Security and Privacy Governance Program Guidelines

Effective Security and Privacy Programs start with attention to governance. Governance refers to the roles and responsibilities established by the Board and senior leaders to direct and oversee the Program, based on the organization's mission, goals, and requirements for protecting information assets. These guidelines can be used to establish and measure Security and Privacy Program structure and processes, with governance as the foundation.

Establish governance that includes and specifies the oversight role of the Board of Directors.

The Board is responsible for oversight of security and privacy, including the responsibility to ensure that risk analysis and risk mitigation activities are duly considered as integral to the organization's overall risk profile. Security and privacy program oversight must be included in Board bylaws and operating rules.

Select a board committee to oversee the Security and Privacy Programs.

Security and Privacy Program oversight responsibilities should be included in the committee's charter. Ideally, if the Board has a risk committee, security and privacy would fall under that committee. Other committees that can assume responsibility include the Safety Committee, the Quality Committee, and the Compliance and Audit Committee. The decision as to which committee should have oversight depends on the committee structure and the trustee skills available to guide the programs.

The committee should approve the annual work plan for the Security and Privacy Programs and advise on key expenditures and initiatives. The committee should assure that the full board receives regular reports regarding goals, accomplishments, and activities of the programs. The committee should oversee the evaluation of the Security and Privacy Programs. The committee should assure that board members and senior leaders receive ongoing training regarding their responsibilities with respect to the Security and Privacy Programs, and that they are briefed on the organization's Breach Notification Policy. Committee members and senior leaders should have a general awareness of the administrative, physical and technical safeguards in place.

914-696-3622 | INFO@phyllispatrick.com

Train new and established board members and senior leaders.

As with other areas the Board oversees, Security and Privacy Program issues may change over time. New risks, changes in technology, EHR development, patient portals and patient engagement are just a few areas where security and privacy will affect the organization. While it is challenging to find the time for trustees and senior leaders to devote to furthering their knowledge of security and privacy as key risk areas, it is critical that they do so. Having effective and robust security and privacy programs is key to avoiding reputational, regulatory, and financial risk. Just as boards and senior leaders are trained in quality and safety, they also need to devote adequate time to understanding their roles and responsibilities with respect to security and privacy.

Establish a reporting structure for Security and Privacy Programs that enables the Officers to be effective and emphasizes visibility and relationships.

The most important aspect of the reporting relationship for the Security and Privacy Officers is to report to a senior leader who can serve as champion and advocate for the programs: someone who understands the basic components of the programs and can communicate appropriate and clear messages to other senior leaders. This champion supports the programs in the context of the overall organizational mission/vision/values and assists in program development and change, within the constraints of financial stewardship and maintaining the organization's sustainability.

Management responsibility for the Security and Privacy Programs may be combined under one senior Officer. Combining the jobs and placing the function with a chief risk officer may be ideal for some organizations. This assures that the position will be viewed as a senior role, with responsibility and accountability for overall program planning and development.

The Information Security Officer should not report to the Chief Information Officer or to the Information Technology function, as this can create conflicts of interest in terms of achieving security compliance and protecting information assets. The ISO must be independent. There is a myth that security is a very technical discipline. Within the field of security, there are roles that require technical expertise (e.g., network engineering, implementation of technical tools such as data loss prevention, mobile security, and others); however, the senior role in Security requires communicating with clinical and operations leaders, understanding the needs of the health care enterprise, having basic knowledge of how the revenue cycle works, and being a master at explaining risks. The ISO should have the ability to present options for managing risks that take into account people, process, and technology.

Ideally, the budget for security should be separate from the IT budget. With this design, security does not have to compete for resources with other functions in IT. In the past, and still in some organizations today, it is not uncommon for a security officer to include an item (e.g., encryption) in the IT budget for several years before the item gets due consideration for funding in capital and operating budgets, based on risk analysis or regulatory requirements.

The Privacy Officer should not report to Health Information Management (HIM). While an HIM background is ideal for a privacy officer, reporting to HIM places the position too low in the organization. Unfortunately, many senior leaders and others do not take the function as seriously, as the HIM manager may have less visibility in many hospitals. Other options for reporting, depending upon the skills of the incumbents (both the champion for the functions and the officer), include legal services, compliance, the chief executive officer, the chief operating officer, and the chief quality officer.

Be clear about expectations and define essential duties of Security and Privacy Officers.

The roles and responsibilities of the Security and Privacy Officers should be clearly delineated, as they serve as a check and balance to protect the organization against possible security and privacy issues that can increase risk; jeopardize the organization's mission/vision/values; or cause reputational, financial, and regulatory harm.

The Security and Privacy Officer is responsible for:
- Strategic planning
- Policy development and communication
- Oversight and guidance of risk analysis and risk management processes
- Contract negotiation
- Oversight of training and awareness program development and success
- Budgeting
- Coordinating safeguards for physical security with facilities
- Leading investigations of incidents and possible breaches
- Program operations
- Program evaluation
- Reporting of metrics

The Officer is often the first point of contact for many outside agencies, such as health information exchanges, regulatory bodies such as OCR and state agencies, safety organizations, law enforcement, and patients/patient groups.

The Security and Privacy Officer is responsible for forging strong connections with key stakeholders and departments, serving as a champion of security and privacy but also helping department heads and leaders to understand their roles and responsibilities with respect to security and privacy for the functions they oversee.

The Security and Privacy Officer should coordinate the selection, tailoring, and use of industry-accepted frameworks for security and privacy. A security framework (e.g., NIST standards) and a privacy framework (e.g., privacy by design) should be selected as the basis on which to develop the programs. HIPAA is the floor when it comes to designing and growing the programs. A myriad of other federal and state requirements affect the security and privacy of information, and increasing patient engagement and patient expectations for accessing and managing their medical information will influence how the programs develop.

The Security and Privacy Officer should partner with the organization's safety officer, clinicians, biomedical engineering staff, and others to deploy electronic health records that meet security and privacy requirements. EHRs are the focus of health care coordination, and the Officer should be involved at all stages of EHR selection, implementation, change, and maintenance.

The Security and Privacy Officer should champion and communicate Program objectives. These include, among others:
- Protecting confidential and sensitive information
- Managing risks associated with safeguarding patient and other confidential information
- Assuring data integrity
- Assuring that all program components are in place (e.g., auditing and monitoring, security incident response planning, business continuity, notice of privacy practices)
- Responding to patient complaints and inquiries
- Responding to regulatory requirements
- Enhancing compliance strategies

Carefully consider the background, training, certification, skill sets, and knowledge requirements for the job.

An ideal background for Security and Privacy Officers includes operations experience. Officers should have overall knowledge of the business of health care. The individual should have experience and skills in strategic planning, negotiating, and budgeting, as well as a track record of excellent communication and facilitation skills. Clinical expertise, HIM experience, an IT background (infrastructure and/or applications), and knowledge of the revenue cycle are a plus. A legal background may be helpful; however, legal training without the benefit of operations experience may limit the ability to perform the duties most effectively.

These skill sets will enable the Security and Privacy Professional to bridge the gap between the view that security and privacy programs are basically regulatory in nature and the paradigm shift that is coming, i.e., an emerging model of information risk management, information governance, protection and optimization.

Ensure that Security and Privacy Officers obtain ongoing education and training opportunities.

Security and Privacy Officers represent relatively new professions in health care. The fields are undergoing considerable change, ranging from new and ongoing developments in regulatory and compliance requirements, new cyber security threats, increasing and changing expectations of patients and communities, new technologies, proliferation of EHRs, changes in the needs of clinicians, and changes in physical security requirements, to the expansion of health information exchanges. Serious Security and Privacy Professionals are trained and credentialed. Security and Privacy responsibilities and accountability should not be add-on duties to other functions such that the Officers do not have adequate time or resources to manage the functions. Security and Privacy Professionals must be permitted the time and resources to pursue ongoing training opportunities, including learning about new technologies and strategies for protecting information, and to remain current in the field.

Leverage resources and consider de-centralizing some functions of Security and Privacy where it makes sense to do so.

Some functions of Security and Privacy may reside in other areas, depending on the skill sets of departmental personnel and organizational resources. Consider the following options:
- HIM may take the lead in developing and implementing an ongoing auditing and monitoring program for security and privacy.
- IT may include an IT security group responsible for managing security infrastructure, network monitoring, firewall tuning and vigilance, use of data loss prevention/data loss detection (DLP/DLD), audit log management, application security, mobile device security management, compiling and reporting IT security metrics, and managing technical tools.
- The Legal department may oversee business associate agreements, as part of its ongoing contracts and internal consulting responsibilities.
- Internal Audit may perform various audits in security and privacy, focusing on key risk areas and providing value to the officers by making recommendations for strengthening the programs, based on independent audit results.

- IT auditors can assist in evaluating the security of specific applications, providing neutral and independent appraisals and uncovering data integrity issues that may need attention.
- Human Resources and/or Training and Development may be responsible for developing, implementing, and evaluating overall training and awareness programs, with guidance provided by the Security and Privacy Officer.

With a de-centralized model, the Security and Privacy Officer should remain the guiding partner and spokesperson for the program.

The roles of Information Security and Privacy Officers are expanding and changing. Their influence in organizations will increase, but so will their challenges. In the future, the role of the Security and Privacy Officer will be re-defined in terms of information risk, information/data governance, policy, and strategy.