Ensuring security, privacy, and compliance while creating value with healthcare IT
A step by step approach

White Paper
6450 Via Real, Suite 3
Carpinteria, CA 93013
800-721-9177
805-684-6858
www.redspin.com
A step by step approach to meeting security, privacy, and compliance goals through a focus on value creation.

Spiraling costs and a lack of global competitiveness are often cited as major problems with the U.S. healthcare system. Information technology can be a significant part of the solution to these problems. In fact, industry leaders and the government sector have begun to focus resources, management attention, and funding towards IT investments. Yet historically, IT has been viewed as a cost center rather than as an investment. As an element of that cost center, spending on IT security, privacy, and compliance has typically been budgeted at the minimum level necessary to meet regulatory requirements. A new perspective is required, where investing in IT is understood to create value by increasing competitiveness, lowering costs, and increasing the quality of patient care. IT thus becomes a large part of the solution to the problems facing the healthcare industry.

This paper examines a general process for managing healthcare IT investments and specifically outlines a step by step approach to meeting security, privacy, and compliance goals through a focus on value creation and risk management. Information security programs in the healthcare sector have often been driven by reactive approaches and ad hoc compliance oriented processes. These approaches view “success” as avoiding security incidents and passing compliance audits with the minimum amount of investment. We will examine why this approach is unsustainable and show how it belies widely-accepted risk management principles. Instead, we will offer a results-oriented alternative that ensures security, compliance, and privacy programs that support the overall healthcare IT mission of creating value and meeting business objectives.

From electronic health record adoption to clinical workflow automation, healthcare increasingly runs on information. Yet, healthcare has traditionally lagged other industry segments in terms of IT spending. As a percent of revenue, IT spending represents just over 5% for the healthcare industry segment versus 11% for financial services (Forrester Research). More importantly, IT spending in healthcare has not been aligned with achieving objectives. Given the rising demands for overall transformation of the healthcare industry and the competitive pressures on U.S. provider organizations, healthcare urgently needs the improvements IT can enable. Information security must play a central role in this transformation, both in terms of ensuring patient trust through proper use of their data and protecting the business from threats ranging from cyber crime to brand damage associated with data breaches.

Value Oriented, Performance Driven
Fortunately, this transition to value-oriented, performance driven healthcare is underway in several leading providers such as Kaiser Permanente, Partners Healthcare System and Geisinger. A common denominator among these companies is that IT and the information security program are viewed as creating value rather than as cost centers. From a process perspective these leaders have also developed similar methods for aligning IT investments with value to the business. This involves defining a set of observable, quantifiable operational metrics. Broad categories include benefits to patient safety, quality of care, staff productivity, employee satisfaction, revenue enhancement, and cost optimization. In this manner IT investments are evaluated in terms of how well they help the organization meet business objectives. Another critical common factor in these organizations is a system of risk management for continuously optimizing security, privacy, and compliance initiatives. Throughout the rest of this paper we will discuss the step by step process of deploying a successful information risk management program.

Page 1 l www.redspin.com

The major steps associated with a successful information risk management program are as follows:

1. Organizing for performance

2. Assessing risk

3. Decision analysis

4. Policy implementation

5. Measuring program effectiveness

6. Repeat steps 2-5, adjust the organization defined in step 1 to evolving business requirements

The first step in the process involves organizing for performance. There are two critical components for success. The first component is executive sponsorship. Executive sponsorship is not a passive role. The executive sponsor is typically the CIO or CISO and is responsible for funding, authority, and support of the information risk management program. This role also serves as the final escalation point to define acceptable risk to the business. The second critical component for success is integration of the information risk management program with the rest of the organization. A program that does not leverage other functional units will have difficulty aligning with business goals and will ultimately fail.

A successful organizational structure for carrying out the step by step information risk management plan outlined above is shown in Figure 1.

Organizing For Performance (Figure 1)

The objective of the information risk management program is to minimize risk to information that is critical to the business while enabling business goals. The primary interactions in this area are with the line of business, finance, and legal teams. The security team must codify the net results in terms of policy that will drive operational as well as quality and performance management decisions. Information security management is owned by the security team but interacts with and primarily leverages operations, IT, and HR. Information generated at this point contributes to the overall picture of situational awareness that guides both the business and the information risk management program. The security relevant aspects of quality and performance management for the business are owned by the security team but must work with the audit, development, and QA teams. This function generates the reporting metrics (e.g. compliance to internal policies and regulatory requirements) that drive decisions for the business and the security team, as well as contributing to the overall situational awareness picture. The overall output of this cycle is not simply to protect information but to allow better decisions to be made that drive the business forward.




With this organization in place the information risk management program can be set in motion. Before describing the process in detail it is useful to consider alternative approaches. With pressure to meet the more stringent regulatory requirements imposed by the HITECH act, urgent deadlines to meet meaningful use requirements, and the need to react to day to day incidents, it is easy for a program to become derailed. Let’s consider the requirements for complying with the HITECH act. Organizations must do the following:

• Implement a data classification policy that describes the processes used to identify, classify, store, secure, and monitor access to PHI data.

• Implement a process to detect a potential data breach and carry out an incident response plan.

• Implement a notification process to inform affected parties after a discovery of a breach of security to PHI without unreasonable delay.

• Implement policies, processes, and procedures for security awareness and training.

• Encrypt PHI data – at rest and in transit.

Immediately launching an effort to address these requirements is tempting, but fraught with peril. Many HIPAA security programs focused on creating policies and procedures as a starting point. Frequently, there was a disconnection between policies and actual technical and procedural safeguards. Further, there was not a clear understanding of the broader risk picture and its integration with the business context. A more informed view is shown in Figure 2.

PHI/PII Risk Indication (Figure 2)

Developing a broader view of risk to the business allows the information risk management team to avoid acting narrowly. For example, rather than a siloed effort to develop policies and implement controls to comply with the HITECH Act, a program can be put in place that addresses the unified regulatory requirements associated with PHI/PII data.

Now let’s examine each of the steps to carry out the information risk management program. The continuous nature of this process is illustrated in Figure 3.

Risk Management Process (Figure 3)




Step 1. Assess Risk
The first step in the process involves identification and prioritization of risks to the business.

a. Plan data gathering. Identify key success factors and preparation guidance.

b. Gather risk data. Outline the data collection process and analysis.

c. Prioritize risks. Use qualitative and quantitative risk analysis to drive prioritization.

Step 2. Decision Analysis
The second step covers the processes for evaluating requirements, understanding possible solutions, selecting controls, estimating costs, and choosing the most effective mitigation strategy.

a. Define functional requirements to mitigate risks.

b. Outline possible control solutions. Keep in mind that these include not only technical controls but people-driven processes (e.g., separation of duties) and service level agreements.

c. Estimate risk reduction. Understand the probability of risks and the impact of reduced exposure.

d. Estimate solution cost. Reflect direct and indirect costs associated with mitigation solutions.

e. Choose mitigation strategy. Complete a cost-benefit analysis to identify the most effective mitigation solution.

Step 3. Policy Implementation
The third step addresses policy implementation and the acquisition and deployment of controls to carry out the policy.

a. Ensure that policy specifications are enforceable.

b. Apply a comprehensive approach that integrates process automation, people, and technology in the mitigation solution.

c. Focus on defense in depth by coordinating application, system, data, and network controls to meet business objectives.

d. Communicate policies and control responsibilities throughout the organization.

Step 4. Measure Effectiveness
The fourth step consists of developing and disseminating reports as well as providing management a dashboard to understand program effectiveness.

a. Develop and continuously update a management dashboard that summarizes the organization’s risk profile.

b. Report on changes under consideration and summarize changes that are underway.

c. Communicate the effectiveness of the control solutions in mitigating risk.

d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.

Key Success Factors
As noted earlier, a major element contributing to the success of an information risk management program is involvement of functional units throughout the organization. The information risk management team needs to take responsibility for educating the organization on the process and developing the thorough understanding of risk that will allow the business to take specific action when managing it.




An effective method to get this process underway is to view risk across four simple categories. This provides a straightforward way to clarify tradeoffs and make decisions. These categories can be thought of as the four A’s:

Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in case of failure.

Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations, and inappropriate use.

Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with HIPAA/HITECH and Sarbanes-Oxley are common sources of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and risk mitigation programs) such as the inability to get an accurate, consistent view of patient records or clinical workflow effectiveness.

Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don’t believe IT can deliver on time.

Another area to look at is consistent usage of risk severity levels and the associated actions. At Redspin we use five levels:

• Critical - Corrective measures are required immediately.

• High - Strong need for corrective measures. An action plan must be put in place as soon as possible.

• Medium - Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

• Low - Management must determine whether corrective actions are required, or decide to accept the risk.

• Informational - The issue does not indicate a material policy violation but is something for management to consider for enhancing the overall security posture.

Drive these definitions into risk mitigation programs, policy specifications and controls.

Next, everyone in the organization needs a clear and consistent definition of risk. In this context, risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset. The diagram shown in Figure 4 illustrates the relationships of each element of risk.

Component of Risk (Figure 4)



To illustrate the usage of a risk statement in practice let’s look at an example focusing on risk to PHI data.

The assets (what you are trying to protect is PHI)

• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what are you afraid of happening)

• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.

• Hackers using application attacks to gain access to database records.

• Insiders gathering inappropriate data through misconfigured access control.

The vulnerabilities (how could the threat occur)

• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities

• Application vulnerabilities (e.g., SQL injection, command injection)

• Misconfigured database access controls

Current mitigation (what is currently reducing the risk)

• Staff

• Technology

• Processes

Another key success factor is development of an effective methodology for risk assessment. There are many different approaches but most are qualitative or quantitative methods or a combination of the two. A quantitative approach allows risk to be expressed with financial values and thus resonates strongly with management. However, such a process is resource intensive and thus more expensive, so broad based coverage is challenging. Therefore, focusing on high impact areas with quantitative methods and driving coverage with qualitative approaches tends to produce the best results.

A final consideration in terms of key success factors is the timing for repeating the process. Each cycle starts with a new risk assessment. The frequency will vary from organization to organization. Many companies find that annual recurrence is sufficient so long as the information security team is proactively monitoring for new threats, vulnerabilities, and assets.

In summary, you can expect investment in an information risk management program to bring important business benefits. Some of these include the following:

• Risk reduction allows deployment of new business processes that were not previously possible.

• Confidence in brand protection can result in new revenue generating programs.

• Trust in service availability means that existing programs can generate more revenue and more profitably.

• Confidence in risk mitigation efforts ranging from technical controls to effective service level agreements decreases program launch time.

• Clear guidance on security requirements associated with new business unit projects accelerates time to revenue.
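The PHI risk statement above, the severity levels, and the Step 1c / Step 2 prioritization and cost-benefit process can be carried in a small risk register. The Python below is an added example, not code from the paper or from Redspin; the annualised loss expectancy (ALE) formula (likelihood times single-loss amount), the 3x3 likelihood/impact thresholds, the class and function names, and every figure in the sample register are assumptions constructed for illustration.

```python
# Assumptions (not from the paper): the ALE formula likelihood x single-loss amount,
# the 3x3 qualitative matrix thresholds, and every figure in the sample register.
from dataclasses import dataclass, field
from typing import List, Optional

# The five severity levels and their required actions, as the paper defines them.
ACTIONS = {
    "Critical": "Corrective measures are required immediately.",
    "High": "Strong need for corrective measures; action plan as soon as possible.",
    "Medium": "Corrective actions needed; plan them within a reasonable period.",
    "Low": "Management decides whether to correct or to accept the risk.",
    "Informational": "No material policy violation; consider for posture enhancement.",
}
LEVELS = list(ACTIONS)  # ordered from most to least severe

# Constructed thresholds on likelihood x impact (each rated 1-3) for the qualitative path.
QUAL_THRESHOLDS = [(9, "Critical"), (6, "High"), (3, "Medium"), (2, "Low")]

def qualitative_level(likelihood: int, impact: int) -> str:
    """Map 1-3 likelihood and 1-3 impact ratings to one of the five levels."""
    score = likelihood * impact
    return next((lvl for floor, lvl in QUAL_THRESHOLDS if score >= floor), "Informational")

@dataclass
class Mitigation:
    name: str
    annual_cost: float      # direct plus indirect cost (Step 2d)
    residual_factor: float  # fraction of the original likelihood left after the control

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                             # qualitative rating 1-3
    impact: int                                 # qualitative rating 1-3
    annual_probability: Optional[float] = None  # quantitative data, where gathered
    loss_usd: Optional[float] = None            # single-loss amount in USD
    options: List[Mitigation] = field(default_factory=list)

    def level(self) -> str:
        return qualitative_level(self.likelihood, self.impact)

    def ale(self) -> Optional[float]:
        """Annualised loss expectancy; None when only qualitative data exists."""
        if self.annual_probability is None or self.loss_usd is None:
            return None
        return self.annual_probability * self.loss_usd

def net_benefit(risk: Risk, option: Mitigation) -> Optional[float]:
    """Annual risk reduction (Step 2c) minus annual cost (Step 2d); None without ALE."""
    ale = risk.ale()
    if ale is None:
        return None
    return ale * (1.0 - option.residual_factor) - option.annual_cost

def best_option(risk: Risk) -> Optional[Mitigation]:
    """Step 2e: the option with the largest positive net benefit, else None."""
    best, best_net = None, 0.0
    for option in risk.options:
        net = net_benefit(risk, option)
        if net is not None and net > best_net:
            best, best_net = option, net
    return best

def prioritise(risks: List[Risk]) -> List[Risk]:
    """Step 1c: most severe level first; larger ALE first within a level."""
    return sorted(risks, key=lambda r: (LEVELS.index(r.level()), -(r.ale() or 0.0)))

# Constructed sample register built from the PHI risk statement in the paper.
REGISTER = [
    Risk("PHI database", "Hackers using application attacks", "SQL injection",
         likelihood=3, impact=3, annual_probability=0.30, loss_usd=2_000_000,
         options=[Mitigation("Secure coding programme plus WAF", 120_000, 0.25),
                  Mitigation("Annual application assessment only", 40_000, 0.70)]),
    Risk("PHI database", "Insiders gathering inappropriate data",
         "Misconfigured database access controls", likelihood=2, impact=3,
         annual_probability=0.50, loss_usd=400_000,
         options=[Mitigation("Quarterly access review process", 30_000, 0.30)]),
    Risk("Staff workstations", "Cybercriminals stealing credentials",
         "Malware in .pdf/.doc attachments", likelihood=2, impact=2),
    Risk("Awareness programme", "Staff unaware of PHI handling rules",
         "Training material out of date", likelihood=1, impact=1),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        chosen = best_option(r)
        print(f"{r.level():13} {r.threat} / {r.vulnerability}: {ACTIONS[r.level()]}")
        if chosen:
            print(f"    choose '{chosen.name}', net benefit ${net_benefit(r, chosen):,.0f}/yr")
```

Risks that carry only qualitative ratings are still ranked and assigned an action, which is the coverage-with-qualitative-methods approach the paper recommends; the cost-benefit step runs only where quantitative data was gathered.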


How Redspin Can Help
Redspin has invested heavily in the healthcare in-
dustry segment for several years and has built deep
understanding of security, privacy, and compliance
issues. Specific service offerings include:

• HIPAA security risk assessment
• HIE security assessment
• Infrastructure assessment
• Application security assessment

Given our healthcare domain expertise and experi-
ence with security assessments, we can serve as an
effective partner in getting your information risk
management program started or optimizing an
existing program.

About Redspin
Redspin delivers the highest quality information
security assessments through technical expertise,
business acumen, and objectivity. Redspin cus-
tomers include leading companies in healthcare,
financial services, media/entertainment, retail,
and technology. Some of the largest communica-
tions providers and commercial banks rely upon
Redspin to provide an effective managerial, op-
erational and technical solution tailored to their
business context, allowing them to reduce risk,
maintain compliance, and increase the value of
their business unit and IT portfolios.




© 2010 Redspin, Inc. All rights reserved.

Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
The CDO and the Delivery of Enterprise Value
The CDO and the Delivery of Enterprise ValueThe CDO and the Delivery of Enterprise Value
The CDO and the Delivery of Enterprise Value
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael
 
Information Governance Program
Information Governance ProgramInformation Governance Program
Information Governance Program
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 

Plus de Redspin, Inc.

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesRedspin, Inc.
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateRedspin, Inc.
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedRedspin, Inc.
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Redspin, Inc.
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Redspin, Inc.
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Redspin, Inc.
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin, Inc.
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin, Inc.
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security PolicyRedspin, Inc.
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security riskRedspin, Inc.
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineRedspin, Inc.
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin, Inc.
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin, Inc.
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felonyRedspin, Inc.
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationRedspin, Inc.
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 

Plus de Redspin, Inc. (20)

HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest State
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol Published
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
 
Redspin Webinar Business Associate Risk
Redspin Webinar Business Associate RiskRedspin Webinar Business Associate Risk
Redspin Webinar Business Associate Risk
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security risk
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the Commandline
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful Use
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach Report
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felony
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health information
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 

Dernier

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Dernier (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Information Security

  • 1. Ensuring security, privacy, and compliance while creating value with healthcare IT. A step by step approach. 6450 Via Real, Suite 3, Carpinteria, CA 93013; 800-721-9177; 805-684-6858; www.redspin.com. White Paper.
  • 2. Ensuring security, privacy, and compliance while creating value with healthcare IT

A step by step approach to meeting security, privacy, and compliance goals through a focus on value creation.

Spiraling costs and a lack of global competitiveness are often cited as major problems with the U.S. healthcare system. Information technology can be a significant part of the solution to these problems. In fact, industry leaders and the government sector have begun to focus resources, management attention, and funding towards IT investments. Yet historically, IT has been viewed as a cost center rather than as an investment. As an element of that cost center, spending on IT security, privacy, and compliance has typically been budgeted at the minimum level necessary to meet regulatory requirements. A new perspective is required, where investing in IT is understood to create value by increasing competitiveness, lowering costs, and increasing the quality of patient care. IT thus becomes a large part of the solution to the problems facing the healthcare industry.

From electronic health record adoption to clinical workflow automation, healthcare increasingly runs on information. Yet healthcare has traditionally lagged other industry segments in terms of IT spending. As a percent of revenue, IT spending represents just over 5% for the healthcare industry segment versus 11% for financial services (Forrester Research). More importantly, IT spending in healthcare has not been aligned with achieving objectives. Given the rising demands for overall transformation of the healthcare industry and the competitive pressures on U.S. provider organizations, healthcare urgently needs the improvements IT can enable. Information security must play a central role in this transformation, both in terms of ensuring patient trust through proper use of their data and protecting the business from threats ranging from cyber crime to brand damage associated with data breaches.

This paper examines a general process for managing healthcare IT investments and specifically outlines a step by step approach to meeting security, privacy, and compliance goals through a focus on value creation and risk management. Information security programs in the healthcare sector have often been driven by reactive approaches and ad hoc compliance oriented processes. These approaches view “success” as avoiding security incidents and passing compliance audits with the minimum amount of investment. We will examine why this approach is unsustainable and show how it belies widely-accepted risk management principles. Instead, we will offer a results-oriented alternative that ensures security, compliance, and privacy programs that support the overall healthcare IT mission of creating value and meeting business objectives.

IT Value Oriented, Performance Driven

Fortunately, this transition to value-oriented, performance driven healthcare is underway in several leading providers such as Kaiser Permanente, Partners Healthcare System and Geisinger. A common denominator among these companies is that IT and the information security program are viewed as creating value rather than as cost centers. From a process perspective these leaders have also developed similar methods for aligning IT investments with value to the business. This involves defining a set of observable, quantifiable operational metrics. Broad categories include benefits to patient safety, quality of care, staff productivity, employee satisfaction, revenue enhancement, and cost optimization. In this manner IT investments are evaluated in terms of how well they help the organization meet business objectives. Another critical common factor in these organizations is a system of risk management for continuously optimizing security, privacy, and compliance initiatives. Throughout the rest of this paper we will discuss the step by step

Page 1 l www.redspin.com
  • 3. process of deploying a successful information risk management program.

The major steps associated with a successful information risk management program are as follows:

1. Organizing for performance
2. Assessing risk
3. Decision analysis
4. Policy implementation
5. Measuring program effectiveness
6. Repeat steps 2-5, adjust the organization defined in step 1 to evolving business requirements

The first step in the process involves organizing for performance. There are two critical components for success. The first component is executive sponsorship. Executive sponsorship is not a passive role. The executive sponsor is typically the CIO or CISO and is responsible for funding, authority, and support of the information risk management program. This role also serves as the final escalation point to define acceptable risk to the business. The second critical component for success is integration of the information risk management program with the rest of the organization. A program that does not leverage other functional units will have difficulty aligning with business goals and ultimately fail.

A successful organizational structure for carrying out the step by step information risk management plan outlined above is shown in Figure 1.

[Figure 1: Organizing For Performance]

The objective of the information risk management program is to minimize risk to information that is critical to the business while enabling business goals. The primary interactions in this area are with the line of business, finance, and legal teams. The security team must codify the net results in terms of policy that will drive operational as well as quality and performance management decisions. Information security management is owned by the security team but interacts with and primarily leverages operations, IT, and HR. Information generated at this point contributes to the overall picture of situational awareness that guides both the business and the information risk management program. The security relevant aspects of quality and performance management for the business are owned by the security team but must work with the audit, development, and QA teams. This function generates the reporting metrics (e.g. compliance to internal policies and regulatory requirements) that drive decisions for the business and the security team as well as contributing to the overall situational awareness picture. The overall output of this cycle is not simply to protect information but to allow better decisions to be made that drive the business forward.
  • 4. With this organization in place the information risk management program can be set in motion. Before describing the process in detail it is useful to consider alternative approaches. With pressure to meet the more stringent regulatory requirements imposed by the HITECH Act, urgent deadlines to meet meaningful use requirements, and the need to react to day to day incidents, it is easy for a program to become derailed. Let’s consider the requirements for complying with the HITECH Act. Organizations must do the following:

• Implement a data classification policy that describes the processes used to identify, classify, store, secure, and monitor access to PHI data.
• Implement a process to detect a potential data breach and carry out an incident response plan.
• Implement a notification process to inform affected parties after a discovery of a breach of security to PHI without unreasonable delay.
• Implement policies, processes, and procedures for security awareness and training.
• Encrypt PHI data – at rest and in transit.

Immediately launching an effort to address these requirements is tempting, but fraught with peril. Many HIPAA security programs focused on creating policies and procedures as a starting point. Frequently, there was a disconnection between policies and actual technical and procedural safeguards. Further, there is not a clear understanding of the broader risk picture and integration with the business context. A more informed view is shown in Figure 2.

[Figure 2: PHI/PII Risk Indication]

Developing a broader view of risk to the business allows the information risk management team to avoid acting narrowly. For example, rather than a siloed effort to develop policies and implement controls to comply with the HITECH Act, a program can be put in place that addresses the unified regulatory requirements associated with PHI/PII data.

Now let’s examine each of the steps to carry out the information risk management program. The continuous nature of this process is illustrated in Figure 3.

[Figure 3: Risk Management Process]
  • 5. Step 1. Assess Risk

The first step in the process involves identification and prioritization of risks to the business.

a. Plan data gathering. Identify key success factors and preparation guidance.
b. Gather risk data. Outline the data collection process and analysis.
c. Prioritize risks. Use qualitative and quantitative risk analysis to drive prioritization.

Step 2. Decision Analysis

The second step covers the processes for evaluating requirements, understanding possible solutions, selecting controls, estimating costs, and choosing the most effective mitigation strategy.

a. Define functional requirements to mitigate risks.
b. Outline possible control solutions. Keep in mind that these include not only technical controls but people-driven processes (e.g., separation of duties) and service level agreements.
c. Estimate risk reduction. Understand the probability of risks and the impact of reduced exposure.
d. Estimate solution cost. Reflect direct and indirect costs associated with mitigation solutions.
e. Choose mitigation strategy. Complete a cost-benefit analysis to identify the most effective mitigation solution.

Step 3. Policy Implementation

The third step addresses policy implementation and the acquisition and deployment of controls to carry out the policy.

a. Ensure that policy specifications are enforceable.
b. Apply a comprehensive approach that integrates process automation, people, and technology in the mitigation solution.
c. Focus on defense in depth by coordinating application, system, data, and network controls to meet business objectives.
d. Communicate policies and control responsibilities throughout the organization.

Step 4. Measure Effectiveness

The fourth step consists of developing and disseminating reports as well as providing management a dashboard to understand program effectiveness.

a. Develop and continuously update a management dashboard that summarizes the organization’s risk profile.
b. Report on changes under consideration and summarize changes that are underway.
c. Communicate the effectiveness of the control solutions in mitigating risk.
d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.

Key Success Factors

As noted earlier, a major element contributing to the success of an information risk management program is involvement of functional units throughout the organization. The information risk management team needs to take responsibility for educating the organization on the process and developing the thorough understanding of risk that will allow the business to take specific action when managing it.
An effective method to get this process underway is to view risk across four simple categories. This provides a straightforward way to clarify tradeoffs and make decisions. These categories can be thought of as the four A's:

Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in case of failure.

Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations, and inappropriate use.

Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with HIPAA/HITECH and Sarbanes-Oxley is a common source of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and risk mitigation programs), such as the inability to get an accurate, consistent view of patient records or of clinical workflow effectiveness.

Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don't believe IT can deliver on time.

Another area to look at is consistent usage of risk severity levels and the associated actions. At Redspin we use five levels:

• Critical - Corrective measures are required immediately.
• High - Strong need for corrective measures. An action plan must be put in place as soon as possible.
• Medium - Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low - Management must determine whether corrective actions are required, or decide to accept the risk.
• Informational - The issue does not indicate a material policy violation but is something for management to consider for enhancing the overall security posture.

Drive these definitions into risk mitigation programs, policy specifications and controls.

Next, everyone in the organization needs a clear and consistent definition of risk. In this context, risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset. The diagram shown in Figure 4 illustrates the relationships of each element of risk.

Component of Risk (Figure 4)
To illustrate the usage of a risk statement in practice, let's look at an example focusing on risk to PHI data.

The assets (what you are trying to protect; here, PHI)

• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what you are afraid of happening)

• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through misconfigured access control.

The vulnerabilities (how the threat could occur)

• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities.
• Application vulnerabilities (e.g., SQL injection, command injection).
• Misconfigured database access controls.

Current mitigation (what is currently reducing the risk)

• Staff
• Technology
• Processes

Another key success factor is development of an effective methodology for risk assessment. There are many different approaches, but most are qualitative or quantitative methods or a combination of the two. A quantitative approach allows risk to be expressed with financial values and thus resonates strongly with management. However, such a process is resource intensive and thus more expensive, so broad-based coverage is challenging. Therefore, focusing on high-impact areas with quantitative methods and driving coverage with qualitative approaches tends to produce the best results.

A final consideration in terms of key success factors is the timing for repeating the process. Each cycle starts with a new risk assessment. The frequency will vary from organization to organization. Many companies find that annual recurrence is sufficient so long as the information security team is proactively monitoring for new threats, vulnerabilities, and assets.

In summary, you can expect investment in an information risk management program to bring important business benefits. Some of these include the following:

• Risk reduction allows deployment of new business processes that were not previously possible.
• Confidence in brand protection can result in new revenue-generating programs.
• Trust in service availability means that existing programs can generate more revenue, and more profitably.
• Confidence in risk mitigation efforts, ranging from technical controls to effective service level agreements, decreases program launch time.
• Clear guidance on security requirements associated with new business unit projects accelerates time to revenue.
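The PHI risk statement above, the five severity levels, and Steps 1c and 2c-e (prioritize, estimate risk reduction and cost, choose by cost-benefit) can be carried through as a small risk register. This is an added worked example, not Redspin's tooling: the score floors, dollar figures, probabilities and control effects are constructed sample values, and annualized loss expectancy (ALE = SLE x ARO) is one standard quantitative method the paper does not name.

```python
from dataclasses import dataclass, field
# Redspin's five severity levels and associated actions (from the paper); the score
# floors that map a qualitative likelihood x impact score onto a level are assumed.
SEVERITY = [
    (20, "Critical", "Corrective measures are required immediately."),
    (12, "High", "Strong need for corrective measures; put an action plan in place ASAP."),
    (6, "Medium", "Corrective actions are needed; plan them within a reasonable period."),
    (2, "Low", "Management decides whether to correct or to accept the risk."),
    (0, "Informational", "No material policy violation; consider for posture enhancement."),
]
@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int          # qualitative, 1 (rare) .. 5 (expected)
    impact: int              # qualitative, 1 (negligible) .. 5 (severe)
    aro: float = 0.0         # quantitative: expected occurrences per year
    sle: float = 0.0         # quantitative: loss per occurrence, USD
    mitigations: list = field(default_factory=list)  # (name, annual cost USD, ARO reduction)

def severity(risk: Risk) -> str:
    """Qualitative rating: likelihood x impact mapped onto the five levels."""
    score = risk.likelihood * risk.impact
    return next(level for floor, level, _ in SEVERITY if score >= floor)
def ale(risk: Risk, aro: float = None) -> float:
    """Annualized loss expectancy (ALE = SLE x ARO), a standard quantitative measure."""
    return (risk.aro if aro is None else aro) * risk.sle

def choose_mitigation(risk: Risk):
    """Step 2e: the control with the best net benefit (ALE reduction minus cost), or None."""
    best = None
    for name, cost, reduction in risk.mitigations:
        net = ale(risk) - ale(risk, risk.aro * (1 - reduction)) - cost
        if best is None or net > best[1]:
            best = (name, net)
    return best

def prioritize(register: list) -> list:
    """Step 1c: severity level first, then ALE where quantitative data exists."""
    order = [level for _, level, _ in SEVERITY]
    return sorted(register, key=lambda r: (order.index(severity(r)), -ale(r)))
# Constructed sample values for the paper's PHI risk statement (not real figures).
PHI_REGISTER = [
    Risk("Hackers using application attacks", "SQL injection", 4, 5, aro=0.5, sle=2_000_000,
         mitigations=[("Web application firewall", 60_000, 0.6), ("Code review and fix", 150_000, 0.9)]),
    Risk("Insiders gathering inappropriate data", "Misconfigured access control", 3, 4,
         aro=1.0, sle=200_000, mitigations=[("Access recertification", 40_000, 0.7)]),
    Risk("Targeted social engineering", "Malware in .pdf/.doc attachments", 3, 2),
]
```

Risks without quantitative data (the third entry) still get a qualitative level and a place in the ordering, which is the combined approach the paper recommends; the dashboard of Step 4 would report the output of prioritize() alongside each level's action.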
How Redspin Can Help

Redspin has invested heavily in the healthcare industry segment for several years and has built deep understanding of security, privacy, and compliance issues. Specific service offerings include:

• HIPAA security risk assessment
• HIE security assessment
• Infrastructure assessment
• Application security assessment

Given our healthcare domain expertise and experience with security assessments, we can serve as an effective partner in getting your information risk management program started or optimizing an existing program.

About Redspin

Redspin delivers the highest quality information security assessments through technical expertise, business acumen, and objectivity. Redspin customers include leading companies in healthcare, financial services, media/entertainment, retail, and technology. Some of the largest communications providers and commercial banks rely upon Redspin to provide an effective managerial, operational and technical solution tailored to their business context, allowing them to reduce risk, maintain compliance, and increase the value of their business unit and IT portfolios.

© 2010 Redspin, Inc. All rights reserved.