HIPAA Workloads on AWS - Pop-up Loft Tel Aviv


HIPAA Workloads on AWS

CVS

• In 2009, fined $2.25 million

• Disposed of protected health information in public dumpsters

• OCR findings:

  • Did not have adequate policies and safeguards

Alaska Department of Health and Human Services

• In 2012, fined $1.7 million

• Unencrypted USB drive stolen from an employee's car

• OCR findings:

  • Failed to complete a risk analysis

  • Failed to implement adequate security measures

  • Failed to provide security training for its employees

WellPoint

• In 2013, fined $1.7 million

• Protected Health Information (PHI) accessible over the internet for 5 months

• OCR findings:

  • Failed to perform an adequate technical evaluation in response to a software upgrade

  • Failed to implement user verification (authentication) for the web-based patient database

By: Ran Rothschild

Most frequent violations

1. Impermissible uses and disclosures of protected health information

2. Lack of safeguards of protected health information

3. Lack of patient access to their protected health information

4. Lack of administrative safeguards of electronic protected health information

5. Use or disclosure of more than the minimum necessary protected health information

Most common types of covered entities that have been required to take corrective action

1. Private Practices

2. General Hospitals

3. Outpatient Facilities

4. Pharmacies

5. Health Plans (group health plans and health insurance issuers)

What is PHI?

HIPAA lists eighteen personal identifiers (the Safe Harbor list); health information that is linked to any of them is Protected Health Information.

Who has responsibility to protect PHI?

Covered Entities, Business Associates and their subcontractors

Achieving HIPAA Compliance on AWS

The 3 Pillars of HIPAA

1. Internal Procedures and Processes

2. IT Environments

3. Constantly staying up to date

HIPAA Security Rule

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

4. Policies, Procedures and Documentation governance

IT Environments

• Size does matter: the Security Rule is scalable to the size of the entity

• Complexity, capability, cost, and the probability and criticality of potential risks are all weighed when choosing safeguards

• Protect against "reasonably anticipated threats"

• Implementation specifications are either Required or Addressable (addressable means assess, implement or document an equivalent alternative, never ignore)

Constantly staying up to date and training

• Risk analysis (part of the administrative safeguards)

• HITECH Act

• US Department of Health and Human Services (HHS.gov)

• Office for Civil Rights (OCR)

AWS & HIPAA

Q: Is AWS HIPAA compliant? A: There is no HIPAA certification for a cloud provider such as AWS; compliance is the customer's responsibility, built on top of the provider's controls.

Q: Will AWS sign a BAA? A: Yes… but only for the services it covers, and only if you use them as the BAA requires.

Q: Are all AWS services HIPAA compliant? A: No… PHI may only be stored, processed and transmitted in the services covered by the BAA, which at the time of this talk were: DynamoDB, EBS, EC2, EMR, ELB, Glacier, RDS (MySQL & Oracle), Redshift and S3. The list of HIPAA-eligible services has grown since; check the current list before placing PHI in any service.

Q: Are you aware of the Shared Responsibility Model? AWS is responsible for security of the cloud (facilities, hardware, hypervisor); you are responsible for security in the cloud (your OS, data, encryption, access control).

Do you comply?

1. Administrative – create policies and procedures that clearly show how the entity will comply with the act.

2. Physical – control physical access to areas where data is stored, to protect against inappropriate access.

3. Technical – protect communications containing PHI when they are transmitted electronically over open networks.

* Minimum Necessary: use and disclose only the minimum PHI needed!
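As an added example (not from the talk), this S3 bucket policy enforces the technical safeguard above for PHI kept in S3, one of the services listed as covered by the BAA: it denies any request that does not arrive over TLS, and denies object uploads that do not request server-side encryption. The bucket name `example-phi-bucket` is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonTLSRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

Explicit Deny statements win over any Allow, so these hold even for principals that otherwise have full access. The second statement only checks that the client asked for server-side encryption; if you want to require a specific KMS key rather than any SSE, add a `StringNotEquals` condition on `s3:x-amz-server-side-encryption-aws-kms-key-id` (an assumption about your key setup, not shown here). Policy alone does not cover the rest of the Security Rule: you still need the risk analysis, access logging and the documented procedures the earlier slides list.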

Thank You
