Security and Privacy Strategies for Expanded Communities (Mon. 9:00-10:15 am)
Many forces are influencing AMCs and other large healthcare entities to expand the community of people and institutions with which PHI and other confidential information is shared. Patient portals, regulation requirements, ACO development, community health program partnerships, HIEs, CTSAs (in research), and health system expansion are key factors in this expansion. How to assure the privacy and security of protected health information in this environment is not obvious or easy. Our panelists will discuss the strategies and approaches in their organizations for supporting data sharing in this environment.
- Identify three challenges facing AMCs in community data sharing.
- Describe three approaches to assuring privacy and security in AMC community data sharing programs.
- Discuss three approaches to managing realized risk (e.g. data breaches) in community data sharing environments.
Presenters: Florence Hudson (Internet2) and Deven McGraw (Manatt, Phelps & Phillips LLP)
Quiz the Regulator
Each year the AMC conference is pleased to host a key staff member from HHS engaged in HIPAA support, enforcement, and related duties. This year, we have Linda Sanches from the Office for Civil Rights presenting on HIPAA-related projects and events in OCR. A key facet of this session is a long Q&A period where you can ask questions. This is a good time to get a specific question answered and to understand OCR’s announced plans for regulation development, enforcement, auditing, guidance development etc. Come curious! Leave informed!
- Describe OCR’s recent accomplishments
- Discuss the enforcement program status and plans
- Describe the audit program status and plans
Presenter: Linda Sanches (HHS Office for Civil Rights)
Compliance / Risk / Governance Track
Your People are Likely Your Biggest Risks to Your Data Security and Your Organizational Compliance (Mon. 10:45 am – noon)
Your organization can have the best policies and procedures as well as significant technology features, but if you don’t understand what your employees are doing and what technology is being made available to them, you cannot fully understand your risk. This session will discuss risky behaviors, including your employees using their own devices (BYOD) and their own accounts (cloud computing, survey tools, etc.), as well as noncompliance with organization policies. We will also discuss the methods to mitigate those risks, such as the use of technology, policies, agreements, and focused training.
- Describe the risks associated with BYOD, Cloud computing and other employee-used tools
- Discuss the various approaches and methods used to mitigate those risks, emphasizing acceptable use policies, training, etc.
Panel Leader: Marti Arvin (UCLA Health System)
Panelists: Adam Greene (Davis Wright Tremaine) and JT Moser (Wake Forest Baptist Health)
The New Generation of Privacy Programs (Mon. 1:00-2:15 pm)
What does “privacy by design” mean in the context of complex, multi-partner healthcare environments? How can data sharing partners “build in” privacy to their business processes, especially in an era of Big Data and innovation? We will review the elements of a mature privacy program, where privacy is considered before, at the start of, and throughout the development and implementation of initiatives that involve the collection and handling of patient information. What are practical ways you can mature and optimize data sharing and governance practices in a multi-institution environment? We also will review pertinent lessons from recent OCR enforcement under the federal Privacy Rule.
- Describe HIPAA compliant data sharing in partnerships
- Describe how to meet OCR expectations
Panel Leader: Debora Marsden (New York Presbyterian Hospital)
Panelists: Jennifer Archie (Latham & Watkins) and Susanna Partrick (Weill Cornell Medical College)
It’s a New Regulatory Landscape: Do You Know where Your Business Associates are and What They are Doing? (Mon. 2:45-4:00 pm)
While business associates can be a real asset to covered entities in terms of providing necessary services, covered entities (and business associates who engage subcontractors) should know who their business associates are and whether they are in a position to comply with the applicable provisions of the HIPAA Privacy and Security Rules, in order to avoid having those assets turn into liabilities. This panel will discuss the relatively new HIPAA obligations for business associates, what business associates are doing to comply with these obligations, and how covered entities are working with their business associates to ensure compliance.
- Identify who are business associates
- Describe business associate obligations
- Discuss what business associates and covered entities are doing to ensure compliance with these obligations
Panel Leader: Rebecca Fayed (The Advisory Board Company)
Panelists: Patricia Corn (Wake Forest Baptist Health) and Sam Sather (Clinical Pathways)
Data Sharing Issues in Accountable Care Organizations (Mon. 4:30-5:45 pm)
Healthcare is currently experiencing a critical shift: away from the current fee-for-service model to a robust, integrated model focusing on coordination of care across health system networks. This “value based care” is often organized in what is called an Accountable Care Organization (“ACO”). Accountable care is focused on increasing the quality of care rendered, increasing patient satisfaction with the health care system, and reducing cost, often referred to as the “triple aim.” In order for ACOs to be successful and change healthcare, ACOs must understand the regulatory landscape, and develop methods to innovatively capture, maintain, use, and share actionable and meaningful data, while maintaining confidentiality and security of that data. Both current and new demands for the security, exchange, maintenance, and confidentiality of health data ensure an ongoing evolution in the required information tools, processes, and compliance oversight needed to manage that data. Such challenges include FISMA, HIPAA, and practical governance regarding data sharing issues. This panel is a discussion of the regulatory landscape and security requirements and the challenges of governing data in an ACO.
- Describe the basic data compliance overview and framework for ACOs.
- Discuss the basic information security requirements for ACOs.
- Discuss information security and sharing requirements and challenges, from a practical, governance, investment, and technological perspective.
- Provide a framework for approaching data governance in ACOs involving an AMC.
Panel Leader: Michael Berwanger (Cornerstone Health Care, PA)
Panelists: Joel Garmon (Wake Forest Baptist Health) and Brian Vick (Blue Cross Blue Shield of NC)
Information Security Testing: How Do AMCs Ensure Your Networks are Secure? (Tues. 10:45 am – noon)
How do AMCs ensure that their networks are secure? The session will examine the AMC environment from three perspectives: the security contractor/vendor; the AMC customer; and the follow-up to assure that the process was conducted within the AMC-stated rules of engagement and how to best utilize the results.
- Describe what the vendor must do to adequately prepare and perform a penetration test – what information is needed, what precautions should be taken, and how to do the test.
- Discuss what the AMC customer should expect – AMC concerns, precautions to identify and provide for to reach an agreement with the vendor, and expected results and applicability of the test
- List the necessary steps to optimize the efficiency and effectiveness of the entire process
Panel Leader: Dennis Schmidt (UNC School of Medicine)
Panelists: Adam Bennett (Cloudburst Security) and Ray Hillen (Agio)
The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security (Tues. 1:00-2:15 pm)
Patient engagement is a key component of the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Meaningful Use program. AMCs must provide patients the ability to view online, download, and transmit their health information while managing the privacy requirements and security risks that patient portals and personal health records bring. Join our panel to review the legal framework and practical considerations for managing patient portals and other electronic communications to and from patients.
- Review HIPAA/HITECH, Meaningful Use, Federal Trade Commission and general state law issues that portals and personal health records raise
- Identify contract issues to address between and among covered entities, their business associates, and patients
- Consider some of the practical issues involved with managing patient-directed disclosures, patient-managed access, email account sharing between individuals, and information needed from multiple vendors
Panel Leader: Amy Leopard, JD (Bradley Arant Boult Cummings LLP)
Panelists: Patricia Corn (Wake Forest Baptist Health) and Becky Tate (MEDHOST)
Achieving a Functioning Learning Health System by 2024: The Challenges and Benefits of a Successful Journey (Tues. 2:45-4:00 pm)
Having first been articulated by the Institute of Medicine in 2007, the concept of a Learning Health System (LHS) has gained visibility and increasing support as a vision of what our health and healthcare system should be. The LHS builds on the increasing use of digital data, informatics, and analytics, and the potential that big data brings to the aggregation of hundreds of millions of encounters and outcomes to derive knowledge that will inform individual clinical decisions at the point of care. The panel will address each of the significant clinical, research, technical, and policy components needed to realize this vision.
- Describe the aspirations for achieving an operational LHS by 2024 that ONC has established as a core objective in their 10-year interoperability roadmap.
- Discuss the steps the research community is taking to identify, assemble, analyze and make data available to support an LHS.
- Discuss the work of a team of clinical, legal, and operational experts that have been charged to develop a policy and governance framework that will engender accountability and trust in the LHS.
Panel Leader: Holt Anderson (Learning Health Strategies)
Panelists: Charles Friedman (University of Michigan) and Angel Hoffman (Advanced Partners in Health Care Compliance, LLC)
Applications / Users Track
Building a Program for the Secure Usage of Cloud-based File Storage and Collaboration Tools (Mon. 10:45 am – noon)
Cloud-based file storage services have become one of the most ubiquitous examples of the consumerization of IT. Many healthcare users have adopted these tools to sync files between their mobile devices and to collaborate with others both inside and outside of their organizations. Unfortunately, this usually happens in the shadows of IT and compliance, and often in direct violation of policy, potentially putting healthcare organizations in violation of the Security and Privacy Rules. In this session, we will review how several organizations are attempting to reduce these risks by embracing and supporting some of these tools while still addressing security concerns.
- Discuss the use cases where cloud file storage services have been successfully implemented in academic medical centers.
- Discuss the technical and administrative controls that have been put in place to minimize the risk of using these services.
- Identify any ongoing challenges and risks that may need to be accepted when deciding to use cloud file storage services.
Panel Leader: William Barnett (Indiana University)
Panelists: Craig Barber (Duke Medicine) and Paul Howell (Internet2)
Implementing Multi-factor Authentication for Clinical Applications (Mon. 1:00-2:15 pm)
Perhaps the most significant IT security risk that any organization faces is the ease with which usernames and passwords can be compromised. Whether via malware, phishing, or other forms of social engineering, attackers can simply acquire valid login credentials that can be used to remotely access a system from anywhere in the world. In this session, we will examine how several organizations have successfully implemented multi-factor authentication to address these risks, with a focus how to overcome user resistance to the perceived complexity.
- Identify different types of multi-factor authentication solutions that have been successfully implemented for supporting clinical systems.
- Describe the user-facing challenges in implementing these solutions, and approaches that have been used to address them.
- Describe strategies for rolling out multi-factor authentication technology in phases across a healthcare organization.
Panel Leader: Todd Greene (Carolinas HealthCare)
Panelist: Jon Sternstein (Stern Security)
App Security in an Increasingly Mobile World: A Deeper Look at HealthKit and ResearchKit (Mon. 2:45-4:00 pm)
Recognizing that consumers are embracing “wearables” and mobile devices as a way to track their personal health information, Apple has recently introduced a pair of new technologies designed to make health information gathered from mobile devices more easily available for clinical and research purposes. In this session, we will review some examples of how Apple HealthKit and ResearchKit function, some of their potential use cases, and examine the security and privacy implications of these technologies.
- Describe how Apple HealthKit and ResearchKit function.
- Identify potential use cases where these technologies could add value by integrating the information they gather with the patient’s medical record.
- Discuss potential security and privacy concerns around these technologies, and how they may be addressed.
Panel Leader: Ricky Bloomfield, MD (Duke Medicine)
Panelist: Shelly Epps (Duke University)
Remote Monitoring of Clinical Trials and EMRs (Mon. 4:30-5:45 pm)
This session presents the requirements of both FDA and HIPAA related to confidentiality in the context of risk-based monitoring approaches that include remote review of original source data. How can we align the contract, authorization and monitoring plans to work more efficiently and manage risk to ensure human subject protections, privacy rights, and regulatory compliance, and realize the benefits of new approaches to monitoring quality data?
- Discuss requirements necessary for remote monitoring in a HIPAA compliant manner.
- Evaluate how operations can be impacted by remote monitoring.
- Describe the benefits, risks and limitations of remote monitoring
Panel Leader: Sam Sather (Clinical Pathways)
Panelist: Lindsey Spangler (Duke University School of Medicine)
Security Awareness Training and Testing (Tues. 10:45 am – noon)
Creating and sustaining awareness of information security threats, policies, and procedures among the entire workforce is perhaps the most critical aspect of ensuring that patient information is properly protected. In this session, we will show the impact of security incidents involving human error and examine the use case for targeted enterprise phishing for assessing security awareness among end-users.
- Discuss current security incidents involving human error
- Explain data from entity phishing experiments
- Discuss the role of user training in preventing security attacks
Panel Leader: Kelli Tarala (Enclave Security)
Panelist: Chris Mayhorn (NC State University)
Using Enterprise Governance, Risk, and Compliance (EGRC) Tools for Improved Management of Security and Privacy (Tues. 1:00-2:15 pm)
Effectively managing security and privacy risks against compliance objectives across a large enterprise requires more than spreadsheets. In this session, we will explore how some academic medical centers are implementing Enterprise Governance, Risk, and Compliance (EGRC) applications that provide an integrated management system for compliance requirements, policy management, risk assessment, and remediation tracking.
- Define what EGRC applications are, and how they can benefit the management of security and privacy in a large healthcare organization.
- Examine case studies from several organizations that have implemented an EGRC application.
- Discuss the lessons learned from an EGRC implementation, and considerations that should be addressed before beginning an EGRC implementation.
Panel Leader: Jennings Aske (NY Presbyterian Hospital)
Panelists: Kim Catron (Duke Medicine) and Jigar Kadakia (Partners HealthCare)
The Data Governance, Information Governance and Data Protection Crosswalk (Tues. 2:45-4:00 pm)
Data governance provides the framework for the intersection of IT and the business working together to establish confidence and credibility in the health system’s information. Data governance establishes and integrates a set of rules – policies, guidelines, principles and standards – for managing the health system’s highly-valuable data assets that engage stakeholders from across the health system. Information governance is an organization-wide framework for managing information throughout its lifecycle and for supporting the organization’s strategy, operations, regulatory, legal, risk and environmental requirements. It is this information that empowers better decision-making at all levels of the organization, improves strategic planning, increases productivity, accelerates response times and catalyzes innovation operationally, clinically and financially.
Data and information governance are critical components of data protection strengthening the chain of trust between the producers and consumers of critical data, as well as those responsible for safeguarding it. This session will explore this intersection of data governance and information governance and how organizations can and should pursue both initiatives effectively and efficiently, with a deliberate connection to data protection programs. We will introduce key data and information governance principles, introduce the fundamentals of both data governance and information governance programs, and offer practical guidance on how to begin and/or advance the conversation about these critical initiatives in your organization. Key components of these program roadmaps and maturity models will be addressed as well.
- Describe the dimensions of strategic information management and how they inform data and information governance and data protection
- Explain the fundamental elements of data and information governance programs
- Describe how data and information governance can be advanced from your current state, through an integrated roadmap that fosters efficiency and accelerates progress, and supports data protection programs and initiatives
Panelists: Stephanie Crabb (Immersive LLC) and Deborah Green (AHIMA)
Late-Breaking Topics: The Medical Device Vulnerability Reporting System & ONC’s Interoperability Roadmap (Wed. 9:00-10:15 am)
The Medical Device Innovation, Safety, and Security Consortium (MDISS) is a non-profit group that has been driving industry collaboration between medical device manufacturers and healthcare delivery organizations with the goal of improving the security of medical devices. Dr. Dale Nordenberg of MDISS will discuss the Vulnerability Reporting System initiative, which is meant to streamline the process for communicating about medical device vulnerabilities.
Interoperability is a key requirement for building the learning healthcare system. The Office of the National Coordinator (ONC) has been developing a 10-year roadmap that outlines critical actions for the public and industry to undertake to advance the state of interoperability. In this session, Jeremy Maxwell of ONC will provide an overview of the roadmap, focusing on the privacy & security areas of the roadmap, including cyber security, encryption, authentication, consent management, and the relationship to state privacy law.
Operations / Technology Track
Convergence of Information and Physical Security (Mon. 10:45 am – noon)
Security convergence combines the management of information and physical security within an organization. Risk assessment and risk management practices are the common ground, and efficiencies follow from combined processes and technologies. This session will explore these aspects and recent convergence trends in healthcare, and those who have led these initiatives will provide their first-hand experiences and insight.
- Describe attributes of successful convergence.
- Explain the benefits of combining forces to effectively manage risk.
- Describe the dos and don’ts of convergence.
Panel Leader: Ray Shelton (Mount Sinai Health System)
Panelists: Peter Ahearn, Jr. (FBI), Bruce Sackman (Society of Professional Investigators) and Michael Yaeger (Schulte Roth & Zabel LLP)
Biomedical Device Security: New Challenges and Opportunities (Mon. 1:00-2:15 pm)
The ability of a Black Hat attendee to remotely “hack” his own wireless insulin pump reinforced what we already know: that biomedical device manufacturers have not incorporated adequate security safeguards into their medical devices. But to quote Bob Dylan, “the times they are a-changin’.” As cyber security awareness grows, security professionals within some healthcare organizations are now working with medical device vendors to address this problem. Some leading edge healthcare organizations are even partnering with vendors to test medical devices. This session will explore medical device trends and opportunities, along with possible actions healthcare providers can take to drive change to improve medical device security and patient safety.
- Explain why biomedical devices have historically suffered from inadequate controls.
- Describe the respective responsibilities of both manufacturers and healthcare organizations that use these devices.
- Discuss opportunities for healthcare providers to drive change in the medical device security status quo.
Panel Leader: Debra Bruemmer (Mayo Clinic)
Panelist: Florence Hudson (Internet2)
Meaningful Use Security and Privacy Measures: Audit Preparedness (Mon. 2:45-4:00 pm)
Meaningful Use Stage 2 raised the bar for health information privacy and security, and auditors are validating that covered entities are achieving expectations. Hear from peer organizations about how they are scoping, conducting and documenting their risk assessments and corresponding risk management / mitigation plans. They’ll relate the controls and measures they’re invoking and documenting, and how third-party audits are evaluating appropriateness and effectiveness. Panelists will explain what to expect from audits, and share lessons learned from the process.
- Describe MU expectations for health information privacy and security including scope, appropriate controls, measures, and documentation requirements.
- Discuss how peer AMCs are complying with these requirements.
- Explain the audit program, what to expect in an audit, and how to prepare for one.
Panel Leader: David Holtzman (CynergisTek)
Panelist: Dori Ledford (Vidant Health)
The Privacy-Security Partnership in Managing Risk (Mon. 4:30-5:45 pm)
In a nutshell, privacy makes the information use and disclosure decisions, and security controls enforce those decisions. It’s easy to see that managing risks in the medical information realm takes effective teamwork. This session will describe these privacy and security partnerships and what makes them successful. The panelists will relate their experiences and provide examples where teamwork led to better outcomes.
- Describe the respective roles and responsibilities of privacy and security, and how they can benefit by working together.
- Explain opportunities for cross-training for enhanced effectiveness.
- Outline a strategy for assessing and managing privacy and security risks through teamwork.
Panel Leader: Angel Hoffman (Advanced Partners in Health Care Compliance, LLC)
Panelists: Dennis Schmidt (UNC Health Care) and Jay Trinckes, Jr. (Coalfire)
Mobile Health and BYOD (Tues. 10:45 am – noon)
Health systems are leveraging BYOD as a tool to drive mobile accessibility, increase IT oversight and enable employees to complete a business task at a moment’s notice, on whatever device is nearby. This session will explore the serious challenges for IT administrators, such as corporate security policies and safeguards and whether to deploy security software on every new device or implement internal security monitoring that proactively detects issues stemming from any device on the network.
- Describe the challenges for IT administrators on BYOD.
- Explain how you implemented your corporate security policy on BYOD and how you educated your workforce members.
- Discuss strategies for best practices on managing BYOD.
Panel Leader: Jason Cox (UNC Health Care)
Panelist: Ricky Bloomfield, MD (Duke University Health System)
Omnibus Breach Reporting: Lessons Learned over the Past Year Plus (Tues. 1:00-2:15 pm)
Although it’s been over a year since the HIPAA Omnibus Rule took effect, many CEs and BAs are still struggling with the requirements. Completing the required breach risk assessment is one of many challenges because of the lack of resources and no defined scope or guidance from OCR. The panelists will also relate their experience with increased breach reporting requirements since Omnibus.
- Outline the pattern of breaches that have been reported since enforcement of the HIPAA Omnibus rule 9/23/13.
- Explain how different organizations employ different methodologies/tools for completing breach risk assessments.
- Describe the impact of breach reporting pre-Omnibus vs post-Omnibus.
Panel Leader: Adam Greene (Davis Wright Tremaine LLP)
Panelists: Marti Arvin (UCLA Health System), Sophia Collaros (University of New Mexico) and JT Moser (Wake Forest Baptist Health)
Ongoing Challenges in Electronic Health Information Exchange (Tues. 2:45-4:00 pm)
Participation in one or more health information exchange (HIE) organizations, including the eHealth Exchange (formerly the NwHIN), enables health care providers to better coordinate care by having access to more information at the point of care, offers the potential to reduce duplicate services, and permits use of data analytics. As more information is stored and exchanged electronically, however, participating organizations will face ongoing challenges with data access, data privacy, and data management processes. In addition, when sharing data, participants need to ensure compliance with legal and regulatory restrictions. This panel will address some of the challenges of operating and participating in HIEs, including:
- The DURSA and other participation agreements: how do participants demonstrate to each other that their privacy and security infrastructures comply with the contract requirements?
- Sensitive information and patient opt-outs
- Data breach in the context of HIE
- Connecting with other HIEs
- Describe the purpose of, and the significant privacy and security obligations described in, HIE Participation Agreements, including the DURSA
- Describe the technical and administrative processes that providers use to assure other providers that their data is only accessed, used, and disclosed as permitted by the applicable Participation Agreement
- Discuss the distinction between a HITECH data breach and an eHealth Exchange breach and the time frames for responding to each
Panel Leader: James Black (Vidant Health)
Panelist: Patricia Markus (Smith Moore Leatherwood)
Defending against Cyber Attacks (Wed. 9:00-10:15 am)
FBI director James Comey recently stated, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.” Healthcare is not immune, pun intended. Nation states are at the top of the information security threat list and healthcare organizations are increasingly building and staffing infrastructure and monitoring / response functions to counter the threat. This session’s panelists will describe their experiences and directions in countering cyber attacks and lend insight to those who are ramping up these efforts within their own organizations.
- Articulate the most significant cyber threats facing healthcare today.
- Outline a strategy for defending against cyber attacks.
- Determine what his/her organization can do to improve its security posture against cyber attacks.
Panel Leader: Mike Dockery (Cincinnati Insurance Companies)
Panelists: Chris Beal (MCNC) and Paul Howell (Internet2)
Hacking for Managers (Wed. 1:00-4:00 pm)
Symantec will deliver an instructor-led walkthrough showing methods used by typical hackers to obtain information on their targets. This is a “capture-the-flag” style walkthrough, inspired by real-life security issues. This is a non-competitive learning event where participants can obtain hands-on experience. Learn about introductory ethical hacking skills such as reconnaissance, operating system and application attacks, forensics, and others in this hands-on, instructor-led lab using Symantec’s virtual cyber range. Participants will need their own laptop to participate.