Data breaches are quickly becoming a major threat to the healthcare environment. The steps taken following a data breach could potentially save your organization thousands of dollars. If a data breach occurred at your organization, would you know what to do? In this training session, you will learn:
Basic Training: HIPAA Privacy Post Omnibus Rule & Beyond
The Omnibus Final Rule implements changes enacted by the HITECH Act and makes other refinements to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. Subsequent guidance made further refinements to these rules. Learn the latest rules and get tips on steps you and your organization should take to maintain compliance with these updated requirements.
Preparing To Survive An OCR Audit
HITECH Act amendments to HIPAA require OCR to audit the compliance of covered entities and business associates with the HIPAA Privacy, Security and Breach Notification Rules. OCR officials recently have signaled that OCR is preparing to put new teeth in its audit program. To help participants prepare their organizations for an OCR audit, this session will explain what OCR is likely to ask in an audit, drawing on the latest OCR Audit Checklist, resolution agreements and other OCR guidance, and will share practical tips for structuring and documenting compliance audits and other HIPAA compliance activities so that their organization is prepared to respond to an OCR audit or enforcement action.
HIPAA Business Associate Contracting & Risk Management
OCR’s Final Omnibus HIPAA Rule implementing the HITECH Act’s changes to HIPAA’s business associate, breach notification and other rules elevated the complexity and importance of business associate contracting and risk management for both covered entities and their business associates. This session will examine the business associate coverage, contracting and breach notification requirements of the Final Omnibus HIPAA Rule and discuss contracting and risk management best practices to help covered entities and business associates manage their business associate responsibilities and risks in light of these expanded rules and exposures.
Strengthening Your Defenses Using The Rules Of Legal Evidence
In this hands-on lab, we will cover approaches for analyzing various types of electronic evidence.
Attendees will develop an understanding of what evidence can be retrieved from a disk image, memory image and log data and how to recognize evidence related to unauthorized activity.
Memory analysis techniques will cover analyzing injected processes, creating IOCs from indicators found in memory and building timelines from memory images. Disk analysis will cover techniques to identify when malware was created on the system and when it was executed, and to identify signs of lateral movement and other internal reconnaissance activity. Log analysis techniques will help attendees identify the scope of external threat activity, what tools may have been deployed and how they were used to access additional resources.
Attendees will learn how to analyze:
· Process lists
· Network connections
· Registry keys used for persistence
· Files used by malware
· Process-injected binaries
· Configuration files used by malware
Effective external and internal crisis communication planning and execution plays a critical role in how patients, management, and the community react when health care providers and health plans give breach notifications required by HIPAA or other laws or deliver other bad news. Fresh off of his chairmanship of the Parkland Health & Hospital Board Audit Committee through difficult times, strategic communications consultant Eddie Reeves has been spotlighted nationally for his expertise in crisis communications. Eddie will share how you should build and use effective external and internal crisis communication planning and strategies to mitigate the damage to your organization and manage the difficult internal and external communications when you must share the bad news of a breach or other crisis with patients, the media, management, regulators and others in the community.
Fraud, quality, continuity, and the cost of providing care are some of the most significant issues facing the Healthcare industry today. It is not only patients that are affected, but all of society as we try to balance both moral and fiscal obligations.
Central to these challenges is being able to correctly identify those who provide and receive care. The inability to have a high degree of trust that the right person is receiving care, that it is the right care, or that the provider is actually performing the procedures they bill for translates into billions of dollars of fraud.
The reality is that patients' medical records are now, in part or in whole, digital and spread across various system repositories. Merging the legacy physical identity model with the growing digital one is very difficult, resulting not only in fraud but in missed opportunities to improve care and lower costs.
This session will review key concepts of digital identity in healthcare and how forces such as HIPAA, Meaningful Use, ePrescribing and others are poised to change the way most organizations approach and implement an identity program. Also to be reviewed are security concepts within identity, credentialing, use cases and fundamental concepts in Trust Frameworks that will play a central role in the provider, payer and patient landscape.
Attendees will learn how to better assess their current state of preparedness, improve dialogue among cross-departmental stakeholders, and take away key points for next steps on a long-term strategic plan.
Information security management in a large academic medical center requires the ability to dynamically balance several conflicting business needs, as well as dealing with decentralized workforce control and the research equivalent of “mergers and acquisitions” that may involve the on-boarding or off-boarding of entire labs, including staff and computer equipment that may not meet security standards. Our experience indicates that once computers are purchased with grant funds, there is rarely a way to get the grant to pay for upgrades or refreshes beyond the funding period of the grant, so it’s not uncommon to have very old computers that cannot be updated with current security patches. Additionally, the current research funding models foster multi-institution collaboration, so it's not uncommon to have to set up shared access to documents and very large data sets with collaborators both nationally and internationally.
At times, it’s tempting to say “No, HIPAA won’t let you do that,” but that may gloss over legitimate research or other academic requirements, with the result that very clever people find loopholes or workarounds that can make a network more insecure than the original request would have. The trick is to truly understand the academic/research requirements and collaborate with researchers to help develop a solution. In this presentation, we will review some strategies, including setting up isolated networks, subsidizing the cost of centrally managed storage and upgrades, and establishing safety nets to compensate for gaps in access management.
A panel of speakers and other experts will reunite to help participants pull it all together and connect the dots. Panelists will share their perspectives, insights and tips on knotty real-world challenges such as strategies and best practices for dealing with management and interdepartmental challenges, managing risk on a limited budget, EMR, mobile device and other decision making, and audience questions.
Users are the most vulnerable link in information systems security, probably because the level of security awareness is extremely poor. Most security awareness programs fail because they focus on pushing information to people who are less than enthusiastic about receiving it. A properly designed awareness program doesn’t have to be that way; however, most programs seem to focus more on meeting compliance requirements than on actually changing behaviors. Gamification is the practice of applying game principles to business problems; it is not developing a video game. By gamifying security awareness, your users will want to practice good security behaviors and will voluntarily seek out additional security-related training.
This presentation will discuss how to create security awareness programs, and implement gamification techniques that actually make security awareness fun for people. Actual examples of successful gamification techniques will be presented.