© 2013
Chapter 11
Security for
Healthcare
Informatics
Introduction to Healthcare
Informatics
Objectives
• Differentiate between addressable and
required implementation specifications
• Describe what a security risk analysis
entails
• Differentiate between the concepts of
vulnerabilities, risks, and threats
• Provide examples of administrative,
physical, and technical safeguards
• Appreciate the foundational importance
of confidentiality, integrity, and availability
in regard to the HIPAA Security Rule
Objectives
• Articulate the HIPAA Security Rule complaint
and enforcement process
• Identify the agencies responsible for HIPAA
Security Rule enforcement
• Describe civil and criminal penalties and the
tiered penalty approach
• Explain how HITECH modifies the HIPAA
Security Rule
• Define medical identity theft
Objectives
• Discuss the potential impacts of medical
identity theft on patients and other
stakeholders
• Describe the steps required for
conducting a business impact analysis
• Delineate the concerns, challenges, and
potential solutions involved in preparing a
full-fledged information and
organizational disaster preparedness plan
Types of Standards
• Flexible, scalable, technology-neutral
solutions and alternatives
• Implementation specifications
o Required—must be implemented as
described in the regulation
o Addressable—should be implemented
unless an organization determines the
specification is not reasonable and
appropriate. Organization must document
assessment and decision
Foundation
• ePHI—electronic protected health
information
• Security incident—the attempted or
successful unauthorized access, use,
disclosure, modification, or destruction
or interference with systems operations
in an information system
Security Risk Analysis
• Full evaluation of the methods,
operational practices, and policies by
the covered entity to secure ePHI
• Structural framework to build HIPAA
Security Plan
• Required for Meaningful Use
NIST Guidance on Risk Analysis
• Have you identified the ePHI within your
organization? This includes ePHI that you
create, receive, maintain or transmit.
• What are the external sources of ePHI?
For example, do vendors or consultants
create, receive, maintain, or transmit
ePHI?
• What are the human, natural, and
environmental threats to information
systems that contain ePHI? (NIST SP 800-66 2008)
Vulnerabilities
• An inherent weakness or absence of a
safeguard that can be exploited by a
threat
• Inappropriate protective methods
o Technical
• Firewalls, Virus blocker
o Nontechnical
• Policies and procedures
Threat
• The potential for exploitation of a
vulnerability or potential danger to a
computer, network, or data
• Natural—storms, earthquakes, etc.
• Human
o Intentional—hacking
o Unintentional—Forgetting to log off
• Environmental—power failure
Risks
• The probability of incurring injury or loss
• Compare the probability to the potential
impact
Mandated Risk Analysis Elements
• Scope of the Risk Analysis
• Data Collection
• Identify and Document Potential Threats
and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat
Occurrence
• Determine the Potential Impact of Threat
Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates to the Risk
Assessment
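The likelihood, impact and risk-level steps above are where a risk analysis turns from an inventory into a ranked list. The following is an added example, not code from the slides or the textbook: it scores constructed threat/vulnerability pairs on assumed Low/Medium/High scales, derives a risk level from likelihood times impact (the 3x3 matrix and its thresholds are assumptions, not values from the page), and produces the sorted register that the "Finalize Documentation" step needs.

```python
"""Risk-level scoring for a HIPAA security risk analysis.

Added example, not from the slides. It follows the slide's sequence:
document threat/vulnerability pairs, rate likelihood and impact, derive
a risk level, and produce a ranked register for the documentation step.
The 3x3 qualitative matrix, the thresholds, the asset and threat names
and the ratings are constructed for illustration (assumptions).
"""
from dataclasses import dataclass

# Ordinal scales assumed here: Low=1, Medium=2, High=3.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class RiskItem:
    asset: str            # where the ePHI is created, stored or transmitted
    threat: str           # human, natural or environmental
    vulnerability: str    # weakness or missing safeguard
    current_controls: str # safeguards already in place
    likelihood: str       # Low / Medium / High
    impact: str           # Low / Medium / High


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 1..3 scales, giving a score of 1..9."""
    return SCALE[likelihood] * SCALE[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score to a level. The cut-offs are an assumption."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def build_register(items):
    """Return register rows sorted highest risk first."""
    rows = []
    for it in items:
        rows.append({
            "asset": it.asset,
            "threat": it.threat,
            "vulnerability": it.vulnerability,
            "controls": it.current_controls,
            "score": risk_score(it.likelihood, it.impact),
            "level": risk_level(it.likelihood, it.impact),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample inventory for a small practice (assumption).
SAMPLE_ITEMS = [
    RiskItem("EHR database server", "Human, intentional: credential theft",
             "No lockout after failed logins", "Passwords only",
             "Medium", "High"),
    RiskItem("Clinician laptops", "Human, unintentional: lost device",
             "Disk not encrypted", "Cable locks", "High", "High"),
    RiskItem("Backup tapes", "Environmental: fire in storage room",
             "Single on-site copy", "Fire suppression", "Low", "High"),
    RiskItem("Reception workstation", "Human, unintentional: screen left open",
             "No automatic logoff", "Privacy screen", "Medium", "Low"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        print(f'{row["level"]:6} {row["score"]}  {row["asset"]}: {row["threat"]}')
```

The register is only the documentation artifact; the decision each row drives (accept, mitigate, transfer) and the periodic re-scoring when systems change belong to the risk management element that follows.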
Administrative Safeguard
Standards
• Policies and procedures
o Manage the selection, development,
implementation and maintenance of
security measures to protect ePHI
o Manage the conduct of the covered
entity’s or business associate’s workforce
in relation to the protection of the
information
Security Management Process
Standard—Required
• Risk analysis
• Risk management element
o Communication of security processes
o Leadership involvement with risk
mitigation
• Sanctions policy—how noncompliance
will be addressed
• Information systems activity review—
procedures for monitoring system use
Security Officer
• The official who is responsible for the
development and implementation of
the required Security Rule policies and
procedures
Workforce Security Standard—
Addressable
• Authorization and supervision—
determining the level of access for each
workforce member
• Workforce clearance procedures—
determining that access to ePHI is
appropriate
• Termination procedures—removal of
access privileges when employment
ends
Information Access Management
Standard—Required and
Addressable
• Required—healthcare clearinghouses
must segregate their data from other
activities
• Addressable
o Access authorization—policies and
procedures for granting access
o Authorization and access establishment
and modification—policies and
procedures to establish, document, review
and modify a user’s right of access
Security Awareness and Training
Standard—Addressable
• All existing workforce members must
receive training and periodic training
on updates
o Security reminders—pop-up for log-off
o Protection from malicious software—
guidance for opening attachments
o Log-in monitoring—lockout after 3
unsuccessful log-in attempts
o Password protection—creation, changing
and safeguarding passwords
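The "lockout after 3 unsuccessful log-in attempts" item is a concrete control, and the details that make it work in practice (counting only consecutive failures, expiring the lock, keeping an audit trail) are easy to get wrong. The following is an added example, not code from the slides: a small in-memory log-in monitor that enforces the 3-attempt threshold from the slide. The 15-minute cooldown, the PBKDF2 credential store and the injectable clock are assumptions made for the example.

```python
"""Log-in monitoring with lockout after 3 unsuccessful attempts.

Added example, not from the slides. Failures are counted per user, the
account locks once the threshold from the slide is reached, and the lock
expires after a cooldown. The cooldown length, the credential store and
the clock injection are assumptions for the example.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3            # threshold stated on the slide
LOCKOUT_SECONDS = 15 * 60   # assumption: cooldown length

_DUMMY_SALT = b"\0" * 16
_DUMMY_HASH = b"\0" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so stored credentials are not plain hashes (iteration count assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginMonitor:
    """Tracks failed log-ins per user and enforces a temporary lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for testing
        self.users = {}               # user -> (salt, pbkdf2 hash)
        self.failures = {}            # user -> consecutive failures
        self.locked_until = {}        # user -> unix time the lock expires
        self.events = []              # (time, user, outcome) audit trail

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash_password(password, salt))

    def is_locked(self, user: str) -> bool:
        return self.clock() < self.locked_until.get(user, 0)

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        if self.is_locked(user):
            self.events.append((now, user, "locked"))
            return "locked"
        record = self.users.get(user)
        # Unknown users are hashed against a dummy record so response
        # time does not reveal which usernames exist.
        salt, stored = record if record else (_DUMMY_SALT, _DUMMY_HASH)
        candidate = _hash_password(password, salt)
        valid = record is not None and hmac.compare_digest(candidate, stored)
        if valid:
            self.failures[user] = 0      # only consecutive failures count
            self.events.append((now, user, "ok"))
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            self.events.append((now, user, "lockout"))
        else:
            self.events.append((now, user, "bad_credentials"))
        return "bad_credentials"
```

The `events` list is what the information systems activity review would read: a run of `lockout` entries for one account, or for many accounts from one source, is the kind of pattern that review is meant to surface.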
Security Incident Procedures
Standard—Addressable
• Response and reporting—identify and
respond to suspected or known
security incidents; mitigate the harmful
effects; document security incidents
and their outcomes
Contingency Plan Standards—
Required and Addressable
• Data back-up plan
o What data needs to be backed up from
which sources
• Disaster recovery plan
o Procedures for the restoration of any loss
of data
• Emergency mode operation plan
o Continuation of critical business processes
while operating in emergency mode
Contingency Plan Standards—
Required and Addressable
(continued)
• Addressable
o Testing and revision of required
contingency plans—organizational size
and resources
o Criticality analysis of applications and data
• Balance recovery and management with the
criticality of the system
• Update when new systems are added or
changes are made
Evaluation Standard—Required
• Perform periodic evaluations, in
response to environmental or
operational changes, to determine
whether security policies and
procedures meet the requirements of
the Security Rule
Business Associate Contracts and
Other Arrangements—Required
• Business associates must
o Follow the Security Rule for ePHI.
o Have business associate agreements with
their subcontractors who must also follow
the security rule for ePHI. Covered entities
do not have business associate
agreements with these subcontractors.
o Obtain authorization prior to marketing
Physical Safeguard Standards
• Physical measures, policies, and
procedures to protect a covered
entity’s electronic information systems
and related buildings and equipment,
from natural and environmental
hazards, and unauthorized intrusion
Facility Access Control
Standard—Addressable
• Contingency operations—procedures
to restore lost data
• Security plan—safeguard the facility
and equipment from unauthorized
physical access, tampering, and theft
• Access control and validation
procedures—based on role
• Maintenance records—document
repairs and modifications related to
security
Workstation Use Standard
• Includes onsite and offsite workstations
• Policies and procedures for proper
function
• Surroundings of the workstation
• Allowed access—workstation must be
encrypted
Workstation Security Standard
• Physical safeguards for all workstations
that access ePHI to restrict access to
authorized users
• Policies and procedures for how
workstations are used and protected
Device and Media Controls
Standard—Addressable and
Required
• Disposal—must be unreadable and
unusable
• Media reuse—internal and external
• Accountability—movements of
hardware and electronic media
• Data back-up and storage—create
retrievable, exact copy
Technical Safeguards Standards
• Increased opportunity also increases
organizational risk
• Technology and the policy and
procedures for its use that protect
electronic protected health
information and control access to it
Access Control Standard—
Required and Addressable
• Allow access only to those persons or
software programs with granted access
rights
• Unique user identification
• Emergency access procedure
• Automatic logoff
• Encryption and decryption
Audit Control Standards
• Implement hardware, software, and/or
procedural mechanisms that record
and examine activity in information
systems that contain or use electronic
protected health information
• Track and record user activities to
monitor intentional and unintentional
actions
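Audit controls have two halves: recording activity and examining it. The recording is usually built into the EHR; the examining is what the information systems activity review has to supply. The following is an added example, not code from the slides: it parses a constructed ePHI access log and applies two assumed review rules (one user opening an unusual number of distinct charts in an hour, and chart access outside a defined shift window). The log format, the sample lines, the usernames, patient identifiers and thresholds are all constructed for illustration.

```python
"""Information systems activity review over an ePHI access log.

Added example, not from the slides. The log format, sample lines,
usernames, patient IDs, the per-hour chart threshold and the shift
window are constructed assumptions. The log is the "record" half of
the audit control standard; this script is the "examine" half.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: timestamp, user, action, patient id.
SAMPLE_LOG = """\
2013-03-04T09:02:11 nurse.kim VIEW P1001
2013-03-04T09:05:40 nurse.kim VIEW P1002
2013-03-04T22:47:03 clerk.ray VIEW P1003
2013-03-04T13:10:00 dr.ortiz VIEW P1004
2013-03-04T13:11:00 dr.ortiz VIEW P1005
2013-03-04T13:12:00 dr.ortiz VIEW P1006
2013-03-04T13:13:00 dr.ortiz VIEW P1007
2013-03-04T13:14:00 dr.ortiz VIEW P1008
2013-03-04T13:15:00 dr.ortiz VIEW P1009
2013-03-04T13:16:00 dr.ortiz VIEW P1010
2013-03-04T13:17:00 dr.ortiz VIEW P1011
2013-03-04T13:18:00 dr.ortiz VIEW P1012
2013-03-04T13:19:00 dr.ortiz VIEW P1013
2013-03-04T13:20:00 dr.ortiz VIEW P1014
"""

MAX_CHARTS_PER_HOUR = 10                           # assumption: site baseline
SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)   # assumption: normal hours


def parse_log(text: str):
    """Return (timestamp, user, action, patient) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def review(events):
    """Return a list of (rule, user, detail) findings for a reviewer."""
    findings = []
    # Rule 1: distinct charts opened by each user within each clock hour.
    charts = defaultdict(set)
    for ts, user, action, patient in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        charts[(user, hour)].add(patient)
    for (user, hour), ids in sorted(charts.items()):
        if len(ids) > MAX_CHARTS_PER_HOUR:
            findings.append(("volume", user,
                             f"{len(ids)} distinct charts at {hour:%Y-%m-%d %H:00}"))
    # Rule 2: chart access outside the shift window.
    for ts, user, action, patient in events:
        if not (SHIFT_START <= ts.time() < SHIFT_END):
            findings.append(("after_hours", user, f"{patient} at {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:12} {user:10} {detail}")
```

Both rules flag intentional and unintentional behaviour alike, which is the point of the second bullet: the review produces leads for a human to check against the user's role and schedule, not verdicts.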
Integrity Standard—Addressable
• Protect ePHI from improper alteration
or destruction
• The extent to which healthcare data
are complete, accurate, consistent, and
timely
• Ensure data are not improperly altered
or destroyed
Person or Entity Authentication
Standard
• Verify that a person or entity seeking
access to ePHI is the one claimed
o Are users who they claim to be?
o Methods
• Passwords
• Smart cards
• Tokens
• Fobs
• Biometrics
Transmission Security Standard—
Addressable
• ePHI being transmitted over an
electronic communications network
MUST be secured
• Integrity controls—electronically
transmitted ePHI cannot be improperly
modified
• Encryption—ePHI must be encrypted
whenever appropriate
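The integrity-controls item asks for a way to tell whether transmitted ePHI was modified in transit. The following is an added example, not code from the slides: the sender attaches an HMAC-SHA256 tag computed under a key shared with the receiver, and the receiver recomputes it and rejects any message whose payload or tag no longer matches. The key, the sample message, and the envelope format are constructed for the example; payload encryption (the slide's separate encryption item) is deliberately not shown, and in a real exchange the tag would be computed over the ciphertext rather than over plaintext ePHI.

```python
"""Integrity control for ePHI in transit, using an HMAC tag.

Added example, not from the slides. The key, message and envelope
format are constructed. Encryption of the payload is out of scope here;
in practice the tag would cover the ciphertext.
"""
import hashlib
import hmac
import json
import os


def make_key() -> bytes:
    """Shared secret for sender and receiver (distributed out of band)."""
    return os.urandom(32)


def seal(key: bytes, payload: dict) -> bytes:
    """Serialize canonically and append an HMAC-SHA256 tag on its own line."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_sealed(key: bytes, envelope: bytes):
    """Return the payload dict, or None if the integrity check fails."""
    try:
        body, tag = envelope.rsplit(b"\n", 1)
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None


def modified_in_transit(envelope: bytes, old: str, new: str) -> bytes:
    """Simulate a byte-level change to the body somewhere between the parties."""
    return envelope.replace(old.encode(), new.encode())


if __name__ == "__main__":
    key = make_key()
    env = seal(key, {"patient_id": "P1001", "dose_mg": 5})   # constructed
    print(open_sealed(key, env))
    print(open_sealed(key, modified_in_transit(env, '"dose_mg":5', '"dose_mg":50')))
```

Canonical serialization matters: if the receiver re-encoded the JSON with different key order or spacing before verifying, every valid message would fail the check, and teams then tend to weaken the check rather than fix the encoding.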
Confidentiality, Integrity and
Availability
• Confidentiality—ePHI is accessible only
by authorized people and processes
• Integrity—ePHI is not altered or
destroyed in an unauthorized manner
• Availability—ePHI can be accessed as
needed by authorized users
Enforcement
• Department of Health and Human
Services Office for Civil Rights (OCR)
• Must investigate all reported violations
and appropriately initiate investigations
for cause in absence of a reported
violation
Civil Penalties
• Fines or money damages to sanction
violators
• Prior to 2/18/2009
o Limit of $100 per violation
o Limit of $25,000 for identical violations
during a calendar year
Civil Penalties, continued
• No more than $1,500,000 for identical
violations each year in any situation
• Inadvertent violation with reasonable
diligence
o Between $100 and $50,000 for each
violation
• Violation due to reasonable cause and
not to willful neglect
o Between $1,000 and $50,000 for each
violation
Civil Penalties, continued
• Violation due to willful neglect, corrected
during 30-day period CE knew or would
have known of the violation
o Between $10,000 and $50,000 for each
violation
• Violation due to willful neglect and not
corrected during 30-day period CE knew
or would have known of the violation
o $50,000 for each violation
Criminal Penalties
• OCR refers cases it determines to be of
a criminal nature to the Department of
Justice. OCR and DOJ cooperate to
pursue possible violators.
o Must knowingly commit a HIPAA violation
o There HAVE been criminal convictions
• Most complaints found to be not
relevant
Breach Notification
• Finalized in 2013
• CEs and BAs MUST report breaches of
unsecured PHI
• Unsecured PHI—PHI that has not been
rendered unusable, unreadable, or
indecipherable to unauthorized
individuals through the use of a
technology or methodology
Breach Notification, continued
• Breach—the acquisition, access, use, or
disclosure of protected health
information in a manner not
permitted… which compromises the
security or privacy of the PHI
• Reporting requirement mandates
o Notification of the individual whose
information was breached
o If more than 500 individuals, notify the
media and the Secretary of HHS
Breach Notification, continued
• Breach notification exception
o CE or BA workforce unintentionally acquires,
uses, or discloses PHI under the authority of
the CE or BA
o When authorized workforce member
inadvertently discloses PHI to another
authorized workforce member in the same CE
or BA setting
o CE or BA who made inadvertent disclosure
has reason to believe the PHI recipient would
not have been able to retain the information
Risk Assessment
• Assess potential risks and areas of
vulnerability related to the security of
the ePHI
Medical Identity Theft
• The assumption of a person’s name
and/or other parts of his or her identity
without the victim’s knowledge or
consent to obtain medical services or
goods, or
• When someone uses the person’s identity
to obtain money by falsifying claims for
medical services and falsifying medical
records to support those claims
Medical Identity Theft Risks
• Financial loss
• Clinical risks if critical conditions,
procedures, medications, allergies and
other information are incorrectly
omitted or included
Cascading Effect of Medical
Identity Theft
Red Flag Rules
• Issued by the Federal Trade
Commission, Department of the
Treasury, Federal Reserve System,
Federal Deposit Insurance Corporation,
and the National Credit Union
Administration
• Requires creditor and financial
institutions to implement an Identity
Theft Prevention Program.
Red Flag Rules, continued
• Federal Trade Commission enforces the
rules that apply to healthcare
organizations
• Red Flags:
o Suspicious documents—do they appear to
have been altered?
o Suspicious information—addresses do not
match between ID and insurance
o Suspicious behaviors—confused about
type of insurance
Identity Theft Prevention Program
• Identify Covered Accounts
• Identify Relevant Red Flags
• Detect Red Flags
• Respond to Red Flags
• Oversee the Program
• Train Employees
• Oversee Service Provider Arrangements
• Approve the Identity Theft Prevention
Program
• Provide Reports and Periodic Updates
Identity Theft Operational
Recommendations
• Urge and educate consumers to
adopt preventive measures
o Exercise caution when sharing personal
information
o Monitor EOB received from insurance
o Maintain copies of healthcare records
o Monitor credit reports for unexpected
medical charges
o Protect all health insurance and financial
information
Identity Theft Operational
Recommendations (continued)
• Establish organizational methods to
prevent and detect medical identity
theft
o Annual security risk analysis
o Background checks when hiring
o Patient ID verification processes
o Minimize use of SSN
o Policies and procedures to safeguard info
o Create plan to handle suspicious activity
o Ongoing staff training
Identity Theft Operational
Recommendations (continued)
• Data in the patient record
o Policies and procedures to allow victims
access to their patient records
o Establish mechanisms to correct
inaccurate information
o Keep current with medical identity theft
legislation and regulations
o Provide victims with resources and tools
for easier recovery
Disaster Preparedness
• Ensure protection of organizational
information assets
• Ensure information functions can
continue when disasters occur
Protecting Information Assets
• NIST Special Publication 800-34, Rev. 1,
Contingency Planning Guide for Federal
Information Systems
• NIST Special Publication 800-30, Rev. 1,
Guide for Conducting Risk Assessments
• Business impact analysis—evaluate and
prioritize all potential risks
Business Impact Analysis
• Recovery Point Objective—length of
time the organization can operate
without an application
• Recovery Time Objective—maximum
amount of time tolerable for data loss
and capture
Business Impact Analysis
(continued)
1. What are the minimal resources for
operations?
2. What are the business recovery
objectives and assumptions?
3. What is the order for restoration of
services?
4. What would be the operational,
financial, and reputational impact of
loss of data?
Information Security Threat
Analysis
Backup Data Facilities
• Hot Site
• Warm Site
• Cold Site
Disaster Planning
• Organizations need to help their
employees be prepared
• Planning
• Preparedness
o Training
o Testing
• Response and Recovery
Summary
• Security Risk Analysis is essential
• Medical Identity Theft
• Disaster Planning

Basics of Anatomy- Language of Anatomy.pptxAyush Gupta
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591adityaroy0215
 
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service MohaliCall Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service MohaliHigh Profile Call Girls Chandigarh Aarushi
 

Recently uploaded (20)

No Advance 9053900678 Chandigarh Call Girls , Indian Call Girls For Full Ni...
No Advance 9053900678 Chandigarh  Call Girls , Indian Call Girls  For Full Ni...No Advance 9053900678 Chandigarh  Call Girls , Indian Call Girls  For Full Ni...
No Advance 9053900678 Chandigarh Call Girls , Indian Call Girls For Full Ni...
 
VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591
VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591
VIP Call Girl Sector 88 Gurgaon Delhi Just Call Me 9899900591
 
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
 
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near MeVIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
VIP Call Girls Noida Jhanvi 9711199171 Best VIP Call Girls Near Me
 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
 
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
 
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
Call Girl In Zirakpur ❤️♀️@ 9988299661 Zirakpur Call Girls Near Me ❤️♀️@ Sexy...
 
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
 
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar SumanCall Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
Call Girl Price Amritsar ❤️🍑 9053900678 Call Girls in Amritsar Suman
 
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
 
Udaipur Call Girls 📲 9999965857 Call Girl in Udaipur
Udaipur Call Girls 📲 9999965857 Call Girl in UdaipurUdaipur Call Girls 📲 9999965857 Call Girl in Udaipur
Udaipur Call Girls 📲 9999965857 Call Girl in Udaipur
 
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
Vip sexy Call Girls Service In Sector 137,9999965857 Young Female Escorts Ser...
 
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real MeetChandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
 
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near MeVIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
 
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
Russian Call Girls in Chandigarh Ojaswi ❤️🍑 9907093804 👄🫦 Independent Escort ...
 
VIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service Lucknow
VIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service LucknowVIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service Lucknow
VIP Call Girls Lucknow Isha 🔝 9719455033 🔝 🎶 Independent Escort Service Lucknow
 
Basics of Anatomy- Language of Anatomy.pptx
Basics of Anatomy- Language of Anatomy.pptxBasics of Anatomy- Language of Anatomy.pptx
Basics of Anatomy- Language of Anatomy.pptx
 
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
VIP Call Girl Sector 25 Gurgaon Just Call Me 9899900591
 
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service MohaliCall Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
Call Girls in Mohali Surbhi ❤️🍑 9907093804 👄🫦 Independent Escort Service Mohali
 

Introduction to Health Informatics Ch11 power point

1. Chapter 11: Security for Healthcare Informatics (Introduction to Healthcare Informatics, © 2013)

2. Objectives
• Differentiate between addressable and required implementation specifications
• Describe what a security risk analysis entails
• Differentiate between the concepts of vulnerabilities, risks, and threats
• Provide examples of administrative, physical, and technical safeguards
• Appreciate the foundational importance of confidentiality, integrity, and availability in regard to the HIPAA Security Rule

3. Objectives
• Articulate the HIPAA Security Rule complaint and enforcement process
• Identify the agencies responsible for HIPAA Security Rule enforcement
• Describe civil and criminal penalties and the tiered penalty approach
• Explain how HITECH modifies the HIPAA Security Rule
• Define medical identity theft

4. Objectives
• Discuss the potential impacts of medical identity theft on patients and other stakeholders
• Describe the steps required for conducting a business impact analysis
• Delineate the concerns, challenges, and potential solutions involved in preparing a full-fledged information and organizational disaster preparedness plan

5. Types of Standards
• Flexible, scalable, technology-neutral solutions and alternatives
• Implementation specifications
  o Required—must be implemented as described in the regulation
  o Addressable—should be implemented unless an organization determines the specification is not reasonable and appropriate. The organization must document its assessment and decision

6. Foundation
• ePHI—electronic protected health information
• Security incident—the attempted or successful unauthorized access, use, disclosure, modification, or destruction, or interference with systems operations in an information system

7. Security Risk Analysis
• Full evaluation of the methods, operational practices, and policies used by the covered entity to secure ePHI
• Structural framework on which to build the HIPAA Security Plan
• Required for Meaningful Use

8. NIST Guidance on Risk Analysis
• Have you identified the ePHI within your organization? This includes ePHI that you create, receive, maintain or transmit.
• What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain, or transmit ePHI?
• What are the human, natural, and environmental threats to information systems that contain ePHI? (NIST SP 800-66 2008)

9. Vulnerabilities
• An inherent weakness or absence of a safeguard that can be exploited by a threat
• Inappropriate protective methods
  o Technical
    • Firewalls, virus blocker
  o Nontechnical
    • Policies and procedures

10. Threat
• The potential for exploitation of a vulnerability or potential danger to a computer, network, or data
• Natural—storms, earthquakes, etc.
• Human
  o Intentional—hacking
  o Unintentional—forgetting to log off
• Environmental—power failure

11. Risks
• The probability of incurring injury or loss
• Compare the probability to the potential impact

12. Mandated Risk Analysis Elements
• Scope of the Risk Analysis
• Data Collection
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Potential Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates to the Risk Assessment
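The risk analysis elements above (threats and vulnerabilities, current measures, likelihood, impact, level of risk, documentation) carried through on a constructed ePHI inventory, as an added example that is not part of the original slides or the textbook. The asset names, the three-step rating scale, the multiplication of likelihood by impact and the rule that each existing safeguard lowers likelihood one step are assumptions made for illustration.

```python
"""Worked risk analysis over a constructed ePHI inventory.

Added example, not part of the original slides or the textbook. Asset
names, threats, ratings, the three-step rating scale and the rule that
each existing safeguard lowers likelihood one step are all constructed
for illustration; the steps follow the mandated elements on the slides.
"""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}
NAME = {1: "low", 2: "medium", 3: "high"}
PRIORITY = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    asset: str                 # system that creates, receives, maintains or transmits ePHI (scope)
    threat: str                # natural, human (intentional/unintentional) or environmental
    vulnerability: str         # weakness or missing safeguard the threat could exploit
    likelihood: str            # low/medium/high before current measures are considered
    impact: str                # low/medium/high impact on confidentiality, integrity, availability
    current_measures: tuple = ()   # safeguards already in place (assess current security measures)


def residual_likelihood(likelihood: str, measures: tuple) -> str:
    """Constructed rule: each documented safeguard lowers likelihood one step, floor 'low'."""
    return NAME[max(RATING[likelihood] - len(measures), 1)]


def risk_level(likelihood: str, impact: str) -> str:
    """Level of risk from likelihood x impact on a 1..9 scale (constructed thresholds)."""
    score = RATING[likelihood] * RATING[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def analyze(findings):
    """Return one documented row per finding, highest residual risk first."""
    rows = []
    for f in findings:
        resid = residual_likelihood(f.likelihood, f.current_measures)
        rows.append({
            "asset": f.asset,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "inherent_risk": risk_level(f.likelihood, f.impact),
            "current_measures": list(f.current_measures),
            "residual_likelihood": resid,
            "residual_risk": risk_level(resid, f.impact),
        })
    rows.sort(key=lambda r: PRIORITY[r["residual_risk"]])   # stable: ties keep input order
    return rows


def needs_risk_management(rows):
    """Assets the risk management element must address (residual risk above low)."""
    return [r["asset"] for r in rows if r["residual_risk"] != "low"]


# Constructed sample inventory
SAMPLE_FINDINGS = [
    Finding("EHR database server", "human, intentional (external attacker)",
            "database service reachable from the clinical network without patching",
            "high", "high", ("perimeter firewall", "intrusion detection")),
    Finding("Clinic laptop with ePHI exports", "human, unintentional (laptop lost)",
            "hard disk not encrypted", "medium", "high"),
    Finding("Billing file share", "environmental (power failure)",
            "no uninterruptible power supply", "medium", "low", ("nightly backup",)),
    Finding("Patient portal workstation", "human, unintentional (user forgets to log off)",
            "no automatic logoff configured", "high", "medium",
            ("security reminder training",)),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_FINDINGS):
        print(f'{row["residual_risk"]:6} (inherent {row["inherent_risk"]:6}) {row["asset"]}')
```

Note that the unencrypted laptop ends up above the database server: the server's inherent risk is higher, but its existing safeguards lower the residual risk, which is what the risk management element should prioritize.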
13. Administrative Safeguard Standards
• Policies and procedures
  o Manage the selection, development, implementation and maintenance of security measures to protect ePHI
  o Manage the conduct of the covered entity's or business associate's workforce in relation to the protection of the information

14. Security Management Process Standard—Required
• Risk analysis
• Risk management element
  o Communication of security processes
  o Leadership involvement with risk mitigation
• Sanctions policy—how noncompliance will be addressed
• Information systems activity review—procedures for monitoring system use

15. Security Officer
• The official who is responsible for the development and implementation of the required Security Rule policies and procedures

16. Workforce Security Standard—Addressable
• Authorization and supervision—determining the level of access for each workforce member
• Workforce clearance procedures—determining that access to ePHI is appropriate
• Termination procedures—removal of access privileges when employment ends

17. Information Access Management Standard—Required and Addressable
• Required—healthcare clearinghouses must segregate their data from other activities
• Addressable
  o Access authorization—policies and procedures for granting access
  o Authorization and access establishment and modification—policies and procedures to establish, document, review and modify a user's right of access

18. Security Awareness and Training Standard—Addressable
• All existing workforce members must receive training and periodic training on updates
  o Security reminders—pop-up for log-off
  o Protection from malicious software—guidance for opening attachments
  o Log-in monitoring—lockout after 3 unsuccessful log-in attempts
  o Password protection—creation, changing and safeguarding passwords

19. Security Incident Procedures Standard—Addressable
• Response and reporting—identify and respond to suspected or known security incidents; mitigate the harmful effects; document security incidents and their outcomes

20. Contingency Plan Standards—Required and Addressable
• Data back-up plan
  o What data needs to be backed up from which sources
• Disaster recovery plan
  o Procedures for the restoration of any loss of data
• Emergency mode operation plan
  o Continuation of critical business processes while operating in emergency mode

21. Contingency Plan Standards—Required and Addressable (continued)
• Addressable
  o Testing and revision of required contingency plans—organizational size and resources
  o Criticality analysis of applications and data
    • Balance recovery and management with the criticality of the system
    • Update when new systems are added or changes are made

22. Evaluation Standard—Required
• Perform periodic evaluations, in response to environmental or operational changes, to determine whether security policies and procedures meet the requirements of the Security Rule

23. Business Associate Contracts and Other Arrangements—Required
• Business associates must
  o Follow the Security Rule for ePHI.
  o Have business associate agreements with their subcontractors, who must also follow the Security Rule for ePHI. Covered entities do not have business associate agreements with these subcontractors.
  o Obtain authorization prior to marketing

24. Physical Safeguard Standards
• Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion

25. Facility Access Control Standard—Addressable
• Contingency operations—procedures to restore lost data
• Security plan—safeguard the facility and equipment from unauthorized physical access, tampering and theft
• Access control and validation procedures—based on role
• Maintenance records—document repairs and modifications related to security

26. Workstation Use Standard
• Includes onsite and offsite workstations
• Policies and procedures for proper function
• Surroundings of the workstation
• Allowed access—workstation must be encrypted

27. Workstation Security Standard
• Physical safeguards for all workstations that access ePHI to restrict access to authorized users
• Policies and procedures for how workstations are used and protected

28. Device and Media Controls Standard—Addressable and Required
• Disposal—must be unreadable and unusable
• Media reuse—internal and external
• Accountability—movements of hardware and electronic media
• Data back-up and storage—create a retrievable, exact copy

29. Technical Safeguards Standards
• Increased opportunity also increases organizational risk
• Technology and the policies and procedures for its use that protect electronic protected health information and control access to it

30. Access Control Standard—Required and Addressable
• Allow access only to those persons or software programs with granted access rights
• Unique user identification
• Emergency access procedure
• Automatic logoff
• Encryption and decryption

31. Audit Control Standards
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information
• Track and record user activities to monitor intentional and unintentional actions
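An information systems activity review (slide 14) run over constructed audit records, checking three of the controls named on slides 18, 30 and 31: lockout after 3 unsuccessful log-in attempts, automatic logoff, and unique user identification. This is an added example, not code from the original slides or the textbook; the log format, user names, the 10-minute failure window, the 15-minute idle limit and the list of generic account names are assumptions.

```python
"""Information systems activity review over constructed audit records.

Added example, not part of the original slides or the textbook. The log
format, user names and the 10-minute failure window are constructed; the
3-attempt lockout follows the slide on log-in monitoring, and the 15-minute
idle limit is an assumed automatic-logoff setting.
"""
from collections import Counter
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                    # lockout after 3 unsuccessful log-in attempts
FAIL_WINDOW = timedelta(minutes=10)      # constructed: failures counted within this window
IDLE_LIMIT = timedelta(minutes=15)       # assumed automatic logoff limit
GENERIC_ACCOUNTS = {"shared", "admin"}   # constructed: accounts that defeat unique user identification

# Constructed audit records: timestamp, user, event, workstation
AUDIT_LOG = """\
2013-04-02T08:01:10 jdoe LOGIN_FAIL WS-ICU-3
2013-04-02T08:01:25 jdoe LOGIN_FAIL WS-ICU-3
2013-04-02T08:01:40 jdoe LOGIN_FAIL WS-ICU-3
2013-04-02T08:01:55 jdoe LOGIN_FAIL WS-ICU-3
2013-04-02T08:05:00 asmith LOGIN_OK WS-ER-1
2013-04-02T08:06:12 asmith VIEW_EPHI WS-ER-1
2013-04-02T08:30:00 asmith VIEW_EPHI WS-ER-1
2013-04-02T09:10:00 asmith LOGOUT WS-ER-1
2013-04-02T09:00:00 shared LOGIN_OK WS-LAB-2
"""


def parse(log_text):
    """Parse records and sort by time so the review tolerates out-of-order lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, workstation = line.split()
        records.append((datetime.fromisoformat(ts), user, event, workstation))
    records.sort(key=lambda r: r[0])
    return records


def review(log_text):
    """Return findings for lockout, idle-session and shared-account conditions."""
    findings = []
    failures = {}    # user -> timestamps of recent failed log-ins
    last_seen = {}   # user -> last activity time in an open session
    for ts, user, event, ws in parse(log_text):
        if event == "LOGIN_FAIL":
            recent = [t for t in failures.get(user, []) if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == LOCKOUT_THRESHOLD:   # report once, at the third failure
                findings.append({"type": "lockout", "user": user, "at": ts, "workstation": ws})
            continue
        if event == "LOGIN_OK":
            failures.pop(user, None)
            last_seen[user] = ts
            if user in GENERIC_ACCOUNTS:
                findings.append({"type": "shared_account", "user": user, "at": ts, "workstation": ws})
            continue
        # Any other event is activity inside a session: check the idle gap before it
        prev = last_seen.get(user)
        if prev is not None and ts - prev > IDLE_LIMIT:
            findings.append({"type": "idle_session", "user": user, "at": prev,
                             "idle_minutes": int((ts - prev).total_seconds() // 60)})
        if event == "LOGOUT":
            last_seen.pop(user, None)
        else:
            last_seen[user] = ts
    return findings


def summarize(findings):
    """Count findings by type for the activity review report."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

An idle-session finding means the workstation stayed logged in past the configured limit, so the automatic logoff control should be checked on that workstation; a lockout finding is only meaningful if the system also enforces the lockout, which the audit trail itself does not prove.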
32. Integrity Standard—Addressable
• Protect ePHI from improper alteration or destruction
• The extent to which healthcare data are complete, accurate, consistent, and timely
• Ensure data are not improperly altered or destroyed

33. Person or Entity Authentication Standard
• Verify that a person or entity seeking access to ePHI is the one claimed
  o Are users who they claim to be?
  o Methods
    • Passwords
    • Smart cards
    • Tokens
    • Fobs
    • Biometrics

34. Transmission Security Standard—Addressable
• ePHI being transmitted over an electronic communications network MUST be secured
• Integrity controls—electronically transmitted ePHI cannot be improperly modified
• Encryption—ePHI must be encrypted whenever appropriate

35. Confidentiality, Integrity and Availability
• Confidentiality—ePHI is accessible only by authorized people and processes
• Integrity—ePHI is not altered or destroyed in an unauthorized manner
• Availability—ePHI can be accessed as needed by authorized users

36. Enforcement
• Department of Health and Human Services Office of Civil Rights (OCR)
• Must investigate all reported violations and appropriately initiate investigations for cause in the absence of a reported violation

37. Civil Penalties
• Fines or money damages to sanction violators
• Prior to 2/18/2009
  o Limit of $100 per violation
  o Limit of $25,000 for identical violations during a calendar year

38. Civil Penalties (continued)
• No more than $1,500,000 for identical violations each year in any situation
• Inadvertent violation with reasonable diligence
  o Between $100 and $50,000 for each violation
• Violation due to reasonable cause and not to willful neglect
  o Between $1,000 and $50,000 for each violation

39. Civil Penalties (continued)
• Violation due to willful neglect, corrected during the 30-day period in which the CE knew or would have known of the violation
  o Between $10,000 and $50,000 for each violation
• Violation due to willful neglect and not corrected during the 30-day period in which the CE knew or would have known of the violation
  o $50,000 for each violation

40. Criminal Penalties
• OCR refers cases it determines to be of a criminal nature to the Department of Justice. OCR and DOJ cooperate to pursue possible violators.
  o Must knowingly commit a HIPAA violation
  o There HAVE been criminal convictions
• Most complaints are found to be not relevant

41. Breach Notification
• Finalized in 2013
• CEs and BAs MUST report breaches of unsecured PHI
• Unsecured PHI—PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology

42. Breach Notification (continued)
• Breach—the acquisition, access, use or disclosure of protected health information in a manner not permitted ... which compromises the security or privacy of the PHI
• Reporting requirement mandates
  o Notification of the individual whose information was breached
  o If more than 500 individuals, notify the media and the Secretary of HHS

43. Breach Notification (continued)
• Breach notification exceptions
  o A CE or BA workforce member unintentionally acquires, uses, or discloses PHI under the authority of the CE or BA
  o An authorized workforce member inadvertently discloses PHI to another authorized workforce member in the same CE or BA setting
  o The CE or BA that made the inadvertent disclosure has reason to believe the PHI recipient would not have been able to retain the information

44. Risk Assessment
• Assess potential risks and areas of vulnerability related to the security of the ePHI

45. Medical Identity Theft
• The assumption of a person's name and/or other parts of his or her identity without the victim's knowledge or consent to obtain medical services or goods, or
• When someone uses the person's identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims

46. Medical Identity Theft Risks
• Financial loss
• Clinical risks if critical conditions, procedures, medications, allergies and other information are incorrectly omitted or included

47. Cascading Effect of Medical Identity Theft

48. Red Flag Rules
• Issued by the Federal Trade Commission, Department of the Treasury, Federal Reserve System, Federal Deposit Insurance Corporation, and the National Credit Union Administration
• Requires creditors and financial institutions to implement an Identity Theft Prevention Program

49. Red Flag Rules (continued)
• The Federal Trade Commission enforces the rules that apply to healthcare organizations
• Red flags:
  o Suspicious documents—do they appear to have been altered?
  o Suspicious information—addresses do not match between ID and insurance
  o Suspicious behaviors—confused about type of insurance

50. Identity Theft Prevention Program
• Identify Covered Accounts
• Identify Relevant Red Flags
• Detect Red Flags
• Respond to Red Flags
• Oversee the Program
• Train Employees
• Oversee Service Provider Arrangements
• Approve the Identity Theft Prevention Program
• Provide Reports and Periodic Updates

51. Identity Theft Operational Recommendations
• Urge and educate consumers to adopt preventive measures
  o Exercise caution when sharing personal information
  o Monitor EOBs received from insurance
  o Maintain copies of healthcare records
  o Monitor credit reports for unexpected medical charges
  o Protect all health insurance and financial information

52. Identity Theft Operational Recommendations (continued)
• Establish organizational methods to prevent and detect medical identity theft
  o Annual security risk analysis
  o Background checks when hiring
  o Patient ID verification processes
  o Minimize use of SSN
  o Policies and procedures to safeguard information
  o Create a plan to handle suspicious activity
  o Ongoing staff training

53. Identity Theft Operational Recommendations (continued)
• Data in the patient record
  o Policies and procedures to allow victims access to their patient records
  o Establish mechanisms to correct inaccurate information
  o Keep current with medical identity theft legislation and regulations
  o Provide victims with resources and tools for easier recovery

54. Disaster Preparedness
• Ensure protection of organizational information assets
• Ensure information functions can continue when disasters occur

55. Protecting Information Assets
• NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems
• NIST Special Publication 800-30, Rev. 1, Guide for Conducting Risk Assessments
• Business impact analysis—evaluate and prioritize all potential risks

56. Business Impact Analysis
• Recovery Point Objective—length of time the organization can operate without an application
• Recovery Time Objective—maximum amount of time tolerable for data loss and capture

57. Business Impact Analysis (continued)
  1. What are the minimal resources for operations?
  2. What are the business recovery objectives and assumptions?
  3. What is the order for restoration of services?
  4. What would be the operational, financial, and reputational impact of loss of data?

58. Information Security Threat Analysis: Backup Data Facilities
• Hot site
• Warm site
• Cold site

59. Disaster Planning
• Organizations need to help their employees be prepared
• Planning
• Preparedness
  o Training
  o Testing
• Response and Recovery

60. Summary
• Security Risk Analysis is essential
• Medical Identity Theft
• Disaster Planning