Greenway Health, profile picture
Uploaded byGreenway Health
PPT, PDF5,869 views

Roadmap to IT Security Best Practices

The document discusses the importance of IT security best practices for healthcare organizations. It outlines why IT security is important, how to get started with a security program, and provides information on specific best practices. These include recommendations for securing remote users' access to protected health information, implementing system log management, and meeting meaningful use security criteria. The document aims to help healthcare organizations develop an IT security roadmap.

Embed presentation

Downloaded 390 times
Roadmap to IT Security Best Practices Justin Copeland President, Triggerfish Corporation
Outline Why is it important? How to start… Best practices Information you can use… Remote Users – CMS Guidance Meaningful Use – Security Risk Analysis Systems Log Management IT Security Roadmap
Objective of IT Security The ideal system will protect unauthorized use of information systems for one second longer than the maximum limits of frustration and tenacity of the worst hacker or until the information is no longer of value.
Why is it important? In a post HIPAA era, IT security is increasingly requiring us to operationalize many of the practices that have been contained in “policy” for several years. The risk of disclosure is quite real and the cost non-compliance is ever increasing. If it hasn’t already…IT Security will likely start showing up in your operating budget!
IT Security – How to start… Identify the protection needed Select the methods to protect Plan for detection recovery and response
Step 1 What to protect? Electronic Protected Health Information (EPHI) Billing systems Proprietary business information
Step 2 Identify most cost-effective methods to protect critical assets. Role-based security Policies & operational procedures Intrusion Detection and Response Auditing
Step 3 Pre-plan your response to an attack Identification of security breach scenarios Response procedures after an attack Incident reporting and corrective actions
Best Practices Strong Authentication of users Enterprise-wide authentication User access validation Expanded audit trails
Best Practices…People Security Background checks Auditing of system access Ensure credentials of system administrators are retrievable in the event of a separation Training
Best Practices…Social Engineering Use of non-technical means to get information that allows unauthorized access. Forbid exchange of passwords among employees for any reason Train staff to deal with social techniques used to gain unauthorized access to PHI
Best Practices…Policies User Passwords Physical Security Intrusion Detection Disaster Recovery testing
Best Practices…Process Security Integrate security into disaster recovery plan Regulatory requirements Accidental disclosures, deletions or alterations Threat Analysis Security Checklists Change control processes
Info you can use… Security Guidance for Remote Users http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
Security Guidance for Remote Users CMS has offered additional guidance related to safeguarding the confidentiality, integrity and availability of EPHI under the HIPAA Security Rule .
Security Guidance for Remote Users This guidance focuses on: The use of portable media/devices (such as USB flash drives) that store EPHI Offsite access or transport of EPHI via laptops, PDA’s, home computers or other non corporate equipment
Security Guidance for Remote Users Risk Analysis Three groupings of risk: Access Storage Transmission
Security Guidance for Remote Users Risk Analysis Policies require training Addressing security incidents and noncompliance Discuss possible Risk Management Strategies
Security Guidance for Remote Users Access Risk Mitigation Strategies Implement two-factor authentication Implement specific processes for authorizing remote users Establish procedures for session termination on inactive devices
Security Guidance for Remote Users Access Risk Mitigation Strategies Install personal firewall software on all devices that store EPHI Install, use and update virus-protection software on all devices that access EPHI
Security Guidance for Remote Users Storing Risk Mitigation Strategies Implement process for maintaining inventory and record of movement of devices containing EPHI Require lock-down of unattended laptops
Security Guidance for Remote Users Storing Risk Mitigation Strategies Password protect files and devices containing EPHI Require that portable devices containing EPHI employ encryption
Security Guidance for Remote Users Storing Risk Mitigation Strategies Develop processes to rollout security updates to portable devices Consider the use of biometrics on portable devices
Security Guidance for Remote Users Storing Risk Mitigation Strategies Establish EPHI deletion and media disposal policies Install virus-protection on devices that store EPHI
Security Guidance for Remote Users Transmitting Risk Mitigation Strategies Prohibit transmission of EPHI via open network Prohibit use of offsite devices or WAP for non-secure access to email
Security Guidance for Remote Users Transmitting Risk Mitigation Strategies Use more secure connections for email via SSL and the use of message-level standards such as S/MIME, SET, PEC, PGP, etc.
Security Guidance for Remote Users Transmitting Risk Mitigation Strategies Implement and mandate strong encryption solutions for transmission of EPHI (e.g. SSL, HTTPS, etc.)
Security Guidance for Remote Users Transmitting Risk Mitigation Strategies Install virus-protection software on portable devices that can be used to transmit EPHI
Info you can use… System Log File Management http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
System Log Management Establish policies and procedures for log management Prioritize Log Management appropriately throughout the organization
System Log Management Create and maintain a log management infrastructure Provide proper support for all staff with log management responsibilities
Info you can use… Stage One Criteria for Meaningful Use Core Measure “ Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”
Meaningful Use While this is really nothing new, this initiative requires participants to further demonstrate compliance to 45 CRF 164.308 (a)(1) of the Final Rule (HIPAA Security)
Meaningful Use Conduct or review a security risk analysis Implement security updates as necessary and correct identified security deficiencies as part of its risk management process This is not a “check the box” type of activity http :// www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Sample Roadmap
Resources NIST http://csrc.nist.gov HIMSS Privacy & Security Toolkit http://www.himss.org
This PowerPoint was presented at the 2011 SuccessEHS Customer Conference. www.successehs.com

More Related Content

PDF
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
byEryk Budi Pratama
 
PPTX
The Zero Trust Model of Information Security
byTripwire
 
PDF
From Cybersecurity to Cyber Resilience
byaccenture
 
PDF
Security operations center 5 security controls
byAlienVault
 
PPTX
Introduction to Cybersecurity
byAdri Jovin
 
PPTX
microsoft-cybersecurity-reference-architectures (1).pptx
byGenericName6
 
PPTX
Optimizing Security Operations: 5 Keys to Success
bySirius
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
byEryk Budi Pratama
 
The Zero Trust Model of Information Security
byTripwire
 
From Cybersecurity to Cyber Resilience
byaccenture
 
Security operations center 5 security controls
byAlienVault
 
Introduction to Cybersecurity
byAdri Jovin
 
microsoft-cybersecurity-reference-architectures (1).pptx
byGenericName6
 
Optimizing Security Operations: 5 Keys to Success
bySirius
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 

What's hot

PDF
Zero trust in a hybrid architecture
byHybrid IT Europe
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
PDF
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
PPTX
Roadmap to security operations excellence
byErik Taavila
 
PPTX
Cybersecurity Awareness Training
byDave Monahan
 
PPTX
Zero Trust
byBoaz Shunami
 
PPTX
Cybersecurity 1. intro to cybersecurity
bysommerville-videos
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
What is zero trust model (ztm)
byAhmed Banafa
 
PDF
Building a Next-Generation Security Operations Center (SOC)
bySqrrl
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PDF
Lessons Learned from the NIST CSF
byDigital Bond
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
PPTX
Awareness Security 123.pptx
byRajuSingh730938
 
PDF
Vulnerability and Patch Management
byn|u - The Open Security Community
 
PPTX
Cloud Security
byAWS User Group Bengaluru
 
PDF
End-User Security Awareness
bySurya Bathulapalli
 
PPTX
Zero Trust Network Access
byEr. Ajay Sirsat
 
PPTX
Security operation center (SOC)
byAhmed Ayman
 
PPTX
SOC and SIEM.pptx
bySandeshUprety4
 
Zero trust in a hybrid architecture
byHybrid IT Europe
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
Roadmap to security operations excellence
byErik Taavila
 
Cybersecurity Awareness Training
byDave Monahan
 
Zero Trust
byBoaz Shunami
 
Cybersecurity 1. intro to cybersecurity
bysommerville-videos
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
What is zero trust model (ztm)
byAhmed Banafa
 
Building a Next-Generation Security Operations Center (SOC)
bySqrrl
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
Lessons Learned from the NIST CSF
byDigital Bond
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
Awareness Security 123.pptx
byRajuSingh730938
 
Vulnerability and Patch Management
byn|u - The Open Security Community
 
Cloud Security
byAWS User Group Bengaluru
 
End-User Security Awareness
bySurya Bathulapalli
 
Zero Trust Network Access
byEr. Ajay Sirsat
 
Security operation center (SOC)
byAhmed Ayman
 
SOC and SIEM.pptx
bySandeshUprety4
 

Viewers also liked

PDF
Building an effective Information Security Roadmap
byElliott Franklin
 
PPTX
Build an Information Security Strategy
byAndrew Byers
 
PDF
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
byXEventsHospitality
 
PPT
Security Maturity Assessment
byClaude Baudoin
 
PDF
Security Maturity Models.
byPriyanka Aash
 
PDF
National Cybersecurity - Roadmap and Action Plan
byDr David Probert
 
PDF
Information Security Benchmarking 2015
byCapgemini
 
PPTX
Cybersecurity Priorities and Roadmap: Recommendations to DHS
byJohn Gilligan
 
PPTX
Cyber security: A roadmap to secure solutions
bySchneider Electric
 
PDF
PhD and Post PhD Network Security Visualization Research
byKulsoom Abdullah
 
PDF
Network Security Visualization
by21CT Inc.
 
DOC
It security-plan-template
byjbmills1634
 
PPT
IT Compliance & Security
byIT Compliance & Security AnyHelp International
 
PDF
10 tips to prevent phishing attacks
byNamik Heydarov
 
PDF
Cybercrime 281210
byFrank Smilda
 
PPT
Sudarsan Jayaraman - Open information security management maturity model
bynooralmousa
 
PPTX
Security Best Practices
byClint Edmonson
 
PPTX
Security: more important than ever - Sophos Day Belux 2014
bySophos Benelux
 
PPT
Information Security Seminar
byAcend Corporate Learning
 
PPT
HR Outsourced Services
byGregory Guilford
 
Building an effective Information Security Roadmap
byElliott Franklin
 
Build an Information Security Strategy
byAndrew Byers
 
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
byXEventsHospitality
 
Security Maturity Assessment
byClaude Baudoin
 
Security Maturity Models.
byPriyanka Aash
 
National Cybersecurity - Roadmap and Action Plan
byDr David Probert
 
Information Security Benchmarking 2015
byCapgemini
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
byJohn Gilligan
 
Cyber security: A roadmap to secure solutions
bySchneider Electric
 
PhD and Post PhD Network Security Visualization Research
byKulsoom Abdullah
 
Network Security Visualization
by21CT Inc.
 
It security-plan-template
byjbmills1634
 
IT Compliance & Security
byIT Compliance & Security AnyHelp International
 
10 tips to prevent phishing attacks
byNamik Heydarov
 
Cybercrime 281210
byFrank Smilda
 
Sudarsan Jayaraman - Open information security management maturity model
bynooralmousa
 
Security Best Practices
byClint Edmonson
 
Security: more important than ever - Sophos Day Belux 2014
bySophos Benelux
 
Information Security Seminar
byAcend Corporate Learning
 
HR Outsourced Services
byGregory Guilford
 

Similar to Roadmap to IT Security Best Practices

PPT
PowerPoint-2b.-HIPAA-Security-Awareness-Training.ppt
byMayank Mathur
 
PPT
PowerPoint-2b.-HIPAA-Security-Awareness-Training.ppt
byslametarrokhim1
 
PPT
Medical Records on the Run: Protecting Patient Data with Device Control and...
byLumension
 
PDF
Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207
byErik Ginalick
 
PPTX
cyber.pptx security ppt security security security security
byharishg4741
 
PPT
Group presentation hippa ppt
byMari Mina
 
PDF
Meaningful Use Risk Analysis Webinar
bydata brackets
 
PPTX
The HIPAA Security Rule: Yes, It's Your Problem
bySecurityMetrics
 
PDF
HITRUST CSF Meaningful use risk assessment
byVinit Thakur
 
PDF
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
byHealth IT Conference – iHT2
 
PDF
BEST CYBER SECURITY PRACTICES
byHappiest Minds Technologies
 
PDF
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
byTrend Micro
 
PDF
Securing Microsoft Technologies for HITECH Compliance
byMarie-Michelle Strah, PhD
 
PPTX
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
byAggregage
 
PPTX
Securing Mobile Healthcare Application
byCitiusTech
 
PPT
HIPAA security risk assessments
byJose Ivan Delgado, Ph.D.
 
PPTX
Information+security rutgers(final)
byAmy Stowers
 
PPTX
Hipaa Reality Check
bySecurityMetrics
 
PDF
ONC Privacy and Security Best Practices for HIPAA
byDavid Sweigert
 
PDF
Electronic Health Information- Guide to Privacy & Security
byDr Dev Kambhampati
 
PowerPoint-2b.-HIPAA-Security-Awareness-Training.ppt
byMayank Mathur
 
PowerPoint-2b.-HIPAA-Security-Awareness-Training.ppt
byslametarrokhim1
 
Medical Records on the Run: Protecting Patient Data with Device Control and...
byLumension
 
Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207
byErik Ginalick
 
cyber.pptx security ppt security security security security
byharishg4741
 
Group presentation hippa ppt
byMari Mina
 
Meaningful Use Risk Analysis Webinar
bydata brackets
 
The HIPAA Security Rule: Yes, It's Your Problem
bySecurityMetrics
 
HITRUST CSF Meaningful use risk assessment
byVinit Thakur
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
byHealth IT Conference – iHT2
 
BEST CYBER SECURITY PRACTICES
byHappiest Minds Technologies
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
byTrend Micro
 
Securing Microsoft Technologies for HITECH Compliance
byMarie-Michelle Strah, PhD
 
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
byAggregage
 
Securing Mobile Healthcare Application
byCitiusTech
 
HIPAA security risk assessments
byJose Ivan Delgado, Ph.D.
 
Information+security rutgers(final)
byAmy Stowers
 
Hipaa Reality Check
bySecurityMetrics
 
ONC Privacy and Security Best Practices for HIPAA
byDavid Sweigert
 
Electronic Health Information- Guide to Privacy & Security
byDr Dev Kambhampati
 

More from Greenway Health

PDF
Big Data - Outcomes Performance Measured
byGreenway Health
 
PDF
Dentistry & Meaningful Use: Medicaid
byGreenway Health
 
PPT
Medicaid 2 - mdedit
byGreenway Health
 
PDF
Marketplace: Benefit Tiers, Individuals and SHOPs
byGreenway Health
 
PDF
The Marketplace: What you need to know
byGreenway Health
 
PDF
Accountable Care Organizations: 4 Physician Benefits
byGreenway Health
 
PDF
The Marketplace - Insurance Exchanges and Providers
byGreenway Health
 
PDF
6 Tips to Leverage EHR Patient Data Effectively
byGreenway Health
 
PDF
Addressing Top ICD-10 Concerns
byGreenway Health
 
PDF
4 Steps to Getting Started with PQRS
byGreenway Health
 
PDF
An Overview of Patient-Centered Care
byGreenway Health
 
PPT
Meaningful Use - 2013 State of the Union
byGreenway Health
 
PPT
Meet Your 113th Congress
byGreenway Health
 
PPT
Electronic Dental Records Adoption
byGreenway Health
 
PPT
Gartner's Top 10 Tech Trends through 2015
byGreenway Health
 
PPT
Patient Engagement & the Matrix: How plugged in are we?
byGreenway Health
 
PPT
Fraud, Waste & Abuse in Health Care
byGreenway Health
 
PDF
The Four Buckets of Meaningful Use
byGreenway Health
 
PDF
Medicaid Incentive Payouts and Stage 2 Meaningful Use
byGreenway Health
 
PDF
Medicare Meaningful Use Incentive Payouts
byGreenway Health
 
Big Data - Outcomes Performance Measured
byGreenway Health
 
Dentistry & Meaningful Use: Medicaid
byGreenway Health
 
Medicaid 2 - mdedit
byGreenway Health
 
Marketplace: Benefit Tiers, Individuals and SHOPs
byGreenway Health
 
The Marketplace: What you need to know
byGreenway Health
 
Accountable Care Organizations: 4 Physician Benefits
byGreenway Health
 
The Marketplace - Insurance Exchanges and Providers
byGreenway Health
 
6 Tips to Leverage EHR Patient Data Effectively
byGreenway Health
 
Addressing Top ICD-10 Concerns
byGreenway Health
 
4 Steps to Getting Started with PQRS
byGreenway Health
 
An Overview of Patient-Centered Care
byGreenway Health
 
Meaningful Use - 2013 State of the Union
byGreenway Health
 
Meet Your 113th Congress
byGreenway Health
 
Electronic Dental Records Adoption
byGreenway Health
 
Gartner's Top 10 Tech Trends through 2015
byGreenway Health
 
Patient Engagement & the Matrix: How plugged in are we?
byGreenway Health
 
Fraud, Waste & Abuse in Health Care
byGreenway Health
 
The Four Buckets of Meaningful Use
byGreenway Health
 
Medicaid Incentive Payouts and Stage 2 Meaningful Use
byGreenway Health
 
Medicare Meaningful Use Incentive Payouts
byGreenway Health
 

Recently uploaded

DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
AI Technology important knowledge ......
byutkarshj2007
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
In this document
Powered by AI

Overview of IT Security importance and roadmap to best practices.

Establishment of effective systems to prevent unauthorized access in a post-HIPAA environment.

Steps to identify protections needed for EPHI and establish methods for detection and response.

Overview of strong user authentication, personnel security, policies, and security processes.

Guidance for remote users on safeguarding EPHI through risk analysis and mitigation strategies.

Strategies for secure storage of EPHI, including device management and encryption.

Mitigation strategies for secure transmission of EPHI using encryption and secure connections.

Establishing policies for effective log management to enhance security oversight.

Requirements for demonstrating compliance with HIPAA security through risk assessments.

Visualization of a sample roadmap for IT security along with valuable resources for further guidance.

Roadmap to IT Security Best Practices

  • 1.
    Roadmap to ITSecurity Best Practices Justin Copeland President, Triggerfish Corporation
  • 2.
    Outline Why isit important? How to start… Best practices Information you can use… Remote Users – CMS Guidance Meaningful Use – Security Risk Analysis Systems Log Management IT Security Roadmap
  • 3.
    Objective of ITSecurity The ideal system will protect unauthorized use of information systems for one second longer than the maximum limits of frustration and tenacity of the worst hacker or until the information is no longer of value.
  • 4.
    Why is itimportant? In a post HIPAA era, IT security is increasingly requiring us to operationalize many of the practices that have been contained in “policy” for several years. The risk of disclosure is quite real and the cost non-compliance is ever increasing. If it hasn’t already…IT Security will likely start showing up in your operating budget!
  • 5.
    IT Security –How to start… Identify the protection needed Select the methods to protect Plan for detection recovery and response
  • 6.
    Step 1 Whatto protect? Electronic Protected Health Information (EPHI) Billing systems Proprietary business information
  • 7.
    Step 2 Identifymost cost-effective methods to protect critical assets. Role-based security Policies & operational procedures Intrusion Detection and Response Auditing
  • 8.
    Step 3 Pre-planyour response to an attack Identification of security breach scenarios Response procedures after an attack Incident reporting and corrective actions
  • 9.
    Best Practices StrongAuthentication of users Enterprise-wide authentication User access validation Expanded audit trails
  • 10.
    Best Practices…People SecurityBackground checks Auditing of system access Ensure credentials of system administrators are retrievable in the event of a separation Training
  • 11.
    Best Practices…Social EngineeringUse of non-technical means to get information that allows unauthorized access. Forbid exchange of passwords among employees for any reason Train staff to deal with social techniques used to gain unauthorized access to PHI
  • 12.
    Best Practices…Policies UserPasswords Physical Security Intrusion Detection Disaster Recovery testing
  • 13.
    Best Practices…Process SecurityIntegrate security into disaster recovery plan Regulatory requirements Accidental disclosures, deletions or alterations Threat Analysis Security Checklists Change control processes
  • 14.
    Info you canuse… Security Guidance for Remote Users http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
  • 15.
    Security Guidance forRemote Users CMS has offered additional guidance related to safeguarding the confidentiality, integrity and availability of EPHI under the HIPAA Security Rule .
  • 16.
    Security Guidance forRemote Users This guidance focuses on: The use of portable media/devices (such as USB flash drives) that store EPHI Offsite access or transport of EPHI via laptops, PDA’s, home computers or other non corporate equipment
  • 17.
    Security Guidance forRemote Users Risk Analysis Three groupings of risk: Access Storage Transmission
  • 18.
    Security Guidance forRemote Users Risk Analysis Policies require training Addressing security incidents and noncompliance Discuss possible Risk Management Strategies
  • 19.
    Security Guidance forRemote Users Access Risk Mitigation Strategies Implement two-factor authentication Implement specific processes for authorizing remote users Establish procedures for session termination on inactive devices
  • 20.
    Security Guidance forRemote Users Access Risk Mitigation Strategies Install personal firewall software on all devices that store EPHI Install, use and update virus-protection software on all devices that access EPHI
  • 21.
    Security Guidance forRemote Users Storing Risk Mitigation Strategies Implement process for maintaining inventory and record of movement of devices containing EPHI Require lock-down of unattended laptops
  • 22.
    Security Guidance forRemote Users Storing Risk Mitigation Strategies Password protect files and devices containing EPHI Require that portable devices containing EPHI employ encryption
  • 23.
    Security Guidance forRemote Users Storing Risk Mitigation Strategies Develop processes to rollout security updates to portable devices Consider the use of biometrics on portable devices
  • 24.
    Security Guidance forRemote Users Storing Risk Mitigation Strategies Establish EPHI deletion and media disposal policies Install virus-protection on devices that store EPHI
  • 25.
    Security Guidance forRemote Users Transmitting Risk Mitigation Strategies Prohibit transmission of EPHI via open network Prohibit use of offsite devices or WAP for non-secure access to email
  • 26.
    Security Guidance forRemote Users Transmitting Risk Mitigation Strategies Use more secure connections for email via SSL and the use of message-level standards such as S/MIME, SET, PEC, PGP, etc.
  • 27.
    Security Guidance forRemote Users Transmitting Risk Mitigation Strategies Implement and mandate strong encryption solutions for transmission of EPHI (e.g. SSL, HTTPS, etc.)
  • 28.
    Security Guidance forRemote Users Transmitting Risk Mitigation Strategies Install virus-protection software on portable devices that can be used to transmit EPHI
  • 29.
    Info you canuse… System Log File Management http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
  • 30.
    System Log ManagementEstablish policies and procedures for log management Prioritize Log Management appropriately throughout the organization
  • 31.
    System Log ManagementCreate and maintain a log management infrastructure Provide proper support for all staff with log management responsibilities
  • 32.
    Info you canuse… Stage One Criteria for Meaningful Use Core Measure “ Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”
  • 33.
    Meaningful Use Whilethis is really nothing new, this initiative requires participants to further demonstrate compliance to 45 CRF 164.308 (a)(1) of the Final Rule (HIPAA Security)
  • 34.
    Meaningful Use Conductor review a security risk analysis Implement security updates as necessary and correct identified security deficiencies as part of its risk management process This is not a “check the box” type of activity http :// www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
  • 35.
  • 36.
    Resources NIST http://csrc.nist.govHIMSS Privacy & Security Toolkit http://www.himss.org
  • 37.
    This PowerPoint waspresented at the 2011 SuccessEHS Customer Conference. www.successehs.com