Healthcare IT Security Risk 0310

Healthcare IT security and risk management

Slide 1: Redspin - Information Security and Risk Management for Healthcare Leaders
John Reno, March 2010

Slide 2: Information Security and Risk Management for Healthcare Leaders (agenda)
- Introduction
- The threat environment
- The state of healthcare information security
- Information security issues
- Risk management
- Customer case study
- Summary

Slide 3: Introduction
- Redspin offers information security assessment services
- Creates value for your business
- Reduces risk, maintains compliance
- Healthcare IT security problems solved
- Save time and resources
- Risk reduction
- Avoidance of reputational damage
- Avoidance of regulatory fines
- Brand protection
- Service availability
- Employee productivity
Slide 4: Threat Environment
- Well-funded cybercrime
  - Malware, command/control and mule networks that were highly refined in financial services fraud have adapted to healthcare claim fraud
- Internal malicious activity
  - A down economy and disgruntled employees drive theft and business disruption
- Lack of control over business associates
  - By definition, healthcare providers rely upon a diverse and largely insecure partner network

Slide 5: Threat Environment
- The impact of these threats:
  - Regulatory fines
  - Brand damage
  - Downtime for revenue-generating services
  - Downtime leading to non-productive employees
  - Reputational damage

Slide 6: Threat Environment
- Average cost of a breach in the healthcare industry was $282 per record, higher than the average across all industries (Ponemon Institute 2009 study)
- Over 220 healthcare data breaches reported in the last two years
  - PSA Healthcare, 51,000 records; Tenet Healthcare, 37,000 records; Cascade Healthcare, 11,500 records; Cogent Healthcare, 6,400 records …
- Fines and civil penalties becoming more commonplace

Slide 7: State of Healthcare Information Security
- Information security and privacy are not simply about protection
- Secure information management can create competitive business advantage: improved quality of care, reduced cost and more effective processes
- Some examples:
  - Reducing reliance on physicians' (often illegible) handwritten and faxed prescriptions and notes
  - Facilitating the measurement of outcomes and comparison of treatment effectiveness
  - Streamlining medical research
  - Facilitating the detection of potential health threats to the public
Slide 8: Information Security Issues
- Latest HHS and FTC guidelines
- Focus on data
  - Require encryption during transmission and encryption during storage
  - Secure disposal of PHI data on disk, paper or film
- Focus on business associates
  - Locate and document all PHI
  - Collect evidence of controls for each business associate
  - Assess the evidence, identify the risks, take action

Slide 9: What Our Customers Are Telling Us
- Increasing IT compliance complexity
  "It's too expensive and manual to make sure we're addressing all the necessary regulations. And then we have to do it all over again for the next time."
- IT risk management
  "I don't have good visibility over my IT risks across my company. I can't determine if a risk is getting worse, before it gets really serious."
- Escalating compliance costs
  "Many of my compliance controls are either manual, or duplicated, or both. I don't have an efficient compliance infrastructure. And, worse, I can't even tell what my total compliance costs are."
- Compliance program management
  "I need better information about my projects' status, resource utilization, and costs."
- Inadequate oversight
  "I can't tell the current status of my IT risk and compliance activities, so I can't tell if it is being managed effectively."
Slide 10: Security, Risk and Compliance Issues
- Compliance is managed on a per-regulation basis
- Inability to view risk across the organization
- Silos create control gaps and duplication
- Controls testing is manual and is often done repeatedly
- Controls information becomes outdated quickly
Source: OCEG

Slide 11: Risk and Compliance - Challenge and Opportunity
- What we know about risk and compliance:
  - It's not going away
  - More regulations are coming
  - Failure is not an option
- Turning risk and compliance into a competitive advantage:
  - Reduce costs
  - Reduce disruptions
  - Drive operational improvements

Slide 12: How We Can Help
- Infrastructure assessment
- Application security assessment
- Social engineering and security awareness
- Risk assessment
- Risk management program development
Slide 13: Risk Management Process
- Measure Effectiveness
  - Develop metrics
  - Measure control effectiveness
- Risk Assessment
  - Gather risk data
  - Prioritize risks
- Control Implementation
  - Gather risk data
  - Prioritize risks
- Decision Support
  - Identify controls
  - Select risk mitigation approach

Slide 14: Risk Management Process (diagram: Risk)
Slide 15: Benefits of Risk Management
- Use risk management to provide the mechanism to demonstrate business enablement
- Risk reduction allows deployment of new business processes that were not previously possible
- Confidence in brand protection can result in new revenue-generating programs
- Trust in service availability means that existing programs can generate more revenue, more profitably
- Confidence in security service level agreements decreases program launch time
- Clear guidance on security requirements associated with new business unit projects accelerates time to revenue

Slide 16: Summary
- Services enable customers to rapidly adopt information risk management
- Solve the most pressing problems immediately
- Offerings across the entire information risk management system
- A risk-based approach creates processes, procedures and practices for security program optimization
- Business-driven perspective
- Methodology and deliverables ensure measurable business benefit