The HIPAA Security Rule: Yes, It's Your Problem


An overview of the HIPAA Security Rule for office managers, receptionists, doctors, physicians, and IT professionals. Need to get HIPAA compliant?

Learn more here: www.securitymetrics.com/sm/pub/hipaa/overview

  • Comment from Bill: The message on the image seems very condescending to doctors. Am I reading that wrong?

The HIPAA Security Rule: Yes, It's Your Problem Presentation Transcript

  • 1. The HIPAA Security Rule: Yes, It's Your Problem
    An overview for office administrators, receptionists, doctors, and IT professionals
  • 2. About Us
    • SecurityMetrics
      – Regulatory security compliance assessments and consulting
      – Digital forensics & penetration testing
      – Regulatory compliance programs (validation, tracking, training, support)
      – Helped over 1 million small to large entities manage security compliance
  • 3. Scenario
    • Office managers/receptionists access Facebook, personal email, etc.
    • Accessed on the same computer as patient records
    • All it takes is a single click on a malicious link and a key logger is installed
    • The key logger listens for any sensitive data
  • 4. The Looming Problem
    • "I'm already doing HIPAA."
    • "I don't have the time or budget for this."
    • "My affiliates take care of HIPAA."
  • 5. The Unfortunate Reality
    • Small covered entity (SCE) merchant processor, EHR vendor, IT specialists:
      – Don't fulfill HIPAA requirements for a business
      – Won't pay for a compromise
      – Don't suffer brand damage if a business is compromised
    • Risk and liability rest entirely upon the SCE
  • 6. Why Would Anyone Steal From Me?
    • "My business isn't large or important enough for a criminal to steal from!"
    • Actually... hackers go after smaller entities because they spend fewer resources on beefing up security
    • Criminals steal from entities they know won't catch them
  • 7. HIPAA Fines
    [Chart of HIPAA fines; source: U.S. Dept. of Health and Human Services]
  • 8. Privacy vs. Security
    • Healthcare entities haven't separated Security/Privacy regulation, and leave many Security Rule regulations unfulfilled
    • Privacy Rule compliance doesn't extend to the Security Rule
    • To be truly HIPAA compliant, you must comply with BOTH aspects.
  • 9. The HIPAA Privacy Rule
    • Federally protects health information and patient rights from unauthorized disclosure
    • Written policy procedures must include safeguards for administration of PHI, electronic health information (ePHI), physical security, etc.
    • Implemented in the healthcare industry in 1996
    • Healthcare entities are well-trained and understand the Privacy Rule
  • 10. The HIPAA Security Rule
    • Requires covered entities, business associates, and subcontractors to protect ePHI
    • Implemented 2003-2005
    • HITECH Act 2009: increased the legal liability of non-compliance
    • Completely separate from the Privacy Rule
  • 11. Security Rule Implementation Examples
    • As per HIPAA regulations:
      – Passwords must be changed every 90 days
      – Substantially different from the last password
      – Contain 6 characters (min.)
      – Can't use dictionary words, slang, or proper names
      – Each user must use a different username and password
    • As per HIPAA regulations:
      – CE must protect electronic networks with WPA2
      – WEP must never be used
    • Are you implementing these policies?
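The password rules from slide 11 turned into a small policy checker, as an added example that is not part of the presentation or SecurityMetrics' own tooling. The stand-in wordlist, the edit-distance threshold used to judge "substantially different", and the sample accounts are constructed assumptions; the slide's wireless point (WPA2, never WEP) is a configuration matter and is not covered here.

```python
# Checks for the password rules listed on slide 11. Added example, not the
# presentation's own code. BANNED_WORDS, MIN_DISTANCE and the sample accounts
# are constructed assumptions; the slide gives no edit-distance threshold.
from datetime import date, timedelta
from typing import Dict, List, Optional

MIN_LENGTH = 6          # slide: "Contain 6 characters (min.)"
MAX_AGE_DAYS = 90       # slide: "changed every 90 days"
MIN_DISTANCE = 4        # assumption: edits needed to count as "substantially different"
# Constructed stand-in for a real dictionary / slang / proper-name list.
BANNED_WORDS = {"password", "welcome", "clinic", "doctor", "summer", "smith"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the policy violations for a candidate password; empty list means OK."""
    problems = []
    low = new.lower()
    if len(new) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if any(word in low for word in BANNED_WORDS):
        problems.append("contains a dictionary word, slang term or proper name")
    if old is not None and levenshtein(low, old.lower()) < MIN_DISTANCE:
        problems.append("not substantially different from the previous password")
    return problems


def rotation_due(last_changed: str, today: str) -> bool:
    """True once a password (dates as ISO strings) is older than the 90-day window."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


def shared_accounts(accounts: Dict[str, str]) -> List[str]:
    """Usernames assigned to more than one person (the rule wants one login each)."""
    owners: Dict[str, List[str]] = {}
    for person, username in accounts.items():
        owners.setdefault(username, []).append(person)
    return sorted(u for u, people in owners.items() if len(people) > 1)
```

Run `check_password("Clinic2013!", old="Clinic2012!")` to see the two most common failures at once: a guessable word and a one-character change from the previous password.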
  • 12. Policy vs. Implementation
    • Common to conflate HIPAA policies and implementation
    • Healthcare religiously generates Privacy Rule policies, but few implement the principles
    • A policy doesn't cover a business from compromise, but through implementation you stand a fair chance against data thieves
  • 13. Best Practices: Find Help
    • Acknowledge that you (or your IT specialist) don't have the training/time to pursue true HIPAA compliance
    • Find a provider to guide you
      – Caution: many HIPAA vendors don't care about policy implementation because it increases their costs. Ensure your provider leads you through policy implementation.
  • 14. Best Practices: Who's In Charge?
    • Identify who holds the assigned HIPAA Security Rule responsibility
    • If you don't have someone, assign a HIPAA Security ambassador
  • 15. Best Practices: What's Your Budget?
    • Determine implementation budget:
      – Weigh ROI against a custom loss estimate
      – This will tell you how much a breach would cost your organization.
    • Use the NIST risk calculation worksheet:
      – http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
  • 16. Best Practices: Record
    • Review current policy and procedure documentation
    • Take a record of which policies you currently implement
    • Which policies pertain to Privacy and which pertain to Security?
  • 17. Best Practices: Don't Assume
    • Don't assume new technology is secure
      – "But the package says it's a safe product!"
      – "But everyone says it's invincible to viruses!"
      – "But the salesman at the HIPAA trade show says it follows HIPAA standards!"
    • You can't believe what you read in marketing materials, or what people tell you about the security of a product or technology.
    • Counsel with your HIPAA advisor to learn how to safely implement new technology
  • 18. Best Practices: Where Are The Gaps?
    • Discover current security gaps
      – Get a HIPAA audit
      – Easiest, most thorough way to discover gaps
    • Take action
      – Come up with a plan to remediate gaps
  • 19. The True Cost
    • How expensive is implementation when compared to the cost of compromise?
    • Are you willing to sacrifice patient trust?
  • 20. Sound Familiar?
    • "If you want a healthy body, you have two choices"
      – Diet, exercise, healthy foods now (inexpensive)
      – Hospital, surgery, personal trainer later (expensive)
    • Identical to HIPAA
    • "If you want to be secure, you have two choices"
      – Take necessary security precautions now (inexpensive)
      – Pay for forensic investigations, auditing, fines later (expensive)
  • 21. Contact Us
    HIPAA Compliance Team
    877.364.9183 | hipaa@securitymetrics.com