Imagining the Role of Academic Medical Centers in the New Information Era (Mon. 9:00-10:15 am)
Presenter: Rob Califf, MD, former FDA Commissioner
Quiz the Regulator (Tues. 9:00-10:15 am)
Each year the AMC conference is pleased to host a key staff member from HHS engaged in HIPAA support, enforcement, and related duties. A key facet of this session is a long Q&A period where you can ask questions. This is a good time to get a specific question answered and to understand OCR’s announced plans for regulation development, enforcement, auditing, guidance development etc. Come curious! Leave informed!
Presenter: Deven McGraw, Deputy Director, Health Information Privacy, Department of Health and Human Services & Acting Chief Privacy Officer, Office of the National Coordinator for Health IT
Medical Device Security as an Inventory Problem: The Five Second Rule for Mystery Meat on Clinical Networks (Tues. 1:00-2:15 pm)
Healthcare delivery organizations, medical device manufacturers, and regulators are experiencing the growing pains of cybersecurity. With the increase of ransomware and medical device hacking, there’s no shortage of fear and sensationalism. But what medical device security risks affect continuity of clinical operations and essential clinical performance, and which risks are merely cosmetic? Learn about the root causes of this mess, and how to dig yourself out.
Presenter: Kevin Fu, Co-founder & CEO, Virta Laboratories
Forum on Regulatory Compliance: How New Technologies, Regulations & Cybersecurity Threats will Affect Healthcare Organizations in 2017 (Wed. 9:00-10:00 am)
- New Technologies, Old Regulations: APIs. Wearables. Patient-driven apps. The list of new technologies goes on. In this session, we’ll examine how new technologies fit in with existing regulations such as HIPAA. (Jeremy Maxwell, Allscripts)
- Emerging Regulatory Obligations and Priorities for Privacy and Data Security: This session will highlight evolving expectations and priorities related to privacy and data security and how they may affect health care initiatives. We will explore new requirements, enforcement actions, and other regulatory issues that affect compliance programs and innovation at health care organizations. (Elizabeth Johnson, Wyrick Robbins)
- WannaCry and Other Emerging Trends in Cyber-Attacks Against Healthcare Institutions: This presentation will provide an overview of emerging cybersecurity threats against healthcare institutions and will discuss future implications for business and legal risk management. In particular, the presentation will provide a detailed explanation of the WannaCry ransomware attack of May 12, 2017 that compromised 16 hospitals in the UK’s National Health Service. (Allen O’Rourke, Womble Carlyle)
Legal & Regulatory Compliance Track
Using Risk Assessments to Attack the Common Breach (Mon. 10:45 am-noon)
Too often privacy and security compliance become an exercise in chasing the latest threat, the latest technology, and the latest breach. Quickly, the urgent becomes the enemy of the important, and the latest crisis shapes the compliance program rather than vice versa. By using a risk assessment proactively, large organizations can more comfortably fit today’s concern into a broader approach to creating and maintaining trustworthy systems. Using real life examples from decades of in-house experience, this discussion will probe some of the more common types of breaches and risks and how the risk assessment, as one part of an over-arching risk mitigation strategy, can reduce the likelihood of, and damage caused by, a breach.
- Lori Feezor (New Hanover Regional Medical Center)
- Roy Wyman (Nelson Mullins)
Want to Participate in Research? There’s an App for That! (Mon. 1:00-2:15 pm)
In today’s connected world there are an increasing number of instances where researchers either wish to develop an application or to use an existing application for their research project. There are inherent risks in the use of a product that has not been fully developed, and in the use of a third-party app. Researchers also want to transition to current communication methods such as texting, instant messaging, social media and other channels in an effort to improve subject participation in the research project. This presentation will discuss the privacy and security risks associated with researchers creating apps as part of a research project intended to improve clinical care and outcomes. It will also discuss the use of existing apps and connected devices as part of a research project. Finally, it will discuss the use of texting, instant messaging, social media and other methods as a means of communicating with subjects and for data collection in research.
- Identify the privacy and security considerations for research projects beyond just the HIPAA regulations
- Identify privacy and security considerations for when the researcher wants subjects to use a third-party application or social media in the research project
- Explain some key considerations when the research project is itself the development of a clinical or quality improvement application
- Marti Arvin (CynergisTek)
- Holly Benton (Duke University)
- Joseph Dickinson (Tucker Ellis, LLP)
Aligning Privacy and Security Programs to Enhance Data Protection Across the AMC Enterprise (Mon. 2:45-4:00 pm)
A discussion about the importance of building an integrated privacy and security program based on communication, trust and shared philosophical approaches to risk and data protection. A review of specific case examples highlighting the importance of coordinated, proactive compliance activities.
- Describe the scope of responsibilities and expectations of institutional Privacy and Security offices.
- Discuss the obstacles and challenges faced by both offices.
- Explain the importance of shared core values and strategic vision as the foundation for the two offices working together.
- Describe case examples with program specific recommendations that allow both offices to collaborate on compliance activities.
- David Behinfar & Colleen Ebel (UNC Health Care)
- Katherine Georger (University of Arizona)
- Terrence Ziemniak (Carolinas HealthCare System)
How to Align Governance with the Practical Aspects of Information Security (Tues. 10:45 am-noon)
Strong IT governance is necessary for today’s healthcare organizations. Without effective governance, the digital healthcare environment will never be secure, endangering patient care delivery and corporate success. While healthcare organizations adopted technology at an incredible pace, they rejected control and structure with the same vigor. IT governance is typically implemented as an afterthought, and then only to ensure minimum compliance levels. These shortcuts have left patients, employees, and healthcare corporations vulnerable to both cyber-crime and self-inflicted wounds that cost millions of dollars, affect patient care and damage corporate reputation. IT security governance must be a priority at the highest levels of a healthcare corporation. The IT infrastructure and its security controls are the practical foundation that lets both clinicians and office staff do their work. Without top-down support, an environment of this complexity will be neither efficient nor secure. IT governance needs to set specific standards against which security is measured, going far beyond the goal of “minimum necessary” for compliance and the associated plans of action and milestones (POAMs). Three fundamental areas of assessment are data inventory and classification, infiltration events, and exfiltration events. If an organization cannot answer questions such as “where and what is our data?” and “how many external attacks have been successful?”, then governance has failed.
- Describe the difference between compliance and security
- Explain what a security control is
- Describe how to align security controls and corporate policy
- Explain how to create reportable metrics that support security and compliance.
- Ryan Dobbins (infoLock Technologies)
- Karen Pagliaro-Meyer (Columbia University Medical Center)
- Robert Lord (Protenus)
Security, Compliance & Digital Transformation in Healthcare (Tues. 2:45-4:00 pm)
As healthcare continues its journey of digitally transforming its business, more workloads are finding their way onto cloud computing platforms. The cloud provides a cost-efficient and scalable platform to aggregate big data, medical device signals, and large compute resources for the analytics needed to preemptively improve clinical outcomes, manage limited resources and power new digital technologies. As these workloads move completely or partially to the cloud, data and interactions need to be secure, compliant with government regulations, and protected against malicious actors according to best practice. The goal of this session is to provide an overview of best practices for maintaining or enhancing compliance and secure access for data and compute processes that live outside the traditional data center. The panelists will discuss the issues and concerns AMCs and other healthcare organizations face in migrating efficiently and effectively to a cloud environment while maintaining regulatory compliance and security. They will also present an actual case study of a cloud migration completed while maintaining HIPAA compliance.
- Steve Ordahl (Microsoft)
- Robert Webster (LabCorp)
How Do International Laws and Regulations Intersect with HIPAA and Other US Laws and Regulations? (Tues. 4:00-5:15 pm)
Although U.S. healthcare providers, insurers, and clearinghouses are well aware of U.S. federal privacy requirements, notably those defined by HIPAA and the relevant state regulatory environments, the global privacy landscape is evolving in a very prescriptive way. With more and more health systems acting as referral points for patients from the European Union and elsewhere, the risk profile for handling personal data in the U.S. is increasing. The healthcare industry in this country is increasingly called upon to understand the onerous requirements for protecting personal data and sensitive personal data belonging to residents of the European Union, despite the relative immaturity of U.S. privacy requirements. This presentation will help orient players in the healthcare industry to the global privacy environment, addressing the potential that the U.S. healthcare industry will be required to grow its privacy infrastructure to meet EU privacy standards, including the new General Data Protection Regulation (GDPR). Attendees will be invited to explore topics such as the process to legitimize cross-border transfers of personal data, implementing privacy by design, conducting privacy impact assessments, and preparing for compliance with the GDPR’s 72-hour breach notification requirement, among other compliance challenges. The discussion will also review the potential for onerous penalties for non-compliance under the GDPR, which is driving increased attention to and investment in privacy compliance readiness.
- Mark Steinhoff (Deloitte & Touche)
- Angel Hoffman (Advanced Partners in Health Care Compliance, LLC)
Business Associates & Technology Track
Do Your Partners Handle PHI with Care? Not Sure? (Mon. 10:45 am-noon)
Third-party vendors are sometimes the weakest link in a hospital’s security efforts, and their vulnerabilities can lead to your own organization being compromised, with all the cost and drama that result. With the increased sharing of digital data, OCR now recognizes that every partner to whom you grant network access represents a potential breach of patient privacy. The HIPAA Omnibus Final Rule requires hospitals to ensure that any business associate that creates, receives, maintains, or transmits PHI on the hospital’s behalf also complies with HIPAA requirements for patient privacy. Hospitals that fail to adequately monitor business associates are not only at risk of a breach, but also risk a finding of willful neglect. This presentation will use case studies to show you the steps to ensure due diligence with your third-party vendors. Successful organizations use a combination of questionnaires, third-party audits, and vendor risk ratings.
- Tim Burris (Iatric Systems)
- Karen Pagliaro-Meyer (Columbia University Medical Center)
Assessing Vendor Risk in a Non-Certified Vendor Population (Mon. 1:00-2:15 pm)
Only approximately 25% of vendors have a security certification to share with healthcare customers. This session will explore the results of a study of over 1,000 companies providing products and services to the healthcare industry and their related security certifications. The panel will provide a breakdown of the certifications and their related pros and cons. They will also provide specific approaches for reviewing and validating SOC 2 and HITRUST certifications, as many organizations are surprised to find that a certification does not cover all of their data or leaves major gaps in security practices. Since most vendors do not have security certifications, learn about approaches for assessing breach risk when these vendors have access to sensitive data. Topics will include best practices for questionnaires, validating responses and risk-rating vendors. Panel:
- Cliff Baker (CORL Technologies)
- David Finkelstein (St. Luke’s University Health Network)
Business Associate Management: Control, Contracts, and Lessons Learned from the Trenches (Mon. 2:45-4:00 pm)
No healthcare organization can effectively function without support from its third-party vendors. But these third-party vendors are also a source of increased risk. For example, according to the Ponemon Institute 2016 Cost of a Data Breach Study, third-party involvement and extensive migration to the cloud are the greatest sources of increased data breach cost, adding $20.30 and $15.40, respectively, to the per-record cost of responding to a data breach. Similarly, as of the end of January 2017, four of the top ten data breaches disclosed on the Office for Civil Rights website involved business associates. This session will focus on effective business associate management strategies, including practical tips for vendor vetting, holding vendors accountable, and risk mitigation options. The panel will also highlight key, and common, sticking points in negotiating business associate agreements and provide options for successfully resolving them.
- Tatiana Melnik (Melnik Legal PLLC)
- Ryan Vlcko (McLaren Health Care)
Insight into Healthcare Data Breaches & Protective Measures (Tues. 10:45 am-noon)
Since 2009, the Department of Health and Human Services has tracked data breaches within the healthcare industry. This data has been an important source of healthcare breach notification and awareness. In this discussion, we’ll bring the data to life and view healthcare breach trends, interactive graphs, and case studies. Additionally, we will discuss protective measures that work in healthcare organizations. Attendees can use this information to raise awareness and get the support they need within their respective organizations.
- Cheryl Lytle (UNC-Chapel Hill School of Medicine)
- Jon Sternstein (Stern Security)
Managing Business Partner Risks in an IoT and Cloud Universe (Tues. 2:45-4:00 pm)
Increasing dependence on cloud service providers (CSPs) and Internet of Things (IoT) devices is leading to paradigm shifts in the management of cyber risk. Traditional models for risk identification and remediation break down when applied to the cloud and IoT domains. Organizations need to accept that cloud service providers cannot, in general, adopt the security controls of each of their customers. Instead, there is a need to analyze the root causes and the resulting inventory of risk that comes with using cloud services, which can be achieved by following a life-cycle governance approach. Similarly, a mature process needs to be developed and implemented to ensure that all biomedical devices are configured and running in a secure manner, in compliance with the organization’s overall security controls. The panel will cover techniques for identifying, quantifying and reducing business partner risks, with a focus on PHI in the context of medical devices and cloud-based service providers.
- Anant Sethi, Amit Sood & David Messerschmidt (Deloitte & Touche LLP)
Cybersecurity & Risk Management Track
Using Frameworks to Improve Your IT Risk Management Program (Mon. 10:45 am-noon)
Why does every OCR resolution agreement state the risk analysis is incomplete? Many organizations struggle with developing and then maturing a risk management program that allows them to not just identify risks, but also to close the gaps. The panel will cover the basics of risk management, as well as how to mature your program by using a variety of widely available risk management frameworks and resources.
- Jeff Bell (CareTech Solutions)
- Gary Daemer (InfusionPoints)
- Anurag Shankar (Indiana University)
Coming Together: Integrating Security and Privacy with Enterprise Risk Management (Mon. 1:00-2:15 pm)
Many AMCs have well established security and privacy programs. They also have well established Enterprise Risk Management (ERM) programs looking at patient safety, financial, and strategic risks. However, often security and privacy are not at the same table with the ERM program. The panel will examine how privacy and IT security programs can best fit into an overall ERM program. Panelists will discuss their experiences in building cross-functional ERM efforts that bring together these different perspectives to create an integrated approach to managing enterprise risks.
- Michael Berwanger (MedCost)
- Blair Kraft (Coastal Connect HIE)
- JT Moser (Wake Forest Baptist Health)
Adapting a Security Culture to Address Emerging Cybersecurity Threats (Mon. 2:45-4:00 pm)
Security culture is a critical control and is often overlooked. During 2016, the healthcare industry experienced a proliferation of new cyberattack vectors. Attackers are changing their approach to exploit new technologies and immature controls, and are looking for ways to rapidly monetize their successes. The panel will provide guidance on strategy, including how to strengthen security architecture and mitigating controls, as well as practical tips on how to improve security posture and program effectiveness.
- Clyde Hewitt (CynergisTek)
- Chuck Kesler (Duke Health)
HIPAA, HITRUST, and NIST: Where Do We Start? (Tues. 10:45 am-noon)
At 21 years old, HIPAA has matured into adulthood, but the security frameworks that can be used to implement the Security Rule are just entering high school. Like any teenager, these frameworks are maturing quickly but can still be confusing. The panel will discuss how the NIST Cybersecurity Framework and the HITRUST Common Security Framework, both of which go by the acronym CSF, can be used together or separately to build effective security and compliance programs.
- Vishal Gupta (Symantec)
- Alan Henton, Andrew Hutchinson & Bill Schultz (Vanderbilt University Medical Center)
Look Before You Leap: Network Access Control and Network Segmentation (Tues. 2:45-4:00 pm)
This panel will examine lessons learned when planning and deploying complex Network Access Control (NAC) and Network Segmentation (NS) solutions, with the goal of sharing insights into developing a methodology and approach for planning, testing and deploying NAC and NS. The panelists will provide both a client and vendor perspective as well as an in-process case study.
- James Bearce and Shane Swanson (Deloitte and Touche)
- Kurt Griggs (Mayo Clinic)
- Shawn Riley (State of North Dakota)
Being Prepared for the Worst: When It Doesn’t Just Hit the ‘FAN’, It Destroys the ‘FAN’ (Tues. 4:00-5:15 pm)
Managing security and privacy programs in an enterprise as complex as an Academic Medical Center is a huge undertaking, but dealing with a major breach can quickly turn any organization upside down, threatening to destroy its FAN: Finances, Accreditation, and Notoriety. When you have an incident that demands a cross-functional response, do you have a comprehensive response plan? The panel will share their perspectives on how to prepare your organization to deal with one of these worst-case scenarios.
- Tatiana Melnik (Melnik Legal PLLC)
- JT Moser (Wake Forest Baptist Health)
- Derrick Whisel (Internetwork Engineering)
- Kurt Stakeman (Womble Carlyle Sandridge & Rice)