and Business Associates will be required to notify the public
- HHS will post a public list of major data breaches: increase in reputational risk
- The FTC must be notified, for organizations not otherwise covered by HIPAA
The Increased Oversight of Business Associates

Business Associates must comply with HIPAA Privacy and Security rules (sec 13401.(a))
- Civil and criminal penalties (sec 13401)
- Data Transmission Service Providers are included (sec 13408)

Covered Entities are accountable for their Business Associates
- Data Breach Notification rules for Covered Entities include data breaches of their Business Associates (sec 13402)
- Business Associate Agreements must be revised by February 17, 2010
- Best Practices: require Business Associates to agree to independent inspection of security controls
Compliance and Risk Assessments of Business Associates

Locate and document all PHI sent to third parties
Assign the controls required for each Business Associate
• Specify all data-handling requirements in Business Associate Agreements
Collect Evidence of Controls for each Business Associate
Assess the evidence, identify risks, take action
Strategies for Covered Entities and Business Associates

Covered Entities:
• Use a Tiered Approach: Categorize your Business Associates
- based on the PHI being handled, and other risk factors
• Tailor the Assessment methodology for each Tier
- Efficiently expending resources on the tiers of highest risk.
• Use Risk Assessments to Reduce Business Associate risks
- Leverage the results during negotiations for future outsourced services

Business Associates:
• Establish a HIPAA Compliance Program:
- Conduct a HIPAA Risk Assessment and Gap Analysis
• Coordinate with the Compliance teams of your customers
- Align your policies and procedures proactively

Both: Your customers will be asking more about your security
• Honesty Builds Trust – Trust Leads to Investment
About JANUS Associates:

Focused on Information Security and Business Continuity consulting for two decades
• Stamford, Albany, Boston, Baltimore, Silver Spring MD
• Privately held, independent, woman-owned business

Consulting Services:
• Information Security & Privacy
• Business Continuity/Pandemic/DR Planning
• Regulatory Compliance, including PCI
• Security Awareness Training
• Breach Response and Computer Forensics
• Electronic Discovery

Avior business partner
www.JANUSassociates.com 203-251-0200
Bruce Beck, VP Business Development
Compliance… Know it Now!
www.aviorcomputing.com
Risk & Compliance Process (process diagram)

Cycle stages: Scope → Risk Assessment → Distribute Assessment Questionnaires → Manage Collection Process → Reporting and Analysis → Review and Remediation
Spanning People, Process and Technology
Risk & Compliance Chaos

Adding to the Challenge
Many overlapping compliance requirements
Fragmented compliance projects spread over many regulations, business units & third party providers… silos

"70% of organizations are treating each compliance regulation as a silo; inefficient, expensive, can't leverage common controls and assessments, annoying to business owners and vendors"
– Compliance Marketing Group
Survey Fatigue

"Assessment is the cornerstone of any GRC methodology; you have to know where you are with risk to know where you need to go. Avior provides a platform to make this process easy, repeatable and sustainable across your entire enterprise."
– Steve Katz, Fmr. CISO, Citigroup and JP Morgan

Overlapping regulations & standards create "survey fatigue" for business owners and suppliers
Bring order to Chaos

Optimize Control Framework
• Pre-configured, Dynamic mapping of Regulations, Standards, Frameworks and Policies
• Mappings & content are kept current for you by Avior
• Advanced scoring and weighting rubric
• Assess Once, comply many times, to many things
Avior's Solution (architecture diagram)

Components shown: Assessment Designer; Associator (Avior ClearView) – Map & Associate; Dynamic Assessment & Remediation; Executive Dashboards; Reporting; Repurposing
• Visibility, Reporting & Analysis
• Managing Assessment and Remediation Process
• Creating, Weighting & Scoring Assessments
• Subscription Based Offering
• Updated quarterly
• Custom Configured authoritative sources
• Easily integrate your policies and corporate objectives
Enhanced Assessment Experience
• Easy to use assessment editor
• Incorporate notes and attachments
• Weight the response to questions
• User Friendly Workflow
• Intuitive responder interface
Remediation
• Classifying & Tracking the Remediation Process
• Full Reporting Capabilities
• Allocate Remediation Resources
Visibility - Reporting & Dashboards
• Executive Level User Interface
• Dynamic Data Rendering
• Standard Suite of Reports
• Role Based Reporting
• PDF, Excel & Graphical
Avior automated risk & compliance workflow (process diagram)

Cycle stages: Scope → Risk Assessment → Distribute Assessment Questionnaires → Manage Collection Process → Reporting and Analysis → Review and Remediation

Activities shown around the cycle:
• Develop assessments • Set Frequency • Determine scoring
• Determine business owners • Manage distribution
• Ensure completion • Manage Reminders • Escalate as necessary
• Review for completeness • Score results
• Determine key risks • Report to management
• Determine risks to remediate • Manage remediation workflow

Platform capabilities called out: Prebuilt assessment library; Dynamic mapping; Risk process lifecycle support; Linked to remediation management; Workflow management; Forced evidence collection; Automated review, scoring, and reporting; Response weighting
Achieve better results
• Significant reduction in governance, risk and compliance costs
• Improve control of risk management and compliance
• Increase executive visibility of enterprise risks
• Organize compliance with a repeatable and sustainable process
= Improved management
Risk & Compliance - Know it Now!

Jeri Teller-Kanzler, President of Risk-Mapp

Demonstration of ClearView and BenchMark
Healthcare assessment addressing HIPAA, and new healthcare guidance
Mapping of HIPAA, NIST 800-66, and other standards and regulations
Questions & Answers

For Additional Information:

Avior Computing
• Bruce Beck
  [email protected] (Aviorcomputing.com)
  603-964-8040

Janus Associates
• James Adams
  [email protected] (janusassociates.com)
  203-251-0200