This document discusses information security for informatics professionals. It begins with an introduction of the speaker, Amy Walker, which details her experience in healthcare, informatics, and security. The presentation will cover IT security pillars, constructing policies and procedures, security standards and risk assessment strategies, system architecture and design, and an overview of security issues and solutions. Examples of data breaches and related fines are provided to illustrate security risks faced by healthcare organizations. Frameworks and best practices for security are also outlined to help attendees strengthen their organization's security posture.

1. INFORMATION SECURITY FOR
INFORMATICS PROFESSIONALS
Amy M. Walker, MS, RN, CPHQ, FACHE, NEA-BC
CEO OptimizeIT Consulting LLC
Healthcare IT Strategist
A Proud EDWOSB, Cage Code 6 TH50

2. Amy Walker MS, RN, CPHQ, FACHE,
NEA-BC
.
 Healthcare System
 Critical Care RN, Certified and Nurse Manager
 Director of Informatics, CIO Boot Camp-CHIME
 Chief Clinical Information Officer (CCIO)
 Technology Provider-Large Scale
 Development
 Implementation
 Strategic Account Management
 Consulting
 DoD Health Affairs
 HIPAA, Healthcare Compliance, Security, and Data Exchange
 Interim CIO
 Entrepreneur
 Fellow in the American College of Healthcare Executives
 Certified as a Healthcare Quality Professional
 Certified as an Advanced Nurse Executive
 2010 President of the National Capital of Healthcare Executives
 Nominated Member of the Women’s Business Leader’s of the
U.S. Healthcare Industry Foundation
2

3. We Will Discuss Today
 IT Security Pillars
 How to Appropriately Construct Policies and Procedures
 Develop, Implement, Enforce
 Security Standards and Risk Assessment Effective
Strategies
 System Architecture and Design
 An Overview of Security Issues and Solutions
3

4. SWOT-Analysis
• Identified Security Officer
• Tight Integration Between RolesStrengths
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Weaknesses
• Are GreatOpportunities
• Are GreatThreats
4

5. 5
Obama meets with CEOs to push cyber-security legislation
The meeting in hopes of getting the stalled legislation passed
comes a day after intelligence officials warn of the threat to
national security.
March 13, 2013|By Ken Dilanian and Jessica Guynn, Los Angeles
Times
"What is absolutely true is that
we have seen a steady ramping
up of cyber-security threats,"
President Obama said on ABC's
"Good Morning America." "Some
are state-sponsored. Some are
just sponsored by criminals."
(Evan Vucci / Associated Press)

6. Security Problems Hit Close To Home
Dear user:
As a follow up to our last email communication about the identified security vulnerability in the XYZ system , the U.S.
General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that
use their social security numbers for purposes of doing business with the federal government.
Your entity’s data has been identified to be at greater risk for potential identity theft because you used your social
security number as your Tax Identification Number to do business with the federal government.
This vulnerability enabled government entity administrators and delegated entity registration representatives to
potentially gain access to information of any entity’s registration -- enabling visibility of entity management data at all
sensitivity levels.
As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher
risk, like you, access to credit monitoring services and will follow up with information about these services.
If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you
would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8
p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify
your financial institution immediately if you see any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully
informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we
will work to ensure the system remains secure.
Sincerely,
6

7. In the News
Forget hackers, the fool
next to you is the real
threat
7

8. Statistics on Data Breaches
8

9. Internet Security Alliance
Larry Clinton, the longtime head of the Internet
Security Alliance delivered the keynote at the March
PHI Protection Forum. Mr. Clinton focused on PHI
Security and Privacy, he cited an important study of
the state of health care information security, PWC’s
2013 State of Info Security Survey data regarding
health care organizations.
9

10. PWCs 2013 State of Info Security Survey
 Most executives in the HC industry are confident in the effectiveness
of their security practices. They believe their strategies are sound
and many consider themselves to be leaders in the field
 (And yet, only) 42% have a strategy & (are) proactive in executing it
 Of the 4 key criteria of information security leadership, ONLY 6%
RANK AS LEADERS
 60% do NOT have a policy for third parties to comply with privacy
policies
 73% use mal code detection tools; DOWN 16%
 48% use tools to find unauthorized devices; DOWN 14%
 51% use intrusion detection tools; DOWN 19%
10
PWC’s 2013 State
of Info Security
Survey,
http://www.pwc.com
/gx/en/consulting-
services/information
-security-
survey/index.jhtml

11.  48% use vulnerability scanning tools; DOWN 15%
 31% DON’T KNOW when info sec is part of major
projects –ONLY 18% at project inception
 90% HC respondents say protecting employee &
customer data is important - few know where the data is
stored (43% have an accurate inventory of data)
 Adopting new technology (is outpacing) security – new
technology referring to cloud 28%, mobile 46%, soc
media 45%, personal devices 51%
11
PWCs 2013 State of Info Security Survey

12. The Reasons? As Noted by Larry
 Lack of funding 53%
 20% top leadership “is an impediment to improved security.”
 Only 43% report security breaches
 Diminished budgets have resulted in degraded security programs, incidents
are on the rise, new technologies are being adopted faster than safeguards
 There are short-term economic incentives to be insecure (VoIP, use personal
devices, the Cloud)
 HC providers report lower $ loss from incidents but many do not perform
thorough or consistent analysis to appraising those losses, e.g. only 33%
consider damage to brand as a financial loss
12

13. June 26, 2012 Alaska Department of
Health and Social Services
A USB hard drive possibly containing ePHI was stolen from
the vehicle of a DHHS employee.
 DHHS did not have adequate safeguard policies and
procedures in place.
 DHHS had not completed a risk analysis, implemented
sufficient risk management measures, completed security
training for its workforce, implemented device and media
controls, or addressed device and media encryption.
 Pay a $1.7 million fine and take corrective action to
ensure compliance with the Security Rule
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers,
Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
13

14. April 17, 2012 Phoenix Cardiac Surgery
Staff were posting clinical and surgical appointments for patients on an
Internet-based calendar that was publicly accessible.
 PC failed to implement adequate policies and procedures to
safeguard patient information
 PC failed to document that it trained any employees on policies and
procedures.
 PC failed to identify a security official and conduct a risk analysis.
 PC failed to obtain business associate agreements with Internet-
based email and calendar services where the provision of the service
included storage of and access to its ePHI.
 Pay a $100,000 fine and develop a corrective action plan to ensure
compliance with the Security Rule
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers,
Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
14

15. March 13, 2012
Blue Cross Blue Shield of Tennessee
Fifty-seven unencrypted computer hard drives were stolen
from a leased facility. The drives contained the ePHI of
more than 1 million individuals, including member names,
Social Security numbers, diagnosis codes, dates of birth,
and health plan identification numbers.
 BCBST failed to implement appropriate administrative
safeguards by not performing the required security
evaluation.
 BCBST failed to implement appropriate physical
safeguards.
 Pay a $1.5 million fine and implement a corrective action
plan to address gaps in its HIPAA compliance program
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers,
Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
15

16. The Foundation
16

17. Security Triangle
Confidentiality
Integrity
Availability
17

18. 10 Domains of Information Security
Access Control •Operations Security
Business Continuity and
Disaster Recover Planning
•Physical (Environment
Security)
Cryptography •Security Architecture and
Design
Information Security
Governance and Risk
Management
•Software Development
Security
Legal, Regulations,
Investigation, and
Compliance
•Telecommunications and
Network Security
18
International Information Systems
Security Certification Consortium
https://www.isc2.org/

19. Basic Requirements
 Security
 Reliability
 Transparency
 Scalability
19
 Maintainability
 Audit ability
 Integrity
 Authentic
International Information
Systems Security
Certification Consortium
https://www.isc2.org/

20. 20
Operations security (OPSEC) is a process that identifies critical information to determine
if friendly actions can be observed by adversary intelligence systems, determines if
information obtained by adversaries could be interpreted to be useful to them, and then
executes selected measures that eliminate or reduce adversary exploitation of friendly
critical information.

21. Construction of
Policies and Procedures
21

22. Security
Enterprise
Ecosystem
People
Processes
Core
Business
Technology

23. 23

24. Policy Framework
Implementation
Standards Procedures Protocols Guidelines
Policies
Directives You Shall
Overarching Management Direction
Regulations Strategy Standards Laws
24

25. Policies and Procedures
 Acceptable Use
 Access Control
 Accreditation
 Acquisition
 Business Continuity
 Certification
 Change Control Management
 Code of Ethics
 Confidentiality
 Data Classification
 Internet Use
25

26. System Architecture and Design
26

27. System Architecture Components
 Hardware
 Firmware
 Central Processing Units
 Input/Output Devices
 Software
 Architectural Structures
 Storage and Memory
27
Analyze security
risks, limitations, and
positive attributes of
each.

28. Open Source
 A study by Mitre corporation, sponsored by the Defense Information
Systems Agency, found extensive and diverse use of open software
at the DoD, with over 100 open products being used in more than
250 applications.
 Security applications were most noted as a reason open source
should be expanded.
 Widely used open security tools included SNORT, a light weight
intrusion detection tool used for plugging “network security holes
when new attacks emerge” and SARA, the security auditors
research Assistant, used for relatively straightforward network
security risk analyses. The MITRE report lists more than 100 open
source products that have demonstrated superior records of
security and reliability.
28

29. The Abdus Salam International Centre
for Theoretical Physics

30. System Security Risk Assessment
30

31. Risk Management Purpose
 The purpose of an organization’s risk management
process should be to protect the organization and it’s
ability to perform it’s mission-including but not limited
to its IT assets.
 Risk is a function of the likelihood of a given threat
source’s exercising a particular vulnerability and the
resulting impact of that adverse event.
NIST SP 800-30
www.csrc.nist.gov
31

32. Risk Analysis
Conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic
protected health information held by the
organization.
32

33. Details of a System Security Risk
Assessment
 Qualitative
 Scenario oriented
 No $$ values
 Ranking of threats
 Perform to the goal of reasonableness
 Quantitative
 Assign $$ values
 Resource extensive
 More difficult to determine
 Hybrid
33
International Information
Systems Security
Certification Consortium
https://www.isc2.org/

34. Risk Assessment SP 800-30
 Step 1 Characterization
 Step 2 Threat Identification
 Step 3 Vulnerability Identification
 Step 4 Control Analysis
 Step 5 Likelihood Determination
 Step 6 Impact Analysis
 Step 7 Risk Determination
 Step 8 Control Recommendations
 Step 9 Results Documentation
 Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has
been completed.
34

35. CMS Security Risk Analysis Process
Review existing
security of
protected health
information
Identify threats
and
vulnerabilities
Assess risks for
likelihood and
impact
Mitigate security
risks
Monitor results
35
CMS, Information Security
Overview,

36. 36

37. 10 Best Practices for the
Small Health Care Environment
 Use Strong Passwords and Change Them Regularly
 Passwords and Strong Authentication
 Install and Maintain Anti-Virus Software
 Use a Firewall
 Control Access to Protected Health Information
 Limit Network Access
 Plan for the Unexpected
 Maintain Good Computer Habits
 Software Maintenance
 Protect Mobile Devices
 Establish a Security Culture
37
CMS, Information Security Overview,
http://cms.gov/Research-Statistics-Data-and-
Systems/CMS-Information-
Technology/InformationSecurity/index.html?redirec
t=/InformationSecurity/

38. Security IT Issues and Solutions
38

39. Overview of Healthcare IT
Security Issues and Solutions
 Lack of Effective Ecosystem Governance
 Lack of Budget
 Lack of Appropriate Risk Assessment with CAP
 MU
 Core Objective and Measure 12
 Core Objective and Measure 15
 HIPAA Privacy and Security Federal Regulations
39

40. Overview of Healthcare IT
Security Issues and Solutions
 Attacks
 Vulnerabilities
 Complex Systems Change Control
 Doing More with Less
 Mobile and Wireless Technologies
 Outsourcing
40

41. HITRUST ™
 The Health Information Trust Alliance (HITRUST) was born out of the belief
that information security should be a core pillar of, rather than an obstacle to,
the broad adoption of health information systems and exchanges.
 HITRUST, in collaboration with healthcare, business, technology and
information security leaders, has established the Common Security
Framework (CSF), a certifiable framework that can be used by any and all
organizations that create, access, store or exchange personal health and
financial information.
 The CSF is an information security framework that harmonizes the
requirements of existing standards and regulations, including federal
(HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As
a framework, the CSF provides organizations with the needed structure,
detail and clarity relating to information security tailored to the healthcare
industry. The CSF is available through HITRUST Central.
41

42. Retain absolute faith that you can and will
prevail in the end, regardless of the
difficulties, and at the same time confront
the most brutal facts of your current reality,
whatever they might be.
(Jim Collins Good to Great)
42

43. Thought Questions
1. In your own experience, what are your
recommendations on the highest IT security
priorities?
2. Are there resources related to IT security that you
suggest must be given greater visibility?
3. What is your organization’s SWOT analysis tell
you?
43

44. References
 CMS, Information Security Overview, http://cms.gov/Research-
Statistics-Data-and-Systems/CMS-Information-
Technology/InformationSecurity/index.html?redirect=/InformationSec
urity/
 HITRUST, http://hitrustalliance.net/
 International Information Systems Security Certification Consortium
https://www.isc2.org/
 National Institute of Standards and Technology,
http://csrc.nist.gov/publications/PubsSPs.html
 Office of the National Coordinator,
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-
security-guide.pdf
44

45. References
 PHI Protection Network, Linked In Group
 PWC’s 2013 State of Info Security Survey,
http://www.pwc.com/gx/en/consulting-services/information-security-
survey/index.jhtml
 Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press).
Confidentiality, safety and security. In R. Nelson & N. Staggers,
Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
 The Betterly Report,
http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-
the-internet-security-alliance-and-some-startling-statistics-about-
privacy-security-in-the-health-care-
industry/?goback=%2Egde_4493923_member_223850708
 The Operations Security Professional’s Association,
http://www.opsecprofessionals.org/
45

46. SWOT-Analysis
• Identified Security Officer
• Tight Integration Between RolesStrengths
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Weaknesses
Opportunities
Threats
46

47. Thank You!
Contact us at:
4031 University Drive, Suite 100
Fairfax, Virginia 22030 P: 703-283-4678
E: awalker@optimizeitconsulting
www.optimizeitconsulting.com
OptimizeIT Consulting LLC is a proud
EDWOSB
Cage Code 6TH50