An Integrated Approach to Technology Risk Management and Compliance

Similar documents
SESSION 201 Monday, November 2, 11:30am - 12:30pm Track: The Beginner's View

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

INTELLIGENCE DRIVEN GRC FOR SECURITY

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Meaningful Use or Meltdown: Is Your Electronic Health Record System Secure?

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

CipherCloud CASB+ Connector for ServiceNow

Business continuity management and cyber resiliency

Managing Cybersecurity Risk

CYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

HEALTH CARE AND CYBER SECURITY:

Cloud Communications for Healthcare

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Ponemon Institute s 2018 Cost of a Data Breach Study

Compliance and Controls Frameworks. Vishal Gupta

HIMSS 15 Doing Better Business in the Era of Data Security and Privacy

Effective Strategies for Managing Cybersecurity Risks

Cybersecurity in Higher Ed

LEADING WITH GRC. Common Controls Framework. Sundar Venkat, Sr. Director Technology Compliance Salesforce

HIPAA Compliance is not a Cybersecurity Strategy

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Academic Medical Centers & Vendor Security: Most Comprehensive Study to Date

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

PULSE TAKING THE PHYSICIAN S

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

HITRUST Common Security Framework - Are you prepared?

The Customer Relationship:

Rethinking Information Security Risk Management CRM002

Background FAST FACTS

DeMystifying Data Breaches and Information Security Compliance

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Healthcare HIPAA and Cybersecurity Update

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Global Headquarters: 5 Speen Street Framingham, MA USA P F

align security instill confidence

Compliance in 5 Steps

Table of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3

Cybersecurity The Evolving Landscape

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

PROFESSIONAL SERVICES (Solution Brief)

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cyber Risk and Third Party Risk Management. Lisa Murphy First Horizon National Corporation

Cyber Secure Dashboard Cyber Insurance Portfolio Analysis of Risk (CIPAR) Cyber insurance Legal Analytics Database (CLAD)

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Security and Privacy Governance Program Guidelines

Introduction to the HITRUST CSF. Version 9.1

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Continuity of Operations During Disasters: Electronic Systems and Medical Records

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

How to get the Enterprise to Understand the Value of Security

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

HIPAA Case Study. Long Term Care (LTC) Industry. October 26, Presented by: James Pfeiffer Brian Zoeller

HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

Introduction to the HITRUST CSF. Version 8.1

Exam : Title : ASAM Advanced Security for Account Managers Exam. Version : Demo

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

The Cost of Denial-of-Services Attacks

at Kaiser Permanente Mary Henderson HIPAA Program Director Kaiser Permanente

The Evolving Threat to Corporate Cyber & Data Security

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

MITIGATE CYBER ATTACK RISK

What It Takes to be a CISO in 2017

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

The New Healthcare Economy is rising up

Incident Response and Cybersecurity: A View from the Boardroom

SECURETexas Health Information Privacy & Security Certification Program

Business Context: Key for Successful Risk Management

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

locuz.com SOC Services

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

Not Just Another Day of HIPAA


Cybersecurity for Health Care Providers

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

Escalated Threats to PHI Require a New Approach to Privacy and Security Wednesday, March 2, 2016

Security Metrics Establishing unambiguous and logically defensible security metrics. Steven Piliero CSO The Center for Internet Security

Anticipating the wider business impact of a cyber breach in the health care industry

Combating Cyber Risk in the Supply Chain

SOC for cybersecurity

Securing Digital Transformation

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

CCISO Blueprint v1. EC-Council

The Need For A New IT Security Architecture: Global Study On The Risk Of Outdated Technologies

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Transcription:

An Integrated Approach to Technology Risk Management and Compliance Kerry Bryan, Sr. Manager Policy & Guidance Michael Makstman, Sr. Director Sherrie Osborne, Director, HIPAA Security Program Technology Technology Risk Management, Kaiser Permanente Governance, Risk & Compliance G22

An Integrated Approach to Technology Risk Management (TRM) and Compliance Kaiser Permanente Foundations of Technology Risk Office Key Business Drivers What Could Go Wrong The Regulatory Compliance Challenge Integrating TRM and Compliance @ Kaiser Permanente Value Proposition Lessons Learned Q&A 2

Kaiser Permanente integrated Northwest 9.3 million members Northern California Southern California Hawaii Colorado Mid-Atlantic Georgia 17,000+ physicians 49,000+ nurses 192,000+ employees 8 states + District of Columbia 38 hospitals 600+ medical offices $53 billion operating revenue Nation s largest not-for-profit health plan Scope includes ambulatory, inpatient, ACS, behavioral health, SNF, home health, hospice, pharmacy, imaging, laboratory, optical, dental, and insurance 3

Foundations of Technology Risk Office (TRO) Organization Coordinating the IT Security Compliance Efforts (HIPAA, SOX, PCI) TRO Cyber Security. IT Compliance. Technology Risk Management (TRM). Other functions. TRM Focus Technology risk and control framework. Technology risk management standard. Policies, standards, and guidance. Technology control and risk assessment methods. Technology risk portfolio management. 4

Key Business Drivers What is Driving Technology Risk Management and Compliance? External Regulatory requirements (specifically HIPAA Security, SOX, and PCI). Electronic health record, bio med and mobile devices, and all things attached to the network (e.g., communications) providing new attack vectors. Threat landscape has become more sophisticated. Criminals have figured out how to monetize health care. Internal Protection of member/patient and other sensitive data is a top priority. An information security or data breach compromising the ability to provide member/patient care. Business model complexity Information security controls not standard across the company, nor yet mature. 5

What Could Go Wrong? Consequences of an Information Security or Data Breach Member/patient care delivery and services compromised. Damage to member/patient confidence. Medicare / Medicaid fraud. Damage to reputation. Fines/penalties. Increased regulatory scrutiny. 6

Data Breach Cost Per Record Cost of an Information Security or Data Breach Certain industries have higher data breach costs. Figure 4 reports the per capita* costs for the 2012 study by industry classification... Specifically, heavily regulated industries such as healthcare, communications, pharmaceuticals and financial services tend to have a per capita data breach cost substantially above the overall mean of $188.. * Per capita cost is defined as the total cost of data breach divided by the size of the data breach in terms of the number of lost or stolen records. 2013 Cost of Data Breach Study:United States, Benchmark research sponsored by Symantec, Independently Conducted by Ponemon Institute LLC; May 2013 7

Data Breach Investigations Analysis 2014 Verizon Vertical Insight - Data Breach Investigations Report HEALTHCARE 8

The Regulatory Compliance Challenge Multiple Risk & Control Assessment Methods & Tools HIPAA/HITECH, SOX, PCI, and Other Information Security Requirements Various Risk Models & Standards High Cost of Compliance Organizational Frustration & Compliance Fatigue Multiple Risk & Control Frameworks 9

Day in the Life A Conversation With the Information Consumers All of the change is just too much! Competing priorities protect the information while maintaining reasonable access We are a health care company. Electronic protected health information (ephi) is a vital component of our every-day jobs. 10

Day in the Life (cont d) A Conversation With the Information Consumers Confusing landscape confusing direction Convoluted, technical and conflicting requirements (HIPAA, SOX, PCI). Too many policies, procedures and rules to meaningfully understand them all. Resources not able to spend time doing what they were hired to do. 11

Day in the Life (cont d) A Conversation With the Information Consumers The Needs of the Information Consumers seem to have been forgotten Should be considered when proposing anything that may impact our access to the data. 12

Integrating Technology Risk Management and Compliance at KP (HIPAA/SOX/PCI) What do we mean by integrated? An approach that aligns the guidance and methods to address the three primary regulatory requirements into a cohesive framework and delivery model. Why integrate? Reduce redundancy, resource contention and compliance fatigue. Consistently align compliance requirements. Improve compliance results. Improve risk decision making. Reduce cost of technology risk management and compliance. 13

An Integrated Approach To Technology Risk Management and Compliance (HIPAA/SOX/PCI) Technology Risk Management Standard Standardized Risk Response Technology Risk & Controls Framework Standardized Assessments Integrated Compliance Guidance 14

Technology Risks and Controls Framework Technology Risks and Controls (TRC) Framework A hierarchical catalog of KP technology processes, risks and controls. Reference architecture for risk aggregation, analysis and reporting. Aligned to KP policies, applicable laws, regulations, and leading industry practices. Enterprise Process Directory Policies / Standards Low level IT Processes 169 Process Risks 169 Control Objectives 172 Control Description s 302 Control Requirements Network Host Databas e Application Data NIST BITS ITIL PMBOK Regulatory Requirements and Industry Practices 15

Technology Risk Management Standard The standard provides: terminology related to the words used Intake Risk Profiling life cycle processes by which risk management is carried out organization structure and managing framework for risk management Reporting & Analytics STANDARD STATEMENT PURPOSE SCOPE/COVERAGE TERMS AND DEFINITIONS PRINCIPLES FRAMEWORK PROCESS Risk Assessment objective, scope and principles for risk management Risk Response Risk Classification & Evaluation 16

Integrated Compliance Guidance Integrating Regulatory and Information Security Compliance Requirements Multiple Inputs Evaluated and Guidance to Create (continued) an Integrated Baseline in a Set of Compliance Manuals for HIPAA, SOX, and PCI Collaborate with Stakeholders Identify relevant HIPAA Standards/ Implementation Specifications Develop HIPAA- SOX-PCI Compliance Baseline Draft and Develop HIPAA- SOX-PCI Interpretation of Requirements Language Objective Socialize HIPAA- SOX-PCI Guidance Deliver Integrated Compliance Guidance (ICG) Manual HITRUST HIPAA Security Rule TRC Framework SOX, PCI Other Authoritative Sources (HITRUST, ISO 27002, NIST 800-53, NIST 800-66) Internal Policy & Standards Stakeholder feedback/comments on draft HIPAA-SOX- PCI guidance

Standardized Assessments ASSESSMENT MODEL FUTURE STATE Test Once, Use Many HIPAA SOX PCI Vendor Integrated Compliance Guidance Technical Risk and Controls Framework (TRC) Standardized Assessments Internal Reporting External Compliance Reporting Risk Analysis 18

Standardized Risk Response Risk Treatment Risk Response Process, activities, and decisions for managing risk that has been assessed and classified. Management chooses to remediate or pursue risk acceptance considering: Compliance goals. Business goals. Risk tolerance. 19

Value Proposition By integrating Technology Risk Management and compliance we are delivering real value to the enterprise. Improved program integration and alignment. Decreased frustration. Improved visibility into the risk landscape. Decreased cost of technology risk management and compliance. 20

Lessons Learned Restructuring was required to incorporate in sustaining organizations. Program integration and alignment is a longterm proposition. It s challenging to change the engine on the plane while you re flying it. 21

Q&A 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback