2. Agenda:
• Healthcare IT Trends
Jim Hietala, Compliance Research Group
• Recovery Act of 2009, and HITECH Act, Security
and Compliance Implications
Karl Muenzinger, Janus Associates
• Overview of Avior Computing Solutions
Bruce Beck, VP Business Development, Avior
• Demonstration: Converged privacy/security
assessments for healthcare organizations
Jeri Teller‐Kanzler, President Risk‐Mapp
• Q&A
3. Trends in IT and Healthcare
Government:
• Electronic Health Record adoption push
• Health Information Networks (HIE’s, RHIN’s,
NHIN)
IT Access and Network Changes:
• Growth in wireless network adoption, mobility
• Guest network access
• Intermixing of IT and clinical devices in
healthcare networks
4. 2009 Stimulus Bill
Brings New HIPAA Requirements
The Health Information Technology for Economic
and Clinical Health (HITECH) Act
• Included in the American Recovery and Reinvestment Act of 2009 (ARRA)
Data Breach Protections
• Prevent Data Breaches of Protected Health Records (PHR)
• Increase penalties
August 2009: Guidance from HHS and FTC
• HHS Office of Civil Rights takes over HIPAA enforcement
• Interim final rule for Breach Notification for Unsecured Protected Health
Information (45 CFR Parts 160 and 164)
• The Federal Trade Commission Health Breach Notification Rule (16 CFR Part
318) and Notice of Breach of Health Information (procedure)
5. The Impact on HIPAA Compliance
An increase in SCOPE
‐ More organizations are subject to HIPAA
An Increase in DEPTH
‐ HIPAA compliance programs require greater due‐diligence
An increase in ENFORCEMENT:
‐ More government oversight, higher penalties
PENALTIES FOR HIPAA VIOLATIONS
                        Prior penalties    ARRA / HITECH
Amount per violation    $100               $100 ‐ $50,000
Maximum per year        $25,000            $5,000,000
6. Data Breach
“the unauthorized acquisition, access, use or disclosure of PHI”
Data Breach Notification Law: Protect PHI
‐ Encryption during Transmission
‐ Encryption during Storage
‐ Secure Disposal of PHI on paper, film, or disk
Public Notification of Data Breaches
starting in September 2009
‐ Covered Entities and Business Associates will be required to
notify the public
‐ HHS will post a public list of major data breaches: increase in
reputational risk
‐ The FTC must be notified, for organizations not otherwise
covered by HIPAA
7. The Increased Oversight of Business
Associates
Business Associates must comply with HIPAA
Privacy and Security rules (sec 13401.(a))
‐ Civil and criminal penalties (sec 13401)
‐ Data Transmission Service Providers are included (sec 13408)
Covered Entities are accountable for their
Business Associates
‐ Data Breach Notification rules for Covered Entities include data
breaches of their Business Associates (sec 13402)
‐ Business Associate Agreements must be revised by February 17,
2010
‐ Best Practices: require Business Associates to agree to
independent inspection of security controls
8. Compliance and Risk Assessments
of Business Associates
Locate and document all PHI sent to third parties
Assign the controls required for each Business Associate
• Specify all data‐handling requirements in Business Associate Agreements
Collect Evidence of Controls for each Business Associate
Assess the evidence, identify risks, take action
9. Strategies for Covered Entities and
Business Associates
Covered Entities:
• Use a Tiered Approach: Categorize your Business Associates
‐ based on the PHI being handled, and other risk factors
• Tailor the Assessment methodology for each Tier
‐ Efficiently expend resources on the tiers of highest risk
• Use Risk Assessments to Reduce Business Associate risks
‐ Leverage the results during negotiations for future outsourced services
Business Associates:
• Establish a HIPAA Compliance Program:
‐ Conduct a HIPAA Risk Assessment and Gap Analysis
• Coordinate with the Compliance teams of your customers
‐ Align your policies and procedures proactively
Both: Your customers will be asking more about your security
• Honesty Builds Trust – Trust Leads to Investment
10. About JANUS Associates:
Focused on Information Security and Business
Continuity consulting for two decades
• Stamford, Albany, Boston, Baltimore, Silver Spring MD
• Privately held, independent, woman‐owned business
Consulting Services:
• Information Security & Privacy
• Business Continuity/Pandemic/DR Planning
• Regulatory Compliance, including PCI
• Security Awareness Training
• Breach Response and Computer Forensics
• Electronic Discovery
Avior business partner
www.JANUSassociates.com 203‐251‐0200
11. Bruce Beck, VP Business Development
Compliance… Know it Now!
www.aviorcomputing.com
12. Risk & Compliance Process
[Cycle diagram] Stages: Risk Assessment Scope; Distribute Assessment Questionnaires; Manage Collection Process; Reporting and Analysis; Review and Remediation. Center: People, Process, Technology.
14. Adding to the Challenge
Many overlapping compliance
requirements
Fragmented compliance projects
spread over many regulations,
business units & third party
providers…silos
“70% of organizations are treating each compliance regulation
as a silo; Inefficient, expensive, Can’t leverage common controls
and assessments, Annoying to business owners and vendors”
– Compliance Marketing Group
19. Enhanced Assessment Experience
• Easy to use assessment editor
• Incorporate notes and attachments
• Weight the response to questions
• User Friendly Workflow
• Intuitive responder interface
21. Visibility ‐ Reporting & Dashboards
• Executive Level User Interface
• Dynamic Data Rendering
• Standard Suite of Reports
• Role Based Reporting
• PDF, Excel & Graphical
22. Avior automated risk & compliance workflow
Risk Assessment Scope:
• Develop assessments
• Set Frequency
• Determine scoring
Distribute Assessment Questionnaires:
• Determine business owners
• Manage distribution workflow
• Ensure completion
Manage Collection Process:
• Manage Reminders
• Escalate as necessary
• Review for completeness
Reporting and Analysis:
• Score results
• Determine key risks
• Report to management
Review and Remediation:
• Determine risks to remediate
• Manage remediation
Callouts on the diagram: Risk process lifecycle support; Prebuilt assessment library; Dynamic mapping; Workflow management; Forced evidence collection; Response weighting; Automated review, scoring, and reporting; Linked to remediation management
23. Achieve better results
• Significant reduction in governance,
risk and compliance costs
• Improve control of risk management
and compliance
• Increase executive visibility of
enterprise risks
• Organize compliance with a
repeatable and sustainable process
= Improved management
25. Jeri Teller‐Kanzler
President of Risk‐Mapp
Demonstration of ClearView and
BenchMark
Healthcare assessment addressing HIPAA,
and new healthcare guidance
Mapping of HIPAA, NIST 800‐66, and other
standards and regulations
26. Questions & Answers
For Additional Information:
Avior Computing
• Bruce Beck
BBeck@Aviorcomputing.com
603‐964‐8040
Janus Associates
• James Adams
jamesa@janusassociates.com
203‐251‐0200