Jerry Reick - PowerPoint PPT Presentation

Is Your Business Continuity Plan HIPAA ?

Jerry Reick, CBCP, CHS-II

Global Business Continuity Lead

Rockwell Automation

Company Confidential


Alternate Titles

“Don’t HIPAA COW, Man…………Bart Simpson”


Alternate Titles

“DR and BC……It’s HIPAA to prepare.”


Background

  • 6 years' experience as a Business Continuity Professional at two international companies with multiple facilities and data centers

  • 15 years' experience in IT, software development and management

  • Industry experience: banking, insurance, financial services, healthcare, manufacturing.

  • Certified Business Continuity Planner - CBCP (Disaster Recovery Institute International). Certified Homeland Security, Level II – CHS-II

  • 23+ years military experience w/10 years in planning and operations


Objectives

  • Have FUN, a free exchange of ideas

  • Overview of Disaster Recovery and Business Continuity

  • Discuss the needs and goals for HIPAA

  • Discuss the touch points, where HIPAA affects your organization

  • Identify specific threats and explore possible controls



Disclaimer

The terminology and processes presented here are based on the best practices and professional principles established by the Disaster Recovery Institute International (DRII).

The DRII is a non-profit organization whose mission is to provide the leadership and best practices that serve as a base of common knowledge for all business continuity and disaster recovery planners and organizations in the industry.

Company Confidential




Acronyms

  • Disaster Recovery Planning – DRP

  • Business Resumption Planning - BRP

  • Business Continuity Planning– BCP

  • Risk Assessment – RA

  • Business Impact Analysis – BIA


Disaster Recovery vs Business Continuity

Disaster Recovery – Process of developing advanced arrangements and procedures that enable an organization to respond to a disaster and resume critical business functions in a predetermined amount of time, minimize that amount of loss and repair or replace damaged facilities and equipment as soon as possible.

Business Continuity – Process of developing advanced arrangements and procedures that enable an organization to respond to an event or interruption in a manner that enables critical business functions to resume without interruption or essential change.


The Journey from DR to BC

1970's                Post Y2K

IT Centric            Business Centric

Simple Environment    Complex Environment

Reactive              Proactive


Uncle Jerry’s Tenets of BC

  • First things first: understand the threats and outside influences (Risk Analysis)

  • Know what's at risk

  • Know your company's risk appetite

  • Build and implement a solution that fits


BC Considerations

  • BCP is an INITIATIVE not a project

  • It is not IT specific. Rather, it has a business-centric focus and involves all primary and support components for a product/process.

  • The ultimate goal of Business Continuity Planning is to identify critical processes and components that are susceptible to an interruption or outage and make them more resilient.

  • An effective BC program is cost-efficient and scaled to meet the needs of the Company


BC Program Drivers

  • Regulatory & Agency Compliance:

    • SOX, HIPAA, ??????

    • NFPA, FEMA, FFIEC, FED, FERC

  • Response to Industry needs and customer requirements/inquiries

  • Global nature of Business

  • New awareness of and response to the world situation; Homeland Security


Benefits of a BC Program

  • Audit and map processes – may lead to further efficiencies, process improvements, reduce waste and costs

  • Identify critical components and single points of failure – "If something happens to this facility, process or hardware, how will it affect my ability to conduct business?"

  • Clearer definition and understanding of downtime costs – Tangible and intangible impacts of a business interruption.

  • Meet regulatory and audit requirements – SOX, HIPAA, ???

  • Once implemented - In the event of an unplanned outage, shorten downtime and reduce the impact on the business to acceptable levels.


HIPAA Defined

Health Insurance Portability and Accountability Act (HIPAA) of 1996

  • Passed by Congress to reform the insurance market and simplify the health care administrative process in order to realize long-term benefits in the areas of:

    • Portability, privacy and security of patient data,

    • lowering administrative costs (currently at 26%),

    • enhancing accuracy of data and reports,

    • increasing customer satisfaction,

    • reducing cycle time and

    • improving cash management.


HIPAA Goals

  • Administrative simplification - reduce the number of forms and methods of completing claims, and other payment-related documents,

  • Establish universal identifier and code sets for providers of health care.

  • Increase the use and efficiency of computer-to-computer methods of exchanging standard health care information via EDI (Electronic Data Interchange - standard electronic file formats).


HIPAA Touchpoints

Information Technology systems

  • Internal Business use

  • Claims

  • Records inquiries, (EDI)

Medical equipment that holds patient data

  • MRI

  • CT

  • EEG

  • Ultrasound machines


HIPAA Touchpoints

Patient interface

  • Contact by primary care and support staff

  • Other patients

Employee Conduct

  • Human error

  • Fraudulent activity

  • Malicious behavior


HIPAA Touchpoints

Administrative processing

  • Admissions,

  • Ordering medications, tests, etc.

  • Claim and insurance processing

Handling, security and storage of medical records

  • On-site

  • Off-site


Threats and Controls

External intrusion / compromise of computer systems and equipment that holds patient data

  • Viruses, Worms, Spyware, etc.

  • Outside monitoring and data mining (think wireless)

  • Exploitation of router vulnerabilities, e.g. denial of service

Controls

  • Anti-virus, intrusion detection software, etc.

  • Restrict and monitor employee internet access

  • Block ranges of IP addresses, etc.


Threats and Controls

Patient interface and employee conduct

  • Misuse of information by employees, temps or consultants

  • Acts of sabotage by disgruntled employees

  • Exploitation of patients by other patients

Controls

  • Strengthen hiring policies - Vetting of workers, background and reference checks

  • Security controls for systems and facility access

  • Monitor patient behavior, CCTV, restrict use of patient SSN.


Threats and Controls

Exploitation of Medical Records

Controls

  • Policies on the use of SSN as patient numbers

  • Enhanced physical security

  • Aggressive password rules, auto-logoff functions, etc.

  • Data encryption on storage devices

  • Use an insured and bonded off-site storage provider


Threats and Controls

Errors or exploitation of administrative processes

  • Human Error

  • Malicious behavior

  • Compromise of electronic files

Controls

  • Role based systems access

  • Enhanced application controls, change management

  • Audit trails

  • Use of standard formats and encryption schemes


Examples of HIPAA Risks

  • Loss of financial cash flow

  • Permanent loss or corruption of electronic protected health information (ePHI)

  • Temporary loss or unavailability of medical records

  • Unauthorized access to or disclosure of ePHI

  • Loss of physical assets (computers, etc.)

  • Damage to reputation and public confidence

  • Threats to patient and/or employee safety


Risk Analysis

Identify Threats, Vulnerabilities and Assess Controls

  • Risk Analysis is the methodology and structure used to identify threats, determine vulnerabilities and identify at risk elements of the organization.

  • Risk Assessment is stating the amount of damage, loss or value that might be incurred.

  • Vulnerability is the exposure to damage or an event that can cause actual loss to company assets. Sometimes referred to as probability.

  • Controls are processes, hardware or procedures that are put in place to mitigate, or reduce, the exposure to a threat.


What Can I Do??

Be intimately familiar with applicable regulations

Be aware of and understand the threats and your exposures – get involved in risk assessment

Ask questions and gather facts

  • Do we have a business continuity program and disaster recovery plan?

  • What are our security policies?

  • Is the IT organization aware of HIPAA, what’s the plan?

Take every opportunity to educate


Continuous Improvement

Establish and enforce best practices in the areas of:

  • Business continuity methodology and implementation

  • Standardization of systems hardware, software and monitoring tools

  • Review and modify policies and procedures

    • Regulatory compliance

    • Internal & external security

    • Process for handling and storing data



Final Thoughts

You are a KEY player in the success of your Business

Security and compliance are everybody’s job

Privacy and Security are conjoined twins

Never Stop Challenging the Norm and Asking,

“WHAT IF ?”
