HIPAA HITECH Solutions…Not Theory
April 27, 2010

Risk Assessment
Policies and Procedures
Email Encryption
Breach Notification Plans

HIPAA HITECH Solutions…Not Theory
• Consulting: Rebecca Herold, [email protected], www.rebeccaherold.com
• Risk Assessment: Jack Kolk, [email protected], www.acr2solutions.com
• Policies and Procedures: Jack Anderson, [email protected], www.compliancehelper.com
• Email Encryption: John Nail, [email protected], www.radarmail360.com
• Breach Notification: Jeremy Henley, [email protected], www.idexpertscorp.com
Page 1 © Rebecca Herold. All rights reserved.

Agenda
• HIPAA / HITECH Quick Overview
• Experiences
• Requirements and common risks and problems
HIPAA is…
• On August 21, 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).
• The HIPAA Privacy Rule went into effect in April 2001, and gave covered entities (CEs) two years to meet compliance.
• The HIPAA Security Rule went into effect in April 2003, and CEs had until April 2005 to get into compliance.
HITECH is…
• The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.
• HIPAA now applies to CE business associates (BAs) directly.
• HITECH includes a statutory obligation for BAs to comply with HIPAA.
• HITECH also increased the penalties for HIPAA violations.
• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
All BAs Must Comply!
• BAs of all sizes must comply with ALL the HIPAA Security Rule & Privacy Rule and HITECH requirements.
• BAs that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity.
• Each security and privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in a BA contract.
Experiences
• As an information security and privacy officer for a large healthcare insurer / financial organization: big problems with brokers and agents.
• ~200 business partner information security and privacy program reviews: big problems during business associate, partner and vendor reviews.
Common Risks & Problems
1. No documented assigned responsibilities
2. No documented policies, procedures, forms
3. No training or awareness communications
4. No compliance monitoring
5. Non-compliance with contractual obligations
6. Insecure disposal
7. Inappropriate sharing and subcontracting
8. No documented incident or breach response plans
9. Lack of logs and documentation
10. No mobile computing controls
11. No use of encryption
12. No Business Continuity / Disaster Recovery Plans
Word To The Wise…Compliance is not a one-time event…
All CEs *AND* BAs must meet, and continuously stay in, compliance with all HIPAA and HITECH requirements or face stiff noncompliance remediation requirements, penalties, fines or even jail time!
Don’t be foolish, maintain compliance!
Contact Information
Rebecca Herold & Associates, LLC, “The Privacy Professor”®
1408 Quail Ridge Avenue
Van Meter, Iowa 50261
Phone 515-996-2199
Web sites: www.theprivacyprofessor.com, www.compliancehelper.com
Blog: www.realtime-itcompliance.com
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI
Twitter ID: http://twitter.com/PrivacyProf
ACR 2 Solutions, Inc.
Simplifying Information Security Compliance
• Automating Risk Assessments using the Risk Reporter Family
• Lower your TCO
• Meet your requirements in a fraction of the time previously required
About ACR 2 Solutions
• Focused on enterprise level real-time risk management software
• Simple, elegant, easy to use compliance solutions
• Tools to support regulatory laws and regulations such as: FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS
• Risk and Compliance solutions for public, private, and government organizations
• Risk and Compliance solutions that lower the total cost of (Information Security) Compliance (TCC)
Definitions and Relationships of Terms
[Diagram flattened in extraction. Nodes: Threat, Vulnerability, Risk, Asset, Exposure, Safeguard. Connector labels: Gives rise to, Exploits, Leads to, Can Damage, And cause an, Can be counter-measured by a, Directly Affects. Read as a chain: a threat exploits a vulnerability, which leads to a risk; the risk can damage an asset and cause an exposure; the exposure can be counter-measured by a safeguard, which directly affects the threat.]
Risk Assessment
Definition of Risk
“Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence.” (NIST 800-30, page 1)
Risk Assessment – 45 CFR Part 164.308 (HIPAA) - Required for Meaningful Use Funding
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…
GLBA, FISMA, PCI, Sarbox have similar requirements.
Calculation of Risk – NIST 800-30
Risk Score (1-100) = Probability Score (0.1-1.0) x Impact Score (10-100)
Probability = F(Threat Source, Vulnerabilities, Safeguards and IPS/AV Metrics)
Impact = F(Data Value, Vulnerabilities and Safeguards)
Manually Assess Risk – 1500 hours training, 30-60 hours/site baseline, 5-15 hours/update
How Does it Work?
Three types of input to a risk assessment:
• Management Data
• Policy Data
• Technical Controls
Technical Controls is the most difficult to answer: 630+ settings on every Windows machine, times the number of machines.
• SCAP Vulnerability Scanners
• UTM / IPS / Firewall Syslogs
Generate the Compliance Reports.
Use the ‘Gap’ report to prioritize remediation and put safeguards in place.
Introducing Risk Reporter: Single Site Risk Assessment
Introducing Risk Reporter: Enterprise Version
ACR2 Megaprise Version: allows management and viewing of multiple Enterprise accounts
Automated Risk Assessment
• Scan typical workstations and upload SCAP data: 0.5 hours
• Input policy data: 3.5 hours
• Input UTM data: 0.5 hours
• Request assessment report: 0.1 hour
Risk Scores Listed 1-100 (800-30, p25)

Calculated Risk Scores Table

| ID | Threat Source | Vulnerability | Likelihood | Impact | Baseline Score |
|---|---|---|---|---|---|
| E1 | Wind | Roof damage | M | M | 25 |
| E2 | Fire | Smoke damage | M | M | 25 |
| E3 | Flood | Facility damage | M | M | 25 |
| E4 | Power loss | Loss of operations | M | M | 25 |
| E5 | Power loss | Damage to building | M | M | 25 |
| E6 | Vehicle collision | Facility damage | M | M | 25 |
| HE1 | Human error | Data acquisition | M | M | 25 |
| HE2 | Human error | Data storage | M | M | 25 |
| HE3 | Human error | Data retrieval | M | M | 25 |
| HE4 | Human error | Data modification | M | M | 25 |
| HE5 | Human error | Data transmission | M | L | 25 |
| HE6 | Human error | System design | M | M | 5 |
| HE7 | Human error | Procedure implementation | M | M | 25 |
| HE8 | Human error | Internal controls | M | M | 25 |
| MI1 | Malicious insider | Data acquisition | M | M | 25 |
| MI2 | Malicious insider | Data storage | M | M | 25 |
| MI3 | Malicious insider | Data retrieval | M | M | 25 |
| MI4 | Malicious insider | Data modification | M | M | 25 |
| MI5 | Malicious insider | Data transmission | M | H | 25 |
| MI6 | Malicious insider | System design | M | M | 50 |
| MI7 | Malicious insider | Procedure implementation | M | M | 25 |
| MI8 | Malicious insider | Internal controls | M | H | 25 |
| MO1 | Malicious outsider | Data acquisition | M | H | 50 |
| MO2 | Malicious outsider | Data storage | M | H | 50 |
| MO3 | Malicious outsider | Data retrieval | M | H | 50 |
| MO4 | Malicious outsider | Data modification | M | H | 50 |
| MO5 | Malicious outsider | Data transmission | M | H | 50 |
| MO6 | Malicious outsider | System design | M | L | 50 |
| MO7 | Malicious outsider | Procedure implementation | M | L | 5 |
| MO8 | Malicious outsider | Internal controls | L | L | 1 |

Calculated Risk Scores Graph: [bar chart of the baseline score for each ID above, x-axis 0 to 60]
Risk Assessment Options

| Task | Manual | ACR2 Automated |
|---|---|---|
| Training | 1000 to 1500 hrs | 2 hrs |
| Initial Assessment | 30-60 hrs | 3-6 hrs |
| Updates | 5-15 hrs | < 1 hr |
Meaningful Use and ARRA
• $19 billion in subsidies for firms that make “meaningful use” of certified EMRs
• Meaningful Use requires a 45 CFR part 164.308 risk assessment
• Frequently updated list of EMRs with meaningful use status on the ACR 2 website
Contact Information
ACR 2 Solutions Office (678) 261-8181
Jack Kolk, President, (770) 904-0997
Compliance Helper
Comprehensive Privacy and Information Security Program
Small CEs and BAs
• Policies
• Procedures
• Forms
• Step by Step Process
• Personal Helper
• Delivered over the Internet
HIPAA HITECH Key Phrases
• “Willful Neglect”
• “Reasonable and Applicable”
• “Satisfactory Assurances”

Business Associates: Can You Prove Your Compliance?
The Compliance Meter™ Can
How Does It Know?
[Compliance Helper screenshots: Policies table of contents with Section 1 open; a policy edited with the cursor over Submit; a policy in Pending state; a policy in Approved state]
Transparency

Next Steps: Sign Up
• Get Compliant
• Stay Compliant
• Prove Compliance
HIPAA HITECH Is Just Part of a Major Change: Evolving Standard for Protecting Personal Information
• Identity Theft
• EHR
• Healthcare Reform
• 47 State HIPAA/Breach Laws
• Gramm Leach Bliley Privacy
• “Red Flag” i.e. Identity Theft Protection
• Data Encryption/Privacy Laws (MA, NV et al)
Email Encryption Assessment Criteria
1. Proven to Meet Spectrum of Legal Requirements
2. Cover Threats to the Business
   • Outbound Email
   • Inbound Client Communication
3. Non Disruptive / Simple to Setup and Use
4. Cost Effective i.e. “Reasonable”
Who Is ZixCorp
• Traded on Nasdaq – ZIXI
• Business is Encryption
• Impressive Client List
  • Securities and Exchange Commission (SEC)
  • FDIC
  • Federal banking regulators (FFIEC)
  • The Conference of State Bank Supervisors
  • Members of the American Bankers' Association
  • More than 1,000 hospitals across the United States
  • More than 1,000 financial institutions
The Power of the Zix Directory
Think of the Zix Network like “In Network” and “Out of Network” in a health plan. In the health plan, cost is the differentiator. For email it is time, convenience, full HIPAA/HITECH compliant security and transparent communication.
Over 150 Health Insurers (with 100 Million+ Insured Lives), TPAs and Other Benefits Services Providers
Combining 3 Powerful Zix Tools delivered as SaaS
• Outbound - Zix Gateway
  • Automatically encrypts outbound email via its rules based architecture
  • Transparent inbox to inbox solution
  • Users do nothing special to encrypt email; the rules based system does it for them.
• Inbound - Zix Portal
  • User can retrieve and respond to messages
  • Initiate secure inbound PHI, personal data and financial communication
• Network Access - Zix Directory
  • Over 20 million people and 150 health plans use Zix, allowing you to connect directly to them, desktop to desktop.
![Page 67: HIPAA HITECH Solutions…Not Theory · • The HIPAA Security Rule went into effect in April ... Risk Assessment –45 CFR Part 164.308 (HIPAA) - Required for Meaningful Use Funding](https://reader034.vdocuments.net/reader034/viewer/2022050117/5f4de707457c72380929b44a/html5/thumbnails/67.jpg)
How RadarMail 360 Works: Best Protection - Outbound & Inbound
Inbox to Inbox for Staff & Zix Members | Website Portal for Clients (Retrieve, Respond, Initiate) | Best Client Service
• Automatic, rules-based encryption
• Inbox-to-inbox encryption to any Zix Member Network user
• A non-Zix user gets an email like the one shown on the slide; the message in their inbox has a link to your Portal
• “Click here” takes the user to a secure portal embedded in your website, reinforcing your brand and web tools
• Branded with your logo and accessible from your website
• User retrieves, responds, attaches files etc. here in the message center
• Clients also log in to initiate communication, securely send files etc., eliminating the risk of breach via normal email
• Encrypted responses go right to your team’s or a Zix Network member’s inbox transparently
• Blackberry encryption built in
HIPAA HITECH Solutions…Not Theory
Other Communication Services
10 www.theindustryradar.com | [email protected] | 404-418-5550
Delivering Positive Outcomes
COMPLETE DATA BREACH CARE
DATA BREACH LIFECYCLE
Healthcare Data Breach Solutions 2
PREVENT
REMEDIATE
WHY IS IT DIFFICULT TO ACHIEVE A POSITIVE OUTCOME?
» Data breaches are complex events. Challenges can include:
• Diversity in demographics and needs of affected patients
• Complexity of HITECH and state legal statutes
• Making sense of the products available and their efficacy for addressing PHI identity theft needs
• Inexperience in communicating with the attorney general with jurisdiction
• Difficulty in coordinating diverse legal, reputational, privacy, patient and operational constituencies and issues
• Lack of resources in an already overwhelmed medical system
HEALTHCARE DATA BREACH: CREDIT MONITORING INSUFFICIENT
» For a positive outcome, you need to provide a complete patient solution:
• Credit Monitoring: necessary but not sufficient to address the financial side of identity theft
• Healthcare Identity Protection Toolkit: proprietary ID Experts tools to enable breach victims to address medical identity theft issues
• ID theft cyber-monitoring technology: protects patients from identity theft issues in the online world where IDs are bought and sold
• Fully-managed identity restoration services: if patients fall victim to identity theft, their problems are solved by certified experts
THANK YOU
» Jeremy Henley
» Director of Breach Protection
» 760-304-4761
» [email protected]
» www.idexpertscorp.com
HIPAA HITECH Solutions…Not Theory
Consulting Rebecca Herold [email protected] www.rebeccaherold.com
Risk Assessment Jack Kolk [email protected] www.acr2solutions.com
Policies and Procedures
Jack Anderson [email protected] www.compliancehelper.com
Email Encryption John Nail [email protected] www.radarmail360.com
Breach Notification Jeremy Henley [email protected] www.idexpertscorp.com