
AMC Security and Privacy Conference: Daily Track Report



Presentation Transcript


  1. AMC Security and Privacy Conference: Daily Track Report
     For the Futures Track
     Track Co-chairs:
     • Mariann Yeager, myeager@truarx.com, 703-519-0817
     • John Parmigiani, jparmigiani@quickcompliance.net, 410-750-2497

  2. Sessions Being Reported On:
     • Future Uses of Encryption
     • Evolving Security & Privacy Laws & Regulations
     • State Laws & Regulations: Current Trends and Their Implications to AMCs
     • Identity and Access Management

  3. Key Points: Future Uses of Encryption
     • Data in transit (with open/untrusted networks or trading partners) – encryption commonly employed
     • Data at rest – greater risk to data, but also greater risk in implementing encryption (key management, training, etc.). No single solution/approach evident (Windows EFS, PGP, etc.)
     • E-mail issues still unresolved
     • Physician-patient portals are alternative
     • No single solution/approach evident – still in progress
     • User issues – cultural, behavioral are biggest challenge

  4. Key Instant Poll Results
     • Polled item:
        • Even though encryption is now an addressable implementation specification, will the need to protect ePHI make it a mandatory requirement in your AMC?
     • Poll results:
        • Majority – Agree
        • 7 Strongly Agree
     • Key observation:
        • Risks to ePHI necessitate additional protections and warrant some form of implementation of encryption
        • Informal poll – most institutions (approx. 75%) use encryption in some form (e-mail or data) today

  5. Follow ups
     • Further explore encryption strategies – with particular emphasis on e-mail, data at rest and portable devices

  6. Key Points: Evolving Security & Privacy Laws & Regulations
     • States taking lead in strong enforcement (e.g. CA, NC, etc.) as opposed to HHS
     • FTC Rules have teeth with security breaches (e.g. Eli Lilly, BJs, Petco)
     • Managing Risk of FDA Devices – patching issues and approaches
     • Focus – to protect against identity theft
     • New driver – security breach notification
     • PR implications often more critical than enforcement penalties
     • Identity Theft Resource Center lists 19 Academic centers as representing >50% of the breaches. Top 100 list.

  7. Key Instant Poll Results
     • Polled item: Have you found the direction and trends discussed here to be also what you are experiencing at your institution?
     • Poll results:
        • Neither agree nor disagree: 1
        • Agree: 6
        • Strongly agree: 16
     • Key observation: Need for centralized management of all regulatory compliance to tie security and privacy initiatives together

  8. Follow ups
     • Strategies require further discussion
     • For more information regarding incidents:
        • Privacyrights.org
        • Identity Theft Resource Center

  9. Key Points: State Laws & Regulations: Current Trends and Their Implications to AMCs
     • Terminology conflicts between state and federal laws for privacy and security
     • Lots of confusion / ambiguity even within state
     • Preemption issues are embedded within obscure state laws/regulations
     • Federal laws/regs (e.g. HIPAA, SOX, GLBA, etc.) becoming standard of care used in state law actions
        • (Implied contract, Invasion of privacy, Intentional infliction of emotional, Negligence)
        • Could be used to create state-level right to action

  10. Key Instant Poll Results
     • Polled item:
        • My AMC is concerned about future state laws related to information security and privacy
     • Poll results:
        • Seasoned group (2+ years in their position)
        • Neutral feedback – some concerned, some not as much
     • Key observation:
        • Have AMCs done exhaustive preemption analysis that touches all state laws?
        • Nobody is fully compliant with either HIPAA and/or state laws concerning privacy and security

  11. Follow ups
     • Further work needed to explore issues around state preemption

  12. Key Points: Identity and Access Management
     • Identity management is more process than technology
     • Challenge of diverse and fluctuating populations at AMC
     • Important to establish “rules of engagement” within your AMC and when interacting with other institutions
     • Federated identity approach
        • I2 Middleware – Shibboleth
        • Can healthcare implement this effectively?

  13. Key Instant Poll Results
     • Polled item: Is your institution involved in an IAM initiative?
     • Poll results:
        • 2 considering it
        • 4 budgeted for it
        • 2 actively implementing
        • 1 implemented, but still working on it
     • Key observation:
        • IAM is in early stages at most institutions – although great progress is being made
        • Driver is not identity management per se, but to efficiently gain access to critical information

  14. Follow ups
     • Demonstration projects at AMCs
     • More education needed regarding IAM
     • Resources
        • www.nmi-edit.org – National Science Foundation Middleware Initiatives
        • www.incommonfederation.org
        • www.Inqueue.internet2.edu
        • www.shibboleth.internet2.edu
