
1. Healthcare Information Security Risks and Compliance
2016 Colorado CSA Fall Summit | November 10, 2016
Ram Ramadoss, Vice President, CRP Privacy, Information Security and EHR Compliance Oversight, Catholic Health Initiatives
www.cloudsecurityalliance.org
Copyright © 2016 Cloud Security Alliance
2. Overview
• About Catholic Health Initiatives
• Healthcare Industry Overview
• Top Technology Trends
• HIPAA Compliance/Risk Assessment
• OCR's Cloud Computing Guidance
• Q&A

3. About Catholic Health Initiatives
• The nation's third-largest nonprofit health system
• CHI operates in 19 states and comprises 103 hospitals, including four academic health centers and major teaching hospitals as well as 30 critical-access facilities, plus home health and senior living facilities
• Other facilities and services that span the inpatient and outpatient continuum of care
4. Healthcare Industry

5. Overview
• Current state
• Evolution
• Complexity
• Challenges and opportunities

6. Evolution
• Major consolidation of healthcare providers
• Small and medium-sized practices are struggling
• A major movement to Electronic Health Record (EHR) systems
• An increasing shift towards outsourcing
• Competing priorities and budget limitations
• Consumerization

7. Complexity
• A significant number of legacy electronic systems
• A 20-plus-year retention requirement for medical records, which keeps old systems and data formats in service
• Legacy medical devices, increasingly with wireless capability

8. Security Challenges Unique to the Healthcare Sector
• Protected Health Information (PHI) includes fundamental, unchanging facts about a patient (date of birth, diagnoses, Social Security number); unlike a payment card number, it cannot be reissued after a breach
• Average cost of a security breach: $363 per record in healthcare versus $154 per record in other industries
• In 2015 alone, 113 million patients were affected by breaches
• Fraud opportunities for criminals include:
  - Identity theft
  - Exploitation of insurance details
  - Fraudulent use of prescription drug benefits

9. Challenges and Opportunities
Challenges:
• Vulnerabilities and weak security controls
• An aggressive threat landscape
• HIPAA regulatory requirements
Opportunities:
• Providers are urgently looking for technology solutions
• An open-minded approach to outsourcing
• Exploring efficiency and automation opportunities
10. Top Technology Trends

11. The Consumerization of Healthcare
• Consumers connected to the new healthcare economy
• A greater expectation of a personalized experience
• Business intelligence tools to derive patterns and consumer trends

12. Big Data
• 360-degree view of customers/patients
• Unstructured data to support predictive analytics
• Increasing focus on health clouds
• Medium-sized providers: a huge opportunity
• Large healthcare providers: partnerships

13. Mobile Devices/Applications
• Not just the Millennials
• Access to health information using smartphones
• Online scheduling / insurance shopping / virtual care
• Developing a digital ecosystem
• Patient/physician portals; information sharing
  - Engagement and interactions with patients
14. Patient Data vs Patient Safety Focus

15. HIPAA Compliance and Risk Assessments

16. Business Associate Agreements (BAA)
• A contractual agreement between a Covered Entity (CE) and any third-party company with access to patient information (the Business Associate)
• A mandatory requirement: HIPAA Administrative Safeguard (45 CFR § 164.308(b)), with the required contract terms set out in 45 CFR § 164.504(e)
• Key provisions include, but are not limited to:
  - Return or destruction of Protected Health Information (PHI) upon termination
  - Safeguarding of ePHI and breach notification

17. Information Security Amendments
• Additional language regarding a minimum security program
• Security provisions regarding access from foreign locations and storage of data outside the country
• Risk stratification of partners and Business Associates
• Monitoring of partners' security and compliance

18. Suppliers/Business Associates
Facts:
• Increasing outsourcing activities (business process/IT)
• Cloud-based electronic health record systems
• Patient care programs rely on the support received from partners/BAs
Mitigation:
• Cybersecurity insurance coverage
• BAAs and security amendments
• Contractual controls on access and storage outside the United States
• Supplier risk management program
19. The Office for Civil Rights' (OCR) Cloud Computing Guidance

20. Cloud Computing Guidance
• Covered Entities (CEs) must execute BAAs with Cloud Service Providers (CSPs) before ePHI is placed in the cloud; OCR has recently fined a CE for failing to do so
• Risk analysis: required of both the CE and the CSP
• Service Level Agreements (SLAs) should address (and must be consistent with the BAA):
  - System availability and reliability
  - Back-up and data recovery
  - The manner in which data will be returned to the customer after service termination
  - Security responsibility
  - Use, retention and disclosure limitations

21. Cloud Computing Guidance
• A CSP is directly liable under the HIPAA Privacy Rule for:
  - Uses and disclosures of PHI not authorized by its contract or required by law
• A CSP is directly liable under the HIPAA Security Rule for:
  - Failure to safeguard ePHI
  - Failure to notify the Covered Entity of a breach of unsecured PHI (Breach Notification Rule)
• A CSP is still a Business Associate:
  - Even if the data it stores is encrypted
  - Even if the CSP holds no decryption key and cannot view the data ("no-view" services)

22. Cloud Computing Guidance
• Can a CSP be considered a "conduit" like the postal service?
  - The conduit exception is limited to transmission-only services for PHI, including any temporary storage of PHI incident to that transmission; a CSP that stores ePHI is not a conduit
• A CSP that lacks actual knowledge that its services are used to handle ePHI:
  - Has an affirmative defense if it corrects the non-compliance within 30 days of when it knew, or should have known, that it was handling ePHI
• Breach notification: CSPs must implement:
  - Policies and procedures
  - Documentation of security incidents
  - Reporting of incidents to the CE (or to the Business Associate that is its customer)

23. Cloud Computing Guidance
• CSPs must return or destroy all PHI at the termination of the BAA where feasible
  - If return or destruction is not feasible, the BAA must extend the privacy and security protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible
• HIPAA does not restrict storage of data outside the US
  - Risk analysis is the key: it must account for the risks of the foreign location (e.g., the legal environment and threat activity in that jurisdiction)
• Customers may require additional assurances from CSPs, such as documentation of safeguards or audits
• De-identified information, per the HIPAA Privacy Rule:
  - A CSP that receives only de-identified data is not a Business Associate