103102 hipaasummit security

Information about 103102 hipaasummit security

Published on November 2, 2007

Author: Margot

Source: authorstream.com

Content

"Surviving Securely & Surviving Security -- Thoughts After 9/11"
Professor Peter P. Swire, Ohio State University; Consultant, Morrison & Foerster LLP
HIPAA Summit, Baltimore, October 31, 2002

Overview
- Today is Halloween -- how scared should we be? Of what?
- HIPAA and private sector security
  - Why HIPAA security is scary hard
  - Why it is not quite so hard
- Homeland security
  - Bioterrorism and other issues post 9/11
- Civil liberties, privacy & security
- Concluding thoughts

My Background
- Clinton Administration Chief Counselor for Privacy, 1999-2001
- White House coordinator, HIPAA privacy rule
- Chair of White House working group to update wiretap and surveillance law
- Much work on computer security, encryption, and other security issues

My current work
- Professor, Moritz College of Law of the Ohio State University; based in D.C.
- Consultant, Morrison & Foerster LLP; nationwide HIPAA practice
- Writing on privacy & security issues: op-ed, Washington Post; testimony, House Judiciary
- See www.peterswire.net

I. HIPAA and Private Sector Security
- Today you have heard the many, many components of state-of-the-art HIPAA security compliance
- Your possible concerns:
  - Cost
  - Lack of technical expertise
  - Interference with health care and other work
  - No management support to get from here to there

More to worry about
- FTC and the Eli Lilly case
- Medi-messenger to remind users to refill prescriptions
- 669 names of Prozac users put in the "To" line rather than the "Bcc" line in June 2001
- Everyone agrees it was unintentional
- ACLU complained to the FTC

Lilly case and the law
- Not a HIPAA case: rules not yet in effect; very likely not a covered entity
- FTC Act, Section 5: prohibits "unfair and deceptive trade practices"
- Broad FTC jurisdiction (except insurance)
- Case law: it is deceptive to break a material promise made on your web site

Lilly
- Lilly web site said: "Eli Lilly and Co. respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource"
- FTC claimed deceptive because of failure to "implement internal measures appropriate under the circumstances to protect sensitive consumer information"

Lilly Settlement, early 2002
- Create a 4-stage information security program:
  - Designate appropriate managers to oversee
  - Comprehensive assessment and addressing of security risks
  - Annual written review by qualified persons of compliance
  - Update program over time
- One-time negligence leads to a federal case for "deceptive practices"
- Your HIPAA web policy and FTC enforcement

New California Security Law
- S.B. 1386, signed Sept. 25, requires notification of security breaches involving personal information
- If there is a security breach, must disclose to any resident of California whose personal information was acquired by the unauthorized person
- Breach essentially means unauthorized acquisition of computerized data
- Takes effect July 1, 2003

New California Law
- Breach applies to "personal information": name plus one or more of:
  - Social Security number
  - Driver's license number, or
  - Account numbers or passwords that permit access to individual financial accounts
- Safe harbor if you keep the data encrypted
- Private civil actions and injunctions
- Consider preparing your systems for HIPAA and S.B. 1386 together

Security as Scary Hard
- To summarize:
  - HIPAA security rule will come
  - HIPAA privacy rule already will require reasonable physical and cyber safeguards
  - Lilly case and deceptive practices
  - New state law interest in assuring information security

Security as Less Hard
- Draft HIPAA Security Rule: most of it is codified common sense (have backups, disaster recovery, good passwords, and so on)
- How easy will it be for HHS to surprise everyone and have a much stricter and more regulatory security rule? Not very. It would be an unfair surprise and more regulatory than the HIPAA privacy approach.

HIPAA Security as Less Scary
- Key concept of "scalability":
  - Security plan for a big research hospital
  - Security plan for a pediatrician's office
  - Rule contemplates they will be very different
- "Good faith", "reasonableness"
- Enforcement: compliance oriented, not penalty oriented; limited staff at HHS/OCR

Security in the Private Sector
- Lilly as less scary: limited FTC enforcement staff; settlement was essentially a good compliance plan going forward
- As a society: we learned to lock our houses and cars; some have to do more -- jewelry stores; now we are learning what good practices mean for our networked world

II. Homeland Security after 9/11
- Clearly more focus on cyber-security & other homeland security issues
- Anthrax scare and bioterrorism
- USA-PATRIOT Act, fall 2001
- Homeland Security Department bill
- Proposals for state public health changes and more data uses

Don't Over-react to New Security Threats
- My recent "State of the Union for Privacy, Fall 2002"
- Privacy, civil liberties and foreign intelligence laws today arose from a previous pattern of systematic abuse

"The Lawless State"
- Thousands of documented instances of lawbreaking by U.S. law enforcement and intelligence agencies, 1950s-70s
- Bobby Kennedy & MLK, Jr.
- Infiltration of fringe groups: KKK, Black Panthers
- Democratic Party, too

Legal Safeguards in Reaction
- Federal wiretap law, 1968
- Privacy Act, 1974
- Freedom of Information Act, 1974
- Foreign Intelligence Surveillance Act, 1978
- Electronic Communications Privacy Act, 1984
- Others as well

III. Privacy & Security After 9/11
- Privacy vs. security
- Privacy and security
- How to build them together

Security vs. Privacy
- Security sometimes means greater surveillance, information gathering & information sharing
- New USA-PATRIOT surveillance provisions
- Err on the side of public health reporting
- In short, greater disclosure to build security

Security and Privacy
- Good data handling practices become more important -- good security protects PHI against unauthorized use
- Audit trails and accounting are more obviously desirable -- they help with some privacy compliance
- Part of a system upgrade for security can be a system upgrade for other requirements, such as HIPAA privacy

Building Them Together
- Step One: Does the new security proposal in fact improve security?
- Step Two: Is the new security proposal drafted consistently with privacy and other values?
- Step Three: Are the right checks and balances in place to achieve security and other goals over time?

Conclusion
- Many of our organizations need a security upgrade to comply with HIPAA; but they must also meet other goals such as efficiency (good medical care), contain costs, etc.
- Many of our organizations need a security upgrade to create homeland security; but they must also meet other goals such as efficiency (society's business continues), contain costs, & privacy and civil liberties

Conclusion
- In both private and public sectors:
  - Survive Securely -- move up the learning curve to better practices
  - Survive Security -- do it without letting the security concerns prevent solid analysis of the other goals at stake

Contact Information
- Web: www.peterswire.net
- Email: [email protected]
- Phone: (240) 994-4142
