1 / 82

Information Security Services: Maximizing Business Opportunities

This workshop agenda covers the business value of information security, managing risks, building trust, and protecting mission critical information such as electronic health records, credit card numbers, and personally identifiable information. Learn how information security can maximize business opportunities and support academic, research, and healthcare business continuity.

valeriew
Download Presentation

Information Security Services: Maximizing Business Opportunities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IT Information Security Services Presented to OUHSC Policies and Procedures Workshop

  2. Agenda: Information Security Program Business Value Business Drivers Managing Risk Building Trust

  3. Business Value of Information Security: • Protection of mission critical information

  4. Protection of mission critical information: • Electronic Health Records

  5. Protection of mission critical information: • Credit Card Numbers

  6. Protection of mission critical information: • Student Records

  7. Protection of mission critical information: • Personally Identifiable Information

  8. Information Security provides: • Confidentiality • Availability • Integrity

  9. Information Security provides: The right data to the right people at the right time

  10. Business Value of information Security: Maximize Business Opportunities

  11. Business opportunity: $19.2 billion from ARRA Incentives: Payments of $44,000 - $64,000 Per Physician to Providers who… Demonstrate proper implementation of EHR

  12. Business opportunity: Electronic commerce 100,000 cc transactions $17,500,000 annual amount

  13. Business Value of Information Security: • Protection of mission critical information • In order to: • Minimize Risk • Support academic, research and health care business continuity and opportunities

  14. Business value: • A reputation that took decades to build can be threatened by a single event.

  15. Information Security • Business Drivers

  16. Business Drivers Clinical systems (managed university computer, protected network)

  17. Business Drivers • Research systems • (semi-managed computer, open network)

  18. Business Drivers Business/Financial/Legal systems (managed university computer, protected network)

  19. Business Drivers Classroom/library systems (managed and unmanaged computers, open network)

  20. Business Drivers Student systems (unmanaged computer, open network)

  21. Business Drivers Mobile systems (managed and unmanaged computer, open network)

  22. Business Drivers Home systems (unmanaged computer, open network)

  23. Business Drivers Criminal systems

  24. Business Drivers: Our diverse IT environment • Different management, connectivity needs, risks • IT’s a jungle out there!

  25. Business Drivers: Increasing risks of doing business

  26. Business Drivers: Regulations • The government responds: • HIPAA • Health Information Technology for Economic and Clinical Health (HITECH) Act • Payment Card Industry (PCI) Data Security Standard • eDiscovery Rules of Civil Procedure • State Data Breach Notification • FTC Red Flag Identity Theft Prevention • Family Educational Rights and Privacy Act (FERPA)- rev x

  27. Regulations: HIPAA • Health Insurance Portability and Accountability Act

  28. Regulations: HIPAA Health Insurance Portability and Accountability Act • Encourage use of Electronic Health Record (EHR) • Ensure the privacy and security of the EHR

  29. HIPAA: General Rules • Implement safeguards that reasonably and appropriately protect • Confidentiality • Integrity • Availability of Electronic Protected Health Information (ePHI)

  30. HIPAA: Security Categories • Administrative safeguards • Physical safeguards • Technical safeguards

  31. HIPAA: Security Categories • Administrative safeguards: • Administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing the conduct of the covered entity’s workforce in relation to the protection of ePHI.

  32. HIPAA: Administrative Safeguards • Security Management Process • Assigned Security Responsibility • Workforce Security • Information Access Management • Security Awareness and Training • Security Incident Procedures • Contingency Plan • Evaluation • Business Associate Contracts and other arrangements

  33. HIPAA: Administrative Safeguards • Security Management Process: Covered entities must implement policies and procedures to prevent, detect, contain, and correct security violations. • Risk analysis (R) • Risk management (R) • Sanction Policy (R) • Information system activity review (R)

  34. HIPAA: Security Categories • Physical safeguards: • Physical measures, policies, and procedures to protect a covered entity’s electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.

  35. HIPAA: Physical Safeguards • Facility Access Controls • Workstation Use • Workstation Security • Device and Media Controls

  36. HIPAA: Security Categories • Technical safeguards: • The technology and the policies and procedures governing its use in protecting ePHI and controlling access to it.

  37. HIPAA: Technical Safeguards • Access Controls • Audit Controls • Integrity • Person or Entity Authentication • Transmission Security

  38. Information Security: HIPAA/HITECH Update Health Information Technology for Economic and Clinical Health

  39. Information Security: HIPAA/HITECH Update HITECH is part of the $787 billion American Recovery and Reinvestment Act (ARRA) Enacted on February 17, 2009 Compliant on February 17, 2010

  40. Information Security: HIPAA/HITECH Update Goal : • Encourage the adoption of electronic health records (EHRs) through incentive payments to physicians HITECH affects HIPAA… • HITECH directly regulates business associates for the first time

  41. Information Security: HIPAA/HITECH Update • Penalties • Establishes a tiered system of civil penalties • Civil penalties on a covered entity if the violation is due to “willful neglect” • Covered entities may not know it violated HIPAA • Current max. penalty of $100 per violation, up to $25,000 per year for each type of violation • Violation due to “reasonable cause” • $1,000/$100,000 • Violation due to “willful neglect” • $500,000/$1.5 million

  42. HITECH Act (Effective immediately) • Breach notification (for unsecured PHI) • You are required to notify each individual affected by a security breach…

  43. Information Security: HIPAA/HITECH Update • Breach Notification • Notify individuals without “unreasonable delay” • <60 days • Letter or e-mail (if preferred by individual) • Website posting • >500 individuals in a state, “prominent media outlets” • Notify HHS – listed on their website

  44. Information Security: HIPAA/HITECH Update “unsecured PHR identifiable information” : Identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary’s guidance.

  45. HITECH Act (encryption and destruction) Two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: • Encryption • Destruction

  46. Information Security: PCI DSS Payment Card Industry Data Security Standards

  47. Information Security: PCI DSS • Payment Card Industry Data Security Standards (PCI DSS) • Technical and operational requirements • Any entity that stores, transmits, or processes cardholder data must comply with the PCI DSS • Non-compliance • Large fines • Legal contract breach • Loss of ability to accept payments via credit cards

  48. Payment Card Industry Data Security Standard (PCI-DSS) • Annual assessment process required for 100+ business units on OUHSC and Tulsa campuses

  49. Regulations: • What do they all have in common? • Adopt security to minimize risks to Information

  50. Managing Risk: Bryan starts here • Managing Risk

More Related