Session Descriptions

Sunday, June 10
Pre-Conference Training Session
12:30 - 4:30 p.m.

An Overview of the (ISC)2 Ten Domains of the Information Security Common Body of Knowledge (CBK)
IT security and privacy requirements for protecting health information are becoming more and more challenging. Healthcare professionals are beginning to confront the additional security planning and process definition needed for exchanging information among entities across regional networks. (ISC)2 has been a leader in information security certification for nearly two decades. Its Certified Information Systems Security Professional (CISSP©) certification is recognized as the premier certification across industries and national boundaries. The Ten Domains of the Security CBK characterize the security structure within most organizations, and are consistent with approaches in a number of other standards initiatives.

This session will provide a familiarization with each of the Ten Domains - referencing the (ISC)2 framework within the Study Guide - with emphasis on healthcare environments and protecting private health information. The objectives will be to introduce the material needed to prepare for the CISSP exam and to offer a structured study plan for further preparation for the CISSP and/or other related certifications, such as the Certified Healthcare Security & Privacy Professional (CHPS).

Audience: Information systems professionals, healthcare attorneys, and CIOs seeking to obtain a grounding in information security concepts, principles, practices, and terms.

Cost: $500 includes lunch, ½ day registration, and copy of the Official (ISC)2 Guide to the CISSP Exam, November, 2006 edition.

Instructor: James C. Murphy MSIS; GSEC, CISSP-ISSMP, CISA (NC DHHS Office of MMIS Services)

Sunday, June 10
Pre-Conference Workshop
12:30 - 4:30 p.m.

Business Continuity Planning Workgroup for Healthcare Organizations (BCPWHO) Workshop

  • Overview of BCPWHO
  • Certification Process - Education Track
  • Standards - HIPAA Security Regulations
  • JCAHO / NFPA 1600 Standards
  • Disaster Recovery and Business Continuity Planning for Clinical Environments

Disaster programs within healthcare organizations continue to evolve from IT recovery to the continuity of hospital operations and patient care, building and personnel safety, and emergency management. Ensuring that patient care and operations are not compromised during a hospital or community disaster requires more resources, planning, training, and exercising. Business Continuity professionals are now collaborating with other private and healthcare organizations, local, state and federal governments to develop community-wide disaster strategies.

The first two sessions will introduce the attendees to BCPWHO, the Business Continuity Planning Workgroup for Health Organizations. BCPWHO will inform the attendees on how these collaborative disaster strategies are changing the profession and the educational opportunities to keep abreast.

The standards session will offer guidance on how to craft policies and plans that will comply with HIPAA, NFPA 1600, and JCAHO's standards.

The final session on disaster recovery and business continuity for clinical environments will provide an overview of risk management, data criticality, and how to develop recovery time objectives that support your organization's critical missions.

Audience: Business continuity and disaster planners, facilities operations and emergency managers, and healthcare system/network security professionals seeking to improve professional knowledge and career opportunities; Privacy and Security officials seeking more understanding of the breadth of disaster planning

Cost: $100 includes lunch, ½ day registration, session presentations, and disaster planning and testing workbook to include Business Impact Analysis templates, System Criticality Ranking & Criteria, Risk Assessment Worksheet & Criteria, Project Go Live Checklist, Emergency Preparedness Checklists, Hospital JCAHO Drill Evaluation Forms and more.

Instructors: Anne Marie Turner, CBCP (University of Rochester Medical Center and Strong Health) and Kevin Chenoweth (Vanderbilt University Medical Center Informatics Center)

Monday, June 11
Plenary Session
9:00 - 10:15 a.m.

Preparing Your AMC Privacy and Security Programs for the New e-Discovery Rules
The new (now active) e-discovery rules amend the Federal Rules of Civil Procedure to describe what responsibilities an AMC (or any party) has to preserve and provide electronic information relevant to federal litigation. Is your AMC prepared to provide the required data? Could you practically limit your disclosures to only the required data? The panelists will discuss approaches to the new rules.

Session Objectives:

  • List at least three areas of an AMC's electronic information practices affected by the new rules
  • Describe at least approaches to complying with the new rules

Panel Leader: Sissy Holloman (UNC)
Panel: Clyde Hewitt, Sharon Klein (Pepper Hamilton LLP)

Monday, June 11
Compliance/Governance Track
10:45 a.m. - noon

Identity Management and Federated IdM in the AMC Setting
The numbers and frequency of user changes with Academic Medical Centers strain traditional user/access provisioning processes. Contemporary identity management and/or user provisioning systems may present an alternative solution. Federated ID management solutions may provide a dynamic and flexible enhancement to traditional ID management solutions.

Session Objectives:

  • Identify whether there is a need for considering identity management and/or federated systems in AMCs
  • Describe the pros and cons of implementing identity management systems
  • Discuss opportunities and challenges in designing/selecting identity management systems

Panel Leader: Gary Christoph (Teradata Government Systems, Inc.)
Panel: Michael Gettes (Internet2), Ron Martin (Initiate Systems), Rob Montgomery (Argosy Omnimedia), Bill Willis (NC OITS)

Monday, June 11
Research Track
10:45 a.m. - noon

Centralized Research Computing Facilities: Security and Privacy Improvements
Organizations who have not done so in the past are considering ways to establish a research computing facility (RCF) to cater to the unique needs of research under the operational direction of a group dedicated to providing the one-off services and solutions.

Session Objectives:

  • Describe some of the investment challenges associated with a research computing facility
  • Discuss the major political hurdles that AMCs face in the development of these facilities
  • List the current means of protecting the data management

Panel Leader: James Kaylor (University of Pennsylvania School of Medicine)
Panel: Jerry York (University of Texas Health Science Center)

Monday, June 11
Security Track
10:45 a.m. - noon

Business Continuity Management: Governing a Critical AMC Function
The landscape for managing risk has changed and Business Continuity Management has now become a mainstream corporate-level management function. Business requirements have elevated availability of mission critical functions from days to hours or minutes. Panelists will share their experiences on the ever-expanding roles of disaster recovery, business continuity planning and recovery.

Session Objectives:

  • Describe at least one key difference between disaster recovery, business continuity planning and recovery.
  • List at least three critical aspects of business impact analysis, recovery time objective, and recovery point objective and how they comprise a disaster recovery strategy.

Panel Leader: Rod Lanners (Mayo Clinic)
Panel: Philip Curran (Cooper University Hospital)

Monday, June 11
Compliance/Governance Track
1:00 - 2:15 p.m.

A Common Language for Compliance Audits
Traditional compliance programs may not be adequate to address the auditing environment present in the regulatory requirements of Academic Medical Centers. A common language defining the IT governance model and security/privacy program can clarify the compliance audit process.

Session Objectives:

  • Identify whether there is a need for considering a common language for compliance audits
  • Describe the pros and cons of using a common language
  • Discuss opportunities and challenges in creating a common language

Panel Leader: Phyllis Patrick (Hospital for Special Surgery)
Panel: Joan Podleski (Washington University in St. Louis), Juliann Tenney (Duke University)

Monday, June 11
Research Track
1:00 - 2:15 p.m.

Where Are We in Meeting the Institutional Challenges of Incorporating Effective Privacy Mechanisms into the Research Process?
The privacy regulation has evolved over the years, in particular, to address many of the concerns presented by the research community. This session will explore how institutions are preparing their investigators and IRBs to manage issues such as recruitment and data sets appropriately.

Session Objectives:

  • Discuss current guidance as it pertains to research
  • Describe the education of investigators and IRBs and the recruitment communication with both investigators and participants
  • List data-sharing approaches

Panel Leader: Mark Weiner (University of Pennsylvania)

Monday, June 11
Security Track
1:00 - 2:15 p.m.

Business Continuity Management: Planning and Execution
When disaster strikes and contingency plans are invoked, preparedness pays off as primary business functions recover at secondary locations. Panelists will share their perspectives, strategies and experiences on operationalizing plans and avoiding pitfalls.

Session Objective:

  • List at least three ways to continue your primary business functions at your recovery location and to return to your primary location.

Panel Leader: Rod Lanners (Mayo Clinic)
Panel: Philip Curran (Cooper University Hospital)

Monday, June 11
Compliance/Governance Track
2:45 - 4:00 p.m.

How Do You Protect Your PHI and Your Compliance Posture with Your Private Physician Practices?
Physician and AMC relationships can be complicated by IT and network support considerations and further complicated by disparate practice management systems. These relationships and interactions can cause the liability of the AMC to be heavily disproportionate if there is a privacy breach/security incident, despite any existing Business Associate Agreements (BAA). At a minimum, the AMC could suffer adverse publicity, regardless of any regulatory, monetary and/or civil penalties.

Session Objectives:

  • Describe various approaches to limit liability through the establishment of rules of engagement
  • Identify mitigation tactics to effectively function in a multi-user, mobile and varied platform, and perimeter-less environment
  • Discuss practical methods of attaining and maintaining a sound privacy and security compliance posture for all authorized users of AMC ePHI, regardless of their relationship to the AMC

Panel Leader: Pete Chesterton (University of Rochester Medical Center)
Panel: Jim DiDonato (Bay State Health System), Wayne Martin (University of Virginia Health System)

Monday, June 11
Research Track
2:45 - 4:00 p.m.

How are AMCs Dealing with the New Security VA Rules of Engagement for Collaborative Research?
The VA, in response to a series of stolen laptops which bore patient data, has decided that it must protect VA data at all cost. What are these security changes going to mean to our AMCs who have invested in shared research with the VA? Who is going to pay for the certification and accreditation of the server environments?

Session Objectives:

  • Describe some of the lessons learned from HIPAA that may help leverage some of the required security measures
  • Discuss whether these mandates mean the end of mobile devices to AMCs who share data
  • Describe a systematic way to meet the requirements and maintain the valuable research collaboration

Panel Leader: James McNamee (University of Maryland School of Medicine)
Panel: Jerry York (University of Texas Health Science Center)

Monday, June 11
Security Track
2:45 - 4:00 p.m.

Emerging Security Threats and Countermeasures at AMCs
Managing security is an endless game of moves and countermoves. As threats continually evolve, so must countermeasures. Foreseeing emerging threats and managing to them requires security experts, visionaries, technologists and a bit of salesmanship. Discerning a clear and present danger from a falling sky is as much art form as science in AMCs where committees and consensus rule. This panel will describe how they handle these issues in their AMCs.

Session Objectives:

  • List three ways to form a consensus about which new threats to pursue in your AMC
  • Discuss three emerging security threats and three emerging security counter-measures for AMCs

Panel Leader: Ken Lobenstein (University of Missouri)

Monday, June 11
Plenary Session
4:30 - 5:45 p.m.

e-Discovery Management Practices: How Are We Going to Handle this e-Discovery Problem?
This session will look at the tactical issues associated with operating in a way that meets the requirements of the new e-Discovery Rules. A short mock deposition will serve as the springboard for the discussion. The session will complement the sessions on e-Discovery, Computer Forensics and Risk Management.

Session Objectives:

  • Describe how your institution can be prepared to comply with an e-Discovery request
  • List at least three ways in which your institution's risk from e-Discovery can be properly managed

Panel Leader: Sissy Holloman (UNC)
Panel: Clyde Hewitt, Sharon Klein (Pepper Hamilton LLP)

Tuesday, June 12
Plenary Session
9:00 - 10:15 a.m.

Privacy and Security Implications of Current and Proposed Large Data Sharing Projects/Proposals
AMCs are involved in many large-scale data sharing projects ranging from disease registries to tissue banks to RHIOs and the Nationwide Health Information Network. These all have privacy and security as key issues. How are these issues being addressed? The panelists will give insights from their work.

Session Objectives:

  • List at least three key privacy and/or security issues associated with large multi-institution projects that involve sharing protected health information
  • Discuss at least three aids in addressing the privacy/security issues

Panel Leader: Dave Kirby (Kirby IMC)
Panel: Beth DeLair (University of Wisconsin Hospitals & Clinics)

Tuesday, June 12
Compliance/Governance Track
10:45 a.m. - noon

The Information Security-Legal-Human Resources Partnership
The security-legal-human resource partnership embodies the cycle of information assurance through people, process and technology. Understanding and leveraging this relationship is critical in complex Academic Medical Center environments.

Session Objectives:

  • Identify whether the security-legal-human resources partnership is important for effective security/privacy management in the AMC setting
  • Describe the organizational considerations that can influence the security-legal-human resources partnership in the AMC setting
  • Discuss opportunities and challenges resulting from security-legal-human resources partnerships

Panel Leader: Linda Malek (Moses & Singer, LLP)
Panel: Leah Guidry (Huron Consulting Group), Donald Koenig, Jr. (Catholic Healthcare Partners), Daniel Lohr (Geisinger Medical System), Laurie Radler (Montefiore Medical Center)

Tuesday, June 12
Research Track
10:45 a.m. - noon

New Security Practices in Medical Research
This session will focus on tools being developed to improve security of research data and meet regulatory requirements. It will explore de-identification methods being utilized and the merits of new approaches, federated agreements and data-sharing applications.

Session Objectives:

  • Discuss how various AMCs are de-identifying data
  • Describe federated trust agreements and their use for research
  • Identify access and auditing tools used by AMCs

Panel Leader: Bill Weems (University of Texas Health Science Center)
Panel: Doc Muhlbaier (Duke University School of Medicine)

Tuesday, June 12
Security Track
10:45 a.m. - noon

Remote Access: Who Can Get to Your Data?
How far does the medical practice extend? To the home, cabin, airport or cyber-café? Are some technologies more useful, supportable, secure or manageable than others for providing remote access? How does remote access impact the corporate risk model? The panel will explore these questions and offer practical advice and strategies to managing remote access risks in AMCs that know no boundaries.

Session Objective:

  • List at least three ways to mitigate risk in remote access

Panel Leader: Ed Plein (Mayo Clinic)
Panel: Jim Murphy (NC DHHS Office of MMIS Services)

Tuesday, June 12
Compliance/Governance Track
1:00 - 2:15 p.m.

Leveraging Automation for a More Effective Compliance Program
Exploring and leveraging automation tools may help to create more effective compliance programs. In addition, automation tools may help address the differing risk and audit requirements of the academic and medical sides of Academic Medical Centers.

Session Objectives:

  • Identify potential automation tools for creating a more effective compliance program in an AMC setting
  • Describe the pros and cons of automation tools in relation to the AMC setting
  • Discuss opportunities and challenges in designing/selecting automation tools for effective compliance programs on the academic and medical sides of AMCs

Panel Leader: Brian Bates (UAB Medical Center)
Panel: Joan Hicks (UAB Health System), Joan Podleski (Washington University in St. Louis), Patricia Pritchett (University of Alabama Health Services Foundation, PC)

Tuesday, June 12
Research Track
1:00 - 2:15 p.m.

Privacy and Security Issues Involved in the New Translational Science Centers Recently Funded by NIH
NIH has created a national consortium that will transform how clinical and translational research is conducted, ultimately enabling researchers to provide new treatments more efficiently and quickly to patients. But how will the privacy and security issues in the vast new initiatives be managed?

Session Objectives:

  • List the objectives of the CTSA consortium
  • Discuss the impact of workflow reengineering
  • Describe policy development for shared resources

Panel Leader: Robert Curley (University of Pennsylvania School of Medicine)
Panel: James Kaylor (University of Pennsylvania), Bill Weems (University of Texas Health Science Center)

Tuesday, June 12
Security Track
1:00 - 2:15 p.m.

Portable Device and Removable Media Security
As a confidentiality control, encryption has traditionally protected information transmitted over unsecured channels, such as the Internet. Increasingly it’s used as an access control for securing stored data. Either way, a myriad of regulations, strategies, best practices and commercial products have muddied the waters to where the average Joe is left scratching his head. AMCs must rise above the confusion to encrypt everything from high-risk e-mail to password files in applications to database fields containing Social Security numbers.

Session Objective:

  • List at least three scenarios in which it would be appropriate to employ encryption to protect information in transit and at rest

Panel Leader: Wayne Martin (University of Virginia Health System)
Panel: David Houlette (VCU Health System), Thi Nguyen-Huu (WinMagic Data Security)

Tuesday, June 12
Compliance/Governance Track
2:45 - 4:00 p.m.

Information Technology Governance in the AMC Setting
The different user populations, data requirements, and compliance environments represented in Academic Medical Centers may require innovative and creative responses to traditional IT governance models.

Session Objectives:

  • Identify various governance models available for use in AMC settings
  • Describe the pros and cons associated with the IT governance models
  • Discuss opportunities and challenges posed by IT governance models in the AMC setting

Panel Leader: Sharon Budman (University of Miami Medical Center)
Panel: Colleen Ebel (University of Florida Health Science Center), Ross Jannsen (University of Minnesota), Ishwar Ramsingh (University of Miami)

Tuesday, June 12
Research Track
2:45 - 4:00 p.m.

Managing Privacy and Security in Multi-Center Research Programs
BIRN, caBIG and other large multi-institutional projects have spent the last several years tackling the tough issues around sharing of research resources and more importantly research data. The session will provide background on how the large projects have handled these issues to date.

Session Objectives:

  • Describe tools for data sharing used by other AMCs
  • Discuss how AMCs develop policies for data sharing

Panel Leader: David Fenstermacher (H. Lee Moffitt Cancer Center and Research Institute)
Panel: James Kaylor (University of Pennsylvania School of Medicine), Frank Manion (Fox Chase Cancer Center)

Tuesday, June 12
Security Track
2:45 - 4:00 p.m.

The Role of Computer Forensics in Managing Legal and Business Risk
Collecting, preserving and examining electronic evidence for admission in court is becoming the rule with technical investigations in AMCs. In this regard the information security function works with, and supports, other corporate risk management functions—legal, external counsel, human resources, audit, compliance and physical security. Lawsuits, research misconduct incidents, financial fraud and serious personnel matters warrant investigative diligence and rigor. This session will outline essential tools of the trade, chain of custody and the importance of working together with other corporate risk management groups.

Session Objective:

  • List at least three scenarios in which it would be appropriate to invoke computer forensics processes to help manage corporate legal risk

Panel Leader: Frank Krahn (Mayo Clinic)
Panel: Joe Colaiano, JD (Mayo Clinic), Mike Dockery (Cincinnati Insurance Companies)

Wednesday, June 13
Compliance/Governance Track
9:00 - 10:15 a.m.

Risk Management in the Academic Medical Center Setting
Security and privacy concerns of the academic and medical side of the Academic Medical Center setting pose unique issues related to risk identification and management. An effective risk management program in the context of the traditional openness of the academic setting versus the need-to-know of the medical setting may address these issues.

Session Objectives:

  • Identify the dynamics of the risk environments on the academic and medical sides of the AMC setting
  • Describe whether a single risk management strategy is appropriate in AMC settings
  • Discuss opportunities and challenges of designing/selecting an effective risk management strategy for an AMC

Panel Leader: Angel Hoffman (University of Pittsburgh Medical Center)
Panel: Jim DiDonato (Bay State Health System), Soumitra Sengupta (NY Presbyterian Hospital)

Wednesday, June 13
Research Track
9:00 - 10:15 a.m.

Managing Privacy and Security in Tissue Repositories
Human subject protections are applicable not only to clinical trials but also to the use of human biological materials in research studies, including basic science projects. AMCs conduct biomedical research to increase knowledge and understanding of biology, but how are they handling the sensitive privacy and cross-institutional security issues?

Session Objectives:

  • Describe how AMCs are maintaining linkage and identifiable data
  • Discuss how AMCs are managing future, unspecified research consent
  • Describe how AMCs can align activity with federal and local laws
  • List ways to maintain consistency in policy and forms across sites

Panel Leader: P. Pearl O'Rourke (Partners HealthCare System)
Panel: Doc Muhlbaier (Duke University School of Medicine)

Wednesday, June 13
Security Track
9:00 - 10:15 a.m.

Managing Security across an Organization in a Perimeter-less Environment
An effective security management program addresses threats at the infrastructure level, at the intersystem communication level and at the application level. From firewalls, intrusion detection and vulnerability scanning to functional area security administrators performing the hands-on role of access, authorization and audit control, multifaceted strategies are necessary to manage corporate risk. The panelists will share their approaches to this challenge.

Session Objectives:

  • List the three levels of information infrastructure to which security must be applied
  • Describe at least one good security management practice at each level

Panel Leader: Jon Brown (Wake Forest University Baptist Medical Center)
Panel: Ken Lobenstein (University of Missouri)

Wednesday, June 13
Plenary Session
10:45 a.m. - noon

Conference Wrap-Up & Discussion
As is our tradition, this session consists of a structured discussion facilitated by the conference co-chairs. What did you learn that was most valuable? What was less interesting than you thought at first? What do you expect to make use of quickly? How was the conference format/content generally? Do you want to do another conference and when? What should be different next time?

Session Objectives:

  • List at least three key useful results from the conference sessions
  • List at least three items you expect to use soon after returning home

Panel: Dave Kirby (Kirby IMC) and Doc Muhlbaier (Duke University School of Medicine)