WisdomGlobal Private Limited
Healthcare Information Security Program Development Guidelines
Healthcare organizations are at a pivotal point in terms of the approach they need to take to
comprehensively address the security requirements of healthcare data. With the growing volume of
ePHI (Electronic Protected Health Information), it is becoming significantly more expensive for
organizations to do nothing about data security than to address it.
In addition, the EMR/EHR (Electronic Medical/Health Records) implementations of the last 5-7
years have made significantly more information available electronically, which in turn is driving
more requirements around securing patient data and assuring compliance. As a result, healthcare
organizations are moving in large numbers to implement corrective actions as quickly as
possible.
These security program development guidelines are designed to provide a step-by-step approach
that can be easily understood and followed by a wide spectrum of healthcare organizations. The
steps are designed to be followed in linear order, but some organizations will encounter
situations that require them to go back to an earlier step, such as mergers and acquisitions that
have changed the entities on the network, or business changes that have significantly altered the
organization's operational structure.
In these situations it is appropriate to go back and restart from whichever step makes sense, so
that the program continues to work from valid data. When this occurs, the next step will always be
the level immediately following the step at which the security program development process was
discontinued.
Five steps are required to build a security program for a healthcare organization. Completing
these steps will provide the healthcare organization with a mature security program.
Step 1 Document and centralize all previous security findings within the organization
Development of a security program begins by identifying and documenting all previous findings.
This enables the organization to understand what has been measured and the story behind those
findings, and it gives a good indicator of the existing state of security processes. This step
is absolutely critical to initiate the process of informing management and requesting related
funding.
Step 2 Implement an enterprise-wide communication and reporting system
After completing Step 1 an organization will have reached maturity level 1 and will have the data
needed to start communicating and interacting with the organization and its management.
Additional resources and funding will most likely be required. This step entails two primary
elements.
The first element is to build the mechanism that provides management with the information they
need to make informed decisions about how to move ahead with security program development. Once
information about the existing state has been provided to management, this is the point in the
process at which accountability for security transitions to management.
The second element is to begin the security training and awareness component for the
organization. From this point forward, the security effort will be interacting and communicating
with every part of the organization. The more educated and informed the business and its
individuals are, the quicker change can be implemented. Training and awareness programs will
drive the security program forward.
Step 3 Develop a Security Program Structure
To move forward, healthcare senior management must look at the existing situation and select the
best options from the available data. Up to this point, most of the tasks have been associated
with collecting and organizing information about the gaps in the organization's security profile.
That information is now used to develop and present options for building a repeatable security
program that remediates the gaps in the most effective way.
There are many different types of security program structures that can work in varying
situations. For example, the organization may be a large health system with many individual
hospitals, each having its own internet connection. In this situation it may make sense to build a
highly distributed security program structure with regional security teams and governance, because
the risk is distributed in the same way.
Research shows that executive management responds better when potential options are presented
with clear pros and cons supported by the information that has been collected.
By the end of Step 3 an organization has collected the necessary information to support the
development of a custom-fit security program. Maturity level 3 supports the business in building
the security program and then leading the way forward.
Step 4 Development of a Security Risk Management Program
Risk management is one of the most important processes that the security program will develop.
The more efficient these processes are, the more precise the information generated for informed
business decisions will be. At the conclusion of this step the healthcare organization will have
a functioning risk management program as an integral part of the security program.
Step 5 Implement Decisions of Management
Healthcare organizations are "looking to information security to implement positive change and
cost avoidance in their environment". Step 5 focuses on techniques to best measure progress as
well as to implement the security program in the best manner possible.
Note: The information in this paper is collated and summarized from multiple sources, white
papers and articles. References can be shared on request.