Healthcare It Security Risk 0310
Healthcare IT security and risk management
Presentation Transcript

  • Redspin: Information Security and Risk Management for Healthcare Leaders. John Reno, March 2010
  • Information Security and Risk Management for Healthcare Leaders
    The threat environment
    The state of healthcare information security
    Information security issues
    Risk management
    Customer case study
  • Introduction
    Redspin offers information security assessment services
    Creates value for your business
    Reduces risk, maintains compliance
    Healthcare IT security problems solved
    Save time and resources
    Risk reduction
    Avoidance of reputational damage
    Avoidance of regulatory fines
    Brand protection
    Service availability
    Employee productivity
  • Threat Environment
    Well funded cybercrime
    Malware, command-and-control infrastructure and money-mule networks that were refined in financial-services fraud have been adapted to healthcare claims fraud
    Internal malicious activity
    A down economy and disgruntled employees drive theft and business disruption
    Lack of control over business associates
    By definition, healthcare providers rely upon a diverse and largely insecure partner network
  • Threat Environment
    The impact of these threats
    Regulatory fines
    Brand damage
    Downtime for revenue generating services
    Downtime leading to non-productive employees
    Reputational damage
  • Threat Environment
    Average cost of a breach in the healthcare industry was $282 per record; higher than the average across all industries
    Ponemon Institute 2009 study
    Over 220 healthcare data breaches reported by datalossDB.org in the last two years
    PSA Healthcare, 51,000 records; Tenet Healthcare, 37,000 records; Cascade Healthcare, 11,500 records; Cogent Healthcare, 6,400 records …
    Fines and civil penalties becoming more commonplace
  • State of Healthcare Information Security
    Information security and privacy are not simply about protection
    Secure information management can create competitive business advantage:
    Improved quality of care, reduced cost and more effective processes
    Some examples:
    Reducing reliance on physicians’ (often illegible) handwritten and faxed prescriptions and notes
    Facilitating the measurement of outcomes and comparison of treatment effectiveness
    Streamlining medical research
    Facilitating the detection of potential health threats to the public
  • Information Security Issues
    Latest HHS and FTC guidelines
    Focus on data
    Require encryption of PHI in transit and at rest
    Secure disposal of PHI data on disk, paper or film
    Focus on business associates
    Locate and document all PHI
    Collect evidence of controls for each business associate
    Assess the evidence, identify the risks, take action
  • What Our Customers Are Telling Us
    Increasing IT Compliance Complexity
    “It’s too expensive and manual to make sure we’re addressing all the necessary regulations. And then we have to do it all over again for the next time.”
    IT Risk Management
    “I don’t have good visibility over my IT risks across my company. I can’t determine if a risk is getting worse, before it gets really serious.”
    Escalating Compliance Costs
    “Many of my compliance controls are either manual, or duplicated, or both. I don’t have an efficient compliance infrastructure. And, worse, I can’t even tell what my total compliance costs are.”
    Compliance Program Management
    “I need better information about my projects’ status, resource utilization, and costs.”
    Inadequate Oversight
    “I can’t tell the current status of my IT risk and compliance activities, so I can’t tell if it is being managed effectively.”
  • Security, Risk and Compliance issues
    • Compliance is managed on a per-regulation basis
    • Inability to view risk across the organization
    • Silos create control gaps and duplication
    • Controls testing is manual and is often done repeatedly
    • Controls information becomes outdated quickly
    Source: OCEG
  • Risk and Compliance – Challenge and Opportunity
    What we know about risk and compliance
    It’s not going away
    More regulations are coming
    Failure is not an option
    Turning risk and compliance into a competitive advantage
    Reduce costs
    Reduce disruptions
    Drive operational improvements
  • How We Can Help
    Infrastructure assessment
    Application security assessment
    Social engineering and security awareness
    Risk assessment
    Risk management program development
  • Risk Management Process
    Measure Effectiveness
    • Develop metrics
    • Measure control effectiveness
    Risk Assessment
    • Gather risk data
    • Prioritize risks
    Control Implementation
    Decision Support
    • Identify controls
    • Select risk mitigation approach
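  The four steps above (gather risk data, prioritize, identify and select controls, then measure control effectiveness) and the earlier business-associate guidance (collect evidence of controls, assess it, identify the risks, take action) can be worked through as a small risk register. The following is an added example written for this page; it is not Redspin's tooling or methodology. The 1-5 likelihood and impact scales, the multiplicative treatment of control effectiveness, the treatment threshold and the sample register entries are all assumptions constructed for the illustration.

```python
"""Worked example of the slides' risk management loop.

Added illustration, not Redspin's code.  The scoring scales, the sample
register and the control effectiveness figures are assumptions.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed qualitative 1..5 scale for likelihood and impact


@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 = no effect, 1.0 = fully mitigates (assumed metric)


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # "Gather risk data": reject entries that are off the agreed scale.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be in 1..5")

    def inherent(self) -> int:
        """Risk before controls: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk after controls; each control independently reduces what remains."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be in 0..1")
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 2)


def prioritize(risks: list) -> list:
    """'Prioritize risks': order by residual risk, highest first (ties by inherent)."""
    return sorted(risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def control_effectiveness_metric(risks: list) -> float:
    """'Measure control effectiveness': fraction of total inherent risk removed."""
    inherent = sum(r.inherent() for r in risks)
    residual = sum(r.residual() for r in risks)
    return round(1.0 - residual / inherent, 3) if inherent else 0.0


def needs_action(risks: list, threshold: float = 8.0) -> list:
    """'Take action': IDs whose residual score still exceeds the treatment threshold."""
    return [r.rid for r in prioritize(risks) if r.residual() > threshold]


# Constructed sample register covering the issues named in the slides.
REGISTER = [
    Risk("R1", "PHI on unencrypted laptops lost or stolen", 4, 5,
         [Control("full-disk encryption", 0.9)]),
    Risk("R2", "Business associate handling PHI with no documented controls", 3, 5,
         []),  # no evidence collected from the associate yet, so nothing to credit
    Risk("R3", "Claims fraud via malware on billing workstations", 3, 4,
         [Control("endpoint anti-malware", 0.5), Control("egress filtering", 0.4)]),
    Risk("R4", "PHI on retired disks not securely disposed", 2, 4,
         [Control("media sanitisation procedure", 0.8)]),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rid}  inherent={r.inherent():2d}  residual={r.residual():5.2f}  {r.description}")
    print("control effectiveness:", control_effectiveness_metric(REGISTER))
    print("needs action:", needs_action(REGISTER))
```

  Note how the business associate with no collected evidence (R2) floats to the top of the list even though its inherent score is below the laptop risk (R1): until evidence of the associate's controls is gathered and assessed, the register can credit nothing against it, which is exactly the "collect evidence, assess, act" sequence the HHS/FTC guidance slide calls for.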
  • Benefits of Risk Management
    Use risk management as the mechanism to demonstrate business enablement
    Risk reduction allows deployment of new business processes that were not previously possible
    Confidence in brand protection can result in new revenue generating programs
    Trust in service availability means that existing programs can generate more revenue, more profitably
    Confidence in security service level agreements decreases program launch time
    Clear guidance on security requirements associated with new business unit projects accelerates time to revenue
  • Summary
    Services enable customers to rapidly adopt information risk management
    Solve the most pressing problems immediately
    Offerings across the entire information risk management system
    Risk-based approach creates processes, procedures and practices for security program optimization
    Business driven perspective
    Methodology and deliverables ensure measurable business benefit