Transcript of Session 203: MGMA Culture of Compliance and Security
9/26/2017
Security Awareness & Best Practices: How Your Staff’s Behavior Can Boost or Break Your Practice’s Defenses
Ben Schmerler, Senior IT Risk Advisor
DP Solutions
Introduction
All organizations that manage ePHI are responsible for maintaining HIPAA/HITECH compliance for that data.
Three important elements for data management:
1. Privacy (confidentiality)
2. Integrity
3. Availability
Both technical and behavioral controls are important.
Agenda
Examine HIPAA Elements
Define and Consider Technical/Behavioral Controls
Coming Up With a Risk Assessment Process
Post Assessment: Risk Management Plan
Remediation Efforts
The “Culture” of Compliance
Q&A
Protecting and Identifying Assets
Where are your assets located and who can access them?
Who do you share assets with?
Is there “Data Sprawl”?
What is the actual value of these assets? (productivity, liability, and business integrity)
Why is this Important? A real-life example
Texas hospital fined $3.2 million for HIPAA breach!
Health care industry is a top target
The importance of complying with HIPAA
“The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Texas hospital $3.2 million for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA) over multiple years.”
Important HIPAA Data Factors
Privacy
Patient data is for the patient, and exposure to unauthorized third parties is not acceptable in any form.
Integrity
Patient data must be maintained. Loss or tampering of data is not acceptable.
Availability
Patient data must be accessible in a reasonable amount of time, regardless of other challenges.
Technical Security Philosophy
Data Assets get the most protection. Data should be classified based on value.
Privacy of Data Flow is a MUST
End‐User Knowledge of the Value of Assets
P.S. You don’t have to focus on the “how” of technical security. Focus on the “why”, and the parameters of a technical solution define themselves.
Technical Controls: Your System’s Ability To Fight Off Disease
Backups, Recovery & Availability, tied to the value of the asset
Unique User Names/Passwords
Account Timeouts/Lockouts
Anti-virus/Anti-malware/Anti-whateverware
Firewall
Data Backups, onsite and off
Spam Filters
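Account lockouts, as an added Go example that is not from the presentation or DP Solutions: a per-account tracker that locks an account after a run of failed logins inside a sliding window and lets the lock expire on its own. The thresholds (5 failures in 15 minutes, 30-minute lock) and the user name "jdoe" are assumptions chosen for the example, not values recommended in the talk; the right numbers come out of your risk assessment.

```go
package main

import (
	"fmt"
	"time"
)

// Policy values. These are assumptions chosen for the example, not figures
// given in the presentation; pick yours from your risk assessment.
const (
	maxFailures     = 5                // failures tolerated inside failureWindow
	failureWindow   = 15 * time.Minute // sliding window for counting failures
	lockoutDuration = 30 * time.Minute // how long a locked account stays locked
)

// accountState is the per-account failure history.
type accountState struct {
	failures    []time.Time // timestamps of recent failed attempts
	lockedUntil time.Time   // zero value means not locked
}

// LockoutTracker applies the policy per account (not per source address),
// so an attacker rotating IP addresses still trips the lock.
type LockoutTracker struct {
	accounts map[string]*accountState
}

func NewLockoutTracker() *LockoutTracker {
	return &LockoutTracker{accounts: make(map[string]*accountState)}
}

// IsLocked reports whether user is locked at time now. Check this before
// verifying the password, so a locked account cannot be brute-forced.
func (t *LockoutTracker) IsLocked(user string, now time.Time) bool {
	st, ok := t.accounts[user]
	return ok && now.Before(st.lockedUntil)
}

// RecordAttempt records the outcome of a credential check at time now and
// reports whether the account is locked afterwards.
func (t *LockoutTracker) RecordAttempt(user string, success bool, now time.Time) bool {
	st, ok := t.accounts[user]
	if !ok {
		st = &accountState{}
		t.accounts[user] = st
	}
	if now.Before(st.lockedUntil) {
		return true // already locked; attempts during the lock do not extend it
	}
	if success {
		st.failures = nil // a good login clears the failure history
		return false
	}
	// Keep only failures inside the sliding window, then add this one.
	cutoff := now.Add(-failureWindow)
	kept := st.failures[:0]
	for _, ts := range st.failures {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	st.failures = append(kept, now)
	if len(st.failures) >= maxFailures {
		st.lockedUntil = now.Add(lockoutDuration)
		st.failures = nil
		return true
	}
	return false
}

func main() {
	// Constructed sequence: five bad passwords for "jdoe", one minute apart.
	tr := NewLockoutTracker()
	start := time.Date(2017, 9, 26, 9, 0, 0, 0, time.UTC)
	for i := 0; i < maxFailures; i++ {
		locked := tr.RecordAttempt("jdoe", false, start.Add(time.Duration(i)*time.Minute))
		fmt.Printf("attempt %d failed, locked=%v\n", i+1, locked)
	}
	later := start.Add(lockoutDuration + 5*time.Minute)
	fmt.Printf("locked at %s: %v\n", later.Format(time.Kitchen), tr.IsLocked("jdoe", later))
}
```

The lock is keyed on the account rather than the client address, and an attempt made while locked neither resets the failure count nor extends the lock, so an attacker cannot keep a legitimate user locked out indefinitely by hammering the login form.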
More Sophisticated Technical Controls
Encryption
• At Rest: Encrypting data so that it cannot be read from a storage device unless you have the key.
• In Transit: The same protection, applied while data moves from a source to a destination.
Disaster Recovery System
• Beyond data backup.
• DR is concerned with recovering during a major event, typically within minutes, to make your system operational and not just recover information.
Even More Sophisticated Technical Controls
Intrusion Detection / Prevention Systems
Web Application Firewalls
Traffic Monitoring Solutions
Data Loss Prevention
Technical Security Is NOT Enough
The safe isn’t secure if you leave it unlocked.
Behavioral policies reinforce and strengthen technical controls.
Conversely, bad behaviors make technical security worthless!
Behavioral Controls
The Rules, Policies, and Procedures Designed to Protect ePHI Regardless of Technology
Define Sensitive Data: Outline what “sensitive data” means to the organization, and why it is of value. You want to get staff emotionally invested in protecting data.
Acceptable Use: The basic rules about what is and is not allowed to be done on computer systems. It can be difficult to balance security/risk with productivity.
Security Incident: Defines what an incident is, staff roles, communication channels, and other expectations for behavior during a security incident, as well as post-incident follow-up.
More Behavioral Controls
HIPAA awareness training; varies based on role.
“Minimum Necessary”
Enforcement Rules
Business Associate Agreements
Breach Notification Procedures
Termination Procedures
Access Authorization Procedures
Uhhh…so do I have to get all this stuff?
No!
Technical solutions must fit the system, organization, and data assets in order to be effective and provide value.
If only there were some kind of process we could follow to figure out what our risks are and come up with a plan to respond to them…
Risk Assessment Process
Identify risks of PHI breach or loss (both electronic and paper)
Measure likelihood and impact of those risks
Prepare for implementation of a Risk Management Plan based on results
For example…
• Unauthorized transmission, both internal and external
• Hacks
• Data “corruption”
• System failure
• Each Risk Assessment is scoped and managed differently based on the organization.
• Amount of PHI, size of practice, system / workflow organization, etc. will impact how this process occurs and what specific steps are taken.
Factors to Consider
Where your assets are stored
Vendors/Partners who are part of your PHI Workflow
Your last assessment
The overall evolution of your organization & technology
If an incident has already occurred
Risk Management Plan
A Risk Management Plan is an internal document for decision makers to use to acknowledge their risks and rationalize their approach for dealing with them.
Typically a reflection of the assessment.
An evolving standard; subject to change.
Since it’s a plan, you probably can’t do everything at once, and some risks may not be addressable in the short (or long) term anyway.
Remediation
Based on the Risk Management Plan.
Not all remediation is “fixing” stuff.
Sometimes it is policy acknowledgement, HIPAA training, research for the future so the Risk Management Plan can be updated, etc.
Not everything can be remediated.
Measure impact vs. risk.
“Culture” of Compliance
If nobody cares, then everything we have done is practically worthless.
Some expect to buy compliance, but you can’t buy, for example, something that will stop a staff member from taking a picture of a chart and sending a text to someone else.
GOAL: Create a workplace where staff are aware of what they are working with, why it matters, and their particular role in the Risk Management Plan, even if it is just reporting and communicating.
We want everyone to care about what we seek to protect, and not just the asset owners.
Questions?
Next Steps
Let’s Chat! A quick conversation to discuss your company's particular security risks and concerns.
Meet me after the presentation or visit our booth!
410.720.3300 x106
www.dpsolutions.com
Thank You!
Ben Schmerler, Senior IT Risk Advisor