Security Risk Analyses Done Right
Posted on 27-Jul-2018
Slide Deck: http://goo.gl/BZkqHF
Webex Support 1-866-229-3239
Event #299 749 291
“Security Risk Analyses Done Right”
A Complimentary Webinar From healthsystemCIO.com
Sponsored by Fortified Health Solutions, A Santa Rosa Company
Your Line Will Be Silent Until Our Event Begins at 12:00 ET
Thank You!
Housekeeping
• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com
• Ask A Question
  • We will be holding a Q&A session after the formal presentations.
  • You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”
• Download the Deck
  • Download today's deck at: http://healthsystemcio.com/presentation/risk-analyses-webinar.pdf
  • Shortened URL at bottom of all slides
• View the Archive
  • You will receive an email when our archive recording is ready.
  • Separate registration is required.
Agenda — Approximately 45 Minutes
• 25-30 minutes: Chuck Podesta, CIO, UC Irvine Health
• 5 minutes: A Word From Our Sponsor: Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company
• 10-15 minutes: Q&A w/Chuck Podesta
“Security Risk Analyses Done Right”
Threats
VIRUSES
DATA LOSS
INAPPROPRIATE ACCESS
HACKERS
UNSAFE WEBSITES
PHISHING
SOCIAL ENGINEERING
WEAK PASSWORDS
BREACH OF INFORMATION
It’s not just HIPAA
• Health Information Technology for Economic and Clinical Health (HITECH)
• Health Information Trust Alliance (HITRUST)
• Payment Card Industry (PCI)
• National Institute of Standards and Technology (NIST)
• International Organization for Standardization (ISO)
• Federal Trade Commission (FTC)
• State Laws
HITRUST
• Common Security Framework (CSF)
  • Risk Assessment
  • Corrective Action Plan
  • Policy Management
  • Incident Management
  • Exception Management
Risk Assessment Harmonization
Goes Way Beyond Meaningful Use
• Data Management
• Network Segmentation
• System Controls
• Technical Controls
• Encryption
• Physical Controls
• User Awareness
• Audit and Monitoring
• Risk Transfer
[Slide chart: each area above is rated on a Current State vs. Planned axis and a Minimal vs. Optimal axis]
Data Management
• Sensitive Data Map
  • Structured and Unstructured ePHI
  • Credit Card Data
• Data Lifecycle
  • Retention Program
  • Access
  • Audit
  • Minimal Necessary
Network Segmentation
• LAN & WAN Segmentation
  • Important for PCI
System Controls
• Computers
  • Desktops, Laptops, Servers
• Mobile Devices
  • PDA/Tablets, USB/Flash, Phones/PDA
• Removable Media
  • Backup Tapes and CDs
• Peripherals
  • Printers, Copiers/Fax, Scanners
Technical Controls
• Network Access
  • System Authentication
  • IDS/IPS
  • Vulnerability Assessment
• Data Management
  • Data Loss Prevention (DLP)
• Configuration Management
  • Server, Desktop, Network
• Log Manager
  • SIEM
Encryption
• Data At Rest
  • Database and File Storage
  • Backup tapes and the Cloud
  • Workstations and Laptops
• Data In Motion
  • Email and FTP
  • USB/Flash and CDs
  • Tablets
  • Interfaces
  • Texting
User Awareness
• Policy Education
  • Device Placement, Access, Auditing
  • Logoff
  • Encryption
• Process Education
  • Encryption
• Threat Awareness
  • Create Awareness Program
  • Home Use
Audit and Monitoring
• Solutions
  • Network Management and network access controls
  • Data Loss Prevention
  • Log Management
  • Application Event Management
  • Database Managers
  • Email Auditor
  • SIEM
Risk Transfer
• Financial
  • Cyber Insurance
  • ASP Services
  • Cloud Services
  • Vendor Managed Systems
• Third Parties
  • CoLocation
  • Outsourcing
  • SaaS
  • Cloud
Keys to a Successful Plan
• C-Suite Buy-in
• You Can’t Do It Alone
• Organizational Awareness
• Funding for Technical Investments
• A Breach is not IF but WHEN
• Monitor Your BA Readiness
• Implement Corrective Action Plans
• Hire a CISO
“Security Risk Analyses Done Right”
Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company
HIPAA Security, Privacy & Breach Compliance - What Health Executives Need to Know
What’s the biggest misstep for Covered Entities and Business Associates?
• Failure to conduct a thorough Risk Analysis
• Failure to address the results of a Comprehensive Risk Analysis
What to do with Risk Analysis Results
• Prioritize the risk(s) if not already sorted in the report
• Determine the effort it will take to remediate the risk(s)
• Identify the staff members to participate in remediation efforts
• Identify any outside resources to participate in remediation efforts
[Slide diagram: Extract the Administrative Risk(s), Extract the Physical Risk(s), Extract the Technical Risk(s)]
What you’ll most likely need to prepare for…
• The organization may not have adequate resources to complete the required remediation
• The organization may not have the in-house skillset(s) to complete the required remediation
• Remediation may require the organization to implement new policies & processes
  • Could equate to additional staff training, capital investment, governance, differences of opinion, stricter employee sanctions
• Remediation may require the organization to implement new technologies
  • Could equate to increased budget(s), capital investment, skills training, outsourcing
• Remediation will require the organization to implement on-going security processes
Q&A
Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”
Thank You!
• Thanks to our featured speaker: Chuck Podesta
• Thanks to our sponsor: Fortified Health Solutions, a Santa Rosa Company
• You will receive an email when our archive recording is ready. (Separate registration is required)
• CHIME CHCIO Credits – Attending our Webinars = 1 CEU
• Questions/Comments – Anthony Guerra aguerra@healthsystemCIO.com
Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.