140 likes | 255 Views
AMC Security and Privacy Conference: Daily Track Report. For the Futures Track Track Co-chairs: Mariann Yeager myeager@truarx.com 703-519-0817 John Parmigiani jparmigiani@quickcompliance.net 410-750-2497. Sessions Being Reported On:. Future Uses of Encryption
E N D
AMC Security and Privacy Conference: Daily Track Report For the Futures Track Track Co-chairs: Mariann Yeager myeager@truarx.com 703-519-0817 John Parmigiani jparmigiani@quickcompliance.net 410-750-2497
Sessions Being Reported On: • Future Uses of Encryption • Evolving Security & Privacy Laws & Regulations • State Laws & Regulations: Current Trends and Their Implications to AMCs • Identity and Access Management
Key Points: Future Uses of Encryption • Data in transit (with open/untrusted networks or trading partners) - encryption commonly employed • Data at rest – greater risk to data, but also greater risk in implementing encryption (key management, training, etc.) No single solution/approach evident (Windows EFS, PGP, etc.) • E-mail issues still unresolved • Physician-patient portals are alternative • No single solution/approach evident – still in progress • User issues – cultural, behavioral are biggest challenge
Key Instant Poll Results • Polled item: • Even though encryption is now an addressable implementation specification, will the need to protect ePHI make it a mandatory requirement in your AMC? • Poll results: • Majority – Agree • 7 Strongly Agree • Key observation: • Risks to ePHI necessitate additional protections and warrant some form of implementation of encryption • Informal poll - most institutions (approx. 75%) use encryption in some form today (e-mail or data) today
Follow ups • Further explore encryption strategies – with particular emphasis on e-mail, data at rest and for portable devices
Key Points: Evolving Security & Privacy Laws & Regulations • States taking lead in strong enforcement (e.g. CA, NC, etc.) as opposed to HHS • FTC Rules have teeth with security breaches (e.g. Eli Lily, BJs, Petco) • Managing Risk of FDA Devices – patching issues and approaches • Focus – to protect against identity theft - New driver – security breach notification • PR implications often more critical than enforcement penalties • Identity Theft Resource Center lists 19 Academic centers as representing >50% of the breaches. Top 100 list.
Key Instant Poll Results • Polled item:Have you found the direction and trends discussed here to be also what you are experiencing at your institution? • Poll results: • Neither agree not disagree 1 • Agree 6 • Strongly agree 16 • Key observation:Need for centralized management of all regulatory compliance to tie security and privacy initiatives together
Follow ups • Strategies require further discussion • For more information regarding incidents: • Privacyrights.org • Identity Theft Resource Center
Key Points: State Laws & Regulations: Current Trends and Their Implications to AMCs • Terminology conflicts between state and federal laws for privacy and security • Lots of confusion / ambiguity even within state • Preemption issues are embedded within obscure state laws/regulations • Federal laws/regs (e.g. HIPAA, SOX, GLBA, etc.) becoming standard of care used in state law actions • Implied contract, Invasion of privacy, Intentional infliction of emotional, Negligence) • Could be used to create state-level right to action
Key Instant Poll Results • Polled item: • My AMC is concerned about future state laws related to information security and privacy • Poll results: • Seasoned group (2+ years in their position • Neutral feedback – some concerned, some not as much • Key observation: • Have AMCs have done exhaustive preemption analysis that touches all state laws? • Nobody is fully compliant with either HIPAA and/or state laws concerning privacy and security
Follow ups • Further work needed to explore issues around state preemption
Key Points: Identity and Access Management • Identity management is more process than technology • Challenge of diverse and fluctuating populations at AMC • Important to establish “rules of engagement” within your AMC and when interacting with other institutions • Federated identity approach • I2 Middleware – Shibboleth • Can healthcare implement this effectively?
Key Instant Poll Results • Polled item:Is your institution involved in an IAM initiative? • Poll results: • 2 considering it • 4 budgeted for it • 2 actively implementing • 1 implemented, but still working on it • Key observation: • IAM is in early stages at most institutions – although great progress is being made • Driver is not identity management per se, but to efficiently gain access to critical information
Follow ups • Demonstration projects at AMCs • More education needed regarding IAM • Resources • www.nmi-edit.org – National Science Foundation Middleware Initiatives • www.incommonfederation.org • www.Inqueue.internet2.edu • www.shibboleth.internet2.edu