Security Framework For HIPAA HITECH
Top 10 CxO Items for Framework for HIPAA / HITECH Security Program
Patrick Angel, Assistant HealthCare CISO - CISM® CRISC® CISA®
www.RandomAccessTechnology.com
(214) 826-3812
1. Does the Org have a CISO and a Security Program used across the Enterprise..?
2. Do you know what PHI / IIHI data is, versus IUO… versus ‘Other’ ?
3. Does the Org have a CSIRT Security Team and documented Procedures and Exercises..?
4. Do you know where your Data is…? (spreadsheets, Laptops, internal databases)
5. Is there a Security-Training / Awareness Program (for all levels) ?
6. Are there documented Policies and Procedures ? Program Socialization…?
7. Does the Org have PHI-Data-Handling and IT Security-Standards and Metrics ?
8. Are there Enterprise-Level Security Tools operating 24x7 ?
9. Does your Security-Program (process) cover ALL the ‘Bases’ (end-to-end) ? (incl. Hospital/Clinic intake, Xrays/Imaging, Med Records, Reporting, Database Encryption, Sunset/End-of-Life Security-procedures…. Blue-Cross of Tennessee didn’t)
10. How do you integrate new Regulatory (HIPAA / HITECH) standards (ICD-10 and version 5010 EDI Transactions)? Can you / have you protect(ed) your Mobile-Data ? (Hospital / Clinic Laptops, Customer’s Mobile-Media, Wireless access)
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM®
CISO and Security Program (Enterprise-Level)
• Does your Organization take Security seriously…?
• Is there a CxO-Level Security Officer (CISO) identified ?
• Is there an Information-Security Policy (ISP) in place?
• Does an Org-Level Information-Security Program exist..?
• Is there Budget and Staff to support the Security Program ?
• Is the Security Program communicated and integrated with the Risk-Management Program (and across all LOBs / Depts)?
‘…we didn’t Plan to Fail – we Failed to Plan…’
Do you know what Data is Important…?
• Do you know where your data ‘lives’ ?
• Does your Management Team know what data is important? (IIHI vs IUO vs PII vs ‘other’ …)
• Have you identified which staff ‘need to know / access’ the data?
• EHR – Electronic Health Record – what does it mean to you?
• Does your Staff know how to properly protect data?
• How do you ‘manage’ EPIC Health (software) data ?
You can’t protect it if you don’t know where it ‘lives’
CSIRT Security-Team (and procedures)
‘Plan for the unexpected before it happens’
• Does a Computer-Security Incident Response Team (CSIRT) exist for the Org ?
• Are there procedures for the Security Team (CSIRT) ?
• Is the CSIRT Team Trained, and do they go through ‘Zero-Day’ / ‘Red-Team’ exercises (to be ready)?
• Are there pre-defined steps for ‘common’ security events?
• Is the ‘HelpDesk’ integrated, and does it know how to determine if this is a ‘real Security Incident’..?
• Is there a ‘Calling-Tree’ and ‘Escalation-Procedures’?
• Does the Team have a ‘Forensics Kit’?
Where is your (Health / PHI) Data…?
• Internal Database with no Encryption… ?
• Floating around the company on ‘shared-network-drives’..?
• Extracts / Copies sitting on SMEs’ computers…?
• Lying exposed on Desktops at COB in printed Reports?
• Unprotected in Spreadsheets and local (Access) Databases?
• Concentrated in Hospital Laptops, unencrypted, no Password, with no central Inventory or List of Owners…?
• Can you tell if your Data is ‘walking out the door’…?
‘Who cares if you protect your Data? Regulators.. and Investors’
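As an added illustration of the inventory question this slide raises (example code written for this page, not from the original deck or from Random Access Technologies), the following Python scans a constructed set of file contents standing in for a shared-drive extract, a desktop copy and an unrelated IT file, flags lines that look like PHI, and builds a per-location inventory. The file paths, the MRN/DOB label conventions, the regexes and the sample records are all invented for the example; matches are masked so the report itself does not become yet another copy of PHI.

```python
"""Constructed example: find PHI-like records scattered across an estate.

Walks an in-memory map of path -> text (standing in for a shared drive,
a spreadsheet export and a laptop), flags lines that match PHI indicator
patterns, and builds a location inventory. Findings are masked so the
inventory does not itself become another PHI copy.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicator patterns (constructed; tune to the organization's own identifier formats).
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*([0-9]{6,10})\b", re.IGNORECASE),
    "DOB": re.compile(r"\bDOB[:\s]*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str


def mask(value: str) -> str:
    """Keep only the last 4 characters so the report is not itself a PHI copy."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one masked Finding per indicator match, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PHI_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, mask(value)))
    return findings


def build_inventory(files: dict[str, str]) -> dict[str, Counter]:
    """Map each location that holds PHI indicators to a count per kind."""
    inventory = {}
    for path, text in files.items():
        hits = scan_text(path, text)
        if hits:
            inventory[path] = Counter(f.kind for f in hits)
    return inventory


def summarize(inventory: dict[str, Counter]) -> Counter:
    """Total indicators by kind across the estate, for the metrics report."""
    total = Counter()
    for counts in inventory.values():
        total.update(counts)
    return total


# Constructed sample estate: paths and contents are invented for this example.
SAMPLE_FILES = {
    r"\\fileserver\shared\billing\q3_extract.csv":
        "name,mrn,ssn\nJ. Doe,MRN:00123456,123-45-6789\nA. Roe,MRN 00987654,987-65-4321\n",
    r"C:\Users\analyst\Desktop\patients_copy.txt":
        "Patient J. Doe DOB: 04/12/1970\nfollow-up scheduled\n",
    r"\\fileserver\shared\it\server_list.txt":
        "srv01 10.0.0.5\nsrv02 10.0.0.6\n",
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FILES)
    for path, counts in inv.items():
        print(path, dict(counts))
    print("estate total:", dict(summarize(inv)))
```

Running it lists the billing extract (two SSNs, two MRNs) and the desktop copy (one DOB) while the server list stays out of the inventory; on a real estate the same loop would be fed by a file walker over the shares and laptops the slide names, and the masked output is what should go into the inventory and owner list.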
Security-Awareness / Training Program ?
• Consistent message to front-line (e.g. Hospitals, Clinics) and ‘back-office’ staff (Central-Billing/CBO, IT Dept) ?
• Are you pro-actively ‘pushing out Security’ to all levels in the company?
• Are you Leveraging your biggest ‘Asset’ (employees) to Protect Data ?
• Presenting key HIPAA / HITECH concepts to both Management and End-Users
• Validation of concepts learned via an ‘interactive learning model’ and a final ‘test’, with ‘assertion’..?
Leverage your biggest asset(s) to take ‘ownership’ of Security
Security-Policies and Procedures
• Has Senior Management (CxO’s) set the ‘tone’ for Security (importance) across the Enterprise?
• Has Management developed Security-Procedures based on ‘Best-Practices’ and ‘Industry-Standards’?
• Are Policies and Procedures available to all Staff and Vendors / Contractors ?
• Is the ‘importance / need for Security’ visible on a regular basis (e.g. Posters, Emails, Newsletter) ?
• Has the Security-Program been ‘socialized’ across Departments / Mgt and End-users for acceptance..?
• What about new Health Law requirements…? (e.g. “meaningful use”, ICD-10 Coding, version 5010 EDI)
PHI-Data Handling, Metrics and Security-Standards
‘You can stitch on a new Arm, but will the (rest of) Body accept it..?’
• Are there ‘specific procedures’ around PHI-Data (at Hospitals, Clinics, and at HQ) and can you report on it?
• Is the Security-Department tracking / reporting the right things (Metrics) including…?
– Length / Duration of Time-to-Patch, Password Strength
– No. of Security-events Reported, Email Traffic Analysis
– No. of Staff who completed Security-Awareness
– Malware Statistics (e.g. viruses detected, worms stopped)
– Internet / Firewall Statistics (e.g. Hacking attempts stopped)
• Does the Org have technical (I-T) security-standards (‘hardening’) to help prevent security-events..?
How does your Org compare against the industry ?
End-to-End Security Program
1. Verification from start – to finish… (peace of mind)
2. Prioritize – what can we do NOW? (build a 3-month Plan, then a 6-month to 1-year Tactical Plan, and a Strategic 1-3 Year Long-Term Plan – based on Risk)
3. Sunset / End-to-End Security-procedures – a standard process could avoid the Blue Cross $18.5MM mistake…
‘An ounce of Prevention… is worth a Pound of Cure – or about $18.5MM+’
How do you integrate new Technology - HIPAA / HITECH requirements
• How do you handle Customer-owned Technology ? (e.g. Lawsuit from patient with Smartphone / Laptop recording Audio / Video in Hospital)
• What about new Health Law requirements…? (e.g. “meaningful use”, ICD-10 Coding, version 5010 EDI)
• How to keep Security-Staff trained - in-house Library of Security reference material and publications (cross-training, IT-Security Certifications, backup staff / skillsets)
• Is a Process defined to manage / coordinate any changes or new Laws?
‘…standardize your process / activities – Don’t re-invent the Wheel.’
Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com
(214) 826-3812
About the Author
Patrick Angel
• Roles: Assistant CISO / Director PMO / Enterprise I-T Security-Architect / Risk-Management and Compliance Manager
• Areas: PCI, SOX, GLBA Privacy, Project-Auditing, Application-Security Testing and Secure Development (SDLC)
• Education
– Bachelors in Information Systems (MIS)
• Dean’s List and Honor’s List
– Masters Business Administration (MBA)
• Years of Experience
– 20+ years in Information Systems
– 15+ years of P/M, SDLC and Governance, Risk and Compliance
– Hands-on Software Developer, Application-Testing, I-T Auditing
• Certifications and Associations include - (In-progress)

More Related Content

What's hot

Enlightened Privacy – by Design for a Smarter Grid
Enlightened Privacy – by Design for a Smarter GridEnlightened Privacy – by Design for a Smarter Grid
Enlightened Privacy – by Design for a Smarter Gridbradley_g
 
Avaali-IOT HealthCare Applications
Avaali-IOT HealthCare ApplicationsAvaali-IOT HealthCare Applications
Avaali-IOT HealthCare ApplicationsAvaali Solutions
 
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNorth Texas Chapter of the ISSA
 
The BYOD Security Battleground
The BYOD Security BattlegroundThe BYOD Security Battleground
The BYOD Security BattlegroundWatchful Software
 
Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...
Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...
Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...warezjoe
 
The Future of Cyber Security - Matthew Rosenquist
The Future of Cyber Security - Matthew RosenquistThe Future of Cyber Security - Matthew Rosenquist
The Future of Cyber Security - Matthew RosenquistMatthew Rosenquist
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPandreasschuster
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by DesignUnisys Corporation
 
STEALTHbits Sensitive Data Discovery Solutions
STEALTHbits Sensitive Data Discovery SolutionsSTEALTHbits Sensitive Data Discovery Solutions
STEALTHbits Sensitive Data Discovery SolutionsSTEALTHbits Technologies
 
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)OnRamp
 
2015 Angelbeat_ConvergenceMsg-FINAL
2015 Angelbeat_ConvergenceMsg-FINAL2015 Angelbeat_ConvergenceMsg-FINAL
2015 Angelbeat_ConvergenceMsg-FINALRick Kingsley
 
MongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & Barco
MongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & BarcoMongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & Barco
MongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & BarcoMongoDB
 
The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss PreventionThe Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss PreventionDigital Guardian
 
downtime_solution_sheet
downtime_solution_sheetdowntime_solution_sheet
downtime_solution_sheetDiego Portilla
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNorth Texas Chapter of the ISSA
 
Insecurity Through Technology
Insecurity Through TechnologyInsecurity Through Technology
Insecurity Through Technologydfroud
 
Jms secure data presentation
Jms secure data  presentationJms secure data  presentation
Jms secure data presentationJMS Secure Data
 
eHealth ….. How to trust a cloud?
eHealth ….. How to trust a cloud?eHealth ….. How to trust a cloud?
eHealth ….. How to trust a cloud?Mario Drobics
 

What's hot (20)

Enlightened Privacy – by Design for a Smarter Grid
Enlightened Privacy – by Design for a Smarter GridEnlightened Privacy – by Design for a Smarter Grid
Enlightened Privacy – by Design for a Smarter Grid
 
6 aproaches
6 aproaches6 aproaches
6 aproaches
 
Avaali-IOT HealthCare Applications
Avaali-IOT HealthCare ApplicationsAvaali-IOT HealthCare Applications
Avaali-IOT HealthCare Applications
 
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
 
The BYOD Security Battleground
The BYOD Security BattlegroundThe BYOD Security Battleground
The BYOD Security Battleground
 
Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...
Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...
Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...
 
The Future of Cyber Security - Matthew Rosenquist
The Future of Cyber Security - Matthew RosenquistThe Future of Cyber Security - Matthew Rosenquist
The Future of Cyber Security - Matthew Rosenquist
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLP
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by Design
 
STEALTHbits Sensitive Data Discovery Solutions
STEALTHbits Sensitive Data Discovery SolutionsSTEALTHbits Sensitive Data Discovery Solutions
STEALTHbits Sensitive Data Discovery Solutions
 
Data Leakage Prevention
Data Leakage Prevention Data Leakage Prevention
Data Leakage Prevention
 
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
 
2015 Angelbeat_ConvergenceMsg-FINAL
2015 Angelbeat_ConvergenceMsg-FINAL2015 Angelbeat_ConvergenceMsg-FINAL
2015 Angelbeat_ConvergenceMsg-FINAL
 
MongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & Barco
MongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & BarcoMongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & Barco
MongoDB IoT City Tour EINDHOVEN: IoT in Healthcare: by, Microsoft & Barco
 
The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss PreventionThe Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention
 
downtime_solution_sheet
downtime_solution_sheetdowntime_solution_sheet
downtime_solution_sheet
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
 
Insecurity Through Technology
Insecurity Through TechnologyInsecurity Through Technology
Insecurity Through Technology
 
Jms secure data presentation
Jms secure data  presentationJms secure data  presentation
Jms secure data presentation
 
eHealth ….. How to trust a cloud?
eHealth ….. How to trust a cloud?eHealth ….. How to trust a cloud?
eHealth ….. How to trust a cloud?
 

Viewers also liked

Патент на полезную модель Республики Беларусь
Патент на полезную модель Республики БеларусьПатент на полезную модель Республики Беларусь
Патент на полезную модель Республики БеларусьИван Иванов
 
SPA Poster - Airway ComplicationsJEF edits
SPA Poster - Airway ComplicationsJEF editsSPA Poster - Airway ComplicationsJEF edits
SPA Poster - Airway ComplicationsJEF editsVik Patel
 
LCC Network Management Plan
LCC Network Management PlanLCC Network Management Plan
LCC Network Management PlanMartin O'Connor
 
Letter of Recommendation Janine
Letter of Recommendation JanineLetter of Recommendation Janine
Letter of Recommendation JanineJanine Sweeney
 
Joseph Tanner Resume Redux
Joseph Tanner Resume ReduxJoseph Tanner Resume Redux
Joseph Tanner Resume ReduxJoseph Tanner
 
Holiday Class Party Ideas for Kids
Holiday Class Party Ideas for KidsHoliday Class Party Ideas for Kids
Holiday Class Party Ideas for KidsSignUp.com
 
Economic Profile for China
Economic Profile for ChinaEconomic Profile for China
Economic Profile for Chinatutor2u
 
"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου
"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου
"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ ΓυμνασίουΕύα Ζαρκογιάννη
 
H έννοια της ομορφιάς Παρόν-Παρελθόν
H έννοια της ομορφιάς Παρόν-ΠαρελθόνH έννοια της ομορφιάς Παρόν-Παρελθόν
H έννοια της ομορφιάς Παρόν-ΠαρελθόνΕύα Ζαρκογιάννη
 

Viewers also liked (10)

Патент на полезную модель Республики Беларусь
Патент на полезную модель Республики БеларусьПатент на полезную модель Республики Беларусь
Патент на полезную модель Республики Беларусь
 
SPA Poster - Airway ComplicationsJEF edits
SPA Poster - Airway ComplicationsJEF editsSPA Poster - Airway ComplicationsJEF edits
SPA Poster - Airway ComplicationsJEF edits
 
LCC Network Management Plan
LCC Network Management PlanLCC Network Management Plan
LCC Network Management Plan
 
Letter of Recommendation Janine
Letter of Recommendation JanineLetter of Recommendation Janine
Letter of Recommendation Janine
 
Joseph Tanner Resume Redux
Joseph Tanner Resume ReduxJoseph Tanner Resume Redux
Joseph Tanner Resume Redux
 
Holiday Class Party Ideas for Kids
Holiday Class Party Ideas for KidsHoliday Class Party Ideas for Kids
Holiday Class Party Ideas for Kids
 
Ethics in HRD
Ethics in HRDEthics in HRD
Ethics in HRD
 
Economic Profile for China
Economic Profile for ChinaEconomic Profile for China
Economic Profile for China
 
"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου
"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου
"H καλύβα του μπαρμπα θωμά" Νεοελληνική Λογοτεχνία Γ΄ Γυμνασίου
 
H έννοια της ομορφιάς Παρόν-Παρελθόν
H έννοια της ομορφιάς Παρόν-ΠαρελθόνH έννοια της ομορφιάς Παρόν-Παρελθόν
H έννοια της ομορφιάς Παρόν-Παρελθόν
 

Similar to Security Framework For HIPAA HITECH

Privacy for tech startups
Privacy for tech startups Privacy for tech startups
Privacy for tech startups Marc Gallardo
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research dataTomppa Järvinen
 
Compliance is a Team Project
Compliance is a Team ProjectCompliance is a Team Project
Compliance is a Team ProjectThe TNS Group
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityJoel Cardella
 
TLabs - deutsche telekom
TLabs -  deutsche telekomTLabs -  deutsche telekom
TLabs - deutsche telekomChristina Azzam
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT IssueEvan Francen
 
Security in Banks and ATM's
Security in Banks and ATM'sSecurity in Banks and ATM's
Security in Banks and ATM'sInttelix
 
Cst 610 Believe Possibilities / snaptutorial.com
Cst 610  Believe Possibilities / snaptutorial.comCst 610  Believe Possibilities / snaptutorial.com
Cst 610 Believe Possibilities / snaptutorial.comDavis10a
 
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)U.S. News Healthcare of Tomorrow
 
CST 610 Exceptional Education - snaptutorial.com
CST 610   Exceptional Education - snaptutorial.comCST 610   Exceptional Education - snaptutorial.com
CST 610 Exceptional Education - snaptutorial.comDavisMurphyA97
 
Csec 610 Believe Possibilities / snaptutorial.com
Csec 610  Believe Possibilities / snaptutorial.comCsec 610  Believe Possibilities / snaptutorial.com
Csec 610 Believe Possibilities / snaptutorial.comDavis10a
 
CST 610 RANK Remember Education--cst610rank.com
CST 610 RANK Remember Education--cst610rank.comCST 610 RANK Remember Education--cst610rank.com
CST 610 RANK Remember Education--cst610rank.comchrysanthemu49
 
CST 610 Effective Communication - snaptutorial.com
CST 610 Effective Communication - snaptutorial.comCST 610 Effective Communication - snaptutorial.com
CST 610 Effective Communication - snaptutorial.comdonaldzs7
 
CST 610 RANK Introduction Education--cst610rank.com
CST 610 RANK Introduction Education--cst610rank.comCST 610 RANK Introduction Education--cst610rank.com
CST 610 RANK Introduction Education--cst610rank.comagathachristie265
 
Construction board it engagement.pptx
Construction board it engagement.pptxConstruction board it engagement.pptx
Construction board it engagement.pptxDanny Mollah
 

Similar to Security Framework For HIPAA HITECH (20)

Privacy for tech startups
Privacy for tech startups Privacy for tech startups
Privacy for tech startups
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
Spo2 t17
Spo2 t17Spo2 t17
Spo2 t17
 
Cybersecurity for Small Business
Cybersecurity for Small BusinessCybersecurity for Small Business
Cybersecurity for Small Business
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research data
 
Compliance is a Team Project
Compliance is a Team ProjectCompliance is a Team Project
Compliance is a Team Project
 
Orientation in IT Audit
Orientation in IT AuditOrientation in IT Audit
Orientation in IT Audit
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
TLabs - deutsche telekom
TLabs -  deutsche telekomTLabs -  deutsche telekom
TLabs - deutsche telekom
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
 
BYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO'sBYOD / Mobile-Device Security Guidelines for CxO's
BYOD / Mobile-Device Security Guidelines for CxO's
 
Security in Banks and ATM's
Security in Banks and ATM'sSecurity in Banks and ATM's
Security in Banks and ATM's
 
Cst 610 Believe Possibilities / snaptutorial.com
Cst 610  Believe Possibilities / snaptutorial.comCst 610  Believe Possibilities / snaptutorial.com
Cst 610 Believe Possibilities / snaptutorial.com
 
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
 
CST 610 Exceptional Education - snaptutorial.com
CST 610   Exceptional Education - snaptutorial.comCST 610   Exceptional Education - snaptutorial.com
CST 610 Exceptional Education - snaptutorial.com
 
Csec 610 Believe Possibilities / snaptutorial.com
Csec 610  Believe Possibilities / snaptutorial.comCsec 610  Believe Possibilities / snaptutorial.com
Csec 610 Believe Possibilities / snaptutorial.com
 
CST 610 RANK Remember Education--cst610rank.com
CST 610 RANK Remember Education--cst610rank.comCST 610 RANK Remember Education--cst610rank.com
CST 610 RANK Remember Education--cst610rank.com
 
CST 610 Effective Communication - snaptutorial.com
CST 610 Effective Communication - snaptutorial.comCST 610 Effective Communication - snaptutorial.com
CST 610 Effective Communication - snaptutorial.com
 
CST 610 RANK Introduction Education--cst610rank.com
CST 610 RANK Introduction Education--cst610rank.comCST 610 RANK Introduction Education--cst610rank.com
CST 610 RANK Introduction Education--cst610rank.com
 
Construction board it engagement.pptx
Construction board it engagement.pptxConstruction board it engagement.pptx
Construction board it engagement.pptx
 

Recently uploaded

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Security Framework For HIPAA HITECH

5. CSIRT Security-Team (and procedures)
‘Plan for the unexpected before it happens’
• Does a Computer-Security Team (CSIRT) exist for the Org?
• Are there documented procedures for the Security Team (CSIRT)?
• Is the CSIRT Team trained, and do they go through ‘Zero-Day’ / ‘Red-Team’ exercises (to be ready)?
• Are there pre-defined steps for ‘common’ security events?
• Is the ‘HelpDesk’ integrated, and does it know how to determine if this is a ‘real Security Incident’?
• Is there a ‘Calling-Tree’ and are there ‘Escalation-Procedures’?
• Does the Team have a ‘Forensics Kit’?
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM®

6. Where is your (Health / PHI) Data…?
• In an internal Database with no Encryption…?
• Floating around the company on ‘shared-network-drives’…?
• In Extracts / Copies sitting on SMEs’ computers…?
• Lying exposed on Desktops at COB in printed Reports?
• Unprotected in Spreadsheets and local (Access) Databases?
• Concentrated in Hospital Laptops, unencrypted, with no Password, no central Inventory and no List of Owners…?
• Can you tell if your Data is ‘walking out the door’…?
‘Who cares if you protect your Data? Regulators… and Investors’

7. Security-Awareness / Training Program?
• Is there a consistent message to front-line (e.g. Hospitals, Clinics) and ‘back-office’ staff (Central-Billing/CBO, IT Dept)?
• Are you pro-actively ‘pushing out Security’ to all levels in the company?
• Are you leveraging your biggest ‘Asset’ (employees) to Protect Data?
• Presenting key HIPAA / HITECH concepts to both Management and End-Users
• Validation of concepts learned via an ‘interactive learning model’ and a final ‘test’, with ‘assertion’…?
Leverage your biggest asset(s) to take ‘ownership’ of Security

8. Security-Policies and Procedures
• Has Senior Management (CxOs) set the ‘tone’ for Security (importance) across the Enterprise?
• Has Management developed Security-Procedures based on ‘Best-Practices’ and ‘Industry-Standards’?
• Are Policies and Procedures available to all Staff and Vendors / Contractors?
• Is the ‘importance / need for Security’ visible on a regular basis (e.g. Posters, Emails, Newsletter)?
• Has the Security-Program been ‘socialized’ across Departments / Mgt and End-users for acceptance…?
• What about new Health Law requirements…? (e.g. “meaningful use”, ICD-10 Coding, version 5010 EDI)
‘You can stitch on a new Arm, but will the (rest of the) Body accept it…?’

9. PHI-Data Handling, Metrics and Security-Standards
• Are there ‘specific procedures’ around PHI-Data (at Hospitals, Clinics, and at HQ), and can you report on them?
• Is the Security-Department tracking / reporting the right things (Metrics), including…?
  – Length / Duration of Time-to-Patch, Password Strength
  – No. of Security-events Reported, Email Traffic Analysis
  – No. of Staff who completed Security-Awareness training
  – Malware Statistics (e.g. viruses detected, worms stopped)
  – Internet / Firewall Statistics (e.g. Hacking attempts stopped)
• Does the Org have technical (I-T) security-standards (‘hardening’) to help prevent security-events…?
How does your Org compare against the industry?

10. End-to-End Security Program
1. Verification from start to finish… (peace of mind)
2. Prioritize – what can we do NOW? (build a 3-month Plan, then a 6-month to 1-year Tactical Plan, and a Strategic 1-3 Year Long-Term Plan – based on Risk)
3. Sunset / End-to-End Security-procedures – a standard process could avoid the Blue Cross $18.5MM mistake…
‘An ounce of Prevention… is worth a Pound of Cure – or about $18.5MM+’

11. How do you integrate new Technology - HIPAA / HITECH requirements
• How do you handle Customer-owned Technology? (e.g. a Lawsuit from a patient with a Smartphone / Laptop recording Audio / Video in the Hospital)
• What about new Health Law requirements…? (e.g. “meaningful use”, ICD-10 Coding, version 5010 EDI)
• How do you keep Security-Staff trained? An in-house Library of Security reference material and publications (cross-training, IT-Security Certifications, backup staff / skillsets)
• Is a Process defined to manage / coordinate any changes or new Laws?
‘…standardize your process / activities – Don’t re-invent the Wheel.’

12. Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com (214) 826-3812

13. About the Author – Patrick Angel
• Roles: Assistant CISO / Director PMO / Enterprise I-T Security-Architect / Risk-Management and Compliance Manager
• Areas: PCI, SOX, GLBA Privacy, Project-Auditing, Application-Security Testing and Secure Development (SDLC)
• Education
  – Bachelors in Information Systems (MIS)
  – Dean’s List and Honor’s List
  – Masters of Business Administration (MBA)
• Years of Experience
  – 20+ years in Information Systems
  – 15+ years of P/M, SDLC and Governance, Risk and Compliance
  – Hands-on Software Developer, Application-Testing, I-T Auditing
• Certifications and Associations include - (In-progress)