Breach Notification Wizard:
Lessons in Knowledge
Management
© 2019 3Lions Publishing, Inc.
All rights reserved.
1
Carlos Leyva, Esq.
CEO, 3Lions Publishing, Inc.
HIPAA Survival Guide Publisher
www.hipaasurvivalguide.com
Attorney and Managing Partner
Digital Business Law Group, P.A.
Internet Law
www.digitalbusinesslawgroup.com
2
Agenda
• Introduction
• Breach Notification:
• When is it Triggered?
• Notification to Stakeholders?
• Tracking Security Incidents?
• Knowledge Management
• Q&A
3
Background
4
Intersection of
HITECH & HIPAA
5
When is Breach
Notification Triggered?
6
Notification Analytical Framework
1. Was there an impermissible use or
disclosure of unsecured PHI?
2. Does an exception to the breach rule
apply?
3. Is there a low probability that the
protected health information was
compromised?
See our Breach Notification Framework
7
Impermissible use or disclosure of
unsecured PHI?
Two component parts to this
question: 1) Impermissible use or
disclosure; and 2) Unsecured
PHI?
8
What is unsecured PHI?
Unsecured PHI: protected health
information that has not been
rendered unusable, unreadable, or
indecipherable to unauthorized
individuals through the use of
encryption or destruction.
9
PHI States & HHS Encryption Guidance
State of PHI: Specification to Meet or Exceed
• PHI at Rest: NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
• PHI in Motion: NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
• PHI Disposed: The media on which the PHI is stored or recorded has been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction. (ii) Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
• PHI in Use: Data in use is data in the process of being created, retrieved, updated, or deleted. HHS did not issue guidance regarding PHI in Use, however standard access control technologies should suffice.
10
What is an impermissible use or
disclosure?
An impermissible use or
disclosure is one that
violates the HIPAA Privacy
Rule…
11
Covering the Basics: Is it PHI?
12
Security Incident Document?
13
Is the PHI secured?
14
15
What is the bottom line?
If PHI is secured according to
the Secretary’s guidance then
breach notification will never be
triggered by definition.
Essentially, securing PHI
according to the guidance
provides the ultimate breach
notification “safe harbor.”
16
Security Rule Implications?
• The Security Rule (“SR”) suggests but does NOT mandate
the use of encryption and related technologies in order to
secure PHI. See §164.312 (e) Technical safeguards.
• A covered entity or business associate may be in
compliance with the Security Rule despite the fact that
technologies recommended by the Secretary are not used.
• However, if the recommended technologies are not used then
the PHI in question will be treated as unsecured and
therefore breach notification may be triggered. See the
Breach Notification Framework.
17
Security Rule Implications?
• The practical reality is that business associates and covered
entities will likely have some PHI encrypted (e.g. where an
EHR vendor provides it as part of their offering) while other
PHI will remain in paper form or stored electronically but not
encrypted.
• From a Security Rule compliance perspective, it is critical that
the required Security Rule Risk Analysis capture where
encryption and related technologies have been applied, so as
to facilitate a subsequent breach notification analysis.
See §164.308(a)(1) (Administrative safeguards).
18
NIST Publication 800-111
• This is the NIST document that pertains to PHI at Rest.
• PHI at Rest is best thought of as PHI that is “stored” in end user devices
(e.g. desktops, laptops, etc.), in file and database servers, in consumer
devices (e.g. personal digital assistants, smart phones, etc.) and in
removable storage media (e.g., USB flash drives, memory cards, external
hard drives, writeable CDs and DVDs).
• PHI at Rest represents the “lion’s share” of the PHI that requires
protection. It also represents the most significant challenge in terms of
cost and operational complexity, especially because of the explosion in
consumer devices and removable storage media.
• Assume that not all PHI at Rest will be encrypted as required anytime in
the foreseeable future, and plan accordingly. For example, the amount of
paper based PHI not subject to encryption will remain significant for
many years to come. Further, even a substantial amount of electronically
stored PHI may remain “unsecured” due to operational considerations.
19
NIST Publication 800-52
• This is the NIST document that pertains to PHI in Motion.
• PHI in Motion is best thought of as PHI that is “moving across the wire”
either between applications that are communicating over the Internet or
between applications communicating within the organization’s Intranet.
• The technology that NIST recommends for securing PHI in Motion is
Transport Layer Security (“TLS”). TLS is a protocol created to provide
authentication, confidentiality and data integrity between two communicating
applications.
• TLS protects PHI in Motion at the transport layer of the ISO seven-
layer communications model (also known as the seven-layer stack) and
thereby allows two applications communicating PHI across the wire to
secure communications without the need for intermediaries to participate.
• The TLS protocol specifications use cryptographic mechanisms to
implement the security services that establish and maintain a secure
TCP/IP connection. The secure connection prevents eavesdropping,
tampering, or message forgery and thereby protects PHI in Motion from
unauthorized use.
The ISO Communications Stack
[Figure: two seven-layer stacks (Application, Presentation, Session, Transport, Network (IP), Data Link, Physical) connected over the Internet / Intranet (IP), with TLS and TCP marked at the Transport layer. Caption: TLS protects PHI in Motion across the wire.]
PHI “Touch Points”
[Figure: the parties that exchange PHI: Patient EHRs, Facilities, Labs, Radiology Facilities, Other Providers, Insurers, RHIEs, CMS, Agencies, Others.]
21
22
NIST Publication 800-88
• This is the NIST document that pertains to PHI Disposed or “sanitized.”
• When storage media are transferred, become obsolete, or are no longer
usable or required by an information system containing PHI, it is important to
ensure that residual magnetic, optical, electrical, or other representation of PHI
that has been deleted (assuming that it has) is not easily recoverable.
• Sanitization refers to the general process of removing data from storage
media, such that there is reasonable assurance that PHI may not be easily
retrieved and reconstructed.
• Covered entities and business associates must sanitize information system
digital media containing PHI using approved equipment, techniques, and
procedures prior to its release outside of the organization or if made available
for alternative uses internally.
• Covered entities and business associates must track and document
sanitization and destruction actions and periodically test PHI sanitization
equipment/procedures to ensure correct performance.
23
Sanitization Methods
Method: Description
• Clearing: Clearing is a method that protects the confidentiality of PHI against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. Clearing uses “overwrite” technology to remove all traces of PHI, preventing most (but not all) unauthorized uses.
• Purging: Purging is a sanitization method that protects the confidentiality of PHI against a laboratory attack. A laboratory attack involves a threat with the resources and knowledge to use nonstandard systems to conduct PHI recovery attempts on a device outside its normal operating environment. Degaussing is an example of a technology that can be used for purging.
• Destroying: Destruction of PHI is the ultimate form of sanitization. After PHI is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting, depending on the media.
Is the PHI secured?
24
Impermissible use or disclosure?
25
26
Impermissible use or disclosure?
Does a Breach exception apply?
• At this point you have determined that there has been an
impermissible use or disclosure of unsecured PHI
• Three Exceptions
1. Under certain conditions—any unintentional
acquisition, access, or use of PHI by a workforce
member or person acting under the authority of a CE
or a BA…if no further use or disclosure is
contemplated
2. Any inadvertent disclosure by a person who is
authorized to access PHI at a CE or BA to another
person authorized to access PHI at the same covered
entity or business associate…
3. A disclosure of PHI where a CE or BA has a good faith
belief that an unauthorized person to whom the
disclosure was made would not reasonably have
been able to retain such information.
27
What is the probability?
• At this point you have determined that no breach exceptions
apply and therefore what remains to be determined is whether
there “was a low probability that the PHI in question was
compromised?”
• Risk Analysis Approach (“RA”)—Four Factors
1. the nature and extent of the PHI involved, including the
types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the
PHI was disclosed;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.
28
What is the probability?
As discussed, the “Risk of Harm” analysis has been removed and
replaced with a more objective “Risk Assessment” or “RA”
approach.
Therefore, breach notification is NOT required under the Omnibus
Rule if a CE or BA demonstrates through the RA, that there is a
low probability that the PHI has been compromised, rather than
having to demonstrate that there is no significant risk of harm to the
individual, as was provided for in the IFR.
29
Analytical Framework Revisited
• If there is not a low probability of compromise
then notification is mandated
30
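The analytical framework above, walked through in code as an added example (it is not part of the original deck or of the Breach Notification Wizard product). The control labels, field names and sample incidents are constructed for illustration, and treating an incomplete four-factor risk assessment as "notification required" is this example's assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PhiState(Enum):
    AT_REST = "at rest"
    IN_MOTION = "in motion"
    DISPOSED = "disposed"
    IN_USE = "in use"


class Outcome(Enum):
    NO_PHI = "not PHI: outside the breach rule"
    SECURED = "secured PHI: notification not triggered"
    PERMITTED = "no impermissible use or disclosure"
    EXCEPTION = "breach exception applies"
    LOW_PROBABILITY = "risk assessment shows low probability of compromise"
    NOTIFY = "notification required"


# Labels are this example's shorthand for the rows of the HHS guidance table.
# PHI in use has no HHS guidance, so no control can mark it secured here.
ACCEPTED_CONTROLS = {
    PhiState.AT_REST: {"sp800-111-encryption"},
    PhiState.IN_MOTION: {"sp800-52-tls", "sp800-77-ipsec", "sp800-113-ssl-vpn"},
    PhiState.DISPOSED: {"hardcopy-shredded", "sp800-88-sanitized"},
    PhiState.IN_USE: set(),
}
# Shorthand for the three breach exceptions listed in the deck.
EXCEPTIONS = {"unintentional-workforce-access",
              "inadvertent-internal-disclosure",
              "recipient-could-not-retain"}
# The four risk assessment factors, in the order the deck lists them.
RA_FACTORS = ("nature_and_extent", "unauthorized_person",
              "acquired_or_viewed", "mitigation")


@dataclass
class Incident:
    incident_id: str
    involves_phi: bool
    state: PhiState
    control: Optional[str] = None       # as recorded in the risk analysis
    impermissible: bool = True          # violates the Privacy Rule
    exception: Optional[str] = None
    ra_findings: Optional[dict] = None  # factor name -> documented finding
    ra_low_probability: bool = False    # conclusion reached by the assessor


def is_secured(state: PhiState, control: Optional[str]) -> bool:
    """True only if the recorded control is accepted for this PHI state."""
    return control in ACCEPTED_CONTROLS[state]


def analyze(inc: Incident) -> Tuple[Outcome, List[str]]:
    """Walk the framework in order; return the outcome and an audit trail."""
    trail = []
    if not inc.involves_phi:
        return Outcome.NO_PHI, trail + ["Is it PHI? no"]
    trail.append("Is it PHI? yes")
    if is_secured(inc.state, inc.control):
        trail.append(f"PHI {inc.state.value} secured by {inc.control}")
        return Outcome.SECURED, trail
    trail.append(f"PHI {inc.state.value} is unsecured "
                 f"(control: {inc.control or 'none recorded'})")
    if not inc.impermissible:
        return Outcome.PERMITTED, trail + ["Use or disclosure was permitted"]
    trail.append("Impermissible use or disclosure of unsecured PHI")
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception: {inc.exception}")
        return Outcome.EXCEPTION, trail + [f"Exception: {inc.exception}"]
    findings = inc.ra_findings or {}
    missing = [f for f in RA_FACTORS if not findings.get(f)]
    if missing:  # low probability cannot be demonstrated without all four
        trail.append("Risk assessment incomplete: " + ", ".join(missing))
        return Outcome.NOTIFY, trail
    if inc.ra_low_probability:
        return Outcome.LOW_PROBABILITY, trail + ["RA: low probability"]
    return Outcome.NOTIFY, trail + ["RA: not a low probability"]


def sample_incidents() -> List[Incident]:
    """Constructed incidents, one per branch of the framework."""
    full_ra = {f: "documented" for f in RA_FACTORS}
    return [
        Incident("lost-laptop", True, PhiState.AT_REST, "sp800-111-encryption"),
        Incident("lost-usb", True, PhiState.AT_REST),
        Incident("redacted-charts", True, PhiState.DISPOSED, "redaction",
                 ra_findings=full_ra, ra_low_probability=True),
        Incident("misrouted-email", True, PhiState.IN_MOTION,
                 exception="inadvertent-internal-disclosure"),
        Incident("shared-session", True, PhiState.IN_USE, "access-control",
                 ra_findings=full_ra, ra_low_probability=False),
    ]


if __name__ == "__main__":
    for incident in sample_incidents():
        outcome, trail = analyze(incident)
        print(f"{incident.incident_id}: {outcome.value}")
        for step in trail:
            print("   ", step)
```
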
Breach
Notification
Wizard?
31
Shameless Plug
42
Expresso®
43
Innovation Legal
Methodology Products
Support Services
What makes us different from our
competitors?
360 Degrees of Differentiation !
48
We provide the
recipe and not just
the ingredients…
store.hipaasurvivalguide.com
www.hipaasurvivalguide.com
3Lions Publishing, Inc. 800-516-7903
49
We provide
educational products
you can execute on
starting day one!
50
Agile
Compliance
Products!
51
Agnostic!
52
Wetware!
53
Accept
NO
Substitute!
54
Look Inside
Click on any of the product covers to “look inside.”
55
Carlos Leyva
CEO, 3Lions Publishing, Inc.
Selected Products
1. HSG Subscription Plan $2,495
2. Comprehensive Training Modules
3. Business Associate Contract
4. Privacy Rule Checklist
5. Security Rule Checklist
6. CSMM Checklist
7. Breach Notification Framework
AGILE Products
Benefits
• Live links to statutes and regulations
• Easy to understand & actionable
• Customizable to your requirements
• Reusable
• Save thousands on legal & technical
consulting fees
56
Thank you for attending
Questions may be sent to support@3lionspublishing.com
57

 
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near MeVIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
 
Call Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service Guwahati
Call Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service GuwahatiCall Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service Guwahati
Call Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service Guwahati
 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
 
Call Girl Dehradun Aashi 🔝 7001305949 🔝 💃 Independent Escort Service Dehradun
Call Girl Dehradun Aashi 🔝 7001305949 🔝 💃 Independent Escort Service DehradunCall Girl Dehradun Aashi 🔝 7001305949 🔝 💃 Independent Escort Service Dehradun
Call Girl Dehradun Aashi 🔝 7001305949 🔝 💃 Independent Escort Service Dehradun
 
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real MeetChandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
 
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar SumanCall Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
 
Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Indira 9907093804 Independent Escort Service Hyd...
 
❤️♀️@ Jaipur Call Girl Agency ❤️♀️@ Manjeet Russian Call Girls Service in Jai...
❤️♀️@ Jaipur Call Girl Agency ❤️♀️@ Manjeet Russian Call Girls Service in Jai...❤️♀️@ Jaipur Call Girl Agency ❤️♀️@ Manjeet Russian Call Girls Service in Jai...
❤️♀️@ Jaipur Call Girl Agency ❤️♀️@ Manjeet Russian Call Girls Service in Jai...
 
Call Girls Service Chandigarh Gori WhatsApp ❤9115573837 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤9115573837 VIP Call Girls Chandi...Call Girls Service Chandigarh Gori WhatsApp ❤9115573837 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤9115573837 VIP Call Girls Chandi...
 
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In RaipurCall Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
Call Girl Raipur 📲 9999965857 ヅ10k NiGhT Call Girls In Raipur
 
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
Russian Call Girls Hyderabad Saloni 9907093804 Independent Escort Service Hyd...
 

Breach Notification Wizard Lessons

  • 1. Breach Notification Wizard: Lessons in Knowledge Management. © 2019 3Lions Publishing, Inc. All rights reserved.
  • 2. Carlos Leyva, Esq. CEO, 3Lions Publishing, Inc.; HIPAA Survival Guide Publisher (www.hipaasurvivalguide.com). Attorney and Managing Partner, Digital Business Law Group, P.A.; Internet Law (www.digitalbusinesslawgroup.com).
  • 3. Agenda: Introduction; Breach Notification (When is it Triggered? Notification to Stakeholders? Tracking Security Incidents?); Knowledge Management; Q&A.
  • 7. Notification Analytical Framework: 1. Was there an impermissible use or disclosure of unsecured PHI? 2. Does an exception to the breach rule apply? 3. Is there a low probability that the protected health information was compromised? See our Breach Notification Framework.
  • 8. Impermissible use or disclosure of unsecured PHI? Two component parts to this question: 1) Impermissible use or disclosure; and 2) Unsecured PHI?
  • 9. What is unsecured PHI? Unsecured PHI: protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption or destruction.
  • 10. PHI States & HHS Encryption Guidance (State of PHI: Specification to Meet or Exceed)
      • PHI at Rest: NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.
      • PHI in Motion: NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated.
      • PHI Disposed: The media on which the PHI is stored or recorded has been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction. (ii) Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
      • PHI in Use: Data in use is data in the process of being created, retrieved, updated, or deleted. HHS did not issue guidance regarding PHI in Use; however, standard access control technologies should suffice.
  • 11. What is an impermissible use or disclosure? An impermissible use or disclosure is one that violates the HIPAA Privacy Rule…
  • 12. Covering the Basics: Is it PHI?
  • 14. Is the PHI secured?
  • 15. What is the bottom line? If PHI is secured according to the Secretary’s guidance then breach notification will never be triggered by definition. Essentially, securing PHI according to the guidance provides the ultimate breach notification “safe harbor.”
  • 16. Security Rule Implications?
      • The Security Rule (“SR”) suggests but does NOT mandate the use of encryption and related technologies in order to secure PHI. See §164.312(e) Technical safeguards.
      • A covered entity or business associate may be in compliance with the Security Rule despite the fact that technologies recommended by the Secretary are not used.
      • However, if the recommended technologies are not used then the PHI in question will be treated as unsecured and therefore breach notification may be triggered. See the Breach Notification Framework.
  • 17. Security Rule Implications?
      • The practical reality is that business associates and covered entities will likely have some PHI encrypted (e.g. where an EHR vendor provides it as part of their offering) while other PHI will remain in paper form or stored electronically but not encrypted.
      • From a Security Rule compliance perspective, it is critical that the Required Security Rule Risk Analysis capture where encryption and related technologies have been applied so as to facilitate a subsequent breach notification analysis. See §164.308(a)(1) (Administrative safeguards).
  • 18. NIST Publication 800-111
      • This is the NIST document that pertains to PHI at Rest.
      • PHI at Rest is best thought of as PHI that is “stored” in end user devices (e.g. desktops, laptops, etc.), in file and database servers, in consumer devices (e.g. personal digital assistants, smart phones, etc.) and in removable storage media (e.g., USB flash drives, memory cards, external hard drives, writeable CDs and DVDs).
      • PHI at Rest represents the “lion’s share” of the PHI that requires protection. It also represents the most significant challenge in terms of cost and operational complexity, especially because of the explosion in consumer devices and removable storage media.
      • Assume that not all PHI at Rest will be encrypted as required anytime in the foreseeable future, and plan accordingly. For example, the amount of paper-based PHI not subject to encryption will remain significant for many years to come. Further, even a substantial amount of electronically stored PHI may remain “unsecured” due to operational considerations.
  • 19. NIST Publication 800-52
      • This is the NIST document that pertains to PHI in Motion.
      • PHI in Motion is best thought of as PHI that is “moving across the wire” either between applications that are communicating over the Internet or between applications communicating within the organization’s Intranet.
      • The technology that NIST recommends for securing PHI in Motion is Transport Layer Security (“TLS”). TLS is a protocol created to provide authentication, confidentiality and data integrity between two communicating applications.
      • TLS protects PHI in Motion at the transport layer of the ISO seven-layer communications model (also known as the seven-layer stack) and thereby allows two applications communicating PHI across the wire to secure communications without the need for intermediaries to participate.
      • The TLS protocol specifications use cryptographic mechanisms to implement the security services that establish and maintain a secure TCP/IP connection. The secure connection prevents eavesdropping, tampering, or message forgery and thereby protects PHI in Motion from unauthorized use.
  • 20. The ISO Communications Stack. [Figure: two seven-layer stacks (Application, Presentation, Session, Transport, Network (IP), Data Link, Physical) communicating over the Internet / Intranet (IP), with TLS and TCP at the Transport layer.] TLS protects PHI in Motion across the wire.
  • 22. NIST Publication 800-88
      • This is the NIST document that pertains to PHI Disposed or “sanitized.”
      • When storage media are transferred, become obsolete, or are no longer usable or required by an information system containing PHI, it is important to ensure that residual magnetic, optical, electrical, or other representation of PHI that has been deleted (assuming that it has) is not easily recoverable.
      • Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that PHI may not be easily retrieved and reconstructed.
      • Covered entities and business associates must sanitize information system digital media containing PHI using approved equipment, techniques, and procedures prior to its release outside of the organization or if made available for alternative uses internally.
      • Covered entities and business associates must track documents and sanitization and destruction actions and periodically test PHI sanitization equipment/procedures to ensure correct performance.
  • 23. Sanitization Methods (Method: Description)
      • Clearing: Clearing is a method that protects the confidentiality of PHI against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. Clearing uses “overwrite” technology to remove all traces of PHI, preventing most (but not all) unauthorized uses.
      • Purging: Purging is a sanitization method that protects the confidentiality of PHI against a laboratory attack. A laboratory attack involves a threat with the resources and knowledge to use nonstandard systems to conduct PHI recovery attempts on a device outside its normal operating environment. Degaussing is an example of a technology that can be used for purging.
      • Destroying: Destruction of PHI is the ultimate form of sanitization. After PHI is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting, depending on the media.
  • 24. Is the PHI secured?
  • 25. Impermissible use or disclosure?
  • 26. Impermissible use or disclosure?
  • 27. Does a Breach exception apply?
      • At this point you have determined that there has been an impermissible use or disclosure of unsecured PHI.
      • Three Exceptions:
          1. Under certain conditions—any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or a BA…if no further use or disclosure is contemplated.
          2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same covered entity or business associate…
          3. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
  • 28. What is the probability?
      • At this point you have determined that no breach exceptions apply and therefore what remains to be determined is whether there “was a low probability that the PHI in question was compromised?”
      • Risk Analysis Approach (“RA”)—Four Factors:
          1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
          2. the unauthorized person who used the PHI or to whom the PHI was disclosed;
          3. whether the PHI was actually acquired or viewed; and
          4. the extent to which the risk to the PHI has been mitigated.
  • 29. What is the probability? As discussed, the “Risk of Harm” analysis has been removed and replaced with a more objective “Risk Assessment” or “RA” approach. Therefore, breach notification is NOT required under the Omnibus Rule if a CE or BA demonstrates through the RA that there is a low probability that the PHI has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided for in the IFR.
  • 30. Analytical Framework Revisited: If there is not a low probability of compromise then notification is mandated.
  • 48. What makes us different from our competitors? 360 Degrees of Differentiation: Innovation, Legal, Methodology, Products, Support, Services.
  • 49. We provide the recipe and not just the ingredients… store.hipaasurvivalguide.com www.hipaasurvivalguide.com 3Lions Publishing, Inc. 800-516-7903
  • 50. We provide educational products you can execute on starting day one!
  • 55. Look Inside: Click on any of the product covers to “look inside.”
  • 56. Carlos Leyva, CEO, 3Lions Publishing, Inc.
      • Selected Products: 1. HSG Subscription Plan $2,495 2. Comprehensive Training Modules 3. Business Associate Contract 4. Privacy Rule Checklist 5. Security Rule Checklist 6. CSMM Checklist 7. Breach Notification Framework
      • AGILE Products Benefits: Live links to statutes and regulations; Easy to understand & actionable; Customizable to your requirements; Reusable; Save thousands on legal & technical consulting fees
  • 57. Thank you for attending. Questions may be sent to support@3lionspublishing.com
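
The three-step analytical framework of slides 7 to 30, combined with the secured-PHI table of slide 10, can be walked through in code for incident tracking. The following is an added example, not part of the original deck or any 3Lions product; the label strings, the `Incident` fields and the treatment of PHI in Use as having no safe harbor are assumptions of this example, and the four-factor risk assessment conclusion is supplied by the assessor rather than computed.

```python
from dataclasses import dataclass
from typing import Optional

# Slide 10: protections that render PHI "secured", per PHI state.
# The string labels are this example's own shorthand, not regulatory terms.
SECURED_BY = {
    "at_rest": {"encryption_sp800_111"},
    "in_motion": {"tls_sp800_52", "ipsec_sp800_77", "ssl_vpn_sp800_113"},
    # Redaction is deliberately absent: the guidance excludes it as destruction.
    "disposed": {"shredded", "destroyed", "cleared_sp800_88", "purged_sp800_88"},
    # "in_use" has no entry: HHS issued no guidance, so this example grants it
    # no safe harbor (an assumption of the example).
}
# Slide 27: the three breach exceptions (shorthand labels).
EXCEPTIONS = {"unintentional_workforce_access",
              "inadvertent_internal_disclosure",
              "recipient_could_not_retain"}

@dataclass
class Incident:
    impermissible: bool                     # violates the Privacy Rule (slide 11)
    phi_state: str                          # at_rest | in_motion | disposed | in_use
    protection: Optional[str] = None        # control actually applied, if any
    exception: Optional[str] = None         # exception claimed, if any
    low_probability: Optional[bool] = None  # conclusion of the four-factor RA

def is_secured(state: str, protection: Optional[str]) -> bool:
    return protection in SECURED_BY.get(state, set())

def assess(inc: Incident):
    """Return (decision, trail); decision is REQUIRED, NOT_REQUIRED or RA_PENDING."""
    trail = []
    if not inc.impermissible:
        trail.append("step 1: no impermissible use or disclosure")
        return "NOT_REQUIRED", trail
    if is_secured(inc.phi_state, inc.protection):
        trail.append(f"step 1: PHI secured by {inc.protection} (safe harbor)")
        return "NOT_REQUIRED", trail
    trail.append("step 1: impermissible use or disclosure of unsecured PHI")
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception: {inc.exception}")
        trail.append(f"step 2: exception applies ({inc.exception})")
        return "NOT_REQUIRED", trail
    trail.append("step 2: no exception applies")
    if inc.low_probability is None:
        trail.append("step 3: risk assessment not documented yet")
        return "RA_PENDING", trail
    if inc.low_probability:
        trail.append("step 3: RA shows low probability of compromise")
        return "NOT_REQUIRED", trail
    trail.append("step 3: not a low probability of compromise")
    return "REQUIRED", trail

if __name__ == "__main__":
    # Constructed incidents: lost unencrypted laptop; redacted paper records.
    for inc in (Incident(True, "at_rest", None, None, False),
                Incident(True, "disposed", "redacted")):
        print(assess(inc))
```

The returned trail records which step ended the analysis, which is the evidence a security incident log needs when the decision is that no notification is required.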