Csa security risks_compliance_ramadoss_11102016_mo_d

  1. Healthcare Information Security Risks and Compliance 2016. Colorado CSA Fall Summit | November 10, 2016. Ram Ramadoss, Vice President, CRP Privacy, Information Security and EHR Compliance Oversight, Catholic Health Initiatives. www.cloudsecurityalliance.org. Copyright © 2016 Cloud Security Alliance
  2. Overview
     • About Catholic Health Initiatives
     • Healthcare Industry Overview
     • Top Technology Trends
     • HIPAA Compliance/Risk Assessment
     • OCR’s Cloud Computing Guidance
     • Q&A
  3. About Catholic Health Initiatives
     • The nation’s third-largest nonprofit health system
     • CHI operates in 19 states and comprises 103 hospitals; four academic health centers and major teaching hospitals as well as 30 critical-access facilities; home health and senior living facilities
     • Other facilities and services that span the inpatient and outpatient continuum of care
  4. Healthcare Industry
  5. Overview
     • Current state
     • Evolution
     • Complexity
     • Challenges and Opportunities
  6. Evolution
     • Major consolidation of healthcare providers
     • Small and medium-sized practices are struggling
     • A major movement to Electronic Health Record systems
     • We are seeing an increasing shift towards outsourcing
     • Competing priorities and budget limitations
     • Consumerization
  7. Complexity
     • A significant number of legacy electronic systems
     • 20-plus-year retention timeframe for medical records
     • Legacy medical devices / wireless capability
  8. Security Challenges Unique to the Healthcare Sector
     • Protected Health Information (PHI) includes fundamental, unchanging facts about a patient
     • Average security breach cost: $363 per record in healthcare versus $154 per record in other industries
     • In 2015 alone, 113 million patients were affected by breaches
     • Fraud opportunities for criminals include:
       - Identity theft
       - Exploitation of insurance details
       - Prescription drug benefits
  9. Challenges and Opportunities
     Challenges:
     • Vulnerabilities and weak security controls
     • Aggressive threat landscape
     • HIPAA regulatory requirements
     Opportunities:
     • Desperately looking for technology solutions
     • An open-minded approach to outsourcing
     • Exploring efficiency and automation opportunities
  10. Top Technology Trends
  11. The Consumerization of Healthcare
     • Consumer connected to the New Healthcare Economy
     • A greater expectation for a personalized experience
     • Business intelligence tools to derive patterns and consumer trends
  12. Big Data
     • 360-degree view of customers/patients
     • Unstructured data to help with predictive analytics
     • Increasing focus on Health Clouds
     • Medium-sized providers: huge opportunity
     • Large healthcare providers: partnerships
  13. Mobile Devices/Applications
     • Not just the Millennials
     • Access to health information using smartphones
     • Online scheduling / insurance shopping / virtual care drive off
     • Developing a digital eco-system
     • Patient/physician portals; information sharing
       - Engagement and interactions with patients
  14. Patient Data vs Patient Safety Focus
  15. HIPAA Compliance and Risk Assessments
  16. Business Associate Agreements (BAA)
     • A contractual agreement between a Covered Entity (CE) and any third-party company with access to patient information (Business Associate)
     • A mandatory requirement: HIPAA Administrative Safeguard
     • Key provisions include, but are not limited to:
       - Return or destruction of Protected Health Information (PHI) upon termination
       - Safeguarding of ePHI and breach notification
  17. Information Security Amendments
     • Additional language regarding a minimum security program
     • Security provisions regarding access from foreign locations and storage of data outside the country
     • Risk stratification of partners and Business Associates
     • Monitoring of partners’ security and compliance
  18. Suppliers/Business Associates
     Facts:
     • Increasing outsourcing activities (business process/IT)
     • Cloud-based electronic health record systems
     • Patient care programs are reliant upon the support received from partners / BAs
     Mitigation:
     • Cybersecurity insurance coverage
     • BAAs and security amendments
     • Access and storage outside the United States
     • Supplier risk management program
  19. The Office for Civil Rights’ (OCR) Cloud Computing Guidance
  20. Cloud Computing Guidance
     • Covered Entities (CE) must execute BAAs with Cloud Service Providers (OCR’s recent fines against a CE)
     • Risk Analysis: both CE and CSP
     • Service Level Agreements must include:
       - System availability and reliability
       - Back-up and data recovery
       - Manner in which data will be returned to the customer after service use termination
       - Security responsibility
       - Use, retention and disclosure limitations
  21. Cloud Computing Guidance
     • CSP is directly liable under the HIPAA Privacy Rule
       - Use and disclosure of data not authorized by the contract, law and HIPAA
     • CSP is directly liable under the HIPAA Security Rule
       - Failure to safeguard ePHI
       - Failure to notify a Covered Entity regarding a breach
     • CSPs are still considered Business Associates:
       - If the data is encrypted
       - Even if the CSPs do not have access to the data
  22. Cloud Computing Guidance
     • Can a CSP be considered a “conduit” like the postal service?
       - The conduit exception is limited to transmission-only services for PHI, including any temporary storage of PHI
     • Lack of actual knowledge by CSPs that their services are used to handle ePHI
       - Affirmative defense: address compliance within 30 days
     • Breach Notification: CSPs must implement:
       - Policies and procedures
       - Documentation of security incidents
       - Reporting of incidents to CEs and Business Associates
  23. Cloud Computing Guidance
     • CSPs must return or destroy all PHI at the termination of the BAA where feasible
       - If such return or destruction is not feasible, the BAA must extend the privacy and security protections
     • The HIPAA rule does not restrict storage of data outside the US
       - Risk Assessment is the key
     • Customers may require additional assurances from CSPs, such as documentation of safeguards or audits
     • De-identified ePHI per the HIPAA Privacy Rule
       - CSP is not a Business Associate
  24. Thank You