SlideShare a Scribd company logo
TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
HIPAA - Privacy & Security in Heath Care IT
Ray Trygstad
ITM 478/578
Spring 2004
Master of Information Technology & Management Program
CenterforProfessional Development
ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives:
Upon completion of this lesson the
student should be able to:
– Discuss information security implications of
the Health Insurance Portability and
Accountability Act (HIPPA)
– Discuss information security impact of the
HIPAA Privacy Rule
– Describe key components and
implemetation of the HIPAA Security Rule
ITM 578 3
ILLINOIS INSTITUTE OF TECHNOLOGY
What is HIPAA?
 Health Insurance Portability and
Accountability Act (HIPAA)
– Signed into law August 1996
 Part of this Act, Administrative
Simplification, intends to reduce
administrative costs and burdens
in the health care industry
 Requires Department of Health and Human
Services to adopt national uniform standards
for electronic transmission of certain health
information
ITM 578 4
ILLINOIS INSTITUTE OF TECHNOLOGY
Who is Affected? (“covered entities”)
 All healthcare
organizations
 All health care
providers (even
1-physician offices)
 Health plans
 Employers
 Public health 
authorities
 Life insurers
 Clearinghouses
 Billing agencies
 Information 
systems vendors
 Service organizations
 Universities with
health care curricula
or even just student
health services
Anyone that transmits any health information in electronic
formin connection with healthcare transactions
ITM 578 5
ILLINOIS INSTITUTE OF TECHNOLOGY
Standards for Electronic Transactions
 Standards for electronic health information
transactions
 Within 18 months HHS Secretary required to adopt
standards from among those already approved by
standards organizations for certain electronic health
transactions including:
– Claims
– Enrollment
– Eligibility
– Payment
– Coordination of benefits
 Standards also must address security of electronic
health information systems.
ITM 578 6
ILLINOIS INSTITUTE OF TECHNOLOGY
(18 Months?)
It’s now been six years and standards
are still not fully in place!
 Will not go into full effect until 2005!
Isn’t government wonderful?)
ITM 578 7
ILLINOIS INSTITUTE OF TECHNOLOGY
More on the HIPAA Bill
 Providers and health plans required to use
standards for specified electronic transactions
24 months after adoption
 Plans and providers may comply directly or
use a health care clearinghouse
 HIPAA supersedes state laws except state
laws that impose more stringent
requirements
 HIPPA imposes civil money penalties and
prison for certain violations
ITM 578 8
ILLINOIS INSTITUTE OF TECHNOLOGY
Penalties for Violations
Fines up to $25,000 for multiple
violations of the same standard in a
calendar year
Fines up to $250K and/or imprisonment
up to 10 years for knowing misuse of
individually identifiable health
information
!!!
ITM 578 9
ILLINOIS INSTITUTE OF TECHNOLOGY
HIPAA Privacy
HIPAA Privacy Rule went into effect
in April 2003
Restricts how covered entities may use
and disclose individually identifiable
health information
Requires security for such data
Grants individuals certain rights to
access and correct their personal
health information
ITM 578 10
ILLINOIS INSTITUTE OF TECHNOLOGY
HIPAA Privacy Requirements
 HIPAA requires covered entities to:
– Have written privacy procedures, including
• Description of staff granted access to protected
information
• How it will be used
• When it may be disclosed
• Business associates (including IT vendors!) with access
to protected information must agree to same limitations
on use and disclosure of that information
– Train employees in privacy procedures
– Designate someone responsible for ensuring
procedures are followed (the “HIPAA czar”)
ITM 578 11
ILLINOIS INSTITUTE OF TECHNOLOGY
HIPAA Privacy Requirements
 Rule permits covered entities to disclose health
information for specific public responsibilities:
– emergency circumstances
– identification of the body of a deceased person, or the cause
of death
– public health needs
– research that with limited data or independently approved
by a Review Board or privacy board
– oversight of the health care system
– judicial and administrative proceedings
– limited law enforcement activities
– activities related to national defense and security
 Equivalent Requirements exist for Government
ITM 578 12
ILLINOIS INSTITUTE OF TECHNOLOGY
HIPAA Security Rule
 First government-mandated framework
for an information security policy covering
non-governmental entities
 Published in February 2003
 Covered entities (CEs) must be in compliance
April 21, 2005
 Portions of Security Rule that implement the
Privacy Rule were effective last April
ITM 578 13
ILLINOIS INSTITUTE OF TECHNOLOGY
HIPAA Security Rule
Covered entities required to observe
Privacy Rule requirements with
respect to all Patient Health
Information (PHI) in any form,
electronic or not, but the Security
Rule only applies to PHI in
electronic form
ITM 578 14
ILLINOIS INSTITUTE OF TECHNOLOGY
Requirements of HIPAA Security Rule
 Maintain reasonable & appropriate
administrative, technical and physical
safeguards to
– Ensure the integrity and confidentiality of
information
– Protect against
• any reasonably anticipated threats or hazards to the
security or integrity of the information
• unauthorized uses or disclosures of the information,
i.e. any reasonably anticipated uses or disclosures not
permitted by Privacy Rule
– Otherwise to ensure compliance with this part by
officers & employees
ITM 578 15
ILLINOIS INSTITUTE OF TECHNOLOGY
Three Categories of Safeguards
The rule outlines 3 categories of
safeguards to establish a minimum
level of protection:
– Administrative safeguards
– Physical safeguards
– Technical safeguards
ITM 578 16
ILLINOIS INSTITUTE OF TECHNOLOGY
Three Categories of Safeguards
 Administrative safeguards: Ensures that
formal policies for overseeing
implementation and management of security
measures are established and implemented
 Physical safeguards: Ensures facilities where
electronic information systems are stored are
protected from intrusions and other hazards
 Technical safeguards: Ensures only
authorized access to electronic personal
health information is permitted, through
implementation of firewalls, passwords, and
other measures
ITM 578 17
ILLINOIS INSTITUTE OF TECHNOLOGY
Principles of the Security Rule
 Scalability
– Any size healthcare entity must be able to comply
with the rule
 Comprehensiveness
– Meant to result in a unified system of protection
for PHI
– CEs must use a defense in depth security
approach
 Technology neutral
– No specific technology recommendations (e.g.,
specific type of firewall, IDS, access control
system).
– Each CE must choose appropriate technology to
protect PHI.
ITM 578 18
ILLINOIS INSTITUTE OF TECHNOLOGY
Principles of the Security Rule
 Internal and external security threats
– Must protect PHI against both internal and
external threats
 Minimum standard
– Defines the least that CEs must do to protect
PHI (they may choose to do more)
 Risk analysis
– Requires CEs to conduct thorough & accurate
risk analysis that considers “all relevant losses”
that would be expected if specific security
measures are not in place
– “Relevant losses” include losses caused by
unauthorized use and disclosure of data and
unauthorized modification of data
ITM 578 19
ILLINOIS INSTITUTE OF TECHNOLOGY
Security Rule Key Concepts
 Principle based
– Presents a series of security best practices and
principles with which CEs must comply
– Step by step checklists not provided
 Reasonableness
– CEs must do everything appropriate to avert
all reasonably anticipated risks to PHI
– CEs must balance resources and business
requirements against risks to PHI
 Full compliance
– All CE staff, including management and those
working at home, must comply
ITM 578 20
ILLINOIS INSTITUTE OF TECHNOLOGY
Security Rule Key Concepts
 Developed from multiple security guidelines and
standards
– Those creating the rule found no existing single security
standard or best practice that described how to
comprehensively protect PHI
– Therefore the rule is based on many different security
guidelines, standards, and best practices
 Documentation
– CEs must document a variety of security processes, policies,
and procedures
– CEs must document Security Rule implementation decisions
 Ongoing compliance
– CEs must regularly train employees
– CEs must revise security policies and procedures as needed
ITM 578 21
ILLINOIS INSTITUTE OF TECHNOLOGY
Standards & Specifications
 Rule breaks down into 18 standards and
36 implementation specifications
 A standard explains what a CE must do
 An implementation specification explains
how to do it
 12 standards have associated
implementation specifications; 6 do not
 14 implementation specifications are
required; 22 are addressable
ITM 578 22
ILLINOIS INSTITUTE OF TECHNOLOGY
Requirements & Structure
Requirements (Physical, Administrative, Technical Safeguards)Requirements (Physical, Administrative, Technical Safeguards)
StandardsStandardswithwith ImplementationImplementation
Specifications (12)Specifications (12)
witho utwitho ut ImplementationImplementation
Specifications (6)Specifications (6)
Implementation SpecificationsImplementation Specifications
Required (14)Required (14)
Addressable (22)Addressable (22)
Source: Weil, Steven HIPAAConsensus ResearchProject SANS Institute, 2003; http://www.sans.org/projects/hipaa.php
ITM 578 23
ILLINOIS INSTITUTE OF TECHNOLOGY
Required and Addressable
 Required specifications are, well, required
and must be implemented
 Addressable implementation specifications
leave CEs with three possible choices
– Implement specification if reasonable and
appropriate
– Implement an alternative security measure to
accomplish purposes of the standard
– Implement nothing if specification is not
reasonable & appropriate and the standard
can still be met
ITM 578 24
ILLINOIS INSTITUTE OF TECHNOLOGY
Addressable Specification Choices
 If implementation specification is reasonable
& appropriate, CE must implement it
 If implementation specification not
reasonable & appropriate, but standards
cannot be met without an appropriate
security measure, CE must
– Document why it would not be reasonable &
appropriate to implement
– Implement & document alternative security
measure(s) that accomplishes the same purpose
ITM 578 25
ILLINOIS INSTITUTE OF TECHNOLOGY
Addressable Specification Choices
 If implementation specifications not
reasonable & appropriate, but standards
can be met without an appropriate
security measure, CE must
– Document decision not to implement
– Document why it would not be reasonable &
appropriate to implement
– Document how the standard is being met
ITM 578 26
ILLINOIS INSTITUTE OF TECHNOLOGY
Addressable Specification Choices
 Factors to take into account when deciding
how to respond to addressable
specifications:
– Size, complexity, & capabilities of the
organization
– Existing technical infrastructure, hardware,
and software security capabilities
– Costs of security measures
– Likelihood & seriousness of potential risks to
PHI
ITM 578 27
ILLINOIS INSTITUTE OF TECHNOLOGY
Implementing HIPAA
Specifications can be implemented in
any order, as long as standards are met
by the deadline
May use any security measures
allowing the CE to reasonably and
appropriately implement the rule
ITM 578 28
ILLINOIS INSTITUTE OF TECHNOLOGY
Breakdown of Specifications
Administrative Safeguards (55%)
– 12 Required, 11 Addressable
Physical Safeguards (24%)
– 4 Required, 6 Addressable
Technical Safeguards (21%)
– 4 Requirements, 5 Addressable
ITM 578 29
ILLINOIS INSTITUTE OF TECHNOLOGY
Administrative Safeguards
Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
Assigned security responsibility
– One individual (not an organization)
with responsibility (R)
ITM 578 30
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Assessment / Analysis
Each CE must:
– Assess security risks
– Determine risk tolerance or risk aversion
– Devise, implement, and maintain appropriate
security to address business requirements
• Does not imply that organizations are given complete
discretion to make their own rules
– Document security decisions
ITM 578 31
ILLINOIS INSTITUTE OF TECHNOLOGY
Assigned Security Responsibility
 Chief Information Security Officer (CISO) or
Information Security Officer (ISO)
 Large organizations may have site-security
coordinators working with CISO/ISO
 Security standards extend to CE employees
even if they work at home as do many
transcriptionists
ITM 578 32
ILLINOIS INSTITUTE OF TECHNOLOGY
Administrative Safeguards
Workforce Security
– Authorization and/or supervision (A)
– Workforce clearance procedure (A)
– Termination procedures (A)
Information access management
– Minimum necessary rule
ITM 578 33
ILLINOIS INSTITUTE OF TECHNOLOGY
Workforce Security
Authorization controls verify identity
of employees permitted to access PHI
Clearance procedure describes types
of background checks that will be
conducted for employees
Termination procedures include
collecting access control devices or
changing door locks, etc.
ITM 578 34
ILLINOIS INSTITUTE OF TECHNOLOGY
Administrative Safeguards
Security Awareness and Training
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
Security Incident Procedures
– Response and Reporting (R)
ITM 578 35
ILLINOIS INSTITUTE OF TECHNOLOGY
Administrative Safeguards
Contingency Plan
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality
Analysis (A)
ITM 578 36
ILLINOIS INSTITUTE OF TECHNOLOGY
Awareness & Training
 “Security awareness training is a critical
activity, regardless of an organization’s size.”
 Training, Education and Awareness (TEA)
– Awareness training for all personnel (including
management)
– Periodic security reminders
– User education concerning virus protection
– User education in importance of monitoring login
success or failure, and how to report discrepancies
– User education in password management
ITM 578 37
ILLINOIS INSTITUTE OF TECHNOLOGY
Security Incident Procedures
Provides methods for users to report
unusual security occurrences or
breaches to patient confidentiality
Goals:
– Identify
– Contain
– Correct
– Prevent
ITM 578 38
ILLINOIS INSTITUTE OF TECHNOLOGY
Administrative Safeguards
Evaluation
– Periodic review of technical controls and
procedural review of the security program
Business Associate contracts
– Written Contract or Other Arrangement (R)
•Identify business associates who receive or
have access to PHI
•Tie efforts with Privacy initiative
•Establish rules for vendor remote access
ITM 578 39
ILLINOIS INSTITUTE OF TECHNOLOGY
Physical Safeguards
Facility Access Controls
– Contingency operations (A)
– Facility Security Plan (A)
– Access Control and Validation
Procedures (A)
– Maintenance Records (A)
Workstation Use
– Includes portable devices
ITM 578 40
ILLINOIS INSTITUTE OF TECHNOLOGY
Facility Access Control
Goal is to protect buildings, systems,
and data media from natural and
environmental hazards and
unauthorized access or intrusions
Ensure records are kept of all
maintenance, especially locksmith
work
ITM 578 41
ILLINOIS INSTITUTE OF TECHNOLOGY
Physical Safeguards
Workstation Security
Device and Media Controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and Storage (A)
ITM 578 42
ILLINOIS INSTITUTE OF TECHNOLOGY
Workstation Use & Security
Both standards could be covered in
one policy
Ensure workstation locations will not
allow casual viewing by unauthorized
personnel
Audit systems to ensure all PCs/laptops
have latest version of virus definitions
installed
ITM 578 43
ILLINOIS INSTITUTE OF TECHNOLOGY
Device & Media Controls
“Device” was included to address
storage devices such as PDAs
Media re-use requires sanitization of
media using DOD-style standards
(overwriting an entire disk with ones
and zeros repeatedly)
ITM 578 44
ILLINOIS INSTITUTE OF TECHNOLOGY
Technical Safeguards
Access Control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)
Audit Controls
ITM 578 45
ILLINOIS INSTITUTE OF TECHNOLOGY
Technical Safeguards
Integrity
– Mechanism to Authenticate Electronic
PHI (A)
Person or entity authentication
Transmission security
– Integrity controls (A)
– Encryption (A)
ITM 578 46
ILLINOIS INSTITUTE OF TECHNOLOGY
Access Control
 Unique user identification for accountability
is critical for clinical applications
– Disallows use of Windows 98/ME
(weak user identification & controls)
 Automatic logoff permits an equivalent
measure to restrict access (Password
protected screen saver? XP user switching?)
 Encryption serves as an access control
method for data at rest
ITM 578 47
ILLINOIS INSTITUTE OF TECHNOLOGY
Audit Controls
 Risk assessment and analysis can be used
to determine necessary intensity of audit
trails
 Audit trail trigger events must be jointly
determined by the data owners and the
Privacy and Security Officers
 Store audit logs on a separate server
 Do not allow system administrator access
to audit logs
ITM 578 48
ILLINOIS INSTITUTE OF TECHNOLOGY
Transmission Security
“…When electronic protected health
information is transmitted from one
point to another, it must be protected
in a manner commensurate with the
associated risk.”
There is no simple, interoperable
solution to encrypting e-mail
containing PHI; hopefully HIPAA
compliance will drive better solutions
ITM 578 49
ILLINOIS INSTITUTE OF TECHNOLOGY
Organizational Requirements
Business Associate (BA) Agreements
– Contractual agreements required before
BAs can access PHI
– BAs must follow HIPAA Business
Associate rules (next slide)
– Applies to subcontractors of BAs as well
A CE may require a business associate
to meet even higher security standards
ITM 578 50
ILLINOIS INSTITUTE OF TECHNOLOGY
Rules for Business Associates
Implement safeguards that
reasonably and appropriately protect
the confidentiality, integrity and
availability of PHI they access on
behalf of the CE
Ensure that anyone else to whom
they provide PHI agrees to
implement reasonable and
appropriate safeguards
Report any security incident to the
CE
ITM 578 51
ILLINOIS INSTITUTE OF TECHNOLOGY
Rules for Business Associates
Make policies, procedures and
required documentation relating to
the safeguards available to HHS to
determine CE compliance with the
security rule
Authorize termination of the BA
contract by the CE if the CE
determines that the BA has violated
a material term of the contract
ITM 578 52
ILLINOIS INSTITUTE OF TECHNOLOGY
Policy & Procedure Documentation
Implement reasonable and
appropriate policies and procedures
Documentation
– Retain documents for 6 years
– Make documents available
– Review and update documentation
periodically
ITM 578 53
ILLINOIS INSTITUTE OF TECHNOLOGY
Resources
 Works used in the preparation of this lecture:
– Beaver, Kevin (2003) HIPAA Security Rule FAQ. Principle Logic, accessed at
http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf
– Birnbach, Deborah S. and Gametchu, Mayeti (2003) “How HIPAA's security rule
could affect IT” Computerworld April 30, 2003, accessed at
http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html
– Higher Education Information Technology (HEIT) Alliance (undated) Privacy.
Accessed at http://www.heitalliance.org/issues/privacy.asp
– Hollander, Jay (2003) Medical Privacy: Understanding HIPAA's Security Rule.
Accessed at http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html
– New Hampshire Developmental Disabilities Services System, Information
Technology Initiatives (undated) HIPAA Overview. Accessed at
http://www.nhdds.org/nhddsit/HIPAA/overview.html
– Walsh, Tom (2001) Developing an Effective Information Security Training and
Awareness Program. Healthcare Computing Strategies, Inc. , accessed at
http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf
– Walsh, Tom (2003) HIPAA Security: Complying with the HIPAA Security Rule
Implementation Specifications – Are you Correctly Addressing Them? (Powerpoint
presentation) Tom Walsh Consulting LLC
– Weil, Steven (2003) HIPAA Consensus Research Project. The SANS Institute,
accessed at http://www.sans.org/projects/hipaa.php
ITM 578 54
ILLINOIS INSTITUTE OF TECHNOLOGY
The End…
Questions?

More Related Content

What's hot

Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practice
parves kamal
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
padler01
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
SAROJ BEHERA
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
IGN MANTRA
 
Case Study
Case StudyCase Study
Case Study
lneut03
 
Secure physical infrastructure
Secure physical infrastructureSecure physical infrastructure
Secure physical infrastructure
Pallavi Agarwal
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
Jupiter physical security ppt 2016 1
Jupiter physical security ppt 2016 1Jupiter physical security ppt 2016 1
Jupiter physical security ppt 2016 1
Maxpromotion
 
Information Security Identity and Access Management Administration 07072016
Information Security   Identity and Access Management Administration 07072016Information Security   Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
Structure of iso 27001
Structure of iso 27001Structure of iso 27001
Structure of iso 27001
CUNIX INDIA
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information Security
Ana Meskovska
 
Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
Tammy Clark
 
Cat21:Development Mangement Information Systems
Cat21:Development Mangement Information SystemsCat21:Development Mangement Information Systems
Cat21:Development Mangement Information Systems
Simeon Ogao
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Elumalai Vasan
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
PECB
 

What's hot (20)

Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practice
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
 
Case Study
Case StudyCase Study
Case Study
 
Secure physical infrastructure
Secure physical infrastructureSecure physical infrastructure
Secure physical infrastructure
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Jupiter physical security ppt 2016 1
Jupiter physical security ppt 2016 1Jupiter physical security ppt 2016 1
Jupiter physical security ppt 2016 1
 
Information Security Identity and Access Management Administration 07072016
Information Security   Identity and Access Management Administration 07072016Information Security   Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016
 
Structure of iso 27001
Structure of iso 27001Structure of iso 27001
Structure of iso 27001
 
4 System For Information Security
4 System For Information Security4 System For Information Security
4 System For Information Security
 
Network security policies
Network security policiesNetwork security policies
Network security policies
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Cat21:Development Mangement Information Systems
Cat21:Development Mangement Information SystemsCat21:Development Mangement Information Systems
Cat21:Development Mangement Information Systems
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 

Viewers also liked

Risk management ii
Risk management iiRisk management ii
Risk management ii
Dhani Ahmad
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
Trivuz ত্রিভুজ
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
Beni Krisbiantoro
 
Information system
Information systemInformation system
Information system
Dhani Ahmad
 
Legal, ethical & professional issues
Legal, ethical & professional issuesLegal, ethical & professional issues
Legal, ethical & professional issues
Dhani Ahmad
 
Islamic information seeking behavior
Islamic information seeking behaviorIslamic information seeking behavior
Islamic information seeking behavior
Dhani Ahmad
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Islamic information management
Islamic information managementIslamic information management
Islamic information management
Dhani Ahmad
 
Security technologies
Security technologiesSecurity technologies
Security technologies
Dhani Ahmad
 
Strategic planning
Strategic planningStrategic planning
Strategic planning
Dhani Ahmad
 
Types of islamic institutions and records
Types of islamic institutions and recordsTypes of islamic institutions and records
Types of islamic institutions and records
Dhani Ahmad
 
Opportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisOpportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysis
Dhani Ahmad
 
Islamic information management sources in islam
Islamic information management sources in islamIslamic information management sources in islam
Islamic information management sources in islam
Dhani Ahmad
 
Database design
Database designDatabase design
Database design
Dhani Ahmad
 
Information resource management
Information resource managementInformation resource management
Information resource management
Dhani Ahmad
 
Lecture 07 relational database management system
Lecture 07 relational database management systemLecture 07 relational database management system
Lecture 07 relational database management system
emailharmeet
 
Lecture 08 distributed dbms
Lecture 08 distributed dbmsLecture 08 distributed dbms
Lecture 08 distributed dbms
emailharmeet
 
Lecture 09 dblc centralized vs decentralized design
Lecture 09   dblc centralized vs decentralized designLecture 09   dblc centralized vs decentralized design
Lecture 09 dblc centralized vs decentralized design
emailharmeet
 
Lecture 06 relational algebra and calculus
Lecture 06 relational algebra and calculusLecture 06 relational algebra and calculus
Lecture 06 relational algebra and calculus
emailharmeet
 
Lecture 10 distributed database management system
Lecture 10   distributed database management systemLecture 10   distributed database management system
Lecture 10 distributed database management system
emailharmeet
 

Viewers also liked (20)

Risk management ii
Risk management iiRisk management ii
Risk management ii
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
 
Information system
Information systemInformation system
Information system
 
Legal, ethical & professional issues
Legal, ethical & professional issuesLegal, ethical & professional issues
Legal, ethical & professional issues
 
Islamic information seeking behavior
Islamic information seeking behaviorIslamic information seeking behavior
Islamic information seeking behavior
 
Security policy
Security policySecurity policy
Security policy
 
Islamic information management
Islamic information managementIslamic information management
Islamic information management
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
Strategic planning
Strategic planningStrategic planning
Strategic planning
 
Types of islamic institutions and records
Types of islamic institutions and recordsTypes of islamic institutions and records
Types of islamic institutions and records
 
Opportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisOpportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysis
 
Islamic information management sources in islam
Islamic information management sources in islamIslamic information management sources in islam
Islamic information management sources in islam
 
Database design
Database designDatabase design
Database design
 
Information resource management
Information resource managementInformation resource management
Information resource management
 
Lecture 07 relational database management system
Lecture 07 relational database management systemLecture 07 relational database management system
Lecture 07 relational database management system
 
Lecture 08 distributed dbms
Lecture 08 distributed dbmsLecture 08 distributed dbms
Lecture 08 distributed dbms
 
Lecture 09 dblc centralized vs decentralized design
Lecture 09   dblc centralized vs decentralized designLecture 09   dblc centralized vs decentralized design
Lecture 09 dblc centralized vs decentralized design
 
Lecture 06 relational algebra and calculus
Lecture 06 relational algebra and calculusLecture 06 relational algebra and calculus
Lecture 06 relational algebra and calculus
 
Lecture 10 distributed database management system
Lecture 10   distributed database management systemLecture 10   distributed database management system
Lecture 10 distributed database management system
 

Similar to Privacy & security in heath care it

It industry regulations
It industry regulationsIt industry regulations
It industry regulations
Nicholas Davis
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry Regulations
Nicholas Davis
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
mohammedfootwear
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
DoubleHorn
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000
Sagar Rahurkar
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slides
CMDLMS
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
Black Duck by Synopsys
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000
n|u - The Open Security Community
 
Security policy and standards
Security policy and standardsSecurity policy and standards
Security policy and standards
Wilson Musyoka
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
MBMeHealthCareSolutions
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
Michigan Primary Care Association
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good Business
Stephen Cobb
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
LiiewaOfficial
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
O'Connor Davies CPAs
 
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
Michigan Primary Care Association
 
HIPAA TITLE II (2)
HIPAA TITLE II (2)HIPAA TITLE II (2)
HIPAA TITLE II (2)
Quinnipiac University
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
MichaelRodriguesdosS1
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
abdukadirabdullahuad
 
1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf
ChunLei(peter) Che
 
2021FSAConfSession22.pptx
2021FSAConfSession22.pptx2021FSAConfSession22.pptx
2021FSAConfSession22.pptx
ssuser4102fa
 

Similar to Privacy & security in heath care it (20)

It industry regulations
It industry regulationsIt industry regulations
It industry regulations
 
It Industry Regulations
It Industry RegulationsIt Industry Regulations
It Industry Regulations
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000Compliance audit under the Information Technology Act, 2000
Compliance audit under the Information Technology Act, 2000
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slides
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
 
Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000Regulatory Compliance under the Information Technology Act, 2000
Regulatory Compliance under the Information Technology Act, 2000
 
Security policy and standards
Security policy and standardsSecurity policy and standards
Security policy and standards
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
 
HIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good BusinessHIPAA, Privacy, Security, and Good Business
HIPAA, Privacy, Security, and Good Business
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
 
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
 
HIPAA TITLE II (2)
HIPAA TITLE II (2)HIPAA TITLE II (2)
HIPAA TITLE II (2)
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
 
Lecture 8.pdf
Lecture 8.pdfLecture 8.pdf
Lecture 8.pdf
 
1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf1.1 Data Security Presentation.pdf
1.1 Data Security Presentation.pdf
 
2021FSAConfSession22.pptx
2021FSAConfSession22.pptx2021FSAConfSession22.pptx
2021FSAConfSession22.pptx
 

More from Dhani Ahmad

Strategic information system planning
Strategic information system planningStrategic information system planning
Strategic information system planning
Dhani Ahmad
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
Information security as an ongoing effort
Information security as an ongoing effortInformation security as an ongoing effort
Information security as an ongoing effort
Dhani Ahmad
 
Implementing security
Implementing securityImplementing security
Implementing security
Dhani Ahmad
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuity
Dhani Ahmad
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
Dhani Ahmad
 
Topic 12 report & presentations
Topic 12   report & presentationsTopic 12   report & presentations
Topic 12 report & presentations
Dhani Ahmad
 
Topic 11 data management
Topic 11   data managementTopic 11   data management
Topic 11 data management
Dhani Ahmad
 
Topic 10 sample designs & procedures
Topic 10   sample designs & proceduresTopic 10   sample designs & procedures
Topic 10 sample designs & procedures
Dhani Ahmad
 
Topic 9 secondary data sources
Topic 9   secondary data sourcesTopic 9   secondary data sources
Topic 9 secondary data sources
Dhani Ahmad
 
Topic 8 questionnaire design
Topic 8   questionnaire designTopic 8   questionnaire design
Topic 8 questionnaire design
Dhani Ahmad
 
Topic 7 measurement in research
Topic 7   measurement in researchTopic 7   measurement in research
Topic 7 measurement in research
Dhani Ahmad
 

More from Dhani Ahmad (12)

Strategic information system planning
Strategic information system planningStrategic information system planning
Strategic information system planning
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Information security as an ongoing effort
Information security as an ongoing effortInformation security as an ongoing effort
Information security as an ongoing effort
 
Implementing security
Implementing securityImplementing security
Implementing security
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuity
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Topic 12 report & presentations
Topic 12   report & presentationsTopic 12   report & presentations
Topic 12 report & presentations
 
Topic 11 data management
Topic 11   data managementTopic 11   data management
Topic 11 data management
 
Topic 10 sample designs & procedures
Topic 10   sample designs & proceduresTopic 10   sample designs & procedures
Topic 10 sample designs & procedures
 
Topic 9 secondary data sources
Topic 9   secondary data sourcesTopic 9   secondary data sources
Topic 9 secondary data sources
 
Topic 8 questionnaire design
Topic 8   questionnaire designTopic 8   questionnaire design
Topic 8 questionnaire design
 
Topic 7 measurement in research
Topic 7   measurement in researchTopic 7   measurement in research
Topic 7 measurement in research
 

Recently uploaded

Web development Platform Constraints.pptx
Web development Platform Constraints.pptxWeb development Platform Constraints.pptx
Web development Platform Constraints.pptx
ssuser2f6682
 
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
ffg01100
 
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
ffg01100
 
Iot-Internet-of-Things_Industrial revolution 4.0-ppt.pptx
Iot-Internet-of-Things_Industrial revolution 4.0-ppt.pptxIot-Internet-of-Things_Industrial revolution 4.0-ppt.pptx
Iot-Internet-of-Things_Industrial revolution 4.0-ppt.pptx
DeepakKumar862274
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
paridubey2024#G05
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
elbertablack
 
How Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital TransformationHow Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital Transformation
Sweet Potato Tec
 
Trading Strategy for London silver bullet
Trading Strategy for London silver bulletTrading Strategy for London silver bullet
Trading Strategy for London silver bullet
OkgatoSemadi1
 
Tarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy FearsTarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
VPN Server
 
2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage
Zsolt Nemeth
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
ธนาพัฒน์ ลิ้มสายพรหม
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
AirtoryInc
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
Thierry TROUIN ☁
 
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaipromInformation Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
TanapatLimsaiprom1
 
Network Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptxNetwork Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptx
cossykin19
 
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirtsJarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
exgf28
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
shamrisumri
 
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdfHow-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
Dolphin Data Lab
 
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
ffg01100
 

Recently uploaded (20)

Web development Platform Constraints.pptx
Web development Platform Constraints.pptxWeb development Platform Constraints.pptx
Web development Platform Constraints.pptx
 
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
 
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
202254.com全网最高清影视香蕉影视,热门电影推荐,热门电视剧在线观看,免费电影,电影在线,在线观看。球华人在线電視劇,免费点播,免费提供最新高清的...
 
Iot-Internet-of-Things_Industrial revolution 4.0-ppt.pptx
Iot-Internet-of-Things_Industrial revolution 4.0-ppt.pptxIot-Internet-of-Things_Industrial revolution 4.0-ppt.pptx
Iot-Internet-of-Things_Industrial revolution 4.0-ppt.pptx
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
 
How Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital TransformationHow Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital Transformation
 
Trading Strategy for London silver bullet
Trading Strategy for London silver bulletTrading Strategy for London silver bullet
Trading Strategy for London silver bullet
 
Tarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy FearsTarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy Fears
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
 
2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
 
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaipromInformation Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
 
Network Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptxNetwork Layer and its protocols mod .pptx
Network Layer and its protocols mod .pptx
 
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirtsJarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
 
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdfHow-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
 
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
 

Privacy & security in heath care it

  • 1. TransformingLives. InventingtheFuture. www.iit.edu I ELLINOIS T UINS TI T OF TECHNOLOGY ITM 578 1 HIPAA - Privacy & Security in Heath Care IT Ray Trygstad ITM 478/578 Spring 2004 Master of Information Technology & Management Program CenterforProfessional Development
  • 2. ITM 578 2 ILLINOIS INSTITUTE OF TECHNOLOGY Learning Objectives: Upon completion of this lesson the student should be able to: – Discuss information security implications of the Health Insurance Portability and Accountability Act (HIPPA) – Discuss information security impact of the HIPAA Privacy Rule – Describe key components and implemetation of the HIPAA Security Rule
  • 3. ITM 578 3 ILLINOIS INSTITUTE OF TECHNOLOGY What is HIPAA?  Health Insurance Portability and Accountability Act (HIPAA) – Signed into law August 1996  Part of this Act, Administrative Simplification, intends to reduce administrative costs and burdens in the health care industry  Requires Department of Health and Human Services to adopt national uniform standards for electronic transmission of certain health information
  • 4. ITM 578 4 ILLINOIS INSTITUTE OF TECHNOLOGY Who is Affected? (“covered entities”)  All healthcare organizations  All health care providers (even 1-physician offices)  Health plans  Employers  Public health  authorities  Life insurers  Clearinghouses  Billing agencies  Information  systems vendors  Service organizations  Universities with health care curricula or even just student health services Anyone that transmits any health information in electronic formin connection with healthcare transactions
  • 5. ITM 578 5 ILLINOIS INSTITUTE OF TECHNOLOGY Standards for Electronic Transactions  Standards for electronic health information transactions  Within 18 months HHS Secretary required to adopt standards from among those already approved by standards organizations for certain electronic health transactions including: – Claims – Enrollment – Eligibility – Payment – Coordination of benefits  Standards also must address security of electronic health information systems.
  • 6. ITM 578 6 ILLINOIS INSTITUTE OF TECHNOLOGY (18 Months?) It’s now been six years and standards are still not fully in place!  Will not go into full effect until 2005! Isn’t government wonderful?)
  • 7. ITM 578 7 ILLINOIS INSTITUTE OF TECHNOLOGY More on the HIPAA Bill  Providers and health plans required to use standards for specified electronic transactions 24 months after adoption  Plans and providers may comply directly or use a health care clearinghouse  HIPAA supersedes state laws except state laws that impose more stringent requirements  HIPPA imposes civil money penalties and prison for certain violations
  • 8. ITM 578 8 ILLINOIS INSTITUTE OF TECHNOLOGY Penalties for Violations Fines up to $25,000 for multiple violations of the same standard in a calendar year Fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information !!!
  • 9. ITM 578 9 ILLINOIS INSTITUTE OF TECHNOLOGY HIPAA Privacy HIPAA Privacy Rule went into effect in April 2003 Restricts how covered entities may use and disclose individually identifiable health information Requires security for such data Grants individuals certain rights to access and correct their personal health information
  • 10. ITM 578 10 ILLINOIS INSTITUTE OF TECHNOLOGY HIPAA Privacy Requirements  HIPAA requires covered entities to: – Have written privacy procedures, including • Description of staff granted access to protected information • How it will be used • When it may be disclosed • Business associates (including IT vendors!) with access to protected information must agree to same limitations on use and disclosure of that information – Train employees in privacy procedures – Designate someone responsible for ensuring procedures are followed (the “HIPAA czar”)
  • 11. ITM 578 11 ILLINOIS INSTITUTE OF TECHNOLOGY HIPAA Privacy Requirements  Rule permits covered entities to disclose health information for specific public responsibilities: – emergency circumstances – identification of the body of a deceased person, or the cause of death – public health needs – research that with limited data or independently approved by a Review Board or privacy board – oversight of the health care system – judicial and administrative proceedings – limited law enforcement activities – activities related to national defense and security  Equivalent Requirements exist for Government
  • 12. ITM 578 12 ILLINOIS INSTITUTE OF TECHNOLOGY HIPAA Security Rule  First government-mandated framework for an information security policy covering non-governmental entities  Published in February 2003  Covered entities (CEs) must be in compliance April 21, 2005  Portions of Security Rule that implement the Privacy Rule were effective last April
  • 13. ITM 578 13 ILLINOIS INSTITUTE OF TECHNOLOGY HIPAA Security Rule Covered entities required to observe Privacy Rule requirements with respect to all Patient Health Information (PHI) in any form, electronic or not, but the Security Rule only applies to PHI in electronic form
  • 14. ITM 578 14 ILLINOIS INSTITUTE OF TECHNOLOGY Requirements of HIPAA Security Rule  Maintain reasonable & appropriate administrative, technical and physical safeguards to – Ensure the integrity and confidentiality of information – Protect against • any reasonably anticipated threats or hazards to the security or integrity of the information • unauthorized uses or disclosures of the information, i.e. any reasonably anticipated uses or disclosures not permitted by Privacy Rule – Otherwise to ensure compliance with this part by officers & employees
  • 15. ITM 578 15 ILLINOIS INSTITUTE OF TECHNOLOGY Three Categories of Safeguards The rule outlines 3 categories of safeguards to establish a minimum level of protection: – Administrative safeguards – Physical safeguards – Technical safeguards
  • 16. ITM 578 16 ILLINOIS INSTITUTE OF TECHNOLOGY Three Categories of Safeguards  Administrative safeguards: Ensures that formal policies for overseeing implementation and management of security measures are established and implemented  Physical safeguards: Ensures facilities where electronic information systems are stored are protected from intrusions and other hazards  Technical safeguards: Ensures only authorized access to electronic personal health information is permitted, through implementation of firewalls, passwords, and other measures
  • 17. ITM 578 17 ILLINOIS INSTITUTE OF TECHNOLOGY Principles of the Security Rule  Scalability – Any size healthcare entity must be able to comply with the rule  Comprehensiveness – Meant to result in a unified system of protection for PHI – CEs must use a defense in depth security approach  Technology neutral – No specific technology recommendations (e.g., specific type of firewall, IDS, access control system). – Each CE must choose appropriate technology to protect PHI.
  • 18. ITM 578 18 ILLINOIS INSTITUTE OF TECHNOLOGY Principles of the Security Rule  Internal and external security threats – Must protect PHI against both internal and external threats  Minimum standard – Defines the least that CEs must do to protect PHI (they may choose to do more)  Risk analysis – Requires CEs to conduct thorough & accurate risk analysis that considers “all relevant losses” that would be expected if specific security measures are not in place – “Relevant losses” include losses caused by unauthorized use and disclosure of data and unauthorized modification of data
  • 19. ITM 578 19 ILLINOIS INSTITUTE OF TECHNOLOGY Security Rule Key Concepts  Principle based – Presents a series of security best practices and principles with which CEs must comply – Step by step checklists not provided  Reasonableness – CEs must do everything appropriate to avert all reasonably anticipated risks to PHI – CEs must balance resources and business requirements against risks to PHI  Full compliance – All CE staff, including management and those working at home, must comply
  • 20. ITM 578 20 ILLINOIS INSTITUTE OF TECHNOLOGY Security Rule Key Concepts  Developed from multiple security guidelines and standards – Those creating the rule found no existing single security standard or best practice that described how to comprehensively protect PHI – Therefore the rule is based on many different security guidelines, standards, and best practices  Documentation – CEs must document a variety of security processes, policies, and procedures – CEs must document Security Rule implementation decisions  Ongoing compliance – CEs must regularly train employees – CEs must revise security policies and procedures as needed
  • 21. ITM 578 21 ILLINOIS INSTITUTE OF TECHNOLOGY Standards & Specifications  Rule breaks down into 18 standards and 36 implementation specifications  A standard explains what a CE must do  An implementation specification explains how to do it  12 standards have associated implementation specifications; 6 do not  14 implementation specifications are required; 22 are addressable
  • 22. ITM 578 22 ILLINOIS INSTITUTE OF TECHNOLOGY Requirements & Structure Requirements (Physical, Administrative, Technical Safeguards)Requirements (Physical, Administrative, Technical Safeguards) StandardsStandardswithwith ImplementationImplementation Specifications (12)Specifications (12) witho utwitho ut ImplementationImplementation Specifications (6)Specifications (6) Implementation SpecificationsImplementation Specifications Required (14)Required (14) Addressable (22)Addressable (22) Source: Weil, Steven HIPAAConsensus ResearchProject SANS Institute, 2003; http://www.sans.org/projects/hipaa.php
  • 23. ITM 578 23 ILLINOIS INSTITUTE OF TECHNOLOGY Required and Addressable  Required specifications are, well, required and must be implemented  Addressable implementation specifications leave CEs with three possible choices – Implement specification if reasonable and appropriate – Implement an alternative security measure to accomplish purposes of the standard – Implement nothing if specification is not reasonable & appropriate and the standard can still be met
  • 24. ITM 578 24 ILLINOIS INSTITUTE OF TECHNOLOGY Addressable Specification Choices  If implementation specification is reasonable & appropriate, CE must implement it  If implementation specification not reasonable & appropriate, but standards cannot be met without an appropriate security measure, CE must – Document why it would not be reasonable & appropriate to implement – Implement & document alternative security measure(s) that accomplishes the same purpose
  • 25. ITM 578 25 ILLINOIS INSTITUTE OF TECHNOLOGY Addressable Specification Choices  If implementation specifications not reasonable & appropriate, but standards can be met without an appropriate security measure, CE must – Document decision not to implement – Document why it would not be reasonable & appropriate to implement – Document how the standard is being met
  • 26. ITM 578 26 ILLINOIS INSTITUTE OF TECHNOLOGY Addressable Specification Choices  Factors to take into account when deciding how to respond to addressable specifications: – Size, complexity, & capabilities of the organization – Existing technical infrastructure, hardware, and software security capabilities – Costs of security measures – Likelihood & seriousness of potential risks to PHI
  • 27. ITM 578 27 ILLINOIS INSTITUTE OF TECHNOLOGY Implementing HIPAA Specifications can be implemented in any order, as long as standards are met by the deadline May use any security measures allowing the CE to reasonably and appropriately implement the rule
  • 28. ITM 578 28 ILLINOIS INSTITUTE OF TECHNOLOGY Breakdown of Specifications Administrative Safeguards (55%) – 12 Required, 11 Addressable Physical Safeguards (24%) – 4 Required, 6 Addressable Technical Safeguards (21%) – 4 Requirements, 5 Addressable
  • 29. ITM 578 29 ILLINOIS INSTITUTE OF TECHNOLOGY Administrative Safeguards Security management process – Risk analysis (R) – Risk management (R) – Sanction policy (R) – Information system activity review (R) Assigned security responsibility – One individual (not an organization) with responsibility (R)
  • 30. ITM 578 30 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Assessment / Analysis Each CE must: – Assess security risks – Determine risk tolerance or risk aversion – Devise, implement, and maintain appropriate security to address business requirements • Does not imply that organizations are given complete discretion to make their own rules – Document security decisions
  • 31. ITM 578 31 ILLINOIS INSTITUTE OF TECHNOLOGY Assigned Security Responsibility  Chief Information Security Officer (CISO) or Information Security Officer (ISO)  Large organizations may have site-security coordinators working with CISO/ISO  Security standards extend to CE employees even if they work at home as do many transcriptionists
  • 32. ITM 578 32 ILLINOIS INSTITUTE OF TECHNOLOGY Administrative Safeguards Workforce Security – Authorization and/or supervision (A) – Workforce clearance procedure (A) – Termination procedures (A) Information access management – Minimum necessary rule
  • 33. ITM 578 33 ILLINOIS INSTITUTE OF TECHNOLOGY Workforce Security Authorization controls verify identity of employees permitted to access PHI Clearance procedure describes types of background checks that will be conducted for employees Termination procedures include collecting access control devices or changing door locks, etc.
  • 34. ITM 578 34 ILLINOIS INSTITUTE OF TECHNOLOGY Administrative Safeguards Security Awareness and Training – Security Reminders (A) – Protection from Malicious Software (A) – Log-in Monitoring (A) – Password Management (A) Security Incident Procedures – Response and Reporting (R)
  • 35. ITM 578 35 ILLINOIS INSTITUTE OF TECHNOLOGY Administrative Safeguards Contingency Plan – Data Backup Plan (R) – Disaster Recovery Plan (R) – Emergency Mode Operation Plan (R) – Testing and Revision Procedure (A) – Applications and Data Criticality Analysis (A)
  • 36. ITM 578 36 ILLINOIS INSTITUTE OF TECHNOLOGY Awareness & Training  “Security awareness training is a critical activity, regardless of an organization’s size.”  Training, Education and Awareness (TEA) – Awareness training for all personnel (including management) – Periodic security reminders – User education concerning virus protection – User education in importance of monitoring login success or failure, and how to report discrepancies – User education in password management
  • 37. ITM 578 37 ILLINOIS INSTITUTE OF TECHNOLOGY Security Incident Procedures Provides methods for users to report unusual security occurrences or breaches to patient confidentiality Goals: – Identify – Contain – Correct – Prevent
  • 38. ITM 578 38 ILLINOIS INSTITUTE OF TECHNOLOGY Administrative Safeguards Evaluation – Periodic review of technical controls and procedural review of the security program Business Associate contracts – Written Contract or Other Arrangement (R) •Identify business associates who receive or have access to PHI •Tie efforts with Privacy initiative •Establish rules for vendor remote access
  • 39. ITM 578 39 ILLINOIS INSTITUTE OF TECHNOLOGY Physical Safeguards Facility Access Controls – Contingency operations (A) – Facility Security Plan (A) – Access Control and Validation Procedures (A) – Maintenance Records (A) Workstation Use – Includes portable devices
  • 40. ITM 578 40 ILLINOIS INSTITUTE OF TECHNOLOGY Facility Access Control Goal is to protect buildings, systems, and data media from natural and environmental hazards and unauthorized access or intrusions Ensure records are kept of all maintenance, especially locksmith work
  • 41. ITM 578 41 ILLINOIS INSTITUTE OF TECHNOLOGY Physical Safeguards Workstation Security Device and Media Controls – Disposal (R) – Media re-use (R) – Accountability (A) – Data backup and Storage (A)
  • 42. ITM 578 42 ILLINOIS INSTITUTE OF TECHNOLOGY Workstation Use & Security Both standards could be covered in one policy Ensure workstation locations will not allow casual viewing by unauthorized personnel Audit systems to ensure all PCs/laptops have latest version of virus definitions installed
  • 43. ITM 578 43 ILLINOIS INSTITUTE OF TECHNOLOGY Device & Media Controls “Device” was included to address storage devices such as PDAs Media re-use requires sanitization of media using DOD-style standards (overwriting an entire disk with ones and zeros repeatedly)
  • 44. ITM 578 44 ILLINOIS INSTITUTE OF TECHNOLOGY Technical Safeguards Access Control – Unique user identification (R) – Emergency access procedure (R) – Automatic logoff (A) – Encryption and decryption (A) Audit Controls
  • 45. ITM 578 45 ILLINOIS INSTITUTE OF TECHNOLOGY Technical Safeguards Integrity – Mechanism to Authenticate Electronic PHI (A) Person or entity authentication Transmission security – Integrity controls (A) – Encryption (A)
  • 46. ITM 578 46 ILLINOIS INSTITUTE OF TECHNOLOGY Access Control  Unique user identification for accountability is critical for clinical applications – Disallows use of Windows 98/ME (weak user identification & controls)  Automatic logoff permits an equivalent measure to restrict access (Password protected screen saver? XP user switching?)  Encryption serves as an access control method for data at rest
  • 47. ITM 578 47 ILLINOIS INSTITUTE OF TECHNOLOGY Audit Controls  Risk assessment and analysis can be used to determine necessary intensity of audit trails  Audit trail trigger events must be jointly determined by the data owners and the Privacy and Security Officers  Store audit logs on a separate server  Do not allow system administrator access to audit logs
  • 48. ITM 578 48 ILLINOIS INSTITUTE OF TECHNOLOGY Transmission Security “…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.” There is no simple, interoperable solution to encrypting e-mail containing PHI; hopefully HIPAA compliance will drive better solutions
  • 49. ITM 578 49 ILLINOIS INSTITUTE OF TECHNOLOGY Organizational Requirements Business Associate (BA) Agreements – Contractual agreements required before BAs can access PHI – BAs must follow HIPAA Business Associate rules (next slide) – Applies to subcontractors of BAs as well A CE may require a business associate to meet even higher security standards
  • 50. ITM 578 50 ILLINOIS INSTITUTE OF TECHNOLOGY Rules for Business Associates Implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI they access on behalf of the CE Ensure that anyone else to whom they provide PHI agrees to implement reasonable and appropriate safeguards Report any security incident to the CE
  • 51. ITM 578 51 ILLINOIS INSTITUTE OF TECHNOLOGY Rules for Business Associates Make policies, procedures and required documentation relating to the safeguards available to HHS to determine CE compliance with the security rule Authorize termination of the BA contract by the CE if the CE determines that the BA has violated a material term of the contract
  • 52. ITM 578 52 ILLINOIS INSTITUTE OF TECHNOLOGY Policy & Procedure Documentation Implement reasonable and appropriate policies and procedures Documentation – Retain documents for 6 years – Make documents available – Review and update documentation periodically
  • 53. ITM 578 53 ILLINOIS INSTITUTE OF TECHNOLOGY Resources  Works used in the preparation of this lecture: – Beaver, Kevin (2003) HIPAA Security Rule FAQ. Principle Logic, accessed at http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf – Birnbach, Deborah S. and Gametchu, Mayeti (2003) “How HIPAA's security rule could affect IT” Computerworld April 30, 2003, accessed at http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html – Higher Education Information Technology (HEIT) Alliance (undated) Privacy. Accessed at http://www.heitalliance.org/issues/privacy.asp – Hollander, Jay (2003) Medical Privacy: Understanding HIPAA's Security Rule. Accessed at http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html – New Hampshire Developmental Disabilities Services System, Information Technology Initiatives (undated) HIPAA Overview. Accessed at http://www.nhdds.org/nhddsit/HIPAA/overview.html – Walsh, Tom (2001) Developing an Effective Information Security Training and Awareness Program. Healthcare Computing Strategies, Inc. , accessed at http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf – Walsh, Tom (2003) HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them? (Powerpoint presentation) Tom Walsh Consulting LLC – Weil, Steven (2003) HIPAA Consensus Research Project. The SANS Institute, accessed at http://www.sans.org/projects/hipaa.php
  • 54. ITM 578 54 ILLINOIS INSTITUTE OF TECHNOLOGY The End… Questions?

Editor's Notes

  1. Learning Objectives: Upon completion of this material you should be able to: Understand the conceptual need for physical security. Identify threats to information security that are unique to physical security. Describe the key physical security considerations for selecting a facility site. Identify physical security monitoring components. Grasp the essential elements of access control within the scope of facilities management. Understand the criticality of fire safety programs to all physical security programs. Describe the components of fire detection and response. Grasp the impact of interruptions in the service of supporting utilities. Understand the technical details of uninterruptible power supplies and how they are used to increase availability of information assets. Discuss critical physical environment considerations for computing facilities. Discuss countermeasures to the physical theft of computing devices.