Privacy & Security Policy Meets Technology at the Crossroads: Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision.

Presentation transcript:

Privacy & Security Policy Meets Technology at the Crossroads: Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision HIPAA Collaborative of Wisconsin Fall 2010 Conference

 Survey Results
 Why Data Protection is More Important Today
 Challenges to Maintain Security & Compliance
 Why Should You Have Business Process Management Controls
 Review of Common Process Frameworks
 Keys to Successful Business Process Management
 Recommended Next Steps
 Open Discussion

 Top Challenges
 Current Frameworks in Use (by department or enterprise wide)

 Security has become a fundamental need and mandate
 The risk and exposure to data and security breaches carries an increased cost
◦ Recovering from a security breach could cost thousands of dollars
◦ You may lose patient confidence and trust, and the resulting damage to your reputation may not be recoverable
 Medical Identity Theft is a Major Problem: onomy/health_care_fraud/index.htm

 Limited budget dollars for adequate security controls
 Limited formal written policies, standards and procedures
 Risk and Security Assessments not conducted on a regular basis, or have never been conducted

 Limited:
◦ Audit mechanisms to identify and report on security breaches
◦ Malware protection controls
◦ Written Incident Response Procedures
 Unfinished or outdated Disaster Recovery & Business Continuance Plans
 Inadequate Workforce Security Awareness Training

 Actual practices do not match formal policies, standards and procedures. For example:
◦ Misconfigured systems that do not match configuration and change management standards
◦ Weak passwords
◦ Shared accounts and passwords
◦ Unencrypted ePHI when sent through the Internet ( & FTP)
◦ Audit controls do not detect modifications or deletes to medical records
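The last gap above, audit controls that miss changes to medical records, can be checked directly by reconciling two snapshots of the record store against the audit log. The following is an added example, not code from the presentation or any product it lists; the record and audit-log layouts are assumptions, and the sample data is constructed.

```python
"""Reconcile before/after snapshots of a medical-record store against the
audit log and flag modifications or deletions no audit entry accounts for.
Constructed sample data; record and audit-log layouts are assumptions."""
import hashlib
from collections import defaultdict

# Constructed snapshots: record id -> record content, before and after.
BEFORE = {
    "MRN-1001": "Doe, Jane|DOB 1970-01-01|Dx: hypertension",
    "MRN-1002": "Roe, Rick|DOB 1965-05-05|Dx: diabetes",
    "MRN-1003": "Poe, Pat|DOB 1980-09-09|Dx: asthma",
}
AFTER = {
    "MRN-1001": "Doe, Jane|DOB 1970-01-01|Dx: hypertension",
    "MRN-1002": "Roe, Rick|DOB 1965-05-05|Dx: diabetes, neuropathy",
    # MRN-1003 is gone from the store
}
# Constructed audit log: one event per line. MRN-1002's update was logged;
# the deletion of MRN-1003 never was, so the check should flag it.
AUDIT_LOG = """\
2010-10-14T09:12:03 user=jsmith action=UPDATE record=MRN-1002
2010-10-14T09:40:17 user=jsmith action=READ record=MRN-1001
"""

def fingerprint(content):
    """Hash record content so comparisons do not depend on field layout."""
    return hashlib.sha256(content.encode()).hexdigest()

def parse_audit(log):
    """Return {record_id: set(actions)} from timestamped key=value lines."""
    seen = defaultdict(set)
    for line in log.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        seen[fields["record"]].add(fields["action"])
    return seen

def unlogged_changes(before, after, log):
    """List (record_id, description) for changes the audit log omits."""
    seen = parse_audit(log)
    findings = []
    for rid, content in before.items():
        if rid not in after:
            if "DELETE" not in seen[rid]:
                findings.append((rid, "deleted without audit entry"))
        elif fingerprint(content) != fingerprint(after[rid]):
            if "UPDATE" not in seen[rid]:
                findings.append((rid, "modified without audit entry"))
    return findings
```

Running the same reconciliation on a schedule (daily snapshots against the day's audit log) turns the policy requirement into a measurable control whose failure rate can serve as a KPI.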

 End Goal = Improved Process
 Focus on:
◦ Efficiency
◦ Effectiveness
◦ Governance
◦ Reasonable & Manageable Budgets
 Control Processes
◦ Leadership Involvement
◦ Configuration
◦ Change
◦ Problems & Incidents
◦ Security – CIA Triad Elements

 Access, Authorization and Authentication Controls
 Anti-Malware Practices
 Application Development Practices
 Asset Classification and Sensitivity Practices
 Asset Management Practices
 Acquisition of New Company Practices
 Change Management Practices
 Configuration Management Practices
 Communications and Operations Management
 Computer System Acceptable Use Practices
 Data Backup Practices
 Data Retention Practices
 Disaster Recovery & Business Continuity Practices
 Encryption and Digital Signature Practices
 Incident Handling Practices
 Logging and Auditing Practices
 Organizational Security Policy
 Password Protection Practices
 Patch Management Practices
 Personnel Security Controls
 Physical and Environmental Controls
 Remote Access and VPN Practices
 Risk Assessment Practices
 Security Awareness Practices
 Software Licensing Practices
 Wireless Security Practices

 Servers
 Workstations
 Intrusion Detection/Prevention Systems
 Security Information & Event Management Systems
 Two-Factor Authentication Systems
 Data Leakage Protection Systems
 Database Access Monitoring Systems
 Integrated Security Appliances
 Firewalls / VPN
 Vulnerability Management Systems
 Secure Cloud Computing Initiatives
 Network Admission Control Systems
 Encryption and Digital Control Systems
 Virtualization
 Configuration Management Database Systems
 Host Based Malware Controls

 Conduct a gap analysis to identify obvious processes that are not effective or efficient
 Implement a process improvement project for these obvious process weaknesses
◦ Identify Key Leadership Stakeholders and Sponsors
◦ Budget for and Prioritize Project
◦ Identify Resources
 Map workflow for each process
 Define KPIs

 Create strategic and tactical documents for each process (Business Plans, Policies, Standards, Procedures, etc.)
 Monitor Progress
 Add more processes until all key processes are included in the Process Improvement Program
 Continually optimize

 ITIL Official Site -
 Six Sigma -
 COBIT - Center/COBIT/Pages/Overview.aspx
 CMMI -
 Center for Medicare & Medicaid Services: (
 Center for Internet Security for IT Component Best Practices: (
 National Institute of Standards and Technology (NIST) for Best Practices Guides: (
 U.S. Department of Health & Family Services HIPAA Page: (
 Health Information Trust Alliance (HITRUST) site dedicated to HIPAA: (
 Site for more HIPAA information: (

Thank you Larry Boettger Director, InfoSec Security & Compliance Group adtec Services, Inc International Lane, Ste. 101 Madison, WI Office: (608) ext. 306 Cell: (608) Fax: (608) LinkedIn Profile: