Privacy & Security Policy Meets Technology at the Crossroads:
Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision
HIPAA Collaborative of Wisconsin Fall 2010 Conference
Survey Results
Why Data Protection is More Important Today
Challenges to Maintain Security & Compliance
Why Should You Have Business Process Management Controls
Review of Common Process Frameworks
Keys to Successful Business Process Management
Recommended Next Steps
Open Discussion
Top Challenges
Current Frameworks in Use (by department or enterprise wide)
Security has become a fundamental need and mandate
The risk of, and exposure to, data and security breaches carry an increased cost
◦ Recovering from a security breach could cost thousands of dollars
◦ You may lose patient confidence and trust, and the damage to your reputation may not be recoverable
Medical Identity Theft is a Major Problem: http://money.cnn.com/2010/01/13/news/economy/health_care_fraud/index.htm
Limited budget dollars for adequate security controls
Limited formal written policies, standards and procedures
Risk and Security Assessments not conducted on a regular basis, or have never been conducted
Limited:
◦ Audit mechanisms to identify and report on security breaches
◦ Malware protection controls
◦ Written Incident Response Procedures
Unfinished or outdated Disaster Recovery & Business Continuance Plans
Inadequate Workforce Security Awareness Training
Actual practices do not match formal policies, standards and procedures. For example:
◦ Mis-configured systems that do not match configuration and change management standards
◦ Weak passwords
◦ Shared accounts and passwords
◦ Unencrypted ePHI when sent through the Internet (email & FTP)
◦ Audit controls that do not detect modifications or deletions of medical records
End Goal = Improved Process
Focus on:
◦ Efficiency
◦ Effectiveness
◦ Governance
◦ Reasonable & Manageable Budgets
Control Processes
◦ Leadership Involvement
◦ Configuration
◦ Change
◦ Problems & Incidents
◦ Security – CIA Triad Elements
Access, Authorization and Authentication Controls
Anti-Malware Practices
Application Development Practices
Asset Classification and Sensitivity Practices
Asset Management Practices
Acquisition of New Company Practices
Change Management Practices
Configuration Management Practices
Communications and Operations Management
Computer System Acceptable Use Practices
Data Backup Practices
Data Retention Practices
Disaster Recovery & Business Continuity Practices
Encryption and Digital Signature Practices
Incident Handling Practices
Logging and Auditing Practices
Organizational Security Policy
Password Protection Practices
Patch Management Practices
Personnel Security Controls
Physical and Environmental Controls
Remote Access and VPN Practices
Risk Assessment Practices
Security Awareness Practices
Software Licensing Practices
Wireless Security Practices
Servers
Workstations
Intrusion Detection/Prevention Systems
Security Information & Event Management Systems
Two-Factor Authentication Systems
Data Leakage Protection Systems
Database Access Monitoring Systems
Integrated Security Appliances
Firewalls / VPN
Vulnerability Management Systems
Secure Cloud Computing Initiatives
Network Admission Control Systems
Encryption and Digital Control Systems
Virtualization
Configuration Management Database Systems
Host Based Malware Controls
Conduct a gap analysis to identify obvious processes that are not effective or efficient
Implement a process improvement project for these obvious process weaknesses
◦ Identify Key Leadership Stakeholders and Sponsors
◦ Budget for and Prioritize the Project
◦ Identify Resources
Map the workflow for each process
Define KPIs
Create strategic and tactical documents for each process (Business Plans, Policies, Standards, Procedures, etc.)
Monitor Progress
Add more processes until all key processes are included in the Process Improvement Program
Continually optimize
ITIL Official Site: http://www.itil-officialsite.com/home/home.asp
Six Sigma: http://www.isixsigma.com/
COBIT: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
CMMI: http://www.sei.cmu.edu/cmmi/
Centers for Medicare & Medicaid Services: https://www.cms.gov/hipaageninfo/
Center for Internet Security for IT Component Best Practices: http://cisecurity.org/
National Institute of Standards and Technology (NIST) Best Practices Guides: http://csrc.nist.gov/publications/PubsSPs.html
U.S. Department of Health & Family Services HIPAA Page: http://www.hhs.gov/ocr/privacy/
Health Information Trust Alliance (HITRUST) site dedicated to HIPAA: http://www.hitrustalliance.net/
Site for more HIPAA information: http://www.hipaa.org/
Thank you
Larry Boettger
Director, InfoSec Security & Compliance Group
adtec Services, Inc.
2801 International Lane, Ste. 101
Madison, WI 53704
Office: (608) 245-9910 ext. 306
Cell: (608) 228-1678
Fax: (608) 245-9885
[email protected]
http://www.adtecservices.com/
LinkedIn Profile: http://www.linkedin.com/in/larryboettger