Security Framework For HIPAA HITECH
1. Patrick Angel, Assistant HealthCare CISO - CISM® CRISC® CISA®
www.RandomAccessTechnology.com
(214) 826-3812
Top 10 CxO Items for Framework for
HIPAA / HITECH Security Program
2. Top 10 CxO Items for Framework for
HIPAA / HITECH Security Program
1. Does the Org have a CISO and a Security Program used across the Enterprise?
2. Do you know what is PHI / IIHI data, versus IUO (internal use only), versus 'Other'?
3. Does the Org have a CSIRT Security Team with documented Procedures and Exercises?
4. Do you know where your Data is? (spreadsheets, Laptops, internal databases)
5. Is there a Security-Training / Awareness Program (for all levels)?
6. Are there documented Policies and Procedures? Program Socialization?
7. Does the Org have PHI-Data-Handling and IT Security-Standards and Metrics?
8. Are there Enterprise-Level Security Tools operating 24x7?
9. Does your Security-Program (process) cover ALL the 'Bases' (end-to-end)?
(incl. Hospital/Clinic intake, X-rays/Imaging, Medical Records, Reporting, Database
Encryption, Sunset/End-of-Life Security procedures... Blue Cross of Tennessee didn't)
10. How do you integrate new Regulatory (HIPAA / HITECH) standards (ICD-10 and
version 5010 EDI Transactions)? Can you / have you protected your Mobile
Data? (Hospital / Clinic Laptops, Customers' Mobile Media, Wireless access)
For customers of Random Access Technologies, Inc. only - Patrick Angel, CISM®
3. CISO and Security Program (Enterprise-Level)
• Does your Organization take Security seriously?
• Is there a CxO-Level Security Officer (CISO) identified?
• Is there an Information-Security Policy (ISP) in place?
• Does an Org-Level Information-Security Program exist?
• Is there Budget and Staff to support the Security Program?
• Is the Security Program communicated and integrated
with the Risk-Management Program (and across all
LOBs / Depts)?
'...we didn't Plan to Fail, we Failed to Plan...'
4. Do you know what Data is Important?
• Do you know where your data 'lives'?
• Does your Management Team know what data is
important? (IIHI vs IUO vs PII vs 'other')
• Have you identified which staff 'need to know / access' the data?
• EHR (Electronic Health Record): what does it mean to you?
• Does your Staff know how to properly protect data?
• How do you 'manage' Epic (EHR software) data?
You can't protect it if you don't know where it 'lives'
5. CSIRT Security-Team (and procedures)
'Plan for the unexpected before it happens'
• Does a Computer-Security Incident Response Team (CSIRT) exist for the Org?
• Are there documented procedures for the Security Team (CSIRT)?
• Is the CSIRT Team trained, and do they go through
'Zero-Day' / 'Red-Team' exercises (to be ready)?
• Are there pre-defined steps for 'common' security
events?
• Is the 'HelpDesk' integrated, and does it know how to
determine if this is a 'real Security Incident'?
• Is there a 'Calling-Tree' and are there 'Escalation-Procedures'?
• Does the Team have a 'Forensics Kit'?
6. Where is your (Health / PHI) Data?
• In an internal Database with no Encryption?
• Floating around the company on 'shared network drives'?
• Extracts / Copies sitting on SMEs' computers?
• Lying exposed on Desktops at close of business in printed Reports?
• Unprotected in Spreadsheets and local (Access)
Databases?
• Concentrated on Hospital Laptops, unencrypted, with no
Password, no central Inventory and no List of Owners?
• Can you tell if your Data is 'walking out the door'?
'Who cares if you protect your Data? Regulators... and Investors'
7. Security-Awareness / Training Program?
• Is there a consistent message to front-line (e.g. Hospitals, Clinics)
and 'back-office' staff (Central Billing Office / CBO, IT Dept)?
• Are you pro-actively 'pushing out Security' to all levels
in the company?
• Are you leveraging your biggest 'Asset' (employees) to
protect Data?
• Present key HIPAA / HITECH concepts to both
Management and End-Users
• Validate the concepts learned via an 'interactive learning
model' and a final 'test', with a signed 'assertion' (attestation)?
Leverage your biggest asset(s) to take 'ownership' of Security
8. Security-Policies and Procedures
• Has Senior Management (CxOs) set the 'tone' for
Security (importance) across the Enterprise?
• Has Management developed Security-Procedures
based on 'Best-Practices' and 'Industry-Standards'?
• Are Policies and Procedures available to all Staff and
Vendors / Contractors?
• Is the 'importance / need for Security' visible on a
regular basis (e.g. Posters, Emails, Newsletter)?
• Has the Security-Program been 'socialized' across
Departments / Management and End-users for acceptance?
• What about new Health Law requirements?
(e.g. "meaningful use", ICD-10 Coding, version 5010 EDI)
'You can stitch on a new Arm, but will the (rest of the) Body accept it?'
9. PHI-Data Handling, Metrics and Security-Standards
• Are there 'specific procedures' around PHI-Data (at
Hospitals, Clinics, and at HQ), and can you report on it?
• Is the Security-Department tracking / reporting the
right things (Metrics), including:
– Time-to-Patch (days from vendor release to deployment), Password Strength (policy compliance)
– No. of Security-events Reported, Email Traffic Analysis
– No. of Staff who completed Security-Awareness training
– Malware Statistics (e.g. viruses detected, worms stopped)
– Internet / Firewall Statistics (e.g. Hacking attempts blocked)
• Does the Org have technical (IT) security-standards
('hardening' baselines) to help prevent security-events?
How does your Org compare against the industry?
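Metrics such as time-to-patch only mean something when they are computed the same way every reporting period and measured against a stated target. As an added example (not from the original deck), the following Python computes two of the metrics listed above from constructed records: time-to-patch per severity against an assumed remediation SLA (the day counts in SLA_DAYS are hypothetical policy values, not a HIPAA requirement), and awareness-training completion. Host names, dates and the training roster are made up.

```python
"""Worked metrics for a HIPAA security program: time-to-patch by
severity against an SLA, plus awareness-training completion.
Added example; all sample records below are constructed."""
from datetime import date
from statistics import median

# Constructed patch records: (host, severity, vendor release date, deployed date or None)
PATCH_RECORDS = [
    ("ehr-db-01",    "critical", date(2024, 3, 1),  date(2024, 3, 4)),
    ("imaging-02",   "high",     date(2024, 3, 1),  date(2024, 3, 20)),
    ("billing-03",   "critical", date(2024, 2, 10), None),   # still unpatched
    ("clinic-lt-07", "critical", date(2024, 3, 1),  date(2024, 3, 15)),
    ("cbo-fs-01",    "high",     date(2024, 1, 15), date(2024, 2, 1)),
    ("hq-app-02",    "medium",   date(2024, 1, 5),  date(2024, 3, 1)),
]

# Hypothetical remediation SLA in days per severity (assumed policy values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed training roster: (employee id, completed the awareness course?)
TRAINING_ROSTER = [("e1", True), ("e2", True), ("e3", False), ("e4", True),
                   ("e5", True), ("e6", False), ("e7", True), ("e8", True),
                   ("e9", False), ("e10", True)]

AS_OF = date(2024, 3, 31)  # reporting date for the sample


def time_to_patch(records, as_of):
    """Per severity: median days to deploy (closed items only), number of
    SLA breaches (open items keep counting up to as_of, so an unpatched
    host past its SLA is a breach even though it has no deploy date),
    and number of still-open items."""
    per_sev = {}
    for _host, sev, released, deployed in records:
        entry = per_sev.setdefault(
            sev, {"closed_days": [], "sla_breaches": 0, "open": 0})
        elapsed = ((deployed or as_of) - released).days
        if deployed is None:
            entry["open"] += 1
        else:
            entry["closed_days"].append(elapsed)
        if elapsed > SLA_DAYS[sev]:
            entry["sla_breaches"] += 1
    return {
        sev: {
            "median_days": median(e["closed_days"]) if e["closed_days"] else None,
            "sla_breaches": e["sla_breaches"],
            "open": e["open"],
        }
        for sev, e in per_sev.items()
    }


def awareness_completion(roster):
    """Percentage of staff who completed the awareness course (0.0 for an empty roster)."""
    if not roster:
        return 0.0
    done = sum(1 for _emp, completed in roster if completed)
    return round(100.0 * done / len(roster), 1)


def metrics_report(records, roster, as_of):
    """Render the lines a CISO would put in front of the CxO team."""
    lines = [f"Security metrics as of {as_of.isoformat()}"]
    for sev, m in sorted(time_to_patch(records, as_of).items()):
        lines.append(f"  {sev:<9} median TTP={m['median_days']} days, "
                     f"SLA breaches={m['sla_breaches']}, open={m['open']}")
    lines.append(f"  awareness training completed: {awareness_completion(roster)}%")
    return lines


if __name__ == "__main__":
    print("\n".join(metrics_report(PATCH_RECORDS, TRAINING_ROSTER, AS_OF)))
```

Counting open items against the SLA clock is deliberate: a median over closed tickets alone hides the unpatched critical host, which is exactly the item the CxO team needs to see.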
10. End-to-End Security Program
1. Verification from start to finish (peace of mind)
2. Prioritize: what can we do NOW? (build a 3-month Plan,
then a 6-month to 1-year Tactical Plan, and a Strategic 1-3 Year Long-
Term Plan, based on Risk)
3. Sunset / End-of-Life Security-procedures: a standard
process could have avoided the Blue Cross $18.5MM mistake
'An ounce of Prevention is worth a Pound of Cure, or about $18.5MM+'
11. How do you integrate new Technology and HIPAA / HITECH requirements?
• How do you handle Customer-owned Technology?
(e.g. Lawsuit from a patient with a Smartphone / Laptop recording
Audio / Video in the Hospital)
• What about new Health Law requirements?
(e.g. "meaningful use", ICD-10 Coding, version 5010 EDI)
• How do you keep Security-Staff trained? In-house Library of
Security reference material and publications (cross-
training, IT-Security Certifications, backup staff / skillsets)
• Is a Process defined to manage / coordinate any
changes or new Laws?
'...standardize your process / activities. Don't re-invent the Wheel.'
12. Get Started Now…
‘…Chance favors the prepared Mind’
13. About the Author
Patrick Angel
• Roles: Assistant CISO / Director PMO / Enterprise IT
Security-Architect / Risk-Management and Compliance Manager
• Areas: PCI, SOX, GLBA Privacy, Project-Auditing, Application-Security
Testing and Secure Development (SDLC)
• Education
– Bachelor's in Information Systems (MIS)
• Dean's List and Honors List
– Master of Business Administration (MBA)
• Years of Experience
• 20+ years in Information Systems
• 15+ years of P/M, SDLC and Governance, Risk and Compliance
• Hands-on Software Developer, Application-Testing, IT Auditing
• Certifications and Associations include - (In-progress)