Healthcare IT Security Who's Responsible, Really?

In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time providing a process for internal dispute resolution. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and of reducing uncertainty relative to organizational objectives; it is a balance. But the success of an information security program depends upon the ability of an organization to establish a set of controls based on a thoughtful and consistent design that was developed against carefully analyzed internal and external requirements. Relatively few companies approach the problem this way, so we thought we'd offer some guidance based on Redspin's 10+ years of IT security experience.

The following describes an accountability-driven and risk-based approach to address the information security expectations of leaders, customers, citizens, partners, and investors.

Creating an environment where operational units coordinate to achieve consistent and appropriate information security controls helps to ensure that the operational and security objectives of the organization are met. One way to do this is to assign accountability and responsibilities in a way that makes internal parties accountable to one another, with guidance and input from subject matter experts. The following mutual accountability can be used to drive decisions that align with your organization's mission and goals:

A Data Steward is a single person accountable for establishing policies for internal uses and for the conditions of internal and external disclosure. There is one steward for each domain of data across the entire organization. Domains are generally broad and easily identifiable, with organizations having on average between 10 and 15 core domains.

A Process Owner is a single person accountable for general processes (such as workforce acquisition and termination). These individuals establish the minimum process control requirements, which may then be implemented in a centralized or decentralized manner. Each implementer is responsible for meeting the process owner's control requirements and one or more data stewards' control requirements.

System Sponsors are assigned to each application and system, from department-specific applications to general utility applications such as email. These system sponsors are responsible for meeting the availability and processing quality requirements of the process owners (e.g. uptime and stability), and the data confidentiality and integrity requirements of the data stewards (e.g. patching and access controls). They are also responsible for justifying the continued existence of an application or system.

Data Gatekeepers are accountable for disclosures to a particular audience. Some of these roles are historically well established. For example, the senior public-relations official is accountable for responding to inquiries from the public and the press, and the senior legal official is accountable for addressing inquiries from the courts and, depending on the organization, perhaps for inquiries from regulators and governments. Extending this concept to each unique audience creates internal accountability. Audiences may include consumers, vendors, business customers, partners, local and foreign governments, and law enforcement and intelligence agencies. The data gatekeeper is answerable to one or more data

Meaningful Healthcare IT Security™ 800.721.9177

Let's run this through an example to see how it works. USB thumb drives are prevalent, with organizations taking stances that range from very loose to very tight. Policies commonly ban the devices, don't mention them, or put IT in the role of deciding who gets one. The first two positions generally fail to serve the organization, and the last requires IT to make a business operations decision. To address this, let's step back and ask ourselves a few questions. Which process do the USB drives support, and are the USB drives inherently required by those processes? Will the USB drive contain controlled information, and are the data stewards' requirements met?

Sales might use thumb drives to display presentations on clients' equipment. This is clearly a sales process, and would be under the purview of the most senior sales management position, perhaps a VP of Sales. The VP of Sales could responsibly and reasonably take the position that USB drives are required for external sales presentations. So long as that drive contains only sales information, the data in question is also under the purview of the VP of Sales.

Changing the scenario for a moment, let's say a salesperson wants to include very sensitive discount information. In this case, the VP of Sales may have a policy that discount data is only shared with key members of the client decision team. The VP of Sales in a process owner role still approves the use of USB thumb drives for sales presentations, but the VP of Sales in a data steward role requires that the data be distributed in a limited and controlled manner.

Changing the scenario even further, let's say that the client requests key financial information. Again, the use of USB drives is already approved by the VP of Sales. However, in this scenario the data in question is subject to the policies of the CFO, who has the requirement that key financial data be stored only on company-owned equipment and be encrypted at all times when not within company facilities. In this case, the salesperson must use a company-owned and encrypted laptop for the presentation. If the VP of Sales doesn't like this and still wants to use USB drives, the issue is not between Sales and IT, it's between Sales and Finance. We are effectively taking IT out of the middle, to a role where IT implements the decision of the parties who have the greatest stake in the decision.

IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and creating a way that provides the business with the right information to make decisions, are key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.

IT has been put in the role of making business decisions because organizations lack a framework for making data and system decisions. Providing a framework for decision making can become a key value that IT provides. Even if your organization is not ready to formally adopt these concepts, the thinking process, and the line of questions that result, will help you facilitate better security decision making within your