Archive for May, 2014

One of the biggest threats for organizations today is the threat of the unknown. For many IT departments and Security Teams, it is a constant battle to know your enemy and protect the organization’s assets from being stolen or corrupted. Not long ago, installing a firewall for the network and anti-virus on workstations was adequate protection. Times have changed, and building a security program requires planning, specifically a good balance of Strategic, Tactical and Operational planning.

Strategic planning is all about allocating the right resources to satisfy long-term goals and protecting the data that helps make your organization valuable. As Darren Dannen explains, “Strategic planning is an organization’s process of defining its strategy or direction and making decisions about allocating its resources to pursue this strategy.” The decisions come mostly from management and are the guiding principles for everyday decisions made throughout the organization. Things to consider would include: What is important to protect? What needs to be monitored? How would you respond to threats? And how do you determine if you need outside assistance?

With these decisions made, the next step is to address Tactical planning, or the implementation of your organization’s strategy. The key here is building a security operations structure that is clear and effective in helping identify and stop attacks. One of the most important aspects of Tactical planning is clearly defining the proper roles within management and your security teams to define the structure of the organization. For healthcare organizations, that means stating who the Security Officer is and outlining Emergency Response Teams to react during a breach or security incident. The next step in Tactical planning is addressing training and techniques. This is when your organization establishes administrative, technological, operational, and analytical procedures to support both immediate and long-term goals.

In support of Strategic and Tactical planning is Operational planning. These activities revolve around protecting information assets through everyday tasks. According to Darren Dannen, there are five basic functions to plan for:

  1. Vulnerability management
  2. Device management
  3. Monitoring
  4. Threat Analysis
  5. Incident Response

Some key areas to address within these functions include patch management, vulnerability scanning, log auditing, and risk mitigation. This planning process does not happen overnight and can require extra resources to get off the ground. If your organization needs assistance, contact RISC Management. Remember that the first step in establishing any security program is a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

Sponsored by: RISC Management, www.RISCsecurity.com

References

Implementing Information Security in Healthcare: Building a Security Program

Chris Heuman, the Practice Leader for RISC Management and Consulting, will be presenting at the AGENTS of CHANGE Amerinet Member Conference 2014.

When: May 20-23

Where: Paris Hotel, Las Vegas, Nevada

Topic: Moving Healthcare Data to Secure Cloud Environments

Chris will join key partners to present to the 2014 Amerinet Member Conference.

Register Today: http://www.amerinet-gpo.com/news/Member-Conference/Pages/default.aspx

Fraud Summit 2014, presented by Information Security Media Group (ISMG)

When: May 14, 2014

Where: Westin Chicago River North

Focus: Account takeover, payment card fraud, and emerging mobile threats

With registration, attendees will:

  • Take away key fraud prevention action items from the top fraud experts
  • Earn up to eight hours of continuing professional education (CPE) credits
  • Network with peers
  • View exclusive research material on emerging threats and countermeasures

Visit link for registration: http://www.ismgcorp.com/fraud-summit/chicago/registration

Read a short blog post written in 2012 by RISC Management and Consulting, LLC Practice Leader Chris Heuman:

“Any organization that creates, collects, stores, processes, transmits, archives, or deletes sensitive information about an individual, must prepare for a Data Breach before it occurs. To address Data Breach response planning after the breach occurs is costly and potentially a game-ender for some companies.”

Follow the link: http://hipaaprivacyandsecurity.blog.com/category/news/

In the most recent disciplinary action by the Office for Civil Rights regarding a HIPAA Data Breach, the OCR has set a new record for cost per affected individual and total fine amount. A breach affecting 6,800 individuals resulted in $4.8 million in fines, or almost $706 per affected individual, in addition to an intensive and costly corrective action plan.

Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

For information about the basics of HIPAA Security Risk Analysis and Risk Management, as well as other compliance tips, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training

The New York and Presbyterian Hospital Resolution Agreement may be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf

The Columbia University Resolution Agreement may be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf