McMahon & Associates Clinical
Services Risk Management Strategy
Matthew J McMahon
Cybersecurity in Healthcare Administration
Salve Regina University
May 04, 2017
Contents
Executive Summary ... 3
About McMahon & Associates Clinical Services ... 3
CHAPTER ONE. Reducing Third Party Risk ... 3
CHAPTER TWO. Cyber Insurance ... 4
CHAPTER THREE. Workforce Development ... 5
CHAPTER FOUR. Risk Management Frameworks ... 6
CHAPTER FIVE. Secure Data Usage ... 7
Conclusion ... 8
Revision History ... 8
Executive Summary
In today’s day and age, cyber-attacks on hospitals are becoming more and more prevalent. Of all of the United States critical infrastructure sectors, healthcare is the one most targeted by persistent cyber-attacks.1 In a threat landscape where a medical record sells on the dark web for ten times what a credit card record does, it is imperative that McMahon & Associates Clinical Services create and implement a comprehensive Risk Management Strategy.2
About McMahon & Associates Clinical Services
McMahon & Associates Clinical Services is a small, twelve-provider clinical counseling service located in a small office at 123 Main Street in Sharon, Massachusetts. The organization rents office space in the same building as a law firm and a doctor’s office but is separated from these businesses by two sets of locked steel doors. The office receives patients on an appointment-only basis and operates between the hours of 8:00 AM EST and 8:00 PM EST. The facility utilizes the Athena Health cloud-based software platform for clinical documentation, scheduling, routine paperwork and billing purposes. It also utilizes Outlook for email.
CHAPTER ONE
Reducing Third Party Risk
McMahon & Associates Clinical Services has opted to utilize Athena Health as its cloud-based clinical documentation, scheduling and billing software solution. An extensive cloud usage strategy report has already been completed: the McMahon & Associates Clinical Services Cloud Usage Strategy Report.3 This risk management strategy paper will only touch on applicable highlights from that report. The McMahon & Associates Clinical Services Cloud Usage Strategy Report extensively details the criteria used for selecting Athena Health among the other vendors that were reviewed.4 Chilmark Research’s report EHR Vendors’ Capabilities for Interoperability was an essential tool in comparing and contrasting Athena Health with its ten closest competitors in terms of data privacy and security compliance, secure connection controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.5
1 Hacking Healthcare IT in 2016: Lessons the Healthcare Industry Can Learn From the OPM Breach. Institute for Critical Infrastructure Technology. (January 2016)
2 See note 1 above.
3 McMahon, Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report. (April 2017)
4 See note 1 above.
5 Chilmark Research. EHR Vendors’ Capabilities for Interoperability. (July 2015)
The driving force in the choice of Athena Health was its ability to essentially eliminate the need for a traditional IT department.6 This not only reduces overhead but also the liability associated with maintaining and securing a traditional IT infrastructure.7 The solution utilizes the software as a service (SaaS) cloud model, which allows for varying levels of role-based access.8 Providers access and enter patient health information (PHI) only after logging in to the password-protected, secure (https) Athena Health website over a secure internet connection.9
While Athena Health is typically thought of as a small electronic medical record (EMR) provider in light of its much larger competitors such as MEDITECH, EPIC and Cerner, its market share entails servicing over 62,000 providers and is steadily growing. Athena Health’s interfacing capabilities are well demonstrated by over 30 strategic interfacing partners and a full-time dedicated interface team that builds new links from Athena to other third party software vendors.10
Before making the final decision to choose Athena Health as the SaaS cloud-based EMR vendor for McMahon & Associates, a risk assessment was completed per the specifications laid out by the National Institute of Standards and Technology (NIST).11 This risk assessment included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown, Massachusetts, where decision makers were given a tour of the campus and provided detailed descriptions of secure offsite data storage facilities.12
After reviewing the vendor’s applicable security documentation for its SaaS cloud-based EMR system, which included the industry standard Manufacturer Disclosure Statement for Medical Device Security (MDS2) and a product-specific security whitepaper, both of which have been kept on file, it was determined that the software solution meets all relevant regulatory compliance measures defined in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.13
6 ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud.
7 See note 5 above.
8 Cloud Computing Standards Council. Impact of Cloud Computing on Healthcare. (November 2012)
9 Murphy, Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal, March 5 (2015)
10 Athenahealth. What Cloud-based Services Can Do for Your Medical Practice Whitepaper. (January 2012)
11 See note 3 above.
12 AthenaHealth Website https://www.athenahealth.com
13 See note 3 above.
CHAPTER TWO
Cyber Insurance
Cyber liability is a major concern for healthcare providers. Most general healthcare provider insurance policies exclude liability coverage associated with cybersecurity.14 Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape, improving patient privacy protections and underwriting the risk associated with operating a healthcare organization.15 General security requirements as a precursor to insurability, and the ability to conduct timely and efficient security audits, will revolutionize the healthcare sector in the future, driving new legislation and best practice guidance.16
14 Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report. (2011)
Some liability is transferred from McMahon & Associates to Athena Health by the use of a third party, cloud-based SaaS EMR system hosted by Athena Health, as Athena then becomes a “business associate” of McMahon & Associates and inherits certain responsibilities for data protection under HIPAA.17 Even with the utilization of a third party cloud-based EMR, the acquisition of cyber insurance is strongly recommended. It has the potential to cover the organization should PHI be compromised via Outlook or other business tools, or if office property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third party or business associate such as Athena Health.
It should be noted, though, that irresponsible data protection behavior, such as sending PHI via unencrypted email or leaving an unencrypted laptop in a car which is then stolen, may not be covered by cyber insurance, as the incident does not meet the insurance provider’s minimum protection requirements.
15 McArdle, Jennifer. Incident Response and Cyber Insurance. (Presentation, Salve Regina University, Newport, RI 2016)
16 Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings. (May 2016)
17 See note 9 above.
CHAPTER THREE
Workforce Development
In the cybersecurity realm the weakest link is often the human factor. In response to this, even a small twelve-practitioner clinical office needs to incorporate a cybersecurity workforce development program. There is currently a massive shortage of skilled cybersecurity professionals in the industry.18 This shortage makes internal training programs all the more imperative. As McMahon & Associates is a small office, the third party online cybersecurity training vendor Pluralsight will be utilized for employee cybersecurity training, with specific courses required at the beginning of employment and refreshers every six months thereafter.19
The vendor offers comprehensive security trainings delivered in an interesting and interactive video format. The Pluralsight requirements for employees will be managed by President and de facto IT manager Matthew McMahon. Coming from the corporate cybersecurity realm, Matthew holds various security certifications and regularly stays abreast of new security developments and trends by attending security conferences as well as subscribing to popular security publications.
Another important component of training is the consideration of third parties’ training processes, as evidenced by the now infamous Target hack, which was the result of an improperly trained third party vendor employee clicking on a link in an email that launched an attack.20 Having extensively assessed the security training methods of Athena Health employees via Athena’s product security whitepapers, it appears that the company has done its due diligence in training its employees in cyber protections.21
18 Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security.
19 Pluralsight. https://www.pluralsight.com/
20 Ormes, Eric and Herr, Trey. Understanding Information Assurance. (October 2016)
21 See note 9 above.
CHAPTER FOUR
Risk Management Frameworks
McMahon & Associates Clinical Services understands that a large part of staying secure means keeping up to date with industry standards. The organization recognizes and adheres to the following security frameworks: the Common Security Framework (CSF), the Health Information Trust Alliance (HITRUST) as well as the International Organization for Standardization (ISO).22 Employee security trainings specifically target the content recommended by these advisory bodies.
The organization also aims to adhere to all relevant legislation, FDA guidance documents and mandates. Notably, these documents include Executive Order 13636, which calls for the protection of our nation’s critical infrastructure, including the healthcare sector.23 This Executive Order directly contributed to FDA guidance documents that describe medical software and device best practices: Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff.24 Also pertinent is Executive Order 13691, which calls for the sharing of cyber defense information among government entities and for-profit companies.25 While McMahon & Associates has not directly engaged in the sharing of security related information in an industry forum, it realizes the eventual need for this and will participate in future discussions with other small businesses and government entities.
While there has been some debate on this, McMahon & Associates concludes that medical software (Athena Health) should be classified as a “medical device,” and in so doing also adheres to the following FDA guidance documents that describe best practices: Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff26 as well as the Guidance for Industry Part 11, Electronic Records; Electronic Signatures, Scope and Application. The NIST document Framework for Improving Critical Infrastructure Cybersecurity is also relevant.27 In addition to these general guidance documents, McMahon & Associates has adopted the Advanced Cybersecurity Group List Checklist as its model for measuring and quantifying risk assessment, and used this form during the review process of Athena Health as its SaaS cloud-based EMR solution.28
22 See note 4 above.
23 Executive Order 13636—Improving Critical Infrastructure Cybersecurity
24 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff
25 Executive Order 13691—Promoting Private Sector Cybersecurity Information Sharing
26 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff
27 FDA. Framework for Improving Critical Infrastructure Cybersecurity
McMahon & Associates regularly conducts security threat and risk assessments (TRAs) on the tools it utilizes, such as Athena Health for clinical documentation as well as Outlook for secure email, among others. When completing these assessments it uses the Common Vulnerability Scoring System v3.0.29 These TRAs are completed by President and de facto IT manager Matthew McMahon, who, consistent with risk management framework guidance, has been designated the responsible person to manage cyber security for the system. In his absence, responsibility and decision making in the realm of cyber security pass to company Vice President Carl Jung, who has been properly trained as the President’s backup, currently holds the CompTIA Security+ and Network+ certifications, and has attended the SANS SEC401 Security Bootcamp course.
28 Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist. (May 27, 2015)
29 Common Vulnerability Scoring System v3.0 Specification Document. www.First.org
CHAPTER FIVE
Secure Data Usage
Secure data usage is a top priority for McMahon & Associates. A study recently completed by the Ponemon Institute showed that, of the employees sampled, over one third admitted that they were aware of coworkers who were not adhering to proper company data usage policies and were sharing restricted data outside of their company’s firewall.30 To assure data protection, the organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality, Integrity and Availability of data.
Security relating to confidentiality is partially handled by our business partner Athena Health, which manages the EMR. Because of this relationship, Athena Health is responsible for securing all hardware and database configurations. McMahon & Associates’ responsibilities lie in assuring secure access and proper access control utilizing the least privilege model. Users accessing Athena Health’s online portal should create robust passwords that are regularly updated.31 Employees who have left McMahon & Associates should have their access revoked immediately.
PHI should only be emailed when absolutely necessary, and when necessary should utilize encryption and two factor authentication, which requires both a password and a public key infrastructure (PKI) card to access. All paper PHI should be shredded. All company phones and laptops used to access patient data shall utilize encryption. McMahon and Associates has a firm no bring your own device (BYOD) policy for accessing patient data.
The integrity component of McMahon & Associates’ data usage policy is again largely handled by our business associate Athena Health, which utilizes checksum technology to assure that data entered by a software user is uploaded correctly. The utilization of an EMR is in itself a method to protect the integrity of data. All data is entered into the Athena Health system and displayed clearly. Audit logging shows who entered data and when. Most data is not able to be edited, but where editing is allowed for certain features such as clinical notes, that information is logged and auditable.32
The availability component of the triad was one of the main driving factors in deciding to utilize Athena Health as an EMR. McMahon & Associates’ data is backed up to several different databases on various secure servers scattered around the globe, so the risk of the software being unavailable is low. In the event of the software system being down, staff are to return to a paper documentation system until the system is back online. As the office is a clinical counseling practice and does not practice emergency medicine, nor does it administer medication, the risk associated with documenting on paper is minimal.33
30 Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute. (October 2014)
31 McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information. (Presentation, Salve Regina University, Newport, RI 2016)
32 See note 5 above.
33 Ibid.
Conclusion
It is the goal of McMahon & Associates Counseling Services not only to provide the highest quality of clinical care to our customers but also to prioritize the security of our customers’ protected health information. It is our belief that this risk management strategy report is a step towards that goal, but the organization understands that to achieve a robust security posture an organization and its policies must be fluid and keep up with the threat landscape. This document is meant to be general guidance and is not all-encompassing.
Review Process
This document shall be reviewed and updated once a year during the month of May. A record of reviews, edits and updates shall be recorded below for posterity.
Revision  Date        Author(s) (Changed By)  Change(s)
00        2017-05-04  Matthew J McMahon       Initial version
01
02
03
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
 
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
 
HCA 530, Week 2, Advanced persistent threat healthcare under attack
HCA 530, Week 2, Advanced persistent threat healthcare under attackHCA 530, Week 2, Advanced persistent threat healthcare under attack
HCA 530, Week 2, Advanced persistent threat healthcare under attack
 
Case brief US v batti
Case brief US v battiCase brief US v batti
Case brief US v batti
 
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
The Top Five Essential Cybersecurity Protections for Healthcare FacilitiesThe Top Five Essential Cybersecurity Protections for Healthcare Facilities
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
 
Can international organizations like the IMF control the externality costs of...
Can international organizations like the IMF control the externality costs of...Can international organizations like the IMF control the externality costs of...
Can international organizations like the IMF control the externality costs of...
 

Recently uploaded

Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Miss joya
 
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...Call Girls Noida
 
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service DehradunDehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service DehradunNiamh verma
 
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...Niamh verma
 
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Call Girls Service Chandigarh Ayushi
 
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130  Available With RoomVIP Kolkata Call Girl New Town 👉 8250192130  Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Roomdivyansh0kumar0
 
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...Gfnyt
 
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service GurgaonCall Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service GurgaonCall Girls Service Gurgaon
 
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real MeetChandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meetpriyashah722354
 
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅gragmanisha42
 
Russian Call Girls Gurgaon Swara 9711199012 Independent Escort Service Gurgaon
Russian Call Girls Gurgaon Swara 9711199012 Independent Escort Service GurgaonRussian Call Girls Gurgaon Swara 9711199012 Independent Escort Service Gurgaon
Russian Call Girls Gurgaon Swara 9711199012 Independent Escort Service GurgaonCall Girls Service Gurgaon
 
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...High Profile Call Girls Chandigarh Aarushi
 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaRussian Call Girls in Ludhiana
 
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In ChandigarhHot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In ChandigarhVip call girls In Chandigarh
 
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋Sheetaleventcompany
 

Recently uploaded (20)

Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
Vip Kolkata Call Girls Cossipore 👉 8250192130 ❣️💯 Available With Room 24×7
 
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
pOOJA sexy Call Girls In Sector 49,9999965857 Young Female Escorts Service In...
 
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service DehradunDehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
Dehradun Call Girls Service ❤️🍑 8854095900 👄🫦Independent Escort Service Dehradun
 
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
 
Russian Call Girls in Dehradun Komal 🔝 7001305949 🔝 📍 Independent Escort Serv...
Russian Call Girls in Dehradun Komal 🔝 7001305949 🔝 📍 Independent Escort Serv...Russian Call Girls in Dehradun Komal 🔝 7001305949 🔝 📍 Independent Escort Serv...
Russian Call Girls in Dehradun Komal 🔝 7001305949 🔝 📍 Independent Escort Serv...
 
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...Jalandhar  Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
Jalandhar Female Call Girls Contact Number 9053900678 💚Jalandhar Female Call...
 
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130  Available With RoomVIP Kolkata Call Girl New Town 👉 8250192130  Available With Room
VIP Kolkata Call Girl New Town 👉 8250192130 Available With Room
 
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
 
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
College Call Girls Dehradun Kavya 🔝 7001305949 🔝 📍 Independent Escort Service...
 
Call Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service Guwahati
Call Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service GuwahatiCall Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service Guwahati
Call Girl Guwahati Aashi 👉 7001305949 👈 🔝 Independent Escort Service Guwahati
 
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service GurgaonCall Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
Call Girl Gurgaon Saloni 9711199012 Independent Escort Service Gurgaon
 
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real MeetChandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
Chandigarh Call Girls 👙 7001035870 👙 Genuine WhatsApp Number for Real Meet
 
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
Russian Call Girls Kota * 8250192130 Service starts from just ₹9999 ✅
 
Russian Call Girls Gurgaon Swara 9711199012 Independent Escort Service Gurgaon
Russian Call Girls Gurgaon Swara 9711199012 Independent Escort Service GurgaonRussian Call Girls Gurgaon Swara 9711199012 Independent Escort Service Gurgaon
Russian Call Girls Gurgaon Swara 9711199012 Independent Escort Service Gurgaon
 
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
Call Girls Service Chandigarh Grishma ❤️🍑 9907093804 👄🫦 Independent Escort Se...
 
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In LudhianaHot  Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
Hot Call Girl In Ludhiana 👅🥵 9053'900678 Call Girls Service In Ludhiana
 
#9711199012# African Student Escorts in Delhi 😘 Call Girls Delhi
#9711199012# African Student Escorts in Delhi 😘 Call Girls Delhi#9711199012# African Student Escorts in Delhi 😘 Call Girls Delhi
#9711199012# African Student Escorts in Delhi 😘 Call Girls Delhi
 
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In ChandigarhHot  Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
Hot Call Girl In Chandigarh 👅🥵 9053'900678 Call Girls Service In Chandigarh
 
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Chandigarh Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
💚😋Kolkata Escort Service Call Girls, ₹5000 To 25K With AC💚😋
 

McMahon & Associates Risk Management Strategy

McMahon & Associates Clinical Services has opted to utilize Athena Health as their cloud based clinical documentation, scheduling and billing software solution. An extensive cloud usage strategy report has already been completed in the McMahon & Associates Clinical Services Cloud Usage Strategy Report.[3] This risk management strategy paper will only touch on applicable highlights from that report.

The McMahon & Associates Clinical Services Cloud Usage Strategy Report extensively details the criteria used for selecting Athena Health among the other vendors that were reviewed.[4] Chilmark Research’s EHR Vendors’ Capabilities for Interoperability report was an essential tool in comparing and contrasting Athena Health with its ten closest competitors in terms of data privacy and security compliance, secure connection controls, pricing structure, customer reviews, satisfaction ratings and overall functionality.[5]

The driving force in the choice of Athena Health was its ability to essentially eliminate the need for a traditional IT department.[6] This not only reduces overhead but also the liability associated with maintaining and securing a traditional IT infrastructure.[7] The solution utilizes the software as a service (SaaS) cloud model, which allows for varying levels of role based access.[8] Providers access and enter patient health information (PHI) only after accessing the password protected, secure (https) Athena Health website over a secure internet connection.[9] While Athena Health is typically thought of as a small electronic medical record (EMR) provider in light of its much larger competitors such as MEDITECH, EPIC and Cerner, its market share entails servicing over 62,000 providers and is steadily growing. Athena Health’s interfacing capabilities are well demonstrated with over 30 strategic interfacing partners and a fulltime dedicated interface team to build new links from Athena to other third party software vendors.[10]

Before making the final decision to choose Athena Health as the SaaS cloud based EMR vendor for McMahon & Associates, a risk assessment was completed per the specifications laid out by the National Institute of Standards and Technology (NIST).[11] This risk assessment included visiting the Athena Health facilities located at 311 Arsenal Street in Watertown, Massachusetts, where decision makers were given a tour of the campus and provided detailed descriptions of secure offsite data storage facilities.[12] After reviewing the vendor’s applicable security documentation for its SaaS cloud based EMR system, which included the industry standard manufacturer disclosure statement for medical device security (MDS2) and a product specific security whitepaper, both of which have been kept on file, it was determined that the software solution meets all relevant regulatory compliance measures defined in the Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.[13]

CHAPTER TWO
Cyber Insurance

Cyber liability is a major concern for healthcare providers. Most general healthcare provider insurance policies exclude liability coverage associated with cybersecurity.[14] Cybersecurity insurance is filling this gap and will drastically change the hospital IT landscape, improving patient privacy protections and underwriting the risk associated with operating a healthcare organization.[15] General security requirements as a precursor to insurability and the ability to conduct timely and efficient security audits will revolutionize the healthcare sector in the future, driving new legislation and best practice guidance.[16]

Some liability is transferred from McMahon & Associates to Athena Health by the use of a third party, cloud based SaaS EMR system hosted by Athena Health, as Athena then becomes a “business associate” of McMahon & Associates and inherits certain responsibilities for data protection under HIPAA.[17] Even with the utilization of a third party cloud based EMR, the acquisition of cyber insurance is strongly recommended. It has the potential to cover the organization should PHI be compromised via Outlook or other business tools, or if office property is stolen and breached. Cyber insurance may also cover a breach or data loss by a third party or business associate such as Athena Health. It should be noted, though, that irresponsible data protection behavior, such as sending PHI via unencrypted email or leaving an unencrypted laptop in a car which is then stolen, may not be covered by cyber insurance, as the incident does not meet the insurance provider’s minimum protection requirements.

CHAPTER THREE
Workforce Development

In the cybersecurity realm the weakest link is often the human factor. In response to this, even a small twelve practitioner clinical office needs to incorporate a cybersecurity workforce development program. In the industry currently there is a massive shortage of skilled cybersecurity professionals.[18] This shortage makes internal training programs all the more imperative.

As McMahon & Associates is a small office, the third party online cybersecurity training vendor Pluralsight will be utilized for employee cybersecurity training, with specific courses required at the beginning of employment and refreshers every six months thereafter.[19] The vendor offers comprehensive security trainings delivered in an interesting and interactive video format. The Pluralsight requirements for employees will be managed by President and de facto IT manager Matthew McMahon. Coming from the corporate cybersecurity realm, Matthew holds various certifications in the security realm and regularly stays abreast of new security developments and trends by attending security conferences as well as subscribing to popular security publications.

Another important component of training is the consideration of third parties’ training processes, as evidenced by the now infamous Target hack, which was the result of an improperly trained third party vendor employee clicking on a link in an email that launched an attack.[20] Having extensively assessed the security training methods of Athena Health employees via Athena’s product security whitepapers, it appears that the company has done its due diligence in training its employees in cyber protections.[21]

CHAPTER FOUR
Risk Management Frameworks

McMahon & Associates Clinical Services understands that a large part of staying secure means keeping up to date with industry standards. The organization recognizes and adheres to the following security policies: the Common Security Framework (CSF), the Health Information Trust Alliance (HITRUST) and the International Organization for Standardization (ISO).[22] Employee security trainings specifically target content recommended by these advisory bodies.

The organization also aims to adhere to all relevant legislation, FDA guidance documents and mandates. Notably, these documents include Executive Order 13636, which calls for the protection of our nation’s critical infrastructure, to include the healthcare sector.[23] This Executive Order directly contributed to FDA guidance documents that describe medical software and device best practices: Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff.[24] Also pertinent is Executive Order 13691, which calls for the sharing of cyber defense information among government entities and for-profit companies.[25] While McMahon & Associates has not directly engaged in the sharing of security related information in an industry forum, it realizes the eventual need for this and will participate in future discussions with other small businesses and government entities.

While there has been some debate on this, McMahon & Associates concludes that medical software (Athena Health) should be classified as a “medical device,” and in so doing also adheres to the following FDA guidance documents that describe best practices: Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff,[26] as well as the Guidance for Industry Part 11, Electronic Records; Electronic Signatures, Scope and Application. The NIST document Framework for Improving Critical Infrastructure Cybersecurity is also relevant.[27] In addition to these general guidance documents, McMahon & Associates has adopted the Advanced Cybersecurity Group List Checklist as its model for measuring and quantifying risk assessment and used this form during the review process of Athena Health as its SaaS cloud based EMR solution.[28]

McMahon & Associates regularly conducts security threat and risk assessments (TRAs) on the tools it utilizes, such as Athena Health for clinical documentation as well as Outlook for secure email, among others. When completing these assessments it uses the Common Vulnerability Scoring System v3.0.[29] These TRAs are completed by President and de facto IT manager Matthew McMahon, who, congruent with risk management framework guidance, has been deemed the responsible person to manage cyber security for the system. In his absence, responsibility and decision making in the realm of cyber security are passed along to company Vice President Carl Jung, who has been properly trained as the President’s backup, currently holds the following certifications: CompTIA Security+ and Network+, and has attended the SANS SEC401 Security Bootcamp course.

CHAPTER FIVE
Secure Data Usage

Secure data usage is a top priority for McMahon & Associates. A study recently completed by the Ponemon Institute showed that, of the employees sampled, over one third admitted that they were aware of coworkers who were not adhering to proper company data usage policies and were sharing restricted data outside of their company’s firewall.[30] To assure data protection, the organization has crafted its data usage policy to closely follow the CIA triad of Confidentiality, Integrity and Availability of data.

Security relating to confidentiality is partially handled by our business partner Athena Health, which manages the EMR. Because of this relationship, Athena Health is responsible for securing all hardware and database configurations. McMahon & Associates’ responsibilities lie in assuring secure access and proper access control utilizing the least privilege model. Users accessing Athena Health’s online portal should create robust passwords that are regularly updated.[31] Employees no longer in the employ of McMahon & Associates should have their access immediately revoked. PHI should only be emailed when absolutely necessary and, when necessary, utilizing encryption and two factor authentication, which requires both a password and a public key identification (PKI) card to access. All paper PHI should be shredded. All company phones and laptops used to access patient data shall utilize encryption. McMahon & Associates has a firm no bring your own device (BYOD) policy for accessing patient data.

The integrity component of McMahon & Associates’ data usage policy is again largely handled by our business associate Athena Health, which utilizes checksum technology to assure that data entered by a software user is uploaded correctly. The utilization of an EMR is in itself a method to protect the integrity of data. All data is entered into the Athena Health system and displayed clearly. Audit logging shows who entered data and when. Most data cannot be edited, but where editing is allowed for certain features such as clinical notes, that information is logged and auditable.[32]

The availability component of the triad was one of the main driving factors in deciding to utilize Athena Health as an EMR. McMahon & Associates’ data is backed up to several different databases on various secure servers scattered around the globe, so the risk of the software being unavailable is low. In the event of the software system being down, staff are to return to a paper documentation system until the system is back online. As the office is a clinical counseling practice and does not practice emergency medicine, nor does it administer medication, the risk associated with documenting on paper is minimal.[33]

Conclusion

It is the goal of McMahon & Associates Counseling Services to not only provide the highest quality of clinical care to our customers but to also prioritize the security of our customers’ protected health information. It is our belief that this risk management strategy report is a step towards that goal, but we understand that to achieve a robust security posture an organization and its policies must be fluid and keep up with the threat landscape. This document is meant to be general guidance and is not all-encompassing.

Review Process

This document shall be reviewed and updated once a year during the month of May. A record of reviews, edits and updates shall be recorded below for posterity.

Revision  Date        Author(s) (Changed By)  Change(s)
00        2017-05-04  Matthew J McMahon       Initial version
01
02
03

Notes

1 Hacking Healthcare IT in 2016: Lessons the Healthcare Industry can Learn From the OPM Breach. Institute for Critical Infrastructure Technology. (January 2016)
2 See note 1 above.
3 McMahon, Matthew. McMahon & Associates Clinical Services Cloud Usage Strategy Report. (April 2017)
4 See note 1 above.
5 Chilmark Research. EHR Vendors’ Capabilities for Interoperability. (July 2015)
6 ClearDATA. Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud.
7 See note 5 above.
8 Cloud Computing Standards Council. Impact of Cloud Computing on Healthcare. (November 2012)
9 Murphy, Sean. Healthcare Information Security and Privacy. Frankfurt: Wall Street Journal, March 5 (2015)
10 Athenahealth. What Cloud-based Services Can Do for Your Medical Practice Whitepaper. (January 2012)
11 See note 3 above.
12 AthenaHealth website, https://www.athenahealth.com
13 See note 3 above.
14 Schinnerer, Victor O. Protecting Hospitals and Healthcare Operations from Cyber Liability. Healthcare Report. (2011)
15 McArdle, Jennifer. Incident Response and Cyber Insurance. (Presentation, Salve Regina University, Newport, RI, 2016)
16 Yaraghi, Niam. Hackers, Phishers and Disappearing Thumb Drives: Lessons Learned From Major Healthcare Breaches. Brookings. (May 2016)
17 See note 9 above.
18 Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills. Intel Security.
19 Pluralsight. https://www.pluralsight.com/
20 Ormes, Eric and Herr, Trey. Understanding Information Assurance. (October 2016)
21 See note 9 above.
22 See note 4 above.
23 Executive Order 13636—Improving Critical Infrastructure Cybersecurity
24 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff
25 Executive Order 13691—Promoting Private Sector Cybersecurity Information Sharing
26 FDA. Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff
27 FDA. Framework for Improving Critical Infrastructure Cybersecurity
28 Spidalieri, Francesca and Hancock, Geoff. Advanced Cybersecurity Group List Checklist. (May 27, 2015)
29 Common Vulnerability Scoring System v3.0 Specification Document. www.First.org
30 Breaking Bad: The Risk of Unsecure File Sharing. Ponemon Institute. (October 2014)
31 McArdle, Jennifer. Cybersecurity Fundamentals and Digital Health Information. (Presentation, Salve Regina University, Newport, RI, 2016)
32 See note 5 above.
33 Ibid.