Security Risk Analyses Done Right



SLIDE 1

Slide Deck: http://goo.gl/BZkqHF Webex Support 1-866-229-3239 Event #299 749 291

“Security Risk Analyses Done Right”

A Complimentary Webinar From healthsystemCIO.com Sponsored by Fortified Health Solutions, A Santa Rosa Company Your Line Will Be Silent Until Our Event Begins at 12:00 ET Thank You!

SLIDE 2

Housekeeping

  • Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com
  • Ask A Question
    • We will be holding a Q&A session after the formal presentations.
    • You may submit your questions at any time by clicking on the QA panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”
  • Download the Deck
    • Download today's deck at: http://healthsystemcio.com/presentation/risk-analyses-webinar.pdf
    • Shortened URL at bottom of all slides
  • View the Archive
    • You will receive an email when our archive recording is ready.
    • Separate registration is required.

SLIDE 3

Agenda — Approximately 45 Minutes

  • 25-30 minutes: Chuck Podesta, CIO, UC Irvine Health
  • 5 minutes: A Word From Our Sponsor: Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company
  • 10-15 minutes: Q&A w/Chuck Podesta

SLIDE 4

“Security Risk Analyses Done Right”

SLIDE 5

Threats

VIRUSES, DATA LOSS, INAPPROPRIATE ACCESS, HACKERS, UNSAFE WEBSITES, PHISHING, SOCIAL ENGINEERING, WEAK PASSWORDS, BREACH OF INFORMATION

SLIDE 6

It’s not just HIPAA

  • Health Information Technology for Economic and Clinical Health (HITECH)

  • Health Information Trust Alliance (HITRUST)
  • Payment Card Industry (PCI)
  • National Institute of Standards and Technology (NIST)
  • International Organization for Standardization (ISO)
  • Federal Trade Commission (FTC)
  • State Laws

SLIDE 7

HITRUST

  • Common Security Framework (CSF)
  • Risk Assessment
  • Corrective Action Plan
  • Policy Management
  • Incident Management
  • Exception Management

SLIDE 8

Risk Assessment Harmonization

Goes Way Beyond Meaningful Use

  • Data Management
  • Network Segmentation
  • System Controls
  • Technical Controls
  • Encryption
  • Physical Controls
  • User Awareness
  • Audit and Monitoring
  • Risk Transfer

Current State Planned Minimal Optimal

SLIDE 9

Data Management

  • Sensitive Data Map
  • Structured and Unstructured ePHI
  • Credit Card Data
  • Data Lifecycle
  • Retention Program
  • Access
  • Audit
  • Minimal Necessary

SLIDE 10

Network Segmentation

  • LAN & WAN Segmentation
  • Important for PCI

SLIDE 11

System Controls

  • Computers
  • Desktops, Laptops, Servers
  • Mobile Devices
  • PDA/Tablets, USB/Flash, Phones/PDA
  • Removable Media
  • Backup Tapes and CDs
  • Peripherals
  • Printers, Copiers/Fax, Scanners

SLIDE 12

Technical Controls

  • Network Access
  • System Authentication
  • IDS/IPS
  • Vulnerability Assessment
  • Data Management
  • Data Loss Prevention (DLP)
  • Configuration Management
  • Server, Desktop, Network
  • Log Manager
  • Log Manager
  • SIEM

SLIDE 13

Encryption

  • Data At Rest
  • Database and File Storage
  • Backup tapes and the Cloud
  • Workstations and Laptops
  • Data In Motion
  • Email and FTP
  • USB/Flash and CDs
  • Tablets
  • Interfaces
  • Texting

SLIDE 14

User Awareness

  • Policy Education
  • Device Placement, Access, Auditing
  • Logoff
  • Encryption
  • Process Education
  • Encryption
  • Threat Awareness
  • Create Awareness Program
  • Home Use

SLIDE 15

Audit and Monitoring

  • Solutions
  • Network Management and network access controls
  • Data Loss Prevention
  • Log Management
  • Application Event Management
  • Database Managers
  • Email Auditor
  • SIEM

SLIDE 16

Risk Transfer

  • Financial
  • Cyber Insurance
  • ASP Services
  • Cloud Services
  • Vendor Managed Systems
  • Third Parties
  • CoLocation
  • Outsourcing
  • SaaS
  • Cloud

SLIDE 17

Keys to a Successful Plan

  • C-Suite Buy-in
  • You Can’t Do It Alone
  • Organizational Awareness
  • Funding for Technical Investments
  • A Breach is not IF but WHEN
  • Monitor Your BA Readiness
  • Implement Corrective Action Plans
  • Hire a CISO

SLIDE 18

“Security Risk Analyses Done Right”

Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company

SLIDE 19

What’s the biggest misstep for Covered Entities and Business Associates?

  • Failure to conduct a thorough Risk Analysis
  • Failure to address the results of a Comprehensive Risk Analysis

SLIDE 20

What to do with Risk Analysis Results

  • Prioritize the risk(s) if not already sorted in the report
  • Determine the effort it will take to remediate the risk(s)
  • Identify the staff members to participate in remediation efforts
  • Identify any outside resources to participate in remediation efforts

  • Extract the Administrative Risk(s)
  • Extract the Physical Risk(s)
  • Extract the Technical Risk(s)

SLIDE 21

What you’ll most likely need to prepare for…

  • The organization may not have adequate resources to complete the required remediation
  • The organization may not have the in-house skillset(s) to complete the required remediation
  • Remediation may require the organization to implement new policies & processes
    • Could equate to additional staff training, capital investment, governance, differences of opinion, stricter employee sanctions
  • Remediation may require the organization to implement new technologies
    • Could equate to increased budget(s), capital investment, skills training, outsourcing
  • Remediation will require the organization to implement on-going security processes

SLIDE 22

Q&A

Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”

SLIDE 23

Thank You!

  • Thanks to our featured speaker: Chuck Podesta
  • Thanks to our sponsor: Fortified Health Solutions, a Santa Rosa Company
  • You will receive an email when our archive recording is ready. (Separate registration is required)

  • CHIME CHCIO Credits – Attending our Webinars = 1 CEU
  • Questions/Comments – Anthony Guerra aguerra@healthsystemCIO.com

Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.