Archive for the ‘Business Continuity’ Category

Promote the National Cyber Security Awareness Month (NCSAM). Get involved and do your part! This is a job for everyone, make an effort to care! The theme for this year is “Our Shared Responsibility”. NCSAM will be observed in October, but make it part of your practice to start today.

Top 5 Reported Cyber Scams

 

 

Staff can do

 

For more information on keeping current on cybersecurity, vulnerabilities, data loss prevention, managing risks, and workforce members training, Contact RISC Management and Consulting, LLC at 800.648.4358 or visit www.RISCsecurity.com

To learn more about Cyber Security visit: https://www.staysafeonline.org/ncsam/landing-page/

 

Come visit with RISC at HIMSS15 in Chicago!

Booth 8175 – Cybersecurity Command Center, a HIMSS Knowledge Center

RISC and Virtual Auditor will be presenting at 12:15 pm – 12:45 pm CT on Tuesday, April 14th on Information Security Compliance Monitoring & Documentation

Location 8175 – Level 3 – Hall B1

Title: Effective Information Security in Healthcare

Description: RISC Management & Consulting

Why Do Healthcare Data Breaches Keep Happening? Learn the necessary foundational elements for an effective data privacy and information security program from industry expert Chris Heuman. RISC will demonstrate the key elements lacking from many security programs, and real world solutions to fill the gaps. Learn the most often used phrase after an incident or Data Breach has occurred and what you can do about it!

Remember to add Session ID: CS13 to your personal HIMSS15 calendar!

For more information click here

For More Information Click Here

Feel free to stop at our booth and chat about compliance challenges you may be experiencing. RISC and Virtual Auditor can help you determine the most effective and efficient solution for your organization.

To Register Click Here

To Register Click Here

 

 

Hotel Reservation Click Here

Hotel Reservation Click Here

Schedule at a Glance Click Here

Schedule at a Glance Click Here

 

 

Join the GCC HIMSS Chapter at HIMSS15

Chicago welcomes the 2015 Healthcare Information and Management Systems Society (HIMSS) Annual Conference & Exhibition, April 12-16, 2015, at McCormick Place. The GCC HIMSS Chapter will be hosting the event this year.  There’s an expected attendance of over 38,000 healthcare industry professionals ready to discuss health IT issues and view innovative solutions designed to transform healthcare. There are more than 300 education programs, preconference symposiums, workshops, 1200 exhibitors, networking, and special features such as the new Cybersecurity Command Center.

Thought leaders who will be acting as keynotes at the upcoming event, includes George W. Bush, 43rd President of the United States, leads a strong roster of speakers that also includes Alex Gourlay, President, Walgreens; Bruce D. Broussard, President & CEO, Humana; and Jeremy Gutsche, Founder of Trendhunter.com and Author of “Exploiting Chaos.”

To learn more about this year’s keynote speakers, visit www.himssconference.org.

TIPS

HIMSS15 New Attendee Orientation | Webinar

April 1, 2015 — 2:00 PM – 3:00 PM CT
Virtual Event

Session ID: CO1

Designed for those who are attending the HIMSS15 Annual Conference & Exhibition for the first time, HIMSS staff will provide orientation in detail across the many programs and offerings available to attendees while providing tips and techniques for getting the most out of your conference experience.

Learning Objectives:

  • Provide an overview of the HIMSS15 Annual Conference & Exhibition
  • Identify ways for first time attendees to maximize their Conference experience
  • Review opportunities among the three pillars of Education, Exhibition, and Networking

Or follow this link for a short video if you are a first time conference attendee: http://www.himssconference.org/first-time-attendees

VA and RISC for Texas HIMSS Feb 18 2015

 

Come visit with Virtual Auditor and RISC at the 7th Annual Regional Conference Texas Chapters of HIMSS in Austin! There will be over 400 healthcare IT professionals and optional preconference activities such as legislative visits at the State Capitol and Networking social. The focus will be on promoting the value of investing in Health Information Technology.

Wednesday, February 18, 2015 – Friday, February 20, 2015

Renaissance Austin Hotel

9721 Arboretum Blvd.

Virtual Auditor will be demonstrating an industry-leading Information Security Continuous Monitoring Solution (ISCMS). The ISCMS was specifically developed to help organizations including healthcare, banking, finance, and other heavily regulated industries, to meet their data privacy, information security, and compliance requirements. The ISCMS provides continuous monitoring, alerting, reporting, and event correlation, providing the data your techs want, your security folks wish they had, and your executives need! Visit www.VirtualAuditor.com for more information if you can’t see this amazing technology first hand.

Contact Sales@virtualauditor.com or 888-312-5151

For more information please visit: http://www.cvent.com/events/2015-texas-regional-himss-conference/event-summary-25f61ec35a2f482d99a39eb8605be861.aspx#

Is Your Organization’s New Years Resolution to Be More Secure? If not, it should be!

However, that is too easy to say, and very hard to accomplish. The current threat environment is expanding far faster than the controls can hope to keep up with. A CISOs / CSOs job has never been harder; a trend that will continue this year and on into the future. If you don’t believe that call up organization’s like SONY, ebay (one of the least talked-about giant data breaches of the year), Target, JPMorgan Chase, Home Depot, Community Health Systems, or the 321 other healthcare organizations reporting breaches affecting over 83 million individuals! In fact, healthcare breaches accounted for a whopping 42.3% of data breaches included in the just-published Identity Theft Resource Center 2014 Data Breach Report(1).

Threat vectors include all of the usual suspects that we have been talking about for years. But the massive proliferation of data, accelerating migration to remote and teleworkers, and huge increase in activity of nation-states, organized crime, and hacktivists all make the CISOs / CSOs job next to impossible. It’s not a matter of whether an incident will happen to a modern connected company, but when.

Data breach incident handling must be a part of your data privacy and information security program. Balancing the need for speed of response, especially prompted by state-level data breach rules, with accuracy and responsible forensic activities is a tough challenge. It becomes tougher when interested parties such as the CEO, who suddenly realized that information security is important, compliance, legal, IT Management, public relations, the cyber security insurance carrier and their forensic experts, and the press all want constant feedback and a complete understanding of what happened, who did it, and how much is this going to cost us? from the word, “Go!”

Hopefully all of these parties were interested when the CISO / CSO asked to run a data breach incident drill last year in order to test the capabilities, response time, and training of all relevant parties to respond to such an incident. From our experience performing risk assessments, they were not, and a drill has never been completed.

Don’t let a real incident be the first time you test your data privacy and information security incident response plan. Remember a successful program is built on statements of policy, supporting procedures, tools, checklists, logs, forms, and training. If a real incident is your first test, chances are you are looking at a poor result, and a poor result is more likely to lead to fines and firings.

Since an incident is a matter of When Not If, testing your incident response plan should not be seen as optional or subject to perpetual procrastination!

Lastly, remember that while Information Technology (I.T.) is the system owner and the primary source of information in the event of an incident or breach, the problem is a business issue, not an I.T. issue! Consider addressing requirements and response in your Business Continuity Plan (BCP). BCP procrastination is a topic for another article!

Happy New Year and we’ll secure you in 2015

The team at RISC Management

(1) http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf

Critical to Enterprises With Sensitive or Confidential Information

Data Loss Prevention, often abbreviated DLP, is no longer an optional solution for organizations that:

  1. Are in possession or use of data that is regulated, confidential, sensitive, or otherwise limited from public access;
  2. Are large enough to have more than a single, structured data repository such as only one server and dumb terminals (hardly the case anymore);
  3. Need to be able to prove to management, auditors, or regulatory bodies that they know where their data is, and how it is being protected.

Business owners should consult with security professionals according to Siciliano (Entrepreneur, 2014), CEO of IDTheftSecurity.com, Inc. Siciliano reported the importance of installing data-loss prevention software and performing a risk assessment, “it’s possible to monitor the entire network’s activities to detect events that could lead to a data breach and detect trespassers before it occurs” (p. 3).

Part of the Guide to Privacy and Security of Health Information explains the HIPAA Security Rule requirement that a covered entity must conduct a Risk Analysis [§ 164.308(a) (1) (ii) (A)] to identify risks and vulnerabilities to electronic protected health information. Performing a “risk analysis is the first step in an organization’s Security Rule compliance efforts” (Office of the National Coordinator for Health Information Technology, 2014, p. 10) in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. In addition, organizations must perform an Application and Data Criticality Analysis [§ 164.308(a) (7) (ii) (E)] to, “Assess the relative criticality of specific applications and data…”

The first step in any information security and compliance program is understanding what data your organization has, where it is located, and who is using it; authorized or unauthorized. Complete and accurate knowledge is necessary in order to understand what laws or requirements apply to your organization, and which members of your workforce may require training or monitoring.

Data Classification

Classifying your data into categories such as a Data Classification Matrix makes it easier to apply controls based upon the data type, rather than in a discretionary manner, or simply guessing. Most organizations know that they should protect credit card information differently than public marketing materials. But can they explain the differences in controls applied to ePHI versus Social Security Numbers? What are the requirements for this data? Who enforces them? How much trouble are we in if we have an unauthorized breach of this data?

Every organization should determine the classes that their data types fall into, not the data repositories. For example, classify your data as “Regulated” as opposed to “ePHI” or “Confidential” as opposed to “Payroll Records”. Remember, for data privacy and security regulations and industry requirements, the purpose of the data is irrelevant, it’s the existence of the data that matters.

An example of a data classification matrix that RISC has assisted its clients in successfully deploying is:

  1. Regulated
  2. Confidential
  3. Non-public
  4. Public

Once your data is classified, control mechanisms can be assigned to that classification as a whole, rather than piecemeal.

Roads

Now, your DLP solution is ready to find that data, and let you know where it is, at high speed, with pretty good accuracy. A DLP solution, or even a DLP assessment, can perform a year’s worth of human analysis in a week or two of close to pure automation!

RISC Management’s DLP solution

  • Can assist you in finding the sensitive information that is created, collected, stored, processed, transmitted, disclosed, or archived by your organization;
  • Will deliver Data Loss Prevention (DLP) solutions that protect regulated, sensitive, or confidential employee, customer, or company information and safeguard intellectual property across all electronic communications channels;
  • Can help you watch the sensitive information flowing into, throughout, and out of your network without impacting performance or requiring infrastructure modifications.

Key Benefits

  1. Compliance with regulations such as HIPAA, Red Flags Rule, PCI, and state/federal privacy regulations
  2. Automated email encryption utilizing policy-driven healthcare data classification and filtering
  3. Unobtrusive enforcement of data loss prevention policies across all popular Internet communication channels
  4. Healthcare code sets (e.g. HCPCS, ICD-9, LOINC, and NDC) as built-in dictionaries
  5. Inclusive data logs of confidential data copied, sent, or downloaded

An important definition to understand is the term Vulnerability and Technical vulnerability. Vulnerability is defined in NIST (2012) Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems. The NIST (SP) 800-30 guide is a 95 page document published and developed by the National Institute of Standards and Technology (NIST) under the Federal Information Security Management Act (FISMA), Public Law 107-347.

Vulnerability Testing

Included in the risks that should be identified by an organization regularly are technical vulnerabilities. These vulnerabilities may include missing patches on computing devices, misconfigurations accidentally performed by staff members or consultants, or insecure network architecture. While the reasons are many, the result is the same, elevated risk to the confidentiality, integrity, and availability of your organization’s sensitive information.

RISC Management & Consulting can assist your organization in performing comprehensive technical vulnerability testing. The Security Engineers at RISC use numerous best in class tools to establish a thorough view of your security posture. The output of these tools is used in a number of ways including:

  •  Comparing security controls and system configuration to organizational policy.
  • Comparing the state of security to compliance requirements such as HIPAA, PCI-DSS, and ISO 27002.
  • Comparing the actual network architecture to the organization’s understanding of the network architecture.
  • Developing a technical vulnerability assessment report that provides a compliance, business, and technical review of the state of information security.

Contact RISC Management and Consulting today to discover how we can help you! www.RISCsecurity.com or 630-270-9336

References

Entrepreneur.(2014). 11 Ways to protect your business from cyber criminals. Retrieved from http://www.entrepreneur.com/article/238369

National Institute of Standards & Technology. (2012). Guide for conducting risk assessments: Information security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf