HealthCare Information Security
An Evolving Regulatory Landscape with Increasing Stakes

Thomas J. DeMayo
Director
IT Audit and Consulting Services
TDeMayo@odpkf.com
HIPAA – The History
• Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996 to encourage electronic transmission of payer/patient information and payment
• Privacy Rule – (2003) Designed to ensure patient health information was guaranteed a minimum level of protection across all states
• Security Rule – (2005) Added administrative, technical and procedural safeguards to electronic protected health information (ePHI)
  – Complements the Privacy Rule

HIPAA – The History
• HITECH – (2009) Enacted to promote and expand the adoption of Health Information Technology
  – Added increased restrictions (e.g. Privacy and Security Rules now apply to Business Associates (“BA”))
  – Enhanced civil monetary penalties – e.g. tiered penalty structure with penalties up to $1.5m per year for each violation
  – Introduced the Breach Notification Rule
  – Required HHS to perform periodic audits of Covered Entities (“CE”)

HIPAA – The History
• Omnibus Rule (2013) – Finalized and/or modified provisions of the Interim Rule and/or added additional provisions

Privacy Rule!!!!!
• Sorry – We will not be discussing the Privacy Rule

Security Rule Changes
• The Final Rule did not make any changes to the Security Rule
  – Confirmed that the Security Rule applies to business associates
  – Extended the application of the rule to subcontractors
  – Expanded liability for storage providers (e.g. Cloud Providers)

Security Rule Clarification
• Health and Human Services (“HHS”) clarified:
  – “Flexibility of approach” or “Reasonableness” of the controls continue to apply; however, documentation of the approach and rationale is required
  – Internet, Extranets, and Intranets are forms of electronic transmission media – if they transmit ePHI they are in scope
    • Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered transmission via electronic media if the information did not exist in electronic form immediately prior to transmission
  – Copiers and fax machines that store ePHI are subject to the Security Rule requirements

What exactly is the Security Rule?
• Consists of 78 standards that encompass administrative, technical, and physical safeguards
  – Administrative – policies, awareness training, assigning a security officer
  – Technical – passwords, antivirus, firewalls
  – Physical – physical storage of electronic media, positioning of equipment

What exactly is the Security Rule?
• The standards (what must be done) contain implementation specifications (how it must be done)
• Implementation Specifications are either:
  – Required – the specification must be implemented as stated

What exactly is the Security Rule?
• Implementation Specifications are either: (cont…)
  – Addressable – must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:
    • Implement the addressable implementation specification as stated;
    • Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
    • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment

What exactly is the Security Rule?
• Of the 78 standards:
– 26 are Addressable
– 52 are Required
***Addressable Does NOT imply OPTIONAL***

Results of Office For Civil Rights Audit
• Audits in 2012 showed that the Security Rule requirements are not being met by covered entities
  – Office for Civil Rights (“OCR”) officials have publicly stated this must change
• Of the 159 covered entities audited
  – 10% of selectees had no audit findings
  – 10% of selectees were totally unprepared for audit

Results of OCR Audit
• Of the 159 covered entities audited (cont…)
  – Security accounted for more than 60% of audit findings
  – Providers had greatest proportion of findings – 65%
  – Smallest entities struggled the most in all three areas
  – Significantly fewer findings for those entities who fully implemented addressable specifications
  – Most common excuse heard for non-compliance – “unaware of the requirement”
  – Lack of application of sufficient resources, incomplete implementation, complete disregard

Results of OCR Audit
• Top Areas Reported
  – Security
    • Risk analysis
    • Access control
    • Contingency planning
    • Media movement and disposal, and
    • Audit controls and monitoring
  – Privacy
    • Notice of privacy practices
    • Access of individuals
    • Minimum necessary, and
    • Authorizations

Results of OCR Audit

Risk Assessment – Why the Fuss?
• Conducting a formalized Risk Assessment is essential
• The HIPAA Security and Breach Rule Framework is built on the results of the Risk Assessment process
  – The results of the risk assessment are what will drive the compliance initiative and will be the foundation on which the security activities are built

Risk Assessment – Why the Fuss?
• OCR has made it very clear that all covered entities must have a formalized risk assessment
  – Prediction – if your organization is selected for an audit, your documented risk assessment will be one of the items selected for review

Risk Assessment Requirement
• Required implementation specification at §164.308(a)(1)(ii)(A)
  – Requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Risk Management Requirement
• Once the risks are identified they must be managed
• Required implementation specification at §164.308(a)(1)(ii)(B) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

§164.306 Security standards: General rules
• §164.306(a) – Covered entities and business associates must do the following:
  – (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits
  – (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  – (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
  – (4) Ensure compliance with this subpart by its workforce

Risk in Perspective

What are the steps?
• Scope of the Analysis – the scope of the risk analysis includes all the people, processes and technology that are involved in the creation, transmission, maintenance and/or storage of ePHI
• Data Collection – an organization must identify where data is being stored, received, maintained or transmitted. If your organization is hosting health information at a HIPAA-compliant data center, the organization will need to contact their hosting provider to document where and how the data is stored
• Identify and Document Potential Threats and Vulnerabilities – identify and document any reasonably anticipated threats to ePHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution

What are the steps?
• Assess Current Security Measures – inventory all of the existing security controls implemented by the organization and determine how effective they are in managing the threats and vulnerabilities identified in the previous step
• Determine the Likelihood of Threat Occurrence – for each threat event, determine how likely the event is to occur relative to the organization’s specific circumstances
• Determine the Potential Impact of Threat Occurrence – by using either qualitative or quantitative methods, assess the maximum impact that a data threat would have on your organization
  – How many people could be affected? What extent of private data could be exposed – just medical records, or both health information and billing information combined?

What are the steps?
• Determine the Level of Risk – combine the likelihood of the occurrence with the potential impact to determine the ultimate risk level. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk, should the resulting risk be too high
• Finalize Documentation – summarize everything in an organized document – HHS does not specify a particular format, but it does require the analysis in writing
• Periodic Review and Updates to the Risk Assessment – it is important to ensure that the risk analysis process is ongoing – one requirement includes conducting a risk analysis on a regular basis
***Be sure the person conducting the risk assessment has the technical capacity to understand and communicate all the risks***
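A worked version of the steps above as a small risk register, added here as an example and not part of the original presentation: the three-point likelihood and impact scale, the acceptance threshold, the review interval and the three sample entries are all assumptions, and the assets, figures and hosting provider are invented placeholders.

```python
"""Constructed HIPAA Security Rule risk register (example, not from the deck).

Walks the step sequence: scope the ePHI assets, record threats and
vulnerabilities, note the controls already in place, rate likelihood and
impact, combine them into a risk level, require documented corrective actions
where the level is too high, and emit the written record with a review date.
"""
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
import json

# Assumed qualitative scale; the rule allows qualitative or quantitative methods.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Assumed acceptance threshold: a likelihood x impact score above this is
# "too high" and must carry documented corrective actions.
ACCEPT_THRESHOLD = 2


@dataclass
class RiskItem:
    asset: str               # where ePHI is created, received, maintained or transmitted
    threat: str              # reasonably anticipated threat to ePHI
    vulnerability: str
    existing_controls: list  # controls already implemented (assess current measures)
    likelihood: str          # low / medium / high, judged with existing controls in place
    impact: str              # low / medium / high
    people_affected: int     # inputs that drove the impact rating
    data_types: list         # e.g. medical records, billing information
    corrective_actions: list = field(default_factory=list)


def risk_score(item: RiskItem) -> int:
    """Determine the level of risk: combine likelihood and impact (1..9)."""
    return LEVELS[item.likelihood] * LEVELS[item.impact]


def risk_level(score: int) -> str:
    """Map a score onto the assumed low / medium / high risk levels."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def validate(item: RiskItem) -> None:
    """Reject entries that could not be defended in the written record."""
    for rating in (item.likelihood, item.impact):
        if rating not in LEVELS:
            raise ValueError(f"{item.asset}: unknown rating {rating!r}")
    if risk_score(item) > ACCEPT_THRESHOLD and not item.corrective_actions:
        raise ValueError(f"{item.asset}: risk above threshold but no corrective actions documented")


def build_register(items, assessed_on: date, review_after_days: int = 365) -> dict:
    """Finalize documentation: the written record, including the next review date."""
    rows = []
    for item in items:
        validate(item)
        score = risk_score(item)
        row = asdict(item)
        row["score"] = score
        row["level"] = risk_level(score)
        rows.append(row)
    rows.sort(key=lambda r: r["score"], reverse=True)  # highest risk first
    return {
        "assessed_on": assessed_on.isoformat(),
        "next_review": (assessed_on + timedelta(days=review_after_days)).isoformat(),
        "scope": sorted({item.asset for item in items}),  # scope of the analysis
        "items": rows,
        "open_items": sum(1 for r in rows if r["score"] > ACCEPT_THRESHOLD),
    }


def sample_items():
    """Constructed entries; the assets, numbers and controls are invented."""
    return [
        RiskItem("Hosted EHR database (hosting provider name is a placeholder)",
                 "Access by a former workforce member",
                 "Accounts not disabled at termination",
                 ["Quarterly access review"], "medium", "high", 12000,
                 ["medical records", "billing information"],
                 ["Tie account deactivation to HR off-boarding", "Require MFA on the EHR portal"]),
        RiskItem("Nurse laptops used for home visits",
                 "Loss or theft of device",
                 "Full-disk encryption not enforced fleet-wide",
                 ["Asset inventory", "Screen-lock policy"], "high", "high", 800,
                 ["medical records"],
                 ["Enforce full-disk encryption through device management", "Enable remote wipe"]),
        RiskItem("Multifunction copier/fax with internal storage",
                 "Recovery of stored ePHI at disposal",
                 "No sanitisation step for copier storage before return to lessor",
                 ["Disposal vendor contract"], "low", "medium", 50,
                 ["medical records"]),
    ]


if __name__ == "__main__":
    print(json.dumps(build_register(sample_items(), date(2014, 1, 15)), indent=2))
```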

Penalties for Non-Compliance
• Tiered structure based on the level of culpability:
  – Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation
  – Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect
  – Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery
  – Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery

Penalties for Non-Compliance

* CMP = Civil Monetary Penalty

Penalties for Non-Compliance
• While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, there is some flexibility built into the Final Rule with respect to imposition of such penalties as long as the violations are NOT due to Willful Neglect

Breach Notification Rule
• HHS defines "breach" as the "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI
• Under the interim rule, the phrase “compromise” meant the inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm
  – Risk of harm standard was too subjective

Breach Notification Rule
The Final Rule changed the term “compromise” to mean that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a "breach," unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment

Breach Notification Rule
• Four-part Risk Assessment:
  – The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification
  – The unauthorized person who used the PHI or to whom the disclosure of PHI was made
  – Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired
  – The extent to which the risk to the PHI has been mitigated
***The Risk Assessment and results thereof must be documented and stored for reference***

Notification Requirements
• Varies based on the number of affected individuals
  – Must notify the individual, without unreasonable delay and in no case later than 60 days from discovery of the breach
  – If fewer than 500 people are affected, must notify the Secretary annually, within 60 days after the end of the calendar year in which the breach occurred
  – If more than 500 people are affected, must notify the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach
  – If more than 500 people are affected in a single state or jurisdiction, must notify prominent media outlets

Notification Requirements
Covered entities are ultimately responsible for notifying individuals. The task can be contracted to the business associate that “caused” the breach, but ultimately HHS is going to hold the covered entity responsible for notification in a timely manner

Questions?
Tom DeMayo, CISSP, CIPP, CPT, CEH, MCSE
Director, IT Audit and Consulting Services
TDeMayo@odpkf.com
646.449.6353

Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
 
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
A.I. Bot Summit 3 Opening Keynote - Perry Belcher
A.I. Bot Summit 3 Opening Keynote - Perry BelcherA.I. Bot Summit 3 Opening Keynote - Perry Belcher
A.I. Bot Summit 3 Opening Keynote - Perry Belcher
 
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxBanana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
 

Healthcare Security Risk Assessment

  • 1. HealthCare Information Security – An Evolving Regulatory Landscape with Increasing Stakes
    Thomas J. DeMayo, Director, IT Audit and Consulting Services, TDeMayo@odpkf.com

  • 2. HIPAA – The History
    • Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996 to encourage electronic transmission of payer/patient information and payment
    • Privacy Rule – (2003) Designed to ensure patient health information was guaranteed a minimum level of protection across all states
    • Security Rule – (2005) Added administrative, technical and procedural safeguards to electronic protected health information (ePHI)
      – Complements the Privacy Rule

  • 3. HIPAA – The History
    • HITECH – (2009) Enacted to promote and expand the adoption of Health Information Technology
      – Added increased restrictions (e.g. Privacy and Security Rules now apply to Business Associates (“BA”))
      – Enhanced civil monetary penalties – e.g. tiered penalty structure with penalties up to $1.5m per year for each violation
      – Introduced the Breach Notification Rule
      – Required HHS to perform periodic audits of Covered Entities (“CE”)

  • 4. HIPAA – The History
    • Omnibus Rule (2013) – Finalized and/or modified provisions of the Interim Rule and/or added additional provisions

  • 5. Privacy Rule!!!!!
    • Sorry – We will not be discussing the Privacy Rule

  • 6. Security Rule Changes
    • The Final Rule did not make any changes to the Security Rule
      – Confirmed that the Security Rule applies to business associates
      – Extended the application of the rule to subcontractors
      – Expanded liability for storage providers (e.g. Cloud Providers)

  • 7. Security Rule Clarification
    • Health and Human Services (“HHS”) clarified:
      • “Flexibility of approach” or “Reasonableness” of the controls continue to apply; however, documentation of the approach and rationale is required
      • Internet, Extranets, and Intranets are forms of electronic transmission media – if they transmit ePHI they are in scope
        – Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered transmission via electronic media if the information did not exist in electronic form immediately prior to transmission
      • Copiers and fax machines that store ePHI are subject to the Security Rule requirements

  • 8. What exactly is the Security Rule?
    • Consists of 78 standards that encompass administrative, technical, and physical safeguards
      – Administrative – policies, awareness training, assigning a security officer
      – Technical – passwords, antivirus, firewalls
      – Physical – physical storage of electronic media, positioning of equipment

  • 9. What exactly is the Security Rule?
    • The standards (what must be done) contain implementation specifications (how it must be done)
    • Implementation Specifications are either:
      – Required – the specification must be implemented as stated

  • 10. What exactly is the Security Rule?
    • Implementation Specifications are either: (cont…)
      – Addressable – must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:
        • Implement the addressable implementation specification as stated;
        • Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
        • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment

  • 11. What exactly is the Security Rule?
    • Of the 78 standards:
      – 26 are Addressable
      – 52 are Required
    ***Addressable Does NOT imply OPTIONAL***

  • 12. Results of Office For Civil Rights Audit
    • Audits in 2012 showed that the Security Rule requirements are not being met by covered entities
      – Office for Civil Rights (“OCR”) officials have publicly stated this must change
    • Of the 159 covered entities audited
      – 10% of selectees had no audit findings
      – 10% of selectees were totally unprepared for audit

  • 13. Results of OCR Audit
    • Of the 159 covered entities audited (cont…)
      – Security accounted for more than 60% of audit findings
      – Providers had the greatest proportion of findings – 65%
      – Smallest entities struggled the most in all three areas
      – Significantly fewer findings for those entities who fully implemented addressable specifications
      – Most common excuse heard for non-compliance – “unaware of the requirement”
      – Lack of application of sufficient resources, incomplete implementation, complete disregard

  • 14. Results of OCR Audit
    • Top Areas Reported
      – Security
        • Risk analysis
        • Access control
        • Contingency planning
        • Media movement and disposal
        • Audit controls and monitoring
      – Privacy
        • Notice of privacy practices
        • Access of individuals
        • Minimum necessary
        • Authorizations

  • 15. Results of OCR Audit (chart only)

  • 16. Risk Assessment – Why the Fuss?
    • Conducting a formalized Risk Assessment is essential
    • The HIPAA Security and Breach Rule Framework is built on the results of the Risk Assessment process
      – The results of the risk assessment are what will drive the compliance initiative and will be the foundation on which the security activities are built

  • 17. Risk Assessment – Why the Fuss?
    • OCR has made it very clear that all covered entities must have a formalized risk assessment
      – Prediction – if your organization is selected for an audit, your documented risk assessment will be one of the items selected for review

  • 18. Risk Assessment Requirement
    • Required implementation specification at §164.308(a)(1)(ii)(A)
      – Requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

  • 19. Risk Management Requirement
    • Once the risks are identified they must be managed
    • Required implementation specification at §164.308(a)(1)(ii)(B)
      – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

  • 20. §164.306 Security standards: General rules
    • §164.306(a) – Covered entities and business associates must do the following:
      – (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits
      – (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
      – (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
      – (4) Ensure compliance with this subpart by its workforce

  • 22. What are the steps?
    • Scope of the Analysis – the scope of the risk analysis includes all the people, processes and technology that are involved in the creation, transmission, maintenance and/or storage of ePHI
    • Data Collection – an organization must identify where data is being stored, received, maintained or transmitted. If your organization is hosting health information at a HIPAA compliant data center, the organization will need to contact their hosting provider to document where and how the data is stored
    • Identify and Document Potential Threats and Vulnerabilities – identify and document any reasonably anticipated threats to ePHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution

  • 23. What are the steps?
    • Assess Current Security Measures – inventory all of the existing security controls implemented by the organization and determine how effective they are in managing the threats and vulnerabilities identified in the previous step
    • Determine the Likelihood of Threat Occurrence – for each threat event, determine how likely the event is to occur relative to the organization’s specific circumstances
    • Determine the Potential Impact of Threat Occurrence – by using either qualitative or quantitative methods, assess the maximum impact that a data threat would have on your organization
      – How many people could be affected? What extent of private data could be exposed – just medical records, or both health information and billing information combined?

  • 24. What are the steps?
    • Determine the Level of Risk – combine the likelihood of the occurrence with the potential impact to determine the ultimate risk level. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk, should the resulting risk be too high
    • Finalize Documentation – summarize everything in an organized document – HHS doesn’t specify a specific format, but they do require the analysis in writing
    • Periodic Review and Updates to the Risk Assessment – it is important to ensure that the risk analysis process is ongoing – one requirement includes conducting a risk analysis on a regular basis
    ***Be sure the person conducting the risk assessment has the technical capacity to understand and communicate all the risks***

  • 25. Penalties for Non-Compliance
    • Tiered structure based on the level of culpability:
      – Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation
      – Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect
      – Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery
      – Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery

  • 26. Penalties for Non-Compliance (penalty table only)
    * CMP = Civil Monetary Penalty

  • 27. Penalties for Non-Compliance
    • While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, there is some flexibility built into the Final Rule with respect to imposition of such penalties as long as the violations are NOT due to Willful Neglect

  • 28. Breach Notification Rule
    • HHS defines “breach” as the “acquisition, access, use, or disclosure” of PHI in violation of the Privacy Rule that “compromises the security or privacy” of the PHI
    • Under the interim rule, the phrase “compromise” meant the inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm
      – The risk of harm standard was too subjective

  • 29. Breach Notification Rule
    • The Final Rule changed the term “compromise” to mean that unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a “breach,” unless the HIPAA-covered entity can demonstrate there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment

  • 30. Breach Notification Rule
    • Four-part Risk Assessment:
      – The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification
      – The unauthorized person who used the PHI or to whom the disclosure of PHI was made
      – Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired
      – The extent to which the risk to the PHI has been mitigated
    ***The Risk Assessment and results thereof must be documented and stored for reference***

  • 31. Notification Requirements
    • Varies based on the number of affected individuals
      – Must notify the individual, without unreasonable delay and in no case later than 60 days from discovery of the breach
      – If fewer than 500 people are affected, must notify the Secretary annually within 60 days after the end of the calendar year in which the breach occurred
      – If more than 500 people are affected, must notify the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach
      – If more than 500 people are affected in a single state or jurisdiction, must notify prominent media outlets

  • 32. Notification Requirements
    • Covered entities are ultimately responsible for notifying individuals. The task can be contracted to the business associate that “caused” the breach, but ultimately, HHS is going to hold the covered entity responsible for notification in a timely manner

  • 33. Questions?
    Tom DeMayo, CISSP, CIPP, CPT, CEH, MCSE
    Director, IT Audit and Consulting Services
    TDeMayo@odpkf.com
    646.449.6353

Editor's Notes

  1. Describe our combination and the benefits