cert symposium cyber security incident management for
play

CERT Symposium: Cyber Security Incident Management for Health - PowerPoint PPT Presentation

Nov 09, 2022 •573 likes •916 views

Pennsylvania eHealth Partnership Authority Pennsylvanias Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh, PA The Journey to the Triple AI

  1. Pennsylvania eHealth Partnership Authority Pennsylvania’s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh, PA

  2. The Journey to the Triple AI M 21 st Century Upgrade for the Triple Aim: • Better care for individuals • Better health for populations • Lower per-capita costs Slide adapted from Trudi Matthews, HealthBridge/Greater Cincinnati Beacon Collaboration Presentation at ONC Meeting 4/3/13

  3. Makeover for Healthcare • Uncoordinated care • Team-based approach • Over-loaded schedule • Open access • Physician & practice-centric • Patient engagement & empanelment • Arbitrary quality improvement projects • Data directed quality improvement efforts • Lack of clear leadership & support (for patient centered primary care) • Engaged leadership 3 Slide adapted from Trudi Matthews, HealthBridge/Greater Cincinnati Beacon Collaboration Presentation at ONC Meeting 4/3/13

  4. PA’s Transform ation Journey Collaborative “system” to achieve consensus and produce outcomes  Diverse stakeholder engagement in open and transparent manner  Data driven decision-making  Iterative and layered approach to design and problem solving Blended diverse views create better steps forward ~ ~ Incrementally address issues 4

  5. Pennsylvania HI E Strategic Plan Stakeholders Recommended: • Establish public/private authority to become overarching HIE governing entity after federal grant ends and then transition to independent non-profit organization • Authority will provide “community shared services” to enable and advance health information exchange within and beyond PA among disparate organizations • Federated model - all participants maintain their own information and no health data will be centrally stored • One-to-many connection to achieve related efficiencies for public and private sector health information exchanges • Multiple exchange ‘tools’ 5

  6. Stakeholder Collaboration Participant Workgroup engaged to: • Recommend approach for technical infrastructure and services • Identify policy and operational framework and training considerations related to privacy and security • Solidify sustainability model • Establish criteria for certification program 6

  7. Pennsylvania eHealth Partnership Authority

  8. Planned HI E Coverage

  9. Legal, Privacy and Security

  10. Legal, Privacy and Security The Nationwide Privacy and Security Framework 8 Principles (ONC, 2008) 1) INDIVIDUAL ACCESS. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format 2) CORRECTION. Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied 10

  11. Legal, Privacy and Security The 8 Principles (ONC, 2008), continued 3) OPENNESS AND TRANSPARENCY. There should be openness and transparency about policies, procedures and technologies that directly affect individuals and/or their individually identifiable health information 4) INDIVIDUAL CHOICE. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information 11

  12. Legal, Privacy and Security The 8 Principles (ONC, 2008), continued 5 ) COLLECTION, USE, AND DISCLOSURE LIMITATION . Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately 6) DATA QUALITY AND INTEGRITY. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner 12

  13. Legal, Privacy and Security The 8 Principles (ONC, 2008), continued 7) SAFEGUARDS . Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure 8) ACCOUNTABILITY. These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches 13

  14. Policy and Operations Tiger Team Policies and Documents produced: • PA HIE-Network Privacy Policy P&P • PA HIE-Network User Management Policy P&P • PA HIE-Network Monitor-Audit-Breach Policy P&P • Draft Notice Privacy Practices for HIE • Draft Statewide form for Opt Out • PAePA DURSA (between Community Shared Services (CSS) and Certified Participant(CP)) • PAePA BA Agreement (between CP and Member Organization (MO)) • PAePA MO DURSA (between CP and MO) 14

  15. Policy and Operations Tiger Team Electronic Sharing of Health Records Containing Super Protected Data (SPD): • Ideal – Software/EHRs capable of sorting and segmenting SPD from the primary record, so that SPD is not improperly shared • Current Compromise – expansion of the CSS Opt Out (Consent) Registry to include specialized SPD sharing permissions from patients who wish their SPD to be available for targeted sharing 15

  16. HISP Certification

  17. HI SP Operations/ Certification PA HISP Trust Community consists of any certified HISP that demonstrates ability to: • Exchange secure, encrypted and authenticated emails using DIRECT specifications with other certified HISPs • Ensures adherence to Authority requirements to protect PA citizens and their PHI 17

  18. HI E Certification

  19. HI E Operations/ Certification • Certification program will be finalized based on details of CSS technical deployment  Certified participants (CP)  Member organizations (MO) • Aligned with HIPAA, HITECH and commonwealth laws and regulations • Security of information is of highest importance to Authority 19

  20. Monitoring, Auditing and Breach Notification Policy

  21. Purpose of Policy • Implementation of effective system auditing and monitoring practices to detect inappropriate access to PHI and hold accountable those who violate privacy requirements; and • Compliance with Federal and state legal requirements for the reporting of privacy violations and security breaches to the appropriate entities and to affected individuals. 21

  22. Scope of Policy • The document applies to all Certified Participants connected to the Pennsylvania HIE-Network Community Shared Services (CSS), and their Member Organizations, Users and workforce members (as defined by HIPAA). 22

  23. Scope, continued • This policy is intended to be consistent with and does not replace or supersede any Federal regulations or laws (such as HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH)) or State privacy and security laws and regulations. 23

  24. Objectives of Policy • Define the requirements of the Authority and Certified Participants to establish policies and procedures for the auditing and monitoring of system transactions and ensuring accountability by attributing activities to individuals and enforcing consequences for privacy violations. 24

  25. Objectives, continued • Establish the responsibility of the Authority and Certified Participants to comply with Federal (HITECH) and State laws with regard to reporting and notification of a breach. • Assign responsibility to the Authority to facilitate awareness and compliance with this policy. 25

  26. Breaches • All PHI incidents are now considered breaches, unless conclusively proven otherwise. • Old Standard : Notification of breach was required only where “significant risk of financial, reputational, or other harm to individual”. Burden was on the covered entity or business associate to show there was no “significant risk”. 26

  27. Breaches • New Standard: Outside of certain existing exceptions, any use or disclosure of unsecured PHI in violation of the Privacy Rule is presumed a breach unless can demonstrate low probability that PHI has been compromised based on a risk assessment involving at least these factors: – Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification – Unauthorized person who used the PHI or to whom disclosure was made – Whether PHI was acquired or actually viewed – Extent of mitigation of risk to PHI 27

  28. Breaches – Response Roles • Certified Participant and Member Organization : Identify breach, notify Authority, notify affected persons, address security issue • Authority : Preliminary investigation, action plan recommendations to Board, actions recommended by Board, follow up on any required action plans, possible HHS notification • Stakeholder CP Oversight Committee(s) : Trust community action as to continued access of CP/MO to CSS or any other projected system or agreement impact 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Incident Discovery and Correlation on .Gov Networks Cory Mazzola, MSIA, CISSP US-CERT

Security Incident Discovery and Correlation on .Gov Networks Cory Mazzola, MSIA, CISSP US-CERT

Security Incident Discovery and Correlation on .Gov Networks Cory Mazzola, MSIA, CISSP US-CERT Surface Analysis Group Timothy Tragesser US-CERT Fusion Analysis & Development Agenda Overview Data Collection Malware Activity

353 views • 34 slides
Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55

Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55

Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55 Incident Reporting Forms CERT Coordination Center (CERT/CC) Federal Computer Incident Response Capability (FedCIRC) National

437 views • 9 slides
Security Innovation The Israeli Eco System National Risk Management & Innovation REFAEL

Security Innovation The Israeli Eco System National Risk Management & Innovation REFAEL

Second Annual Event Encouraging Digital Security Innovation The Israeli Eco System National Risk Management & Innovation REFAEL FRANCO Deputy Director General Head of Robustness Division CERT IL 3 Israel cyber eco system Israeli CERT

1.01k views • 52 slides
Cyber Security Incident Reporting Notice of Proposed Rulemaking Update --- Patricia Eke Energy

Cyber Security Incident Reporting Notice of Proposed Rulemaking Update --- Patricia Eke Energy

Supply Chain Risk Management Reliability Standard and Cyber Security Incident Reporting Notice of Proposed Rulemaking Update --- Patricia Eke Energy Industry Analyst Office of Electric Reliability June 7, 2018 6/7/2018 Disclaimer The

460 views • 12 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September

Eric Weston Wally Magda, CISSP, PSP, CISA Compliance Auditor, Cyber Compliance Auditor, Cyber Security Security CIP 101 Training CIP-007-3a Cyber Security System Security Management Overview September 24-25, 2013 Salt Lake City, UT No

2.02k views • 198 slides
Cyber security technology consulting, incident response and applied research company with a

Cyber security technology consulting, incident response and applied research company with a

Cyber security technology consulting, incident response and applied research company with a focus on services for specialized public service providers, finance industry and corporations with high data sensitivity. NRDCS.L T TIMETABLE FOR

612 views • 12 slides
CVD model in Latvia attempts and failures Baiba Kakina, CERT.LV Brussels, 29.11.2017.

CVD model in Latvia attempts and failures Baiba Kakina, CERT.LV Brussels, 29.11.2017.

CVD model in Latvia attempts and failures Baiba Kakina, CERT.LV Brussels, 29.11.2017. CERT.LV Information Technology Security Incident Response Institution of the Republic of Latvia Operates on basis of IT Security Law State

442 views • 15 slides
CSIRTs are to Product Security as Ferries are to Islands Speakers: Erka Koivunen, Head of CERT-FI

CSIRTs are to Product Security as Ferries are to Islands Speakers: Erka Koivunen, Head of CERT-FI

CSIRTs are to Product Security as Ferries are to Islands Speakers: Erka Koivunen, Head of CERT-FI Anu Puhakainen, Head of Ericsson PSIRT Introduction to both CERT teams Ericsson Product Security Incident Response Team has been officially

608 views • 4 slides
Cyber Incident Management -National and Regional Lessons Learned- Masanori Sasaki Deputy

Cyber Incident Management -National and Regional Lessons Learned- Masanori Sasaki Deputy

ARF Seminar on Operationalizing Cyber CBMs at Singapore 21 22 October 2015 Cyber Incident Management -National and Regional Lessons Learned- Masanori Sasaki Deputy Counsellor, NISC, Cabinet Secretariat, Japan Our organization NISC : N

229 views • 5 slides
NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT

NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT

NATIONAL NETWORK FOR SPAM MONITORING Juan Dez Gonzlez Security Technician - INTECO-CERT April, 2008 20th Annual FIRST Conference on Computer Security Incident Handling Summary 1. INTECO and INTECO-CERT 2. Spam Monitoring Network 1.

675 views • 33 slides
CERT-MU Computer Emergency Response Team of Mauritius National Cybersecurity Drills: An Effort

CERT-MU Computer Emergency Response Team of Mauritius National Cybersecurity Drills: An Effort

CERT-MU Computer Emergency Response Team of Mauritius National Cybersecurity Drills: An Effort Towards Effective Response to Cyber Threats Jennita Appanah Appayya Information Security Consultant CERT-MU| National Computer Board Cyber threat

574 views • 11 slides
Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler

Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler

Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler robert.pitcher@ps.gc.ca Public Safety Canada FIRST Conference 15 June 2011 Agenda Canadian Cyber Incident Response Centre Roles and Responsibilities

408 views • 21 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC

Maritime cyber security Jakob P. Larsen, Head of Maritime Security jpl@bimco.org 2019 ReCAAP ISC Piracy and Sea Robbery Conference Agenda The regulatory framework Shipping industry guidance Cyber incident examples from real life

355 views • 10 slides
2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action April 11, 2018 Contact Information Theodore J. Kobus, III Casie D. Collignon Leader, Privacy and Data Protection Practice

448 views • 23 slides
Leveraging Health Information Exchange in Texas Presentation to DSRI P Regions 9 , 1 0 and 1 8

Leveraging Health Information Exchange in Texas Presentation to DSRI P Regions 9 , 1 0 and 1 8

Leveraging Health Information Exchange in Texas Presentation to DSRI P Regions 9 , 1 0 and 1 8 Texas Medicaid is evolving Medicaid 1115 Waiver Special Terms and Conditions require a Health I T Plan be adopted by October 2019

358 views • 16 slides
Health Information Exchange Health Information Exchange Cooperative Agreement Program:

Health Information Exchange Health Information Exchange Cooperative Agreement Program:

Health Information Exchange Health Information Exchange Cooperative Agreement Program: Cooperative Agreement Program: Cooperative Agreement Program: Cooperative Agreement Program: Background and Governance Background and Governance Candice

277 views • 24 slides
MEETING APRIL 19 TH , 2016 AGENDA SLIDE TITLE Topic Time Call to Order 5 mins Chris

MEETING APRIL 19 TH , 2016 AGENDA SLIDE TITLE Topic Time Call to Order 5 mins Chris

EHEALTH COMMISSION MEETING APRIL 19 TH , 2016 AGENDA SLIDE TITLE Topic Time Call to Order 5 mins Chris Underwood, Interim Director, Office of eHealth Innovation Old Business Approval of Minutes and SOPs 5 mins Commission Members Vote

761 views • 42 slides
4/ 17/ 2017 1 2 Lets S et the Tone WHY is there the for HIE? Healt h Informat ion

4/ 17/ 2017 1 2 Lets S et the Tone WHY is there the for HIE? Healt h Informat ion

4/ 17/ 2017 1 2 Lets S et the Tone WHY is there the for HIE? Healt h Informat ion Exchange (HIE): Over the last several years there have been presentations about being a data driven Impact on t he Behavioral Health and organizat

402 views • 7 slides
Federal Ef deral Efforts t s to Adv Advance Data Sharing nce Data Sharing Christi Christi

Federal Ef deral Efforts t s to Adv Advance Data Sharing nce Data Sharing Christi Christi

Federal Ef deral Efforts t s to Adv Advance Data Sharing nce Data Sharing Christi Christi Dant, Dant, State Systems Coordinator, Division of Data and Improvement (DDI), ACF, OPRE Chris T Chris Traver, Senior Advisor and Interoperability

408 views • 9 slides
Key Terminology Health Information Technology (HIT) - Computer systems and electronic technologies

Key Terminology Health Information Technology (HIT) - Computer systems and electronic technologies

Key Terminology Health Information Technology (HIT) - Computer systems and electronic technologies used for health and health care purposes Health Information Exchange (HIE) - An electronic means to share computerized health information, it can

451 views • 13 slides
FACA for Facilitators FACA for Facilitators Charles Howton, GSA Charles Howton, GSA Charles

FACA for Facilitators FACA for Facilitators Charles Howton, GSA Charles Howton, GSA Charles

FACA for Facilitators FACA for Facilitators Charles Howton, GSA Charles Howton, GSA Charles Howton, GSA Charles Howton, GSA Marilyn Kuray, EPA Marilyn Kuray, EPA Arthur Gary, DOI Arthur Gary, DOI Deborah Dalton, EPA Deborah Dalton, EPA 2

944 views • 40 slides
New York Health Benefit Exchange Update on State Implementation of Federal Health Care Reform

New York Health Benefit Exchange Update on State Implementation of Federal Health Care Reform

New York Health Benefit Exchange Update on State Implementation of Federal Health Care Reform Danielle Holahan Lisa Sbrana New York State Health Benefit Exchange Planning June 15, 2012 New Yorks Uninsured Nearly 2.7 million New Yorkers under

184 views • 15 slides

More recommend