Copyright 2012 MMIC • All rights reserved STRENGTH. SERVICE. KNOW-HOW. VISION.
Building a Practical and Meaningful
HIPAA Security Program
By: Greg Williams
Security & Compliance
Consultant
What is Risk?
• Risk is the potential of losing something of value
Slow Pace of Regulation
Timeline: 1996, ’98, 2000, ’03, ’05, ’08, ’09, ’10, 2013
• HIPAA signed into Law
• Privacy
– Notice of Proposed Rule Making
– Final Rule Published
– Final Modifications Published
– Compliance Deadline
– Interim Rule Modifications (HITECH)
– Final Rule Modifications (HITECH)
• Security
– Notice of Proposed Rule Making
– Security Standards Published
– Compliance Deadline
– Interim Rule Modifications (HITECH)
– Final Rule Modifications (Omnibus)
• Enforcement
– Civil Money Penalties Procedures
– Breach Notification
• Milestones marked on the timeline: HIPAA Becomes Law; Privacy Rule Finalized; Security Rule Finalized; First Resolution Agreement; ARRA/HITECH; First Civil Money Penalties; Final Omnibus Rule
Timeline of Compliance Audits
Date – Action Taken
2008 – 2009: CMS HIPAA Compliance Reviews
2012: HIPAA Security audits conducted by KPMG
June 2012: HIPAA Audit Program Protocol released
November 2012: Medicare EHR incentive program audits
HIPAA Audit Program Protocol
• Three components:
– Privacy
– Security
– Breach Notification
“OCR established a comprehensive audit protocol that
contains the requirements to be assessed through these
performance audits.”
1996 Technology
Missing from the Protocol?
• Smart phones
• Mobile devices
• Personally owned devices
• Portable media
• Data Loss Prevention
• Data Leakage
• Change Control
• Configuration Management
• BYOD
• MDM
• Wireless
• Texting
• Secure Messaging
• Web Portals
• Secure Web Sites
• Router, switches, firewalls
• Network Scans
Also missing
• Biomed or Biomedical Devices
• Cloud
• Remote Access
• Telemedicine
• Social Security Numbers
• Credit Card Numbers – PCI/DSS
• Software Licensing
Audit Test Procedures
• The three “P’s” to align:
– Perception
– Policy
– Practice
• Policies
– Updated
– Reviewed
– Approved
• Create the “Book of Evidence”
– First impressions – Audits are conducted by humans!
– Proof of compliance
– Speed of response
Government Audit
• OCR – Office for Civil Rights
– Our clients may receive a notice from OCR to their CEO stating
the organization is scheduled to be audited.
– List of requests – 15 days to respond
– Three Types of Audits (1200 for 2014)
• Investigation
– Trigger: reported breach or patient complaint
• Random
– Trigger: Not sure how entities get “selected”
• Meaningful Use
– Trigger: Entity received incentive money
– In 2014 the OCR will conduct surveys of CEs and BAs
Most Common Areas of Concern
• Risk Assessment (Analysis)
– Should have been doing this since 2005
• Currency/Relevance of Policies and Procedures
• Security Awareness Training
• Workforce Clearance
• Workstation Security
• Encryption
• Business Associate Contracts & Other Agreements
Case Example: December 27, 2013
Adult & Pediatric Dermatology, P.C., of Concord, Mass.,
(APDerm)
• Dermatology practice settles for HIPAA violations
– $150,000 Agreed Resolution Payment
– OCR opened an investigation of APDerm after a reported theft of an
unencrypted thumb drive from a staff vehicle
– Health Information of 2,200 individuals
• 1st Settlement for violation of the HITECH Act, enacted as part of the
American Recovery and Reinvestment Act of 2009 (ARRA)
Follow up Requirements
• In addition to a $150,000 resolution amount, the
settlement includes a corrective action plan requiring
APDerm to develop a:
– risk analysis and
– risk management plan to address and mitigate any security risks
and vulnerabilities,
– as well as to provide an implementation report to OCR.
How to Create a Practical & Meaningful
Information Security Program
Focus on the 4 “P’s”
Risk Management
• Identify Assets
• Risk Analysis
• Plan Remediation
• Create Controls
• Track your risks
Policy
• Develop Policies & Procedures from Best Practice
– Not a checklist
• Avoid the danger of templates
• Review, Approve, Implement & Track
• Mapped to the organization’s controls
• Empowers audit process
Processes
• Develop and Track
• Assign Ownership
• Include Vendor in the Training
• Create checks/balances
Vulnerability Assessment
• Monthly Vulnerability Scan
• Monthly Report with Recommendations
• Update to Risk Management
Vendor Management
• Manage Documents or Agreements
– Dates sent / received
• Create Master List
• Verify Controls
• Hosted Controls are Hosted Liability
Training
• Make it Fun!
• Make it simple
• Do it often
• Create the Curriculum
• Log the Training
• Test for competency
• Create fire-drills
Compliance Mapping
• Create Map of Governance
– HIPAA
– PCI / DSS
– Social Security Number Disclosure Act
– Breach Notification
• Logically Group Controls
Incident Tracking
• Issues = Good Learning
• Create a good form
• Document all issues
• Use as Training Tools
Audit
• Assess controls for effectiveness
• Show evidence
• Create Corrective Actions
• Technical and Non-Technical
• Include Vendors
Services Process (cycle)
• Assess
• Plan
• Remediate
• Controls
• Communicate
• Train
• Monitor
Security Committee
• Risk
• Policy & Process
• Vulnerability
• Vendor
• Training
• Compliance
• Incident
• Audit
Changing Controls
What does tomorrow bring?
Questions? Greg Williams
Security & Compliance Consultant
952-838-6778 [email protected]