Privacy & Security Policy Meets Technology at the Crossroads: Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision HIPAA Collaborative of Wisconsin Fall 2010 Conference


Page 1:

Privacy & Security Policy Meets Technology at the Crossroads:

Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision

HIPAA Collaborative of Wisconsin Fall 2010 Conference

Page 2:

Survey Results
Why Data Protection is More Important Today
Challenges to Maintain Security & Compliance
Why Should You Have Business Process Management Controls
Review of Common Process Frameworks
Keys to Successful Business Process Management
Recommended Next Steps
Open Discussion

Page 3:

Top Challenges
Current Frameworks in Use (by department or enterprise wide)

Page 4:

Security has become a fundamental need and mandate

The risk and exposure to data and security breaches carries an increased cost
◦ Recovering from a security breach could cost thousands of dollars
◦ You may lose patient confidence and trust, whereby your reputation damages may not be recoverable

Medical Identity Theft is a Major Problem: http://money.cnn.com/2010/01/13/news/economy/health_care_fraud/index.htm

Page 5:

Limited budget dollars for adequate security controls

Limited formal written policies, standards and procedures

Risk and Security Assessments not conducted on a regular basis, or have never been conducted

Page 6:

Limited:
◦ Audit mechanisms to identify and report on security breaches
◦ Malware protection controls
◦ Written Incident Response Procedures

Unfinished or outdated Disaster Recovery & Business Continuance Plans

Inadequate Workforce Security Awareness Training

Page 7:

Actual practices do not match formal policies, standards and procedures. For example:
◦ Mis-configured systems that do not match configuration and change management standards
◦ Weak passwords
◦ Shared accounts and passwords
◦ Unencrypted ePHI when sent through the Internet (email & FTP)
◦ Audit controls do not detect modifications or deletes to medical records

Page 8:

Page 9:

Page 10:

End Goal = Improved Process

Focus on:
◦ Efficiency
◦ Effectiveness
◦ Governance
◦ Reasonable & Manageable Budgets

Control Processes
◦ Leadership Involvement
◦ Configuration
◦ Change
◦ Problems & Incidents
◦ Security – CIA Triad Elements

Page 11:

Access, Authorization and Authentication Controls
Anti-Malware Practices
Application Development Practices
Asset Classification and Sensitivity Practices
Asset Management Practices
Acquisition of New Company Practices
Change Management Practices
Configuration Management Practices
Communications and Operations Management
Computer System Acceptable Use Practices
Data Backup Practices
Data Retention Practices
Disaster Recovery & Business Continuity Practices
Encryption and Digital Signature Practices
Incident Handling Practices
Logging and Auditing Practices
Organizational Security Policy
Password Protection Practices
Patch Management Practices
Personnel Security Controls
Physical and Environmental Controls
Remote Access and VPN Practices
Risk Assessment Practices
Security Awareness Practices
Software Licensing Practices
Wireless Security Practices

Page 12:

Servers
Workstations
Intrusion Detection/Prevention Systems
Security Information & Event Management Systems
Two-Factor Authentication Systems
Data Leakage Protection Systems
Database Access Monitoring Systems
Integrated Security Appliances
Firewalls / VPN
Vulnerability Management Systems
Secure Cloud Computing Initiatives
Network Admission Control Systems
Encryption and Digital Control Systems
Virtualization
Configuration Management Database Systems
Host Based Malware Controls

Page 13:

Page 14:

Conduct a gap analysis to identify obvious processes that are not effective or efficient

Implement a process improvement project for these obvious process weaknesses
◦ Identify Key Leadership Stakeholders and Sponsors
◦ Budget for and Prioritize Project
◦ Identify Resources

Map workflow for each process

Define KPIs

Page 15:

Create strategic and tactical documents for each process (Business Plans, Policies, Standards, Procedures, etc.)

Monitor Progress

Add more processes until all key processes are included in the Process Improvement Program

Continually optimize

Page 16:

ITIL Official Site - http://www.itil-officialsite.com/home/home.asp
Six Sigma - http://www.isixsigma.com/
COBIT - http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
CMMI - http://www.sei.cmu.edu/cmmi/
Center for Medicare & Medicaid Services - https://www.cms.gov/hipaageninfo/
Center for Internet Security for IT Component Best Practices - http://cisecurity.org/
National Institute of Standards and Technology (NIST) for Best Practices Guides - http://csrc.nist.gov/publications/PubsSPs.html
U.S. Department of Health & Family Services HIPAA Page - http://www.hhs.gov/ocr/privacy/
Health Information Trust Alliance (HITRUST) site dedicated to HIPAA - http://www.hitrustalliance.net/
Site for more HIPAA information - http://www.hipaa.org/

Page 17:

Thank you

Larry Boettger
Director, InfoSec Security & Compliance Group
adtec Services, Inc.
2801 International Lane, Ste. 101
Madison, WI 53704
Office: (608) 245-9910 ext. 306
Cell: (608) 228-1678
Fax: (608) 245-9885
[email protected]
http://www.adtecservices.com/

LinkedIn Profile: http://www.linkedin.com/in/larryboettger