Hello and welcome to the Cyber Security 90. Learning course. Implementing a HIPPA compliance program for leadership. My name is Kevin Mayo, your instructor. It's with great pleasure that the Cyber 18 brings to you what we think is an instrumental course that will provide every security and I t professional the knowledge regarding one of the very first adopted standards for protecting an individual's privacy.
The Health Information Portability and Accountability Act,
or HIPPA. And it's HIPPA the change forever. How covered entities protect the privacy and confidentiality oven Individuals Protected Health information. Ph. I If you're a department manager, a team leader or privacy or compliance officer that must implement and enforce your organization's privacy and security policies, well, this course is going to be for you. And now let's go have some fun.
Hello, and you are watching and listening to the Cyber Bury Implementing a HIPAA compliance program for leadership course hip, a foundational learning in advanced topics. HIPPA Program management and HIPPA compliance. My name is Kevin Mayo and I'm your Sai Buri instructor,
so welcome to the implementing a HIPPA compliance program for leadership, which is not just learning about HIPPA. The health information Portability and Accountability Act, but you will actually be learning how to implement the hip. A program in a role is a CSO director, manager or compliance officer.
The implementing a HIPAA compliance program for leadership course will help the students understand the components of the hippie security standards, including the hippie security rule, privacy rules and enforcement rules. You will learn the controls of protected health information, PH. I and the electronic version of it. E P H I, including the administrative controls things like policy,
physical controls, controlling the physical access to patient data
and the technical controls like encryption and the technical monitoring and logging of your patient data. You will learn about the requirements of maintaining a compliance programs, such as the need of your organization to have a compliance officer. And your security programs need to maintain vulnerability management in system hardening programs.
And we have an entire module dedicated to actually implementing a hip of compliance program.
As a member of leadership of a health care organization, you yourself will help your security program early in its infancy grow and mature into a HIPPA compliance security program. So we're going to cover a lot in this course on, we're gonna try to have some fun along the way doing it.
There are no technical prerequisites for this course. Yea, but unfortunately for some of you were not going to get the chance to review access control list in your firewall or data loss prevention rules in your email security proxy. I know that sounds like fun, but instead we're gonna have a different kind of fun learning and implementing HIPPA. There is a lot to hip
and just the published security rule from the Department of Health and Human Services HHS, published in February 2000 and three
is 49 pages. We will cover in depth the foundational concepts of HIPPA. But if you're to be a successful leader in your hip a program, you need to have mastery of the hippest standards, which includes the security rule, privacy rule, compliance and enforcement breach notification, omnibus rule covered entities and business associates,
patient safety risk, business continuity and disaster recovery,
employee training and more. We will be reviewing the policies, procedures and methodologies of a security program that protects the confidentiality, integrity and availability of patient data, and then we will actually implement our hip, a security program and hopefully have some fun along the way.
So a little bit about me. I've been in the Enterprise Network for more than 20 years and several roles, including Sales Engineer Solutions, architect, Cisco, Practice, lead and currently the director of cybersecurity and virtual sea. So for a leading integrator in the Pacific Northwest,
I have helped improve the wired and wireless networks, data centers, cloud migrations and security programs of state agencies,
commercial enterprises and healthcare organizations across the Pacific Northwest. I currently maintain over 40 i t. Certifications, and you can find me on my linked in page Facebook and via my Blawg secure giraffe dot com
module. One of the course is comprised of eight lectures or recover the hip of security, privacy enforcement and omnibus rules in depth we. Then we'll cover the HIPPA concepts of user responsibility and meaningful use. This thing we hope we don't have to announce to the world a data breach. Public health records where we managed once are now in the open public domain and on the dark Web.
And so now what are our responsibilities?
Who and when do we have to notify due to the breach notification rule. We will review our responsibilities in sharing data with our partners via what is called business associate agreements, and that we have to care a lot more than just HIPPA and our security program because we have to manage other standards and guidelines like high trust and this cybersecurity framework
and why and when they apply to us.
The A lectures and module to is what we actually do to cure and manage the day to day feeding of our hipper program. We went over and module one the information that we have to protect to be HIPPA compliant. Now we go down the path and module to of going about the administrative, physical and technical controls of being compliant. We will review access controls to our
and the safeguards that need to be in place. We review technologies like data encryption making sure are protected. Health information is always available with our business continuity and disaster recovery programs. We review what it means to be compliant, using tools like monitoring, logging and reporting, and how we're addressing risk
and minimizing our risk because we have robust system hardening and vulnerability programs.
And yes, that's right, everybody's favorite. We document everything all the time everywhere, with a really nice size 12 calibri font
and in Module three, which I know will be your favorite module on favorite part of the course. We have eight lectures and actually implementing our HIPPA compliance program and coming out compliant on the other side will be learning about base lining our controls, performing gap and risk assessments, remediation and preparing for our audit,
usually conducted by a really scary looking consultant wearing a clown nose and has left over lunch on his tie with absolutely no sense of humor at all.
And then we cover the ongoing management were operations of her hip or program because the only constant in our environment is changed and your takeaways and next steps
So next up in our first lesson will be taking a deep dive into the hip of security Rule will be looking at the journey from paper and physical records today Standard three Elektronik Health Record, or E. HR platform that health agencies used. Now we'll look at the threats against Elektronik patient data and the risk to a health care organization, especially if there were a breach.
Who does HIPPA apply? Thio And if it applies, what is required from our organization to maintain patient confidentiality
and we will look at the hip of security general rules in the standard and the physical and technical safeguards needed to protect e p h. I.
So looking forward to seeing you in our first lecture of implementing a HIPPA compliance program for leadership. But on behalf of all of us here Cyber A, the content creators, course developers, instructors, teaching assistants Thanks so much for watching take care. See you next time and happy journeys.
Hello and welcome back to the Sai Buri Implementing a HIPPA compliance program for leadership. Siri's Today's lesson is to hit the security rule. Before the Health Information Portability and Accountability Act was adopted into law in 2000 and three, there was no standard to protect the confidentiality, integrity and availability of electronic health information
to protect the patients most critical information.
Their healthcare identity. HIPPA was to be the first standard in the health care industry that would address all aspects of the security of electronic health information while it is being stored, or during the exchange of that information between entities.
In today's lecture, we're gonna learn about the push in the health care system to abandon physical written patient data and records to the migration to digital electronic patient health information. Ah, very good example of what the technology industry calls digital transformation. So now that we're digital, we have new threats and new risk their security program has to prepare for, Well, HIPPA, who cares?
HIPAA doesn't apply to everybody, so we're gonna review who needs to care about patient privacy.
We're going to review the core elements of the hip of security rule and identify some of the physical and technical safeguards we need to have in place to protect our patients data. And at the end of this amazing lecture, we're gonna take an eight hour practical exam the equivalent of the medical college aptitude test or cat, just to make sure you have retained today's information. So if you're ready,
let's get this hip of security. Safari, started
in 2009, is part of the Health Information technology for Economic and clinical Health or high Tech Act. The federal government set aside 27 billion for an incentive program encouraging hospitals and providers to adopt electronic health records systems or E h ours. Billions more were allocated to help train health workers and assist hospitals in setting up the ZH ours.
So essentially the high tech act was going to push the health care industry down a path where paper files were virtually eliminated.
Hundreds of studies of VH ours were conducted. The demonstrated th Ours lead to better patient care with less drug interaction rates because now, prescriptions for medications where Elektronik Lee checked and validated against already prescribed drugs and the increased quality of patient care. UH, VH ours lead to lower mortality rates and lower nursing care costs
and is part of the federal reward system.
Higher physician payouts for Medicare eligible services. The physician was required to show meaningful use. Meaningful use meant that the doctor of the health care system is required to show that they achieve meaningful use of electronic health record systems in terms of improving patient care quality by being capable of e prescribing or reporting quality patient data
and exchanging Elektronik lee patient data
So, as the health care system migrated physical records to Elektronik, the threats and risks of our patient data had changed What was locked. File cabinets replicated hard copies at an archive storage facility. Fire suppression of fire alarm systems. Now, wherever our network devices lived, new threats and risks emerged.
Doctors wanted electronic records on laptops and smartphones, so we need a new technical controls
to protect our wired and wireless networks. We need a new policies and procedures for acceptable use of electronic patient data. And we need controlled access on Lee. The individuals with the appropriate privilege to read patient data, right patient data and share patient data were to be given privilege. So now there is a very keen focus on the technical controls.
Things like firewalls to protect the data
and encryption to keep the store data and data in transit. Confidential and triple A authentication, authorization and accounting. Validating acceptable use. Authorizing access based on privilege and group policy and accounting reporting on who did what with patient data.
We need a new business associate. Agreements are partners need to respect our policies and procedures
to protect patient data or they can be partners with our health care organization. We need proper and timely backups and data recovery capabilities. So there are patient data is always available when the patient or health care provider needs it, and our security program needs processes and procedures toe, identify, mitigate and reduce organizational risk.
So who needs to care about hip when talking about the hippo standards and its components? Like the privacy rule you'll see reference the term covered entities for HIPPA covered entity or health plans, healthcare clearinghouses and health care providers. Clearinghouses. Basically a data translator clearing house receives transactions from a health care provider
and translate them into acceptable forms that payers will process financial payments on
so clearinghouses or building services. Re pricing companies in firms with value added health management systems that assist with payer services. AH, healthcare provider who has a covered entity? Is any health care provider who transmits any health, information and electronic form in connection with the transaction. Doctors, dentists, physical therapist and mental health practitioners.
It's thes healthcare providers who hope to get Medicaid and Medicare reimbursements
that the hippo security, privacy and enforcement rules are governed to protect their health information of patients. Three. Government will not reimburse you for your patient services rendered unless you can show that you are protecting patient privacy and control meaningful use.
So, according to the American Medical Association, the HIPPO security rule can be broken down into four elements. The administrative safeguards, which are the administrative actions, policies and procedures to manage and maintain
the security measures to protect Elektronik protected health information. The technical safeguards are the technology as well as the policies and procedures to protect the e. P. H. I and control access to it. It's the technical safeguards, according to the A M A, that are the most difficult regulations to comprehend and to implement
and the physical safeguards and the physical structures of a covered entity.
And it's Elektronik equipment like keycard access to the Data center to satisfy the hip of security rule compliance and lastly, to comply with the security rules, implementation and its specifications. Covered entity is required to conduct risk assessments and risk analysis to determine threats or hazards to the security of E. P. H. I
and implement measures to protect against these threats
and behind every security compliance measure is the documentation requirement. Practically every facet of HIPPA compliance requires policies and procedures to be created and implemented, and these documents must be retained for at least six years, and state requirements may mandate longer retention periods,
according to the A M A. The hip of security rules intended to incorporate the concept of scalability, flexibility and generalization. The regulations do not expect the same security precautions from smaller rule providers as our demanded by large covered entities. With significant resource is, security is recognized as an evolving target,
so hipper requirements are not linked to specific technologies or products.
Instead, Hippeau focuses more on what needs to be done and less than how it should be accomplished. As such, the flexible, three tiered approach of the standards have requirements. All entities were expected to meet thes air categorized as required controls and the second tier of controls and requirements in terms addressable, meaning that your agency must address it by either a direct means
or have documented a less direct mechanism to meet the standards requirements.
An example of an addressable requirement would be that is a small regional hospital who can afford a multi factor authentication platform to confirm the identity of users accessing their E. P. H. I can address the requirement by implementing a password complexity policy and the implementation of role based access controls.
So now that we've learned about the hip of security rule, you're ready to take your medical college admission test your in cat. How about that? So break out your bubble marking pencil on. Let's get this open notes Open book Open Google Aptitude Test Started
Identify three reasons that led the health care industry to migrate to electronic health records. Hit Pause Google for your answers, or simply copy the answers from the students sitting to your left, who looks to be pretty smart, albeit not a very snappy dresser. That stripe shirt with final pants. Ouch! Okay, so let's look at some answers.
A bunch of studies were conducted in the HR is proved
that they helped deliver better patient care and reduce three overall mortality rates. Being able to keep track of a patient's prescriptions electronically made it easier to avoid negative drug interactions. Any HR showed that they could lower cost through efficiencies and by being more efficient, nurses had more time to focus on patients and less on building,
reducing a health care organizations overall nursing costs.
So in this video reviewed why it was so compelling for the industry in the federal government to provide financial incentives to migrate to Elektronik health records systems. But with this new form of electronic patient records came new threats and new risks we learned about which three covered entities were regulated by HIPPA, insurance providers, clearinghouses and health care providers.
And we broke down the hippo security rule into its four core elements.
Theo, administrative safeguards, technical safeguards and physical safeguards, and the process for analyzing, mitigating and reducing organizational risk. And in our next lecture, we're gonna be rolling up our sleeves and digging into the HIPAA privacy rule.
So thanks for sitting in this first lecture of the Sai Buri implementing a HIPPA compliance program. Siri's. We hope you learn a few things about the exciting world of hip and hip a security. For now, on behalf of the entire CyberRays Safari security team, Thank you for watching and be sure to be on the lookout for that hippopotamus.
You know that hip hip a hippopotamus because those guys air scary and honoree and just
plain nasty. So take care and happy adventures