SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Mass 201 CMR 17.00: When State Compliance Kicks in, How Do You Respond?
March 11, 2010 at 8:08 PM by David Ting
While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect:
17.05: Compliance Deadline
(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.
We began talking about this Massachusetts data privacy regulation and what it means back in November 2008, and continued the discussion on this blog in September 2009 as the compliance deadline was pushed off numerous times throughout the course of 2009. Now, the day has finally come, and Mass 201 CMR 17.00 is officially here and active.
As you may know, Massachusetts is at the forefront with legislation that creates standards for protecting personal information in both paper and electronic format. A key purpose of the standards is to “protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer” and minimize overall security risk.
While we’ve examined the specific parameters in our previous blog posts on the topic, it’s important to recognize what companies must do now if they own or license information about a resident of the Commonwealth. A majority of the provisions in the Mass 201 CMR 17.00 standards center on securing access to data, so it’s crucial to:
• Map where personal information resides in your company
• Inventory which applications access and/or store personal information
• Understand what third-party service providers access this personal information
• Ensure only appropriate, authorized access to data by personnel by deploying appropriate user authentication technologies
• Assign unique identifiers, such as fingerprint biometrics plus strong passwords, to fortify security and eliminate password sharing… then streamline the log-on/off process by single-sign-on enabling applications
• Monitor and report on access of personal information to ensure compliance
• Regularly educate and train users on appropriate system use and the importance of securing personal information
If you’ve accounted for the above, you’re well on your way toward compliance. If not, what are you going to do when the Commonwealth of Massachusetts comes knocking? Do you really want to find out?
--David
HIMSS 2010: Meaningful Use, EMR Standards, Clinician Workflows, Security, Oh My!
March 7, 2010 at 6:38 PM by David Ting
This year’s HIMSS was quite an active conference, with healthcare IT a national focal point as new legislation and stimulus funding are being funneled into reform and modernization initiatives.
To kick off the conference, Imprivata chief medical officer Dr. Barry Chaiken, who is the current chair of HIMSS, highlighted the need for healthcare IT solutions to drive positive industry change. Here are some pull-outs from an InformationWeek blog covering the event that capture the sentiment well:
In his opening keynote address at the conference, Dr. Barry Chaiken, HIMSS chairman and chief medical officer of Imprivata, put the onus on the industry to create "healthcare IT solutions that are so compelling, so irresistible, that people just want to use them. We cannot rely on incentive programs or executive orders. We must create demand."
There's a raw energy at HIMSS reminiscent of the broader IT industry's go-go days, when there were myriad vendors and incomplete standards and fractious debates and lots of customer uncertainty, but when there was an unshakeable belief that IT could still change the world.
In his opening address, Dr. Chaiken captured that vibe, calling on the HIMSS membership to rise to the challenge. "Through the implementation of compelling healthcare IT solutions, you must transform the way healthcare is provided in this country, not the president, not Congress, not clinicians--you. If you don't do it, it will not happen. You must step forward and you must lead."
At Imprivata’s booth, we had a constant flow of booth traffic, and we received great response to our interactive theater demonstrations – people loved watching our folks act out real-world scenarios vs. watching a canned demo loop on a monitor. Having a live operational system at the booth allowed us to explore details of the product with customers and prospects with specific questions.
People were especially excited about our OneSign Secure Walk-Away solution for protecting unattended hospital workstations from unauthorized access, and Privacy Alert spurred a lot of interest and engaging conversations with IT and Privacy executives alike. There were lots of high-energy discussions, mostly centered around definitions of meaningful use, EMR interoperability and the creation/non-existence of standards, clinical workflows, healthcare access management and data security breach issues – and more than a few jabs about the outcome of the Olympics!
This set the tone for the entire conference, and everyone contributed to a great gathering focused on pushing industry progress forward – presenters, vendors and attendees alike. At Imprivata, we’re coming away from HIMSS 2010 energized for what the future holds in healthcare. We’re ready to make a difference. Are you?
Guest Post: ecfirst CEO, Ali Pabrai, on HITECH’s Meaningful Use and Compliance
February 23, 2010 at 12:35 PM by Ali Pabrai
There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.
For instance, the Centers for Medicare & Medicaid Services (CMS) will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved. At the state level, State Medicaid administrators will also withhold meaningful use payment for any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy & Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve. For example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. However, these EHR initiatives are coupled with strong mandates for privacy and security compliance that must be addressed.
In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Specifically, the investigation includes a review of IAM processes related to:
- Establishing user access for new and existing employees
- List of secure authentication methods for users authorized to access EPHI
- Monitoring systems use - authorized and unauthorized
- Granting, approving, and monitoring systems access (for example, by level, role, and job function)
- Termination of systems access
Keep in mind that compliance mandates represent the minimal capabilities that organizations must implement and manage pro-actively. HIPAA and HITECH are the floor, not the ceiling, of the core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, pro-active and integrated.
Ali Pabrai, chief executive of ecfirst, is a highly sought-after security and compliance expert. He is also the author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.
Seven Critical Steps for Preparing for HIPAA & HITECH Audits
February 10, 2010 at 1:08 PM by David Ting
On Thursday, Feb. 11 @ 1pm ET, please join me and cyber security and compliance expert Ali Pabrai of ecfirst for a can’t-miss Webinar outlining the critical steps for preparing for HITECH & HIPAA compliance audits. It’s a must-attend session with enforceable HITECH requirements taking effect Feb. 18, 2010 and HIMSS 2010 a short few weeks away.
To register for this event, please visit the Critical Steps for IAM Compliance page, which provides more details of what this Webinar will cover, including:
• Key considerations for IAM Compliance in healthcare organizations
• How to comply with security controls while maintaining a high level of productivity
• A checklist to prepare for audits by the Office for Civil Rights (OCR) for HIPAA & HITECH
If you’re unable to attend the live Webinar, an archived version will soon be available on Imprivata’s Events Archive page, where you can find numerous topical Webinars that are useful for gaining insights from industry thought leaders and from real-world deployments of single sign-on and user authentication for securing user access to information.
--David