Transcript
www.cloudsecurityalliance.org
Healthcare Information Security Risks and Compliance
2016 Colorado CSA Fall Summit | November 10, 2016
Ram Ramadoss, Vice President, CRP Privacy, Information Security and EHR Compliance Oversight, Catholic Health
• About Catholic Health Initiatives
• Healthcare Industry Overview
• Top Technology Trends
• HIPAA Compliance/Risk Assessment
• OCR’s Cloud Computing Guidance
• Q&A
• The nation’s third-largest nonprofit health system
• CHI operates in 19 states and comprises 103 hospitals; four academic health centers and major teaching hospitals as well as 30 critical-access facilities; home health and senior living facilities
• Other facilities and services that span the inpatient and outpatient continuum of care
• Consumer connected to the New Healthcare Economy
• A greater expectation for a personalized experience
• Business intelligence tools to derive patterns and consumer trends
• 360-degree view of customers/patients
• Unstructured data to help with predictive analytics
• Increasing focus on Health Clouds
• Medium-size providers – huge opportunity
• Large healthcare providers – partnerships
• Not just the Millennials
• Access to health information using smartphones
• Online scheduling / insurance shopping / virtual care drive off
• Developing a digital eco-system
• Patient/physician portals; information sharing
• A contractual agreement between a Covered Entity (CE) and any third-party company with access to patient information (Business Associate)
• A mandatory requirement – HIPAA Administrative Safeguard
• Key provisions include, but are not limited to:
  • Return or destruction of Protected Health Information (PHI) upon termination
  • Safeguarding the ePHI
  • Breach notification
• Additional language regarding a minimum security program
• Security provisions regarding access from foreign locations and storage of data outside the country
• Risk stratification of partners and Business Associates
• Monitoring of partners’ security and compliance
Facts:
• Increasing outsourcing activities (Business Process/IT)
• Cloud-based electronic health record systems
• Patient care program is reliant upon the support received from partners / BAs
Mitigation:
• Cybersecurity insurance coverage
• BAAs and security amendments
• Access and storage outside the United States
• Supplier risk management program
Cloud Computing Guidance
• Covered Entities (CE) must execute BAAs with Cloud Service Providers (OCR’s recent fines against a CE)
• Risk Analysis – both CE and CSP
• Service Level Agreements must include:
  • System availability and reliability
  • Back-up and data recovery
  • Manner in which data will be returned to the customer after service use termination
  • Security responsibility
  • Use, retention and disclosure limitations