

CynergisTek will be speaking at the 2018 14th Academic Medical Center Security & Privacy Conference, in Chapel Hill, North Carolina, on June 11th. The conference provides an excellent opportunity for healthcare privacy, security and compliance professionals to learn how their peers are handling privacy and security challenges unique to AMCs and large healthcare delivery organizations.

A few of our experts from CynergisTek will be presenting at the conference.

Human vs. Machine: Embracing the Old or Exploring the New Frontiers

Monday, June 11th from 10:45 AM – 12:00 PM


  • Marti Arvin (CynergisTek)
  • Holly Benton (Duke University)
  • Lauren Steinfeld (Penn Medicine)

This session will focus on the relative merits of using technology versus human behavior to address diverse data risks for your privacy program. The discussion will address the pros and cons of:

  • Tighter role-based access to systems versus training and awareness of what is allowed
  • Privacy monitoring by human beings using experience and expertise versus behavioral analytics anomaly detection
  • Offering encrypted devices versus data loss protection settings to prevent storage on unencrypted devices
  • Implications of all of the above in the unique environment of an AMC

This panel of compliance and privacy professionals will draw on their experience of working in AMCs and understanding the complex environment.

NIST 800-63: Real World vs. Government Guidelines


  • John Nye (CynergisTek)
  • Sara Schweitzer (Mayo Clinic)

The speakers will present an overview of the realities of implementing NIST’s 800-63. They will provide a concise overview of what this regulation means to the modern healthcare organization, strategies for implementing these standards in a large teaching hospital, and how this standard has been used across numerous healthcare organizations.

Traps, Tricks & Trepidation in HIPAA & Hybrid Entity Designations at Universities & AMCs

Tuesday, June 12 from 10:45 AM – 12:00 PM


  • Marti Arvin (CynergisTek)
  • Holly Benton (Duke University)
  • Lauren Steinfeld (Penn Medicine)

This session will focus on HIPAA and complexities of the hybrid entity designation issues particular to universities and AMCs. Topics include:

  • Determining whether a university is a hybrid entity and what the “covered components” are that must comply with HIPAA
  • Establishing correct HIPAA “relationships” between the university’s covered components, the affiliated AMC, and the affiliated faculty practice plan or physician groups, including when an affiliated covered entity (ACE) or an organized health care arrangement (OHCA) is appropriate
  • Addressing areas of vulnerability in HIPAA compliance resulting from the university-AMC-faculty practice plan relationships, including: when business associate agreements are needed between the entities; “co-employment arrangements” when physicians are employees of the university when performing research and employees of the AMC/faculty practice plan when performing clinical care; and controlling faculty and student access to health information for research

AMCs & the General Data Protection Regulation (GDPR): Does the New Law Apply to My Organization?

Tuesday, June 12 from 1:00-2:15 PM


  • David Holtzman (CynergisTek)
  • Karen Pagliaro-Meyer (Columbia University Medical Center)
  • Lynn Rohland (RGP)
  • Robert Webster (LabCorp)

Panel experts will review the basic provisions of the new law (effective May 25, 2018), discuss its relevancy to the healthcare sector and how it might apply to AMCs based in the US, and offer pragmatic approaches to address critical “must-have” components for GDPR compliance – inclusive of an AMC use case as an illustrative example. Session Objectives:

  • Review the regulatory requirements for GDPR
  • Evaluate how GDPR may apply to AMCs
  • Actionable steps to achieve compliance and mitigate risks

Hollywood’s Hype & the Harsh Reality of a Ransomware Attack


  • Clyde Hewitt (CynergisTek)
  • Dave Dillehunt (FirstHealth of the Carolinas)

No amount of advance planning can totally prepare an organization for a large-scale ransomware attack. From the moment of discovery, IT departments are aggressively fighting the clock to stop the spread to not only the EHR, biomedical, laboratory, and pharma systems, but also to the revenue cycle management, facilities, cafeteria, and supply-chain management systems. No endpoint is safe, including servers, workstations, printers, environmental control systems, or physical security controls. Healthcare executives are inclined to turn to the CIO to lead the initial recovery efforts, but the recovery challenge transcends many different business units, including legal, finance, human resources, public relations, audit, and the entire compliance team (compliance, privacy and security).

This presentation will provide lessons learned from actual ransomware attacks, drawing on firsthand experience of working with multiple organizations that experienced a significant event in 2017. It will include the timeline from initial discovery through technical recovery and will also focus on the non-technical actions needed to meet the legal, regulatory, and contractual requirements. It will also address the human impacts of ransomware and strategies to help mitigate the negative effects. Attendees will gain a focused perspective on the human impact to the organization, explore the responsibilities of various departments following a serious security event, and review considerations that would help determine if the event is a reportable breach.


June 11, 2018
June 12, 2018