Legal & Regulatory Compliance Track
Using Risk Assessments to Attack the Common Breach (Mon. 10:45 am-noon)
Too often, privacy and security compliance becomes an exercise in chasing the latest threat, the latest technology, and the latest breach. Quickly, the urgent becomes the enemy of the important, and the latest crisis shapes the compliance program rather than vice versa. By using a risk assessment proactively, large organizations can more comfortably fit today’s concern into a broader approach to creating and maintaining trustworthy systems. Using real-life examples from decades of in-house experience, this discussion will probe some of the more common types of breaches and risks and how the risk assessment, as one part of an over-arching risk mitigation strategy, can reduce the likelihood of, and damage caused by, a breach.
- Identify the privacy and security considerations for research projects beyond just the HIPAA regulations
- Identify privacy and security considerations for when the researcher wants to have subjects use a third-party application or social media in the research project
- Explain some key considerations when the research project is the development of a clinical or quality improvement application
- Lori Feezor (New Hanover Regional Medical Center)
- Roy Wyman (Nelson Mullins)
There’s an App for That: Use and Creation of Apps, Texting and Social Media in Research (Mon. 1:00-2:15 pm)
In today’s connected world there are an increasing number of instances where researchers either wish to develop an application or to use an application for their research project. There are inherent risks in the use of a product that has not been fully developed or in the use of a third-party app. Researchers also want to transition to current communication methods such as texting, instant messaging, social media and other methods in an effort to improve participation by subjects in the research project. This presentation will discuss the potential privacy and security risks associated with researchers creating apps as part of their research project to identify ways to improve clinical care and outcomes. It will also discuss the use of existing apps and connected devices as part of a research project. Finally, it will discuss the use of texting, instant messaging, social media and other methods as a means of communicating with subjects and for data collection in research.
- Marti Arvin (CynergisTek)
- Holly Benton (Duke)
- Joseph Dickinson (Tucker Ellis, LLP)
- Rosyln Mortorano (University of California)
Aligning Privacy and Security Programs to Enhance Data Protection Across the AMC Enterprise (Mon. 2:45-4:00 pm)
A discussion about the importance of building an integrated privacy and security program based on communication, trust and shared philosophical approaches to risk and data protection. A review of specific case examples highlighting the importance of coordinated, proactive compliance activities.
- Describe the scope of responsibilities and expectations of institutional Privacy and Security offices.
- Discuss the obstacles and challenges faced by both offices.
- Explain the importance of shared core values and strategic vision as the foundation of the offices working together.
- Describe case examples with program specific recommendations that allow both offices to collaborate on compliance activities.
- David Behinfar & Colleen Ebel (UNC Health Care)
- Katherine Georger (University of Arizona)
- Terrence Ziemniak (Carolinas HealthCare System)
How to Align Governance with the Practical Aspects of Information Security (Tues. 10:45 am-noon)
Strong IT governance is necessary for today’s healthcare organizations. Without effective governance, the digital healthcare environment will never be secure, endangering patient care delivery and corporate success. While healthcare organizations adopted technology at an incredible pace, they rejected control and structure with the same vigor. IT governance is typically implemented as an afterthought, and then only to ensure minimum compliance levels. These shortcuts have left patients, employees, and healthcare corporations vulnerable to both cyber-crime and self-inflicted wounds that cost millions of dollars, affect patient care and damage corporate reputation. IT security governance must be a priority at the highest levels of a healthcare corporation. The IT infrastructure and its associated security are the logistical manifestation that gives both clinicians and office staff the ability to do their work. Without top-down support, an environment of this complexity will be neither efficient nor secure. IT governance needs to set the specific standards against which security is measured, far beyond the goal of “minimum necessary” for compliance and the associated POAMs. Three fundamental areas of assessment are Data Inventory and Classification, Infiltration Events, and Exfiltration Events. If a company cannot answer questions such as “where and what is our data?” and “how many external attacks have been successful?”, then the governance has failed.
- Describe the difference between compliance and security
- Explain what a security control is
- Describe how to align security controls and corporate policy
- Explain how to create reportable metrics that support security and compliance
- Ryan Dobbins (infoLock Technologies)
- Karen Pagliaro-Meyer (Columbia University Medical Center)
How Do International Laws and Regulations Intersect with HIPAA and Other US Laws and Regulations? (Tues. 1:00-2:15 pm)
Although U.S. healthcare providers, insurers, and clearinghouses are well aware of U.S. federal privacy requirements—notably requirements defined by HIPAA and the relevant state regulatory environments—the global privacy landscape is evolving in a very prescriptive way. With more and more health systems acting as referral points for patients from the European Union and elsewhere, the risk profile for handling personal data in the U.S. is increasing. The healthcare industry in this country is increasingly called upon to understand the onerous requirements for the protection of personal data and sensitive personal data belonging to residents of the European Union, despite the relative immaturity of U.S. privacy requirements. This presentation will help orient players in the healthcare industry to the global privacy environment, addressing the potential that the U.S. healthcare industry will be required to grow its privacy infrastructure to meet the standards for privacy in the EU, including the new General Data Protection Regulation (GDPR). Attendees will be invited to explore topics such as the process to legitimize the cross-border transfer of personal data, implementing privacy by design, conducting privacy impact assessments, and preparing for compliance with 72-hour breach notification requirements, among other compliance challenges. The discussion will also review the potential for onerous penalties for non-compliance under the GDPR, which is driving increased attention to and investment in privacy compliance readiness.
- Robert Glaser (Deloitte & Touche)
- Angel Hoffman (Advanced Partners in Health Care Compliance, LLC)
Practitioners’ Perspectives to Compliance in the Cloud (Tues. 2:45-4:00 pm)
As healthcare continues its journey in digitally transforming its business, more workloads are finding their way into cloud computing platforms. The cloud provides the optimal cost-efficient and scalable platform to aggregate big data, medical device signals, and deep compute resources, and to produce the transformative insights and analytics needed to drive the changes that preemptively improve clinical outcomes, manage limited resources and power new digital technologies. As these workloads move completely or partially to the cloud, data and interactions need to be secure and compliant with government regulations and with best-practice protection against malicious entities. The goal is to provide an overview of best practices to maintain or enhance compliance and secure access for data and compute processes that live outside the traditional data center. The panelists will discuss the issues and concerns for AMCs and other healthcare organizations in efficiently and effectively migrating to a cloud environment while maintaining regulatory compliance and security. They will also provide an actual case study on how a successful migration to HIPAA compliance was accomplished.
- Shreehari Desikan (Dataphilic)
- Steve Ordahl (Microsoft)
Business Associates & Technology Track
Do Your Partners Handle PHI with Care? Not Sure? (Mon. 10:45 am-noon)
Third-party vendors are sometimes the weakest link in a hospital’s security efforts, and their vulnerabilities can lead to your own organization being compromised, with all the cost and drama that result. With the increased sharing of digital data, OCR now recognizes that every partner to whom you grant network access represents a potential breach of patient privacy. The HIPAA Omnibus Final Rule requires hospitals to ensure that any business associate that creates, receives, maintains, or transmits PHI on the hospital’s behalf also complies with HIPAA requirements for patient privacy. Hospitals that fail to adequately monitor business associates are not only at risk of a breach, but also risk a charge of willful neglect. This presentation will use case studies to show you the steps to ensure due diligence with your third-party vendors. Successful organizations use a combination of questionnaires, third-party audits, and assignment of vendor risk.
- Tim Burris & Rob Rhodes (Iatric Systems)
- Karen Pagliaro-Meyer (Columbia University Medical Center)
Assessing Vendor Risk in a Non-Certified Vendor Population (Mon. 1:00-2:15 pm)
Only approximately 25% of vendors have a security certification to share with healthcare customers. This session will explore the results of a study of over 1,000 companies providing products and services to the healthcare industry and their related security certifications. The panel will provide a breakdown of the certifications and their related pros and cons. They will also provide specific approaches for reviewing and validating SOC 2 and HITRUST certifications, as many organizations are surprised to find out that the certifications do not pertain to all of their data or include major gaps in security practices. Since most vendors do not have security certifications, learn about approaches for assessing breach risk when these vendors have access to sensitive data. Topics will include best practices for questionnaires, validating responses and risk rating vendors.
- Cliff Baker (CORL Technologies)
- David Finkelstein (St. Luke’s University Health Network)
Business Associate Management: Control, Contracts, and Lessons Learned from the Trenches (Mon. 2:45-4:00 pm)
No healthcare organization can effectively function without support from its third-party vendors. But, these third-party vendors are also a source of increased risks. For example, according to the Ponemon Institute 2016 Cost of a Data Breach Study, third party involvement and extensive migration to the cloud are the greatest source of increase for data breach costs, adding $20.30 and $15.40, respectively, to the per-record cost to respond to a data breach. Similarly, as of the end of January 2017, out of the top ten data breaches disclosed on the Office for Civil Rights website, four of them involved business associates. This session will focus on effective business associate management strategies, including practical tips for vendor vetting, holding vendors accountable, and risk mitigation options. The panel will also highlight key, and common, sticking points in negotiating business associate agreements and provide options for successfully resolving them.
- Tatiana Melnik (Melnik Legal PLLC)
- Ryan Vlcko (McLaren Health Care)
New Insight into Healthcare Data Breaches (Tues. 10:45 am-noon)
Since 2009, Health and Human Services has tracked data breaches within the healthcare industry. Until now, this information has been used merely as a reference for new breaches that have occurred. Today, we have brought this data to life in a fresh, exciting, and more useful way. We will show healthcare data breaches in a new light. Attend this interactive discussion featuring open dialog, visual displays, and breach trends within the healthcare field. This information will be used to help healthcare organizations protect the most valuable data that patients trust us with. Additionally, this information will be used to help the necessary teams get the support they need in order to protect Protected Health Information (PHI).
- Cheryl Lytle (UNC Health Care)
- Jon Sternstein (Stern Security)
The Alexa Effect: Balancing Improved Outcomes and Security with Consumer AI Assistants (Tues. 1:00-2:15 pm)
The Amazon Echo and the Google Home artificial intelligence assistant devices have been among the hottest sellers in the consumer electronics industry for the past several months. What lies beneath an already robust set of AI skills for assisting us in the household are revolutionary improvements in the delivery of healthcare. Ultimately this technology and the hundreds of forthcoming apps will not only improve the quality of life for certain at-risk patients and produce better outcomes, but may also have a direct and positive impact on the hospital’s bottom line via reduced admissions and fewer unnecessary tests.
In this presentation, the panel will review the current and forecast landscape for how this technology will shape healthcare delivery and communications as more and more patients adopt the devices in their homes, along with the associated mobile device apps. This will include a live demonstration with an Amazon Echo and a set of healthcare-oriented skills already deployed in the marketplace. The panel will then cover what health systems and developers need to do to build aggressive security and privacy controls around access to this data early in the process, beginning with the SDLC and software architecture processes.
- Christopher Campbell (Agio)
- Scott Hondros (Infinite Leap)
Managing Business Partner Risks in an IoT and Cloud Universe (Tues. 2:45-4:00 pm)
Increasing dependence on cloud service providers (CSPs) and Internet of Things (IoT) devices is leading to paradigmatic shifts in the management of cyber risk. Traditional models for risk identification and remediation break down when applied to the cloud and IoT domains. Organizations need to accept the fact that cloud service providers cannot in general adopt the security controls of each of their customers. Instead, there is a need to analyze the root cause and the resulting inventory of risk that comes with using cloud services, which can be achieved by following a life-cycle governance approach. Similarly, a mature process needs to be developed and implemented to ensure that all bio-med devices are configured and running in a secure manner, in compliance with the organization’s overall security controls. The panel will cover techniques for identifying, quantifying and reducing business partner risks, with a focus on PHI in the context of medical devices and cloud-based service providers.
- Anant Sethi & Amit Sood (Deloitte & Touche LLP)
Cybersecurity & Risk Management Track
Using Frameworks to Improve Your IT Risk Management Program (Mon. 10:45 am-noon)
Why does every OCR resolution agreement state the risk analysis is incomplete? Many organizations struggle with developing and then maturing a risk management program that allows them to not just identify risks, but also to close the gaps. The panel will cover the basics of risk management, as well as how to mature your program by using a variety of widely available risk management frameworks and resources.
- Jeff Bell (CareTech Solutions)
- Gary Daemer (InfusionPoints)
- Anurag Shankar (Indiana University)
Coming Together: Integrating Security and Privacy with Enterprise Risk Management (Mon. 1:00-2:15 pm)
Many AMCs have well established security and privacy programs. They also have well established Enterprise Risk Management (ERM) programs looking at patient safety, financial, and strategic risks. However, often security and privacy are not at the same table with the ERM program. The panel will examine how privacy and IT security programs can best fit into an overall ERM program. Panelists will discuss their experiences in building cross-functional ERM efforts that bring together these different perspectives to create an integrated approach to managing enterprise risks.
- Michael Berwanger (MedCost)
- Blair Kraft (Coastal Connect HIE)
- JT Moser (Wake Forest Baptist Health)
Adapting a Security Culture to Address Emerging Cybersecurity Threats (Mon. 2:45-4:00 pm)
The security culture is a critical control and is often overlooked. During 2016, the healthcare industry experienced a proliferation of new cyberattack vectors. Hackers are changing their approach to exploit new technologies, exploit immature controls, and look for ways to rapidly monetize their successes. The panel will provide guidance on strategy, including how to enhance security architecture and mitigating controls, as well as practical tips on how to improve security posture and program effectiveness.
- Clyde Hewitt (CynergisTek)
- Chuck Kesler (Duke Medicine)
HIPAA, HITRUST, and NIST: Where Do We Start? (Tues. 10:45 am-noon)
At 21 years old, HIPAA has matured into its adulthood, but the security frameworks that can be used to implement the Security Rule are just entering high school. Like any teenager, these frameworks are maturing quickly, but can still be confusing. The panel will discuss how the NIST Cybersecurity Framework and the HITRUST Common Security Framework – both of which go by the acronym of CSF – can be used together or separately to build effective security and compliance programs.
- Vishal Gupta (Symantec)
- Alan Henton, Andrew Hutchinson & Bill Schultz (Vanderbilt University Medical Center)
Being Prepared for the Worst: When It Doesn’t Just Hit the ‘FAN’, It Destroys the ‘FAN’ (Tues. 1:00-2:15 pm)
Managing security and privacy programs in an enterprise as complex as an Academic Medical Center is a huge undertaking, but dealing with a major breach can quickly turn any organization upside down, threatening to destroy its FAN – Finances, Accreditation, and Notoriety. When you have an incident that demands cross-functional response, do you have a comprehensive response plan? The panel will share their perspectives on how to prepare your organization to deal with one of those worst-case scenarios.
- Brian Balow (Dawda, Mann, Mulcahy & Sadler PLC)
- Tatiana Melnik (Melnik Legal PLLC)
- JT Moser (Wake Forest Baptist Health)
- Jason Smith (Internetwork Engineering)
Look Before You Leap: Network Access Control and Network Segmentation (Tues. 2:45-4:00 pm)
This panel will examine lessons learned when planning and deploying complex Network Access Control (NAC) and Network Segmentation (NS) solutions, with the goal of sharing insights into developing a methodology and approach for planning, testing and deploying NAC and NS. The panelists will provide both a client and vendor perspective as well as an in-process case study.
- James Bearce and Shane Swanson (Deloitte and Touche)
- Kurt Griggs and Shawn Riley (Mayo Clinic)