HIPAA Compliant Cloud Computing, An Overview
Removing barriers to healthier healthcare
HIPAA, Security & Cloud
Presented By:
Chris Bowen, MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
Matt Ferrari
Chief Technology Officer
Using the Cloud as an enabler.
PROPRIETARY AND CONFIDENTIAL
Learning Objectives
• Understand HIPAA and HIPAA
• Understand the patients’ rights under HIPAA and how those relate to the BAA
• Examine the purpose of the BAA – what it is designed to do
• Review Meaningful Use and its place in driving Security Risk Assessments
• Know the penalties for a data breach
• Understand what makes up a SRA
• Discuss some real breaches, what happened and how it could have been prevented
Objectives for HIPAA
• Make Health Insurance More Portable
• Reduce Healthcare Fraud
• Improve Efficiency of Payment, Claims, Etc.
• Protect Personal Medical Information
• Gather Statistical Data About Diseases
The HIPAA Security Rule
• Establishes national standards to protect ePHI that is created, received, used, or maintained by a covered entity.
• Applies to:
– Covered Entities
– Business Associates
• Maintain reasonable and appropriate
– Administrative
– Technical
– Physical safeguards for protecting ePHI
Specifically
• Ensure the confidentiality, integrity, and availability of all ePHI Covered Entities create, receive, maintain or transmit
• Identify and protect against reasonably anticipated threats to the security or integrity of the information
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by their workforce.
Patient Rights Under HIPAA
• Right to receive a notice of privacy practices
• Right to copy and inspect one’s own PHI
• Right to request PHI amendments
• Right to restrict disclosures to others
• Right to receive PHI by alternate means
– PO Box not home address, for example
• Right to file a privacy complaint (anyone)
The Business Associate Agreement
• Covered Entities must enter into these with service providers like ClearDATA
• ClearDATA must enter into these with our service providers
• Three Major Obligations of a BAA
– Facilitate Patient Rights
– Complete Risk Analysis, Policies and Procedures
– Report Breaches and Liability
BAA: Safeguarding Data
• ClearDATA and our subcontractors (such as AWS) must:
– Assess risk and implement the safeguards, policies, and procedures.
– Conform and comply with the HIPAA Rules.
– And ensure that our service providers do the same!
(Diagram: Risk Management cycle – Assess, Evaluate, Manage, Measure)
Askew
If you search for “Askew” in Google, the content will tilt slightly to the right.
Breach Notification
• CE/BA must investigate any and all legitimate potential breaches of unsecured PHI.
• Investigation Process:
– Isolate
– Investigate
– Remediate
– Report
• Handling by outcome (diagram):
– Unsuccessful security incidents, and breaches of fewer than 500 records: internal logging
– Successful security incidents, and breaches of more than 500 records: external reporting
Meaningful Use: Basic Requirements
1. Use of certified EHR in a meaningful manner (e.g., e-prescribing)
2. Use of certified EHR technology for electronic exchange of health information to improve quality of health care
3. Use of certified EHR technology to submit clinical quality measures (CQM)
4. Meaningful Use is how the EHR is used. This is the responsibility of providers with assistance from local, area, and national staff
Use vs. Meaningful Use
(Image: a pumpkin, labelled “Pumpkin”, beside a carved pumpkin, labelled “Pumpkin Used Meaningfully”)
Meaningful Use (timeline)
• 2009 – HITECH Policies
• 2011 – Stage 1: Capture/Share Data
• 2014 – Stage 2: Advanced Care Processes w/ Decision Support
• 2016 – Stage 3: Improved Outcomes
Objective: 45 CFR 164.308 (a)(1)
SRA Objectives: Core 9 Meaningful Use
• Assessment of the Administrative, Physical and Technical Safeguards per Security Rule.
• Review of physical computing environment.
• Interrogation of security software & protocols.
• Assessment of electronic transmission procedures for PHI.
• Assess vulnerabilities to the confidentiality, integrity and availability of ePHI.
Review of Safeguards
1. Administrative
2. Physical
3. Technical
4. Organizational
OCR Audit Protocol
1. New & Stricter Requirements
2. Preventative Measures
3. Written Policies & Procedures
4. Management Accountability
5. Significant Documentation
ClearDATA’s SRA Meets OCR Audit Protocol
SRA Urgency
• Important to Avoid Security Breaches & Fines
• Required to Receive Incentive Funding
• Meaningful Use Requirement
• Required Regularly or When Systems Change
(Chart: data breaches by the numbers) Source: https://cybersponse.com/data-breaches-by-the-numbers
(Chart: data breaches by the numbers, continued) Source: https://cybersponse.com/data-breaches-by-the-numbers
The Attack
(Image slide)
Breaches by Business Associates
1. January 2014 - Blue Cross Blue Shield of New Jersey
Loss of data affecting 839,711 individuals. A laptop was stolen – there was no encryption.
2. January 2014 - Triple-C, Inc.
Theft of data affecting 398,000 individuals. A network server was stolen – there was no encryption.
3. May 2014 - Sutherland Healthcare Solutions, Inc.
Thieves stole eight computers from Sutherland’s Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.
4. August 2014 - Community Health Pro-Services Corporation
Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
5. December 2014 - Senior Health Partners
Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associates were reported stolen.
Value of PHI (survey chart: what stolen PHI was used for)
• 29% - Obtain healthcare services or treatments
• 28% - Obtain prescription drugs or medical equipment
• 26% - Obtain government benefits, including Medicare or Medicaid
• 11% - My healthcare records were accessed or modified
• 2% - Credit report was accessed or modified
• 2% - Obtain fraudulent credit accounts in my name
• 2% - Don’t know
Why Breaches Are Occurring
• Hackers have incentive and opportunity
• A single stolen password tends to access multiple accounts
• Selling personal information has become a profitable global enterprise
• Weak passwords and authentication are a big part of that opportunity.
The Aftermath
• Identity Theft
• Espionage
• Future Attacks
• Money Spent
• Reputations Lost
HIPAA Fines and Penalties

Violation Category               Each Violation       All Identical Violations per Calendar Year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected  $50,000              $1,500,000
How Much This Graph Reminds Me of Mr. T
(Joke chart; axis labels: “Reminds me of Mr. T”, “Still kind of reminds me of Mr. T”)
More Learning Objectives
• Understand Cloud challenges for healthcare and how we solve for them
• Review how to use the Cloud to overcome security challenges
• Discuss trends in the Cloud, such as Multi-cloud
• The AWS overlay and its drivers
• Understand how to get the best out of both worlds – HIPAA Managed Services + Multi-cloud
• Review a real-world example – case study
The Cloud’s Role in Transforming Healthcare
• Data Aggregation: centralized, high-performance access
• Agility / Speed: speed & flexibility to implement new services
• Simplicity: no hardware, no software, no new staff
• Reduce Costs: lower costs, no capex, pay as you grow
• Security: 70% less breach, HITRUST certified
• Reliability / Scalability: greater uptime/redundancy, SLAs, scalability
Healthcare IT Transformation Challenges: Problems We Solve
Infrastructure and operations (~50% of challenges in IT operations and maintenance? Aging infrastructure, support and maintenance?):
• Aging infrastructure
• Maintenance costs
• Support costs
• Standardization
• Virtualization
• Scalability / Reliability
• Capital & Personnel Constraints
Healthcare IT complexity increasing? HIT know-how? Lack of IT visibility: utilization of systems, applications, data?
Security & Compliance by Application (75% reduction of breach potential):
• Visibility, What is Secure?
• Compliancy by App
• Maintaining HIPAA IT Policy and Procedures
• Annual Risk Analysis
Data and storage:
• Application sprawl
• Data sprawl
• Image / archive
• Intelligent storage
• Backups / DR
Innovation (innovation throttles to ~30%?):
• Agility
• Impeding Innovation
• BYOD
• Adoption of Advanced Apps
Complexity (reduce IT complexity by ~50%):
• Multiple IT Portals
• Increased Regulatory Compliance
• IT Transformation Tech: Wireless, BYOD, Telemedicine, Cloud, Analytics
ClearDATA: The Vision for Transformation
• STORE: fix and modernize the infrastructure, store HC applications and data
• MANAGE: healthcare IT infrastructure, network, security
• PROTECT: secure patient data, data lifecycle management
• SHARE: organize, normalize, access & share healthcare data
BAA Covered AWS Services
ClearDATA Healthcare Managed Platform:
• HealthDATA™ Cloud Suite
• HealthDATA™ Security & Privacy
• HealthDATA™ Management
• Healthcare IT Service & Support
ClearDATA Enhanced Security, Compliance & BAA:
• Risk Assessment
• Policy Development
• Advisory Services
• Hardened Hosting
• Complete Encryption
• HC PaaS Portal/API
• Scalable Hosting
• Flexible Interchange
• HC Analytics
• 24 x 7 Support
• Compliance Trained
• HIT ProServ
Markets served: Gov Healthcare, Physicians, Medical Devices, Life Sciences, Hospitals, Healthcare Software
AWS layers: Compute, Data, Storage, Network Services, App Services
What AWS services could be BAA covered today?
• DynamoDB – NoSQL Cloud Database Service
• Elastic Block Store (EBS)
• Elastic Compute Cloud (EC2)
• Elastic Map Reduce (EMR)
• Elastic Load Balancer (ELB)
• Glacier
• Relational Database Service (RDS)
• Redshift – Cloud Data Warehouse
• Simple Storage Service (S3)
Managed Service overview
(Table; columns: Capability | Customer | ClearDATA | ClearDATA with AWS)
• Application development, deployment & monitoring: X / Option
• Compliance Scorecard: X
• Cloud Infrastructure Healthcare Architecture, Optimization & Support: X
• On demand Security Risk Assessments: X
• Quarterly Vulnerability Scanning: X
• Breach detection, notification & remediation: X
• PHI and other data Encryption at rest and in motion including key management access: X
• Intrusion Detection: X
• OS deployment, hardening, patching: X
• Managed Backup configuration & management: X
• VPN & Firewall configuration & management: X
• Anti virus configuration & management: X
• Infrastructure Ecosystem: X
• Infrastructure Development, Availability, Scaling, Security: X
• Geo Diversity & Physical security: X
ClearDATA
1600 W. Broadway Road · Tempe, AZ 85282
Ph: (888) 899-2066 · sales@cleardata.com · www.cleardata.com
Healthcare Infrastructure That is Controlled, Managed, and Optimized By Our HealthDATA™ Platform
Key Benefits
• Healthcare specific portal for all managed services
• Cloud automation, templates & HIPAA compliant dashboard
• API for direct access to ClearDATA configured AWS services
HealthDATA™ HIT & Cloud Management Platform
• Centralizing management across ClearDATA products
• Secure support request management
• ITIL-Aligned Configuration Management Database
• Deploy AWS environments with CloudFormation
• View billing and invoice information
• Security hardened AMIs for common services
Questions
Thank You
For additional information please contact:
Joseph Vadakkan
Solution Architect
480.939.3476
josephs.vadakkan@cleardata.com