1 / 15

HIPAA Security Rule Overview and Compliance Program

HIPAA Security Rule Overview and Compliance Program. Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager. The Hospital June 23 rd , 2012. Introduction.

tien
Télécharger la présentation

HIPAA Security Rule Overview and Compliance Program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Security RuleOverview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June 23rd, 2012

  2. Introduction • People’s Hospital has made a significant Financial and Human Resources investment to achieve HIPAA Security Rule Compliance • Healthcare delivery is undergoing significant changes in the regulatory environment as well as creation, access and uses of digital data and information • To ensure a trusted and growing relationship with the community we service, as well as to attract the leading clinical staff, the best evidence based toolsets must be available • This dynamic landscape of highly credentialed staff, delivering world class evidence based medicine, with emerging digital tools, mandates a HIPAA Security Rule program based on a continuously improving model

  3. HIPAA Security Rules Principles • Confidentiality - ePHI shall not be exposed to individuals without appropriate authorization (Access Control – Encryption – Data Loss Prevention) • Integrity - Intentional unauthorized and unintentional unauthorized modification to ePHI must not occur (Access Control – Integrity Checking, Constrained User Interfaces, Two-Factor Authentication) • Availability - ePHI data shall be available to authorized individuals when and where it is required to support the delivery of evidence based medicine (High Availability, Disaster Recovery, Continuity of Business, Data Back-Up)

  4. HIPAA Security Rules Highlights • HIPAA Privacy vs HIPAA Security Rules • Administrative Safeguard, Technical Safeguard, Physical Safeguard • Required Attributes vs Addressable Attributes • Non-Prescriptive to aid in adoption of new technologies, flexibility to support various organizational structures and foster alternatives to fulfilling desired outcomes • Business Partners interacting with ePHI classified as Covered Entity

  5. Impact on People’s Hospital - Lose of HIPAA Security Rule Non-Compliance • Unrealized gains from investments in achieving HIPAA Security Rule Compliance • Security Breaches • Social and Emotional Impact to Patient • Revenue Downturn to People’s Hospital • Lose of Patient Trust • Regulatory Fines • Civil Litigation from Patients • Civil Litigation form Business Partners • Criminal Litigation

  6. HIPAA Security Rule Operationalized HIPAA Security Rules People’s Hospital General Policies Clinical Unit Specific Policies Best Practice-Guidelines Minimum Controls for Security Device Standards Instructional Level Processes

  7. HIPAA Security Rule Risk Management Program Cycle Assess Risk and Determine Needs Implement Policies and Controls Central Management Monitor and Evaluate Promote Awareness

  8. Assess Risk and Determine Needs • Inventory of Systems - Flow of ePHI through Systems • Inventory of Business Partners accessing, generating or updating ePHI • Identify Owners of Systems and Data • Identify System and Data Custodians • Identify and Quantify Risk • Target HIPAA Compliance budget into Programs as directed by Board, based on formal risk management protocol • Do not forget about Physical access to areas hosting ePHI data

  9. Risk Management • Risk Must be Identified • Risk Avoidance • Risk Transference • Risk Mitigation • Risk Acceptance

  10. Monitor and Evaluate • Develop metrics for HIPAA Security Rule Compliance • Ensure methods are in place to capture and analyze HIPAA Security Rule Compliance metrics • Governance over Business Partners classified as covered entities, based on metrics • Audit Processes, Systems and Device Configurations • Vulnerability Testing of COT and Custom applications and devices • Remediate Systems based on audit and testing • Keep updates on regulatory and industry practices as it relates to HIPAA • Update General and Functional Polices as required • External / Third Party Audit

  11. Workforce Development • Awareness - General awareness related to Patient Privacy to all members of People’s Hospital such as awareness days, posters, password policies etc • Training - Training specifically focused on IT Technical Team and other members • as well as organizational specific training related to pharmacy, nursing, • Radiology etc. • Education - Formal Education on HIPAA Compliance Auditing and Security Management for People’s Hospital HIPAA Security Team

  12. Implement Policies and Controls • Formal Policy Development Process • Policies shall be high level • Policies shall be documented • Policies should be reviewed • Formal Review / Exception Process for Non-Compliance • Ramification for Non-Compliance without formal review and approval

  13. Summary • Security Policies • Controls • Metric based Audits • Governance • Risk Management • Leadership Support • Continuous Awareness, Training and Education • HIPAA Security Compliance requires a Continuously Improving Program, not a singular project or event.

  14. Thank you

  15. References: Health Insurance Reform: Security Standards; Final Rule. 45 CFR Parts 160, 162, and 164 (2003). Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf Kibbe, D. (2005). 10 steps to HIPAA security compliance. Family Practice Management. 12(4). Pp (43-49) Retrieved from: http://www.aafp.org/fpm/2005/0400/p43.html Bowen, P., Hash, J., & Wilson, M.. (2006). Information Security Handbook: A Guide for Managers Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-100 http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf Tipton, H. F. (2010). Official (isc)2 guide to the cissp cbk, second edition. Boca Raton: Auerbach Publications. Security Officers Management & Analysis Project http://www.somap.org/

More Related