McMahon & Associates Clinical
Services Risk Management Strategy
Matthew J McMahon
Cybersecurity in Healthcare Administration
Salve Regina University
May 04, 2017
Contents
Executive Summary ........................................ 3
About McMahon & Associates Clinical Services ............. 3
CHAPTER ONE. Reducing Third Party Risk ................... 3
CHAPTER TWO. Cyber Insurance ............................. 4
CHAPTER THREE. Workforce Development ..................... 5
CHAPTER FOUR. Risk Management Frameworks ................. 6
CHAPTER FIVE. Secure Data Usage .......................... 7
Conclusion ............................................... 8
Revision History ......................................... 8
Executive Summary
In today's day and age, cyber-attacks on hospitals are becoming more and more prevalent. Of all of the United States critical infrastructures, the healthcare sector is the most targeted by persistent cyber-attacks.1 In a threat landscape where a medical record sells on the dark web for ten times what a credit card record does, it is imperative that McMahon & Associates Clinical Services create and implement a comprehensive Risk Management Strategy.2
About McMahon & Associates Clinical Services
McMahon & Associates Clinical Services is a small, twelve-provider clinical counseling service which resides in a small office located at 123 Main Street in Sharon, Massachusetts. The organization rents office space in the same building as a law firm and a doctor's office but is separated from these businesses by two sets of locked steel doors. The office receives patients on an appointment-only basis and operates between the hours of 8:00 AM EST and 8:00 PM EST. The facility utilizes the Athena Health cloud-based software platform for clinical documentation, scheduling, routine paperwork and billing purposes. It also utilizes Outlook for email.
CHAPTER ONE
Reducing Third Party Risk
McMahon & Associates Clinical Services has opted to utilize Athena Health as its cloud-based clinical documentation, scheduling and billing software solution. An extensive cloud usage strategy report has already been completed: the McMahon & Associates Clinical Services Cloud Usage Strategy Report.3 This risk management strategy paper will only touch on applicable highlights from that report. The McMahon & Associates Clinical Services Cloud Usage Strategy Report extensively details the criteria used for selecting Athena Health among the other vendors that were reviewed.4 Chilmark Research's report, EHR Vendors' Capabilities for Interoperability, was an essential tool in comparing and contrasting Athena Health with its ten closest competitors in terms of data privacy and security compliance, secure connection controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.5

1 Hacking Healthcare IT in 2016: Lessons the Healthcare Industry Can Learn From the OPM Breach. Institute for Critical Infrastructure Technology. (January 2016)
2 See note 1 above.
3 McMahon, Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report. (April 2017)
4 See note 1 above.
5 Chilmark Research. EHR Vendors' Capabilities for Interoperability. (July 2015)
The driving force in the choice of Athena Health was its ability to essentially eliminate the need for a traditional IT department.6 This not only reduces overhead but also the liability associated with maintaining and securing a traditional IT infrastructure.7 The solution utilizes the software as a service (SaaS) cloud model, which allows for varying levels of role-based access.8 Providers access and enter patient health information (PHI) only after accessing the password-protected, secure (HTTPS) Athena Health website over a secure internet connection.9
While Athena Health is typically thought of as a small electronic medical record (EMR) provider in light of its much larger competitors such as MEDITECH, EPIC and Cerner, its market share entails servicing over 62,000 providers and is steadily growing. Athena Health's interfacing capabilities are well demonstrated by over 30 strategic interfacing partners and a full-time dedicated interface team that builds new links from Athena to other third party software vendors.10
Before making the final decision to choose Athena Health as the SaaS cloud-based EMR vendor for McMahon & Associates, a risk assessment was completed per the specifications laid out by the National Institute of Standards and Technology (NIST).11 This risk assessment included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown, Massachusetts, where decision makers were given a tour of the campus and provided detailed descriptions of secure offsite data storage facilities.12
After reviewing the vendor's applicable security documentation for its SaaS cloud-based EMR system, which included the industry-standard Manufacturer Disclosure Statement for Medical Device Security (MDS2) and a product-specific security whitepaper, both of which have been kept on file, it was determined that the software solution meets all relevant regulatory compliance measures defined in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.13
CHAPTER TWO
Cyber Insurance
Cyber liability is a major concern for healthcare providers. Most general healthcare provider insurance policies exclude liability coverage associated with cybersecurity.14 Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape, improving patient privacy protections and underwriting the risk associated with operating a healthcare organization.15 General security requirements as a precursor to insurability, and the ability to conduct timely and efficient security audits, will revolutionize the healthcare sector in the future, driving new legislation and best practice guidance.16

6 ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud.
7 See note 5 above.
8 Cloud Computing Standards Council. Impact of Cloud Computing on Healthcare. (November 2012)
9 Murphy, Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal, March 5 (2015)
10 Athenahealth. What Cloud-based Services Can Do for Your Medical Practice Whitepaper. (January 2012)
11 See note 3 above.
12 AthenaHealth Website. https://www.athenahealth.com
13 See note 3 above.
14 Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report. (2011)
Some liability is transferred from McMahon & Associates to Athena Health by the use of a third party, cloud-based SaaS EMR system hosted by Athena Health, as Athena then becomes a "business associate" of McMahon & Associates and inherits certain responsibilities for data protection under HIPAA.17 Even with the utilization of a third party cloud-based EMR, the acquisition of cyber insurance is strongly recommended. It has the potential to cover the organization should PHI be compromised via Outlook or other business tools, or if office property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third party or business associate such as Athena Health.
It should be noted, though, that irresponsible data protection behavior, such as sending PHI via unencrypted email or leaving an unencrypted laptop in a car which is then stolen, may not be covered by cyber insurance, as the incident does not meet the insurance provider's minimum protection requirements.
CHAPTER THREE
Workforce Development
In the cybersecurity realm the weakest link is often the human factor. In response to this, even a small twelve-practitioner clinical office needs to incorporate a cybersecurity workforce development program. There is currently a massive shortage of skilled cybersecurity professionals in the industry.18 This shortage makes internal training programs all the more imperative. As McMahon & Associates is a small office, the third party online cybersecurity training vendor Pluralsight will be utilized for employee cybersecurity training, with specific courses required at the beginning of employment and refreshers every six months thereafter.19
The vendor offers comprehensive security trainings delivered in an interesting and interactive video format. The Pluralsight requirements for employees will be managed by President and de facto IT manager Matthew McMahon. Coming from the corporate cybersecurity realm, Matthew holds various certifications in the security field and regularly stays abreast of new security developments and trends by attending security conferences as well as subscribing to popular security publications.
Another important component of training is the consideration of third parties' training processes, as evidenced by the now infamous Target hack, which was the result of an improperly trained third party vendor employee clicking on a link in an email that launched an attack.20 Having extensively assessed the security training methods of Athena Health employees via Athena's product security whitepapers, it appears that the company has done its due diligence in training its employees in cyber protections.21

15 McArdle, Jennifer. Incident Response and Cyber Insurance. (Presentation, Salve Regina University, Newport, RI, 2016)
16 Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings. (May 2016)
17 See note 9 above.
18 Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security.
19 Pluralsight. https://www.pluralsight.com/
CHAPTER FOUR
Risk Management Frameworks
McMahon & Associates Clinical Services understands that a large part of staying secure means keeping up to date with industry standards. The organization recognizes and adheres to the following security policies: the Common Security Framework (CSF), the Health Information Trust Alliance (HITRUST), as well as the International Organization for Standardization (ISO).22 Employee security trainings specifically target covering content recommended by these advisory bodies.
The organization also aims to adhere to all relevant legislation, FDA guidance documents and mandates. Notably these documents include Executive Order 13636, which calls for the protection of our nation's critical infrastructure, including the healthcare sector.23 This Executive Order directly contributed to FDA guidance documents that describe medical software and device best practices: Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff.24 Also pertinent is Executive Order 13691, which calls for the sharing of cyber defense information among government entities and for-profit companies.25 While McMahon & Associates has not directly engaged in the sharing of security related information in an industry forum, it realizes the eventual need for this and will participate in future discussions with other small businesses and government entities.
While there has been some debate on this, McMahon & Associates concludes that medical software (Athena Health) should be classified as a "medical device," and in so doing also adheres to the following FDA guidance documents that describe best practices: Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff,26 as well as the Guidance for Industry Part 11, Electronic Records; Electronic Signatures, Scope and Application. The NIST document Framework for Improving Critical Infrastructure Cybersecurity is also relevant.27 In addition to these general guidance documents, McMahon & Associates has adopted the Advanced Cybersecurity Group List Checklist as its model for measuring and quantifying risk assessment, and used this form during the review process of Athena Health as its SaaS cloud-based EMR solution.28

20 Ormes, Eric and Herr, Trey. Understanding Information Assurance. (October 2016)
21 See note 9 above.
22 See note 4 above.
23 Executive Order 13636. Improving Critical Infrastructure Cybersecurity.
24 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff.
25 Executive Order 13691. Promoting Private Sector Cybersecurity Information Sharing.
26 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff.
27 FDA. Framework for Improving Critical Infrastructure Cybersecurity.
McMahon & Associates regularly conducts security threat and risk assessments (TRAs) on the tools it utilizes, such as Athena Health for clinical documentation and Outlook for secure email, among others. When completing these assessments it uses the Common Vulnerability Scoring System v3.0.29 These TRAs are completed by President and de facto IT manager Matthew McMahon, who, consistent with risk management framework guidance, has been deemed the responsible person to manage cyber security for the system. In his absence, responsibility and decision making in the realm of cyber security are passed along to company Vice President Carl Jung, who has been properly trained as the President's backup, currently holds the CompTIA Security+ and Network+ certifications, and has attended the SANS SEC401 Security Bootcamp course.
CHAPTER FIVE
Secure Data Usage
Secure data usage is a top priority for McMahon & Associates. A study recently completed by the Ponemon Institute showed that, of the employees sampled, over one third admitted that they were aware of coworkers who were not adhering to proper company data usage policies and were sharing restricted data outside of their company's firewall.30 To assure data protection the organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality, Integrity and Availability of data.
Security relating to confidentiality is partially handled by our business partner Athena Health, which manages the EMR. Because of this relationship Athena Health is responsible for securing all hardware and database configurations. McMahon & Associates' responsibilities lie in assuring secure access and proper access control utilizing the least privilege model. Users accessing Athena Health's online portal should create robust passwords that are regularly updated.31 Employees no longer in the employ of McMahon & Associates should have their access immediately revoked.
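One way to turn the least-privilege, password-rotation and immediate-revocation requirements above into a repeatable check is to reconcile the EMR portal's user list against the HR roster at each review. The script below is an added example, not part of the original report and not an Athena Health interface; the HR roster, the portal export, the role names, the allowed-role mapping and the 90-day maximum password age are all constructed assumptions.

```python
"""Periodic access review for a cloud EMR portal.

Added example, not part of the original report. Reconciles a constructed HR
roster against a constructed portal user export and flags: accounts with no
active employee behind them (revoke), accounts holding a role their job does
not need (least privilege), and passwords older than the assumed maximum age.
"""
from datetime import date

# Assumed policy value for "regularly updated" passwords.
MAX_PASSWORD_AGE_DAYS = 90

# Assumed least-privilege mapping: portal roles each job title may hold.
ALLOWED_ROLES = {
    "clinician": {"clinician"},
    "front desk": {"scheduler"},
    "billing": {"billing"},
    "president": {"clinician", "admin"},
}

# Constructed HR roster: (username, job title, employment status).
HR_ROSTER = [
    ("mmcmahon", "president", "active"),
    ("cjung", "clinician", "active"),
    ("afreud", "clinician", "terminated"),
    ("bsmith", "front desk", "active"),
]

# Constructed portal export: (username, portal role, last password change).
PORTAL_USERS = [
    ("mmcmahon", "admin", date(2017, 3, 1)),
    ("cjung", "clinician", date(2016, 11, 15)),
    ("afreud", "clinician", date(2017, 4, 2)),
    ("bsmith", "admin", date(2017, 4, 20)),
    ("vendor-temp", "clinician", date(2016, 6, 1)),
]

# Constructed review date (the report's own date).
REVIEW_DATE = date(2017, 5, 4)


def review_access(hr_roster, portal_users, today):
    """Return (username, finding) pairs that need action, in export order."""
    employed = {user: title for user, title, status in hr_roster if status == "active"}
    findings = []
    for user, role, pw_changed in portal_users:
        if user not in employed:
            # Former employee or an account with no HR record at all: revoke now.
            findings.append((user, "revoke: no active HR record"))
            continue
        title = employed[user]
        if role not in ALLOWED_ROLES.get(title, set()):
            findings.append((user, f"excess privilege: role '{role}' not allowed for '{title}'"))
        if (today - pw_changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password older than {MAX_PASSWORD_AGE_DAYS} days"))
    return findings


def run_sample_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, PORTAL_USERS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_sample_review():
        print(f"{user:12s} {finding}")
```

Any account the HR roster cannot vouch for is treated as a revocation, not merely a privilege question, because an orphaned login is the case the policy's "immediately revoked" sentence exists to prevent; the output of each run belongs in the review record alongside the TRA.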
PHI should only be emailed when absolutely necessary and, when necessary, with encryption and two factor authentication, which requires both a password and a public key infrastructure (PKI) card to access. All paper PHI should be shredded. All company phones and laptops used to access patient data shall utilize encryption. McMahon & Associates has a firm no bring your own device (BYOD) policy for accessing patient data.
The integrity component of McMahon & Associates' data usage policy is again largely handled by our business associate Athena Health, which utilizes checksum technology to assure that data entered by a software user is uploaded correctly. The utilization of an EMR is in itself a method to protect the integrity of data. All data is entered into the Athena Health system and displayed clearly. Audit logging shows who entered data and when. Most data is not able to be edited, but where editing is allowed for certain features such as clinical notes, that information is logged and auditable.32

28 Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist. (May 27, 2015)
29 Common Vulnerability Scoring System v3.0 Specification Document. www.First.org
30 Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute. (October 2014)
31 McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information. (Presentation, Salve Regina University, Newport, RI, 2016)
The availability component of the triad was one of the main driving factors in deciding to utilize Athena Health as an EMR. McMahon & Associates' data is backed up to several different databases on various secure servers scattered around the globe, so the risk of the software being unavailable is low. In the event of the software system being down, staff are to return to a paper documentation system until the system is back online. As the office is a clinical counseling practice and does not practice emergency medicine, nor does it administer medication, the risk associated with documenting on paper is minimal.33
Conclusion
It is the goal of McMahon & Associates Counseling Services not only to provide the highest quality of clinical care to our customers but also to prioritize the security of our customers' protected health information. It is our belief that this risk management strategy report is a step towards that goal, but we understand that to achieve a robust security posture an organization and its policies must be fluid and keep up with the threat landscape. This document is meant to be general guidance and is not all-encompassing.
Review Process
This document shall be reviewed and updated once a year during the month of May. A record of reviews, edits and updates shall be recorded below for posterity.

Revision  Date        Author(s) (Changed By)  Change(s)
00        2017-05-04  Matthew J McMahon       Initial version
01
02
03

32 See note 5 above.
33 Ibid.

 
DC617 Medical Device Presentation
DC617 Medical Device PresentationDC617 Medical Device Presentation
DC617 Medical Device Presentation
 
HCA 530, Week 2, Symantec 2016 threat report
HCA 530, Week 2, Symantec 2016 threat reportHCA 530, Week 2, Symantec 2016 threat report
HCA 530, Week 2, Symantec 2016 threat report
 
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbiHCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
 
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
 
HCA 530, Week 2, Advanced persistent threat healthcare under attack
HCA 530, Week 2, Advanced persistent threat healthcare under attackHCA 530, Week 2, Advanced persistent threat healthcare under attack
HCA 530, Week 2, Advanced persistent threat healthcare under attack
 
Case brief US v batti
Case brief US v battiCase brief US v batti
Case brief US v batti
 
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
The Top Five Essential Cybersecurity Protections for Healthcare FacilitiesThe Top Five Essential Cybersecurity Protections for Healthcare Facilities
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
 
Can international organizations like the IMF control the externality costs of...
Can international organizations like the IMF control the externality costs of...Can international organizations like the IMF control the externality costs of...
Can international organizations like the IMF control the externality costs of...
 

Recently uploaded

Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...Oleg Kshivets
 
Critical Advancements in Healthcare Software Development | smartData Enterpri...
Critical Advancements in Healthcare Software Development | smartData Enterpri...Critical Advancements in Healthcare Software Development | smartData Enterpri...
Critical Advancements in Healthcare Software Development | smartData Enterpri...amynickle2106
 
Exploring the Integration of Homeopathy and Allopathy in Healthcare.pdf
Exploring the Integration of Homeopathy and Allopathy in Healthcare.pdfExploring the Integration of Homeopathy and Allopathy in Healthcare.pdf
Exploring the Integration of Homeopathy and Allopathy in Healthcare.pdfDharma Homoeopathy
 
办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书
办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书
办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书zdzoqco
 
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTSSARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTSNehaSaini499770
 
Artificial Intelligence Robotics & Computational Fluid Dynamics
Artificial Intelligence Robotics & Computational Fluid DynamicsArtificial Intelligence Robotics & Computational Fluid Dynamics
Artificial Intelligence Robotics & Computational Fluid DynamicsParag Kothawade
 
TEENAGE PREGNANCY PREVENTION AND AWARENESS
TEENAGE PREGNANCY PREVENTION AND AWARENESSTEENAGE PREGNANCY PREVENTION AND AWARENESS
TEENAGE PREGNANCY PREVENTION AND AWARENESSPeterJamesVitug
 
Immediate care of newborn, midwifery and obstetrical nursing
Immediate care of newborn, midwifery and obstetrical nursingImmediate care of newborn, midwifery and obstetrical nursing
Immediate care of newborn, midwifery and obstetrical nursingNursing education
 
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书rnrncn29
 
EMS Response to Terrorism involving Weapons of Mass Destruction
EMS Response to Terrorism involving Weapons of Mass DestructionEMS Response to Terrorism involving Weapons of Mass Destruction
EMS Response to Terrorism involving Weapons of Mass DestructionJannelPomida
 
Clinical Education Presentation at Accelacare
Clinical Education Presentation at AccelacareClinical Education Presentation at Accelacare
Clinical Education Presentation at Accelacarepablor40
 
Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...
Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...
Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...Dr. David Greene Arizona
 
Globalny raport: „Prawdziwe piękno 2024" od Dove
Globalny raport: „Prawdziwe piękno 2024" od DoveGlobalny raport: „Prawdziwe piękno 2024" od Dove
Globalny raport: „Prawdziwe piękno 2024" od Doveagatadrynko
 
What are weight loss medication services?
What are weight loss medication services?What are weight loss medication services?
What are weight loss medication services?Optimal Healing 4u
 
Back care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentationBack care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentationpratiksha ghimire
 
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfChampions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfeurohealthleaders
 
Mobile Health And Apps (mhealth) How to design Application for medical App.pptx
Mobile Health And Apps (mhealth) How to design Application for medical App.pptxMobile Health And Apps (mhealth) How to design Application for medical App.pptx
Mobile Health And Apps (mhealth) How to design Application for medical App.pptxMahesh Chopra
 

Recently uploaded (20)

Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
Local Advanced Esophageal Cancer (T3-4N0-2M0): Artificial Intelligence, Syner...
 
Critical Advancements in Healthcare Software Development | smartData Enterpri...
Critical Advancements in Healthcare Software Development | smartData Enterpri...Critical Advancements in Healthcare Software Development | smartData Enterpri...
Critical Advancements in Healthcare Software Development | smartData Enterpri...
 
Exploring the Integration of Homeopathy and Allopathy in Healthcare.pdf
Exploring the Integration of Homeopathy and Allopathy in Healthcare.pdfExploring the Integration of Homeopathy and Allopathy in Healthcare.pdf
Exploring the Integration of Homeopathy and Allopathy in Healthcare.pdf
 
办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书
办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书
办理西安大略大学毕业证成绩单|购买加拿大UWO文凭证书
 
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTSSARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
SARS Cov-2 INFECTION AND ITS EMERGING VARIANTS
 
Artificial Intelligence Robotics & Computational Fluid Dynamics
Artificial Intelligence Robotics & Computational Fluid DynamicsArtificial Intelligence Robotics & Computational Fluid Dynamics
Artificial Intelligence Robotics & Computational Fluid Dynamics
 
DELIRIUM psychiatric delirium is a organic mental disorder
DELIRIUM  psychiatric  delirium is a organic mental disorderDELIRIUM  psychiatric  delirium is a organic mental disorder
DELIRIUM psychiatric delirium is a organic mental disorder
 
TEENAGE PREGNANCY PREVENTION AND AWARENESS
TEENAGE PREGNANCY PREVENTION AND AWARENESSTEENAGE PREGNANCY PREVENTION AND AWARENESS
TEENAGE PREGNANCY PREVENTION AND AWARENESS
 
Immediate care of newborn, midwifery and obstetrical nursing
Immediate care of newborn, midwifery and obstetrical nursingImmediate care of newborn, midwifery and obstetrical nursing
Immediate care of newborn, midwifery and obstetrical nursing
 
Check Your own POSTURE & treat yourself.pptx
Check Your own POSTURE & treat yourself.pptxCheck Your own POSTURE & treat yourself.pptx
Check Your own POSTURE & treat yourself.pptx
 
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
『澳洲文凭』买莫道克大学毕业证书成绩单办理澳洲Murdoch文凭学位证书
 
EMS Response to Terrorism involving Weapons of Mass Destruction
EMS Response to Terrorism involving Weapons of Mass DestructionEMS Response to Terrorism involving Weapons of Mass Destruction
EMS Response to Terrorism involving Weapons of Mass Destruction
 
Clinical Education Presentation at Accelacare
Clinical Education Presentation at AccelacareClinical Education Presentation at Accelacare
Clinical Education Presentation at Accelacare
 
Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...
Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...
Innovations in Nephrology by Dr. David Greene Stem Cell Potential and Progres...
 
Globalny raport: „Prawdziwe piękno 2024" od Dove
Globalny raport: „Prawdziwe piękno 2024" od DoveGlobalny raport: „Prawdziwe piękno 2024" od Dove
Globalny raport: „Prawdziwe piękno 2024" od Dove
 
What are weight loss medication services?
What are weight loss medication services?What are weight loss medication services?
What are weight loss medication services?
 
Back care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentationBack care and back massage. powerpoint presentation
Back care and back massage. powerpoint presentation
 
Dr Sujit Chatterjee Hiranandani Hospital Kidney.pdf
Dr Sujit Chatterjee Hiranandani Hospital Kidney.pdfDr Sujit Chatterjee Hiranandani Hospital Kidney.pdf
Dr Sujit Chatterjee Hiranandani Hospital Kidney.pdf
 
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdfChampions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
Champions of Health Spotlight On Leaders Shaping Denmark's Healthcare.pdf
 
Mobile Health And Apps (mhealth) How to design Application for medical App.pptx
Mobile Health And Apps (mhealth) How to design Application for medical App.pptxMobile Health And Apps (mhealth) How to design Application for medical App.pptx
Mobile Health And Apps (mhealth) How to design Application for medical App.pptx
 

McMahon & Associates Risk Management Strategy

  • 1. McMahon & Associates Clinical Services Risk Management Strategy Matthew J McMahon Cybersecurity in Healthcare Administration Salve Regina University May 04, 2017
  • 2. 2 Contents Executive Summary……………………………………………………………………...…..........3 About McMahon & Associates Clinical Services…………...………..………………….….........3 CHAPTER ONE. Reducing Third Party Risk…………………………………………...…..........3 CHAPTER TWO. Cyber Insurance…………...……...……………………………………...........4 CHAPTER THREE. Workforce Development….……...…………………………………............5 CHAPTER FOUR. Risk Management Frameworks………………….…………..………............6 CHAPTER Five. Secure Data Usage...….……...…………..……………………….....................7 Conclusion……………………………..………………………………………………………….8 Revision History…………...………………………..…………………………………………….8
McMahon & Associates Clinical Services has opted to utilize Athena Health as its cloud based clinical documentation, scheduling and billing software solution. An extensive cloud usage strategy report has already been completed in the McMahon & Associates Clinical Services Cloud Usage Strategy Report.[3] This risk management strategy paper will only touch on applicable highlights from that report.

The McMahon & Associates Clinical Services Cloud Usage Strategy Report extensively details the criteria used for selecting Athena Health among the other vendors that were reviewed.[4] Chilmark Research's report EHR Vendors' Capabilities for Interoperability was an essential tool in comparing and contrasting Athena Health with its ten closest competitors in terms of data privacy and security compliance, secure connection controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.[5]

The driving force in the choice of Athena Health was its ability to essentially eliminate the need for a traditional IT department.[6] This not only reduces overhead but also the liability associated with maintaining and securing a traditional IT infrastructure.[7] The solution utilizes the software as a service (SaaS) cloud model, which allows for varying levels of role based access.[8] Providers access and enter protected health information (PHI) only after authenticating to the password protected Athena Health website over HTTPS.[9] While Athena Health is typically thought of as a small electronic medical record (EMR) provider in light of its much larger competitors such as MEDITECH, Epic and Cerner, it services over 62,000 providers and its market share is steadily growing. Athena Health's interfacing capabilities are well demonstrated by over 30 strategic interfacing partners and a full-time dedicated interface team that builds new links from Athena to other third party software vendors.[10]

Before making the final decision to choose Athena Health as the SaaS cloud based EMR vendor for McMahon & Associates, a risk assessment was completed per the specifications laid out by the National Institute of Standards and Technology (NIST).[11] This risk assessment included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown, Massachusetts, where decision makers were given a tour of the campus and provided detailed descriptions of secure offsite data storage facilities.[12] After reviewing the vendor's applicable security documentation for its SaaS cloud based EMR system, which included the industry standard Manufacturer Disclosure Statement for Medical Device Security (MDS2) and a product specific security whitepaper, both of which have been kept on file, it was determined that the software solution meets all relevant regulatory compliance measures defined in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.[13] Vendor documentation establishes the vendor's stated controls; McMahon & Associates' own obligations under HIPAA, including a signed business associate agreement, access management and workforce training, remain with McMahon & Associates and are addressed in the chapters that follow.

CHAPTER TWO
Cyber Insurance

Cyber liability is a major concern for healthcare providers. Most general healthcare provider insurance policies exclude liability coverage associated with cybersecurity.[14] Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape, improving patient privacy protections and underwriting the risk associated with operating a healthcare organization.[15] General security requirements as a precursor to insurability, and the ability to conduct timely and efficient security audits, will revolutionize the healthcare sector in the future, driving new legislation and best practice guidance.[16]

Some liability is transferred from McMahon & Associates to Athena Health by the use of a third party, cloud based SaaS EMR system hosted by Athena Health, as Athena then becomes a "business associate" of McMahon & Associates and inherits certain responsibilities for data protection under HIPAA.[17] Even with the utilization of a third party cloud based EMR, the acquisition of cyber insurance is strongly recommended. It has the potential to cover the organization should PHI be compromised via Outlook or other business tools, or if office property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third party or business associate such as Athena Health. It should be noted, though, that irresponsible data protection behavior, such as sending PHI via unencrypted email or leaving an unencrypted laptop in a car which is then stolen, may not be covered, as such an incident would not meet the insurance provider's minimum protection requirements.

CHAPTER THREE
Workforce Development

In the cybersecurity realm the weakest link is often the human factor. In response to this, even a small twelve practitioner clinical office needs to incorporate a cybersecurity workforce development program. There is currently a massive shortage of skilled cybersecurity professionals in the industry.[18] This shortage makes internal training programs all the more imperative.

As McMahon & Associates is a small office, the third party online training vendor Pluralsight will be utilized for employee cybersecurity training, with specific courses required at the beginning of employment and refreshers every six months thereafter.[19] The vendor offers comprehensive security training delivered in an engaging, interactive video format. The Pluralsight requirements for employees will be managed by President and de facto IT manager Matthew McMahon. Coming from the corporate cybersecurity realm, Matthew holds various security certifications and stays abreast of new security developments and trends by regularly attending security conferences and subscribing to popular security publications.

Another important component of training is consideration of third parties' training processes, as evidenced by the now infamous Target breach, which resulted from an improperly trained third party vendor employee clicking on a link in an email that launched an attack.[20] Having extensively assessed the security training methods of Athena Health employees via Athena's product security whitepapers, it appears that the company has done its due diligence in training its employees in cyber protections.[21]

CHAPTER FOUR
Risk Management Frameworks

McMahon & Associates Clinical Services understands that a large part of staying secure means keeping up to date with industry standards. The organization recognizes and adheres to the following security frameworks: the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) as well as the applicable International Organization for Standardization (ISO) standards.[22] Employee security training specifically targets content recommended by these advisory bodies.

The organization also aims to adhere to all relevant legislation, FDA guidance documents and mandates. Notably these include Executive Order 13636, which calls for the protection of our nation's critical infrastructure, including the healthcare sector.[23] This Executive Order directly contributed to FDA guidance documents that describe medical software and device best practices, including Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff.[24] Also pertinent is Executive Order 13691, which calls for the sharing of cyber defense information among government entities and for-profit companies.[25] While McMahon & Associates has not directly engaged in the sharing of security related information in an industry forum, it realizes the eventual need for this and will participate in future discussions with other small businesses and government entities.

While there has been some debate on this, McMahon & Associates concludes that medical software (Athena Health) should be classified as a "medical device," and in so doing also adheres to the following FDA guidance documents that describe best practices: Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff[26] as well as Guidance for Industry Part 11, Electronic Records; Electronic Signatures: Scope and Application. The NIST document Framework for Improving Critical Infrastructure Cybersecurity is also relevant.[27] In addition to these general guidance documents, McMahon & Associates has adopted the Advanced Cybersecurity Group List Checklist as its model for measuring and quantifying risk assessment, and used this form during the review of Athena Health as its SaaS cloud based EMR solution.[28]

McMahon & Associates regularly conducts security threat and risk assessments (TRAs) on the tools it utilizes, such as Athena Health for clinical documentation and Outlook for email, among others. When rating the individual vulnerabilities identified in these assessments it uses the Common Vulnerability Scoring System v3.0, bearing in mind that a CVSS base score expresses the severity of a single vulnerability and not the overall risk to the organization.[29] These TRAs are completed by President and de facto IT manager Matthew McMahon who, consistent with risk management framework guidance, has been designated the responsible person to manage cybersecurity for the system. In his absence, responsibility and decision making in the realm of cybersecurity pass to company Vice President Carl Jung, who has been properly trained as the President's backup, currently holds the CompTIA Security+ and Network+ certifications and has attended the SANS SEC401 Security Bootcamp course.

CHAPTER FIVE
Secure Data Usage

Secure data usage is a top priority for McMahon & Associates. A study recently completed by the Ponemon Institute showed that over one third of the employees sampled admitted they were aware of coworkers who were not adhering to company data usage policies and were sharing restricted data outside of the company's firewall.[30] To assure data protection the organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality, Integrity and Availability of data.

Security relating to confidentiality is partially handled by our business associate Athena Health, which manages the EMR. Because of this relationship Athena Health is responsible for securing all hardware and database configurations. McMahon & Associates' responsibilities center on assuring secure access and proper access control utilizing the least privilege model.

Users accessing Athena Health's online portal should create robust passwords that are regularly updated.[31] Access for employees no longer in the employ of McMahon & Associates shall be revoked immediately. PHI should only be emailed when absolutely necessary, and when it is necessary the message must be encrypted and the account protected by two factor authentication requiring both a password and a public key infrastructure (PKI) smart card. All paper PHI shall be shredded. All company phones and laptops used to access patient data shall utilize device encryption. McMahon & Associates has a firm no bring your own device (BYOD) policy for accessing patient data.

The integrity component of McMahon & Associates' data usage policy is again largely handled by our business associate Athena Health, which utilizes checksums to assure that data entered by a software user is uploaded correctly. The utilization of an EMR is in itself a method to protect the integrity of data. All data is entered into the Athena Health system and displayed clearly. Audit logging shows who entered data and when. Most data cannot be edited, and where editing is allowed for certain features such as clinical notes, the change is logged and auditable.[32]

The availability component of the triad was one of the main driving factors in deciding to utilize Athena Health as an EMR. McMahon & Associates' data is backed up to several different databases on various secure servers around the globe, so the risk of the software being unavailable is low. In the event of the software system being down, staff are to return to a paper documentation system until the system is back online. As the office is a clinical counseling practice that does not practice emergency medicine or administer medication, the risk associated with documenting on paper is minimal.[33]

Conclusion

It is the goal of McMahon & Associates Clinical Services not only to provide the highest quality of clinical care to our customers but also to prioritize the security of our customers' protected health information. It is our belief that this risk management strategy report is a step towards that goal, but we understand that to achieve a robust security posture an organization and its policies must be fluid and keep up with the threat landscape. This document is meant as general guidance and is not all-encompassing.

Review Process

This document shall be reviewed and updated once a year during the month of May. A record of reviews, edits and updates shall be recorded below for posterity.

Revision   Date         Author(s) (Changed By)   Change(s)
00         2017-05-04   Matthew J McMahon        Initial version
01
02
03

Notes

1. Hacking Healthcare IT in 2016: Lessons the Healthcare Industry Can Learn From the OPM Breach. Institute for Critical Infrastructure Technology (January 2016).
2. See note 1 above.
3. McMahon, Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report (April 2017).
4. See note 1 above.
5. Chilmark Research. EHR Vendors' Capabilities for Interoperability (July 2015).
6. ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud.
7. See note 5 above.
8. Cloud Standards Customer Council. Impact of Cloud Computing on Healthcare (November 2012).
9. Murphy, Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal (March 5, 2015).
10. Athenahealth. What Cloud-based Services Can Do for Your Medical Practice (whitepaper, January 2012).
11. See note 3 above.
12. Athenahealth website, https://www.athenahealth.com
13. See note 3 above.
14. Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report (2011).
15. McArdle, Jennifer. Incident Response and Cyber Insurance (presentation, Salve Regina University, Newport, RI, 2016).
16. Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings (May 2016).
17. See note 9 above.
18. Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security.
19. Pluralsight, https://www.pluralsight.com/
20. Ormes, Eric and Herr, Trey. Understanding Information Assurance (October 2016).
21. See note 9 above.
22. See note 4 above.
23. Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
24. FDA. Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff.
25. Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing.
26. See note 24 above.
27. NIST. Framework for Improving Critical Infrastructure Cybersecurity.
28. Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist (May 27, 2015).
29. Common Vulnerability Scoring System v3.0 Specification Document. FIRST, https://www.first.org/
30. Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute (October 2014).
31. McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information (presentation, Salve Regina University, Newport, RI, 2016).
32. See note 5 above.
33. Ibid.