Past Events



Keynote: Manage Risk And Take Hold Of The Future

9:00 - 9:45 AM, Monday, June 16th - General Session

What’s that reverberation you hear? It's the pace of change echoing throughout the healthcare industry thanks to non-stop advances in technology. That pace is dramatically changing our risk landscape, and healthcare privacy and security initiatives must evolve constantly to address new and growing threats.

In his keynote presentation, James Doggett, Senior Vice President and Chief Technology Risk Officer for Kaiser Permanente, will discuss the state of the health IT industry, how to protect your organization's technology assets and data and the role risk management will play in defining the future of healthcare.

In his highly engaging style, Jim will call on more than 20 years of information security experience to provide a big-picture perspective on, among other things:

1.    Updating your technology risk model to take into account people, processes, and technology

2.    Creating an organizational culture that embraces a shared responsibility for privacy and security

3.    Convincing C-suite executives that privacy and security spending is a value-add and not just a cost

4.    Using risk management for data loss prevention and other technology threats

Change is constant in healthcare and the related privacy and security threats can cause concern. Fortunately, as Jim will explain, there are ways to mitigate changes and the risks they represent so that you don’t get steamrolled by the future. 


Jim Doggett

Senior Vice President, Chief Security Officer & Chief Technology Risk Officer
Kaiser Permanente

Frontline Perspective: Combating Cyber Crime In Healthcare

9:45 - 10:30 AM, Monday, June 16th - General Session

When it comes to cyber crime in healthcare, the numbers are truly scary: Criminal attacks on hospitals have jumped a whopping 100 percent from just four years ago, according to a recent industry report. And with the perception that healthcare security standards lag finance, insurance and other industries, many expect healthcare cyber attacks to jump as the crooks increasingly view provider organizations as low hanging fruit.

In this session, a leading “ethical hacker” will open with an overview of the state of cyber crime in the United States, putting healthcare in perspective and discussing the types of vulnerabilities hackers are currently exploiting  (and how) and those vulnerabilities they are likely to exploit in the future. Then senior security officers from two leading healthcare organizations will discuss their experiences with cyber crime and the types of attacks they are seeing. Importantly, they’ll also share their priorities and best practices for thwarting cyber criminals. This session will provide a clear-eyed view of the state of cyber crime in healthcare, and plenty of takeaway that attendees can use to better protect their own organizations.


Kevin Johnson

Secure Ideas


Ron Mehring

Senior Director, Chief Information Security Officer
Texas Health Resources

Michael Allred

Information Security Consultant/Identity and Access Team Manager
Intermountain Healthcare

Phil Alexander

Information Security Officer
University Medical Center

Cloud Use in the Healthcare Industry: Privacy & Security Considerations

12:00 - 12:15 PM, Monday, June 16th - General Session

Cloud technology has increasingly become a solution that healthcare organizations consider as they evaluate their present and future health IT needs. The results of the First Annual HIMSS Analytics Cloud Survey explore the ways that healthcare organizations are leveraging cloud technology, as well as the role that privacy and security play in an organization’s decision to employ cloud technology. 

This survey addresses a wide variety of privacy and security considerations, including the willingness of cloud providers to sign business associate agreements (BAAs), the role that privacy and security considerations play in selecting a cloud provider, and how cloud technology can support data back up and disaster recovery. 


Rick Bryant

National Solutions Architect
Symantec Corporation

Case Study: How the Mayo Clinic developed a robust, secure patient portal

2:00 - 2:45 PM, Monday, June 16th - General Session

Meaningful Use Stage 2 requires that at least 5% of a provider's patients view, download or transmit their information. Patient portals have become a must-have, and a secure data exchange is one of the most important requirements for a portal system. This Stage 2 requirement has triggered an array of security and privacy concerns that ultimately fall to the health information management and information technology departments to handle.

The Mayo Clinic has developed a liberal policy for allowing patients to access a majority of their medical information online, including allergies, medications, problems, laboratory tests, radiology notes and provider documentation. This session will discuss the impact this policy has had on the health information department, and cover important privacy and security issues such as amendment requests, authentication (in-person vs. online, etc.), criteria for passwords and how to change passwords and issues involving minors. Additionally, attendees will learn how Mayo prevents interception during transmission to ensure secure messaging, and protects viewing.


Mark A. Parkulo, MD

Vice-Chair, Meaningful Use Coordinating Group
Mayo Clinic

Barbara M. McCarthy

Health Information Management Services and Privacy Officer
Mayo Clinic, Florida

Leveraging Next Generation Firewall Functionality for Unique Healthcare Needs

3:15 - 3:30 PM, Monday, June 16th - General Session

In addition to needing to address reliability issues from their recently upgraded, but under-performing DMZ firewall, Ascension Health wanted to expand the functionality of their platform. Wishing to integrate point-solutions for IDS/IPS, content-filtering and application-monitoring, Ascension also needed solutions to manage third-party clinical devices. The Fortinet suite of firewall, analysis and reporting modules secured these new-technology endpoints.


Paul Smith

Network Manager for Information Services
Ascension Health

Planning For And Responding To A Breach

3:30 - 4:15 PM, Monday, June 16th - General Session

The numbers are astounding: Since the HITECH Act went into effect in 2009, more than 800 large data breaches (breaches that affected more than 500 individuals) have compromised nearly 30 million patient records.

Will your healthcare organization experience a breach? Many would say it’s not if, but when. To minimize the damage – both financial and to your organization’s reputation – you must be prepared.

In this presentation, Gerry Hinkley, one of the healthcare IT industry’s foremost legal authorities, will describe the essential pre-breach planning that needs to take place so that the day of discovery is well-ordered and productive and the ensuing response is timely and effective.  He’ll follow this with a step-by-step explanation of what an organization must do immediately after a breach is discovered, from communications strategy, investigation, analysis and notifications all the way to how to manage litigation and civil remedies processes. 

Participants will come away with a clear and concise understanding of how to incorporate best practices for breach preparation and response into their organizations' approaches to HIPAA compliance.


Gerry Hinkley

Pillsbury Winthrop Shaw Pittman

Best Practices for Medical Device Security

4:15 - 5:00 PM Monday, June 16th - General Session

Medical devices, both remote and within the care environment, are no longer islands unto themselves. As more data from medical devices are fed into EHRs on a provider’s network, finding ways to secure and protect the devices from viruses and other cyber threats has become a vital part of any comprehensive security program.

This session covers key areas related to securing medical devices. It will:

  • Identify new drivers for an increased focus on medical device security and safety
  • Give an update on regulatory efforts to improve medical device security
  • Identify strategies for collaboration across medical device stakeholders to identify and mitigate medical device risks
  • Review and understand the vulnerabilities associated with wireless infrastructure

Attendees will leave this session with a much better understanding of the current state of medical device security, as well as how their own efforts to secure medical devices may – or may not – be falling short of industry best practice.


Dale Nordenberg, MD

Co-founder, Executive Director
Medical Device Innovation, Safety & Security Consortium


Kevin Fu

Associate Professor of Electrical Engineering and Computer Science 
University of Michigan

Tom August

Director of Information Security
Sharp Healthcare

The Cornerstone of Any Healthy Cloud — How to Ensure Security Is Real

5:00 - 5:15 PM, Monday, June 16th - General Session

Today’s healthcare cloud conversations revolve around big data, analytics and data sharing. Important topics, for certain, but where is security in the discussion? And what about ensuring security without trading in performance requirements? 

Kurt Hagerman, chief information security officer at FireHost, will lead this conversation about the healthcare discussion we should be having. One that focuses on security and performance in the cloud and provides specifics about how to choose providers and partners that can really protect PHI, versus only saying that they can.


Kurt Hagerman

Chief Information Security Officer

Update From The ONC Privacy & Security Tiger Team

10:00 - 10:45 AM, Tuesday, June 17th - General Session

The Health IT Policy Committee, through its Privacy and Security Tiger Team, has been the source of many of the privacy and security policies coming from ONC.  In this session, we'll hear from the chair and co-chair of the Tiger Team, who will discuss some of their recent recommendations on accounting for disclosures and proxy access to health information through EHR portals, as well as some of the issues expected to be discussed in 2014, including activities of business associates, protections for minors' health information, privacy and security related to behavioral health records, and security standards.  This session will help you stay on top of where ONC may be headed in the future with respect to privacy and security.  


Erin McCann

Managing Editor 
Healthcare IT News


Deven McGraw

Partner, Healthcare Practice
Manatt, Phelps & Phillips

Micky Tripathi

President and CEO
Massachusetts eHealth Collaborative (MAeHC)

Big Data – Balancing Information, Privacy & Security

10:45 - 11:00 AM, Tuesday, June 17th - General Session

Organizations must balance the use of Big Data to drive business while protecting privacy (PHI and PII), maintaining HIPAA compliance, and minimizing the risks of exposure of legally protected or regulated data.  Recent data breaches have demonstrated that perimeter-based and volume-encryption approaches to data security are not sufficient, especially against insider threats. Furthermore, given the growth rate of the massive amounts of structured and unstructured data compared to the modest growth rate for IT organizations, it’s clear that automation is essential to success.

In this session, we will highlight case studies of two healthcare organizations and share best practices for enabling data-centric security through automated discovery, masking and encryption of sensitive data. 


Jeremy Stieglitz

Vice President of Product Management

BYOD: A Fresh Perspective - Avoid a Bring-Your-Own-DISASTER Scenario

10:45 - 11:00 AM, Tuesday, June 17th - General Session

Your users are bringing their own devices – and potentially a variety of security, legal and HR disasters – to and from work. With many unique roles and responsibilities within your organization, there are a variety of use cases related to BYOD. ZixCorp presents a fresh perspective and some real-world use cases and solutions for solving your most pressing BYOD challenges.


Geoff Bibby

Vice President Corporate Marketing

Best Practices For Passing An OCR Audit

11:45 - 12:15 PM, Tuesday, June 17th - General Session

Within the next six months or so, the Office for Civil Rights at the U.S. Department of Health and Human Services will begin a new round of HIPAA compliance audits. And when the OCR comes knocking, providers must be ready, or, as we all know, huge fines could follow, and nobody wants that. Of course, conducting a HIPAA risk assessment and ongoing security risk analysis is easier said than done. Many providers lack either the financial resources or the in-house expertise. But with the right information at your fingertips, it can be done.

In this session, HIPAA privacy and security expert Kevin McDonald explains how even the smallest provider organization can conduct a security risk assessment that meets the OCR’s demanding standards. Attendees will learn:

  • What the OCR says it will be looking for when it conducts an audit
  • The key components of a HIPAA risk assessment
  • Why assembling an internal team to conduct a risk assessment is critical
  • What is reasonable for your organization so you don’t create more work than your staff and resources can handle
  • A risk assessment’s ROI – it can produce some significant workflow improvements

Kevin’s common sense approach to conducting a HIPAA risk assessment will shed some badly need light on this difficult process and help you prepare to pass an OCR audit.



Kevin B. McDonald

Noloki Healthcare IT & Compliance

Meaningful Use Audit Red Flags: Pay Careful Attention To the Security Risk Analysis - or else

12:15 - 1:00 PM, Tuesday, June 17th - General Session

When it comes to auditing eligible hospitals and professionals who received meaningful use incentive dollars, CMS has zero tolerance. If you’ve attested for meaningful use, but can’t prove that you’ve met every required core measure, prepare to return your incentive money. And when it comes to passing a meaningful use audit, the most significant fact may be this:

A “core measure” of meaningful use is the requirement to "conduct or review a security risk analysis," but failure to do that is the most common reason providers fail their EHR incentive audit, according to CMS.

But failure doesn’t have to be the default result. In this session, highly regarded meaningful use expert Jim Tate draws on his experience with numerous hospitals undergoing audits and highlights:

  • Auditor expectations
  • Potential red flags that could lead to failure – for example, your security risk analysis includes no action plan to address identified risks
  • Risk assessment “myths” (no, you don’t have to redo your SRA each year)
  • Key requirements and deadlines.



Jim Tate

EMR Advocate

The High Price of Medical Identity Theft and Fraud

2:00 - 2:30 PM, Tuesday, June 17th - General Session

Medical identity theft and the resulting fraud is a serious and growing threat for stakeholders in the healthcare ecosystem – from healthcare providers and plans, to the service providers they work with, and to the consumer. Last year it affected nearly two million people at an estimated industry cost of over $40B. But this type of fraud is more than a financial loss. It can cost a life. The proliferation of electronic health data makes this crime a prime target. Research shows the chances of being a victim of fraud from a data breach is one in four. This session will discuss questions such as: What is medical identity fraud? What are the consequences? How do I prevent, detect and mitigate it? Learn about the trends of medical identity fraud, understand consumer attitudes and its effect on fraud, and find out about legislative and regulatory actions that could impact your operations.


Ann Patterson

Senior Vice President and Program Director 
Medical Identity Fraud Alliance (MIFA)

Group Discussion: How Do You Develop A Culture Of Privacy And Security?

2:30 - 3:15 PM, Tuesday, June 17th - General Session

The adminstrative leadership at St. Dominc Jackson Hospital in Jackson, Miss., got serious about privacy and security in 2007. That’s when a hospital VIP entered the hospital for treatment and some hospital employees snooped on his medical records. Once tipped off to the snooping, Dena Boggan, the hospital’s HIPAA privacy/security officer, tracked down the offenders, but it took her two months.

This was pre HITECH, and in those days the snooping did not lead to a fine, but eventually, Boggan knew, it would, and she drove that point home hard to St. Dominic’s leadership. A year later, the hospital invested in auditing technology, and began to develop an extensive employee education program around privacy and security. These days, everyone at St. Dominic – “from the person doing the laundry all the way up to the CEO” –  realizes that when it comes to privacy and security, “it’s really important to do the right thing, even when no one is looking,” Boggan said.

Boggan kicks off this session by detailing how St. Dominic developed its culture of privacy and security. Then Shahid Shah, the indusry thought leader known across the internet as “The Healthcare IT Guy,” takes over, leading a group discussion on this critical topic: How can healthcare organizations develop cultures of privacy and security from the top down? What’s worked for you? What hasn’t? Learn from other attendees. This is peer-to-peer education at its best.


Dena Boggan

HIPAA Privacy/Security Officer
St. Dominic Hospital

Minimize The Security Risks Of Health Data In The Cloud

3:15 - 4:00 PM, Tuesday, June 17th - General Session

Cloud computing is all the buzz these days, and that buzz is likely to get louder. According to one estimate, the global cloud computing market for healthcare is increasing 20 percent a year and will reach $5.4 billion in 2017. It is easy to see why. Cloud-based technologies are scalable and promise to facilitate the exchange of patient information and provide IT services at lower costs and faster speeds.

Of course, those opportunities come with potential security risks, and those risks have kept some providers on the sidelines. Their greatest fears: Where is my data? Who has access to it? And how do I get it back?

This session will address those fears and explain how to choose a cloud computing vendor:

  • What due diligence should be performed?
  • What security controls or measures should be in place to make sure your organization is ready for the cloud?
  • How do you monitor the security performance of the cloud provider?
  • What are some best practices for contracting with cloud vendors and what should be included in a business associate agreement?
  • How should a cloud vendor share information about security incidents with your organization?
  • How often should your organization audit a cloud vendor and its data center?

In this session, you will hear expert perspective on these important questions and others, but you will also receive frontline input from a leading provider with deep experience with the cloud. Adopting a cloud solution does not mean your organization can be “hands off” about security.  You still need to be proactive and vigilant, and this session will give you insights into how to do just that.


Lee Kim

Director, Privacy & Security 

John Houston

Vice President, Privacy and Information Security & Associate Counsel

Kurt Hagerman

Chief Information Security Officer

Learn more about the 2020 Event


Subscribe for updates