

Applying NIST for HIPAA/HITECH Compliance
ecfirst Newsletter | June 2010
 
Register for ecfirst HIPAA/HITECH Webcast on June 8, 10:30 am central
Webcast:

Applying NIST Standards to Address Compliance Mandates

 
June 8, 10:30 am central
Register Now: www.ecfirst.com
 

The HITECH Act, the HIPAA Security Rule, State regulations, PCI DSS, FACTA and other mandates require covered entities and business associates to "reasonably and appropriately" secure sensitive information such as PHI or EPHI. Further, organizations need to establish that "reasonable and appropriate" steps have been implemented to manage all such sensitive and confidential patient or client data.

In this ecfirst Webcast, step through how to apply NIST Standards and guidelines to address critical compliance mandates for regulations such as HIPAA, HITECH as well as State requirements.

Register for this complimentary webcast at www.ecfirst.com. Webcast scheduled for June 8 at 10:30 am central (8:30 am pacific).

Organizations are increasingly considering applying NIST Standards to comply with national regulations such as HIPAA and HITECH and standards such as PCI DSS. NIST Standards and Guidance documents may be applied to develop policies, plans and procedures for security capabilities and controls.

Learning Objectives:
  • Understand how NIST Standards provide best practice recommendations on information security management, risks and controls.
  • Examine how to apply NIST standards to address critical national and international privacy and security requirements.
  • Step through NIST guidelines to address security challenges for disaster recovery and contingency planning.
  • Apply NIST Standards to address data breach and security incident management.
  • Identify critical policies and procedures, including security plans, that organizations must develop and update, to establish a baseline for controls and countermeasures.
POLICY HEADQUARTERS

HIPAA Privacy, HIPAA Security & HITECH Require Policies! 

 

Ask about our New PCI DSS Policy Templates! 

 
Policies set the "dial-tone" for meeting compliance mandates in your organization. Are your policies updated to meet the requirements of HIPAA Privacy, HIPAA Security and the HITECH Act?
 
Visit the ecfirst RESOURCE CENTER @ www.ecfirst.com to download privacy and security policies. ecfirst can customize the policies to meet the standards and requirements of your organization.
 
Call John Schelewitz at +1.480.663.3225 to discuss how to cost effectively address compliance mandates for policies.

CHP + CSCS = 2 Highly Valued Credentials!

 
FREE iPad! Register Today!
 
CHP PROGRAM
PHOENIX, AZ - JUNE 7-8
LAS VEGAS, NV - JULY 13-14
 
Learn about key aspects of the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security. Step through new requirements related to the HITECH Act. This is an exceptional program delivered by Lorna Waggoner, a HIPAA expert. To register, visit www.HIPAAAcademy.Net
 
CSCS PROGRAM
PHOENIX, AZ - JUNE 9-10
LAS VEGAS, NV - JULY 15-16

To attend the only certification program in the industry that addresses PCI DSS, ISO 27001/27002, HIPAA, FISMA, and other information security regulations, please register at www.ecfirst.com, and click on the CSCS Program. The CSCS Program is presented by compliance and cyber security experts. CSCS is the world's first program focused exclusively on compliance and security. To register, please visit www.ecfirst.com.
 
Limited Seats! Register Now!
DID YOU KNOW?
 
Below Adam's Apple: The Thyroid
 
Located in the front part of the neck below the Adam's apple, the thyroid is a tiny gland with a big job. The butterfly-shaped powerhouse controls several critical functions including the body's energy level, heart rate, weight, blood pressure and temperature.
Get Certified On-line!
 
CHP PROGRAM
Learn about key aspects of the HIPAA regulation including Transactions and Code Sets, Identifiers, Privacy and Security.
 
Step through new requirements related to the HITECH Act. Understand requirements for covered entities and business associates.
 
CSCS PROGRAM
To attend the only certification program in the industry that addresses PCI DSS, ISO 27001/27002, HIPAA, FISMA, and other information security regulations, please register at www.ecfirst.com, and click on the CSCS Program.
 
The CSCS Program is presented by compliance and cyber security experts. CSCS is the world's first program focused exclusively on compliance and security.
 
Ali Pabrai Presentation at California's CHIA Conference
"Compliancy with California's Privacy and Security Mandates"
The California Health Information Association (CHIA) confirmed that Ali Pabrai, Chief Executive of ecfirst, will deliver an executive presentation on June 15, 2010 between the hours of 3:20 and 4:20pm.
 
The delivery will take place at: Hyatt Regency Sacramento, 1209 L. St., Sacramento, CA.

"We are very pleased that Mr. Pabrai will be presenting information about key California regulations and information on investigations and audits by the California Department of Public Health (CDPH). There are several regulations in the area of information privacy and security that impact all organizations that process personal information about a California resident," stated LaVonne LaMoureaux, RHIA, CAE, Executive Director, CHIA.

California is the most proactive state in the country with regards to safeguarding personal and health information.

California has enacted legislation requiring organizations to notify all affected members or citizens of California of a security breach.
 
In this unique delivery we closely examine the mandatory requirements of several California security regulations including SB 1386, AB 1950, AB 1298, AB 211, SB 541 and others. New regulations not only include "personal information," but also "medical information" and "health insurance information." Together we will step through frameworks that may be applied to enable your organization to comply with numerous California requirements for protecting personal information.
Applying NIST Standards to Comply with HIPAA/HITECH
Covered entities and business associates have struggled to find valuable resources to reference as they look to manage their compliance activities for HIPAA and HITECH mandates. Such resources are now available with the publication of NIST Special Publication 800-66 Revision 1, as well as the latest draft publication on Risk Analysis by OCR, which directly references NIST Standards and guidance publications.
 
Compliance mandates that impact healthcare organizations include:
  • HIPAA Privacy
  • HIPAA Security
  • HITECH Act
  • State Regulations
  • PCI DSS
Organizations can leverage the Standards and Guidance documents published by NIST to address compliance requirements in the areas of:
  • Encryption
  • Contingency Planning
  • Policies
  • Identity Management
  • Incident Response (Data Breach Management)
  • Security Training
 
To learn more about how NIST Standards can enable your organization to be so much more efficient in addressing compliance mandates, join the ecfirst complimentary Webcast on June 8, 10:30 am central.
Register for the ecfirst/HIPAA Academy complimentary webcast @ www.ecfirst.com.
OCR Guidance for Risk Analysis
 
The very first implementation specification in the HIPAA Security Rule is Risk Analysis. The Office for Civil Rights (OCR) recently published a (draft) guidance document to assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability (CIA) of electronic protected health information (EPHI).
 
The First Step
Conducting a risk analysis is the first step in identifying and implementing safeguards - your countermeasures or controls - that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule. Given the requirements of the HIPAA Privacy Rule and the HITECH Act, organizations should look at all PHI they process or manage, and not limit the analysis to EPHI.
 
HIPAA Security Rule
All EPHI created, received, maintained or transmitted by an organization is subject to the HIPAA Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. As your organization - be it a covered entity or a business associate - looks to comply with the HITECH Act and the HIPAA Security Rule, keep in mind that the risk analysis implementation specification is the first step in that process.
 
Critical Questions to Address
Critical questions that every covered entity and business associate impacted by the HIPAA regulation must address on a regular basis include:
  • Have you identified the EPHI as well as PHI within your organization? This includes PHI that you create, receive, maintain or transmit.
  • What are the external sources of PHI? For example, do vendors or consultants create, receive, maintain or transmit PHI or EPHI?
  • What are the human, natural, and environmental threats to information systems that contain EPHI and PHI?
 
Extent of Scope
Keep in mind that the scope of the risk analysis exercise must encompass all of the potential risks and vulnerabilities to the confidentiality, availability and integrity of all EPHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes EPHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations.
 
To address HIPAA Privacy mandates and the requirements of the HITECH Act, an organization's risk analysis should take into account all of its PHI, not just EPHI, regardless of the particular medium in which it is created, received, maintained or transmitted, or the source or location of the PHI.
 
Assess Current Security Measures
Organizations should assess and document the security measures an entity uses to safeguard EPHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.
 
Risk analysis is the first step in an organization's HIPAA and HITECH compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of not just EPHI, but all PHI.
 
Addressable is Not Optional
The OCR Risk Analysis Guidance document emphasizes that an addressable implementation specification is not optional. If an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so.
 
More than ever, the Boards of Directors at hospitals, health systems, business associates and others are taking notice and asking an important question - "is the organization compliant with HIPAA and HITECH mandates?" Have you completed the first step - Risk Analysis?
 
For a complimentary private Webcast to learn more about how your organization can be better prepared for a HIPAA or a HITECH audit, please contact Audra Curtis at Audra.Curtis@ecfirst.com or at 1.877.899.9974 x16.  
Follow ecfirst on Twitter to receive special offers and updates! Special discounts are available for HIPAA, HITECH, ISO and PCI DSS policies on Twitter. Follow ecfirst on Twitter today! www.twitter.com/ecfirst
 
 
Join Ali Pabrai on Linkedin! 

http://www.linkedin.com/in/pabrai
 
DID YOU KNOW?
The Health of Physicians
 
More than half of the doctors said they exercise at least three times a week for 30 to 60 minutes.
 
40% of male physicians are overweight, and 23% are obese.
 
64% of postmenopausal female ob/gyns used hormone-replacement therapy - even though only 18% said they would recommend it to all their patients.
 
Doctors are more likely to drink alcohol, but less likely to binge.
 
About 43% of male doctors ate fish two to four times a week; 11% ate it five times a week.
 
WSJ, May 25, 2010
Red Flags Rule Delayed

The Federal Trade Commission (FTC) has pushed the Red Flags Rule deadline to December 31, 2010.

The delay is an attempt to allow Congress more time to consider legislation that would exempt small businesses, including small practitioners. The AMA and other groups filed suit against the FTC on May 21 about the Rule.
DID YOU KNOW?
Back Surgery
More than 1 million Americans undergo back surgery each year.
 
The spine is made up of 26 donut-shaped bones called vertebrae. Stacked one on top of the other, they're separated by small, gel-like disks, which act as protective cushions.
 
The vertebrae form a channel through which the spinal cord runs. Nerves branch out from the spinal cord, extending between each vertebra.
 

On-Demand Compliance

Flat-Rate Solutions
We at ecfirst refer to this consulting model as - "you can do it, we can help." ecfirst resources may be applied to work along with your IT and compliance personnel to help create and update information security policies, technical procedures, processes, forms, supporting documentation and other required tasks.

The ecfirst On-Demand Solution is highly flexible and includes the following characteristics:
  • Fixed, flat rate service
  • Starting at a minimum 10-hour commitment
  • Delivered anywhere in the United States or abroad
  • Highly specialized information security skills
  • Experienced compliance expertise
  • Mix and match skills
  • 2-page contract
  • Get started with resource commitment immediately

To learn more about ecfirst On-Demand Compliance, please contact John Schelewitz at +1.480.663.3225 or at John.Schelewitz@ecfirst.com.

Conducted a Technical Vulnerability Assessment?

TRACER

TRACER is an ecfirst program targeted in the area of technical vulnerability assessment to address HIPAA and HITECH mandates by identifying gaps that may be maliciously exploited.

 

A key requirement of the HIPAA Security Rule is that covered entities and business associates must conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all electronic Protected Health Information (EPHI).

 

ecfirst specializes in conducting comprehensive technical vulnerability assessments to address compliance mandates for HIPAA, HITECH and other regulations. Find out more about our services for external, internal, wireless, and DMZ/firewall assessments.

 

For more information about TRACER and our technical vulnerability assessments, please contact John.Schelewitz@ecfirst.com.