Chris Apgar, CISSP, President, Apgar & Associates, LLC. December 12, 2007


- Balancing business & security
- Security & privacy: not all technology
- Placement of privacy & security: organizational oversight
- Importance of risk analysis
- Other non-technical requirements
- Selling security
- Q&A

- DoD-level protection not required
- Risks are unavoidable
- Remember profitability
- Privacy & security solutions need to represent sound practice for the industry and for the size & complexity of the organization

- HIPAA security rule is flexible; take advantage of that flexibility
- Expensive tools are not always the best protection
- Business needs to adopt a security culture
- Users need to be involved; they are the greatest risk area

- HIPAA security rule: more than 1/3 of it is administrative security
- Technology section is not the predominant section; it supports administrative security
- Physical security may involve technology but often involves old-fashioned keys & fire extinguishers

- Privacy requires appropriate security, but not necessarily technically specific solutions
- Privacy (and security) are more people focused
- Technology is important but needs to support the needs of the business and sound administrative/physical security requirements

Examples:
- Access control: administrative safeguard
- Audit: administrative & technical safeguard
- Risk analysis: administrative safeguard
- Disaster recovery/emergency mode operations plans
- Training
- Policies & procedures

Examples (continued):
- Patient privacy rights: primarily a paper interface
- Privacy covers non-electronic data, & many providers continue to rely on paper charts (even after EHR implementation)
- Appropriate application security (e.g., EHR, bio-medical devices, PHR, etc.) is lacking in today's applications
- Secure e-mail relies on sender & recipient

- Variations between organizations in who is appointed privacy and security officer (no matter the size)
- Generally security reports to IT
- Frequently privacy officer training is lacking
- Frequently security officer non-technical training is lacking

- Authority & responsibility of privacy & security officers vary between organizations
- Sometimes the positions exist only because HIPAA requires them
- Too often positions lack the authority to force/effect change
- Often responsibility exceeds authority
- Important findings/risks are overlooked

- Organizational placement of privacy & security officers varies
- Placement in the organization needs to consider position effectiveness and perceived neutrality
- Positions need to be viewed as positions of trust

Appropriate placement of privacy officer in organization:
- Compliance office
- Legal
- CEO/president
- Senior executive with cross-organization responsibilities/authority

Appropriate placement of security officer in organization:
- Compliance office
- Legal
- CEO/president
- Senior executive with cross-organization responsibilities/authority
- Not the CIO

- Positions need to be visible in a positive way
- Heavy, visible engagement in audits, risk analysis, policy/procedure development, etc.
- Interaction with local, state, and federal standards development projects & bodies is required

- HIPAA security rule requires risk analysis conducted regularly
- Foundation for the security program:
  - Risk identification & mitigation
  - Policy & procedure development/amendment
  - Disaster recovery/emergency mode operations plan building block
  - Audit criteria development
  - Workforce training content & requirements

- Conducted at least annually or when any major system or business change occurs
- Most health care organizations haven't conducted a risk analysis since the security rule effective date
- Risk analysis reflects environmental, technical, business, etc. changes, which don't stop

- Most health care organizations conduct qualitative or combined qualitative/ranking risk analysis
- Frequently risk analyses are not standardized within the organization
- Security controls evaluated are often not technical
- Lack of follow-through/mitigation is an issue

- Organizations miss the value of the data collected during a sound risk analysis and its applicability to other standards & processes
- Security officer has an educational role
- Needs to know the business and assist in identifying risks to mitigate and risks to accept

- Balance identified risks between security, privacy & business needs
- Risk analysis should be globally rather than technically focused
- User involvement is required: employees often know of risks before management does
- Match perception with reality

- Risk management ties it all together
- Proper training is key to a successful security & privacy program
- Remote users represent a significant non-technical threat
- Physical security protects the infrastructure

- People are the most significant threat
- Role-based access control: appropriate, tracked and enforced
- Trading partners & business associates: inter-organizational agreements/contracts
- Legal requirements (state, federal, case law)

- Security/privacy incident response
- Breach notification requirements
- Trust building between organizations and consumers
- Non-electronic data management
- Document/data retention & destruction (FRCP, HIPAA, etc.)

- ROI is difficult to sell/demonstrate
- Package security as an insurance policy
- Identify damages caused by lax security:
  - Regulatory compliance
  - Liability
  - Business reputation
  - Economic loss (trust, trade secrets, etc.)
- Lost data can bring down a business

- Keep horror stories to a minimum
- Senior management focuses on non-technical risks (what will it cost in damages)
- Too much tech talk leads to glazed eyes
- Tie directly to the business (must know the business)
- Clearly map to the risks (the value is in pictures)

- Be reasonable: remember organization size, complexity and financial viability
- Sell phased security/privacy
- Rely on facts & accurate business impact
- Clearly spell out costs:
  - Solution cost (acquisition, installation, maintenance)
  - Staff support requirements (implementation & maintenance)
- Be prepared to negotiate

Chris Apgar, CISSP, President