Avior Healthcare Security Compliance Webcast Final1
Slides from Avior HIPAA compliance webcast

Published in: Technology, News & Politics
  1. Webcast: Complying with HIPAA Privacy and Security Standards
  2. Agenda:
     • Healthcare IT Trends: Jim Hietala, Compliance Research Group
     • Recovery Act of 2009, and HITECH Act, Security and Compliance Implications: Karl Muenzinger, Janus Associates
     • Overview of Avior Computing Solutions: Bruce Beck, VP Business Development, Avior
     • Demonstration: Converged privacy/security assessments for healthcare organizations: Jeri Teller-Kanzler, President, Risk-Mapp
     • Q&A
  3. Trends in IT and Healthcare
     Government:
     • Electronic Health Record adoption push
     • Health Information Networks (HIE's, RHIN's, NHIN)
     IT Access and Network Changes:
     • Growth in wireless network adoption, mobility
     • Guest network access
     • Intermixing of IT and clinical devices in healthcare networks
  4. 2009 Stimulus Bill Brings New HIPAA Requirements
     The Health Information Technology for Economic and Clinical Health (HITECH) Act
     • Included in the American Recovery and Reinvestment Act of 2009 (ARRA)
     Data Breach Protections
     • Prevent Data Breaches of Protected Health Records (PHR)
     • Increase penalties
     August 2009: Guidance from HHS and FTC
     • HHS Office of Civil Rights takes over HIPAA enforcement
     • Interim final rule for Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164)
     • The Federal Trade Commission Health Breach Notification Rule (16 CFR Part 318) and Notice of Breach of Health Information (procedure)
  5. The Impact on HIPAA Compliance
     An increase in SCOPE: More organizations are subject to HIPAA
     An increase in DEPTH: HIPAA compliance programs require greater due-diligence
     An increase in ENFORCEMENT: More government oversight, higher penalties
     Penalties for HIPAA violations:
       Amount per violation    Prior: $100       ARRA / HITECH: $100 - $50,000
       Maximum per year        Prior: $25,000    ARRA / HITECH: $5,000,000
  6. Data Breach
     "the unauthorized acquisition, access, use or disclosure of PHI"
     Data Breach Notification Law: Protect PHI
     - Encryption during Transmission
     - Encryption during Storage
     - Secure Disposal of PHI on paper, film, or disk
     Public Notification of Data Breaches starting in September 2009
     - Covered Entities and Business Associates will be required to notify the public
     - HHS will post a public list of major data breaches: increase in reputational risk
     - The FTC must be notified, for organizations not otherwise covered by HIPAA
  7. The Increased Oversight of Business Associates
     Business Associates must comply with HIPAA Privacy and Security rules (sec 13401(a))
     - Civil and criminal penalties (sec 13401)
     - Data Transmission Service Providers are included (sec 13408)
     Covered Entities are accountable for their Business Associates
     - Data Breach Notification rules for Covered Entities include data breaches of their Business Associates (sec 13402)
     - Business Associate Agreements must be revised by February 17, 2010
     - Best Practices: require Business Associates to agree to independent inspection of security controls
  8. Compliance and Risk Assessments of Business Associates
     Locate and document all PHI sent to third parties
     Assign the controls required for each Business Associate
     • Specify all data-handling requirements in Business Associate Agreements
     Collect Evidence of Controls for each Business Associate
     Assess the evidence, identify risks, take action
  9. Strategies for Covered Entities and Business Associates
     Covered Entities:
     • Use a Tiered Approach: Categorize your Business Associates based on the PHI being handled, and other risk factors
     • Tailor the Assessment methodology for each Tier: Efficiently expend resources on the tiers of highest risk
     • Use Risk Assessments to Reduce Business Associate risks: Leverage the results during negotiations for future outsourced services
     Business Associates:
     • Establish a HIPAA Compliance Program: Conduct a HIPAA Risk Assessment and Gap Analysis
     • Coordinate with the Compliance teams of your customers: Align your policies and procedures proactively
     Both: Your customers will be asking more about your security
     • Honesty Builds Trust – Trust Leads to Investment
  10. About JANUS Associates:
     Focused on Information Security and Business Continuity consulting for two decades
     • Stamford, Albany, Boston, Baltimore, Silver Spring MD
     • Privately held, independent, woman-owned business
     Consulting Services:
     • Information Security & Privacy
     • Business Continuity/Pandemic/DR Planning
     • Regulatory Compliance, including PCI
     • Security Awareness Training
     • Breach Response and Computer Forensics
     • Electronic Discovery
     Avior business partner
     www.JANUSassociates.com, 203-251-0200
  11. Bruce Beck, VP Business Development
     Compliance… Know it Now!
     www.aviorcomputing.com
  12. Risk & Compliance Process (process diagram; stages shown): Scope (People, Process, Technology); Risk Assessment; Distribute Questionnaires; Collection Process; Review and Analysis; Reporting; Manage Remediation
  13. Risk & Compliance Chaos
  14. Adding to the Challenge
     Many overlapping compliance requirements
     Fragmented compliance projects spread over many regulations, business units & third party providers…silos
     "70% of organizations are treating each compliance regulation as a silo; Inefficient, expensive, Can't leverage common controls and assessments, Annoying to business owners and vendors" – Compliance Marketing Group
  15. Survey Fatigue
     "Assessment is the cornerstone of any GRC methodology; you have to know where you are with risk to know where you need to go. Avior provides a platform to make this process easy, repeatable and sustainable across your entire enterprise." - Steve Katz, Fmr. CISO, Citigroup and JP Morgan
     Overlapping regulations & standards create "survey fatigue" for business owners and suppliers
  16. Bring Order to Chaos
     Optimize Control Framework
     Pre-configured, Dynamic mapping of Regulations, Standards, Frameworks and Policies
     Mappings & content are kept current for you by Avior
     Advanced scoring and weighting rubric
     Assess Once, comply many times, to many things
  17. Avior's Solution
     Dynamic Assessment & Remediation; Executive Dashboards; Reporting; Repurposing
     • Visibility, Reporting & Analysis
     • Managing Assessment and Remediation Process
     • Creating, Weighting & Scoring Assessments
     Components: Assessment Designer; Associator; Avior ClearView
  18. Map & Associate
     • Subscription Based Offering
     • Updated quarterly
     • Custom Configured authoritative sources
     • Easily integrate your policies and corporate objectives
  19. Enhanced Assessment Experience
     • Easy to use assessment editor
     • Incorporate notes and attachments
     • Weight the response to questions
     • User Friendly Workflow
     • Intuitive responder interface
  20. Remediation
     • Classifying & Tracking the Remediation Process
     • Full Reporting Capabilities
     • Allocate Remediation Resources
  21. Visibility: Reporting & Dashboards
     • Executive Level User Interface
     • Dynamic Data Rendering
     • Standard Suite of Reports
     • Role Based Reporting
     • PDF, Excel & Graphical
  22. Avior automated risk & compliance workflow (workflow diagram)
     Stages: Scope; Risk Assessment; Distribute Questionnaires; Collection Process; Review and Analysis; Reporting; Manage Remediation
     Activities shown:
     • Develop assessments
     • Set Frequency
     • Determine scoring
     • Determine business owners
     • Manage distribution
     • Ensure completion
     • Manage Reminders
     • Escalate as necessary
     • Review for completeness
     • Score results
     • Determine key risks
     • Report to management
     • Determine risks to remediate
     • Manage remediation workflow
     Capabilities shown: Risk process lifecycle support; Linked to remediation management; Prebuilt assessment library; Dynamic mapping; Automated review, scoring, and reporting; Workflow management; Forced evidence collection; Response weighting
  23. Achieve better results
     • Significant reduction in governance, risk and compliance costs
     • Improve control of risk management and compliance
     • Increase executive visibility of enterprise risks
     • Organize compliance with a repeatable and sustainable process
     = Improved management
  24. Risk & Compliance: Know it Now!
  25. Jeri Teller-Kanzler, President of Risk-Mapp
     Demonstration of ClearView and BenchMark
     Healthcare assessment addressing HIPAA and new healthcare guidance
     Mapping of HIPAA, NIST 800-66, and other standards and regulations
  26. Questions & Answers
     For Additional Information:
     Avior Computing • Bruce Beck, BBeck@Aviorcomputing.com, 603-964-8040
     Janus Associates • James Adams, jamesa@janusassociates.com, 203-251-0200