up

2020-02-12

Sarbanes-Oxley (I think that’s how it’s spelled)

Must create controls

Control areas:

• access control
  • physical
  • electronic
• security
  • ‘be able to demonstrate protections against data breaches’
• data backup
  • SOX-compliant off-site backups of all financial records
• change management
  • People
  • software
  • other things

Types of control:

• Detective
• preventative
• corrective

Areas:

• 302
  • Execs verify accuracy of financial reports
• 404
  • Execs and auditors confirm effectiveness of internal controls

Frameworks for SOX guidance:

• COBIT
  • Control Objectives for Information Technology
• COSO
  • Committee of Sponsoring Organizations
• PCAOB
  • Public company accounting oversight board
  • Develops auditing standards and trains auditors on best practices
• ITGI
  • Information Technology Governance Institute
  • Framework using standards from both COBIT and COSO - focuses on security rather than general compliance

HiTrust is a framework I’ve used before for HIPAA

The ‘right approach’ is to implement as many best practices as possible. Get legal counsel involved to recommend best fit.

HIPAA

It’s HIPAA with Two A’s.

• health insurance portability and accountability act
  • Federal law, 1996
  • Deployed in 2002
• why
  • Insurance portability
    • insurance providers used to terminate insurance on large life changes
  • Data privacy accountability

Covered Entities must protect individually identifiable health information against disclosure to unauthorized parties.

Covered entities includes physicians, health clearinghouses, and health plans.

HIPAA also gives patients access to their health records.

Title 2 - Standard electronic transaction record. Med records used to be stored in 400+ ways.

• Electronic Data Interchange (EDI)
  • ANSI X12N
  • Code Sets
• Penalties
  • up to 1.5M per incident
• Breach notifications
  • Covered entities and business associates must notify patients after a breach
  • Additional fines and potential criminal charges for violations
• Top 10 violations
  • Database breaches
  • Third party disclosure
  • Improper disposal
  • Mishandling records
  • Employees disclosing information
  • Not performing an organization-wide risk analysis
  • employees legally accessing patient files
  • lost or stolen devices
  • lack of training
  • not encrypting phi on portable devices
• compliance issues from OCR
  • Lack of PHI safeguards
  • Lack of phi patient access
  • others but stackpole is moving so so so fast like christ dude
• Data requests
  • When OCR wants to check something, you must get them the data within 10 days
• Preparing for a HIPAA audit
  • Things to consider
    • Risk analysis
    • risk management plan
    • list all business associates
    • addressable security standards
      • Not all hipaa standards are mandatory
    • breach notifications
      • p&p must be in place