Agenda
Introduction
Regulatory Landscape
Business Drivers
Information Security Frameworks
2014 Breach Report – Ponemon Institute
2014 Cyber Threat Report – SANS Institute / Norse
Information Security Management Program
Security and Privacy Strategic Guidelines
Questions
Proprietary and Confidential — Kroll 3
Regulatory Landscape
HIPAA, HITECH, Omnibus, & Meaningful Use
Office for Civil Rights (OCR)
Centers for Medicare & Medicaid Services (CMS)
Federal Trade Commission (FTC)
Federal Breach Notification Rule
State Breach Notification Rules
Business Drivers
Reputation
Confidentiality
» Protecting confidential information
Availability
» Ensuring the accessibility of patient information
Integrity
» Ensuring the accuracy and reliability of patient information for treatment decision making
Financial
Common Security Framework
Healthcare Security (and Privacy) Framework
» HITRUST (http://www.hitrustalliance.net/csf/hitrust_central_information.php)
» 13 Security Control Categories
» 42 Control Objectives
» 135 Control Specifications
Aligned with HIPAA Security Rule, NIST 800-53, ISO 2700x, COBIT, PCI-DSS and others
Cyber Security Threat Intelligence and Incident Coordination Center (http://www.hitrustalliance.net/c3/)
Other Frameworks
ISO 2700x
PCI-DSS
COBIT
NIST 800-53, 800-30, 800-66
NIST Cybersecurity Framework
OCR Audit Protocol
Information Security Management Program
Security and Privacy Risk Profile
Continuous process for assessment and remediation
» Use a framework for guidance
» Evaluate internal and external risks
Executive Communication
Proactive Monitoring, Audit and Testing
Third Party Risks
Incident Management Program
Security and Privacy Strategic Guidelines
Simplify the program
Integrate and Collaborate with Stakeholders
Make it manageable and measure results
Proactive Partnership
Learn and Understand the organizational risk profile
Educate and Empower