Information security risk analysis is required for HIPAA Security Rule compliance and EHR incentive funding but is an unknown topic for many healthcare providers.
Why should you Attend:
Health Care entities are subject to a number of standards and regulations that require them to assess the risks to the personal and private information of their patients and take steps to reduce those risks where they can. In particular, the HIPAA Security Rule and the PCI Data Security Standard for payment card information, as well as state laws in Massachusetts and Nevada, require a thorough and complete risk analysis. In addition, if health care providers want to receive funding from the Federal government for the adoption of Electronic Health Records, one of the required standards for meaningful use is to protect the privacy and security of patient information by performing a risk analysis consistent with the requirements of the HIPAA Security Rule.
• And, new enforcement regulations for HIPAA include significant penalties starting at $10,000 for willful neglect of compliance, so even if a HIPAA covered entity doesn't want to accept funding for adopting an EHR or accept payment cards for services paid by the individual, it risks significant penalties if it hasn't performed a proper security risk analysis. With the increased focus on breaches and HIPAA compliance, if a healthcare organization hasn't yet performed an information security risk analysis, the time is now.
• Performing a HIPAA Risk Analysis can be a confusing, expensive, and time consuming process, but it doesn't have to be. By following a defined process that finds and focuses on the most significant risks, it is possible to make risk analysis easier and more effective, while meeting the requirements of the Federal government and the Payment Card Industry. Using an organized, simple approach can yield useful, actionable results that can make compliance easier today and going forward.
Description of the topic:
• This session will present the background of the regulations that call for information security risk analysis and show how it fits in to an overall information security management process. The risk analysis process will be presented within the context of the overall risk prioritization and risk mitigation process, using an example.
• The Information Security Risk Analysis Process presented utilizes a non-technical approach, involving interviewing staff knowledgeable about operations and systems to discover how information is retained and moved, and reveal the risks inherent in such storage and transmission. Interview content is organized as departmental stories that are successively refined into process descriptions, lists of information in place or in motion, diagrams of information flows, and lists of information systems and flows to be assessed for risks.
• Risk issues and recommendations for each system or information flow can then be described and organized into a table that is used to define the risks and prioritize their mitigation, using a straightforward high-medium-low stratification of potential likelihood and impact for each risk issue, following the risk determination method identified in the preamble to the HIPAA Security Rule and guidance from the US Department of Health and Human Services. Areas of high risk, as identified by respected industry organizations, will be identified to ensure that the most significant risks are discovered and adequately prioritized.
• The risk analysis process will be applied to a simplified example in order to relate the process to a real situation and drive home the usefulness of the process.
• Attendees will gain insights into the managment of risks and reduction of exposure to breaches and penalties, and will be able to implement new procedures that will reduce risks immediately.
Areas Covered in the Session:
o Learn how to conduct a
Why should you Attend:
Health Care entities are subject to a number of standards and regulations that require them to assess the risks to the personal and private information of their patients and take steps to reduce those risks where they can. In particular, the HIPAA Security Rule and the PCI Data Security Standard for payment card information, as well as state laws in Massachusetts and Nevada, require a thorough and complete risk analysis. In addition, if health care providers want to receive funding from the Federal government for the adoption of Electronic Health Records, one of the required standards for meaningful use is to protect the privacy and security of patient information by performing a risk analysis consistent with the requirements of the HIPAA Security Rule.
• And, new enforcement regulations for HIPAA include significant penalties starting at $10,000 for willful neglect of compliance, so even if a HIPAA covered entity doesn't want to accept funding for adopting an EHR or accept payment cards for services paid by the individual, it risks significant penalties if it hasn't performed a proper security risk analysis. With the increased focus on breaches and HIPAA compliance, if a healthcare organization hasn't yet performed an information security risk analysis, the time is now.
• Performing a HIPAA Risk Analysis can be a confusing, expensive, and time consuming process, but it doesn't have to be. By following a defined process that finds and focuses on the most significant risks, it is possible to make risk analysis easier and more effective, while meeting the requirements of the Federal government and the Payment Card Industry. Using an organized, simple approach can yield useful, actionable results that can make compliance easier today and going forward.
Description of the topic:
• This session will present the background of the regulations that call for information security risk analysis and show how it fits in to an overall information security management process. The risk analysis process will be presented within the context of the overall risk prioritization and risk mitigation process, using an example.
• The Information Security Risk Analysis Process presented utilizes a non-technical approach, involving interviewing staff knowledgeable about operations and systems to discover how information is retained and moved, and reveal the risks inherent in such storage and transmission. Interview content is organized as departmental stories that are successively refined into process descriptions, lists of information in place or in motion, diagrams of information flows, and lists of information systems and flows to be assessed for risks.
• Risk issues and recommendations for each system or information flow can then be described and organized into a table that is used to define the risks and prioritize their mitigation, using a straightforward high-medium-low stratification of potential likelihood and impact for each risk issue, following the risk determination method identified in the preamble to the HIPAA Security Rule and guidance from the US Department of Health and Human Services. Areas of high risk, as identified by respected industry organizations, will be identified to ensure that the most significant risks are discovered and adequately prioritized.
• The risk analysis process will be applied to a simplified example in order to relate the process to a real situation and drive home the usefulness of the process.
• Attendees will gain insights into the managment of risks and reduction of exposure to breaches and penalties, and will be able to implement new procedures that will reduce risks immediately.
Areas Covered in the Session:
o Learn how to conduct a
