![Page 1: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/1.jpg)
Healthcare Security
Professional Roundtable
John Parmigiani National Practice DirectorRegulatory and Compliance
ServicesCTG HealthCare Solutions, Inc.
(Moderator)
![Page 2: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/2.jpg)
2
Panelists John Parmigiani (moderator)
Ali Pabrai
Ken Patterson
Tom Walsh
Drew Hunt
Richard Marks
![Page 3: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/3.jpg)
3
Agenda Individual Presentations on Key
Topic Areas
Familiarity with Polling Mechanism and Audience Views on Security Issues
Questions and Answers
![Page 4: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/4.jpg)
4
Presentation Topics Security Policies- John Parmigiani
Risk Analysis- Ali Uday
Password Authentication- Ken Patterson
Audit Control- Tom Walsh
Contingency Planning- Drew Hunt
Legal Considerations for Enforcement- Richard Marks
![Page 5: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/5.jpg)
5
John Parmigiani CTGHS National Practice Director for Regulatory and Compliance Services CTGHS National Practice Director of HIPAA Compliance Services HCS Director of Compliance Programs HIPAA Security Standards Government Chair/ HIPAA Infrastructure Group Directed development and implementation of security initiatives for HCFA
(now CMS)- Director of Enterprise Standards Security architecture Security awareness and training program Systems security policies and procedures E-commerce/Internet
Directed development and implementation of agency-wide information systems policy and standards and information resources management
AMC Workgroup on HIPAA Security and Privacy;Content Committee of CPRI-HOST/HIMSS Security and Privacy Toolkit; Editorial Advisory Boards of HIPAA Compliance Alert’s HIPAA Answer Book and HIPAA Training Line; Chair,HIPAA-Watch Advisory Board; Train for HIPAA Advisory Board; HIMSS Privacy and Security Task Force
![Page 6: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/6.jpg)
6
Security Goals Confidentiality Integrity Availability
of protected health information
![Page 7: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/7.jpg)
7
Good Security Practices Access Controls- restrict user
access to PHI based on need-to-know
Authentication- verify identity and allow access to PHI by only authorized users
Audit Controls- identify who did what and when relative to PHI
![Page 8: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/8.jpg)
8
Symbiotic Relationship
Privacy + Security = Confidentiality (the Present- HIPAA Compliance)
Electronic information security provides the necessary trusted environment for e-Health
(the Future- total e-Health)
![Page 9: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/9.jpg)
9
Immediate Steps Assign responsibility to one person-CSO and
establish a compliance program Conduct a risk analysis Develop/update policies, procedures, and
documentation as needed Deliver security training, education, and awareness
in conjunction with privacy Review and modify access (authentication) and
audit controls Establish security incident reporting and response
procedures Develop business continuity procedures
(contingency planning) Make sure your business associates and vendors
help enable your compliance efforts
![Page 10: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/10.jpg)
10
HIPAA = Culture ChangeOrganizational culture will have a greater impact on security than technology.
Must have people optimally interacting with technology to provide the necessary security to protect patient privacy. Open, caring-is-sharing environment replaced by “need to know” to carry out healthcare functions.
Organizatio
nal
Culture
Technology
20% technical80% policies & procedures !!!
![Page 11: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/11.jpg)
11
Policies, Procedures & Documentation
Policies
Procedures
Forms & Memos
Detail
High
Level
Low
Level
![Page 12: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/12.jpg)
12
Importance of Policies/Procedures
State the organization’s intent relative to what it will do to protect patient-identifiable and sensitive health information
Must be clear and concise and “actionable”
Must be implemented and enforced Foundation piece for helping to
prove “due diligence” along with other “documentation”
![Page 13: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/13.jpg)
13
Privacy Policies and Procedures
Corporate and department policies and procedures relating to: confidentiality, information security, information security incident reporting, disciplinary action and sanctions for security and confidentiality breaches, physical and technical security
Confidentiality agreements-employees and vendors
![Page 14: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/14.jpg)
14
Information Security Policy
The foundation for an Information Security Program
Defines the expected state of security for the organization
Defines the technical security controls for implementation
Without policies, there is no plan for an organization to design and implement an effective security program
Provides a basis for training Must be implemented and enforced or just
“shelf ware”
![Page 15: Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc](https://reader036.vdocuments.us/reader036/viewer/2022082908/5a4d1b527f8b9ab0599a8362/html5/thumbnails/15.jpg)
15