|
Monday, September 26
9:15 - 9:45 a.m.
Plenary Session
Survey on AMC Security Practice Status
This session provides the results of a survey of security
practices taken from a representative sample of AMCs. The
survey allows for ranking AMCs and for describing the level
of HIPAA Security Rule compliance. The analysis will aid you
in addressing several questions including: How do you stack
up? Is anybody compliant today? Where are AMCs having trouble
with compliance?
Session Objectives:
- Describe the current state of compliance with the HIPAA
Security Rule among AMCs.
- List three areas in which most AMCs are having problems
and three key success factors in reaching compliance.
|
|
Monday, September 26
10:15 - 11:30 a.m.
Clinical Research Track
Managing High Profile Incidents and Breaches
What is an incident? A breach? Who is involved? What is different
with the high profile incidents and breaches? At long last
it has happened: a research MD has her laptop stolen
in the airport and her identifiable HIV research data are
lost with it. Now what? How do you handle the technical, legal,
regulatory and public relations issues associated with a high
profile security incident/breach? Do you come clean and go
public or hold back to better manage the potential fallout?
Should you change security practices? Does any of this involve
the ISO looking for another line of work? Hear the panel relate
their real and anticipated experiences. Come with your own
suggestions.
Session Objectives:
- Describe the dimensions of a major privacy incident and
at least one technique for addressing each.
- Describe how to prepare for such an incident.
|
|
Monday, September 26
10:15 - 11:30 a.m.
Future Track
Future Uses of Encryption
Hardly a week passes that we don't hear about an incident
in which a database at a major institution (including many
AMCs) with sensitive health information is hijacked or lost.
Even with this high reporting rate, most observers think that
only a fraction of such incidents ever become public. What
can/will be done to protect this data? Will encryption of
databases be commonplace? Will separating the identifying
info from the content help protect confidentiality? Will spreading
data across multiple devices help both availability and confidentiality?
Will laws emerge to require such protections?
Session Objectives:
- Describe scenarios in which data encryption reduces risks
to confidentiality.
- Explain how at least one specific AMC is using encryption
of data at rest to better manage security risk.
|
|
Monday, September 26
1:00 - 2:15 p.m.
Clinical Research Track
Risk Assessments in Research
All AMCs manage research risk. This panel session will discuss
such risks as Intellectual Property thefts, ePHI loss, internal
intrusion, data continuity, and accounting for disclosure
inside smaller databases.
Session Objectives:
|
|
Monday, September 26
1:00 - 2:15 p.m.
Future Track
Evolving
Security & Privacy Laws & Regulations
The last few years have seen an explosion of laws and regulations
that relate to privacy and security of sensitive data (e.g.,
GLBA, CLIA, JCAHO, SOX, HIPAA and FDA, Part 11). Taken together,
these federal laws and a growing number of state laws are
an attempt to assure that the growing dependence that our
institutions have on information systems does not lead to
abuses or institutional (especially AMC) collapse. But, how
do the requirements work in concert with each other within
and between AMCs? And, where are the next generation of legal/regulatory
requirements likely to take us? How can we leverage the experiences
of other countries that are addressing these issues?
Session Objectives:
- List the major national laws and describe whether/how
they apply to AMCs.
- List three trends in public policy that may impact how
AMCs manage information over the next 3-5 years.
|
|
Monday, September 26
1:00 - 2:15 p.m.
Security Track
Changing Your Corporate Information Security
Culture: The Battle for Hearts and Minds
Most AMCs list the need for culture change
as an important element in getting their security programs
to work. What are the elements of culture change? How can
AMCs be led by their ISO through these changes? How fast can
these changes be expected to take place? Hear the panel talk
about their successes and frustrations in this area. Offer
your own sage advice.
Session Objectives:
- Describe elements of culture change needed in the typical
AMC.
- Describe two or more techniques for effecting culture
change in the typical AMC.
|
|
Monday, September 26
2:45 - 4:00 p.m.
Clinical Research Track
Don't Just Say "No" to Multi-site
Research in this HIPAA Environment
The Privacy Rule allows research to be done under multiple
mechanisms: authorizations and waiver or alteration of authorization
are the primary ones. What are the AMCs doing to facilitate
multi-site research? What happens to the data when the rule
is interpreted differently by separate institutions? Is the
effort worth it? Separate vs. combined authorizations and
consent for research? Consistent language? Who reviews? The
FDA seems to have stuck its head in the sand, but most AMCs
subject all research to the Common Rule; are AMCs starting
to opt out of the joint compliance to reduce the administrative
burden?
Databases for future, unspecified research (at Pharma) are
a challenge for IRBs under the Common Rule and ignored by
the FDA. How are AMCs addressing them? This panel will represent
several of the different models that are used by AMCs to accomplish
research and remain compliant with institutional IRB approval
and monitoring guidelines.
Session Objectives:
- Identify the relative advantages of combined vs. separate
consents and authorizations.
- Identify two of the challenges of multi-site research.
|
|
Monday, September 26
2:45 - 4:00 p.m.
Future Track
State Laws & Regulations: Current
Trends and Their Implications to AMCs
HIPAA's Privacy and Security Rules are superseded by
more stringent (i.e. more protective) state law. When the
HIPAA Privacy and Security Rules went into effect, approximately
half of the states had some related laws that were more stringent.
States like California and Washington have been active in
increasing their privacy and security protections since then.
Where is this matrix of more stringent state law going? What
does it mean to institutions doing business across state lines?
Which states are leading the charge and who is following?
Session Objectives:
- List three ways in which states are employing laws that
are more stringent than HIPAA.
- Describe two specific state privacy-related laws that
are being considered for replication by other states and
what effect these laws are expected to have.
|
|
Monday, September 26
2:45 - 4:00 p.m.
Security Track
Seeking Your Contingency Plan: Are You
Hot, Cold or Warm?
Many AMCs are motivated to support extensive contingency plans
both because of HIPAA's requirement to have a contingency
plan and because of their growing concern about the loss of
availability of key systems. But these are expensive functions
to support to reduce the risk of very low frequency events.
How do you balance cost and benefit? How much testing is enough?
How do you choose between onsite backup, hot sites, cold sites,
and warm sites? Is business continuity insurance a part of
the plan? Hear the panel share their experience with addressing
these questions and respond to your questions.
Session Objectives:
- Describe the major factors involved in choosing which
type of recovery facility to use.
- Discuss whether other AMCs have chosen to have significant
recovery capabilities.
|
|
Monday, September 26
4:30 - 5:45 p.m.
Clinical Research Track
Beyond HIPAA Regulation Inside the Research
Quadrant
What about other federal laws and their impact on AMC behaviors
in research (e.g., NIH and FDA)? What are the expectations
for compliance with other mandates to protect patient data?
How do these regulations overlap with the Security rule?
Session Objectives:
- Describe other laws to protect patient data.
- Discuss how these other laws overlap with the HIPAA Security
Rule.
|
|
Monday, September 26
4:30 - 5:45 p.m.
Future Track
Identity and Access Management
Having closer and more centralized management of identities
and user access rights can be a challenge for many AMCs. There
is increasing pressure to better secure health information
and to ensure that only the people who have a need and right
to the information can access it. This session will address
the many challenges of managing identities and implementing
more granular access controls in an AMC setting. This includes
the types of strategies, solutions and practical implications
that AMCs are contemplating over the next 3-5 years.
Session Objectives:
|
|
Monday, September 26
4:30 - 5:45 p.m.
Security Track
Logging and Review: HIPAA Style
The HIPAA Security Rule requirements to log security-related
system activity and to review the logs for potential breaches
leave many AMCs wondering how to operationalize these ideas.
Hear the panel talk about how their AMCs are dealing with this
issue. Bring your own concerns and answers to share.
Session Objectives:
- Describe how other AMCs are interpreting the logging/review
requirement.
- Describe at least two approaches to assuring that the
reviews are being carried out.
|
|
Tuesday, September 27
9:15 - 10:15 a.m.
Plenary Session
Future AMC Privacy & Security Issues
When you consider the 3+ year time frame, what scenarios will
give rise to new challenges and opportunities in the area
of information privacy and security for AMCs? What can they
do to set the stage now for these scenarios and monitor their
development? Do implanted ID chips have a future? What would
happen with massive use of health records on smart cards?
These and other scenarios will be explored.
Session Objectives:
- Describe at least three likely scenarios that will require
a large change in information security and privacy programs.
- Describe at least three ways in which you can prepare
for these scenarios at your AMC.
|
|
Tuesday, September 27
12:30 - 1:45 p.m.
Clinical Research Track
Evaluating the Effectiveness of Your
Privacy and Security Programs
How are your privacy and security programs performing? What
is the compliance level with your various privacy and security
policies? What changes have been reasonably effective? How
have your privacy and security programs changed the overall
culture? The panelists will discuss these topics as seen from
their respective AMCs.
Session Objectives:
|
|
Tuesday, September 27
12:30 - 1:45 p.m.
Future Track
The Future of the Common Rule & its
Effect on Privacy & Security
The Common Rule was originally designed to support a common
set of requirements in the area of privacy for medical research
done with federal support. It was touted as a major improvement
over the 10+ rule sets in place before. Now HIPAA has added
its effects, the problems of dealing with multiple IRBs when
engaged in the increasingly popular multi-site trials have
emerged, and other nations are writing laws to support privacy.
Where is this complex of requirements for protecting privacy
when conducting medical research going over the next few years?
Session Objectives:
- List three problems that medical research will face over
the next 3-5 years in managing privacy.
- List three potential approaches to managing these problems.
|
|
Tuesday, September 27
2:15 - 3:30 p.m.
Clinical Research Track
The Impact of HIPAA Privacy on the Recruitment
Efforts for Clinical Trials
Now that the Privacy Rule is in place, what has happened with
the recruitment for clinical trials efforts? Are the restrictions
for candidate contact so tight that recruitment is hampered?
Listen to leading institutions who have varying experiences
discuss the impact of the HIPAA Privacy Rule on their recruitment
efforts.
Session Objectives:
|
|
Tuesday, September 27
2:15 - 3:30 p.m.
Future Track
International Security & Privacy:
Effects from Outsourced Services, International Medicine &
Research
Along with other industries, healthcare has become a more
global enterprise over the last few years. Single medical
research projects go on across national boundaries. Outsourced
services such as transcription are undertaken to save money
but raise privacy concerns. If the next deadly virus should
arrive on the afternoon flight, how should the public's
health and the privacy issues be balanced? The panel will
explore these topics and how their AMCs are addressing them.
Session Objectives:
- List three ways in which AMC privacy and security management
is being affected by the globalization of the healthcare
industry.
- Discuss trends related to privacy, security and global
health expected to affect AMCs over the next 3-5 years.
|
|
Tuesday, September 27
2:15 - 3:30 p.m.
Security Track
Emailing ePHI
Most AMCs are ambivalent about how to manage the emailing
of ePHI. While most see that the privacy/security of traditional
email is low, the attractiveness of using traditional email
is high. What to do? Should you require encryption? How can
you make secure messaging easy enough to win over clinicians?
Should you use a web site and SSL to support messaging? Will
having your patients accept the privacy risk if they want
to use email work? The panel members relate the considerations
and outcomes of the debate at their AMCs on this topic.
Session Objectives:
- Describe the major techniques for providing secure email.
- Describe rejected alternatives from at least two AMCs.
|
|
Tuesday, September 27
4:00 - 5:15 p.m.
Clinical Research Track
Information Risk Mitigation in the Conduct
of Research
Once risks are identified, they must be managed in order to
maintain institutional integrity and HIPAA compliance. Regardless
of the AMC's designation model, risks exist in the creation,
use, storage or transmission of data. This panel will discuss
mitigation plans used to manage such occurrences through federal
mandates, encryption standards, vendor agreements, sanctions,
etc.
Session Objectives:
|
|
Tuesday, September 27
4:00 - 5:15 p.m.
Future Track
RHIOs: New Security and Privacy Issues
The introduction of information systems at more health care
sites and functions is being pursued enthusiastically at conferences,
by government, and at AMCs. Further, the typical vision calls
for widespread sharing of individual health data to improve
safety, effectiveness and efficiency. But doing so introduces
problems and opportunities in privacy and security that are
not part of our current world. How can the problems be engaged
and the opportunities exploited to assure that the confidentiality,
availability and integrity of data are maintained or improved?
How do patients perceive this move to greater connectivity
and information sharing?
Session Objectives:
- List four problems and opportunities associated with the
widespread use of interconnected health information systems.
- Identify three key early efforts to solve these problems
and/or exploit the opportunities.
|
|
Tuesday, September 27
4:00 - 5:15 p.m.
Security Track
Risky Business: Analyzing Your AMC's
Security Risk
Volumes have been written about doing security risk analysis.
Yet carrying out this HIPAA-required process seems to leave
many AMC security leaders concerned and perplexed. Do you
need an overall analysis for your AMC, one for each system,
or something in between? Which risks are reasonably
anticipated? The panel offers their expert advice on
how to carry out the risk analysis process in an effective
and efficient way.
Session Objectives:
- Describe how at least two AMCs manage their risk analysis
process.
- Discuss how to determine whether a proposed risk is reasonably
anticipated or not.
|
|
Wednesday, September 28
9:00 - 10:15 a.m.
Clinical Research Track
Tying Up Loose Ends in Research
There are a plethora of disclosures subject to accounting.
We get the obvious ones: required by law, communicable
diseases, tumor registries, law enforcement. But what about
some of the others: CMS submissions through your ORYX
vendor, research disclosures without individual authorization,
disclosures allowed under the transition provisions? Hear
your panelists talk about how their AMCs have addressed these
and other documentation and logging processes. What is happening
in those organizations that are creating their own research
software? What are the issues of access logging and change
control that they face?
Session Objectives:
|
|
Wednesday, September 28
9:00 - 10:15 a.m.
Future and Security Track
Authentication: Traditional & Innovative
Techniques
What kind of password policies are AMCs using now? Have group
accounts really gone away? Are any AMCs using biometrics,
smart cards or proximity detectors to aid in authentication?
Is single sign-on in use anywhere? The panel discusses what
their AMCs are doing with today's tools for authentication.
Bring your own hot question or brilliant solution to authentication
to this session.
Session Objectives:
- Describe how AMCs are assuring that passwords are robust.
- Describe what uses AMCs are making of smart cards and
biometrics to authenticate users.
|