Defending Data in Healthcare: Securing Private Information to Ensure Ironclad HIPAA Compliance

© Copyright 2011 Axis Technology, LLC
Agenda

- Non-Compliance - Potential Consequences
- How to Know Exactly Where your Sensitive Data is and Identify Where the Real Risks Are
- Protecting Data from External Threats
- Securing Data from Improper Internal Access
- Protecting PHI When Business Associates Are Involved
- The Impact of Bring Your Own Device ("BYOD")
Compliance is important but expensive... Until Now

The Guard Compliance Tracking Solution
- EASY Self Audit Questionnaires
- Gap Identification Reporting
- Remediation Management
- Policy and Procedure Templates
- Unlimited Number of Patients, Employees and Associates
- Document and Version Control Management
- Highly Secure
- No IT integration - Web Based Solution

Become Compliant in 60 Days!
Attest for HITECH, and Satisfy Meaningful Use Core Measure 15

To find out more or start a FREE 30 Day evaluation:
Visit www.compliancy-group.com
(855) 85 HIPAA or (855) 854-4722
NON-COMPLIANCE - POTENTIAL CONSEQUENCES

Overview of Breach Reports
- Data breaches increased by 32% in 2011
- 380 large breaches between September 2009 and October 2011
- Over 30,000 small breaches in the same period
- Over 18 million affected records
- Breaches by Industry: [chart: Threats by Industry, 2011]

Source: Ponemon Institute 2011 & Symantec Annual Threat Report 2011
Large Breaches

Cause of Breach (Large Breach Count), Sept. 2009 to Dec. 2011:

  Cause                             Count   Share
  Theft                               196     52%
  Unauthorized Access/Disclosure       75     20%
  Loss                                 55     14%
  Hacking/IT Incident                  26      7%
  Improper Disposal                    20      5%
  Unknown                               6      2%
  Other                                 1      0%

Cause of Breach (Affected Individuals), Sept. 2009 to Dec. 2011:

  Cause                           Individuals   Share
  Loss                              7,291,355     40%
  Theft                             6,755,205     37%
  Unknown                           1,911,160     11%
  Unauthorized Access/Disclosure      857,939      5%
  Hacking/IT Incident                 750,195      4%
  Other                               344,579      2%
  Improper Disposal                   149,398      1%

Theft, Unauthorized Access / Disclosure and Loss make up 86% of the sources of Large Breaches. 77% of affected individuals experience some type of loss or theft.
Compliance is increasingly an issue
The number of HIPAA Privacy Rule compliance and enforcement complaints has continually increased over the years.[1]

Privacy and Security Officer Concerns:
- What PHI is contained within the enterprise?
- What PHI is provided to other organizations?

[1] Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
Is HIPAA Compliance Enough?
- In addition to HIPAA, there are also a multitude of other laws enacted to govern data privacy, including state laws such as Massachusetts 201 CMR 17.
- Core Objectives for Stage 1 of Meaningful Use include utilization of Electronic Health Records.
- Although not a government regulation, the Payment Card Industry (PCI) Data Security Standard is a specific industry security standard that applies to the use and storage of credit/debit card information.
- For Multi-Nationals, there are additional concerns such as the proposed European Union Data Privacy Regulation.
Breaches Happen
In the event of a breach, costs to your organization will quickly start to mount up. The FULL cost of a breach can include one or more of the following:
- Notifying patients,
- Investigating and controlling the breach,
- Potential litigation and fines,
- Intangible costs associated with:
  - Damage to your brand,
  - Loss of customers,
  - Decline in value, and
  - Reputation Management
Compliance Requires Planning
Achieving compliance with HIPAA and other regulations requires a coordinated effort.

The first step is to establish an overall outline of risks and controls. This is commonly known as Enterprise Governance, Risk and Compliance.
- Develop a Risk Framework to measure the maturity of risk Control Items.
- Some examples of Control Item categories include:
  - Sensitive Data Inventory
  - Vulnerability assessment
  - Entitlements Management
  - Data Loss Detection / Prevention
  - Data Governance
HOW TO KNOW EXACTLY WHERE YOUR SENSITIVE DATA IS & IDENTIFY WHERE THE REAL RISKS ARE


Identifying Location of Sensitive Data

Which Data Requires Protection?

PHI Data
Healthcare and Pharmaceutical - required to secure PHI per HIPAA:
- Names
- Geographic subdivisions smaller than a State
- All elements of dates (except year) for dates directly related to an individual
- Telephone / Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/License numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying information.
Companies with customers in MA: per MGL 93H.
All organizations must follow their state privacy laws, similar to Senate Bill No 1386, State of California.

Employee Data
Healthcare and Pharmaceutical - required to secure PHI per HIPAA. All organizations must follow their state privacy laws, similar to Senate Bill No 1386, State of California.
- Employee or Corporate ID
- Salary, Benefits
- HR status (termination, personnel issues)
- Family data
- Manager information
- Cost Center data

Company Data
Companies required to follow the Gramm-Leach-Bliley Financial Services Modernization Act (1999); companies required to follow the Sarbanes-Oxley Act (2002); multi-nationals face requirements including:
- CANADA: Jan 2005, Personal Information Protection and Electronic Documents Act
- JAPAN: Apr 2005, Personal Information Protection Law
- FRANCE: Oct 2005, Computing and Liberties Act
Data elements:
- Vendor Data
- Security Identifiers: CUSIP, ISIN, SEDOL
- Other Identifiers: NAV, type of Security, Name, Number, Symbol
- Activity: Account balances, transactions, trade date
- Financials: Price, quantity, legal fees, vendor payments
- Assets/holdings
- Comment fields
- Trade dates
Major Threat Areas

Vulnerabilities can exist in many areas of our environment.

To be compliant with HIPAA, covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access (164.312(a)(1)).

[Diagram of a typical environment: external users, firewall, load balancer, web server, app server, ERP, databases, backups, file servers, internal users and privileged users, with numbered threat points 1-6 corresponding to the list below.]

Type of threat:
1. External users / Hackers
2. Internal users
3. Files/web servers
4. Administrators/DBAs/developers
5. Database vulnerability
6. Data backup

Insider threats are a concern: Forrester estimates that 75% of threats come from insiders and that 60% of internal breaches are undetected.
PROTECTING DATA FROM EXTERNAL AND INTERNAL THREATS

Protecting data from threats

Threat Deterrence

External Threats:
- Physical Security
- Encryption
- Cyber Attack Prevention
- Reducing Instances of PHI

Internal Threats:
- Physical Security
- Encryption
- Entitlements Management
- Restricting Access to PHI
Protecting data from threats

Physical Security

External Threats:
- Ensuring access to facilities is carefully managed.
- The process for destruction of documents should be clear and workable within the working environment of the staff.
- Asset controls which include documentation of asset retirement or destruction should be implemented.

Internal Threats:
- Ensuring access to areas where PHI is handled by only those who must have access to that data.
- Clean Desk policies need to be implemented.
- Clearly marked locked bins to house documents to be shredded are important.
Protecting data from threats

Encryption
Any devices housing sensitive data should utilize encryption.
- If the device falls into the wrong hands or is hacked, this will provide security from less sophisticated threats and buy time from more sophisticated ones.
- Prevents unauthorized access by Internal Staff and Business Associates.

- Data at Rest: Structured and Unstructured Data
- Data in Motion: E-mails and File Transfers
- Performance Impacts: From 3% and up to 30%
- Key Management: Administration and Operations Overhead
  - For thousands of servers
  - Legacy Systems
- Auditing and Reporting
Protecting data from threats

DLP
- oversee movement of data.
- Discover and monitor the location and flow of sensitive data
- Enforce controls to prevent loss of sensitive data through email, the internet and devices that are used.
- A central reporting engine for policy creation and management.
- Out of the box support for HIPAA and other regulations.
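As an added example, not taken from the deck or from Axis Technology's material, the Python script below shows what "discover the location of sensitive data" and "enforce controls" from the DLP slide look like in code, using the identifier types from the "Identifying Location of Sensitive Data" list (SSN, e-mail, telephone, IP address, medical record number, dates). The sample lines, the 8-digit MRN format, and the block/allow policy are constructed assumptions. The SSN check applies the issuance rules (no 000/666/9xx area, no 00 group, no 0000 serial) so that obviously invalid numbers do not trigger a block, which is the main source of false positives in regex-only scanners.

```python
import re
from collections import Counter

# Constructed sample: three lines as they might appear in an outbound
# e-mail body or a file-share export. Fictitious values only.
SAMPLE_TEXT = """\
Patient John Doe, MRN 00451233, DOB 1971-03-14, SSN 123-45-6789
Contact: jdoe@example.com, (617) 555-0142, seen at 10.0.12.7
Invoice 2011-0099 total 43.50 USD, reference SSN 000-12-3456 (invalid)
"""

# One pattern per identifier type. The "MRN" prefix and 8-digit width
# are an assumption about this organisation's numbering scheme.
PATTERNS = {
    "ssn":   re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn":   re.compile(r"\bMRN\s?(\d{8})\b"),
    "date":  re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues; cuts regex false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def plausible_ipv4(text):
    """Every dotted octet must be 0-255."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))

def scan_text(text):
    """Return (line_no, kind, matched_text) for every plausible identifier."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "ssn" and not plausible_ssn(*m.groups()):
                    continue
                if kind == "ipv4" and not plausible_ipv4(m.group(0)):
                    continue
                findings.append((line_no, kind, m.group(0)))
    return findings

def summarize(findings):
    """Hit count per identifier type, the shape a DLP report wants."""
    return dict(Counter(kind for _, kind, _ in findings))

def policy_decision(findings, block_kinds=("ssn", "mrn")):
    """Constructed DLP rule: block the transfer when a directly
    identifying number (SSN or MRN) is present; otherwise allow."""
    return "BLOCK" if any(k in block_kinds for _, k, _ in findings) else "ALLOW"

if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT)
    for line_no, kind, text in hits:
        print(f"line {line_no}: {kind:5} {text}")
    print(summarize(hits), policy_decision(hits))
```

Names are deliberately absent from the pattern table: "John Doe" needs a dictionary or named-entity recognition, not a regular expression, which is one reason DLP products ship with HIPAA-specific dictionaries rather than regexes alone.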
Protecting data from external threats

Cyber Attack Prevention
- Defending against Advanced Persistent Threats
- Anomaly detection and prevention
- Detect Intruders in real time
- Detailed model of network topology, access paths, and threats.
- What-if analysis predicts risk behavior and business impact
- Achieve compliance with cyber security regulations such as NIST, NERC CIP, FISMA
- Cyber Security Audits:
  - Cyber attack simulation, defenses against malware and penetration tests
  - Threat and vulnerability analysis
  - System security integration, definition of security measures and counter-measures
  - Inventories of authorized and unauthorized hardware and software
  - Secure configurations for hardware, software, wireless and network security devices
  - Controlled access and administrative privileges
- Verifying the Security of your Business Associates
Protecting data from internal threats

Entitlements Management
- Understanding who has access to what.
- Ensuring that meaningful entitlements reviews are conducted periodically.
- Ensuring that processes for managing entitlements are appropriate.
- Significant privacy risk exposure exists with entitlements that do not conform to security policies, regulations, and/or best practices within and across the environment.
- Enterprise Entitlement Solutions typically include separate mainframe, application specific and LDAP based solutions.
  - Reviewing for Toxic Combinations.
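The periodic entitlements review described above, written out as an added Python example (not code from the deck or from Axis Technology). The entitlement export, the toxic pairs, the privileged role and the approval record are all constructed assumptions; a real review would pull these from the mainframe, application and LDAP sources the slide mentions. Three checks run over one export: separation-of-duties pairs held by one person (the "toxic combinations"), terminated staff who still hold access (the HR status from the Employee Data slide), and privileged entitlements with no approval on file.

```python
from itertools import combinations

# Constructed entitlement export: user -> HR status and set of entitlements.
ENTITLEMENTS = {
    "asmith": {"status": "active",     "roles": {"CLAIMS_ENTRY", "CLAIMS_APPROVE"}},
    "bjones": {"status": "active",     "roles": {"PHI_READ"}},
    "cwu":    {"status": "terminated", "roles": {"PHI_READ", "DBA_PROD"}},
    "dlee":   {"status": "active",     "roles": {"DBA_PROD", "APP_DEVELOPER"}},
    "eroy":   {"status": "active",     "roles": set()},
}

# Separation-of-duties pairs that one person must never hold together
# (assumed policy values).
TOXIC_PAIRS = {
    frozenset({"CLAIMS_ENTRY", "CLAIMS_APPROVE"}),   # enter and approve own claims
    frozenset({"DBA_PROD", "APP_DEVELOPER"}),        # develop and administer prod
}

# Entitlements that require a recorded approver (assumed).
PRIVILEGED = {"DBA_PROD"}

# (user, entitlement) pairs with an approval on file (assumed).
APPROVALS = {("dlee", "DBA_PROD")}

def toxic_combinations(entitlements, toxic_pairs):
    """Flag any user holding both halves of a toxic pair."""
    findings = []
    for user, rec in entitlements.items():
        for a, b in combinations(sorted(rec["roles"]), 2):
            if frozenset((a, b)) in toxic_pairs:
                findings.append((user, "toxic_combination", f"{a}+{b}"))
    return findings

def orphaned_access(entitlements):
    """Terminated staff who still hold any entitlement."""
    return [(user, "terminated_with_access", ",".join(sorted(rec["roles"])))
            for user, rec in entitlements.items()
            if rec["status"] == "terminated" and rec["roles"]]

def unapproved_privileged(entitlements, privileged, approvals):
    """Privileged entitlements with no approval record."""
    return [(user, "privileged_without_approval", role)
            for user, rec in entitlements.items()
            for role in sorted(rec["roles"] & privileged)
            if (user, role) not in approvals]

def review(entitlements=ENTITLEMENTS, toxic_pairs=TOXIC_PAIRS,
           privileged=PRIVILEGED, approvals=APPROVALS):
    """Run all three checks and return findings sorted for a report."""
    findings = (toxic_combinations(entitlements, toxic_pairs)
                + orphaned_access(entitlements)
                + unapproved_privileged(entitlements, privileged, approvals))
    return sorted(findings)

if __name__ == "__main__":
    for user, issue, detail in review():
        print(f"{user:8} {issue:28} {detail}")
```

Each finding carries the user, the check that fired and the offending entitlements, so the same output can feed a remediation ticket per user rather than one large spreadsheet. The user with no entitlements at all produces nothing, which is the expected outcome rather than a gap.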
Protecting data from external threats

Reducing Instances of PHI
PHI may exist in more environments than you realize. Copies may exist for testing purposes as well as sharing with third parties. So you are really protecting an environment that looks like:
[Diagram: the production environment shown earlier (external users, firewall, load balancer, web server, app server, ERP, databases, file servers, internal users and privileged users, threat points 1-5) is repeated for each copy of the data: Live - Production, QA Testing and UAT Testing.]


                                               Load                                                                                                                                                                                                                                    Privileged users
                                               balancer                                                                                                                                                            Internal users                               3                                                         6
                                                                    Web
                                                                    server           App                            Databases                                                                                                                                                    4
                                                                                                                                                                                                                File
                                                                                     server   ERP                                                                                                               server
                                                                                                                                                                                                                                                                                                                  Backups

                                                                             3                                            6                                      External
                                                                                                                                                                 users
                                                                                                                                                                                                                                                                        File
                                                                                                                                                                                                                                                                        server




                                                                                                                                                                                    Firewall
                                                                                                                  Backups

                                                                                                                                                           1
                                                                                                                                                                                                                                                                                                   5

                                                                                                                                                                                                        Load
                                                                                                                                                                                                        balancer
                                                                                                                                                                                                                               Web

                                                                                                                                                                                                            2
                                                                                                                                                                                                                               server               App
                                                                                                                                                                                                                                                    server              ERP
                                                                                                                                                                                                                                                                                                Databases


                                                                                                                                                                                                                                        3                                                              6
                                                                                                                                                                                                                                                     Privileged users
                                                                                                                                                                          Internal users


                         Copies  of  PHI  may  exist  in                                                                                                             File
                                                                                                                                                                     server
                                                                                                                                                                                                                                                4
                                                                                                                                                                                                                                                                                              Backups


                         multiple  locations  in  your                                                                               External
                                                                                                                                     users
                                                                                                                                                                                                                                    File

                         environment.                                                                                                                                                                                               server




                                                                                                                                                Firewall
                         Each  of  these  locations  is  a                                                                      1
                                                                                                                                                                                                                                                                    5

                         potential  target  from  external                                                                                                     Load
                                                                                                                                                               balancer
                                                                                                                                                                                               Web

                         sources  and  needs  to  be                                                                                                                                           server              App
                                                                                                                                                                                                                   server           ERP
                                                                                                                                                                                                                                                                Databases



                         protected.                                                                                                                                                                     3                                                               6



                         De-­‐identification  technology  can                                                                                                                                                                                                Backups



                         be  used  in  these  environments.  
Lesson 1: Protecting data from internal threats
You should be less concerned with:
And more concerned with:




Restricting Access to PHI
For exchange of data with business associates or other third parties, all data going to them should be de-identified where permissible.
For purposes of internal testing by our own employees and contracted business associates, de-identification is a must.
PHI that appears in System and Database Logs under review should be de-identified.
Aggregation and analytics are good candidates for de-identified data.
Live production reports and user interfaces should be reviewed to determine where de-identified data can be substituted.
HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
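One way to apply the masking, obfuscation and redaction the slides call for to a record destined for internal testing and to database log lines under review, as an added example that is not code from the original presentation or from Axis Technology's DMsuite. The field names, regular expressions, key and sample data are all constructed assumptions.

```python
"""De-identify PHI in structured records and free-text log lines.

Added example, not code from the original presentation or from Axis
Technology: it illustrates the "masked, obfuscated, redacted" handling the
slides recommend for logs, test data and analytics. Field names, patterns,
key and sample data are constructed for this illustration.
"""
import hashlib
import hmac
import re

# Key for consistent pseudonyms. In a real deployment it comes from a key
# store and is never checked in; this value is a constructed placeholder.
PSEUDONYM_KEY = b"placeholder-key-from-key-store"

# Identifier patterns that commonly leak into log output (constructed).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
# Only labelled values are treated as MRN / DOB, so that log timestamps
# such as "2011-10-03 14:22:01" are left intact.
MRN_RE = re.compile(r"\bMRN[:=]\s*(\d+)")
DOB_RE = re.compile(r"\bDOB[:=]\s*(\d{4})-\d{2}-\d{2}")


def pseudonym(value: str, prefix: str) -> str:
    """Keyed hash of an identifier. The same input always yields the same
    token, so de-identified records can still be joined for aggregation and
    analytics, but the original value cannot be recovered without the key."""
    normalised = value.strip().lower().encode()
    digest = hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def deidentify_record(rec: dict) -> dict:
    """Apply a per-field strategy to one structured patient record."""
    out = {}
    for field, value in rec.items():
        if field in ("name", "mrn"):
            # Consistent token: keeps joins and duplicate detection working.
            out[field] = pseudonym(value, field.upper())
        elif field in ("ssn", "phone", "email", "address"):
            # Direct identifiers with no analytic value: remove outright.
            out[field] = "[REDACTED]"
        elif field == "dob":
            # Generalise the date of birth to the year only.
            out[field] = value[:4]
        else:
            # Clinical fields are kept; they are what testing and analytics need.
            out[field] = value
    return out


def scrub_log_line(line: str) -> str:
    """Mask identifiers embedded in free-text log output."""
    line = SSN_RE.sub("[SSN]", line)
    line = PHONE_RE.sub("[PHONE]", line)
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = DOB_RE.sub(lambda m: "DOB=" + m.group(1) + "-XX-XX", line)
    line = MRN_RE.sub(lambda m: "MRN=" + pseudonym(m.group(1), "MRN"), line)
    return line


def contains_phi(text: str) -> bool:
    """Post-check: does any known identifier pattern remain in the text?"""
    return any(p.search(text) for p in (SSN_RE, PHONE_RE, EMAIL_RE, MRN_RE, DOB_RE))


def deidentify_log(lines: list) -> list:
    """Scrub every line and refuse to return output that still carries PHI."""
    scrubbed = [scrub_log_line(line) for line in lines]
    leaked = [line for line in scrubbed if contains_phi(line)]
    if leaked:
        raise ValueError(f"PHI survived scrubbing: {leaked}")
    return scrubbed


# Constructed sample data; not real patient information.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00042",
    "ssn": "123-45-6789",
    "dob": "1950-07-14",
    "email": "jane.sample@example.org",
    "diagnosis_code": "E11.9",
}
SAMPLE_LOG = [
    "2011-10-03 14:22:01 INFO  lookup MRN=00042 DOB=1950-07-14 ok",
    "2011-10-03 14:22:05 WARN  callback to 617-555-0100 failed for jane.sample@example.org",
    "2011-10-03 14:22:09 ERROR ssn 123-45-6789 rejected by eligibility service",
]

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
    for scrubbed_line in deidentify_log(SAMPLE_LOG):
        print(scrubbed_line)
```

The same MRN token appears in the de-identified record and in the scrubbed log line, which is what lets test data and log review stay linkable without exposing the identifier.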
     
Lesson 1: Protecting data from external threats
You should be less concerned with:
And more concerned with:

Restricting Access to PHI

[Diagram: the Live - Production, UAT Testing and QA Testing environments, each showing external users passing through a firewall and load balancer to a web server, app server, ERP and databases, with file servers and backups reachable by internal users and privileged users; points 1 to 6 mark locations in each environment.]

Exchanges of Data
Internal Testing
System and Database Logs
Aggregation and analytics
Reports and User Interfaces
De-identification technology can be used in these situations.
PROTECTING PHI WHEN BUSINESS ASSOCIATES ARE INVOLVED

Protecting PHI when business associates are involved

Business Associates

The HIPAA Privacy Rule places responsibility for ensuring that Business Associates maintain privacy on the Covered Entity that they are associating with. It requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.

The Office of Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate act with neglect, i.e., with "conscious, intentional failure or reckless indifference to the obligation to comply" with HIPAA requirements. [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]

Minnesota Attorney General brought an enforcement action due to an action by a business associate, Accretive Health, Inc., for an alleged violation under HIPAA using authority under the HITECH Act.

Actions to take:
Have Formal Written Agreements with Business Associates
Minimize PHI that is accessible to Business Associates
Perform Self-Testing which includes your Business Associates.

1 Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
THE IMPACT OF BRING YOUR OWN DEVICE ("BYOD")

BYOD

Understand where sensitive data exists in our environment.
Develop plans to manage the sensitive data that is in our inventory.
Plan for getting to the appropriate level of maturity to safe-guard data.

And who we are doing it for:
Internal Employees
Business Partners / Associates
Clients / Third Parties

Clearly define the scope of what we are trying to do including:
Protecting sensitive data that exists on a mobile device
Providing Secure channels of communication
Minimizing the amount of sensitive data being sent to mobile devices
And doing all this in a cost effective manner

The protection requires a multi-layered approach.
Any sensitive data that resides on the devices should be encrypted.
A DLP solution should be used to manage the communication with endpoints.
Implement the ability to remotely disable devices that are impacted.
Minimize the amount of sensitive data being sent to these devices.
           1Source:   The Department of Health and Human Services: Office of Civil Rights (OCR) Website
 
Risk  Based  Solutions  

Axis has created a set of eGRC related solutions that leverage our overall consulting expertise as well as our DMsuiteTM and product implementation capabilities.

The slide shows these as a layered model; the original figure links successive layers with "Drives" arrows:

   Enterprise Governance, Risk and Compliance
      Strategic Business Processes / Goals
   Enterprise Architecture
      Reference Models, Business Architecture, Application Architecture
   Information Security Architecture
      Regulatory & Corporate Requirements, Environment Maturity Assessment
   Operational Environment
      Data Masking (De-Identification): DMsuiteTM
      Identity / Access Management: Entitlements Management
      Data Management: Data Governance
      Information Security: Sensitive Data Assessment
Data  De-­‐Identification  -­‐  DMsuiteTM  

DMsuite - A robust, proprietary tool that has been deployed at clients for over 8 years with:
   Sensitive Data Discovery - HIPAA Ready Out of the Box,
   Data De-Identification and
   Auditing functionality.
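The three capabilities this slide names, and that the "Data Masking (De-Identification)" box of the Risk Based Solutions diagram refers to, are discovery of sensitive data, de-identification, and auditing. The Python below is an added illustration of what those three steps look like in code; it is example code written for this page, not DMsuite or any Axis product code. The regular expressions (a handful of the Safe Harbor identifier classes the deck lists earlier), the constructed sample notes, the HMAC key and the "deid-job" actor name are all assumptions made for the example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Pattern-based discovery for a few identifier classes from HIPAA's Safe
# Harbor list (SSN, phone, e-mail, dates, medical record numbers).
# These patterns are an assumption made for this example, not DMsuite's rules.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}


def discover_phi(text):
    """Return (category, value) pairs for every identifier found in free text."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def token(category, value, key):
    """Keyed, one-way pseudonym: the same value always maps to the same token,
    so de-identified records can still be joined, but the value cannot be
    recovered without the key (a hypothetical secret held by the de-id service)."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"[{category.upper()}_{digest}]"


def deidentify(text, key):
    """Replace discovered identifiers. Dates keep only the year, which Safe
    Harbor permits; every other identifier becomes a keyed token."""
    hits = discover_phi(text)
    clean = text
    for category, value in hits:
        replacement = value[-4:] if category == "date" else token(category, value, key)
        clean = clean.replace(value, replacement)
    return clean, hits


def audit_entry(record_id, hits, actor="deid-job"):
    """Audit record of what was masked: categories and counts only, never the
    raw values, so the audit trail does not become a second copy of the PHI."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "record_id": record_id,
        "categories_masked": sorted({category for category, _ in hits}),
        "count": len(hits),
    }


# Constructed sample notes; no real patient data.
SAMPLE_RECORDS = [
    {"id": "rec-1",
     "note": "SSN 123-45-6789, MRN 00123456, DOB 03/14/1961; "
             "contact (617) 555-0100 or jdoe@example.com"},
    {"id": "rec-2", "note": "Follow-up for SSN 123-45-6789; no new findings"},
]


def process(records, key):
    """De-identify each record and produce a matching audit trail."""
    cleaned, audit = [], []
    for record in records:
        clean, hits = deidentify(record["note"], key)
        cleaned.append({"id": record["id"], "note": clean})
        audit.append(audit_entry(record["id"], hits))
    return cleaned, audit


if __name__ == "__main__":
    out, log = process(SAMPLE_RECORDS, b"example-key-not-for-production")
    for row, entry in zip(out, log):
        print(row["note"])
        print(entry)
```

Two practical caveats. Pattern matching only finds identifiers with a fixed shape; names, street addresses and dates written out in words (all on the identifier list earlier in the deck) need dictionary or NER-based discovery on top of this. And the keyed token is only as strong as the key: a production pipeline keeps it in a key-management system, not in source, and rotates it per data set where re-identification across sets is not wanted.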
Questions  or  Further  Discussions  


Contact:   Joe Santangelo

Email:     jsantangelo@axistechnologyllc.com
Phone:     (646) 596-2670
Twitter:   @DataPrivacyDude
 
www.AxisTechnologyLLC.com  

Thank  You!  

185 Devonshire Street
Boston, MA 02110
(857) 445-0110

More Related Content

More from Compliancy Group

How to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsHow to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsCompliancy Group
 
Preparing for the unexpected in your medical practice
Preparing for the unexpected in your medical practicePreparing for the unexpected in your medical practice
Preparing for the unexpected in your medical practiceCompliancy Group
 
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...Compliancy Group
 
How to Survive a HIPAA Audit
How to Survive a HIPAA AuditHow to Survive a HIPAA Audit
How to Survive a HIPAA AuditCompliancy Group
 
How to Effectively Negotiate a Business Associate Agreement: What’s Importan...
How to Effectively Negotiate a Business Associate Agreement:  What’s Importan...How to Effectively Negotiate a Business Associate Agreement:  What’s Importan...
How to Effectively Negotiate a Business Associate Agreement: What’s Importan...Compliancy Group
 
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...Compliancy Group
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceCompliancy Group
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeCompliancy Group
 
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINEDHIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINEDCompliancy Group
 
What you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperabilityWhat you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperabilityCompliancy Group
 
Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10Compliancy Group
 
Is Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for AuditingIs Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for AuditingCompliancy Group
 
Business Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance InfographicBusiness Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance InfographicCompliancy Group
 
Surving a HIPAA Audit Infographic
Surving a HIPAA Audit InfographicSurving a HIPAA Audit Infographic
Surving a HIPAA Audit InfographicCompliancy Group
 
Cyber & Privacy Risk Infographic
Cyber & Privacy Risk InfographicCyber & Privacy Risk Infographic
Cyber & Privacy Risk InfographicCompliancy Group
 
Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps Compliancy Group
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Compliancy Group
 
HIPAA Breach: Did You Know?
HIPAA Breach: Did You Know?HIPAA Breach: Did You Know?
HIPAA Breach: Did You Know?Compliancy Group
 
Maintaining HIPAA Compliance with Cloud Based Solutions
Maintaining HIPAA Compliance with Cloud Based SolutionsMaintaining HIPAA Compliance with Cloud Based Solutions
Maintaining HIPAA Compliance with Cloud Based SolutionsCompliancy Group
 

More from Compliancy Group (20)

How to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsHow to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 audits
 
Preparing for the unexpected in your medical practice
Preparing for the unexpected in your medical practicePreparing for the unexpected in your medical practice
Preparing for the unexpected in your medical practice
 
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
 
How to Survive a HIPAA Audit
How to Survive a HIPAA AuditHow to Survive a HIPAA Audit
How to Survive a HIPAA Audit
 
How to Effectively Negotiate a Business Associate Agreement: What’s Importan...
How to Effectively Negotiate a Business Associate Agreement:  What’s Importan...How to Effectively Negotiate a Business Associate Agreement:  What’s Importan...
How to Effectively Negotiate a Business Associate Agreement: What’s Importan...
 
Meaningful Use vs HIPAA
Meaningful Use vs HIPAAMeaningful Use vs HIPAA
Meaningful Use vs HIPAA
 
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA Compliance
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challenge
 
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINEDHIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
 
What you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperabilityWhat you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperability
 
Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10
 
Is Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for AuditingIs Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for Auditing
 
Business Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance InfographicBusiness Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance Infographic
 
Surving a HIPAA Audit Infographic
Surving a HIPAA Audit InfographicSurving a HIPAA Audit Infographic
Surving a HIPAA Audit Infographic
 
Cyber & Privacy Risk Infographic
Cyber & Privacy Risk InfographicCyber & Privacy Risk Infographic
Cyber & Privacy Risk Infographic
 
Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...
 
HIPAA Breach: Did You Know?
HIPAA Breach: Did You Know?HIPAA Breach: Did You Know?
HIPAA Breach: Did You Know?
 
Maintaining HIPAA Compliance with Cloud Based Solutions
Maintaining HIPAA Compliance with Cloud Based SolutionsMaintaining HIPAA Compliance with Cloud Based Solutions
Maintaining HIPAA Compliance with Cloud Based Solutions
 

Recently uploaded

18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 

Recently uploaded (20)

18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 

Defending Data in Healthcare: Securing Private Information to Ensure Ironclad HIPAA Compliance

  • 1.   Defending  Data  in  Healthcare:   Securing  Private  Information  to   Ensure  Ironclad  HIPAA  Compliance           © Copyright 2011 Axis Technology, LLC
  • 2. Agenda   Non-­‐Compliance  -­‐  Potential  Consequences       How  to  Know  Exactly  Where  your  Sensitive  Data  is  and   Identify  Where  the  Real  Risks  Are       Protecting  Data  from  External  Threats       Securing  Data  from  Improper  Internal  Access       Protecting  PHI  When  Business  Associates  Are  Involved       The  Impact  of  Bring  Your  Own  Device  ("BYOD")      
  • 3. Compliance is important but expensive Until Now The Guard Compliance Tracking Solution EASY Self Audit Questionnaires Gap Identification Reporting Remediation Management Policy and Procedure Templates Unlimited Number of Patients, Employees and Associates Document and Version Control Management Highly Secure No IT integration - Web Based Solution Become Compliant in 60 Days! Attest for HITECH, and Satisfy Meaningful Use Core Measure 15 To find out more or start a FREE 30 Day evaluation Visit www.compliancy-group.com (855) 85 HIPAA or (855) 854-4722
  • 4. NON-­‐COMPLIANCE  -­‐  POTENTIAL   CONSEQUENCES      
  • 5. Non-­‐Compliance  -­‐  Potential  Consequences     Overview  of  Breach  Reports   Data  breaches  increased  by  32%  in  2011   380  large  breaches  between  September  2009  and   October  2011   Over  30,000  plus  small  breaches  in  the  same  period   Over  18  million  effected  records   Breaches  by  Industry:     Threats  b Industry 2011 Ponemon Institute 2011 & Symantec Annual Threat Report 2011
  • 6. Non-­‐Compliance  -­‐  Potential  Consequences     Large  Breaches   Source of 2of  Breach  (Breaches Cause   Large Count) Sept.   009  to  Dec.  2011 Affected Individuals Cause  of  Breach  (Affected  Individuals  ) Sept.  2009  to  Dec.  2011 Unknown Other 6   1   Improper  Disposal 2% 0% 149,398   1% Improper  Disposal, Other Loss,     20  ,  5% 344,579   7,291,355  ,  40% 2% Hacking/IT  Incident Theft, Hacking/IT  Incident 26   196  ,  52% 750,195   7% 4% Unknown,   Loss,   Unauthorized   1,911,160  ,  11% 55  ,  14% Access/Disclosure,     Theft,     857,939  ,  5% 6,755,205  ,  37% Unauthorized   Access/Disclosure,   75  ,  20% 9            Theft,  Unauthorized  Access  /                77%  of  affected   Disclosure  and  Loss  make  up   individuals  experience   86%  of  the  sources  of  Large   some  type  of  loss  or   Breaches   theft  
  • 7. Non-­‐Compliance  -­‐  Potential  Consequences     Compliance  is  increasingly  an  issue   The number of HIPAA Privacy Rule compliance and enforcement complaints have continually increased over the years1. Privacy and Security Officer Concerns: What PHI is contained within enterprise? What PHI is provided to other organizations? 1Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
  • 8. Non-­‐Compliance  -­‐  Potential  Consequences     Is  HIPAA  Compliance  Enough?   In addition to HIPAA, there are also a multitude of other laws enacted to govern data privacy including state laws, such as Massachusetts 201 CMR 17. Core Objectives for Stage 1 of Meaningful Use include utilization of Electronic Health Records Although not a government regulation, the Payment Card PCI specific industry security standard that applies to the use and storage of credit/debit card information. For Multi-Nationals, there are additional concerns such as the proposed European Union Data Privacy Regulation 1Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
  • 9. Non-­‐Compliance  -­‐  Potential  Consequences     Breaches  Happen   In the event of a breach, costs to your organization will quickly start to mount up and can include one or more of the following: Notifying patients, FULL Investigating and controlling the breach, Cost of a Potential litigation and fines, Breach Intangible costs associated with: Damage to your brand, Loss of customers, Decline in value, and Reputation Management
  • 10. Non-­‐Compliance  -­‐  Potential  Consequences     Compliance  Requires  Planning   Achieving compliance to HIPAA and other regulations requires a coordinated effort. The first step is to establish an overall outline of risks and controls. This is commonly known as Enterprise Governance, Risk and Compliance Develop a Risk Framework to measure the maturity of risk Control Items. Some examples of Control Item categories include: Sensitive Data Inventory Vulnerability assessment Entitlements Management Data Loss Detection / Prevention Data Governance 1Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
  • 11. HOW  TO  KNOW  EXACTLY  WHERE   YOUR  SENSITIVE  DATA  IS  &  IDENTIFY   WHERE  THE  REAL  RISKS  ARE      
  • 12. How  to  know  exactly  where  your  sensitive  data  is  and  identify  where  the  real  risks  are     Identifying  Location  of  Sensitive  Data   Which Data Requires Protection ? PHI  Data Employee  Data Company  Data Healthcare  and  Pharmaceutical  -­‐     Healthcare  and   Companies  required  to  follow  Gramm-­‐ required  to  secure  PHI  per  HIPAA   Pharmaceutical  -­‐     Leach-­‐Bliley  Financial  Services   Names   Geographic  subdivisions  smaller  than   required  to  secure  PHI   Modernization  Act  (1999)     a  State   per  HIPAA   Companies  required  to  follow  Sarbanes-­‐ All  elements  of  dates  (except  year)  for   dates  directly  related  to  an  individual   All  organizations  must   Oxley  Act  (2002)     Telephone  /  Fax  numbers   follow  their  state  privacy   Multi-­‐nationals  -­‐  face  requirements   Electronic  mail  addresses   Social  security  numbers   laws,  similar  to  Senate  Bill   including:   Medical  record  numbers   CANADA:  Jan  2005    Personal  Information   Health  plan  beneficiary  numbers   No  1386    State  of   Protection  and  Electronic  Documents  Act   Account  numbers   California   JAPAN:  Apr  2005    Personal  Information   Certificate/License  numbers   Employee  or  Corporate   Vehicle  identifiers  and  serial  numbers,   ID   Protection  Law     including  license  plate  numbers   Salary,  Benefits   FRANCE:  Oct  2005    Computing  and    Liberties   Device  identifiers  and  serial  numbers   Universal  Resource  Locators  (URLs)   HR  status   Act          (termination,   Internet  Protocol  (IP)  address   personnel  issues)     Vendor  Data   numbers   Family  data   Security  Identifiers   Biometric  identifiers,  including  finger   Manager  information   CUSIP,  ISIN,  SEDOL   and  voice  prints   Cost  Center  data Full  face  photographic  images  and  any   Other  Identifiers   comparable  images;  and   NAV,  type  of  Security   Any  other  unique  identifying   
Name,  Number,  Symbol   information.   Activity   Companies  with  customers  in  MA   Account  balances,      transactions,  trade  date   per  MGL93H   Financials   All  organizations  must  follow  their   Price,  quantity,     state  privacy  laws,  similar  to    legal  fees,  vendor  payments   Assets/holdings   Senate  Bill  No  1386    State  of   Comment  fields   California   Trade  dates
  • 13. How  to  know  exactly  where  your  sensitive  data  is  and  identify  where  the  real  risks  are     Lesson  1: Lesson  1: Major  Threat  Areas  And  more   You  should be  less   And  more   should be  less   You   concerned  with: concerned  with: External Threats concerned  with: Internal Threats concerned  with: Vulnerabilities can exist in many areas of our Environment 2 Privileged users Internal users 4 File To be complaint with HIPAA, External server covered entities must implement users File Firewall server technical policies and 1 5 procedures to allow access only Load to those persons and business balancer Web server App Databases Type of threat server ERP associates that absolutely 1. 2. External users / Hackers Internal users 3 6 require access (164.312(a)(1)). 3. 4. Files/web servers Administrators/DBAs/developers Backups 5. Database vulnerability 6. Data backup Insider threats are a concern: Forrester estimates that 75% of threats come from insiders and that 60% of internal breaches are undetected.
  • 14. PROTECTING  DATA  FROM  EXTERNAL   AND  INTERNAL  THREATS        
  • 15. Protecting  data  from  threats     Lesson  1: Lesson  1: You  should be  less   concerned  with: And  more   concerned  with: Threat  Deterrence   You  should be  less   concerned  with: And  more   concerned  with:   External  Threats:     Internal  Threats:   Physical  Security     Physical  Security     Encryption   Encryption           Cyber  Attack  Prevention   Entitlements  Management   Reducing  Instances  of  PHI   Restricting  Access  to  PHI          
  • 16. Lesson  1: Lesson  1: Protecting  data  from  threats     You  should be  less   concerned  with: And  more   concerned  with: You  should be  less   concerned  with: And  more   concerned  with: Physical  Security     External  Threats:     Internal  Threats:   Ensuring  access  to  facilities  is   Ensuring  access  to  areas  where   carefully  managed.       PHI  is  handled  by  only  those   The  process  for  destruction  of   who  must  have  access  to  that   documents  should  be  clear  and   data.       workable  within  the  working   Clean  Desk  policies  need  to  be   environment  of  the  staff.         implemented.   Asset  controls  which  include   Clearly  marked  locked  bins  to   documentation  of  asset   house  documents  to  be   retirement  or  destruction   shredded  are  important.     should  be  implemented.            
  • 17. Lesson  1: Lesson  1: Protecting  data  from  threats     You  should be  less   concerned  with: And  more   concerned  with: You  should be  less   concerned  with: And  more   concerned  with: Encryption     Any  devices  housing  sensitive  data  should  utilize  encrypted.           If  the  device  falls  into  the  wrong  hands  or  is  hacked,  this  will  provide  security  from  less       sophisticated  threats  and  buy  time  from  more  sophisticated  ones.           Prevents  unauthorized  access  by  Internal  Staff  and  Business  Associates.       Data  at  Rest     Structured  and  Unstructured  Data   Data  in  Motion   E-­‐mails  and  File  Transfers   Performance  Impacts   From  3%  and  up  to  30%     Key  Management   Administration  and  Operations  Overhead   For  thousands  of  servers   Legacy  Systems   Auditing  and  Reporting  
  • 18. Lesson 1: Protecting data from threats - DLP
    Data Loss Prevention (DLP) tools oversee the movement of data:
      Discover and monitor the location and flow of sensitive data.
      Enforce controls to prevent loss of sensitive data through email, the internet and the devices that are used.
      A central reporting engine for policy creation and management.
      Out of the box support for HIPAA and other regulations.
  • 19. Lesson 1: Protecting data from external threats - Cyber Attack Prevention
    Defending against Advanced Persistent Threats:
      Anomaly detection and prevention
      Detect intruders in real time
      Detailed model of network topology, access paths, and threats
      What-if analysis predicts risk behavior and business impact
      Achieve compliance with cyber security regulations such as NIST, NERC CIP, FISMA
    Cyber Security Audits:
      Cyber attack simulation, defenses against malware and penetration tests
      Threat and vulnerability analysis
      System security integration, definition of security measures and counter-measures
      Inventories of authorized and unauthorized hardware and software
      Secure configurations for hardware, software, wireless and network security devices
      Controlled access and administrative privileges
    Verifying the security of your Business Associates
  • 20. Lesson 1: Protecting data from internal threats - Entitlements Management
      Understanding who has access to what.
      Ensuring that meaningful entitlements reviews are conducted periodically.
      Ensuring that processes for managing entitlements are appropriate.
      Significant privacy risk exposure exists with entitlements that do not conform to security policies, regulations, and/or best practices within and across the environment.
      Enterprise Entitlement Solutions typically include separate mainframe, application-specific and LDAP-based solutions.
      Reviewing for Toxic Combinations.
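A worked example of the "reviewing for toxic combinations" step on this slide, added here and not code from the deck or from Axis Technology: it takes a constructed entitlement extract (the per-user view you would assemble from separate LDAP, application and mainframe sources), flags users holding two entitlements that policy says must never be combined, and flags entitlements not justified by the holder's role. All user, role and entitlement names, the toxic pairs and the role mapping are constructed sample values.

```python
"""Periodic entitlement review: find users whose combined access breaks a
separation-of-duties policy ("toxic combinations") or is not covered by the
approved role-to-entitlement mapping.

Added example; not part of the original deck and not Axis Technology code.
Every name below is constructed sample data.
"""
from collections import defaultdict

# Constructed policy: each pair is a combination one person must never hold,
# e.g. reading PHI in production while also being able to alter audit logging.
TOXIC_COMBINATIONS = [
    ("PHI_READ_PROD", "AUDIT_LOG_ADMIN"),
    ("PHI_EXPORT", "DLP_POLICY_ADMIN"),
    ("DB_ADMIN_PROD", "BACKUP_RESTORE"),
]

# Constructed approved mapping: the entitlements each job role may justify.
APPROVED_ROLE_ENTITLEMENTS = {
    "nurse": {"PHI_READ_PROD"},
    "dba": {"DB_ADMIN_PROD"},
    "security_admin": {"AUDIT_LOG_ADMIN", "DLP_POLICY_ADMIN"},
    "backup_operator": {"BACKUP_RESTORE"},
}

# Constructed extract merged from several sources (LDAP groups, an application's
# own ACLs, a mainframe export), as (user, role, entitlement) rows.
ENTITLEMENT_EXTRACT = [
    ("alice", "nurse", "PHI_READ_PROD"),
    ("bob", "dba", "DB_ADMIN_PROD"),
    ("bob", "backup_operator", "BACKUP_RESTORE"),   # toxic with DB_ADMIN_PROD
    ("carol", "security_admin", "AUDIT_LOG_ADMIN"),
    ("carol", "nurse", "PHI_READ_PROD"),            # toxic with AUDIT_LOG_ADMIN
    ("dave", "nurse", "PHI_EXPORT"),                 # not justified by the role
]


def entitlements_by_user(extract):
    """Collapse the per-source rows into one view of who has what."""
    view = defaultdict(set)
    for user, _role, entitlement in extract:
        view[user].add(entitlement)
    return dict(view)


def find_toxic_combinations(extract, toxic_pairs=TOXIC_COMBINATIONS):
    """Return {user: [(a, b), ...]} for every user holding both halves of a pair."""
    findings = {}
    for user, held in entitlements_by_user(extract).items():
        hits = [(a, b) for a, b in toxic_pairs if a in held and b in held]
        if hits:
            findings[user] = hits
    return findings


def find_unapproved_entitlements(extract, approved=APPROVED_ROLE_ENTITLEMENTS):
    """Return [(user, role, entitlement)] rows the role mapping does not justify."""
    return [
        (user, role, ent)
        for user, role, ent in extract
        if ent not in approved.get(role, set())
    ]


def review_report(extract):
    """Combine both checks into the list a reviewer would work through."""
    lines = []
    for user, pairs in sorted(find_toxic_combinations(extract).items()):
        for a, b in pairs:
            lines.append(f"TOXIC      {user}: holds both {a} and {b}")
    for user, role, ent in find_unapproved_entitlements(extract):
        lines.append(f"UNAPPROVED {user}: {ent} not justified by role {role}")
    return lines


if __name__ == "__main__":
    for line in review_report(ENTITLEMENT_EXTRACT):
        print(line)
```

The review runs over the merged view, not per source: a toxic pair is only visible once the mainframe, application and LDAP entitlements for the same person sit in one table, which is the point of the "within and across the environment" wording above.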
  • 21. Lesson 1: Protecting data from external threats - Reducing Instances of PHI
      PHI may exist in more environments than you realize.
      Copies may exist for testing purposes as well as sharing with third parties.
      So you are really protecting an environment that looks like:
  • 22. Lesson 1: Protecting data from external threats - Reducing Instances of PHI
    [Diagram: three parallel environments (Live - Production, QA Testing, UAT Testing), each showing privileged, internal and external users, a firewall, load balancer, web server, app server, ERP, databases, file server and backups, with six numbered locations where PHI may reside]
      Copies of PHI may exist in multiple locations in your environment.
      Each of these locations is a potential target from external sources and needs to be protected.
      De-identification technology can be used in these environments.
  • 23. Lesson 1: Protecting data from internal threats - Restricting Access to PHI
      For exchange of data with business associates or other third parties, all data going to them should be de-identified where permissible.
      For purposes of internal testing by our own employees and contracted business associates, de-identification is a must.
      PHI that appears in System and Database Logs under review should be de-identified.
      Aggregation and analytics should be good candidates for de-identified data.
      Live production reports and user interfaces should be reviewed to determine where de-identified data can be substituted.
      HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
  • 24. Lesson 1: Protecting data from external threats - Restricting Access to PHI
    [Diagram: the three environments (Live - Production, QA Testing, UAT Testing) with their users, firewall, load balancer, web server, app server, ERP, databases, file server and backups, and the situations listed below mapped onto them]
      Exchanges of Data
      Internal Testing
      System and Database Logs
      Aggregation and analytics
      Reports and User Interfaces
      De-identification technology can be used in these situations.
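An added example, not from the deck and not DMsuite code, covering both the DLP "discover and monitor" step from slide 18 and the de-identification of logs, test copies and exchanged data described on slides 23 and 24: a scan that reports which PHI identifier classes a line contains, and a de-identification pass that replaces each one with a keyed, deterministic pseudonym so that de-identified copies stay joinable across tables and log sources. It handles only a few of the Safe Harbor identifier classes (SSN, phone, e-mail, dates, and a constructed "MRN-#######" record-number format); the regexes, the key and the log lines are constructed sample values, and a real deployment would cover all 18 Safe Harbor identifiers and keep the key in a key-management system.

```python
"""Discover PHI identifiers in text (log lines, exported records) and replace
them with consistent, keyed pseudonyms so de-identified copies remain joinable.

Added example; not part of the original deck and not DMsuite code. The patterns
below cover only a few Safe Harbor identifier classes, the MRN format is
constructed, and the key and log lines are constructed sample values.
"""
import hashlib
import hmac
import re

# Constructed key: in practice this lives in a key-management system, never in code.
PSEUDONYM_KEY = b"constructed-example-key-do-not-use"

# Each pattern is one identifier class this example knows how to find.
PHI_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN-\d{7}\b"),                          # constructed format
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?:\(\d{3}\)|\b\d{3})[-. ]\d{3}[-. ]\d{4}\b"),
    "date":  re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def discover_phi(text):
    """Return [(kind, value)] for every identifier found, in order of appearance.

    This is the DLP 'discover and monitor' half: report what is present
    without changing it.
    """
    found = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((match.start(), kind, match.group()))
    return [(kind, value) for _, kind, value in sorted(found)]


def pseudonym(kind, value, key=PSEUDONYM_KEY):
    """Keyed, deterministic token: the same value maps to the same token under
    the same key, so one patient's MRN still links across tables, while the
    token cannot be reversed without the key."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind.upper()}_{digest[:10]}"


def deidentify(text, key=PSEUDONYM_KEY):
    """Replace every discovered identifier with its pseudonym.

    Dates are generalised to the year rather than tokenised: the full date is
    an identifier, but Safe Harbor allows the year alone to remain.
    """
    out = text
    for kind, pattern in PHI_PATTERNS.items():
        if kind == "date":
            out = pattern.sub(lambda m: m.group()[:4] + "-XX-XX", out)
        else:
            out = pattern.sub(lambda m, k=kind: pseudonym(k, m.group(), key), out)
    return out


# Constructed sample lines, as an application or database audit log might emit them.
SAMPLE_LOGS = [
    "2011-10-03 12:01:55 app=portal user=jdoe@example.org viewed MRN-0012345 ssn=123-45-6789",
    "2011-10-03 12:02:10 app=billing MRN-0012345 phone=(617) 555-0100 claim=9981",
]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(discover_phi(line))
        print(deidentify(line))
```

Running `discover_phi` again over the de-identified output is the self-check: it should return nothing, which is what you would wire into a DLP policy before a copy is released to QA, a business associate or an analytics team. The keyed HMAC is what keeps the QA copy useful: the same MRN on the portal and billing lines becomes the same token on both, so joins and reconciliations still work.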
  • 25. PROTECTING PHI WHEN BUSINESS ASSOCIATES ARE INVOLVED
  • 26. Protecting PHI when business associates are involved - Business Associates
    The HIPAA Privacy Rule places responsibility for ensuring that Business Associates maintain privacy on the Covered Entity that they are associating with. It requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
    The Office of Civil Rights ("OCR") is required to impose penalties if the covered entity or its business associate act with neglect, i.e., with "conscious, intentional failure or reckless indifference to the obligation to comply" with HIPAA requirements. [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]
    Minnesota Attorney General brought an enforcement action due to an action by a business associate, Accretive Health, Inc., for an alleged violation under HIPAA using authority under the HITECH Act.
    Actions to take:
      Have Formal Written Agreements with Business Associates
      Minimize PHI that is accessible to Business Associates
      Perform Self-Testing which includes your Business Associates
    Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
  • 27. THE IMPACT OF BRING YOUR OWN DEVICE ("BYOD")
  • 28. Protecting PHI when business associates are involved - BYOD
    Understand where sensitive data exists in our environment.
    Develop plans to manage the sensitive data that is in our inventory.
    Plan for getting to the appropriate level of maturity to safeguard data.
    The protection requires a multi-layered approach:
      Any sensitive data that resides on the devices should be encrypted.
      A DLP solution should be used to manage the communication with endpoints.
      Implement the ability to remotely disable devices that are impacted.
      Minimize the amount of sensitive data being sent to these devices.
    Clearly define the scope of what we are trying to do, including:
      Protecting sensitive data that exists on a mobile device
      Providing secure channels of communication
      Minimizing the amount of sensitive data being sent to mobile devices
      And doing all this in a cost-effective manner
    And who we are doing it for:
      Internal Employees
      Business Partners / Associates
      Clients / Third Parties
    Source: The Department of Health and Human Services: Office of Civil Rights (OCR) Website
  • 30. Risk Based Solutions
    Axis has created a set of eGRC related solutions that leverage our overall consulting expertise as well as our DMsuite™ and product implementation capabilities.
    [Diagram of layers, top to bottom, each connected to the next by "Drives" arrows: Enterprise Governance, Risk and Compliance (Strategic Business Processes / Goals); Enterprise Architecture (Reference Models, Business Architecture, Application Architecture) and Information Security Architecture (Regulatory & Corporate Requirements, Environment Maturity Assessment); Data Masking (De-Identification), Identity / Access Management, Data Management, Information Security; Entitlements Management, Data Governance, Sensitive Data Assessment, DMsuite™; Operational Environment]
  • 31. Data De-Identification - DMsuite™
    DMsuite - A robust, proprietary tool that has been deployed at clients for over 8 years with: Sensitive Data Discovery - HIPAA Ready Out of the Box, Data De-Identification and Auditing functionality.
  • 32. Questions or Further Discussions
    Contact: Joe Santangelo
    Email: jsantangelo@axistechnologyllc.com
    Phone: (646) 596-2670
    Twitter: @DataPrivacyDude
  • 34. Thank You!
    www.AxisTechnologyLLC.com
    185 Devonshire Street, Boston, MA 02110
    (857) 445-0110
    © Copyright 2011 Axis Technology, LLC