HealthCare Information Security Program Guidelines
WisdomGlobal Private Limited
Healthcare Information Security Program Development Guidelines
Healthcare organizations are at a pivotal point in how they approach the security requirements of healthcare data. As the volume of ePHI (Electronic Protected Health Information) grows, it is becoming significantly more expensive for an organization to do nothing about data security than to address it.
In addition, the EMR/EHR (Electronic Medical/Health Record) implementations of the last 5-7 years have put far more patient information online, which in turn drives more requirements around securing patient data and demonstrating compliance. As a result, healthcare organizations are moving in large numbers to implement corrective actions as quickly as possible.
These security program development guidelines are designed to provide a step-by-step approach that can be easily understood and followed by a wide spectrum of healthcare organizations. The steps are meant to be followed in order, but some organizations will encounter situations that require going back to an earlier step, such as acquisitions and mergers that have changed the entities on the network, or business changes that have significantly altered the organization's operational structure.
In these situations it is appropriate to go back to whichever step makes sense, so that the program continues to be built on valid data. Once that step has been redone, the process again advances one step at a time from there.
Five steps are required to build a security program for a healthcare organization. Completing them delivers a mature security program.
Step 1 Document and centralize all previous security findings within the organization
Development of a security program begins with identifying and documenting all previous findings (for example audit reports, penetration test results, risk assessments and incident records) in one place. This tells the organization what has already been measured, the history behind each finding, and the current state of its security processes. This step is critical because it produces the evidence needed to inform management and to request related funding.
Step 2 Implement an enterprise wide communication and reporting system
After completing Step 1 an organization has reached maturity level 1 and has the data needed to start communicating and interacting with the rest of the organization and with management. Additional resources and funding will most likely be required. This step has two primary elements.
The first element is to build the mechanism that gives management the information they need to make informed decisions about how to move ahead with security program development. Once management has been given an accurate picture of the existing state, accountability for security transitions to management.
The second element is to begin the security training and awareness component for the organization. From this point forward the security effort will interact and communicate with every part of the organization. The more educated and informed the business and its individuals are, the quicker change can be implemented. Training and awareness programs drive the security program forward.
Step 3 Develop a Security Program Structure
To move forward, healthcare senior management must look at the existing situation and choose the best option the available data supports. Up to this point most of the work has gone into collecting and organizing information about the gaps in the organization's security profile. That information is now used to develop options for building a repeatable security program that remediates those gaps in the most effective way.
Many different security program structures can work, depending on the situation. For example, if the organization is a large health system with many individual hospitals, each with its own internet connection, it may make sense to build a highly distributed security program structure with regional security teams and governance, because the risk is distributed in the same way.
Research shows that executive management responds better when potential options are presented with clear pros and cons supported by the information that has been collected.
By the end of Step 3 an organization has collected the information needed to support the development of a custom-fit security program. At maturity level 3 the security program is in a position to support the business and lead the way forward.
Step 4 Development of a Security Risk Management Program
Risk management is one of the most important processes the security program will develop. The more efficient these processes are, the more precise the information they generate for informed business decisions. At the conclusion of this step the healthcare organization has a functioning risk management program as an integral part of its security program.
Step 5 Implement Decisions of Management
Healthcare organizations are “looking to information security to implement positive change and cost avoidance in their environment”. Step 5 focuses on techniques for measuring progress and for implementing the security program in the best manner possible.
Note: The information in this paper is collated and summarized from multiple sources (white papers and articles). References can be shared on request.