Jerry Reick, CBCP, CHSII - PowerPoint PPT Presentation
1 / 31
Title:
Jerry Reick, CBCP, CHSII
Description:
... Plan HIPAA ? Alternate Titles 'Don't HIPAA COW, Man.Bart Simpson' ... Privacy and Security are co-joined twins. Never Stop Challenging the Norm and Asking, ... – PowerPoint PPT presentation
Number of Views:33
Avg rating:3.0/5.0
Title: Jerry Reick, CBCP, CHSII
1
Is Your Business Continuity Plan HIPAA ?
- Jerry Reick, CBCP, CHS-II
- Global Business Continuity Lead
- Rockwell Automation
2
Alternate Titles
- Dont HIPAA COW, ManBart Simpson
3
Alternate Titles
- DR and BCIts HIPAA to prepare.
4
Background
- 6 years experience as a Business Continuity
Professional at two International Companies with
multiple facilities and data centers - 15 years experience in IT, software development
and management - Industry experience banking, insurance,
financial services, healthcare, manufacturing. - Certified Business Continuity Planner - CBCP
(Disaster Recovery Institute International).
Certified Homeland Security, Level II CHS-II - 23 years military experience w/10 years in
planning and operations
5
Objectives
- Have FUN, a free exchange of ideas
- Overview of Disaster Recovery and Business
Continuity - Discuss the needs and goals for HIPAA
- Discuss the touch points, where HIPAA effects
your organization - Identify specific threats and explore possible
controls
6
Disclaimer
- The terminology and processes presented here are
based on the best practices and professional
principles established by the Disaster Recovery
Institute International (DRII). - The terminology and processes presented here are
based on the best practices and professional
principles established by the Disaster Recovery
Institute International The DRII is a non-profit
organization whos mission all business
continuity and disaster recovery planners and
organizations - The DRII is a non-profit organization whos
mission is to provide the leadership and best
practices that serve as a base of common
knowledge for all business continuity and
disaster recovery planners and organizations in
the industry.
7
Professional Standards
- The terminology and processes presented here are
based on the best practices and professional
principles established by the Disaster Recovery
Institute International (DRII). - The DRII is a non-profit organization whos
mission is to provide the leadership and best
practices that serve as a base of common
knowledge for all business continuity and
disaster recovery planners and organizations in
the industry.
8
Acronyms
- Disaster Recovery Planning DRP
- Business Resumption Planning - BRP
- Business Continuity Planning BCP
- Risk Assessment RA
- Business Impact Analysis BIA
9
Disaster Recovery vs Business Continuity
- Disaster Recovery Process of developing
advanced arrangements and procedures that enable
an organization to respond to a disaster and
resume critical business functions in a
predetermined amount of time, minimize that
amount of loss and repair or replace damaged
facilities and equipment as soon as possible. - Business Continuity Process of developing
advanced arrangements and procedures that enable
an organization to respond to an event or
interruption in a manner that enables critical
business functions to resume without interruption
or essential change.
10
The Journey from DR to BC
- 1970s Post Y2K
- IT Centric Business Centric
- Simple Environment Complex Environment
- Reactive Proactive
11
Uncle Jerrys Tenets of BC
- First things first understand the threats, and
outside influences (Risk Analysis) - Know whats at risk
- Know your companies risk appetite
- Build and implement a solution that fits
12
BC Considerations
- BCP is an INITIATIVE not a project
- It is not IT specific. Rather, it has a
business-centric focus and involves all primary
and support components for a product/process. - The ultimate goal of Business Continuity Planning
is to identify critical processes and components
that are susceptible to an interruption or outage
and make them more resilient. - An effective BC program is cost-efficient and
scaled to meet the needs of the Company
13
BC Program Drivers
- Regulatory Agency Compliance
- SOX, HIPAA, ??????
- NFPA, FEMA, FFIEC, FED, FERC
- Response to Industry needs and customer
requirements/inquiries - Global nature of Business
- New awareness and response of the World
Situation Homeland Security
14
Benefits of a BC Program
- Audit and map processes may lead to further
efficiencies, process improvements, reduce waste
and costs - Identify critical components and single points of
failure If something happens to this facility,
process or hardware, how will it effect my
ability to conduct business? - Clearer definition and understanding of downtime
costs Tangible and intangible impacts of a
business interruption. - Meet regulatory and audit requirements SOX,
HIPAA, ??? - Once implemented - In the event of an unplanned
outage, shorten downtime and reduce the impact on
the business to acceptable levels.
15
HIPAA Defined
- Health Insurance Portability and Accountability
Act (HIPAA) of 1996 - Passed by Congress to reform the insurance market
and simplify the health care administrative
process in order to realize long term benefits in
the areas of - Portability, privacy and security of patient
data, - lowering administrative costs (currently at 26),
- enhancing accuracy of data and reports,
- increasing customer satisfaction,
- reducing cycle time and
- improving cash management.
16
HIPAA Goals
- Administrative simplification - reduce the number
of forms and methods of completing claims, and
other payment-related documents, - Establish universal identifier and code sets for
providers of health care. - Increase the use and efficiency of
computer-to-computer methods of exchanging
standard health care information via EDI
(Electronic Data Interchange - standard
electronic file formats).
17
HIPAA Touchpoints
- Information Technology systems
- Internal Business use
- Claims
- Records inquiries, (EDI)
- Medical equipment that holds patient data
- MRI
- CT
- EEG
- Ultrasound machines
18
HIPAA Touchpoints
- Patient interface
- Contact by primary care and support staff
- Other patients
- Employee Conduct
- Human error
- Fraudulent activity
- Malicious behavior
19
HIPAA Touchpoints
- Administrative processing
- Admissions,
- Ordering medications, tests, etc.
- Claim and insurance processing
- Handling, security and storage of medical records
- On-site
- Off-site
20
Threats and Controls
- External intrusion / compromise of computer
systems and equipment that holds patient data - Viruses, Worms, Spyware, etc.
- Outside monitoring and data mining (think
wireless) - Exploitation of router vulnerabilities, e.g.
denial of service - Controls
- Anti-virus, intrusion detection software, etc.
- Restrict and monitor employee internet access
- Block ranges of IP addresses, etc.
21
Threats and Controls
- Patient interface and employee conduct
- Misuse of information by employees, temps or
consultants - Acts of sabotage by disgruntled employees
- Exploitation of patients by other patients
- Controls
- Strengthen hiring policies - Vetting of workers,
background and reference checks - Security controls for systems and facility access
- Monitor patient behavior, CCTV, restrict use of
patient SSN.
22
Threats and Controls
- Exploitation of Medical Records
- Controls
- Policies on the use of SSN as patient numbers
- Enhanced physical security
- Aggressive password rules, auto-logoff functions,
etc - Data encryption on storage devices
- Use an insured and bonded off-site storage
provider
23
Threats and Controls
- Errors or exploitation of administrative
processes - Human Error
- Malicious behavior
- Compromise of electronic files
- Controls
- Role based systems access
- Enhanced application controls, change management
- Audit trails
- Use of standard formats and encryption schemes
24
Examples of HIPAA Risks
- Loss of financial cash flow
- Permanent loss or corruption of electronic
protected health information (ePHI) - Temporary loss or unavailability of medical
records - Unauthorized access to or disclosure of ePHI
- Loss of physical assets (computers, etc.)
- Damage to reputation and public confidence
- Threats to patient and/or employee safety
25
Risk Analysis
- Identify Threats, Vulnerabilities and Assess
Controls - Risk Analysis is the methodology and structure
used to identify threats, determine
vulnerabilities and identify at risk elements of
the organization. - Risk Assessment is stating the amount of damage,
loss or value that might be incurred. - Vulnerability is the exposure to damage or an
event that can cause actual loss to company
assets. Sometimes referred to as probability.
- Controls are processes, hardware or procedures
that are put in place to mitigate, or reduce, the
exposure to a threat.
26
What Can I Do??
- Be intimately familiar with applicable
regulations - Be aware of and understand the threats and your
exposures get involved in risk assessment - Ask questions and gather facts
- Do we have a business continuity program and
disaster recovery plan? - What are our security policies?
- Is the IT organization aware of HIPAA, whats the
plan? - Take every opportunity to educate
27
Continuous Improvement
- Establish and enforce best practices in the areas
of - Business continuity methodology and
implementation - Standardization of systems hardware, software and
monitoring tools - Review and modify policies and procedures
- Regulatory compliance
- Internal external security
- Process for handling and storing data
28
- Summary
29
Final Thoughts
- You are a KEY player in the success of your
Business - Security and compliance are everybodys job
- Privacy and Security are co-joined twins
- Never Stop Challenging the Norm and Asking,
- WHAT IF ?
30
- Questions?
31
- Thank You for your Time and Attention!
Recommended
CrystalGraphics Presentations
![[PDF] DOWNLOAD Jerry Orbach, Prince of the City: His Way from The Fant PowerPoint PPT Presentation](https://s3.amazonaws.com/images.powershow.com/10095308.th0.jpg?_=20240810092)
