
Presented to OUHSC Policies and Procedures Workshop






Presentation Transcript


  1. IT Information Security Services Presented to OUHSC Policies and Procedures Workshop

  2. Agenda: Information Security Program Business Value Business Drivers Managing Risk Building Trust

  3. Business Value of Information Security: • Protection of mission critical information

  4. Protection of mission critical information: • Electronic Health Records

  5. Protection of mission critical information: • Credit Card Numbers

  6. Protection of mission critical information: • Student Records

  7. Protection of mission critical information: • Personally Identifiable Information

  8. Information Security provides: • Confidentiality • Availability • Integrity

  9. Information Security provides: The right data to the right people at the right time

  10. Business Value of Information Security: Maximize Business Opportunities

  11. Business opportunity: $19.2 billion in ARRA incentives. Payments of $44,000 to $64,000 per physician to providers who demonstrate proper implementation of EHR.

  12. Business opportunity: Electronic commerce. 100,000 credit card transactions per year, $17,500,000 annual amount.

  13. Business Value of Information Security: • Protection of mission critical information, in order to: • Minimize risk • Support academic, research and health care business continuity and opportunities

  14. Business value: • A reputation that took decades to build can be threatened by a single event.

  15. Information Security • Business Drivers

  16. Business Drivers: Clinical systems (managed university computer, protected network)

  17. Business Drivers: Research systems (semi-managed computer, open network)

  18. Business Drivers: Business/Financial/Legal systems (managed university computer, protected network)

  19. Business Drivers: Classroom/library systems (managed and unmanaged computers, open network)

  20. Business Drivers: Student systems (unmanaged computer, open network)

  21. Business Drivers: Mobile systems (managed and unmanaged computers, open network)

  22. Business Drivers: Home systems (unmanaged computer, open network)

  23. Business Drivers: Criminal systems

  24. Business Drivers: Our diverse IT environment • Different management, connectivity needs, risks • IT’s a jungle out there!

  25. Business Drivers: Increasing risks of doing business

  26. Business Drivers: Regulations • The government responds: • Health Insurance Portability and Accountability Act (HIPAA) • Health Information Technology for Economic and Clinical Health (HITECH) Act • Payment Card Industry Data Security Standard (PCI DSS) • eDiscovery rules in the Federal Rules of Civil Procedure • State data breach notification laws • FTC Red Flags Rule (identity theft prevention) • Family Educational Rights and Privacy Act (FERPA) - rev x

  27. Regulations: HIPAA • Health Insurance Portability and Accountability Act

  28. Regulations: HIPAA Health Insurance Portability and Accountability Act • Encourage use of Electronic Health Record (EHR) • Ensure the privacy and security of the EHR

  29. HIPAA: General Rules • Implement safeguards that reasonably and appropriately protect the: • Confidentiality • Integrity • Availability of Electronic Protected Health Information (ePHI)

  30. HIPAA: Security Categories • Administrative safeguards • Physical safeguards • Technical safeguards

  31. HIPAA: Security Categories • Administrative safeguards: • Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity’s workforce in relation to the protection of ePHI.

  32. HIPAA: Administrative Safeguards • Security Management Process • Assigned Security Responsibility • Workforce Security • Information Access Management • Security Awareness and Training • Security Incident Procedures • Contingency Plan • Evaluation • Business Associate Contracts and other arrangements

  33. HIPAA: Administrative Safeguards • Security Management Process: Covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations. Implementation specifications (R = required): • Risk analysis (R) • Risk management (R) • Sanction policy (R) • Information system activity review (R)

  34. HIPAA: Security Categories • Physical safeguards: • Physical measures, policies, and procedures to protect a covered entity’s electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

  35. HIPAA: Physical Safeguards • Facility Access Controls • Workstation Use • Workstation Security • Device and Media Controls

  36. HIPAA: Security Categories • Technical safeguards: • The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

  37. HIPAA: Technical Safeguards • Access Controls • Audit Controls • Integrity • Person or Entity Authentication • Transmission Security

  38. Information Security: HIPAA/HITECH Update Health Information Technology for Economic and Clinical Health

  39. Information Security: HIPAA/HITECH Update HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA). Enacted on February 17, 2009. Compliance required by February 17, 2010.

  40. Information Security: HIPAA/HITECH Update Goal : • Encourage the adoption of electronic health records (EHRs) through incentive payments to physicians HITECH affects HIPAA… • HITECH directly regulates business associates for the first time

  41. Information Security: HIPAA/HITECH Update • Penalties • Establishes a tiered system of civil penalties • Civil penalties are mandatory on a covered entity if the violation is due to "willful neglect" • Penalties apply even where the covered entity did not know it violated HIPAA • Previous (pre-HITECH) maximum: $100 per violation, up to $25,000 per year for each type of violation • Tiers shown as per violation / annual maximum per type of violation: • Violation due to "reasonable cause": $1,000 / $100,000 • Violation due to "willful neglect": $500,000 / $1.5 million

  42. HITECH Act (Effective immediately) • Breach notification (for unsecured PHI) • You are required to notify each individual affected by a security breach…

  43. Information Security: HIPAA/HITECH Update • Breach Notification • Notify affected individuals without "unreasonable delay," and no later than 60 days after discovery of the breach • Notice by letter, or by e-mail if the individual has indicated that preference • Website posting • If more than 500 individuals in a state are affected, also notify "prominent media outlets" • Notify HHS, which lists reported breaches on its website

  44. Information Security: HIPAA/HITECH Update "Unsecured PHR identifiable information": identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary's guidance.

  45. HITECH Act (encryption and destruction) Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: • Encryption • Destruction

  46. Information Security: PCI DSS Payment Card Industry Data Security Standards

  47. Information Security: PCI DSS • Payment Card Industry Data Security Standard (PCI DSS) • Technical and operational requirements • Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS • Consequences of non-compliance: • Large fines • Breach of legal contract • Loss of the ability to accept payments via credit cards

  48. Payment Card Industry Data Security Standard (PCI-DSS) • Annual assessment process required for 100+ business units on OUHSC and Tulsa campuses

  49. Regulations: • What do they all have in common? • Adopt security to minimize risks to Information

  50. Managing Risk (second presenter, Bryan, starts here) • Managing Risk
