Introduction to Health Informatics Ch11 power point
bradleyl2
Chapter 11: Security for Healthcare Informatics
Introduction to Healthcare Informatics, © 2013

Objectives
• Differentiate between addressable and required implementation specifications
• Describe what a security risk analysis entails
• Differentiate between the concepts of vulnerabilities, risks, and threats
• Provide examples of administrative, physical, and technical safeguards
• Appreciate the foundational importance of confidentiality, integrity, and availability in regard to the HIPAA Security Rule
• Articulate the HIPAA Security Rule complaint and enforcement process
• Identify the agencies responsible for HIPAA Security Rule enforcement
• Describe civil and criminal penalties and the tiered penalty approach
• Explain how HITECH modifies the HIPAA Security Rule
• Define medical identity theft
• Discuss the potential impacts of medical identity theft on patients and other stakeholders
• Describe the steps required for conducting a business impact analysis
• Delineate the concerns, challenges, and potential solutions involved in preparing a full-fledged information and organizational disaster preparedness plan

Types of Standards
• Flexible, scalable, technology-neutral solutions and alternatives
• Implementation specifications
  o Required: must be implemented as described in the regulation
  o Addressable: should be implemented unless the organization determines that the specification is not reasonable and appropriate in its environment; in that case it must document the assessment and the decision, and implement an equivalent alternative measure where one is reasonable and appropriate

Foundation
• ePHI: electronic protected health information
• Security incident: the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system

Security Risk Analysis
• Full evaluation of the methods, operational practices, and policies used by the covered entity to secure ePHI
• Structural framework on which the HIPAA security plan is built
• Required for Meaningful Use attestation

NIST Guidance on Risk Analysis (NIST SP 800-66, 2008)
• Have you identified the ePHI within your organization? This includes ePHI that you create, receive, maintain, or transmit.
• What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain, or transmit ePHI?
• What are the human, natural, and environmental threats to information systems that contain ePHI?

Vulnerabilities
• An inherent weakness, or the absence of a safeguard, that can be exploited by a threat
• Inappropriate or missing protective methods
  o Technical: firewalls, antivirus software
  o Nontechnical: policies and procedures

Threat
• The potential for exploitation of a vulnerability, or potential danger to a computer, network, or data
• Natural: storms, earthquakes, etc.
• Human
  o Intentional: hacking
  o Unintentional: forgetting to log off
• Environmental: power failure

Risks
• The probability of incurring injury or loss
• The level of risk is determined by comparing the probability that a threat exploits a vulnerability with the potential impact if it does

Mandated Risk Analysis Elements
• Scope of the risk analysis
• Data collection
• Identify and document potential threats and vulnerabilities
• Assess current security measures
• Determine the likelihood of threat occurrence
• Determine the potential impact of threat occurrence
• Determine the level of risk
• Finalize documentation
• Periodic review and updates to the risk assessment

Administrative Safeguard Standards
• Policies and procedures that
  o Manage the selection, development, implementation, and maintenance of security measures to protect ePHI
  o Manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information

Security Management Process Standard (Required)
• Risk analysis
• Risk management
  o Communication of security processes
  o Leadership involvement in risk mitigation
• Sanction policy: how noncompliance will be addressed
• Information system activity review: procedures for regularly reviewing records of system activity, such as audit logs, access reports, and security incident tracking reports

Assigned Security Responsibility: Security Officer (Required)
• The official responsible for the development and implementation of the policies and procedures required by the Security Rule

Workforce Security Standard (implementation specifications Addressable)
• Authorization and/or supervision: determining the level of access for each workforce member
• Workforce clearance procedures: determining that a workforce member's access to ePHI is appropriate
• Termination procedures: removal of access privileges when employment ends

Information Access Management Standard (Required and Addressable)
• Required: healthcare clearinghouses that are part of a larger organization must isolate their clearinghouse functions and data from the rest of the organization
• Addressable
  o Access authorization: policies and procedures for granting access to ePHI
  o Access establishment and modification: policies and procedures to establish, document, review, and modify a user's right of access

Security Awareness and Training Standard (implementation specifications Addressable)
• All workforce members, including management, must receive training, with periodic training on updates
  o Security reminders: e.g., pop-up reminders to log off
  o Protection from malicious software: guidance for opening attachments
  o Log-in monitoring: e.g., lockout after three unsuccessful log-in attempts, and review of log-in discrepancies
  o Password management: creating, changing, and safeguarding passwords

Security Incident Procedures Standard
• Response and reporting (Required): identify and respond to suspected or known security incidents; mitigate, to the extent practicable, their harmful effects; document security incidents and their outcomes

Contingency Plan Standard (Required and Addressable)
• Required
  o Data backup plan: what data needs to be backed up, and from which sources
  o Disaster recovery plan: procedures for restoring any loss of data
  o Emergency mode operation plan: continuation of critical business processes while operating in emergency mode
• Addressable
  o Testing and revision of the contingency plans, scaled to organizational size and resources
  o Applications and data criticality analysis
    • Balance recovery and management effort with the criticality of the system
    • Update when new systems are added or changes are made

Evaluation Standard (Required)
• Perform periodic technical and nontechnical evaluations, initially and in response to environmental or operational changes, to determine whether security policies and procedures meet the requirements of the Security Rule

Business Associate Contracts and Other Arrangements (Required)
• Business associates must
  o Follow the Security Rule for ePHI
  o Have business associate agreements with their subcontractors, who must also follow the Security Rule for ePHI; covered entities do not have business associate agreements with these subcontractors
  o Obtain authorization prior to marketing

Physical Safeguard Standards
• Physical measures, policies, and procedures to protect a covered entity's electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion

Facility Access Controls Standard (implementation specifications Addressable)
• Contingency operations: procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan
• Facility security plan: safeguard the facility and equipment from unauthorized physical access, tampering, and theft
• Access control and validation procedures: control and validate a person's access to facilities based on role or function, including visitor control
• Maintenance records: document repairs and modifications to the physical components of the facility that are related to security (e.g., hardware, walls, doors, locks)

Workstation Use Standard (Required)
• Covers onsite and offsite workstations
• Policies and procedures specifying the proper functions to be performed and the manner in which they are performed
• Physical attributes of the surroundings of the workstation
• Allowed access; the standard does not itself mandate encryption, but encrypting workstations that hold ePHI is a widely adopted safeguard, and it also determines whether a lost or stolen device counts as a breach of unsecured PHI

Workstation Security Standard (Required)
• Physical safeguards for all workstations that access ePHI, restricting access to authorized users
• Policies and procedures for how workstations are used and protected

Device and Media Controls Standard (Required and Addressable)
• Disposal (Required): ePHI on discarded hardware and media must be rendered unreadable and unusable
• Media reuse (Required): remove ePHI before internal or external reuse
• Accountability (Addressable): record the movements of hardware and electronic media and any person responsible for them
• Data backup and storage (Addressable): create a retrievable, exact copy of ePHI before moving equipment

Technical Safeguards Standards
• Greater use of technology brings opportunity but also increases organizational risk
• The technology, and the policies and procedures for its use, that protect ePHI and control access to it

Access Control Standard (Required and Addressable)
• Allow access only to those persons or software programs that have been granted access rights
• Unique user identification (Required)
• Emergency access procedure (Required)
• Automatic logoff (Addressable)
• Encryption and decryption (Addressable)

Audit Controls Standard (Required)
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
• Track and record user activities so that both intentional and unintentional actions can be monitored
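The Access Control and Audit Controls standards above are easiest to see together: every access decision, granted or not, is written to an audit trail that names one unique user, and the information system activity review then reads that trail. The block below is an added example written for this chapter, not code from the textbook or from any real EHR product. It uses only the Python standard library; the users, patient IDs, treatment assignments, audit events, and the review thresholds (three denials, more than 20 distinct charts in an hour) are constructed and assumed for illustration, and the policy that a user may open only charts of patients assigned to them, except through a documented emergency-access path, is an assumed local policy rather than a HIPAA requirement.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AuditEvent:
    """One record in the audit trail. Every event names exactly one user
    (unique user identification), the chart touched, and the outcome."""
    when: datetime
    user_id: str
    patient_id: str
    action: str        # "read" | "denied" | "break_glass"
    reason: str = ""   # justification supplied for emergency access


@dataclass
class EhrAccessControl:
    # Constructed sample policy (assumed, not a HIPAA requirement): a user may
    # open only the charts of patients currently assigned to them.
    assignments: dict[str, set[str]]
    audit_log: list[AuditEvent] = field(default_factory=list)

    def access_chart(self, user_id: str, patient_id: str, now: datetime,
                     emergency_reason: str | None = None) -> bool:
        """Access-control decision. Returns True if access is granted.
        Every attempt, granted or not, is written to the audit log."""
        if patient_id in self.assignments.get(user_id, set()):
            self.audit_log.append(AuditEvent(now, user_id, patient_id, "read"))
            return True
        if emergency_reason:
            # Emergency access procedure ("break the glass"): grant access
            # outside the normal policy, but record who, what, when and why
            # so the activity review below can check the justification.
            self.audit_log.append(AuditEvent(now, user_id, patient_id,
                                             "break_glass", emergency_reason))
            return True
        self.audit_log.append(AuditEvent(now, user_id, patient_id, "denied"))
        return False


def review_activity(log: list[AuditEvent], window: timedelta = timedelta(hours=1),
                    read_threshold: int = 20) -> list[str]:
    """Information system activity review over the audit trail.

    Flags every break-glass use (must be justified after the fact), any user
    with three or more denied chart accesses, and any user who read more than
    `read_threshold` distinct charts within `window` (a snooping or bulk-export
    pattern). The thresholds are assumed values.
    """
    findings = []
    for ev in log:
        if ev.action == "break_glass":
            findings.append(f"break-glass by {ev.user_id} on {ev.patient_id}: {ev.reason}")

    denials = Counter(ev.user_id for ev in log if ev.action == "denied")
    for user, n in denials.items():
        if n >= 3:
            findings.append(f"{n} denied chart accesses by {user}")

    reads_by_user: dict[str, list[AuditEvent]] = {}
    for ev in sorted(log, key=lambda e: e.when):
        if ev.action == "read":
            reads_by_user.setdefault(ev.user_id, []).append(ev)
    for user, evs in reads_by_user.items():
        for i, start in enumerate(evs):
            # sliding window: distinct charts read within `window` of this read
            charts = {e.patient_id for e in evs[i:] if e.when - start.when <= window}
            if len(charts) > read_threshold:
                findings.append(f"{user} read {len(charts)} distinct charts within {window}")
                break
    return findings


def run_demo() -> tuple[EhrAccessControl, list[str]]:
    """Constructed sample activity: one normal read, repeated denials followed
    by a break-glass access, and a bulk read of 25 charts in eight minutes."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    assignments = {
        "dr_ana": {"P001", "P002"},
        "nurse_bo": {"P003"},
        "billing_cy": {f"P{n:03d}" for n in range(100, 125)},  # 25 charts
    }
    ac = EhrAccessControl(assignments)
    ac.access_chart("dr_ana", "P001", t0)
    for i in range(3):
        ac.access_chart("nurse_bo", "P001", t0 + timedelta(minutes=i))
    ac.access_chart("nurse_bo", "P001", t0 + timedelta(minutes=5),
                    emergency_reason="code blue in ED, attending unavailable")
    for i, pid in enumerate(sorted(assignments["billing_cy"])):
        ac.access_chart("billing_cy", pid, t0 + timedelta(seconds=20 * i))
    return ac, review_activity(ac.audit_log)


if __name__ == "__main__":
    _, findings = run_demo()
    print("\n".join(findings))
```

Two design points matter more than the thresholds. The denied attempts are logged just like the successful ones, because a run of denials is often the first visible sign of someone probing for charts they should not see; and the break-glass path never silently becomes the normal path, because each use lands in the findings list and has to be justified by someone other than the person who used it.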
Integrity Standard (implementation specification Addressable)
• Protect ePHI from improper alteration or destruction
• Integrity is the extent to which healthcare data are complete, accurate, consistent, and timely
• Mechanism to authenticate ePHI (Addressable): electronic means of corroborating that ePHI has not been altered or destroyed in an unauthorized manner

Person or Entity Authentication Standard (Required)
• Verify that a person or entity seeking access to ePHI is the one claimed: are users who they claim to be?
• Methods
  o Passwords
  o Smart cards
  o Tokens and fobs
  o Biometrics
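Passwords are the method listed first above, and the Security Awareness and Training slide earlier mentions log-in monitoring with lockout after three failed attempts and password management. The block below is an added example for both points, written for this chapter and not taken from the textbook: it stores credentials as salted PBKDF2-HMAC-SHA256 hashes (Python standard library only), verifies them with a constant-time comparison, and wraps verification in a monitor that locks an account after three consecutive failures. The user name, passwords, the 15-minute lockout, and the iteration count are constructed or assumed values; the `DUMMY_HASH` trick, which spends the same time rejecting an unknown user as a known one, is there so response timing does not reveal which user names exist.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Work factor for PBKDF2-HMAC-SHA256. OWASP's 2021 guidance was 310,000
# iterations and has since been raised to 600,000; tune so one verification
# costs roughly 100-300 ms on the authentication server (assumed value here).
ITERATIONS = 310_000


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing stored credential: algorithm, work factor,
    per-user random salt and derived key. The plaintext is never stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and work factor and
    compare in constant time, so a partial match leaks no timing signal."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


# Verified against when the user name does not exist, so unknown and known
# users take the same time to reject (otherwise timing enumerates accounts).
DUMMY_HASH = hash_password(base64.b64encode(os.urandom(12)).decode("ascii"))


class LoginMonitor:
    """Log-in monitoring with lockout: three consecutive failures lock the
    account for 15 minutes (assumed policy values). Every attempt is appended
    to `events` so the activity review can inspect it."""
    MAX_FAILURES = 3
    LOCKOUT = timedelta(minutes=15)

    def __init__(self, credentials: dict[str, str]):
        self.credentials = credentials            # user_id -> stored hash
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, datetime] = {}
        self.events: list[tuple[datetime, str, str]] = []

    def attempt(self, user_id: str, password: str, now: datetime) -> str:
        """Returns "ok", "bad_password" or "locked"."""
        until = self.locked_until.get(user_id)
        if until is not None and now < until:
            self.events.append((now, user_id, "rejected_locked"))
            return "locked"
        stored = self.credentials.get(user_id)
        if stored is None:
            verify_password(password, DUMMY_HASH)   # burn the same time
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures.pop(user_id, None)
            self.events.append((now, user_id, "success"))
            return "ok"
        count = self.failures.get(user_id, 0) + 1
        if count >= self.MAX_FAILURES:
            self.locked_until[user_id] = now + self.LOCKOUT
            self.failures.pop(user_id, None)
            self.events.append((now, user_id, "locked_out"))
            return "locked"
        self.failures[user_id] = count
        self.events.append((now, user_id, "bad_password"))
        return "bad_password"


def run_demo() -> list[str]:
    """Constructed scenario: three wrong passwords, the correct password inside
    the lockout window (still rejected), the correct password after the window
    (accepted, counter reset), and an unknown user name."""
    monitor = LoginMonitor({"dr_ana": hash_password("correct horse battery staple")})
    t0 = datetime(2024, 1, 15, 8, 0)
    return [
        monitor.attempt("dr_ana", "wrong-1", t0),
        monitor.attempt("dr_ana", "wrong-2", t0 + timedelta(minutes=1)),
        monitor.attempt("dr_ana", "wrong-3", t0 + timedelta(minutes=2)),
        monitor.attempt("dr_ana", "correct horse battery staple", t0 + timedelta(minutes=3)),
        monitor.attempt("dr_ana", "correct horse battery staple", t0 + timedelta(minutes=20)),
        monitor.attempt("nobody", "anything", t0 + timedelta(minutes=21)),
    ]


if __name__ == "__main__":
    print(run_demo())
```

Note what the lockout does not do: it does not tell the caller whether the user name exists, and it does not reset the failure counter on a locked attempt, so an attacker cannot keep an account permanently locked for a legitimate user by retrying inside the window without also being visible in `events`. The stored string carries its own iteration count, which is what lets an organization raise the work factor later and re-hash each user at their next successful login.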
Transmission Security Standard (implementation specifications Addressable)
• ePHI transmitted over an electronic communications network must be guarded against unauthorized access
• Integrity controls: ensure that electronically transmitted ePHI is not improperly modified without detection
• Encryption: encrypt ePHI whenever deemed appropriate
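The Integrity standard's "mechanism to authenticate ePHI" and the integrity controls of the Transmission Security standard are the same technique applied to data at rest and data in motion: a keyed tag that any unauthorized change invalidates. The block below is an added example for both standards, written for this chapter and not taken from the textbook. It computes an HMAC-SHA256 tag over a canonical serialization of a patient record, shows that editing one field (or using the wrong key) fails verification while reordering the fields does not, and then uses the same tag plus a per-sender sequence number so a receiver rejects both modified and replayed lab messages. The key, the record, and the messages are constructed sample data; in a real system the key lives in a key store or HSM, never beside the data, because anyone who can read it can forge tags. Encryption of the payload is a separate control and is not shown here; HMAC gives integrity, not confidentiality.

```python
from __future__ import annotations
import hashlib
import hmac
import json

# Constructed sample key (assumed). A real key is held in a key store or HSM
# and is never written next to the data it protects.
INTEGRITY_KEY = bytes.fromhex("8f3c2a1d5b6e7f90" * 4)


def canonical(body: dict) -> bytes:
    """Stable serialization so the same content always yields the same bytes
    (field order or whitespace differences must not break verification)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over every
    field except the tag itself."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if no field has changed since the record was sealed."""
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sealed.get("tag", "")))


class Receiver:
    """Receiving end of a transmission: rejects messages whose tag does not
    verify (modified in transit) and messages whose sequence number has
    already been seen from that sender (replayed)."""

    def __init__(self, key: bytes = INTEGRITY_KEY):
        self.key = key
        self.last_seq: dict[str, int] = {}

    def accept(self, msg: dict) -> str:
        if not verify(msg, self.key):
            return "rejected: tag mismatch"
        sender, seq = msg["sender"], msg["seq"]
        if seq <= self.last_seq.get(sender, 0):
            return "rejected: replay"
        self.last_seq[sender] = seq
        return "accepted"


def run_demo() -> dict:
    """Constructed ePHI record and lab message; returns the verification outcomes."""
    record = {"patient_id": "P001", "allergies": ["penicillin"],
              "medications": ["amoxicillin 500 mg"]}
    sealed = seal(record)
    tampered = dict(sealed)
    tampered["allergies"] = []                                   # allergy silently removed
    reordered = {k: sealed[k] for k in reversed(list(sealed))}   # same content, other order

    receiver = Receiver()
    msg = seal({"sender": "lab-01", "seq": 1, "patient_id": "P001",
                "result": "potassium 5.9 mmol/L"})
    modified = dict(msg)
    modified["result"] = "potassium 4.1 mmol/L"
    return {
        "original_ok": verify(sealed),
        "tampered_ok": verify(tampered),
        "reordered_ok": verify(reordered),
        "wrong_key_ok": verify(sealed, b"\x00" * 32),
        "first_delivery": receiver.accept(msg),
        "replay": receiver.accept(msg),
        "modified": receiver.accept(modified),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The check that matters for the Integrity standard is the `tampered_ok` case: a database administrator or an attacker with write access to the record store can change the allergy list, but cannot produce a valid tag without the key, so the alteration is detected the next time the record is read. The sequence number is what turns a bare integrity check into a transmission control; without it a correctly tagged old message (a stale lab result, say) could be delivered again and would verify.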
Confidentiality, Integrity, and Availability
• Confidentiality: ePHI is accessible only by authorized people and processes
• Integrity: ePHI is not altered or destroyed in an unauthorized manner
• Availability: ePHI can be accessed as needed by authorized users

Enforcement
• Department of Health and Human Services, Office for Civil Rights (OCR)
• Must investigate all reported violations, and may initiate compliance reviews for cause in the absence of a reported violation

Civil Penalties
• Fines or money damages to sanction violators
• Prior to 2/18/2009
  o Limit of $100 per violation
  o Limit of $25,000 for identical violations during a calendar year
• Since HITECH, tiered by culpability, with a cap of $1,500,000 per year for identical violations in any tier
  o Did not know, and with reasonable diligence would not have known, of the violation: $100 to $50,000 per violation
  o Violation due to reasonable cause and not to willful neglect: $1,000 to $50,000 per violation
  o Violation due to willful neglect, corrected within 30 days of when the covered entity knew or should have known of it: $10,000 to $50,000 per violation
  o Violation due to willful neglect, not corrected within that 30-day period: $50,000 per violation

Criminal Penalties
• OCR refers cases it determines to be of a criminal nature to the Department of Justice; OCR and DOJ cooperate to pursue possible violators
  o The violation must have been committed knowingly
  o There have been criminal convictions
• Most complaints are found not to involve a violation of the rules

Breach Notification
• Finalized in 2013 (Omnibus Rule)
• Covered entities (CEs) and business associates (BAs) must report breaches of unsecured PHI
• Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in HHS guidance (encryption or destruction)
• Breach: the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI
• Reporting requirements
  o Notify each individual whose information was breached, without unreasonable delay and no later than 60 days after discovery
  o Notify the Secretary of HHS: for breaches affecting 500 or more individuals, without unreasonable delay and no later than 60 days after discovery; for smaller breaches, in an annual log
  o For breaches affecting more than 500 residents of a state or jurisdiction, also notify prominent media outlets serving that area
• Breach notification exceptions
  o A workforce member of the CE or BA unintentionally acquires, accesses, or uses PHI in good faith within the scope of authority, and the PHI is not further used or disclosed impermissibly
  o An authorized person inadvertently discloses PHI to another authorized person within the same CE or BA, and the PHI is not further used or disclosed impermissibly
  o The CE or BA that made the disclosure has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information

Risk Assessment
• Assess potential risks and areas of vulnerability related to the security of ePHI
• Under the 2013 rule, an impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates, through a documented risk assessment of at least four factors (the nature and extent of the PHI, the unauthorized person who received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability the PHI has been compromised

Medical Identity Theft
• The assumption of a person's name and/or other parts of his or her identity, without the victim's knowledge or consent, to obtain medical services or goods, or
• The use of a person's identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims

Medical Identity Theft Risks
• Financial loss
• Clinical risks if critical conditions, procedures, medications, allergies, and other information are incorrectly omitted from, or added to, the victim's record

Cascading Effect of Medical Identity Theft
[figure]

Red Flags Rules
• Issued jointly by the Federal Trade Commission, the Department of the Treasury, the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration
• Require creditors and financial institutions to implement an Identity Theft Prevention Program
• The Federal Trade Commission enforces the rules that apply to healthcare organizations
• Red flags
  o Suspicious documents: do they appear to have been altered?
  o Suspicious information: e.g., addresses that do not match between the ID and the insurance card
  o Suspicious behaviors: e.g., a patient who is confused about the type of insurance he or she holds

Identity Theft Prevention Program
• Identify covered accounts
• Identify relevant red flags
• Detect red flags
• Respond to red flags
• Oversee the program
• Train employees
• Oversee service provider arrangements
• Approve the Identity Theft Prevention Program
• Provide reports and periodic updates

Identity Theft Operational Recommendations
• Urge and educate consumers to adopt preventive measures
  o Exercise caution when sharing personal information
  o Monitor Explanation of Benefits (EOB) statements received from insurers
  o Maintain copies of healthcare records
  o Monitor credit reports for unexpected medical charges
  o Protect all health insurance and financial information
• Establish organizational methods to prevent and detect medical identity theft
  o Annual security risk analysis
  o Background checks when hiring
  o Patient identity verification processes
  o Minimize use of Social Security numbers
  o Policies and procedures to safeguard information
  o A plan for handling suspicious activity
  o Ongoing staff training
• Data in the patient record
  o Policies and procedures that allow victims access to their patient records
  o Mechanisms to correct inaccurate information
  o Keep current with medical identity theft legislation and regulations
  o Provide victims with resources and tools for easier recovery

Disaster Preparedness
• Ensure protection of organizational information assets
• Ensure information functions can continue when disasters occur

Protecting Information Assets
• NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems
• NIST Special Publication 800-30, Rev. 1, Guide for Conducting Risk Assessments
• Business impact analysis: evaluate and prioritize all potential risks

Business Impact Analysis
• Recovery Time Objective (RTO): the maximum length of time the organization can operate without an application or system before the outage becomes intolerable
• Recovery Point Objective (RPO): the maximum amount of data loss that is tolerable, expressed as the time between the last good copy of the data and the disruption; it sets how often data must be captured and backed up
• Questions to answer
  1. What are the minimal resources required for operations?
  2. What are the business recovery objectives and assumptions?
  3. In what order should services be restored?
  4. What would be the operational, financial, and reputational impact of a loss of data?

Information Security Threat Analysis: Backup Data Facilities
• Hot site: fully equipped, with data continuously replicated, able to take over operations almost immediately
• Warm site: equipped with hardware and connectivity, but data must be restored before use
• Cold site: space and basic infrastructure only; equipment and data must be brought in after the disaster

Disaster Planning
• Organizations need to help their employees be prepared
• Planning
• Preparedness
  o Training
  o Testing
• Response and recovery

Summary
• Security risk analysis is essential
• Medical identity theft
• Disaster planning