Is Your Business Continuity Plan HIPAA ? Jerry Reick, CBCP, CHS-II Global Business Continuity Lead Rockwell Automation Company Confidential
Alternate Titles “Don’t HIPAA COW, Man…………Bart Simpson”
Alternate Titles “DR and BC……It’s HIPAA to prepare.”
Background
• 6 years' experience as a Business Continuity Professional at two international companies with multiple facilities and data centers
• 15 years' experience in IT, software development and management
• Industry experience: banking, insurance, financial services, healthcare, manufacturing
• Certified Business Continuity Planner – CBCP (Disaster Recovery Institute International); Certified Homeland Security, Level II – CHS-II
• 23+ years' military experience, with 10 years in planning and operations
Objectives
• Have FUN, a free exchange of ideas
• Overview of Disaster Recovery and Business Continuity
• Discuss the needs and goals for HIPAA
• Discuss the touch points, where HIPAA affects your organization
• Identify specific threats and explore possible controls
Professional Standards
The terminology and processes presented here are based on the best practices and professional principles established by the Disaster Recovery Institute International (DRII). The DRII is a non-profit organization whose mission is to provide the leadership and best practices that serve as a base of common knowledge for all business continuity and disaster recovery planners and organizations in the industry.
Acronyms
• Disaster Recovery Planning – DRP
• Business Resumption Planning – BRP
• Business Continuity Planning – BCP
• Risk Assessment – RA
• Business Impact Analysis – BIA
Disaster Recovery vs Business Continuity
Disaster Recovery – Process of developing advanced arrangements and procedures that enable an organization to respond to a disaster and resume critical business functions in a predetermined amount of time, minimize the amount of loss, and repair or replace damaged facilities and equipment as soon as possible.
Business Continuity – Process of developing advanced arrangements and procedures that enable an organization to respond to an event or interruption in a manner that enables critical business functions to resume without interruption or essential change.
The Journey from DR to BC
1970's                 Post Y2K
IT Centric             Business Centric
Simple Environment     Complex Environment
Reactive               Proactive
Uncle Jerry's Tenets of BC
• First things first: understand the threats and outside influences (Risk Analysis)
• Know what's at risk
• Know your company's risk appetite
• Build and implement a solution that fits
BC Considerations
• BCP is an INITIATIVE, not a project
• It is not IT specific. Rather, it has a business-centric focus and involves all primary and support components for a product/process.
• The ultimate goal of Business Continuity Planning is to identify critical processes and components that are susceptible to an interruption or outage and make them more resilient.
• An effective BC program is cost-efficient and scaled to meet the needs of the Company
BC Program Drivers
• Regulatory & Agency Compliance:
  • SOX, HIPAA, ??????
  • NFPA, FEMA, FFIEC, FED, FERC
• Response to Industry needs and customer requirements/inquiries
• Global nature of Business
• New awareness of and response to the World Situation; Homeland Security
Benefits of a BC Program
• Audit and map processes – may lead to further efficiencies, process improvements, reduced waste and costs
• Identify critical components and single points of failure – "If something happens to this facility, process or hardware, how will it affect my ability to conduct business?"
• Clearer definition and understanding of downtime costs – tangible and intangible impacts of a business interruption
• Meet regulatory and audit requirements – SOX, HIPAA, ???
• Once implemented – in the event of an unplanned outage, shorten downtime and reduce the impact on the business to acceptable levels
HIPAA Defined
Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Passed by Congress to reform the insurance market and simplify the health care administrative process in order to realize long-term benefits in the areas of:
  • portability, privacy and security of patient data,
  • lowering administrative costs (currently at 26%),
  • enhancing accuracy of data and reports,
  • increasing customer satisfaction,
  • reducing cycle time and
  • improving cash management.
HIPAA Goals
• Administrative simplification – reduce the number of forms and methods of completing claims and other payment-related documents
• Establish universal identifiers and code sets for providers of health care
• Increase the use and efficiency of computer-to-computer methods of exchanging standard health care information via EDI (Electronic Data Interchange – standard electronic file formats)
HIPAA Touchpoints
Information Technology systems
• Internal Business use
• Claims
• Records inquiries (EDI)
Medical equipment that holds patient data
• MRI
• CT
• EEG
• Ultrasound machines
HIPAA Touchpoints
Patient interface
• Contact by primary care and support staff
• Other patients
Employee Conduct
• Human error
• Fraudulent activity
• Malicious behavior
HIPAA Touchpoints
Administrative processing
• Admissions
• Ordering medications, tests, etc.
• Claim and insurance processing
Handling, security and storage of medical records
• On-site
• Off-site
Threats and Controls
External intrusion / compromise of computer systems and equipment that holds patient data
• Viruses, Worms, Spyware, etc.
• Outside monitoring and data mining (think wireless)
• Exploitation of router vulnerabilities, e.g. denial of service
Controls
• Anti-virus, intrusion detection software, etc.
• Restrict and monitor employee internet access
• Block ranges of IP addresses, etc.
Threats and Controls
Patient interface and employee conduct
• Misuse of information by employees, temps or consultants
• Acts of sabotage by disgruntled employees
• Exploitation of patients by other patients
Controls
• Strengthen hiring policies – vetting of workers, background and reference checks
• Security controls for systems and facility access
• Monitor patient behavior, CCTV, restrict use of patient SSN
Threats and Controls
Exploitation of Medical Records
Controls
• Policies on the use of SSN as patient numbers
• Enhanced physical security
• Aggressive password rules, auto-logoff functions, etc.
• Data encryption on storage devices
• Use an insured and bonded off-site storage provider
Threats and Controls
Errors or exploitation of administrative processes
• Human Error
• Malicious behavior
• Compromise of electronic files
Controls
• Role-based systems access
• Enhanced application controls, change management
• Audit trails
• Use of standard formats and encryption schemes
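The two control slides above list auto-logoff, role-based systems access and audit trails side by side. The following is an added illustration written for this page, not code from the presentation or from Rockwell Automation, showing how those three controls fit together in front of an ePHI record store. The roles, the fields each role may see, the 15-minute idle timeout and the sample patient record are all constructed assumptions.

```python
"""Added example (not from the slides or from Rockwell Automation): a toy
ePHI record gateway implementing three controls from the slides above:
role-based systems access, an audit trail, and auto-logoff of idle sessions.
Roles, permitted fields, the timeout and the sample record are assumptions."""
from dataclasses import dataclass, field

# Assumed roles and the actions each may perform on a patient record.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read_billing"},
    "admissions": {"read_demographics", "write_demographics"},
}

# Record fields each action may touch (least privilege: billing never sees a diagnosis).
ACTION_FIELDS = {
    "read": {"name", "dob", "diagnosis", "insurance_id"},
    "write": {"diagnosis"},
    "read_billing": {"name", "insurance_id"},
    "read_demographics": {"name", "dob"},
    "write_demographics": {"name", "dob"},
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed auto-logoff threshold


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # clock value passed in explicitly so the logic is testable


@dataclass
class Gateway:
    records: dict                                  # record_id -> dict of fields
    sessions: dict = field(default_factory=dict)   # user -> Session
    audit_log: list = field(default_factory=list)  # append-only trail

    def _audit(self, user, action, record_id, outcome, now):
        # The trail records who did what to which record and whether it was
        # allowed; it deliberately never copies the ePHI itself.
        self.audit_log.append({"time": now, "user": user, "action": action,
                               "record": record_id, "outcome": outcome})

    def login(self, user, role, now):
        if role not in ROLE_PERMISSIONS:
            self._audit(user, "login", None, "denied: unknown role", now)
            return False
        self.sessions[user] = Session(user, role, now)
        self._audit(user, "login", None, "allowed", now)
        return True

    def access(self, user, action, record_id, now, new_values=None):
        """Return the permitted view of the record, or None when denied."""
        session = self.sessions.get(user)
        if session is None:
            self._audit(user, action, record_id, "denied: no session", now)
            return None
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user]  # auto-logoff: idle session is discarded
            self._audit(user, action, record_id, "denied: idle timeout, logged off", now)
            return None
        session.last_activity = now
        if action not in ROLE_PERMISSIONS[session.role]:
            self._audit(user, action, record_id, "denied: role not permitted", now)
            return None
        record = self.records.get(record_id)
        if record is None:
            self._audit(user, action, record_id, "denied: no such record", now)
            return None
        allowed = ACTION_FIELDS[action]
        if new_values:
            # Updates need a write action, and only on fields that action covers.
            if not action.startswith("write") or not set(new_values) <= allowed:
                self._audit(user, action, record_id, "denied: field not permitted", now)
                return None
            record.update(new_values)
        self._audit(user, action, record_id, "allowed", now)
        return {k: record[k] for k in allowed}


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    gw = Gateway(records={"P-1001": {"name": "Constructed Patient", "dob": "1970-01-01",
                                     "diagnosis": "sample", "insurance_id": "INS-0001"}})
    gw.login("dr_a", "physician", 1000.0)
    gw.login("clerk_b", "billing", 1000.0)
    gw.access("dr_a", "read", "P-1001", 1001.0)
    gw.access("clerk_b", "read", "P-1001", 1001.0)          # denied: wrong role
    gw.access("dr_a", "read", "P-1001", 1001.0 + 16 * 60)   # denied: auto-logoff
    for entry in gw.audit_log:
        print(entry)
```

Every decision, allowed or denied, lands in the audit trail, which is what an auditor reviewing HIPAA access controls will ask to see; the trail holds identifiers and outcomes only, so it can be retained and reviewed without itself becoming a store of ePHI.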
Examples of HIPAA Risks
• Loss of financial cash flow
• Permanent loss or corruption of electronic protected health information (ePHI)
• Temporary loss or unavailability of medical records
• Unauthorized access to or disclosure of ePHI
• Loss of physical assets (computers, etc.)
• Damage to reputation and public confidence
• Threats to patient and/or employee safety
Risk Analysis
Identify Threats, Vulnerabilities and Assess Controls
• Risk Analysis is the methodology and structure used to identify threats, determine vulnerabilities and identify at-risk elements of the organization.
• Risk Assessment is stating the amount of damage, loss or value that might be incurred.
• Vulnerability is the exposure to damage or an event that can cause actual loss to company assets. Sometimes referred to as probability.
• Controls are processes, hardware or procedures that are put in place to mitigate, or reduce, the exposure to a threat.
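To show how the four definitions on the Risk Analysis slide combine with the "know your company's risk appetite" tenet, here is an added example written for this page; it is not the DRII's method or the presenter's tool. The slide's vulnerability (exposure, "sometimes referred to as probability") becomes `probability`, its risk assessment (amount of loss) becomes `impact`, and a control is modelled as the fraction of the exposure it removes. The threats, figures and appetite in the register are constructed sample values, and the simple probability-times-impact scoring is one common convention, not the only one.

```python
"""Added example (not the DRII's or the presenter's method): a small risk
register that carries the slide's definitions through to a ranked list.
Threats, figures and the risk appetite are constructed sample values."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float     # the slide's "vulnerability": annual likelihood, 0..1
    impact: float          # the slide's "risk assessment": loss if realised, currency units
    control_effect: float  # fraction of the exposure removed by controls in place, 0..1


def inherent_risk(t: Threat) -> float:
    """Expected annual loss before any control is applied."""
    return round(t.probability * t.impact, 2)


def residual_risk(t: Threat) -> float:
    """Expected annual loss after the controls in place reduce the exposure."""
    return round(t.probability * (1.0 - t.control_effect) * t.impact, 2)


def control_needed(t: Threat, risk_appetite: float) -> float:
    """Smallest control_effect that brings the residual risk within the appetite
    (0.0 if it already is; 1.0 means only eliminating the exposure would do)."""
    inherent = t.probability * t.impact
    if inherent <= risk_appetite:
        return 0.0
    return round(min(1.0, 1.0 - risk_appetite / inherent), 2)


def rank(threats, risk_appetite):
    """Rank threats by residual risk, flagging those still above the appetite."""
    rows = [(t.name, residual_risk(t), residual_risk(t) > risk_appetite) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register drawn from the threat slides above.
SAMPLE_THREATS = [
    Threat("Virus/worm on records server", 0.30, 500_000, 0.70),
    Threat("Insider misuse of ePHI", 0.05, 800_000, 0.20),
    Threat("Off-site media lost in transit", 0.10, 200_000, 0.50),
    Threat("Router denial of service", 0.40, 50_000, 0.60),
]
SAMPLE_APPETITE = 20_000.0  # constructed: tolerated expected annual loss per threat

if __name__ == "__main__":
    for name, residual, above in rank(SAMPLE_THREATS, SAMPLE_APPETITE):
        status = "ABOVE APPETITE" if above else "within appetite"
        print(f"{name:32s} {residual:>10,.0f}  {status}")
```

The ranking is what turns a list of threats into a work plan: the two rows still above the appetite are where the next control investment goes, and `control_needed` says how much reduction each of them requires before the residual risk is acceptable.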
What Can I Do??
Be intimately familiar with applicable regulations
Be aware of and understand the threats and your exposures – get involved in risk assessment
Ask questions and gather facts
• Do we have a business continuity program and disaster recovery plan?
• What are our security policies?
• Is the IT organization aware of HIPAA? What's the plan?
Take every opportunity to educate
Continuous Improvement
Establish and enforce best practices in the areas of:
• Business continuity methodology and implementation
• Standardization of systems hardware, software and monitoring tools
• Review and modification of policies and procedures
• Regulatory compliance
• Internal & external security
• Process for handling and storing data
Final Thoughts
You are a KEY player in the success of your Business
Security and compliance are everybody's job
Privacy and Security are conjoined twins
Never Stop Challenging the Norm and Asking, "WHAT IF?"