HIPAA Solutions on Cloud Foundry
Jim Shingler, Cardinal Health
Ralph Meira, Pivotal
Jim Shingler, Cardinal Health
Office of Development Transformation
Director of Software Engineering
https://www.linkedin.com/in/jimshingler
@JShingler
Ralph Meira, Pivotal
Platform Architect
Pivotal
https://linkedin.com/in/ralph-meira-48530b/
@rm511130
Demographics Check
Who do we have in the audience?
-  Business Analysts
-  Project Managers
-  Developers
-  Who's using Cloud Foundry?
-  Who's got PHI flowing through CF?
HIPAA History
HIPAA $ Impact Examples
$150K for Malware Infection: Anchorage Community Mental Health Services (ACMHS)
$1.7M for Theft of Unencrypted Laptop: Concentra Health Services
$4.8M for Lack of Firewall: NY & Presbyterian Hospital
$400K for Phishing of PHI: Metro Community Provider Network
Fines per Violation
•  Did Not Know: $100 - $50K
•  Reasonable Cause: $1K - $50K
•  Willful Neglect (Corrected): $10K - $50K
•  Willful Neglect (Uncorrected): $50K
Quick Facts about CF @ Cardinal
-  Cardinal 1.5 years and 750 App Instances + SIs
-  6 Foundations (FUSE + Enterprise IT)
-  First 5 Apps were live within 1st month
-  Multicloud Strategy: AWS + GCP (SandBox)
-  No on-premise except for PCF Dev on LapTops
-  CI/CD: Jenkins → Exploring Concourse (COJUG)
-  Microservices, Spring Boot, Spring Cloud Services
-  240 devs supported by 2 platform engineers
Quick Facts
-  Tackling Biz IT (.NET) → using PCF Windows
-  VMs: 6+ weeks lead time → on-demand self-service
-  Strong CIO Leadership / Support
-  Cost of a S/W Bug (IT costs only): Prod ($2 ~ $5K); UAT is 50% of Prod; Integration is 50% of UAT; Dev is 50% of Integration
-  PCF Production has been 100% Up since day 1.
DevOps Lessons Learned
-  Continual empowerment of Dev Teams
-  Treat Dev Environment as Production
-  Speed → created a demand for DevOps
-  Organizational Re-orgs → To better support PCF
-  Stress Legacy Processes (no sacred processes)
-  Log aggregation, Metrics, Monitoring are key
HIPAA Info
Actors & Stakeholders
-  Patient
-  Caregiver
-  Physician
-  Hospital
-  Pharmacist
-  Payor
-  Insurance Co.
-  Manufacturer
Risk
-  Federated IDs for Business Partners (not Cardinal IDs)
-  No enterprise should be pulling s/w from Docker Hub (we're looking to use Nexus). Only images from the internal CI/CD repo can be used.
-  CVE on a library → allows me to close loops because I know who's impacted.
-  Easy: trust but verify vs. block & make it difficult
HIPAA Vocabulary and Concepts
PHI = Anything that can be used to identify an individual in the context of Personal Healthcare Information
“Compliance” versus “Certification”
Compliance: the use of the product meets requirements.
Certification: the product itself meets requirements.
HIPAA Certification?
“Compliance”: the use of the product meets requirements.
Unlike PCI (Payment Card Industry), there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements outlined in the rule. HHS doesn’t stipulate whether the evaluation is performed internally or by an external organization.
HIPAA Certification?
HIPAA – Compliance Checklist
http://www.hipaajournal.com/hipaa-compliance-checklist/
OCR – Office for Civil Rights
HIPAA - Technology
-  Same tech on Prod & Non-Prod Parity
-  IPSec, Disk Encryption
-  File Integrity Monitoring
-  ClamAV (accepting files)
-  Container to Container
-  Isolation Segments
-  Dedicated Tenancy**
General Rule: Assume you need a HIPAA-safe environment
-  Availability Zones
-  DR / HA
-  3 R's (Future)
-  CredHub (Future)
** https://aws.amazon.com/blogs/apn/aws-hipaa-program-update-removal-of-dedicated-instance-requirement/
HIPAA - Guidelines
-  Never put prod data in non-prod environment
-  We use the prod foundation w/ partners who are not ready… because it's all temporary, it's isolated.
-  Production becomes our Temp Stage environment.
HIPAA - Technology
-  Even with SSL, make sure your URL isn't carrying HIPAA data (regardless of cloud or not)
-  Microservices = Antifragile Apps = Higher Uptimes
-  Eligible BAA Services
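The URL point above, as an added example that is not from the talk: TLS protects the request in transit, but the full URL still lands in router and proxy access logs, browser history and Referer headers, so PHI must not travel in the path or query string. The scanner below flags access-log lines whose path or query carries PHI-like parameter names or values; the log format, the parameter-name list and the sample lines are constructed for this example.

```python
"""Flag PHI carried in request URLs, scanning access-log lines.

Added example (not from the talk or Cardinal Health's tooling). The log format,
parameter names and sample lines below are assumptions made for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that, by this example's convention, must never appear in a URL.
PHI_PARAM_NAMES = {"ssn", "dob", "mrn", "patient_name", "patientname", "diagnosis"}

# Value shapes typical of PHI identifiers (constructed patterns).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DOB_RE = re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$")

# Path segments such as /patients/123-45-6789/... leak PHI just as a query does.
PATH_SSN_RE = re.compile(r"/\d{3}-\d{2}-\d{4}(/|$)")

# Common-log-format style request line: "METHOD /path?qs HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def phi_in_url(target: str) -> list:
    """Return the reasons a URL (path + query) looks like it carries PHI; [] if clean."""
    reasons = []
    parts = urlsplit(target)
    if PATH_SSN_RE.search(parts.path):
        reasons.append("ssn-like value in path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in PHI_PARAM_NAMES:
            reasons.append(f"phi parameter name: {name}")
        if SSN_RE.match(value):
            reasons.append(f"ssn-like value in parameter {name}")
        elif DOB_RE.match(value):
            reasons.append(f"date-of-birth-like value in parameter {name}")
    return reasons


def scan_log(lines) -> list:
    """Return (line_number, target, reasons) for every log line whose URL carries PHI."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = phi_in_url(m.group("target"))
        if reasons:
            findings.append((n, m.group("target"), reasons))
    return findings


# Constructed sample access-log lines; the identifiers are fictitious.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /api/patients?ssn=123-45-6789 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2018:10:00:01 +0000] "GET /api/patients/123-45-6789/labs HTTP/1.1" 200',
    '10.0.0.6 - - [01/Jan/2018:10:00:02 +0000] "GET /api/patients/lookup?q=1990-04-12 HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2018:10:00:03 +0000] "POST /api/patients/lookup HTTP/1.1" 200',
    '10.0.0.8 - - [01/Jan/2018:10:00:04 +0000] "GET /static/app.js?v=42 HTTP/1.1" 200',
]

if __name__ == "__main__":
    # The POST lookup and the static asset pass; the three GETs with PHI in the URL are flagged.
    for n, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {target} -> {'; '.join(reasons)}")
```

The fix on the application side is to move identifiers into the request body (POST) or an opaque, non-identifying resource token, so that the logged request line carries nothing sensitive.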
HIPAA on GCP
The Google Cloud BAA covers GCP’s entire infrastructure (all regions, all zones,
all network paths, all points of presence), and the following products:
•  Google BigQuery
•  Google Cloud Bigtable
•  Google Cloud Data Loss Prevention API
•  Google Cloud Dataflow
•  Google Cloud Datalab
•  Google Cloud Dataproc
•  Google Cloud ML Engine
•  Google Cloud Natural Language API
•  Google Cloud Pub/Sub
•  Google Cloud Speech API
•  Google Cloud Stackdriver Logging
•  Google Cloud Storage
•  Google Cloud SQL for MySQL
•  Google Cloud Translation API
•  Google Compute Engine
•  Google Container Engine
•  Google Container Registry
•  Google Genomics
https://cloud.google.com/security/compliance/hipaa/#covered-products
HIPAA on AWS
•  API Gateway (excl. caching)
•  Aurora [MySQL-compatible only]
•  CloudFront
•  Cognito
•  AWS Database Migration Service
•  AWS Direct Connect
•  Directory Services (excl. Simple AD & AD Connector)
•  DynamoDB
•  Elastic Block Store (EBS)
•  Elastic Compute Cloud (EC2)
•  Elastic Load Balancing
•  Amazon Elastic MapReduce (EMR)
•  Glacier
•  Redshift
•  RDS [MySQL, Oracle, PostgreSQL]
•  AWS Shield [Std & Adv]
•  Simple Notification Service (SNS)
•  Simple Queue Service (SQS)
•  S3 [incl. S3 Transfer Acceleration]
•  Snowball
•  Virtual Private Cloud (VPC)
•  Web Application Firewall (WAF)
•  Amazon WorkSpaces
https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
HIPAA on Azure
•  API Management
•  App Services (API, Logic, Mobile & Web)
•  Application Gateway
•  Application Insights
•  Automation
•  Active Directory (Free, Basic, B2C) & DNS
•  Container Service
•  Cosmos DB
•  DevTest Labs
•  Information Protection (incl. Rights Mgmt.)
•  Azure Portal & Resource Manager
•  Backup, Batch, Event Hubs, Scheduler
•  Data Catalog & Data Factory
•  Key Vault
•  BizTalk Services
•  Cloud Services
•  Data Lake Analytics
•  Data Lake Store
•  ExpressRoute
•  Functions
•  HDInsight
•  Import/Export
•  IoT Hub
•  Load Balancer
•  Log Analytics
•  Machine Learning
•  Media Services
•  Multi-Factor Auth.
•  Notification Hubs
•  Power BI Embedded
•  Redis Cache
•  Security Center
•  Service Bus & Fabric
•  Site Recovery
•  SQL DW & DB
•  SQL Server Stretch DB
•  Storage & StorSimple
•  Stream Analytics
•  VMs & Network
•  VPN Gateway
https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA
HIPAA on VMware
http://tinyurl.com/vmwarehipaa
Area of Investigation: Blockchain
-  Data Lineage
-  The challenge: imagine you needed to implement a system that stores and manipulates PHI data. At any time, it must be possible for anyone to independently verify when the PHI data entered the system, and that it has not been modified. The PHI data must not be exposed publicly.
https://content.pivotal.io/blog/blockchain-use-cases-for-blockchain-on-cloud-foundry
Thank You
Reference Slides – Backup Material
HIPAA Terminology
-  Business Associates
-  Business Associate Agreement
-  Covered Entities (CE)
-  Electronic Data Interchange (EDI)
-  Electronic Health Records (EHR)
-  Electronic Protected Health Information (EPHI)
-  Healthcare Clearinghouse
-  Health Information
-  HIPAA
-  HITECH
-  HIPAA Audit
-  HIPAA Violations
-  Civil Penalties
-  Due Diligence
-  Reasonable Cause
-  Willful Neglect
-  Criminal Penalties
-  Individually Identifiable Health Information
-  OCR HIPAA Audit Protocol
-  Privacy Rule
-  Protected Health Information (PHI)
-  Security Rule
Business Associates
Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, i.e. an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, accountant or lawyer. The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical safeguards. A business associate does not work under the covered entity’s workforce, but instead performs some type of service on their behalf.
Business Associate Agreement
The agreement standard document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associates Agreement is the assurance that businesses will take proper steps to implement the appropriate safeguards: administrative, physical and technical.
Covered Entities (CE)
Anyone who provides treatment, payment and operations in healthcare: a doctor’s office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearing houses are also considered covered entities.
Electronic Data Interchange (EDI)
The communication or exchange of business documents between companies via computer and networks.

Electronic Health Records (EHR)
Any electronic record of patient health information generated within a clinical institution or environment, such as a hospital or doctor’s office: e.g. medical history, laboratory results, immunizations, demographics, etc.

Electronic Protected Health Information (EPHI)
All individually identifiable health information that is created, maintained or transmitted electronically.

Healthcare Clearinghouse
An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.
Health Information
Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under covered entity.

Healthcare Insurance Portability and Accountability Act (HIPAA)
Initially created in 1996 to help the public with insurance portability, they eventually built administrative simplifications that involved electronic, medical record technology and other components.

HIPAA Violations
If a company fails to comply with HIPAA rules, they are subject to both civil and criminal penalties.
HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The act included incentives offered to physicians in private practices, as well as institutional practices, to implement and adopt electronic medical records. In addition to incentives, the act included a series of fines to help enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance.
HIPAA Audit
A HIPAA audit is comprised of regulations, standards and implementation specifications. The audit is an analysis that helps pinpoint the organization’s current state and what steps need to be taken to get the organization compliant.

An evaluation is part of the audit: a company must perform an evaluation and undergo periodic evaluations, at a minimum, once a year. As technology changes, different components are added to an organization’s infrastructure and they should be re-evaluated.

While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.
Civil Penalties
Civil penalties, established by the American Recovery and Reinvestment Act of 2009 (ARRA), are a tiered civil penalty structure used to determine the cause and consequences of the HIPAA breaches. The Secretary of the Department of Health and Human Services has the ability to ultimately determine fines and penalties due to the extent of the violation on a case-by-case basis.

Due Diligence
An organization is in violation, but they have taken every possible step they could have foreseen to prevent that.
Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
Reasonable Cause
The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn’t addressed yet. The violation is due to reasonable cause and not willful neglect.
Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations
Willful Neglect
There are two types of willful neglect:

(1) A company clearly ignores the HIPAA law but corrects their mistake within the given amount of time.
Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations

(2) A company ignores the HIPAA law and does not correct their mistake.
Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Criminal Penalties
The U.S. Department of Justice establishes who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 including up to a year of imprisonment. More serious offenses call for higher fines and prison time.

Individually Identifiable Health Information
A subset of health information. It includes demographic information about an individual’s health that identifies or can be used to identify the individual: e.g. name, address, date of birth, etc.
OCR HIPAA Audit Protocol
Before 2012 there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office for Civil Rights (OCR) audit protocol, auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future. The protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

Privacy Rule
The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.
Protected Health Information (PHI)
Protected Health Information (PHI) includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.

Security Rule
The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.
SharePointlandia 2013: SharePoint and ComplianceSharePointlandia 2013: SharePoint and Compliance
SharePointlandia 2013: SharePoint and Compliance
 
IHE on FHIR and DICOMweb 2017
IHE on FHIR and DICOMweb 2017IHE on FHIR and DICOMweb 2017
IHE on FHIR and DICOMweb 2017
 
Leverage Big Data to Enhance Customer Experience in Telecommunications – with...
Leverage Big Data to Enhance Customer Experience in Telecommunications – with...Leverage Big Data to Enhance Customer Experience in Telecommunications – with...
Leverage Big Data to Enhance Customer Experience in Telecommunications – with...
 
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba EraThe Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
 
AUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous HealthAUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous Health
 
Harnessing Hadoop Distuption: A Telco Case Study
Harnessing Hadoop Distuption: A Telco Case StudyHarnessing Hadoop Distuption: A Telco Case Study
Harnessing Hadoop Distuption: A Telco Case Study
 
Apache Atlas. Data Governance for Hadoop. Strata London 2015
Apache Atlas. Data Governance for Hadoop. Strata London 2015Apache Atlas. Data Governance for Hadoop. Strata London 2015
Apache Atlas. Data Governance for Hadoop. Strata London 2015
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
 
AUSOUG - Introducing New AI Ops Innovations in Oracle 19c Autonomous Health F...
AUSOUG - Introducing New AI Ops Innovations in Oracle 19c Autonomous Health F...AUSOUG - Introducing New AI Ops Innovations in Oracle 19c Autonomous Health F...
AUSOUG - Introducing New AI Ops Innovations in Oracle 19c Autonomous Health F...
 
Fast Data Mining: Real Time Knowledge Discovery for Predictive Decision Making
Fast Data Mining: Real Time Knowledge Discovery for Predictive Decision MakingFast Data Mining: Real Time Knowledge Discovery for Predictive Decision Making
Fast Data Mining: Real Time Knowledge Discovery for Predictive Decision Making
 
Infosession for IQED dataproviders (14-22.04.2016)
Infosession for IQED dataproviders (14-22.04.2016)Infosession for IQED dataproviders (14-22.04.2016)
Infosession for IQED dataproviders (14-22.04.2016)
 
AUSOUG Analytics Update - Nov 14 2018
AUSOUG Analytics Update - Nov 14 2018AUSOUG Analytics Update - Nov 14 2018
AUSOUG Analytics Update - Nov 14 2018
 
Beyond a Big Data Pilot: Building a Production Data Infrastructure - Stampede...
Beyond a Big Data Pilot: Building a Production Data Infrastructure - Stampede...Beyond a Big Data Pilot: Building a Production Data Infrastructure - Stampede...
Beyond a Big Data Pilot: Building a Production Data Infrastructure - Stampede...
 
The 5 Biggest Data Myths in Telco: Exposed
The 5 Biggest Data Myths in Telco: ExposedThe 5 Biggest Data Myths in Telco: Exposed
The 5 Biggest Data Myths in Telco: Exposed
 
2016 AWS Life Sciences Days | Boston, MA – May 17, 2016
2016 AWS Life Sciences Days | Boston, MA – May 17, 20162016 AWS Life Sciences Days | Boston, MA – May 17, 2016
2016 AWS Life Sciences Days | Boston, MA – May 17, 2016
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RACNZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
 
Smoketest - Oracle Management Cloud
Smoketest - Oracle Management Cloud Smoketest - Oracle Management Cloud
Smoketest - Oracle Management Cloud
 

Similar to HIPAA Solutions on Cloud Foundry

Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018Amazon Web Services
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for DevelopersTrueVault
 
Hardening Hadoop for Healthcare with Project Rhino
Hardening Hadoop for Healthcare with Project RhinoHardening Hadoop for Healthcare with Project Rhino
Hardening Hadoop for Healthcare with Project RhinoAmazon Web Services
 
Securing Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH ComplianceSecuring Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH ComplianceMarie-Michelle Strah, PhD
 
Hortonworks help customers building a HIPAA compliant Data Lake
Hortonworks help customers building a HIPAA compliant Data Lake Hortonworks help customers building a HIPAA compliant Data Lake
Hortonworks help customers building a HIPAA compliant Data Lake Vitor Lundberg
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeCompliancy Group
 
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPTAmazon Web Services
 
Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containersAbhishek Sood
 
Secure Hadoop as a Service - Session Sponsored by Intel
Secure Hadoop as a Service - Session Sponsored by IntelSecure Hadoop as a Service - Session Sponsored by Intel
Secure Hadoop as a Service - Session Sponsored by IntelAmazon Web Services
 
Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance Avi Networks
 
OnRamp Customer Case Study - analyticsMD
OnRamp Customer Case Study - analyticsMDOnRamp Customer Case Study - analyticsMD
OnRamp Customer Case Study - analyticsMDJoshua Berman
 
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...dsapps
 
Migrating Your HIPAA Compliant Healthcare Analytics to AWS
Migrating Your HIPAA Compliant Healthcare Analytics to AWSMigrating Your HIPAA Compliant Healthcare Analytics to AWS
Migrating Your HIPAA Compliant Healthcare Analytics to AWSGerry Miller
 
Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...
Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...
Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...Databricks
 
Securing Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH ComplianceSecuring Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH ComplianceMarie-Michelle Strah, PhD
 
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...HPCC Systems
 
MuleSoft Manchester Meetup slides 4th July 2019
MuleSoft Manchester Meetup slides 4th July 2019MuleSoft Manchester Meetup slides 4th July 2019
MuleSoft Manchester Meetup slides 4th July 2019Anastasiia Linnas
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Cloudera, Inc.
 
AWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by Intel
AWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by IntelAWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by Intel
AWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by IntelAmazon Web Services
 

Similar to HIPAA Solutions on Cloud Foundry (20)

Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for Developers
 
Hardening Hadoop for Healthcare with Project Rhino
Hardening Hadoop for Healthcare with Project RhinoHardening Hadoop for Healthcare with Project Rhino
Hardening Hadoop for Healthcare with Project Rhino
 
Securing Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH ComplianceSecuring Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH Compliance
 
Hortonworks help customers building a HIPAA compliant Data Lake
Hortonworks help customers building a HIPAA compliant Data Lake Hortonworks help customers building a HIPAA compliant Data Lake
Hortonworks help customers building a HIPAA compliant Data Lake
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challenge
 
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 Build HIPAA Eligible Solutions with AWS and APN Partners PPT Build HIPAA Eligible Solutions with AWS and APN Partners PPT
Build HIPAA Eligible Solutions with AWS and APN Partners PPT
 
Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containers
 
Secure Hadoop as a Service - Session Sponsored by Intel
Secure Hadoop as a Service - Session Sponsored by IntelSecure Hadoop as a Service - Session Sponsored by Intel
Secure Hadoop as a Service - Session Sponsored by Intel
 
Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance
 
OnRamp Customer Case Study - analyticsMD
OnRamp Customer Case Study - analyticsMDOnRamp Customer Case Study - analyticsMD
OnRamp Customer Case Study - analyticsMD
 
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
API World 2019 Presentation on Securing sensitive data through APIs and AI pa...
 
Migrating Your HIPAA Compliant Healthcare Analytics to AWS
Migrating Your HIPAA Compliant Healthcare Analytics to AWSMigrating Your HIPAA Compliant Healthcare Analytics to AWS
Migrating Your HIPAA Compliant Healthcare Analytics to AWS
 
Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...
Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...
Building Real-Time Data Pipeline for Diabetes Medication Recommender System U...
 
Securing Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH ComplianceSecuring Microsoft Technologies for HITECH Compliance
Securing Microsoft Technologies for HITECH Compliance
 
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
Leveraging HPCC Systems as Part of an Information Security, Privacy, and Comp...
 
MuleSoft Manchester Meetup slides 4th July 2019
MuleSoft Manchester Meetup slides 4th July 2019MuleSoft Manchester Meetup slides 4th July 2019
MuleSoft Manchester Meetup slides 4th July 2019
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
 
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
 
AWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by Intel
AWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by IntelAWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by Intel
AWS Summit Sydney 2014 | Secure Hadoop as a Service - Session Sponsored by Intel
 

More from Jim Shingler

DevOps is a Journey, Not an Event
DevOps is a Journey, Not an EventDevOps is a Journey, Not an Event
DevOps is a Journey, Not an EventJim Shingler
 
Personal Healthcare IOT on PCF using Spring
Personal Healthcare IOT on PCF using SpringPersonal Healthcare IOT on PCF using Spring
Personal Healthcare IOT on PCF using SpringJim Shingler
 
S1 2GX 2011 - Content Management with a Custom CMS
S1 2GX 2011 - Content Management with a Custom CMS S1 2GX 2011 - Content Management with a Custom CMS
S1 2GX 2011 - Content Management with a Custom CMS Jim Shingler
 
S1 2GX 2011 - Using Grails on a public facing Fortune 500 website
S1 2GX 2011 - Using Grails on a public facing  Fortune 500 website S1 2GX 2011 - Using Grails on a public facing  Fortune 500 website
S1 2GX 2011 - Using Grails on a public facing Fortune 500 website Jim Shingler
 
Griffon In Front Grails In Back
Griffon In Front Grails In BackGriffon In Front Grails In Back
Griffon In Front Grails In BackJim Shingler
 
Gg Code Mash2009 20090106
Gg Code Mash2009 20090106Gg Code Mash2009 20090106
Gg Code Mash2009 20090106Jim Shingler
 

More from Jim Shingler (6)

DevOps is a Journey, Not an Event
DevOps is a Journey, Not an EventDevOps is a Journey, Not an Event
DevOps is a Journey, Not an Event
 
Personal Healthcare IOT on PCF using Spring
Personal Healthcare IOT on PCF using SpringPersonal Healthcare IOT on PCF using Spring
Personal Healthcare IOT on PCF using Spring
 
S1 2GX 2011 - Content Management with a Custom CMS
S1 2GX 2011 - Content Management with a Custom CMS S1 2GX 2011 - Content Management with a Custom CMS
S1 2GX 2011 - Content Management with a Custom CMS
 
S1 2GX 2011 - Using Grails on a public facing Fortune 500 website
S1 2GX 2011 - Using Grails on a public facing  Fortune 500 website S1 2GX 2011 - Using Grails on a public facing  Fortune 500 website
S1 2GX 2011 - Using Grails on a public facing Fortune 500 website
 
Griffon In Front Grails In Back
Griffon In Front Grails In BackGriffon In Front Grails In Back
Griffon In Front Grails In Back
 
Gg Code Mash2009 20090106
Gg Code Mash2009 20090106Gg Code Mash2009 20090106
Gg Code Mash2009 20090106
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

HIPAA Solutions on Cloud Foundry

  • 10. HIPAA Info Actors & Stakeholders
  -  Patient
  -  Caregiver
  -  Physician
  -  Hospital
  -  Pharmacist
  -  Payor
  -  Insurance Co.
  -  Manufacturer
  • 11. Risk
  -  Federated IDs for Business Partners (not Cardinal IDs)
  -  No enterprise should be pulling s/w from Docker Hub (we're looking to use Nexus). CI/CD: only images from the internal repo can be used.
  -  CVE on a library → allows me to close loops because I know who's impacted.
  -  Easy: trust but verify vs. block & make it difficult
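The "internal repo only" rule on this slide is easy to state and easy to drift from, so here is a check for it, written for this page as an added example rather than anything Cardinal or Pivotal published. It assumes the input is shaped like the body `cf curl "/v3/packages?types=docker"` returns (only `resources[].data.image` and `resources[].relationships.app.data.guid` are read), that `nexus.example.internal` is a hypothetical internal registry host, and the sample data is constructed. It goes one step past the slide by also flagging images pulled by mutable tag instead of digest, since a digest is what ties a running app to the image you actually scanned for CVEs.

```python
"""Added example (not from the deck): check that every Docker-lifecycle app on a
foundation pulls its image from the internal registry and pins it by digest.

Assumptions, none of which come from the slides:
- PACKAGES_JSON is shaped like the body `cf curl "/v3/packages?types=docker"`
  returns; only resources[].data.image and resources[].relationships.app.data.guid
  are read, and the sample below is constructed.
- nexus.example.internal is a hypothetical internal registry host.
"""
import json
import re

# Hypothetical allow-list of internal registry hosts (port stripped before comparing).
INTERNAL_REGISTRIES = {"nexus.example.internal"}

# Image reference grammar: [host[:port]/]path[:tag][@sha256:digest]
# A first component counts as a registry host only if it has a dot or is localhost,
# which is the same heuristic the Docker client uses.
_REF = re.compile(
    r"^(?:(?P<host>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<path>[^:@]+)"
    r"(?::(?P<tag>[^@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into (host, path, tag, digest); no host means Docker Hub."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return (m.group("host") or "docker.io", m.group("path"),
            m.group("tag"), m.group("digest"))


def audit_images(packages_json, allowed=INTERNAL_REGISTRIES):
    """Return (app_guid, image, reason) for every image that violates the policy."""
    findings = []
    for pkg in json.loads(packages_json)["resources"]:
        image = pkg["data"]["image"]
        app_guid = pkg["relationships"]["app"]["data"]["guid"]
        host, _path, _tag, digest = parse_reference(image)
        if host.split(":")[0] not in allowed:
            findings.append((app_guid, image, "image not from internal registry"))
        if digest is None:
            # A mutable tag can be re-pushed; a digest is what you actually scanned.
            findings.append((app_guid, image, "image not pinned by digest"))
    return findings


# Constructed sample in the shape described above (not real foundation data).
PACKAGES_JSON = json.dumps({"resources": [
    {"data": {"image": "nexus.example.internal:5000/phi/intake@sha256:" + "a" * 64},
     "relationships": {"app": {"data": {"guid": "app-intake"}}}},
    {"data": {"image": "redis:5"},
     "relationships": {"app": {"data": {"guid": "app-cache"}}}},
    {"data": {"image": "nexus.example.internal:5000/phi/report:1.4"},
     "relationships": {"app": {"data": {"guid": "app-report"}}}},
]})

if __name__ == "__main__":
    for app_guid, image, reason in audit_images(PACKAGES_JSON):
        print(f"{app_guid}: {reason} ({image})")
```

Run against the constructed sample it flags `redis:5` twice (Docker Hub, and no digest) and the report image once (tagged, not pinned). Pipe the real `cf curl` output in the same way from the CI/CD job that owns the foundation, and fail the job on any finding.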
  • 12. HIPAA Vocabulary and Concepts
  PHI (Protected Health Information) = anything that can be used to identify an individual in the context of personal healthcare information
  • 13. HIPAA Certification? "Compliance" versus "Certification"
  -  Compliance: the use of the product meets requirements.
  -  Certification: the product itself meets requirements.
  • 14. HIPAA Certification? "Compliance": the use of the product meets requirements.
  Unlike PCI (Payment Card Industry), there is no one that can "certify" that an organization is HIPAA compliant. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the "certifications" made by private organizations. There is an evaluation standard in the Security Rule, § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements outlined in the rule. HHS doesn't stipulate whether the evaluation is performed internally or by an external organization.
  • 15. HIPAA – Compliance Checklist
  http://www.hipaajournal.com/hipaa-compliance-checklist/
  OCR – Office for Civil Rights
  • 16. HIPAA - Technology
  General Rule: Assume you need a HIPAA safe environment
  -  Same tech on Prod & Non-Prod (parity)
  -  IPsec, disk encryption
  -  File Integrity Monitoring
  -  ClamAV (for apps that accept file uploads)
  -  Container-to-container networking
  -  Isolation Segments
  -  Dedicated Tenancy**
  -  Availability Zones
  -  DR / HA
  -  3 R's: repair, repave, rotate (future)
  -  CredHub (future)
  ** https://aws.amazon.com/blogs/apn/aws-hipaa-program-update-removal-of-dedicated-instance-requirement/
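Isolation segments and container-to-container networking only protect PHI if every PHI space actually sits in the segment and no network policy reaches into it from outside. The audit below is an added example written for this page, not code from the deck or from Cardinal. It assumes its four inputs are shaped like the bodies `cf curl` returns for `/v3/spaces?organization_guids=<phi-org>`, `/v3/isolation_segments/<seg>/relationships/spaces`, `/v3/apps` and `/networking/v1/external/policies` (only the fields named in the docstring are read), and every sample is constructed. The rule it enforces is an assumption too: PHI spaces must be bound to the segment, and no c2c policy may let an app outside the PHI org talk to an app inside it.

```python
"""Added example (not from the deck): audit a PHI org for two of the controls the
slide lists, isolation segments and container-to-container (c2c) network policies.

Assumptions, none of which come from the slides:
- The inputs are shaped like the bodies `cf curl` returns for
    /v3/spaces?organization_guids=<phi-org>            -> resources[].guid, .name
    /v3/isolation_segments/<seg>/relationships/spaces  -> data[].guid
    /v3/apps                                           -> resources[].guid, .name,
                                                          .relationships.space.data.guid
    /networking/v1/external/policies                   -> policies[].source.id,
                                                          .destination.{id,protocol,ports}
  Only those fields are read; every sample below is constructed.
- Policy being enforced: each PHI space is bound to the segment, and no c2c
  policy lets an app outside the PHI org reach an app inside it.
"""
import json


def audit_isolation(spaces_json, segment_spaces_json):
    """Return names of PHI spaces that are NOT bound to the isolation segment."""
    phi_spaces = {s["guid"]: s["name"] for s in json.loads(spaces_json)["resources"]}
    bound = {s["guid"] for s in json.loads(segment_spaces_json)["data"]}
    return sorted(name for guid, name in phi_spaces.items() if guid not in bound)


def audit_c2c(spaces_json, apps_json, policies_json):
    """Return (src_app, dst_app, protocol, start, end) for each policy whose
    destination is a PHI app but whose source is not."""
    phi_spaces = {s["guid"] for s in json.loads(spaces_json)["resources"]}
    apps = json.loads(apps_json)["resources"]
    app_space = {a["guid"]: a["relationships"]["space"]["data"]["guid"] for a in apps}
    app_name = {a["guid"]: a["name"] for a in apps}
    violations = []
    for p in json.loads(policies_json)["policies"]:
        src, dst = p["source"]["id"], p["destination"]["id"]
        # An app guid we have no space for is treated as outside the PHI org.
        if app_space.get(dst) in phi_spaces and app_space.get(src) not in phi_spaces:
            violations.append((app_name.get(src, src), app_name.get(dst, dst),
                               p["destination"]["protocol"],
                               p["destination"]["ports"]["start"],
                               p["destination"]["ports"]["end"]))
    return violations


# Constructed samples (not real foundation data).
SPACES_JSON = json.dumps({"resources": [
    {"guid": "sp-intake", "name": "phi-intake"},
    {"guid": "sp-report", "name": "phi-reporting"},
]})
SEGMENT_SPACES_JSON = json.dumps({"data": [{"guid": "sp-intake"}]})
APPS_JSON = json.dumps({"resources": [
    {"guid": "app-a", "name": "intake-api",
     "relationships": {"space": {"data": {"guid": "sp-intake"}}}},
    {"guid": "app-b", "name": "report-svc",
     "relationships": {"space": {"data": {"guid": "sp-report"}}}},
    {"guid": "app-c", "name": "marketing-web",
     "relationships": {"space": {"data": {"guid": "sp-marketing"}}}},
]})
POLICIES_JSON = json.dumps({"total_policies": 3, "policies": [
    {"source": {"id": "app-a"},
     "destination": {"id": "app-b", "protocol": "tcp", "ports": {"start": 8080, "end": 8080}}},
    {"source": {"id": "app-c"},
     "destination": {"id": "app-b", "protocol": "tcp", "ports": {"start": 8080, "end": 8080}}},
    {"source": {"id": "app-b"},
     "destination": {"id": "app-c", "protocol": "tcp", "ports": {"start": 443, "end": 443}}},
]})

if __name__ == "__main__":
    print("spaces missing segment:", audit_isolation(SPACES_JSON, SEGMENT_SPACES_JSON))
    print("c2c violations:", audit_c2c(SPACES_JSON, APPS_JSON, POLICIES_JSON))
```

On the sample it reports `phi-reporting` as unbound and the `marketing-web -> report-svc` policy as a violation; the reverse `report-svc -> marketing-web` policy is egress from the PHI org and is deliberately not flagged by this rule, so add a second rule if your threat model forbids that direction too. The objects it inspects are the ones `cf create-isolation-segment`, `cf enable-org-isolation`, `cf set-space-isolation-segment` and `cf add-network-policy` create.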
  • 17. HIPAA - Guidelines -  Never put prod data in a non-prod environment -  We use the prod foundation w/ partners who are not ready… because it's all temporary, it's isolated. -  Production becomes our Temp Stage environment. General Rule: Assume you need a HIPAA safe environment.
  • 18. HIPAA - Technology -  Even with SSL make sure your URL isn't carrying HIPAA data (regardless of cloud or not) -  Microservices = Antifragile Apps = Higher Up Times -  Eligible BAA Services
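The "no PHI in the URL" rule from slide 18 is easy to state and easy to violate, because TLS hides the URL on the wire but not in access logs, proxy logs or browser history. The following is an added example (not from the talk or from Cardinal Health) of a log-side check for identifiers in request paths and query strings; the parameter names, regexes and the log lines are constructed assumptions, not a complete PHI classifier.

```python
"""Scan web-server access logs for PHI that leaked into request URLs.

TLS protects a URL in transit, but the URL is still written to access and
proxy logs, browser history and Referer headers, so identifiers belong in
the request body or behind an opaque token, never in the path or query.
Added example; the parameter names and value patterns are assumptions
and are not a complete PHI classifier.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that routinely carry PHI (assumed list).
SENSITIVE_PARAMS = {"ssn", "dob", "mrn", "patient_name", "diagnosis", "dx"}

# Value patterns: a US SSN and an ISO or US-style date (e.g. a date of birth).
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b"),
}


def find_phi_in_url(url: str) -> list:
    """Return findings such as 'param:ssn' or 'path:date' for one request URL."""
    findings = []
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"param:{name.lower()}")
        for kind, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"value:{kind}")
    # Path segments leak too: /patients/123-45-6789/records carries the SSN.
    for kind, pattern in VALUE_PATTERNS.items():
        if pattern.search(parts.path):
            findings.append(f"path:{kind}")
    return findings


# Common Log Format: the request line is the quoted field.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP/')


def audit_access_log(lines) -> list:
    """Return (line_number, url, findings) for every line whose URL carries PHI."""
    hits = []
    for n, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = find_phi_in_url(match.group(1))
        if findings:
            hits.append((n, match.group(1), findings))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2017:10:00:00 +0000] "GET /api/patients?id=a8f3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2017:10:00:01 +0000] "GET /api/patients?ssn=123-45-6789 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Oct/2017:10:00:02 +0000] "GET /api/records/1985-04-12/labs?dx=E11 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Oct/2017:10:00:03 +0000] "POST /api/patients/search HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for n, url, findings in audit_access_log(SAMPLE_LOG):
        print(f"line {n}: {url} -> {', '.join(findings)}")
```

The same check runs well as a CI gate over route definitions or as a periodic job over the log aggregation stream the DevOps slides call key.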
  • 19. HIPAA on GCP: The Google Cloud BAA covers GCP's entire infrastructure (all regions, all zones, all network paths, all points of presence), and the following products: •  Google BigQuery •  Google Cloud Bigtable •  Google Cloud Data Loss Prevention API •  Google Cloud Dataflow •  Google Cloud Datalab •  Google Cloud Dataproc •  Google Cloud ML Engine •  Google Cloud Natural Language API •  Google Cloud Pub/Sub •  Google Cloud Speech API •  Google Cloud Stackdriver Logging •  Google Cloud Storage •  Google Cloud SQL for MySQL •  Google Cloud Translation API •  Google Compute Engine •  Google Container Engine •  Google Container Registry •  Google Genomics. https://cloud.google.com/security/compliance/hipaa/#covered-products
  • 20. HIPAA on AWS •  API Gateway (excl. caching) •  Aurora [MySQL-compatible only] •  CloudFront •  Cognito •  AWS Database Migration Service •  AWS Direct Connect •  Directory Services (excl. Simple AD & AD Connector) •  DynamoDB •  Elastic Block Store (EBS) •  Elastic Compute Cloud (EC2) •  Elastic Load Balancing •  Amazon Elastic MapReduce (EMR) •  Glacier •  Redshift •  RDS [MySQL, Oracle, PostgreSQL] •  AWS Shield [Std & Adv] •  Simple Notification Service (SNS) •  Simple Queue Service (SQS) •  S3 [incl. S3 Transfer Acceleration] •  Snowball •  Virtual Private Cloud (VPC) •  Web Application Firewall (WAF) •  Amazon WorkSpaces. https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
  • 21. HIPAA on Azure •  API Management •  App Services (API, Logic, Mobile & Web) •  Application Gateway •  Application Insights •  Automation •  Active Directory (Free, Basic, B2C) & DNS •  Container Service •  Cosmos DB •  DevTest Labs •  Information Protection (incl. Rights Mgmt.) •  Azure Portal & Resource Manager •  Backup, Batch, Event Hubs, Scheduler •  Data Catalog & Data Factory •  Key Vault •  BizTalk Services •  Cloud Services •  Data Lake Analytics •  Data Lake Store •  ExpressRoute •  Functions •  HDInsight •  Import/Export •  IoT Hub •  Load Balancer •  Log Analytics •  Machine Learning •  Media Services •  Multi-Factor Auth. •  Notification Hubs •  Power BI Embedded •  Redis Cache •  Security Center •  Service Bus & Fabric •  Site Recovery •  SQL DW & DB •  SQL Server Stretch DB •  Storage & StorSimple •  Stream Analytics •  VMs & Network •  VPN Gateway. https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA
  • 25. Area of Investigation: Blockchain -  Data Lineage -  The challenge: imagine you needed to implement a system that stores and manipulates PHI data. At any time, it must be possible for anyone to independently verify when the PHI data entered the system, and that it has not been modified. The PHI data must not be exposed publicly. https://content.pivotal.io/blog/blockchain-use-cases-for-blockchain-on-cloud-foundry
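The three requirements on slide 25 (anyone can verify when a record entered, anyone can verify it was not modified, nobody sees the PHI) can be met with a hash chain of salted commitments before any blockchain network is involved. The block below is an added example, not code from the Pivotal post: the ledger entries and the head hash are publishable, the records and per-record salts stay private, and the timestamps and records are constructed values.

```python
"""Tamper-evident lineage ledger for PHI that never publishes the PHI.

Each stored record gets a ledger entry holding only a salted commitment
(HMAC over the record bytes) and a timestamp, hash-chained to the previous
entry. Publishing the entries and the latest head hash lets anyone check
that an entry existed when the head was published and that nothing was
rewritten since; the PHI and per-record salts stay private.
Added example (not the Pivotal post's code): a plain hash chain, not a
blockchain network; timestamps and records are constructed.
"""
import dataclasses, hashlib, hmac, json, secrets

GENESIS = "0" * 64  # prev_hash of the first entry


def commit(record: bytes, salt: bytes) -> str:
    """Salted commitment: a bare SHA-256 of short, guessable PHI could be brute-forced."""
    return hmac.new(salt, record, hashlib.sha256).hexdigest()


@dataclasses.dataclass(frozen=True)
class Entry:
    index: int
    timestamp: int  # epoch seconds; a real system takes these from a trusted clock
    commitment: str
    prev_hash: str

    def digest(self) -> str:
        payload = json.dumps([self.index, self.timestamp, self.commitment, self.prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []  # publishable
        self.salts = {}    # private: index -> salt, needed only to prove a record later

    def append(self, record: bytes, timestamp: int) -> Entry:
        salt = secrets.token_bytes(32)
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = Entry(len(self.entries), timestamp, commit(record, salt), prev)
        self.entries.append(entry)
        self.salts[entry.index] = salt
        return entry

    def head(self) -> str:
        """Hash to publish somewhere widely witnessed; it anchors the whole chain."""
        return self.entries[-1].digest() if self.entries else GENESIS


def verify_chain(entries, expected_head=None) -> bool:
    """Public check: each entry links to its predecessor and the chain ends at the published head."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.index != i or entry.prev_hash != prev:
            return False
        prev = entry.digest()
    return expected_head is None or prev == expected_head


def verify_record(entries, index: int, record: bytes, salt: bytes) -> bool:
    """Whoever holds the record and its salt can prove it is the one committed at `index`."""
    expected = commit(record, salt)
    return verify_chain(entries) and hmac.compare_digest(entries[index].commitment, expected)


def with_backdated(entries, index: int, new_timestamp: int) -> list:
    """Simulate someone rewriting an entry's timestamp after the fact (for the checks)."""
    out = list(entries)
    out[index] = dataclasses.replace(out[index], timestamp=new_timestamp)
    return out
```

Rewriting an interior entry breaks the next entry's link; rewriting the newest entry is only caught against the externally published head, which is why the head hash has to be published and not merely stored alongside the chain.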
  • 26. $100 DISCOUNT CODE: S1P_EVENT_CFS100
  • 28. Reference Slides – Backup Material
  • 29. HIPAA Terminology (terms covered in the backup slides): Business Associates; Business Associate Agreement; Covered Entities (CE); Electronic Data Interchange (EDI); Electronic Health Records (EHR); Electronic Protected Health Information (EPHI); Healthcare Clearinghouse; Health Information; HIPAA; HITECH; HIPAA Audit; HIPAA Violations; Civil Penalties; Due Diligence; Reasonable Cause; Willful Neglect; Criminal Penalties; Individually Identifiable Health Information; OCR HIPAA Audit Protocol; Privacy Rule; Protected Health Information (PHI); Security Rule. Business Associates: Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, i.e. an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, accountant or lawyer. The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical safeguards. A business associate does not work under the covered entity's workforce, but instead performs some type of service on their behalf.
  • 30. HIPAA Terminology. Business Associate Agreement: The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associate Agreement is the assurance that businesses will take proper steps to implement the appropriate safeguards: administrative, physical and technical. Covered Entities (CE): Anyone who provides treatment, payment and operations in healthcare: a doctor's office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearinghouses are also considered covered entities.
  • 31. HIPAA Terminology. Electronic Data Interchange (EDI): The communication or exchange of business documents between companies via computers and networks. Electronic Health Records (EHR): Any electronic record of patient health information generated within a clinical institution or environment, such as a hospital or doctor's office: e.g. medical history, laboratory results, immunizations, demographics, etc. Electronic Protected Health Information (EPHI): All individually identifiable health information that is created, maintained or transmitted electronically. Healthcare Clearinghouse: An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.
  • 32. HIPAA Terminology. Health Information: Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under a covered entity. Health Insurance Portability and Accountability Act (HIPAA): Initially created in 1996 to help the public with insurance portability; administrative simplification provisions covering electronic medical record technology and other components were added later. HIPAA Violations: If a company fails to comply with HIPAA rules, it is subject to both civil and criminal penalties.
  • 33. HIPAA Terminology. HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The act included incentives offered to physicians in private practices, as well as institutional practices, to implement and adopt electronic medical records. In addition to incentives, the act included a series of fines to help enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance.
  • 34. HIPAA Terminology. HIPAA Audit: Comprised of regulations, standards and implementation specifications. The audit is an analysis that helps pinpoint the organization's current state and what steps need to be taken to get the organization compliant. An evaluation is part of the audit - a company must perform an evaluation and undergo periodic evaluations, at a minimum, once a year. As technology changes, different components are added to an organization's infrastructure and they should be re-evaluated. While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.
  • 35. HIPAA Terminology. Civil Penalties: Established by the American Recovery and Reinvestment Act of 2009 (ARRA), these are a tiered civil penalty structure used to determine the cause and consequences of HIPAA breaches. The Secretary of the Department of Health and Human Services has the ability to ultimately determine fines and penalties according to the extent of the violation on a case-by-case basis. Due Diligence: An organization is in violation, but it has taken every possible step it could have foreseen to prevent that. Minimum fine: $100 per incident with an annual maximum of $25,000 for repeat violations. Maximum fine: $50,000 per violation with an annual maximum of $1.5 million for repeat violations.
  • 36. HIPAA Terminology. Reasonable Cause: The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn't addressed yet. The violation is due to reasonable cause and not willful neglect. Minimum fine: $1,000 per incident with an annual maximum of $100,000 for repeat violations. Maximum fine: $50,000 per incident with an annual maximum of $1.5 million for repeat violations.
  • 37. HIPAA Terminology. Willful Neglect - There are two types of willful neglect: (1) A company clearly ignores the HIPAA law but corrects its mistake within the given amount of time. Minimum fine: $10,000 per incident with an annual maximum of $1.5 million for repeat violations. Maximum fine: $50,000 per violation with an annual maximum of $1.5 million for repeat violations. (2) A company ignores the HIPAA law and does not correct its mistake. Minimum fine: $50,000 per incident with an annual maximum of $250,000 for repeat violations. Maximum fine: $50,000 per incident with an annual maximum of $250,000 for repeat violations.
  • 38. HIPAA Terminology. Criminal Penalties - The U.S. Department of Justice establishes who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 including up to a year of imprisonment. More serious offenses call for higher fines and prison time. Individually Identifiable Health Information: A subset of health information. It includes demographic information about an individual's health that identifies or can be used to identify the individual: e.g. name, address, date of birth, etc.
  • 39. HIPAA Terminology. OCR HIPAA Audit Protocol: Before 2012 there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office for Civil Rights (OCR) audit protocol, auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future. The protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule. Privacy Rule: The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient's own right to access.
  • 40. HIPAA Terminology. Protected Health Information (PHI): Includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more. Security Rule: The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.