Managing Increased Security and Privacy Risks in Health Enterprises (Mon. 9:00-10:15 am)
Over the last few years, security and privacy risks for large health enterprises have shifted. This shift has created a need to adjust programs in AMCs and other large health enterprises. For example, attacks have moved from being primarily single-actor attacks to attacks by organized, well-paid gangs and even nation-state actors. Regulatory oversight has increased and moved somewhat from an “education” posture to an “enforcement” posture. Individual and class-action legal challenges related to information breaches have increased accountability of institutions and their leadership. Come to hear our panel discuss how they perceive this risk shift and what adjustments they see as needed to compensate.
- List three security/privacy risks for large health enterprises that have emerged or notably changed in the last few years.
- List three security/privacy risk management actions for large health enterprises that are intended to compensate for these new/increased risks.
- List at least one security/privacy risk for which adequate risk management techniques are not yet available or are not widely implemented.
- Jessica Nye (FBI)
- Robert Parisi (Marsh)
- Suzanne Schwartz (FDA)
Quiz the Regulator (Tues. 9:00-10:15 am)
Each year the AMC conference is pleased to host a key staff member from HHS engaged in HIPAA support, enforcement, and related duties. A key facet of this session is a long Q&A period where you can ask questions. This is a good time to get a specific question answered and to understand OCR’s announced plans for regulation development, enforcement, auditing, guidance development, etc. Come curious! Leave informed!
- Describe OCR’s recent accomplishments.
- Discuss the enforcement program status and plans.
- Describe the audit program status and plans.
Presenter: Marissa Gordon-Nguyen, Senior HIPAA Policy Specialist, Office for Civil Rights, U.S. Department of Health and Human Services.
Compliance / Risk / Governance Track
The Patient Portal: Privacy & Security Considerations (Mon. 10:45 am – noon)
As providers continue to engage with patients in new and different ways, patient portals present new opportunities for providers to improve patient satisfaction, make health information available, and interact with their patient population. Providers that offer a patient portal must still manage the privacy requirements and security risks of exposing medical records through it. Our panel will discuss the privacy and security framework for the patient portal, walk through a recent patient portal data breach and discuss lessons learned, and host a question and answer session.
- Review and discuss the regulatory landscape for patient portal privacy and security, including HIPAA/HITECH, Meaningful Use, and general state law issues.
- Discuss practical issues in securely implementing patient portals, managing challenges that arise from making the personal health record available to patients, and managing the relationship with the patient portal vendor.
- Discuss security risks and some strategies for reducing and managing risk.
- Discuss at a high level common contract and licensing issues with patient portals.
- Adam Bennett (Cloudburst Security)
- Michael Berwanger (MedCost)
- David Holtzman (CynergisTek)
Cyber Security Litigation – Claims, Defenses & Defendants (Mon. 1:00-2:15 pm)
What if, despite your conscientious efforts, PHI or other protected data is released or exposed, whether through employee error, intentional internal misconduct, or a hostile attack from outside? What is the risk that litigation will ensue? What bases for relief exist for plaintiffs under applicable statutory and common law, what strategies and remedies are available to plaintiffs' attorneys (including class action suits), and what key defensive strategies can be pursued before or after a breach has occurred?
- Describe bases for relief available to plaintiffs whose information is exposed, and the essential elements of proof required for recovery
- Discuss the level and kinds of exposure possible to defendants, including from class action claims
- Discuss preventive measures and defensive strategies available when confronted with litigation
- Identify and discuss some of the key case law in this substantial and quickly evolving area of the law
- Dickson Phillips (Robinson Bradshaw)
- John Conley (Robinson Bradshaw)
- Colleen Ebel (UNC Health Care)
- Mark Hiller (Robinson Bradshaw)
Key Issues & Ingredients of Compliant & Effective Information Governance: Compliance with Respect to Handling Data from Inside & Outside the US (Mon. 2:45-4:00 pm)
This panel will provide practical advice and insights on building and sustaining an effective information governance program in an academic medical center setting. The panelists will address questions such as:
- Tackling “can we” (compliance) versus “should we” (ethical) concerns that distinguish compliance from governance
- The role of compliance in the information governance process
- Use cases as a tool to vet business proposals for information use
- Tips to achieve consistent outcomes over time
- Considerations when engaging with Service Providers and Business Associates
- Example governance processes and structures
- Describe the different models for information governance.
- Discuss some of the key issues the governance process can address.
- Explain how the process complements and contrasts with compliance efforts.
- Judy Beach (Quintiles)
- Zachariah DeMeola (Baker Hostetler)
- Elizabeth Johnson (Wyrick Robbins LLP)
- Alex Pearce (SAS)
Capturing the Synergy Between Information Security & Internal Audit/Compliance: Challenges, Benefits & Opportunities (Mon. 4:30-5:45 pm)
The constantly evolving threat environment in which covered entities, business associates and subcontractors operate continues to present challenges in protecting the organization’s information assets. Chief Audit Officers (CAOs) and Chief Information Security Officers (CISOs) have skills to assess risks, coordinate risk profiles, and develop and implement risk mitigation plans in a variety of ways. CAOs and CISOs are in a unique position to understand and interpret risks. Both play a role in information governance for the organization, and both serve as advisers to the board and senior leaders. Internal audits involve a set of periodic, pro-active reviews that help in assessing information security control processes. The internal audit function brings a systematic, disciplined approach to evaluate and assess threat risks. CAOs and CISOs are working together to meet these challenges and to leverage skills and analytics for the benefit of their organizations.
- Explain the different perspectives and skills of the CAO and the CISO in protecting the organization’s information assets.
- Discuss how to develop and exploit the synergy between information security and internal audit in assessing risk and protecting information from a variety of risks.
- Describe what other organizations are doing and what lessons can be learned from case scenarios.
- Phyllis Patrick (Phyllis Patrick & Associates, LLC)
- Alan Mitchell (Hanger, Inc.)
- Alan Moorhead (Hanger, Inc.)
- Patricia Skarulis (Memorial Sloan Kettering Cancer Center)
- Ed Taliaferro (Memorial Sloan Kettering Cancer Center)
Developing & Maintaining an Effective Program for Data Integrity (Tues. 10:45 am – noon)
This session will discuss the importance of maintaining an effective data integrity program, focusing on the accuracy and consistency of stored data through the use of standards and procedures. Ongoing project planning, training and consistent supervision of employees can contribute to risk mitigation, which leads to both prevention and a reduction in data-related integrity violations. Practical examples of both successful programs and reasons why data integrity violations occur will be discussed throughout this session.
- Identify a strategy for creating and maintaining a successful data integrity program.
- Explain opportunities which contribute to data compromise and leave an organization vulnerable.
- Describe program elements which contribute to risk mitigation.
- Discuss the impact to HIEs, patient safety and research.
- Angel Hoffman (Advanced Partners in Health Care Compliance)
- Adam Bennett (Cloudburst Security)
- Maureen Saxon-Gioia (OSPTA Home Health Care)
Handling Small Breaches: Policies, Procedures & Best Practices (Tues. 1:00-2:15 pm)
With several years of experience handling privacy incidents and breaches under their collective belts, the panel has a number of lessons to share. This session will examine the common ways investigations can be handled and where the landmines may appear. The panel will highlight how organizations have worked to standardize their processes, leverage internal and external resources, and strive toward consistency in the day-to-day logistics of privacy investigations to handle incidents and breaches.
- Describe common pitfalls encountered when dealing with breaches.
- Discuss strategies for realizing consistency and efficiency in investigating privacy incidents and handling breaches.
- Explain how various functions – privacy, compliance, security, legal, and business – may collaborate to respond to and potentially reduce small incident and breach occurrences.
- Pat Corn (Wake Forest Baptist Health)
- Michael Berwanger (MedCost)
- JT Moser (Wake Forest Baptist Health)
- Campbell Tucker (Novant Health)
AMCs’ and BAs’ Complex Privacy and Data Security Compliance: Practical Ideas for HIPAA and Beyond (Tues. 2:45-4:00 pm)
The panelists will address some of the complex compliance challenges that arise for AMCs and business associates as they endeavor to comply with not only HIPAA but also other privacy and data security compliance requirements. For example, reporting a data breach can involve synthesizing dozens of applicable laws, reporting to multiple regulatory bodies (including state attorneys general), and facing several agencies’ follow-up questions regarding the incident. The panel will explore this and other areas of complexity in multi-jurisdictional compliance and offer practical advice about dealing with them. Participants will learn about:
- Actual examples of state and federal enforcement, including discussion of the largest OCR-imposed CAP to-date
- The seemingly uneven nature of enforcement, including discussion of states that are active and others that are not
- How to conduct a risk analysis, a complex compliance requirement and a key area of focus for OCR in audits and compliance reviews
- Practical tips for identifying business associates, also a complex and potentially time consuming compliance challenge and key focus for OCR
- Examples of state regulatory priorities that necessitate expanding AMCs’ and BAs’ view beyond HIPAA
- Describe how to conduct a risk analysis
- Explain how to identify business associates
- Discuss state regulatory priorities that necessitate expanding AMCs’ and BAs’ view beyond HIPAA
- Susan Miller, JD
- Elizabeth Johnson (Wyrick Robbins LLP)
- Karen Pagliaro-Meyer (Columbia University Medical Center)
Late-Breaking Topics (Wed. 9:00-10:15 am)
- Sissy Holloman (LabCorp)
- John Parmigiani (John C. Parmigiani & Associates)
Applications / Users Track
eConsent Guidance & Use Cases (Mon. 10:45 am – noon)
Traditional informed consent (via paper forms) has specific requirements that must be satisfied. As entities adopt electronic consent platforms, some of those requirements become harder to satisfy. An electronic platform can also introduce information security risk that does not exist in the paper consent process. This session will present use cases for electronic consent in the context of privacy preservation, regulatory oversight, and security requirements.
- Describe informed consent (IC) requirements in context of electronic platforms.
- Discuss challenges and benefits of electronic IC use cases.
- Identify specific privacy and security challenges in eIC.
- Colleen Lawrence (Vanderbilt University)
- Jody Power (Duke University Health System IRB)
Apple Research Kit (Mon. 1:00-2:15 pm)
Individuals are using mobile technology as a way to track personal health information. Apple has introduced a pair of new technologies designed to make health information gathered from mobile devices more easily available for clinical and research purposes. In this session, the panel will review Apple ResearchKit use cases, and examine the security and privacy challenges of these technologies in context of ResearchKit apps that are actively collecting data.
- Explain how Apple’s ResearchKit applications function.
- Discuss benefits and challenges from implemented ResearchKit applications.
- Discuss potential security and privacy concerns around these technologies and how they may be addressed, including whether to implement at the individual app level or institutional level.
- Helen Egger (Duke University)
- Cory Ennis (Duke University School of Medicine)
Data Segmentation for Privacy (DS4P) Initiative (Mon. 2:45 – 4:00 pm)
Data Segmentation for Privacy (DS4P) is an initiative to improve sensitive information flow using privacy and security policies and data classification and tagging. Initial work completed in 2014 produced multiple pilots aimed at improving efficiency and accuracy in sharing of sensitive data.
- Discuss the HL7 Healthcare Privacy and Security Classification System in context of tagging and segmentation of sensitive data to enforce privacy and security policies.
- Describe outcomes from the DS4P initiative, including initial pilots.
- Jeremy Maxwell (ONC)
Remote Monitoring (Mon. 4:30-5:45 pm)
This session presents the requirements of both the FDA and HIPAA related to confidentiality in remote monitoring of clinical research studies. This is a new approach supported by a number of government agencies, including the FDA. However, these approaches present challenges to AMCs to ensure appropriate use and control of data accessed remotely. How can the contract, authorization and remote monitoring plans work most efficiently? How can AMCs manage privacy and security risk to ensure human subject protections, minimum disclosure necessary, privacy rights, and regulatory compliance? How can AMCs realize the benefits of new approaches to remote monitoring source data?
- Describe the challenges of obtaining agreements for remote monitoring access.
- Evaluate how research operations may be impacted by remote monitoring.
- Describe the benefits, privacy and security risks and limitations of remote monitoring.
- Discuss use cases of remote monitoring implementation at AMCs.
- Lindsey Spangler, JD (Duke University School of Medicine)
- Christine Nelson (UNC Chapel Hill)
- Sam Sather (Clinical Pathways)
Science DMZ (Tues. 10:45 am – noon)
AMC networks must support multiple organizational missions and be built for security, but must also be flexible enough to support research, which depends upon sharing, storing and analyzing data from multiple sources. The resource-intensive data needs of the research may compete for network resources and cause performance issues for other areas of the network. The Science DMZ is a scalable, incrementally deployable, and easily adaptable sub-net designed to incorporate emerging technologies such as 100 Gigabit Ethernet services, virtual circuits, and software-defined networking capabilities. Free of the restrictions that come with the support of general-purpose business connectivity needs, it is typically straightforward to allow local resources to take advantage of wide area network services.
- Describe the history and purpose of Science DMZ
- Discuss practical use cases of Science DMZ.
- Discuss the institutional resources and controls around Science DMZ.
- William Barnett (Indiana University)
- Richard Biever (Duke University)
Contract Use Cases (Tues. 1:00-2:15 pm)
Many organizations have established pathways for contract negotiation, but end users still enter into contracts that involve no payment and therefore bypass those pathways. Click-through agreements, trial software, and non-disclosure agreements are examples of contracts that end users often agree to directly. This session will overview the risks of these types of contracts and explore ways that AMCs monitor end users’ direct engagements.
- Describe risks from end user agreements.
- Discuss strategies employed by organizations to control agreements that do not run through central pathways.
- Tatiana Melnik (Melnik Legal PLLC)
- Kevin Lanning (UNC Chapel Hill)
Data Loss Prevention (Tues. 2:45-4:00 pm)
Data Loss Prevention (DLP) is a strategy employed by institutions to ensure that end users do not send sensitive or protected information outside the network. There are software products that can help network administrators control and monitor what data end users are transferring outside the entity. This session will overview DLP strategies and use cases to ensure privacy and security at AMCs and other organizations.
- Discuss existing use cases for institutions with a DLP solution enabled.
- Describe benefits and challenges of implementation of a DLP solution to monitor/restrict sensitive data flow.
- Discuss use of security tools to enable privacy controls.
- Craig Barber (Duke Medicine)
- Jeremy Wittkop (InteliSecure)
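As an added example (not code from the page, the panelists, or any DLP vendor), the Python below shows the content-inspection and policy step that sits at the core of a DLP engine for outbound mail: pattern rules for SSNs and for a hypothetical eight-digit MRN format (assumed here; real MRN formats vary by institution), a keyword rule for clinical language, and a policy that allows internal mail, blocks identifiers addressed to external recipients, and quarantines borderline content for human review. The SSN pattern rejects area, group and serial values that are never issued, which keeps phone numbers such as 919-555-1234 from tripping it. The internal domain list and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# SSN in three-group form. Area 000/666/9xx, group 00 and serial 0000 are never
# issued, so rejecting them also stops phone numbers with 9xx area codes from
# being misclassified as SSNs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical MRN format assumed for this example: 'MRN' followed by eight digits.
MRN_RE = re.compile(r"\bMRN[ :#]*(\d{8})\b", re.IGNORECASE)
CLINICAL_TERMS = ("diagnosis", "icd-10", "prescription", "lab result")
INTERNAL_DOMAINS = {"hospital.example"}  # constructed


@dataclass
class Finding:
    rule: str
    text: str


def scan(body):
    """Return every rule hit in an outbound message body."""
    findings = [Finding("ssn", m.group(0)) for m in SSN_RE.finditer(body)]
    findings += [Finding("mrn", m.group(0)) for m in MRN_RE.finditer(body)]
    lowered = body.lower()
    findings += [Finding("clinical_term", t) for t in CLINICAL_TERMS if t in lowered]
    return findings


def external_recipients(recipients):
    """Recipients whose mail domain is not one of ours."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def decide(body, recipients):
    """Policy: allow internal mail; block identifiers leaving the network;
    quarantine clinical language without identifiers for a human reviewer."""
    if not external_recipients(recipients):
        return "allow"
    findings = scan(body)
    if any(f.rule in ("ssn", "mrn") for f in findings):
        return "block"
    if findings:
        return "quarantine"
    return "allow"


def redact(body):
    """Mask identifiers so a blocked message can be shown to a reviewer safely."""
    body = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)
    return MRN_RE.sub(lambda m: "MRN ****" + m.group(1)[-4:], body)


# Constructed sample traffic: (message body, recipient list)
SAMPLES = [
    ("Pt SSN 123-45-6789, please update the chart.", ["billing@hospital.example"]),
    ("Pt SSN 123-45-6789, please update the chart.", ["friend@gmail.example"]),
    ("Attaching the lab result for review.", ["friend@gmail.example"]),
    ("Call me at 919-555-1234 about the schedule.", ["vendor@partner.example"]),
    ("Chart MRN: 00012345 attached.", ["vendor@partner.example"]),
]

if __name__ == "__main__":
    for body, to in SAMPLES:
        print(decide(body, to), "|", redact(body))
```

The quarantine verdict is the important operational choice: keyword rules alone produce too many false positives to block on, so they route to a reviewer, while identifier rules that have been tuned against known-invalid values are precise enough to block automatically.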
Late-Breaking Topics (Wed. 9:00-10:15 am)
- Jennifer Anderson (NCHICA)
- Shelly Epps (Duke Medicine)
- Denise Snyder (Duke Medicine)
Operations / Technology Track
Lessons Learned in the Incident Command Center (Mon. 10:45 am – noon)
Every so often an active threat or management directive prompts an all-hands-on-deck security or privacy response exercise run from a central operations command center. Depending upon the initiative’s nature, mass communications, incoming call lines, multiple service levels and triage, issue tracking, status reporting, and team management are required. These exercises in organized mayhem invariably result in lists of things that work well and things that perhaps require different approaches the next time the flag is raised. This session will feature war stories and lessons learned — good, bad and ugly — by colleagues who have led or served in incident command centers.
- Describe essential functions of a command center.
- Explain justification for establishing command centers to manage incident response.
- Describe pitfalls to avoid, and successful and unsuccessful approaches to operational aspects.
- Mike Dockery (Cincinnati Insurance Companies)
- Lee Olson (Mayo Clinic)
Biomedical Device Security (Mon. 1:00-2:15 pm)
Inadequate biomedical device security was once an unaddressed security pain point that grew with the computerization of critical point-of-care electronic equipment. The good news is that as cyber security awareness grows, healthcare organizations are partnering with medical device vendors to secure and test their products. This session will explore medical device trends and recent collaborative successes, along with ways that healthcare providers can drive advances in medical device security and patient safety.
- Describe the respective responsibilities of both manufacturers and healthcare organizations that use the devices.
- Enumerate recent successes of manufacturers and healthcare organizations working together to improve biomedical device security.
- Discuss opportunities for healthcare providers to drive change in the medical device security status quo.
- Clyde Hewitt (Allscripts)
- Angel Hoffman (Advanced Partners in Health Care Compliance)
- Ken Lobenstein (Deloitte)
Pharmaceutical Diversion Prevention, Detection & Incident Response (Mon. 2:45-4:00 pm)
The healthcare and pharmaceutical industries have a narcotics diversion problem: no academic medical center is immune to instances of its occurrence. There are important privacy, security and patient safety issues entailed by this problem. Mature organizations have developed diversion prevention task forces comprised of a multidisciplinary team including departments of pharmacy, safety and security, anesthesiology, nursing, legal counsel, and human resources. The panel will assist those interested in starting a narcotics diversion prevention program, and aid those with existing programs in reviewing best practices.
- Describe best practices for building a narcotic diversion prevention program.
- Discuss methods for detecting diversion, with a special emphasis on the auditing of ADMs (Automatic Dispensing Machines).
- Explain the essentials of responding to diversion incidents.
- Ray Shelton (Mount Sinai Health System)
- Lucy Cannizzaro (Mount Sinai Brooklyn)
- Kimberly New (International Health Facility Diversion Association)
- Bruce Sackman (Society of Professional Investigators)
Building a Security Team (Mon. 4:30-5:45 pm)
Until recently, many healthcare organizations haven’t had the resources to stand up dedicated information security teams. However, with the fast pace of changes to the regulatory and threat landscapes, many are now trying to create information security offices to provide focused effort on these critical functions. But even after securing the budgetary commitment to build a team, many struggle to find, hire, onboard, and nurture people with the right skill sets in a job market where the ideal candidates are scarce. In this session, you will hear how security leaders have addressed these challenges by using recruiters, social media, job boards, professional organizations, existing staff, student internships, and selective outsourcing.
- Describe approaches to organizing the functions of a security office, and the skill required to fulfill those functions.
- List the key characteristics to look for in candidates for information security roles, including educational background, work experience, certifications, and mindset.
- Discuss how to establish and grow a security team over time, including where it may make sense to outsource some functions.
- Jennings Aske (New York Presbyterian Hospital)
- Jigar Kadakia (Partners HealthCare)
Resilience: A Breach-focused Approach to Cyber Security (Tues. 10:45 am – noon)
Resilience is a newly emerging approach that is taking a fresh look at cyber security. With news of successful cyber attacks now routine, there is a growing realization that the approach used so far may not be enough to tackle the formidable combination of a rapidly changing threat landscape, a persistent adversary, and users who are easily led astray. Turning the idea of traditional cyber security on its head, resilience begins with the idea of breaches as a given. Instead of focusing on security controls, or risk, it takes a holistic view of the problem, framing the solution in a manner analogous to how professional medicine manages disease. The pieces are not new, but the mindset is. This session will focus both on pieces – prevention, diagnosis, response, and maintenance – and how they can be combined to achieve resilience.
- Describe the concept of resilience and how it can be used to develop a cyber security strategy.
- Explain the four components of resilience: prevention, diagnosis, response, and maintenance.
- Discuss case studies where the resilience method is being applied as part of building and running a cyber security program.
- Anurag Shankar (Indiana University)
- Franklin Witter (Cisco)
Malware Trends: The Rise of Ransomware (Tues. 1:00-2:15 pm)
Attackers are no longer content to just steal your data. As shown by recent outbreaks of CryptoWall and CryptoLocker, now they want to hold your data hostage, forcing you to pay a ransom to recover your files. There are indications that some attackers may even be threatening to publicly post sensitive data unless a ransom is paid. In this session, panelists will discuss how their organizations have been affected by ransomware, and the steps that they are taking to address the threats.
- Discuss how attackers are changing their objectives from simply stealing data to using extortion to compel the victim to pay a ransom.
- Identify new techniques that attackers are using in developing malware that can evade traditional detection techniques.
- Describe approaches that can be used to address these new threats.
- Jon Sternstein (Stern Security)
- Peter Nelson (WakeMed)
- John Maser (FBI)
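As an added example (not code from the page or the panelists), the Python below shows one detection approach that does not depend on signatures, which matters when the malware has been repacked to evade traditional detection: compare two snapshots of a file share and flag files whose contents went from plaintext-like to ciphertext-like, measured by Shannon entropy, or that were replaced by a renamed high-entropy copy (the familiar .docx to .docx.locked pattern). Compressed formats such as zip, gzip, JPEG and PNG are high-entropy by design, so files carrying those headers are excluded to avoid false alarms. The share contents, the file names, the threshold and the alert count are all constructed for the example; the pseudo-ciphertext is a deterministic SHA-256 stream standing in for real ransomware output.

```python
import hashlib
import math
from collections import Counter

# Formats that are legitimately high-entropy (compressed); never treat these as encrypted.
KNOWN_HIGH_ENTROPY_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG")
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents sit well below this
ALERT_FILE_COUNT = 3     # newly-encrypted files in one comparison window before alerting


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data):
    """High entropy with no recognised compressed-format header."""
    if data.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_mass_encryption(before, after):
    """before/after map path -> bytes for two snapshots of a share.
    Returns paths that were plaintext-like before and ciphertext-like after,
    following renames where the original was replaced by 'original + suffix'."""
    suspects = []
    for path, old in before.items():
        new_path, new = path, after.get(path)
        if new is None:
            # Original gone: look for a renamed copy such as a.txt -> a.txt.locked.
            renamed = [p for p in after if p != path and p.startswith(path)]
            if not renamed:
                continue  # deleted outright; out of scope for this check
            new_path, new = renamed[0], after[renamed[0]]
        if not looks_encrypted(old) and looks_encrypted(new):
            suspects.append(new_path)
    return suspects


def should_alert(suspects):
    return len(suspects) >= ALERT_FILE_COUNT


def pseudo_ciphertext(seed, length):
    """Deterministic stand-in for ransomware output (constructed test data)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


# Constructed share snapshots
PLAINTEXT = b"Patient note: follow up in two weeks. " * 100
JPEG = b"\xff\xd8\xff" + pseudo_ciphertext("jpg", 4000)  # compressed image, untouched
BEFORE = {
    "notes/a.txt": PLAINTEXT,
    "notes/b.txt": PLAINTEXT,
    "img/c.jpg": JPEG,
    "notes/d.txt": PLAINTEXT,
}
AFTER = {
    "notes/a.txt.locked": pseudo_ciphertext("a", 4096),  # encrypted and renamed
    "notes/b.txt.locked": pseudo_ciphertext("b", 4096),
    "img/c.jpg": JPEG,                                   # unchanged, must not be flagged
    "notes/d.txt": pseudo_ciphertext("d", 4096),         # encrypted in place
}

if __name__ == "__main__":
    hits = detect_mass_encryption(BEFORE, AFTER)
    print(hits, "ALERT" if should_alert(hits) else "ok")
```

In practice the snapshot comparison is driven by file-change events rather than full rescans, and the count threshold is applied per user and per time window so that one person legitimately saving an encrypted archive does not trigger it. Entropy alone is a weak signal; the whitelist of compressed headers and the rate of change together are what make it usable.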
Creating an Integrated Strategy for Information Security (Tues. 2:45-4:00 pm)
Completing a risk assessment is a huge and necessary step, but it’s only the first step in improving an organization’s security stance. Perhaps even more daunting than the risk assessment itself is the challenge of remediating the identified issues, many of which will require a significant commitment of human and capital resources over long periods of time. Accomplishing this goal requires aligning the security strategy with the rest of the business. In this session, the panel will describe how information security leaders have worked together with others in their organizations to create security strategies that are integrated with the overall IT and business strategies.
- Explain how to identify and engage the key stakeholders who need to be involved in establishing an integrated security strategy.
- Discuss methods that may be used to organize and prioritize risk assessment findings into a cohesive security strategy.
- Describe approaches for aligning the security strategy with other IT business goals to ensure appropriate resourcing.
- Clyde Hewitt (Allscripts)
- Chuck Kesler (Duke Medicine)
Integrating Security into Project Management Methods & Processes (Wed. 9:00-10:15 am)
A lot of industry attention has focused on incorporating security best practices into the software development lifecycle (SDLC). However, according to HIMSS/Gartner, the national average of custom developed software applications at Healthcare institutions is only X%. What do we do about the other Y%? As we implement more and more third-party products, resulting in less control, we still need to ensure sufficient controls and standards are met to reduce our security risk. The best way to achieve this goal is to integrate security best practices into all of our projects, and not just the custom-developed ones. This session will focus on examples of security methodology integration into existing project management tools and discuss some on-going programs and controls to improve your security posture.
- Describe three new ways to consistently integrate security best-practices into your project management practices.
- Identify your security-cycle feedback loops to continuously improve security controls within your project management lifecycle.
- Explain how to better, faster, and more easily integrate security controls into all of your projects.
- Adam Brown (Mount Sinai Hospital)
- Kaali Daas (Cisco)
- Ken Lobenstein (Deloitte)