Russell Suzuki, MSCIS
President, Falcon Technology
President, Nevada HIMSS Chapter
Overview
• “HIPAA Omnibus”
• “SRA”
• “The Cloud”
• “BYOD”
• “Two-Factor Authentication”
Visit: www.falcontek.com Email: info@falcontek.com Call: 702.629.4945
HIPAA Omnibus Rule: Background
• Became law on March 26th 2013
• HHS will be more aggressive with enforcement
• If willful neglect is involved in a violation, formal action will be taken.
• Fines for Business Associates are the same as for CEs
– $100 per record, up to a maximum of $1.5M
• Business Associates are Liable
– Their subcontractors too
HIPAA Omnibus Rule: Action Checklist
• Appoint a privacy and security officer
• Update Binder, Notice of Privacy Practices
• Conduct a Security Risk Assessment ASAP
• Train all personnel on new HIPAA regulations
• Review all BAAs, modify by Sept 24, 2014
• BA subcontractors need BAAs by Sept 23, 2013
• Ask IT: Encrypt data “in motion” and “at rest”
– Email, hard drives, fax via email, backup tapes
• Interview compliance consultants
HIPAA Omnibus Rule: Resources
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• http://business.ftc.gov/documents/bus43-copier-data-security
SRA (Security Risk Assessment): Background
• Required by Meaningful Use and HIPAA
• Must be accomplished annually
– If receiving Stimulus payments, it must be done during the attestation periods
• Requires info from EHR and IT vendors, and internal organizational policies and procedures
• Can be outsourced to varying degrees
– Web-based documentation repositories
– Automated tools
– Local and/or Remote consultants and trainers
Security Risk Assessment: Action Checklist
• Download CMS SRA checklist
• Capture Documentation of all Yes and No answers
• Identify and remediate all shortfalls, document
• Prepare mock response to Pre-Payment Audit
• Maintain unique, secret EHR passwords
– Change them regularly
• Interview compliance consultants
Security Risk Assessment: Resources
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• http://business.ftc.gov/documents/bus43-copier-data-security
The Cloud: Background
• Can refer to any data or systems located offsite
– Hosted EHR, Online Backup, Gmail, Dropbox
• Accessed via a website, PC software that syncs, or Remote Desktop (RDP, LogMeIn)
• Benefits:
– Access anywhere, data is backed up, no local data to lose, no server
• Risks:
– Anyone with the password can access your data
– Data center personnel need BAAs, or must have no access to the data
The Cloud: Action Checklist
• Get BAAs for all cloud services
– or ensure you hold a second, private encryption key
• Don’t communicate PHI via email
– or use encryption
• Inventory all critical, unique local data and back it up
• Use the Cloud to provide protection and access during unexpected events
• Use a second encryption password to bar the cloud service from accessing the data
The Cloud: Resources
• 5 Ways to Keep Your Information Secure in the Cloud
– http://computer.howstuffworks.com/cloud-computing/5-ways-to-keep-your-informationsecure-in-the-cloud.htm#page=0
• http://www.google.com/intl/en/enterprise/apps/business/
• http://office.microsoft.com/en-us/business/office-365-small-business-premium-office-online-FX103037625.aspx
• http://www.entrustedmail.com/
BYOD: Background
• Bring Your Own Device
– Providers and staff have their own laptops, tablets and smartphones, and use them for company purposes
• Smartphones and tablets already outnumber PCs
• Benefits:
– Higher levels of productivity, user satisfaction, patient satisfaction
• Risks:
– PHI stored on, or accessible from, these devices is the primary liability
– Business and personal data may commingle
BYOD: Action Checklist
• Have users sign confidentiality and usage letters
• Have a method for immediately removing access and any stored data in the event of loss or firing
– Prohibit storage of data on mobile devices, or encrypt it
– Consider mobile device management (MDM) to enable remote location and/or data wipe
BYOD: Resources
• http://www.zdnet.com/topic-byod-and-the-consumerization-of-it/
• http://www.zdnet.com/consumerization-byod-and-mdm-what-you-need-to-know-7000010205/
• http://www.maas360.com/
Two-Factor Authentication: Background
• Passwords are no longer sufficient
– If you can remember your password, it is insecure
– Any 8-character password can now be guessed in hours
– Many people use a “public” password like password123
– Keyloggers can steal a password outright
• 1. Something you know
– Password with 10 or more characters
• 2. Something you have
– Code texted to your phone
– Pre-authenticated device
Two-Factor Authentication: Action Checklist
• Use a password manager like LastPass
• Upgrade passwords to be unique, random and long
• Use two-factor authentication on your email and LastPass
• Require the same for all your providers and staff
• If your EMR is hosted, ask the vendor about two-factor options
– Examples: only allow access from VPNs or static IP addresses
Two-Factor Authentication: Resources
• http://www.lastpass.com
• http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
• http://www.facebook.com/note.php?note_id=10150172618258920
• http://www.ymailblog.com/blog/2011/12/yahoo-introduces-stronger-user-authentication-%E2%80%93-second-sign-in-verification/
Russell Suzuki, MSCIS
President, Falcon Technology
President, Nevada HIMSS Chapter
russell.suzuki@falcontek.com
702-629-4945 x7000