How to Perform a Large Scale HIPAA Security Gap Analysis as a Means of Performance Improvement
Roy G. Clay III, BSCS, CDP
HIPAA Security Project Coordinator
Louisiana State University Health Sciences Center
New Orleans, LA

Louisiana State University: A Hybrid Entity
Covered Component
  Health Sciences Center
  Pennington Biomedical Research Center
  Definity Health Plan
Non-Covered Component
  Agricultural & Mechanical College
  Law School
  Agricultural Center
  LSU at Eunice
  LSU at Alexandria
  LSU at Shreveport
  University of New Orleans

LSU Health Sciences Center
[Organization chart; labels as extracted]
Shreveport Campus: University Hospital; Schools of Medicine, GME, Graduate Studies, Allied Health
Health Care Services Division (HCSD): 9 Hospitals
New Orleans Campus: Medicine, Dentistry, Nursing, Graduate Studies, Allied Health
Vice President of Health Affairs

Health Care Services Division (Large Scale)
5000+ Inpatient Admissions/mo.
30000+ Outpatient visits/mo.
600+ Deliveries/mo.
1,000,000 Lab tests/mo.
14,000 Prescriptions filled/mo.
3000+ Surgical Procedures/mo.
28000 ED visits/mo.
32,000+ Diagnostic Radiology procedures/mo.
2000+ Medical Staff members
10000+ Employees

Challenges
Large multi-entity organization.
Distributed authority.
Heterogeneous infrastructure.
Budget. (What budget?)
Poor organizational communication.
Lack of computer literacy.
Good practices in some areas but other areas overlooked.
Little (if any) documentation.

Gap Analysis Process
Appoint Security Officer and Give Him the Authority to Perform the Gap Analysis.
Iterative Discovery Process.
Compile Results and Make Recommendations.

Educate Your New Security Officer
Security NPRM - http://aspe.hhs.gov/admnsimp/bannerps.htm#security
AAMC Guidelines - http://www.aamc.org/members/gir/gasp/hipaaresources.htm
WEDI SNIP Whitepapers - http://snip.wedi.org/public/articles/index.cfm?Cat=17

Iterative Discovery Process
Where is the data?
Surveys.
Interviews.

Where is the Data?
[Diagram: LSUHSC HCSD HIPAA Gap Analysis Project, Application Administration, August 8, 2001. Labels as extracted:]
LSUHSC; Tulane
Centrally Administered Systems; Patient Management; LIS
Hospital Administered Systems; Novell Network
Vendor Administered Systems; Medical Transcription; New Pharmacy System; HL7 Interface
Vendor Administered Systems; Clearinghouse Vendor; Blue Cross
Windows NT Network; LHN; LSUHSC Clinics
Department Administered Systems; PACS/RMS; Biomed; Medical Records Storage
Academic Systems; Coding

Top Down Surveys
Application Level
Site/Campus Level
Enterprise Level

Interviews
Five Targeted Groups
  Executive Staff (Including Medical)
  Human Resources
  Training
  Information Technology
  System Users
Use responses from surveys to guide your interviews.

Results and Recommendations
Don’t wait to complete your surveys and interviews to begin compiling recommendations.
Provide management with alternatives wherever possible.
Make sure your recommendations are supported by your results.

Remember
Be prepared to go over things again and again.
Plan for items to be late.
Know how to escalate.
Make every step educate as well as collect information.

Caveat Emptor!
“20% of HIPAA attorneys are passing incorrect information to their clients.” – Alan Mertz, Executive Vice-President, Healthcare Leadership Council
HIPAA is new. Most of the consultants got to be experts on HIPAA by reading about it.
Vendors probably know less about HIPAA Security than you do.

Performance Improvement
Security Management Process
Policies, Standards, and Procedures (PSP Not P&P)
Change Management
Measurements

Security Management Process
Include other areas essential to the security process. (Facilities, Hospital Police, etc.)
This group is the primary security policy making body.
Recommends security projects to be included in overall project list.

Policies, Standards, and Procedures
[Diagram; labels as extracted]
Procedures
Standards
Policies

Policies, Standards, and Procedures
Policies are developed from the security management process.
Policies should be simple and concise.
Standards are set and revised by the appropriate group (usually IT) as specified in the policy.
Procedures are developed to meet the requirements of policies and standards as needed.
http://www.iso-17799.com/iso.htm

Standards
As few as possible but sufficient to cover all situations.
Must be written.
All projects, grants, construction, etc. must be checked for adherence to standards.

Change Management
Communications Tool.
Automate workstation patches.
Keep logbooks on servers.
Use request form to initiate and track changes.

Measurements
Identify and track critical statistics.
Make sure your measurements make sense from the users’ perspective.
Scan your network.

Finally
Gap analysis provides a database that can be mined for performance improvement.