Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007.

Published byBerenice Morton Modified over 9 years ago

Similar presentations

Presentation on theme: "Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007."— Presentation transcript:

1 Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007

2  Balancing business & security  Security & privacy not all technology  Placement of privacy & security - Organizational oversight  Importance of risk analysis  Other non-technical requirements  Selling security  Q&A 12/12/20072Apgar & Associates, LLC (c) 2007

3  DoD protection not required  Risks are unavoidable  Remember profitability  Privacy & security solutions need to represent sound practice for the industry & the size & complexity of the organization 12/12/20073Apgar & Associates, LLC (c) 2007

4  HIPAA security rule flexible – take advantage of flexibility  Expensive tools not always best protection  Business needs to adopt security culture  Users need to be involved – greatest risk area 12/12/20074Apgar & Associates, LLC (c) 2007

5  HIPAA security rule – more than 1/3 administrative security  Technology section not predominant section – support to administrative security  Physical security may involve technology but often involves old fashioned keys & fire extinguishers 12/12/20075Apgar & Associates, LLC (c) 2007

6  Privacy requires appropriate security but not necessarily technically specific solutions  Privacy (and security) more people focused  Technology important but needs to support needs of the business and sound administrative/physicial security requirements 12/12/20076Apgar & Associates, LLC (c) 2007

7  Examples: ◦ Access control administrative safeguard ◦ Audit administrative & technical safeguard ◦ Risk analysis administrative safeguard ◦ Disaster recovery/emergency mode operations plans ◦ Training ◦ Policies & procedures 12/12/20077Apgar & Associates, LLC (c) 2007

8  Examples (continued): ◦ Patient privacy rights – primarily paper interface ◦ Privacy covers non-electronic & many providers continue to rely on paper charts (even after EHR implementation) ◦ Appropriate application security (e.g., EHR, bio-medical devices, PHR, etc.) lacking in today’s applications ◦ Secure e-mail relies on sender & recipient 12/12/20078Apgar & Associates, LLC (c) 2007

9  Variations between organizations – who is appointed privacy and security officers (no matter the size)  Generally security reports to IT  Frequently privacy officer training lacking  Frequently security officer non- technical training lacking 12/12/20079Apgar & Associates, LLC (c) 2007

10  Authority & responsibility of privacy & security officers vary between organizations ◦ Sometimes “only because HIPAA requires it” ◦ Too often positions lack authority to force/effect change ◦ Often responsibility exceeds authority ◦ Important findings/risks overlooked 12/12/200710Apgar & Associates, LLC (c) 2007

11  Privacy & security officers organizational placement vary  Placement in organization needs to consider position effectiveness and perceived neutrality  Positions need to be view as positions of trust 12/12/200711Apgar & Associates, LLC (c) 2007

12  Appropriate placement of privacy officer in organization: ◦ Compliance office ◦ Legal ◦ CEO/president ◦ Senior executive with cross-organization responsibilities/authority 12/12/200712Apgar & Associates, LLC (c) 2007

13  Appropriate placement of security officer in organization: ◦ Compliance office ◦ Legal ◦ CEO/president ◦ Senior executive with cross-organization responsibilities/authority ◦ Not CIO 12/12/200713Apgar & Associates, LLC (c) 2007

14  Positions need to be visible in positive way  Heavy visible engagement in audits, risk analysis, policy/procedure development, etc.  Interaction with local, state, federal standards development projects & bodies required 12/12/200714Apgar & Associates, LLC (c) 2007

15  HIPAA security rule requires risk analysis conducted regularly  Foundation for security program: ◦ Risk identification & mitigation ◦ Policy & procedure development/ amendment ◦ Disaster recovery/emergency mode operations plan building block ◦ Audit criteria development ◦ Workforce training content & requirements 12/12/200715Apgar & Associates, LLC (c) 2007

16  Conducted at least annually or when any major system or business change occurs  Most health care organization haven’t conducted risk analysis since security rule effective date  Risk analysis reflects environmental, technical, business, etc. changes which don’t stop 12/12/200716Apgar & Associates, LLC (c) 2007

17  Most health care organizations conduct qualitative or combined qualitative/ranking risk analysis  Frequently risk analyses not standardized within organization  Security controls evaluated often not technical  Lack of follow through/mitigation an issue 12/12/200717Apgar & Associates, LLC (c) 2007

18  Organizations miss value – data collected during sound risk analysis applicability to other standards & processes  Security officer – educational role  Need to know business and assist in identifying risks to mitigate and risks to accept 12/12/200718Apgar & Associates, LLC (c) 2007

19  Balance identified risks between security, privacy & business needs  Risk analysis should be globally rather than technically focused  User involvement required – employees often know of risks before management  Match perception with reality 12/12/200719Apgar & Associates, LLC (c) 2007

20  Risk management ties it all together  Proper training key to successful security & privacy program  Remote users represent significant non-technical threat  Physical security – protect the infrastructure 12/12/200720Apgar & Associates, LLC (c) 2007

21  People most significant threat  Role based access control – appropriate, tracked and enforced  Trading partners & business associates – inter-organizational agreements/contracts  Legal requirements (state, federal, case law) 12/12/200721Apgar & Associates, LLC (c) 2007

22  Security/privacy incident response  Breach notification requirements  Trust building between organizations and consumers  Non-electronic data management  Document/data retention & destruction (FRCP, HIPAA, etc.) 12/12/200722Apgar & Associates, LLC (c) 2007

23  ROI difficult to sell/demonstrate  Package as insurance policy  Identify damages caused by lax security ◦ Regulatory compliance ◦ Liability ◦ Business reputation ◦ Economic loss – trust, trade secrets, etc. ◦ Lost data can bring down business 12/12/200723Apgar & Associates, LLC (c) 2007

24  Keep horror stories to a minimum  Senior management – focus on non- technical risks (what will it cost in damages)  Too much tech talk leads to glazed eyes  Tie directly to business (must know the business)  Clearly map to the risks (the value in pictures) 12/12/200724Apgar & Associates, LLC (c) 2007

25  Be reasonable – remember organization size, complexity and financial viability  Sell phased security/privacy  Rely on fact & accurate business impact  Clearly spell out costs: ◦ Solution cost (acquisition, installation, maintenance) ◦ Staff support requirements (implementation & maintenance  Be prepared to negotiate 12/12/200725Apgar & Associates, LLC (c) 2007

26 Chris Apgar, CISSP President

Download ppt "Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.
Data Breach Risks Overview Heather Pixton www2.idexpertscorp.com

Data Breach Risks Overview Heather Pixton www2.idexpertscorp.com
1 Red Flags Rule: Implementing an Identity Theft Prevention Program Health Managers Network May 25. 2010 Chris Apgar, CISSP President, Apgar & Associates,

1 Red Flags Rule: Implementing an Identity Theft Prevention Program Health Managers Network May Chris Apgar, CISSP President, Apgar & Associates,
Security and Personnel

Security and Personnel
Security Controls – What Works

Security Controls – What Works
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
12 th National HIPAA Summit – Managing a Data Security Audit Program 2.05, 1:15 PM Chris Apgar, CISSP Apgar & Associates, LLC.

12 th National HIPAA Summit – Managing a Data Security Audit Program 2.05, 1:15 PM Chris Apgar, CISSP Apgar & Associates, LLC.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google