
Privacy & Security Policy Meets Technology at the Crossroads: Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision.


Slide 1
Privacy & Security Policy Meets Technology at the Crossroads: Best Practice Methods & Approaches to Developing Organizational Frameworks to Avoid Collision
HIPAA Collaborative of Wisconsin Fall 2010 Conference

Slide 2
- Survey Results
- Why Data Protection is More Important Today
- Challenges to Maintain Security & Compliance
- Why Should You Have Business Process Management Controls
- Review of Common Process Frameworks
- Keys to Successful Business Process Management
- Recommended Next Steps
- Open Discussion

Slide 3
- Top Challenges
- Current Frameworks in Use (by department or enterprise wide)

Slide 4
- Security has become a fundamental need and mandate
- The risk and exposure to data and security breaches carries an increased cost
  - Recovering from a security breach could cost thousands of dollars
  - You may lose patient confidence and trust, and the damage to your reputation may not be recoverable
- Medical Identity Theft is a Major Problem: http://money.cnn.com/2010/01/13/news/economy/health_care_fraud/index.htm

Slide 5
- Limited budget dollars for adequate security controls
- Limited formal written policies, standards and procedures
- Risk and Security Assessments not conducted on a regular basis, or never conducted at all

Slide 6
- Limited:
  - Audit mechanisms to identify and report on security breaches
  - Malware protection controls
  - Written Incident Response Procedures
- Unfinished or outdated Disaster Recovery & Business Continuance Plans
- Inadequate Workforce Security Awareness Training

Slide 7
- Actual practices do not match formal policies, standards and procedures. For example:
  - Misconfigured systems that do not match configuration and change management standards
  - Weak passwords
  - Shared accounts and passwords
  - Unencrypted ePHI sent over the Internet (email & FTP)
  - Audit controls that do not detect modifications or deletions of medical records


Slide 10
- End Goal = Improved Process
- Focus on:
  - Efficiency
  - Effectiveness
  - Governance
  - Reasonable & Manageable Budgets
- Control Processes
  - Leadership Involvement
  - Configuration
  - Change
  - Problems & Incidents
  - Security – CIA Triad Elements

Slide 11
- Access, Authorization and Authentication Controls
- Anti-Malware Practices
- Application Development Practices
- Asset Classification and Sensitivity Practices
- Asset Management Practices
- Acquisition of New Company Practices
- Change Management Practices
- Configuration Management Practices
- Communications and Operations Management
- Computer System Acceptable Use Practices
- Data Backup Practices
- Data Retention Practices
- Disaster Recovery & Business Continuity Practices
- Encryption and Digital Signature Practices
- Incident Handling Practices
- Logging and Auditing Practices
- Organizational Security Policy
- Password Protection Practices
- Patch Management Practices
- Personnel Security Controls
- Physical and Environmental Controls
- Remote Access and VPN Practices
- Risk Assessment Practices
- Security Awareness Practices
- Software Licensing Practices
- Wireless Security Practices

Slide 12
- Servers
- Workstations
- Intrusion Detection/Prevention Systems
- Security Information & Event Management Systems
- Two-Factor Authentication Systems
- Data Leakage Protection Systems
- Database Access Monitoring Systems
- Integrated Security Appliances
- Firewalls / VPN
- Vulnerability Management Systems
- Secure Cloud Computing Initiatives
- Network Admission Control Systems
- Encryption and Digital Control Systems
- Virtualization
- Configuration Management Database Systems
- Host Based Malware Controls


Slide 14
- Conduct a gap analysis to identify obvious processes that are not effective or efficient
- Implement a process improvement project for these obvious process weaknesses
  - Identify Key Leadership Stakeholders and Sponsors
  - Budget for and Prioritize the Project
  - Identify Resources
- Map the workflow for each process
- Define KPIs

Slide 15
- Create strategic and tactical documents for each process (Business Plans, Policies, Standards, Procedures, etc.)
- Monitor Progress
- Add more processes until all key processes are included in the Process Improvement Program
- Continually optimize

Slide 16
- ITIL Official Site: http://www.itil-officialsite.com/home/home.asp
- Six Sigma: http://www.isixsigma.com/
- COBIT: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
- CMMI: http://www.sei.cmu.edu/cmmi/
- Center for Medicare & Medicaid Services: https://www.cms.gov/hipaageninfo/
- Center for Internet Security for IT Component Best Practices: http://cisecurity.org/
- National Institute of Standards and Technology (NIST) Best Practices Guides: http://csrc.nist.gov/publications/PubsSPs.html
- U.S. Department of Health & Family Services HIPAA Page: http://www.hhs.gov/ocr/privacy/
- Health Information Trust Alliance (HITRUST) site dedicated to HIPAA: http://www.hitrustalliance.net/
- Site for more HIPAA information: http://www.hipaa.org/

Slide 17
Thank you
Larry Boettger
Director, InfoSec Security & Compliance Group
adtec Services, Inc.
2801 International Lane, Ste. 101, Madison, WI 53704
Office: (608) 245-9910 ext. 306
Cell: (608) 228-1678
Fax: (608) 245-9885
lboettger@adtecservices.com
http://www.adtecservices.com/
LinkedIn Profile: http://www.linkedin.com/in/larryboettger
