Health Care Security Essentials
Health Care Security Essentials is designed to provide SANS students with an introduction to current and emerging issues in health care information security and regulatory compliance. The class provides a foundational set of skills and knowledge for health care security professionals by integrating case studies, hands-on labs, and tips for securing and monitoring electronic Protected Health Information ("ePHI"). Administrative insights for those managing the many aspects of health care security operations will also be discussed. The goal of the course is to present a substantive overview and analysis of relevant information security subject matter that is having a direct and material impact on the U.S. health care system.
HST.1: Day 1
Module 1: Overview of Health Care Information Security
The theft of sensitive health care information continues to challenge covered entities and business associates alike. Increased regulation combined with a dynamic threat landscape requires today's health care information security professional to not only understand the intent of relevant legislation but also how they can best assist the business with meeting regulatory demands while monitoring and sustaining the protection of patient data and customer information.
The first module of the class focuses on current threats to health care information systems and data. We will examine how and why patient information is being targeted, as well as key trends including, but not limited to, the commercialization of malicious software, medical identity theft, insider threats, mobile device proliferation, cloud computing, and poor operational governance. The module will conclude with a discussion on common sources of health care data breaches and practical countermeasures.
Module 2: HIPAA Security 2.0
The HIPAA Security Rule has presented its share of challenges for health care organizations over the past several years, yet relatively lax enforcement led many covered entities to delay their commitment to a sustainable compliance program. However, the final omnibus rule has made notable changes to HIPAA compliance obligations while also broadening the law's enforcement provisions.
Module 2 will provide attendees with an overview of the HIPAA Security Rule and its context, with close attention paid to the rule's structure, safeguards, and the implementation specifications governing ePHI. Students will also examine breach notification requirements and conclude the module by reviewing the security implications of Electronic Medical Records ("EMRs") and Meaningful Use.
CPE/CMU Credits: 6
HST.2: Day 2
Module 3: Risk Analysis & Management
The risk analysis requirement of the Security Rule, §164.308(a)(1)(ii)(A), is a critical compliance component of any HIPAA Security audit program, yet, as recent Centers for Medicaid and Medicare Services ("CMS") audit findings have confirmed, it continues to challenge many covered entities and business associates. Day 2 will begin with a discussion on a risk-based guidance framework to assist health care organizations and other custodians of personal health information with developing an effective risk assessment program, one specifically designed to identify risks to the confidentiality, integrity, and availability of ePHI while meeting Office for Civil Rights ("OCR") expectations.
Module 4: Medical Device Security
The course will conclude by taking the lessons learned from previous modules and attempting to understand their applicability to medical device management. Medical devices, large and small alike, continue to play an essential and growing role in patient care. Today's security professional must understand the risks medical devices may present to wired and/or wireless networks, patient data, and end users and how those risks should be appropriately managed.
CPE/CMU Credits: 6
Students are required to bring a laptop running Windows or Linux. OS X will work too.
Laptops running Windows or Linux should have VMware Workstation or Player. OS X users should have VMware Fusion.
If you have additional questions about the laptop specifications, please contact email@example.com.
*CPE/CMU credits not offered for the SelfStudy delivery method