copyright notice · 2014. 8. 12. · 1. define and understand basic hipaa-hitech relevant terms and...
TRANSCRIPT
8/12/2014
1
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
1
Copyright Notice. All materials contained within this document are
protected by United States copyright law and may not be
reproduced, distributed, transmitted, displayed, published, or
broadcast without the prior, express written permission of Clearwater
Compliance LLC. You may not alter or remove any copyright or
other notice from copies of this content.
For reprint permission and information, please direct your inquiry to
© Clearwater Compliance LLC | All Rights Reserved
Legal Disclaimer
2
Legal Disclaimer. This information does not constitute legal advice and is for
educational purposes only. This information is based on current federal law and
subject to change based on changes in federal law or subsequent interpretative
guidance. Since this information is based on federal law, it must be modified to
reflect state law where that state law is more stringent than the federal law or other
state law exceptions apply. This information is intended to be a general information
resource regarding the matters covered, and may not be tailored to your specific
circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND
ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR
OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational
reference in any of the following materials should not be assumed as an
endorsement by Clearwater Compliance LLC.
8/12/2014
2
© Clearwater Compliance LLC | All Rights Reserved 3
Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…
© Clearwater Compliance LLC | All Rights Reserved
Some Ground Rules
4
1. Slide materials A.Check “Chat” or “Question” area on GoToWebinar
Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
8/12/2014
3
© Clearwater Compliance LLC | All Rights Reserved 5
How to Meet HIPAA-HITECH Encryption Requirements & Beyond
WEBINAR
August 12, 2014
Stephen Treglia, JD Legal Counsel, Recovery Section Absolute Software Corporation (877) 600-2293 [email protected]
Bob Chaput, CISSP, HCISPP,CIPP-US CEO & Founder Clearwater Compliance LLC 615-656-4299 or 800-704-3394 [email protected]
© Clearwater Compliance LLC | All Rights Reserved
About HIPAA-HITECH Compliance
1. We are not practicing law!
2. The Omnibus has arrived!
3. Lots of different interpretations!
So there!
6
8/12/2014
4
© Clearwater Compliance LLC | All Rights Reserved
• Legal Counsel, Absolute’s Investigations & Recovery Section 2010 – present
• Prosecutor in New York 1980-2010
• Investigated/prosecuted Organized Crime 1985-1995
• Used computers, seized computers
• Started investigating/prosecuting computer crime 1996
• Created one of first Technology Crime Units 1997, headed it to 2010
• Started investigating/prosecuting Absolute cases in 2006
Stephen Treglia, JD
© Clearwater Compliance LLC | All Rights Reserved
Bob Chaput MA, CISSP, HCISPP, CIPP/US
8
• CEO – Clearwater Compliance LLC • 35+ years in Business, Operations and Technology • 25+ years in Healthcare • Executive | Educator |Entrepreneur • Global Executive: GE, JNJ, HWAY • Responsible for largest healthcare datasets in world • Numerous Technical Certifications (MCSE, MCSA, etc) • Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, ISACA, HIMSS, ISSA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput
8/12/2014
5
© Clearwater Compliance LLC | All Rights Reserved
Session Objectives 1. Define and understand basic HIPAA-
HITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough! 9
© Clearwater Compliance LLC | All Rights Reserved 10
1. Secure Your PHI Avoid the “Wall
of Shame” …Get Started Now
Answer Page!
2. Technology solutions are an
important part, but only part of a
balanced Security Program
4. Encryption is likely not enough;
consider additional safeguards
3. Large or Small: Consider Getting
Help (Tools, Experts, etc)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Policy!defines!an!organiza- on’s!values!&!expected!behaviors;!establishes!“good!faith”!intent!
People!must!include!
talented!privacy!&!security!&!technical!staff,!engaged!and!suppor- ve!
management!and!trained/aware!colleagues!
following!PnPs.!!
Procedures!or!processes!–!documented!F!provide!the!ac- ons!required!to!deliver!on!organiza- on’s!values.!
Safeguards11includes!the!various!families!of!administra- ve,!physical!or!
technical!security!controls!
Balanced Compliance
Program
Balanced1Compliance1Program1
Clearwater1Compliance1Compass™133
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Policy!defines!an!organiza- on’s!values!&!expected!behaviors;!establishes!“good!faith”!intent!
People!must!include!
talented!privacy!&!security!&!technical!staff,!engaged!and!suppor- ve!
management!and!trained/aware!colleagues!
following!PnPs.!!
Procedures!or!processes!–!documented!F!provide!the!ac- ons!required!to!deliver!on!organiza- on’s!values.!
Safeguards11includes!the!various!families!of!administra- ve,!physical!or!
technical!security!controls!
Balanced Compliance
Program
Balanced1Compliance1Program1
Clearwater1Compliance1Compass™133
8/12/2014
6
© Clearwater Compliance LLC | All Rights Reserved
Oops! Missed That Safe Harbor Thingy!
11
AvMed, Inc. FL 1,220,000 12/10/2009 Theft Laptop
Cincinnati Children's Hospital Medical Center OH 60,998 3/27/2010 Theft Laptop
Praxair Healthcare Services, Inc. CT 54,165 2/18/2010 Theft Laptop
Thomas Jefferson University Hospitals, Inc. PA 21,000 6/14/2010 Theft Laptop
Aultman Hospital OH 13,867 6/7/2010 Theft Laptop
Department of Health Care Policy & Financing CO 105,470 5/17/2010 Theft Desktop Computer
Montefiore Medical Center NY 23,753 6/9/2010 Theft Desktop Computer
St. Joseph Heritage Healthcare CA 22,012 3/6/2010 Theft Desktop Computer
University of Oklahoma-Tulsa, Neurology ClinicOK 19,264 7/25/2010 Hacking/IT Incident Desktop Computer
Montefiore Medical Center NY 16,820 5/22/2010 Theft Desktop Computer
Geisinger Wyoming Valley Medical Center PA 2,928 11/6/2010 Unauthorized Access/DisclosureE-mail
The Children's Medical Center of Dayton OH 1,001 4/22/2010 Unauthorized Access/DisclosureE-mail
Sinai Hospital of Baltimore, Inc. MD 937 5/3/2010 Unauthorized Access/DisclosureE-mail
Reliant Rehabilitation Hospital North Houston TX 763 2/9/2010 Unauthorized Access/DisclosureE-mail
Blue Cross Blue Shield of Tennessee TN 1,023,209 10/2/2009 Theft Hard Drives
Providence Hospital MI 83,945 2/4/2010 Loss Hard Drives
Puerto Rico Department of Health PR 400,000 9/21/2010 Unauthorized Access/Disclosure, Hacking/IT IncidentNetwork Server
Triple-S Salud, Inc. PR 398,000 9/9/2010 Theft Network Server
Seacoast Radiology, PA NH 231,400 11/12/2010 Hacking/IT Incident Network Server
Ankle & foot Center of Tampa Bay, Inc. FL 156,000 11/10/2010 Hacking/IT Incident Network Server
Silicon Valley Eyecare Optometry and Contact LensesCA 40,000 4/2/2010 Theft Network Server
3,895,532
© Clearwater Compliance LLC | All Rights Reserved
Session Objectives
12
1. Define and understand basic HIPAA-
HITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
8/12/2014
7
© Clearwater Compliance LLC | All Rights Reserved 13
Key Terms & Concepts 1. Protected Health Information (PHI)
2. electronic PHI (ePHI)
3. Secured PHI
4. Unsecured PHI
5. Data Breach
6. Encryption
7. Destruction
8. Safe Harbor
9. Security Essentials
10. Required versus Addressable
© Clearwater Compliance LLC | All Rights Reserved
Protected Health Information
• Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
14
• PHI is interpreted rather broadly and includes any part of a patient’s medical record or payment history
• …and, that is linked to personal (18) identifiers
8/12/2014
8
© Clearwater Compliance LLC | All Rights Reserved 15
Data Breach • A breach is, generally, an
impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
© Clearwater Compliance LLC | All Rights Reserved
Don’t Panic!
Event
16
Incident
Breach
?
?
8/12/2014
9
© Clearwater Compliance LLC | All Rights Reserved
Unsecured PHI
• Unsecured PHI is PHI that has NOT been rendered unusable, unreadable, or indecipherable
• CEs and BAs must only provide the required notification if the breach involved unsecured protected health information.
17
© Clearwater Compliance LLC | All Rights Reserved 18
Encryption Encryption means the use
of an algorithmic
process to transform
data into a form in
which there is a low
probability of assigning
meaning without use of
a confidential process
or key.1
145 C.F.R. § 164.304 Definitions
8/12/2014
10
© Clearwater Compliance LLC | All Rights Reserved
Safe Harbor “This guidance is intended to describe
the technologies and methodologies that
can be used to render PHI unusable,
unreadable, or indecipherable to
unauthorized individuals.
While covered entities and business
associates are not required to follow the
guidance, the specified technologies and
methodologies, if used, create the
functional equivalent of a safe harbor,
and thus, result in covered entities and
business associates not being required
to provide the notification otherwise
required by section 13402 in the event of
a breach.”1
19
1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health
Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health
Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information
© Clearwater Compliance LLC | All Rights Reserved
Session Objectives
20
1. Define and understand basic HIPAA-
HITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
8/12/2014
11
© Clearwater Compliance LLC | All Rights Reserved
Security Rule & Encryption
Privacy Rule Reasonable
Safeguards for all PHI
Physical Safeguards for EPHI
Technical
Safeguards
for EPHI
Administrative Safeguards for EPHI
• Security Management Process • Security Officer • Workforce Security • Information Access Mgmt • Security Training • Security Incident Process • Contingency Plan • Evaluation • Business Associate Contracts
• Access Control • Audit Control • Integrity • Person or Entity Authentication • Transmission Security
• Facility Access Control • Workstation Use • Workstation Security • Device & Media Control
21
HIPAA ACTUALLY
SAYS LITTLE ABOUT
ENCRYPTION!
HIPAA ACTUALLY
SAYS LITTLE ABOUT
ENCRYPTION!
22 Security Standards
© Clearwater Compliance LLC | All Rights Reserved
45 C.F.R. §164.312(a)(1)
Standard: Access Control. (i) Implement technical policies and procedures for electronic
information systems that maintain electronic protected health
information to allow access only to those persons or software
programs that have been granted access rights as specified in
Sec.164.308(a)(4).
…
(2) Implementation specifications: (iv) Encryption and Decryption. (Addressable). Implement a
mechanism to encrypt and decrypt electronic protected health
information.
22
Access Control (think Data at Rest)
8/12/2014
12
© Clearwater Compliance LLC | All Rights Reserved
45 C.F.R. §164.312(e)(1)
Standard: Transmission Security. (i) Transmission Security -Section 164.312(e)(1) - Implement
technical security measures to guard against unauthorized
access to electronic protected health information that is being
transmitted over an electronic communications network.
(2) Implementation specifications: (ii) Encryption (Addressable). Implement a mechanism to
encrypt electronic protected health information whenever
deemed appropriate.
23
Transmission Security (think Data in Motion)
© Clearwater Compliance LLC | All Rights Reserved
The Security Rule Required vs. Addressable1
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
(ii) As applicable to the entity—
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
24
ADDRESSABLE
≠ OPTIONAL
145 CFR 164.306(d)(3)
8/12/2014
13
© Clearwater Compliance LLC | All Rights Reserved 25
MU Stage 2 Requirements Objective: Protect electronic health information created
or maintained by the Certified EHR Technology through the
implementation of appropriate technical capabilities
Measure: Conduct or review a security risk analysis in
accordance with the requirements under 45 CFR
164.308(a)(1), including addressing the
encryption/security of data at rest in accordance with
requirements under 45 CFR 164.312(a)(2)(iv) and 45
CFR 164.306(d)(3), and implement security updates as
necessary and correct identified security deficiencies as
part of the provider's risk management process.
© Clearwater Compliance LLC | All Rights Reserved
The HITECH Act
THREE absolute “game changers”:
1) More Enforcement
2) Bigger fines
3) Wider Net Cast
26
8/12/2014
14
© Clearwater Compliance LLC | All Rights Reserved
HIPAA Rules Fall short… HITECH Addressed
• No definition of Secured or
Unsecured PHI in HIPAA!
• The HITECH Act Secretary
of Health and Human
Services must issue guidance
27
• Securing PHI as defined in the new guidance is important
because secured PHI is not subject to the breach
notification requirements of the HITECH Act.
© Clearwater Compliance LLC | All Rights Reserved
Encryption Definition 45 CFR 164.304 Definitions
• Encryption means the use of an algorithmic process to
transform data into a form in which there is a low
probability of assigning meaning without use of a
confidential process or key.
28
8/12/2014
15
© Clearwater Compliance LLC | All Rights Reserved
HHS / OCR Guidance1
• Two methodologies to secure PHI by making it
unusable, unreadable or indecipherable to
unauthorized persons:
• Encryption
• Destruction
• May be used to secure data in four commonly
recognized data states:
1. data in motion
2. data at rest
3. data in use
4. data disposed
29
1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under
Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009;
Request for Information
© Clearwater Compliance LLC | All Rights Reserved
Encryption Guidance Based on HHS/OCR Guidance1…
• Valid encryption processes for data at
rest are consistent with NIST Special
Publication 800-111, Guide to Storage
Encryption Technologies for End User
Devices.
30
• Valid encryption processes for data in motion are those
which comply, as appropriate, with: • NIST SP800-52, Guidelines for the Selection and Use of Transport Layer
Security (TLS) Implementations;
• NIST SP800-77, Guide to IPsec VPNs;
• NIST SP800-113, Guide to SSL VPNs,
• or others Federal Information Processing Standards (FIPS) 140-2 validated.
1http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
8/12/2014
16
© Clearwater Compliance LLC | All Rights Reserved
Destruction Guidance
• Must shred or destroy paper,
film or other media
• Electronic media cleared,
purged or destroyed
consistent with NIST SP 800-
88, Guidelines for Media
Sanitization
31
© Clearwater Compliance LLC | All Rights Reserved
2012 OCR Audit Protocol
32
Audit Procedures
1. Inquire of management as to whether an encryption mechanism is in place to protect ePHI.
2. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
a. Type(s) of encryption used. b. How encryption keys are protected. c. Access to modify or create keys is restricted to appropriate
personnel. d. How keys are managed.
3. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.
8/12/2014
17
© Clearwater Compliance LLC | All Rights Reserved
Policy defines an
organization’s values & expected behaviors; establishes “good faith” intent
People must include
talented privacy & security & technical staff, engaged and supportive
management and trained/aware colleagues
following PnPs.
Procedures or
processes – documented - provide the actions required to deliver on organization’s values.
Safeguards includes the various families of administrative, physical or
technical security controls (including “guards, guns, and gates”,
encryption, firewalls, anti-malware, intrusion detection, incident
management tools, etc.)
Balanced
Compliance
Program
Balanced Compliance Program
Clearwater Compliance Compass™ 33
© Clearwater Compliance LLC | All Rights Reserved
Session Objectives
34
1. Define and understand basic HIPAA-
HITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next
steps to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
8/12/2014
18
© Clearwater Compliance LLC | All Rights Reserved
Next Actions to Meet Requirements
1. Get Educated on Encryption
2. Determine Regulations that Apply to You
3. Include ALL “ePHI homes”
4. Decide If Encryption is Enough
5. Establish Selection Criteria
6. Identify Alternatives for Secure PHI
35
7. Test Top Alternatives Don’t Create Bricks!
8. Ensure Fit Into an Overall HIPAA Compliance Plan
9. Put BAs and Subcontractors on Notice
10. Seek Help, If Needed
© Clearwater Compliance LLC | All Rights Reserved
Session Objectives
36
1. Define and understand basic HIPAA-
HITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
8/12/2014
19
© Clearwater Compliance LLC | All Rights Reserved
Is Encryption Enough?
37
© Clearwater Compliance LLC | All Rights Reserved
Graphical representation of state laws
• NM, SD, Kentucky, Alabama lack statutes
• Darker colors – tougher laws
• Virginia considered toughest because of highest penalties
• California started this with law passed in 2002, effective 2003
• Generally applies to government agencies and businesses
• Some States also cover healthcare
8/12/2014
20
© Clearwater Compliance LLC | All Rights Reserved
What even constitutes a breach requiring notification?
• Again, varies State by State
• Typically, the release of a name and some other identifier
• Address, SSN, account number
• Some States have a harm requirement; some don’t
• Some require a minimum # breached before notification required
• Some make encryption a safe harbor; some don’t
© Clearwater Compliance LLC | All Rights Reserved
But does encryption always = “Safe Harbor”? • Those who claim encryption is a safe harbor to
HIPAA regulation should read 74 Federal Register 79 – issued 4/27/09
• Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
• At page 19009 – “(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.”
8/12/2014
21
© Clearwater Compliance LLC | All Rights Reserved
New York General Business Law § 899-aa Prior statute:
• "Personal identifying information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element:
Current statute:
• "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
© Clearwater Compliance LLC | All Rights Reserved
Several States do allow encryption to be a safe harbor
Arizona 44-7501A
• 44-7501. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions
A. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected.
8/12/2014
22
© Clearwater Compliance LLC | All Rights Reserved
What does all this volatility mean to you?
• Causes the most problems for multi-state entities
• How do compliance officers respond?
• They comply with “highest-denominator”
• Means they comply with the toughest State statues to play it safe
• If in compliance with the toughest
• They’re in compliance with the rest
• Why is staying compliant important?
© Clearwater Compliance LLC | All Rights Reserved
Consider More Robust Technology
44
8/12/2014
23
© Clearwater Compliance LLC | All Rights Reserved
Many Services/Many Solutions/Even Unique Ones
• Computrace/Lojack for Laptops/Patented Persistence – Unique to the industry
• Many devices/one solution – Also unique
• Recovery staff of 43 ex-law enforcement officers/over 1000 years experience – Also unique
• Encrypted devices/Encryption Reports
• Device Freeze/Data Delete
• Geo-fencing/Data Loss Prevention
• Forensic/Investigative Services
• Can tell what data is and isn’t seen/Report generated
45
© Clearwater Compliance LLC | All Rights Reserved
Compliance is important way beyond HIPAA penalties & fines
• Think as an ambulance-chasing attorney for a moment
• Each listing of a breached healthcare system is > 500 identities
• Generally, breached identity is valued at a minimum of $1000
• Class action lawsuit just waiting to happen
46
8/12/2014
24
© Clearwater Compliance LLC | All Rights Reserved
Shooting fish in a barrel
Shooting sitting ducks (from a blind that’s not all that blind)
Apropos analogies?
© Clearwater Compliance LLC | All Rights Reserved
A $4.9 BILLION Lawsuit
• U.S. Dept. of Defense defendant for theft of computer tape from car driven by employee of the subcontractor of one of its Business Associates
• Records of 4.9 million members of military on the tape
• $1000 per victim = $4.9 billion
• Business Associate also a defendant, but not the subcontractor (sue the entities with the biggest pockets)
8/12/2014
25
© Clearwater Compliance LLC | All Rights Reserved
Accretive Share Price & Story
49
July 2011 - Accretive
employee’s laptop computer,
containing 20 million pieces
of information on 23,000
patients, was stolen from
the passenger compartment
of the employee’s car
7/31/2012
$2.5M MN SAG
Settlement
1/19/2012 MN
SAG Suit 12/31/2013
FTC Settle.
6/13/2013
Class
Action Suit
03/14/2014
De-Listed
NYSE
4/2/2013
CEO
Replaced
8/26/2013
CFO
Replaced
9/27/2013
$14M Class
Settlement
01/2014
170 Job
Cuts
4/13/2013
COO
Replaced
© Clearwater Compliance LLC | All Rights Reserved
I’m sure you’ve heard…
• Although not a healthcare breach
• Important security lesson to be
learned
• Target HAD the bells & whistles in
place to avoid the breach!!!
• Either no one was listening or they
were listening & ignored
• What if they had the bells & whistles
and they had been turned off either
intentionally or unintentionally?
• This is what Absolute can prevent
8/12/2014
26
© Clearwater Compliance LLC | All Rights Reserved
Problem getting VERY serious in healthcare
• According to this article
• 90% of healthcare organizations
have reported at least 1 data
breach in the past 2 years
• More than 1/3 have reported
MORE THAN FIVE!!!
• The URL for this story is:
http://www.healthcareitnews.com/ne
ws/HIPAA-breach-response-tips-
experts?topic=18,30
© Clearwater Compliance LLC | All Rights Reserved 52
1. Secure Your PHI Avoid the “Wall
of Shame” …Get Started Now
Summary
2. Technology solutions are an
important part, but only part of a
balanced Security Program
3. Large or Small: Consider Getting
Help (Tools, Experts, etc)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Policy!defines!an!organiza- on’s!values!&!expected!behaviors;!establishes!“good!faith”!intent!
People!must!include!
talented!privacy!&!security!&!technical!staff,!engaged!and!suppor- ve!
management!and!trained/aware!colleagues!
following!PnPs.!!
Procedures!or!processes!–!documented!F!provide!the!ac- ons!required!to!deliver!on!organiza- on’s!values.!
Safeguards11includes!the!various!families!of!administra- ve,!physical!or!
technical!security!controls!
Balanced Compliance
Program
Balanced1Compliance1Program1
Clearwater1Compliance1Compass™133
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Policy!defines!an!organiza- on’s!values!&!expected!behaviors;!establishes!“good!faith”!intent!
People!must!include!
talented!privacy!&!security!&!technical!staff,!engaged!and!suppor- ve!
management!and!trained/aware!colleagues!
following!PnPs.!!
Procedures!or!processes!–!documented!F!provide!the!ac- ons!required!to!deliver!on!organiza- on’s!values.!
Safeguards11includes!the!various!families!of!administra- ve,!physical!or!
technical!security!controls!
Balanced Compliance
Program
Balanced1Compliance1Program1
Clearwater1Compliance1Compass™133
8/12/2014
27
© Clearwater Compliance LLC | All Rights Reserved 53
Resources Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-
guide-checklist/
Encryption & Risk Analysis Information:
http://abouthipaa.com/about-hipaa/hipaa-hitech-resources/
© Clearwater Compliance LLC | All Rights Reserved
Educational Opportunities
54
8/12/2014
28
© Clearwater Compliance LLC | All Rights Reserved
55
Clearwater Information Risk Management BootCamp™ Events
Take Your HIPAA Privacy
and Security Program to
a Better Place, Faster …
Earn CPE Credits!
2014-15 Plans – Virtual, Web-Based Events (3, 3-hr sessions): • November 5-12-19 • February 5-12-19, 2015 • May 7-14-21, 2015
2014-15 Plans - Live, In-Person Events (9-hours): • October 16 - Los Angeles • December 4 – Tampa • January 22 – Dallas • April 30 – New Orleans
© Clearwater Compliance LLC | All Rights Reserved
Clearwater is Now an ISC2 Official Training Provider
56
Join Us in Nashville: 8/18-20
8/12/2014
29
© Clearwater Compliance LLC | All Rights Reserved
Register For Upcoming Live HIPAA-HITECH Webinars at:
http://clearwatercompliance.com/live-educational-webinars/
57
Resources
View pre-recorded Webinars like this one at:
http://clearwatercompliance.com/on-demand-webinars/
© Clearwater Compliance LLC | All Rights Reserved
58
Today’s Speakers
Stephen Treglia, JD Legal Counsel, Recovery Section Absolute Software Corporation (877) 600-2293 [email protected]
Bob Chaput, MA, CISSP, HCISPP, CIPP-US CEO & Founder Clearwater Compliance LLC 615-656-4299 or 800-704-3394 [email protected]
8/12/2014
30
© Clearwater Compliance LLC | All Rights Reserved