9:00 - 9:45 AM, Monday, June 16th - General Session
What’s that reverberation you hear? It's the pace of change echoing throughout the healthcare industry thanks to non-stop advances in technology. That pace is dramatically changing our risk landscape, and healthcare privacy and security initiatives must evolve constantly to address new and growing threats.
In his keynote presentation, James Doggett, Senior Vice President and Chief Technology Risk Officer for Kaiser Permanente, will discuss the state of the health IT industry, how to protect your organization's technology assets and data and the role risk management will play in defining the future of healthcare.
In his highly engaging style, Jim will call on more than 20 years of information security experience to provide a big-picture perspective on, among other things:
1. Updating your technology risk model to take into account people, processes, and technology
2. Creating an organizational culture that embraces a shared responsibility for privacy and security
3. Convincing C-suite executives that privacy and security spending is a value-add and not just a cost
4. Using risk management for data loss prevention and other technology threats
Change is constant in healthcare and the related privacy and security threats can cause concern. Fortunately, as Jim will explain, there are ways to mitigate changes and the risks they represent so that you don’t get steamrolled by the future.
9:45 - 10:30 AM, Monday, June 16th - General Session
When it comes to cyber crime in healthcare, the numbers are truly scary: Criminal attacks on hospitals have jumped a whopping 100 percent from just four years ago, according to a recent industry report. And with the perception that healthcare security standards lag finance, insurance and other industries, many expect healthcare cyber attacks to jump as the crooks increasingly view provider organizations as low-hanging fruit.
In this session, a leading “ethical hacker” will open with an overview of the state of cyber crime in the United States, putting healthcare in perspective and discussing the types of vulnerabilities hackers are currently exploiting (and how) and those vulnerabilities they are likely to exploit in the future. Then senior security officers from two leading healthcare organizations will discuss their experiences with cyber crime and the types of attacks they are seeing. Importantly, they’ll also share their priorities and best practices for thwarting cyber criminals. This session will provide a clear-eyed view of the state of cyber crime in healthcare, and plenty of takeaways that attendees can use to better protect their own organizations.
12:00 - 12:15 PM, Monday, June 16th - General Session
Cloud technology has increasingly become a solution that healthcare organizations consider as they evaluate their present and future health IT needs. The results of the First Annual HIMSS Analytics Cloud Survey explore the ways that healthcare organizations are leveraging cloud technology, as well as the role that privacy and security play in an organization’s decision to employ cloud technology.
This survey addresses a wide variety of privacy and security considerations, including the willingness of cloud providers to sign business associate agreements (BAAs), the role that privacy and security considerations play in selecting a cloud provider, and how cloud technology can support data backup and disaster recovery.
2:00 - 2:45 PM, Monday, June 16th - General Session
Meaningful Use Stage 2 requires that at least 5% of a provider's patients view, download or transmit their information. Patient portals have become a must-have, and a secure data exchange is one of the most important requirements for a portal system. This Stage 2 requirement has triggered an array of security and privacy concerns that ultimately fall to the health information management and information technology departments to handle.
The Mayo Clinic has developed a liberal policy for allowing patients to access a majority of their medical information online, including allergies, medications, problems, laboratory tests, radiology notes and provider documentation. This session will discuss the impact this policy has had on the health information department, and cover important privacy and security issues such as amendment requests, authentication (in-person vs. online, etc.), criteria for passwords and how to change passwords and issues involving minors. Additionally, attendees will learn how Mayo prevents interception during transmission to ensure secure messaging, and protects viewing.
3:15 - 3:30 PM, Monday, June 16th - General Session
In addition to needing to address reliability issues from their recently upgraded, but under-performing DMZ firewall, Ascension Health wanted to expand the functionality of their platform. Wishing to integrate point-solutions for IDS/IPS, content-filtering and application-monitoring, Ascension also needed solutions to manage third-party clinical devices. The Fortinet suite of firewall, analysis and reporting modules secured these new-technology endpoints.
3:30 - 4:15 PM, Monday, June 16th - General Session
The numbers are astounding: Since the HITECH Act went into effect in 2009, more than 800 large data breaches (breaches that affected more than 500 individuals) have compromised nearly 30 million patient records.
Will your healthcare organization experience a breach? Many would say it’s not if, but when. To minimize the damage – both financial and to your organization’s reputation – you must be prepared.
In this presentation, Gerry Hinkley, one of the healthcare IT industry’s foremost legal authorities, will describe the essential pre-breach planning that needs to take place so that the day of discovery is well-ordered and productive and the ensuing response is timely and effective. He’ll follow this with a step-by-step explanation of what an organization must do immediately after a breach is discovered, from communications strategy, investigation, analysis and notifications all the way to how to manage litigation and civil remedies processes.
Participants will come away with a clear and concise understanding of how to incorporate best practices for breach preparation and response into their organizations' approaches to HIPAA compliance.
4:15 - 5:00 PM, Monday, June 16th - General Session
Medical devices, both remote and within the care environment, are no longer islands unto themselves. As more data from medical devices are fed into EHRs on a provider’s network, finding ways to secure and protect the devices from viruses and other cyber threats has become a vital part of any comprehensive security program.
This session covers key areas related to securing medical devices. It will:
Identify new drivers for an increased focus on medical device security and safety
Give an update on regulatory efforts to improve medical device security
Identify strategies for collaboration across medical device stakeholders to identify and mitigate medical device risks
Review and understand the vulnerabilities associated with wireless infrastructure
Attendees will leave this session with a much better understanding of the current state of medical device security, as well as how their own efforts to secure medical devices may – or may not – be falling short of industry best practice.
5:00 - 5:15 PM, Monday, June 16th - General Session
Today’s healthcare cloud conversations revolve around big data, analytics and data sharing. Important topics, for certain, but where is security in the discussion? And what about ensuring security without trading in performance requirements?
Kurt Hagerman, chief information security officer at FireHost, will lead this conversation about the healthcare discussion we should be having. One that focuses on security and performance in the cloud and provides specifics about how to choose providers and partners that can really protect PHI, versus only saying that they can.
10:00 - 10:45 AM, Tuesday, June 17th - General Session
The Health IT Policy Committee, through its Privacy and Security Tiger Team, has been the source of many of the privacy and security policies coming from ONC. In this session, we'll hear from the chair and co-chair of the Tiger Team, who will discuss some of their recent recommendations on accounting for disclosures and proxy access to health information through EHR portals, as well as some of the issues expected to be discussed in 2014, including activities of business associates, protections for minors' health information, privacy and security related to behavioral health records, and security standards. This session will help you stay on top of where ONC may be headed in the future with respect to privacy and security.
10:45 - 11:00 AM, Tuesday, June 17th - General Session
Organizations must balance the use of Big Data to drive business while protecting privacy (PHI and PII), maintaining HIPAA compliance, and minimizing the risks of exposure of legally protected or regulated data. Recent data breaches have demonstrated that perimeter-based and volume-encryption approaches to data security are not sufficient, especially against insider threats. Furthermore, given the growth rate of the massive amounts of structured and unstructured data compared to the modest growth rate for IT organizations, it’s clear that automation is essential to success.
In this session, we will highlight case studies of two healthcare organizations and share best practices for enabling data-centric security through automated discovery, masking and encryption of sensitive data.
10:45 - 11:00 AM, Tuesday, June 17th - General Session
Your users are bringing their own devices – and potentially a variety of security, legal and HR disasters – to and from work. With many unique roles and responsibilities within your organization, there are a variety of use cases related to BYOD. ZixCorp presents a fresh perspective and some real-world use cases and solutions for solving your most pressing BYOD challenges.
11:45 - 12:15 PM, Tuesday, June 17th - General Session
Within the next six months or so, the Office for Civil Rights at the U.S. Department of Health and Human Services will begin a new round of HIPAA compliance audits. And when the OCR comes knocking, providers must be ready, or, as we all know, huge fines could follow, and nobody wants that. Of course, conducting a HIPAA risk assessment and ongoing security risk analysis is easier said than done. Many providers lack either the financial resources or the in-house expertise. But with the right information at your fingertips, it can be done.
In this session, HIPAA privacy and security expert Kevin McDonald explains how even the smallest provider organization can conduct a security risk assessment that meets the OCR’s demanding standards. Attendees will learn:
What the OCR says it will be looking for when it conducts an audit
The key components of a HIPAA risk assessment
Why assembling an internal team to conduct a risk assessment is critical
What is reasonable for your organization so you don’t create more work than your staff and resources can handle
A risk assessment’s ROI – it can produce some significant workflow improvements
Kevin’s common-sense approach to conducting a HIPAA risk assessment will shed some badly needed light on this difficult process and help you prepare to pass an OCR audit.
12:15 - 1:00 PM, Tuesday, June 17th - General Session
When it comes to auditing eligible hospitals and professionals who received meaningful use incentive dollars, CMS has zero tolerance. If you’ve attested for meaningful use, but can’t prove that you’ve met every required core measure, prepare to return your incentive money. And when it comes to passing a meaningful use audit, the most significant fact may be this:
A “core measure” of meaningful use is the requirement to "conduct or review a security risk analysis," but failure to do that is the most common reason providers fail their EHR incentive audit, according to CMS.
But failure doesn’t have to be the default result. In this session, highly regarded meaningful use expert Jim Tate draws on his experience with numerous hospitals undergoing audits and highlights:
Potential red flags that could lead to failure – for example, your security risk analysis includes no action plan to address identified risks
Risk assessment “myths” (no, you don’t have to redo your SRA each year)
2:00 - 2:30 PM, Tuesday, June 17th - General Session
Medical identity theft and the resulting fraud is a serious and growing threat for stakeholders in the healthcare ecosystem – from healthcare providers and plans, to the service providers they work with, and to the consumer. Last year it affected nearly two million people at an estimated industry cost of over $40B. But this type of fraud is more than a financial loss. It can cost a life. The proliferation of electronic health data makes this crime a prime target. Research shows the chances of being a victim of fraud from a data breach are one in four. This session will discuss questions such as: What is medical identity fraud? What are the consequences? How do I prevent, detect and mitigate it? Learn about the trends of medical identity fraud, understand consumer attitudes and their effect on fraud, and find out about legislative and regulatory actions that could impact your operations.
2:30 - 3:15 PM, Tuesday, June 17th - General Session
The administrative leadership at St. Dominic Jackson Hospital in Jackson, Miss., got serious about privacy and security in 2007. That’s when a hospital VIP entered the hospital for treatment and some hospital employees snooped on his medical records. Once tipped off to the snooping, Dena Boggan, the hospital’s HIPAA privacy/security officer, tracked down the offenders, but it took her two months.
This was pre-HITECH, and in those days the snooping did not lead to a fine, but eventually, Boggan knew, it would, and she drove that point home hard to St. Dominic’s leadership. A year later, the hospital invested in auditing technology, and began to develop an extensive employee education program around privacy and security. These days, everyone at St. Dominic – “from the person doing the laundry all the way up to the CEO” – realizes that when it comes to privacy and security, “it’s really important to do the right thing, even when no one is looking,” Boggan said.
Boggan kicks off this session by detailing how St. Dominic developed its culture of privacy and security. Then Shahid Shah, the industry thought leader known across the internet as “The Healthcare IT Guy,” takes over, leading a group discussion on this critical topic: How can healthcare organizations develop cultures of privacy and security from the top down? What’s worked for you? What hasn’t? Learn from other attendees. This is peer-to-peer education at its best.
3:15 - 4:00 PM, Tuesday, June 17th - General Session
Cloud computing is all the buzz these days, and that buzz is likely to get louder. According to one estimate, the global cloud computing market for healthcare is increasing 20 percent a year and will reach $5.4 billion in 2017. It is easy to see why. Cloud-based technologies are scalable and promise to facilitate the exchange of patient information and provide IT services at lower costs and faster speeds.
Of course, those opportunities come with potential security risks, and those risks have kept some providers on the sidelines. Their greatest fears: Where is my data? Who has access to it? And how do I get it back?
This session will address those fears and explain how to choose a cloud computing vendor:
What due diligence should be performed?
What security controls or measures should be in place to make sure your organization is ready for the cloud?
How do you monitor the security performance of the cloud provider?
What are some best practices for contracting with cloud vendors and what should be included in a business associate agreement?
How should a cloud vendor share information about security incidents with your organization?
How often should your organization audit a cloud vendor and its data center?
In this session, you will hear expert perspective on these important questions and others, but you will also receive frontline input from a leading provider with deep experience with the cloud. Adopting a cloud solution does not mean your organization can be “hands off” about security. You still need to be proactive and vigilant, and this session will give you insights into how to do just that.