Technologies and procedures for HIPAA compliance
Published in: Technology
Speaker notes
  • That’s over 50% of the current US population
  • AKA Human Error.
  • Oh by the way – lest I forget..... We will talk about what some simple technologies could have done to have prevented this crisis
  • There are basically 7 relevant HIPAA rules surrounding technology. The third one is where a lot of companies fail
  • Largest percentage of “hacks” are done by disgruntled employees – or untrained employees making mistakes
  • Ok – let me take a poll of the people we have here. How many of you are from large organizations with 50 – 100 people or more? How many from small organizations with less than 50? A lot of what I’m talking about
  • This does require that you have a user account and password established on
  • But even still – you cannot simply throw this stuff over the wall. You have to be responsible for the data even after it leaves your shop. Run audits on your business partners to ensure compliance and reporting as well.
  • Audit account management – This will audit each event that is related to a user managing an account: creating a user account, adding a user to a group, renaming a user account, changing a password for a user account. Really important to “watch the watchers”.
  • These are the free tools. They work, but they are a little cumbersome to use if you’re not a “techie”, especially DumpEvt. Can give example – if time.
  • Now these are for the hardcore geeks and do it yourselfers.
  • For everyone else there are professional tools
Transcript

    • 1. Technologies and Procedures for HIPAA Compliance. Jack L. Shaffer, Jr., CIO – Community Health Network of West Virginia
    • 2. Topics Covered Today
      • In the News
      • Acceptable Use Policies and Enforcement
      • Protecting PHI with Encryption Technologies
      • Auditing and Monitoring Tools
      • Questions and Answers
    • 3. “Take-Aways”
      • HIPAA policy areas of concern
      • Target technology areas of concern
      • Sample products and techniques for auditing/monitoring
      • Hopefully a sense of urgency
    • 4. In the News - a.k.a. “data loss du jour”
      • March 11, 2005, Kaiser Permanente (Oakland, CA): A disgruntled employee posted information on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web. UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information.
      • Jan. 25, 2006, Providence Home Services (Portland, OR): Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. UPDATE (9/26/06): Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs.
      • Feb. 17, 2006, Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen) (Lewiston, NY): Two laptops containing date of birth, address and Social Security numbers of patients were stolen in an armed robbery in New Jersey.
      • Aug. 4, 2006, PSA HealthCare (Norcross, GA): A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims.
      • Aug. 7, 2006, U.S. Dept. of Veterans Affairs through its contractor Unisys Corp. (Reston, VA): A computer at the contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations.
      • Aug. 11, 2006, Madrona Medical Group (Bellingham, WA): On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested.
    • 5. “Data loss du jour”
      • TOTAL number of records containing sensitive personal information involved in security breaches, 2005 to present: 215,979,650
      • (source - Privacyrights.Org, http://www.privacyrights.org/ar/ChronDataBreaches.htm)
      • Feb. 2, 2007, U.S. Dept. of Veterans Affairs, VA Medical Center (Birmingham, AL): An employee reported a portable hard drive stolen or missing that might contain personal information about veterans including Social Security numbers. UPDATE (2/10/07): VA increases number of affected veterans to 535,000, included in the total below. UPDATE (2/12/07): VA reported that billing information for 1.3 million doctors was also exposed, including names and Medicare billing codes, not included in the total below. UPDATE (3/19/07): The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations. UPDATE (6/18/07): More than $20 million to respond to its latest data breach, which potentially puts the identities of nearly a million physicians and VA patients at risk.
    • 6. “Data loss du jour”
      • Most of the data losses occurred because of lack of policies and procedures OR the lack of auditing and monitoring of existing policies and procedures.
    • 7. “Data loss du jour”
      • October 23, 2007: State info on 200,000 missing
        A computer tape containing personal information on about 200,000 current and past participants in state insurance programs was lost during shipment, the Public Employees Insurance Agency said Monday. The data file contained full names (including birth names), addresses, phone numbers, Social Security numbers and marital status for 200,000 people insured by the Public Employees Insurance Agency, the Children’s Health Insurance Program and Access West Virginia.
        The data was reported missing last week while being shipped via United Parcel Service to a data processing center in Pennsylvania, Department of Administration spokeswoman Diane Holley said Monday. She said UPS officials reported on Oct. 16 that the package containing the tape had broken open, and that the tape was missing. However, she said UPS officials believe the tape is somewhere in the distribution center in Louisville, Ky., and asked for time to conduct a search.
        With the tape still missing as of Monday, PEIA executives decided to send letters to all 200,000 people to notify them of the disappearance of the tape containing their personal data. She said the letters will provide information about identity theft, and will explain to recipients how they can place fraud alerts and security freezes on their credit reporting agency files, in the event their personal data is compromised. A security freeze blocks the credit reporting agencies from releasing information in an individual’s file, which could be used to obtain credit cards or other lines of credit, without that person’s authorization.
        The tape does not contain any information about individuals’ medical histories, or medical or prescription claims, Holley said. She said that, even if the tape were stolen, it cannot be “read” without access to specialized computer equipment. “It is a specialized computer tape,” she said. “It looks like an eight-track tape.” She said PEIA will operate a call center that people affected can call for updates on the status of the missing tape, or more information about protecting against credit fraud.
    • 8. Acceptable Use Policies and Enforcement
      • Relevant HIPAA rules
        • 164.308(a)(3)(i) – Workforce Security
          • Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
        • 164.308(a)(4)(i) – Information Access Management
          • Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
        • 164.308(a)(5)(i) – Security Awareness and Training
          • Implement a security awareness and training program for all members of its workforce (including management).
    • 9. Acceptable Use Policies and Enforcement
      • Relevant HIPAA rules
        • 164.310(b) – Workstation Use
          • Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
        • 164.310(c) – Workstation Security
          • Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
    • 10. Acceptable Use Policies and Enforcement
      • Relevant HIPAA rules
        • 164.310(d)(1) – Device and Media Controls
          • Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
        • 164.312(3)(1) – Transmission Security
          • Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
    • 11. Acceptable Use Policies and Enforcement
      • Acceptable Use Policies
        • Hardware
          • General Computer Use
            • No right to privacy
            • Company ownership
            • Right to monitor
            • Passwords
            • No disabling of system software such as anti-virus or spyware filters
    • 12. Acceptable Use Policies and Enforcement
      • Acceptable Use Policies
        • Hardware
          • Laptop
            • Physical protection
            • Awareness
          • PDA/Blackberry/iPhone
            • Secure with passwords
            • No storing of passwords on memory sticks
            • Warnings about forwarding corporate E-mail using desktop redirector
          • Removable Media
            • Physical protection
            • No storing of passwords
            • No PHI without encryption
    • 13. Acceptable Use Policies and Enforcement
      • Acceptable Use Policies
        • E-mail
          • Right to monitor
          • No transmission of PHI unless encrypted
        • Internet Access
          • Right to monitor
          • Business use only
          • Stance on IM and other applications
    • 14. Acceptable Use Policies and Enforcement
      • Acceptable Use Policies
        • Access Control
          • Appropriate approvals
          • Proper identification methods of users
        • Transmission of information
          • Anytime data leaves
          • Periodic reviews
          • Encryption required
    • 15. Acceptable Use Policies and Enforcement
      • Human Beings are the weakest link
        • Do not underestimate or minimize this risk
        • Kevin Mitnick
          • The Art of Deception
        • Technology is complicated
          • Unrealistic to expect people to fully understand all of the risks on their own
        • Training is ESSENTIAL
          • That is why it is required under HIPAA
          • Best use of $$$
    • 16. Acceptable Use Policies and Enforcement
      • Enforcement Technologies
        • Windows Active Directory
          • Access Control / User Account Management
            • Password policies
            • Remote Access
          • Desktop / Workstation control with Group Policies
            • Control Internet / Email access
            • Deny removable media
    • 17. Acceptable Use Policies and Enforcement
      • Enforcement Technologies
        • Desktop (cont’d)
          • Most “hacks” happen here today
            • Botnets
          • Anti-virus
          • Firewall
          • Windows Update!
        • Auditing and Reporting
          • DumpSec
            • http://www.systemtools.com
        • Email Filtering
          • Restrict use of Internet Email such as Yahoo, Hotmail, etc.
    • 18. Acceptable Use Policies and Enforcement
      • Enforcement Technologies
        • Internet / Content Security Filters
          • Sonicwall
            • www.sonicwall.com
          • iPrism / St. Bernard
            • http://www.stbernard.com/
          • Surf Control
            • http://www.surfcontrol.com/
    • 19. Acceptable Use Policies and Enforcement
      • Enforcement Technologies
        • PKI / Two Factor Authentication
          • RSA
            • http://www.rsa.com/
          • Raak Technologies
            • http://www.raaktechnologies.com/solutions/pki.html
        • Cardkey Access
          • Physical control
          • Auditing
    • 20. Acceptable Use Policies and Enforcement
      • Enforcement Technologies
        • Data Backup
          • Tapes
          • CDP
            • Sonicwall
          • Outsourced Services
            • Livevault
            • Carbonite
            • Evault
    • 21. Protecting PHI with Encryption Technologies
        • 164.310(d)(1) – Device and Media Controls
        • 164.312(3)(1) – Transmission Security
          • Key Area often overlooked
        • VPNs
          • Wireless “hotspots”
          • Access from home
          • Tools
            • Microsoft
            • Cisco
    • 22. Protecting PHI with Encryption Technologies
        • Email encryption
          • Exchange environment
          • PGP
            • http://www.pgp.com/downloads/datasheets/index.html
          • Tumbleweed
            • http://www.tumbleweed.com/solutions/outbound_email.html
          • Public Key Infrastructure (PKI) – Microsoft Outlook Express
          • Blackberry
    • 23. Protecting PHI with Encryption Technologies
        • File encryption
          • Mobile Devices
            • Establish user account and passwords to log on
          • Windows XP – Be Careful!
    • 24. Protecting PHI with Encryption Technologies
        • File encryption
          • OpenPGP
            • http://www.pgp.com/downloads/datasheets/index.html
          • TrueCrypt (USB)
            • Open Source
            • How to: http://www.juand.ca/?page_id=3
          • Dekart Private Disk
            • http://www.dekart.com/products/encryption/
    • 25. Protecting PHI with Encryption Technologies
      • Encryption should absolutely be used in every transmission of PHI
      • Could have prevented the WV State’s problem with data loss mentioned earlier
    • 26. Protecting PHI with Encryption Technologies
        • Data Erasure Tools
          • Proper disposal
          • Jetico – BCWipe
            • http://www.jetico.com/
          • Ontrack – DataEraser
            • http://www.ontrackdatarecovery.com/hard-drive-software/ontrack-eraser.aspx
          • Scrub – Lawrence Livermore Labs (Unix)
          • Shred (Unix)
    • 27. Auditing and Monitoring Tools
        • User Account Monitoring
          • Windows Auditing
    • 28. Auditing and Monitoring Tools
        • User Account Monitoring
          • Major area to watch
          • DumpSec
          • DumpEvt
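The “watch the watchers” point from the speaker notes and slides 27–28, as an added example that is not from the deck: a Python review pass over exported account-management audit events. The event IDs are the Vista/2008+ Security log IDs (assumed here as the modern equivalents of the 2003-era events the talk was given against); the export field names and the sample events are constructed assumptions, not DumpEvt’s actual output format.

```python
"""Review Windows 'Audit account management' events and flag changes that need a reviewer.

Added example: reads a list of exported events (the kind DumpEvt or wevtutil would
produce after conversion) and applies three simple checks. Event IDs are assumed
Vista/2008+ values; field names are assumptions for this example.
"""
from collections import Counter
from datetime import datetime

EVENT_NAMES = {
    4720: "user account created",
    4726: "user account deleted",
    4724: "password reset attempted",
    4781: "account renamed",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample export, not real log data. 'subject' acted, 'target' was acted on.
SAMPLE_EVENTS = [
    {"time": "2007-10-22T08:01:00", "id": 4720, "subject": "helpdesk1", "target": "jsmith", "group": ""},
    {"time": "2007-10-22T08:02:00", "id": 4728, "subject": "helpdesk1", "target": "jsmith", "group": "Domain Users"},
    {"time": "2007-10-22T17:40:00", "id": 4728, "subject": "helpdesk1", "target": "helpdesk1", "group": "Domain Admins"},
    {"time": "2007-10-22T17:41:00", "id": 4724, "subject": "helpdesk1", "target": "dbadmin", "group": ""},
    {"time": "2007-10-22T17:55:00", "id": 4726, "subject": "helpdesk1", "target": "tmp_svc", "group": ""},
    {"time": "2007-10-22T17:50:00", "id": 4720, "subject": "helpdesk1", "target": "tmp_svc", "group": ""},
]


def review(events, privileged=PRIVILEGED_GROUPS, churn_seconds=3600):
    """Return (time, finding) pairs for events that deserve a human look."""
    findings = []
    created = {}  # target -> creation time, to spot create-use-delete churn
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, who, whom = ev["id"], ev["subject"], ev["target"]
        name = EVENT_NAMES.get(eid, f"event {eid}")
        # 1. Any addition to a privileged group is reviewed, whoever did it.
        if eid in GROUP_ADD_EVENTS and ev["group"] in privileged:
            findings.append((ev["time"], f"{who} added {whom} to {ev['group']}"))
        # 2. An admin changing their own account: the watcher needs watching.
        if eid != 4720 and who == whom:
            findings.append((ev["time"], f"{who} performed '{name}' on own account"))
        # 3. Accounts created and deleted within the hour leave little trail otherwise.
        if eid == 4720:
            created[whom] = datetime.fromisoformat(ev["time"])
        elif eid == 4726 and whom in created:
            age = datetime.fromisoformat(ev["time"]) - created[whom]
            if age.total_seconds() < churn_seconds:
                minutes = int(age.total_seconds() // 60)
                findings.append((ev["time"], f"{whom} created and deleted within {minutes} minutes by {who}"))
    return findings


def activity_by_admin(events):
    """Account-management actions per acting account; a sudden spike is worth a question."""
    return Counter(ev["subject"] for ev in events if ev["id"] in EVENT_NAMES)
```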
    • 29. Auditing and Monitoring Tools
        • User Account Monitoring
          • Scripts from Microsoft
            • Report / disable user Accounts that have not logged on in 60 days
            • Users in specific authority groups
            • (Hey, Scripting Guy...)
          • You can run similar scripts with Unix
            • e.g. the last command
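The stale-account and “users in specific authority groups” reports from slide 29, as an added example in Python rather than the Microsoft scripts the slide refers to (not the deck’s own code). The FILETIME conversion matches how Active Directory stores lastLogonTimestamp; the export layout, field names and sample users are constructed assumptions.

```python
"""Report AD accounts with no logon in 60 days and members of privileged groups.

Added example. Input is assumed to be a directory export (csvde / Get-ADUser style)
already loaded into dicts; the sample below is constructed, not real directory data.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_datetime(filetime):
    """lastLogonTimestamp is 100 ns intervals since 1601-01-01; 0 means never logged on."""
    if filetime == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


NOW = datetime(2007, 10, 23)
SAMPLE_USERS = [
    {"sam": "jshaffer", "enabled": True, "created": NOW - timedelta(days=900),
     "last": datetime_to_filetime(NOW - timedelta(days=1)), "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "oldnurse", "enabled": True, "created": NOW - timedelta(days=500),
     "last": datetime_to_filetime(NOW - timedelta(days=95)), "groups": ["Domain Users"]},
    {"sam": "newhire", "enabled": True, "created": NOW - timedelta(days=5), "last": 0, "groups": ["Domain Users"]},
    {"sam": "ghost_svc", "enabled": True, "created": NOW - timedelta(days=400), "last": 0,
     "groups": ["Domain Users", "Administrators"]},
    {"sam": "leftco", "enabled": False, "created": NOW - timedelta(days=700),
     "last": datetime_to_filetime(NOW - timedelta(days=200)), "groups": ["Domain Users"]},
]


def stale_accounts(users, now=NOW, days=60):
    """(account, days idle, never_logged_on) for enabled accounts idle longer than `days`.

    Never-logged-on accounts are measured from creation so a 5-day-old new hire is not
    flagged but a year-old unused account is. lastLogonTimestamp replicates with up to
    about 14 days of lag, so a 60-day threshold leaves margin; treat output as candidates.
    """
    cutoff = now - timedelta(days=days)
    stale = []
    for u in users:
        if not u["enabled"]:
            continue
        last = filetime_to_datetime(u["last"]) or u["created"]
        if last < cutoff:
            stale.append((u["sam"], (now - last).days, u["last"] == 0))
    return stale


def privileged_members(users, privileged=PRIVILEGED_GROUPS):
    """Sorted (account, group) pairs for every privileged-group membership in the export."""
    return sorted((u["sam"], g) for u in users for g in u["groups"] if g in privileged)


def disable_candidates(users, now=NOW, days=60):
    """Stale accounts ordered for action: privileged ones first, then by days idle."""
    priv = {sam for sam, _ in privileged_members(users)}
    return sorted(stale_accounts(users, now, days), key=lambda s: (s[0] not in priv, -s[1]))
```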
    • 30. Auditing and Monitoring Tools
        • Security Level Reviews
          • ScriptLogic
            • Enterprise Security Reporter
    • 31. Auditing and Monitoring Tools
        • Access Logs and Reviews
          • GFI tools – Events Manager
    • 32. Auditing and Monitoring Tools
        • Access Logs and Reviews
          • GFI tools - LanGuard
    • 33. Auditing and Monitoring Tools
        • Access Logs and Reviews
          • GFI tools – Endpoint Control
    • 34. Summary
      • HIPAA policy areas of concern
      • Target technology areas of concern
      • Sample products and techniques for auditing/monitoring
      • Focus on people
    • 35. One last thought.....
      • CIO Magazine Study: Mobile Workforce Represents Security Threat in '08 Due to Lack of Training, Awareness
      • CIO Study
      • “Security is not a product, it is a process.”
    • 36. Questions?
