Healthcare Privacy and Security: Workforce Competency. #privacysummit. Sean Murphy CISSP, ISSMP, HCISPP March 7, 2014



Similar documents
Healthcare and IT Working Together KY HFMA Spring Institute

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK

Certification and Training

Security Risk Management Strategy in a Mobile and Consumerised World

How To Protect Yourself From Cyber Threats

Joe Dylewski President, ATMP Solutions

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Cybersecurity Credentials Collaborative (C3) cybersecuritycc.org

CYBERBOK Cyber Crime Security Essential Body of Knowledge: A Competency and Functional Framework for Cyber Crime Management

Mitigating and managing cyber risk: ten issues to consider

BIOS Steven Penn, Senior Director CSF Development And Educa9on Programs Bryan Cline, PhD Senior Advisor

The Next Generation of Security Leaders

North Texas ISSA CISO Roundtable

Rogers Insurance Client Presentation

The Imperative for High Assurance Credentials: State Identity Credential and Access Management (SICAM) Guidance and Roadmap

Status of the Industry: 2015 Global Information Security Workforce Study

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Privacy / Network Security Liability Insurance Discussion. January 30, Kevin Violette RT ProExec

Security Transcends Technology

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework

Applying Framework to Mobile & BYOD

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

HITRUST CSF Assurance Program

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

(ISC)² Foundation Announces 2014 Information Security Scholarship Recipients

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

CONTINUING PROFESSIONAL EDUCATION (CPE) POLICIES & GUIDELINES

Vendor Management. Outsourcing Technology Services

FedVTE Training Catalog SUMMER advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

How To Protect Yourself From A Hacker Attack

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Developing National Frameworks & Engaging the Private Sector

Controls over CIS. Ryan O Halloran, Senior Manager KPMG Hobart. TAO Client Information Session. May 2015

Cybercrime & Cybersecurity: the Ongoing Battle International Hellenic University

Be Afraid, Be Very Afraid!!! Hacking Out the Pros and Cons of Captive Cyber Liability Insurance

Logging In: Auditing Cybersecurity in an Unsecure World

HIPAA Overview and updates since HITECH and PPACA

Understanding changes to the Trust Services Principles for SOC 2 reporting

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

EHS Privacy and Information Security

October 24, Mitigating Legal and Business Risks of Cyber Breaches

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Organizational Structure What Works

Third-Party Cybersecurity and Data Loss Prevention

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Risk Management: IT Vendor Management and Outsourcing

Auditing emerging cyber threats and IT controls

What can HITRUST do for me?

Managing Cyber & Privacy Risks

Privacy Liability & Data Breach Management Nikos Georgopoulos 1 st Athens Privacy & Data Breach Management Conference

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

CyberSecurity for Law Firms

THE AMERICAN LAW INSTITUTE Continuing Legal Education

Cyber Security and Data Privacy Acumin Specialist Cloud Services

Don t Get Left in the Dust: How to Evolve from CISO to CIRO

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Cloud Security and Managing Use Risks

Work Toward Your Bachelor s Degree

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Transcription:

Healthcare Privacy and Security: Workforce Competency Sean Murphy CISSP, ISSMP, HCISPP March 7, 2014

Agenda: State of healthcare information protection Current solutions and impact Special environment of healthcare Healthcare-specific info protection competency Current healthcare info protection workforce Knowledge domains required Competency measures in action Return on investment Top 10 actions

Breaches are epidemic Often multiple per org Patients are affected Data loss is costly It is getting worse Healthcare lags behind SOURCE: ID Experts: Ponemon Study; Third Annual Benchmark Study on Patient Privacy & Data Security ; Dec 2012 ; Infographic included

SOLUTION?: Implement best practices from banking, military, telecomm, etc. IMPACT: Usually, intended. -- compliance -- privacy -- security Often, unintended. -- risk -- patient safety

NOW THEN

Protecting healthcare information Special environment Equipment Infrastructure Data Applications Regulations IT security budget Privacy and security concerns impact patient care

Healthcare information protection workforce competency measures can help Because information privacy and security in healthcare must happen Much of the risk can be addressed by InfoSec best practices Not all risk is equal and healthcare requires a tailored approach Additional $$$ are not coming Part of the answer is in recruiting and retaining the right people

Borrowed from Steve Person, from imagestore.slideshare cdn.com

Primary Sources of Information Protection Workforce Privacy Health Information Management Legal Risk Management Internal IT Staff Other Industry InfoTech Medical Technician Clinical Engineering Device System Administrators Super Users (Lab, Rad, Pharm)

Getting to the desired competencies Healthcare Industry Regulatory Environment Privacy and Security in Healthcare Information Governance and Risk Management Third Party Risk Management Privacy Ethical/Legal Program Management IT Security Incident Reporting Admin, Technical, and Physical Controls Business Continuity Disaster Recovery Telecommunications IT Security Medical Technician Healthcare Clinical Engineering Manufacturer/Vendor Risk Specific Medical Device Clinical Workflow IT Security Patient Safety

Competency measures: -- A level of assurance key personnel are trained and ready Competency measures validated by several information protection areas -- DOD Directive 8570.01 -- Position descriptions -- Information Technology -- Leading Professional Organization (like IAPP) -- National Initiative for Cybersecurity Education framework -- Healthcare C-level top two competencies desired: Privacy and Security Knowledge 66% and Knowledge of Healthcare Industry 55%

Workforce competency measures have return on investment -- Avoid fines and penalties -- Reduce risk of adverse actions Board action, Bond rating, Abnormal churn -- Increase due diligence -- Tailored risk management -- Enable initiatives: BYOD, HIE, Cloud Services -- Patient care improves -- More effective recruiting -- Turnover of employees reduced

Top 10 actions 1. Read the sources for this material a) www.ecri.org b) csrc.nist.gov/nice/framework c) 2014 Healthcare Information Security Today survey (ISC) 2 d) Third Annual Patient Privacy and Data Security Study (Pomemon) 2. Take an inventory of all information protection POCs 3. Determine their competency areas and levels 4. Review your latest risk assessment and remediation actions 5. Examine current workforce competency credentials choices a) Consider Continuing Education requirements b) Evaluate domains covered

Top 10 actions (continued) 6. Look at current position descriptions and job announcements 7. Consider potential candidates to obtain certification 8. Analyze next year s information protection budget a) Prioritize workforce competency impact 9. Tweet, We need healthcare-specific security and privacy credentials? RT if you agree @HIPAA_Smurf 10.Tell me where I got it wrong a) Continue this important dialogue

Agenda: State of healthcare information protection Current solutions and impact Special environment of healthcare Healthcare-specific info protection competency Current healthcare info protection workforce Knowledge domains required Competency measures in action Return on investment Top 10 actions

Healthcare Privacy and Security: Workforce Competency Sean Murphy CISSP, ISSMP, HCISPP March 7, 2014

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information