
Session Descriptions

Below is a description of the sessions in each track. Please see the agenda for the times of each session.

Plenary Track

e-Discovery Emerging Issues & Solutions
This session will explore the emerging issues and solutions around the legal discovery process as it affects electronic records. Policies and practices about record retention, selecting appropriate records in response to an e-discovery action, protecting the AMC while responding in good faith, and other relevant issues will be covered.

Session Objectives:

  • Discuss three key issues in forming an e-discovery policy
  • Describe at least one technique for balancing responsiveness to the e-discovery action with protection of the AMC and its clients

Regulatory Exchange
Potential changes in regulations that affect AMC privacy and security practices are always keen points of interest. Interest is increased at the start of a new federal administration -- both for AMCs and for the regulators. Come hear AMC leaders describe their regulatory interests to key privacy and security regulators, and listen to the regulators describe the agenda in their areas of responsibility. Bring your own concerns to the Q&A portion of the session.

Session Objectives:

  • Describe at least three areas of interest among AMCs for changes in regulations affecting privacy and security
  • Identify at least three areas in which regulatory change in the areas of privacy and security may occur over the following four years

Effects on AMCs of the HIT Stimulus Bill
The new "stimulus bill" has over $20B in spending to support health IT (HIT) along with several new additional privacy and security requirements for HIPAA covered entities and others. What will be the primary and secondary challenges and opportunities for AMCs from this legislation? How will the federal government structure that supports HIT change? How will the timing of the implementation of the provisions of the law matter? What will be the fallout for AMC privacy and security leaders? Join this session for a hearty discussion of these issues.

Session Objectives:

  • Describe at least two major changes to privacy and security law affecting AMCs in the bill
  • List the major areas for which the bill will appropriate money
  • Discuss at least one way in which the federal government's approach to HIT that affects AMCs will change

Compliance/Governance Track

Health Information Sharing: A Plethora of Compliance, Privacy & Security Issues for AMCs
RHIOs, IHEs, Health Information Registries, Health Information Trusts/Banks and Benchmarking: AMCs are bombarded with requests for PHI from many different sources. Some requests are justified as related to patient care, quality assurance or public health concerns. Others are questionable. Panelists and participants will discuss the myriad of common requests for sharing PHI and their approach to resolving which ones to participate in and how to carry out participation in a secure manner using the minimum necessary information.

Session Objectives:

  • Describe the range and categories of requests for PHI sharing made of AMCs
  • Distinguish which requests represent a beneficial participation from those to avoid
  • Discuss the various approaches employed by AMCs to administer and follow-up on PHI sharing requests
  • Evaluate the best methods for your institution for secure and minimum disclosures

An Overview of How AMCs are Managing Data in an Increasingly Complex Regulatory Environment
A complex regulatory environment emphasizes the need for a comprehensive data classification program. Such classification of information dictates the retention, use and disclosure of such data. An AMC may not have a good understanding of the types of data being collected, retained and used within its structure. Discussions will encompass potential data classes and the governance structure to manage the information life cycle of data from cradle to grave.

Session Objectives:

  • Identify the various levels of data classification
  • Describe how such classification and retention schemes may be implemented by an AMC
  • Discuss the cooperation needed between IT, HIM, General Counsel, Compliance, Records Management and Leadership etc. to establish an information management program

Best Practices for Compliance
How are we organized for compliance? How do we educate about compliance? How do we audit compliance? AMCs face many challenges with respect to compliance. How do we reach all members of the staff, including physicians? Panelists and participants will exchange ideas for organization of compliance departments and policies, methods of educating throughout our organizations, and the best ways to audit compliance training efforts.

Session Objectives:

  • Discuss the interaction and dependence of various AMC functions, both clinical and administrative, necessary for effective compliance
  • Examine various approaches to productively organize and leverage all levels of the organization to attain overall governance and improved and sustainable compliance
  • Describe the critical contribution of education of the entire workforce, and examine methods of delivery and maintaining awareness
  • Identify the methods employed by AMCs in measuring and reporting critical success factors for overall compliance status

AMC Security, Policy & Training Responses to Protecting Sensitive Data in an Ever-Increasing Environment of Mobile Devices & Removable Media
This is a companion to a technical session on mobile security in the Security Track. Staff leave flash drives in coffee shops and laptops in unlocked cars. What’s an AMC to do? Share best practices for policies and education associated with mobile devices and removable media.

Session Objectives:

  • Describe the vulnerabilities and associated threats that surround mobile devices, removable media, and remote access
  • Discuss how AMCs are approaching safeguarding both the devices and the sensitive information they contain, with an emphasis on minimizing the human factor in the security equation
  • Identify what training and specific policies are needed to enable compliance and mitigate risk

Tools for More Efficient & Effective Compliance: The What, How & How Much
Tools exist to assist AMCs in tracking and enforcing compliance. Panelists will provide information on available tools and their cost, and how to use the tools to your best advantage.

Session Objectives:

  • Describe the costs of compliance: direct, indirect and hidden
  • Explain how some AMCs are approaching compliance on a cost/benefit basis
  • Discuss what tools enable more effective and efficient compliance activities, and the effects of investment in these tools

Sleepless in the AMC: e-Discovery's New Challenges
A companion to the e-Discovery session in the Plenary Track. Now that we understand a bit more about how e-Discovery works, how can we best manage our information to respond appropriately?

Session Objectives:

  • Describe AMC approaches to implementation of the e-Discovery mandates - what works, what doesn’t
  • Discuss the nexus between effective e-Discovery and sound, enterprise-wide information management
  • Describe the new means of data capture, routing and taxonomy being studied to improve accessibility, accuracy and response times

Compliance Issue Free-for-All: All You've Ever Wanted to Know About Compliance Issues in Information Management, but Were Afraid to Ask
A facilitated group discussion about pressing issues facing AMCs in compliance and governance.

Late-Breaking Issues
Emerging compliance/governance issues.

Research Track

CTSA Initiative: Impact on AMC Privacy & Security
Science is more collaborative and complex. The Clinical and Translational Science Awards (CTSA) consortium will require highly interactive human networks to share information in new ways. How are AMCs addressing the security and privacy issues inherent in the infrastructures that will be required?

Session Objectives:

  • Identify where the CTSA program is driving AMCs
  • Describe how the CTSA is addressing security and privacy considerations for collaborative environments
  • Discuss the tools and resources being developed by the CTSA program or sites

Privacy & Security Aspects of Clinical Trials
AMCs are creating vibrant sites for translational medicine and using clinical trials systems to their advantages. This session explores some of the issues and best practices in this area.

Session Objectives:

  • Describe the differences between operational and research computing and why AMCs are struggling with this
  • Discuss strategies AMCs are employing to reuse and leverage data
  • Identify the federal regulations that apply and how to manage them

FISMA Compliance: Exploring the AMC Impact
The Federal Information Security Management Act of 2002 (FISMA) has many components, but most relevant to AMCs is a consistent framework for information security across the entire federal government. FISMA is intended to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information. Is it the right approach for AMCs? Can we leverage current security efforts to address FISMA?

Session Objectives:

  • Discuss FISMA requirements for shared data access
  • Describe the FISMA risk management framework

VA Information Security & Clinical Research Policies
In 2007, the Department of Veterans Affairs (VA) implemented a privacy and information technology security policy and data security requirements for all research within the VA. How has this affected AMCs who work closely with the VA on research?

Session Objectives:

  • Discuss the technical requirements for systems compliance
  • Describe efforts of AMCs to address the VA security policy
  • Identify options that will enable institutions to comply with the policy

Managing Informatics Resources for Collaborative Research
Strides in biomedical research portals to share information and support research will require organizations to develop methods to manage this information in a secure manner.

Session Objectives:

  • Discuss ways to enforce compliance with data standards and data security standards
  • Describe the strategies developed by AMCs

Genetic Privacy & Personalized Medicine: The Impact on AMC Research
One aspect of personalized medicine is to bring research and clinical information together to predict potential aspects of a person's future health. There has been a great deal of press around personalized medicine and its potential benefit to society. However, progress has lingered due to the many unaddressed privacy and security issues related to incorporating such sensitive information as genetic markers into patient records.

Session Objectives:

  • Discuss the concept of personalized medicine and current genetic legislation
  • Describe how some organizations are addressing the policy issues
  • Identify options that will enable institutions to prepare for the privacy and security requirements of personalized medicine

Conflict & Synergy in Privacy & Security Practices & Policies Between AMCs & Their Associated Universities
Many AMCs are closely associated with a university and negotiate privacy and security practices in the context of this association in order to reduce costs, simplify policy, and smooth practice. But AMCs and universities have differing priorities that give rise to needs for some difference in policy and practice (e.g. patient privacy vs. academic freedom). This session explores how such AMCs negotiate their policy and practice connections in the areas of privacy and security with their associated universities.

Session Objectives:

  • Identify at least three issues in which AMCs and their associated universities usually find some differences that require compromise
  • Describe at least three areas in which AMC and university cooperation yields a win-win

Late-Breaking Issues
Emerging research issues.

Security Track

The Role of Computer Forensics in Managing Legal & Business Risk
Collecting, preserving and examining electronic evidence for admission in court is becoming the rule with technical investigations in AMCs. In this regard the information security function works with, and supports, other corporate risk management functions -- legal, external counsel, human resources, audit, compliance and physical security. Lawsuits, research misconduct incidents, financial fraud and serious personnel matters warrant investigative diligence and rigor. This session will outline essential tools of the trade, chain of custody and the importance of working together with other corporate risk management groups.

Session Objective:

  • Describe the security - legal partnership required to conduct technical investigations and e-discovery

PCI-DSS Strategy
The Purchase Card Industry Data Security Standards (PCI-DSS) have many new requirements that AMCs are finding challenging, such as encryption of data at rest and third party vulnerability testing. The typical AMC has dozens to hundreds of such accounts. Is your AMC compliant? Can you put the fines on your credit card? Objectives for the session include a high-level understanding of requirements, conducting a risk analysis and sizing the work, developing a policy and cross-departmental/cross-site team(s) to conduct compliance work, and developing a process to ensure ongoing compliance and streamline evaluation of new merchant accounts.

Session Objective:

  • Discuss strategies for complying with PCI requirements

Managing Sensitive Electronic Information on Mobile Devices & Removable Media
Big data losses, including the loss that kicked off the VA security policy changes, have been high profile events and have led to a new level of attention to securing laptops. In this session we’ll explore practical approaches and security solutions to securing laptops, convergent technology devices and media. We’ll also discuss the appropriateness of technical controls vs. “soft” controls, e.g., policy, education and awareness training. We’ll include suggested outlines of business considerations for an enterprise laptop encryption solution with an eye toward contracts and licensing, centralized management and reporting, key escrow, user considerations, rollout and integration with other services and infrastructure.

Session Objectives:

  • Describe the risks of mobile computing and removable media
  • Discuss available countermeasures to reduce likelihood of losses and compromises

Measuring the Success of Your Security Programs: Information Security Metrics
Standards-driven security programs require metrics to evaluate the effectiveness of controls. Measures across the business lines of medicine, research, education and administration (including finance, for-profit entities, insurance companies, etc.) mapped against risk are needed to provide the data necessary to manage programs. Measures also support reduced insurance premiums for risk associated with security losses. The challenge with security metrics is measuring what's prevented and doesn't occur. This session will outline the characteristics of good metrics and types of insurance risk transfer options, and include examples that meaningfully measure the effectiveness of controls.

Session Objectives:

  • List at least two ways to measure the effectiveness of security controls
  • Describe at least one way in which security measures may lower insurance premiums related to security breaches
  • List at least two good metrics characteristics

Securing Remote Access
How far does the medical practice extend? To the home, cabin, airport or cyber-café? Are some technologies more useful, supportable, secure or manageable than others for providing remote access? What are some methods for centralizing and automating administrative processes? How can Network Access Control make remote access services more secure? The panel will explore these questions and offer practical advice and strategies for managing remote access risks in AMCs that know no boundaries. Attendees will hear perspectives on remote access risk management and see examples of risk mitigation.

Session Objectives:

  • Describe how some AMCs are administratively and technically managing remote access risks
  • Develop useful strategies for centralizing and automating these services

CMS & OIG HIPAA Security Rule Enforcement (So You're Being Audited, What Do You Do?)
Many AMCs have noted recent announcements and press communiqués related to increased HIPAA Security reviews. This session will offer practical advice to prepare for the G-Men. With the understanding that these reviews will focus top-down on how entities have incorporated the requirements into holistic security programs rather than taking a typical bottom-up audit approach, the session will discuss some of the most important aspects of an information security program from a regulatory context: assigned responsibility, overall risk analysis and risk management, documentation, and ongoing assurance of program effectiveness and appropriateness.

Session Objectives:

  • Discuss how AMCs are preparing for evaluation of their security programs
  • Identify how to prepare your organization for a security audit

Legal Aspects for Offshoring
International business ventures raise information security challenges requiring mitigation through administrative processes such as creative contracting, third-party security certifications and strong information security-legal partnerships to manage risks associated with international jurisdiction and asset ownership and control. The session will explore existing international standards, best practices and the trust relationships necessary to make them work.

Session Objective:

  • Discuss strategies for managing risks inherent in offshore business operations

Preparing for an External Audit of Your Information Security Program
Standards-based information security management can streamline the process of serving several regulatory masters – HIPAA, Joint Commission, Sarbanes-Oxley, the FDA and others. The overlap in controls requirements amongst regulations is considerable, and demonstrating satisfaction of a set of ISO standards can, in turn, satisfy regulatory compliance requirements and industry security initiatives like PCI. This session will explore the overlap in regulatory controls requirements and how they map to ISO standards, and offer practical advice for implementing a standards-based information security program.

Session Objectives:

  • List the key overlapping security management standards for AMCs
  • Describe at least three strategies to provide concurrent compliance with many of these standards