Slide Deck: http://goo.gl/BZkqHF
Webex Support 1-866-229-3239

Event #299 749 291

“Security Risk Analyses Done Right”

A Complimentary Webinar From healthsystemCIO.com
Sponsored by Fortified Health Solutions, A Santa Rosa Company

Your Line Will Be Silent Until Our Event Begins at 12:00 ET

Thank You!

Housekeeping

• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com

• Ask A Question
  • We will be holding a Q&A session after the formal presentations.
  • You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”

• Download the Deck
  • Download today's deck at: http://healthsystemcio.com/presentation/risk-analyses-webinar.pdf
  • Shortened URL at bottom of all slides

• View the Archive
  • You will receive an email when our archive recording is ready.
  • Separate registration is required.

Agenda — Approximately 45 Minutes

• 25-30 minutes: Chuck Podesta, CIO, UC Irvine Health

• 5 minutes: A Word From Our Sponsor: Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company

• 10-15 minutes: Q&A w/Chuck Podesta

“Security Risk Analyses Done Right”

Threats

• VIRUSES
• DATA LOSS
• INAPPROPRIATE ACCESS
• HACKERS
• UNSAFE WEBSITES
• PHISHING
• SOCIAL ENGINEERING
• WEAK PASSWORDS
• BREACH OF INFORMATION

It’s not just HIPAA

• Health Information Technology for Economic and Clinical Health (HITECH)

• Health Information Trust Alliance (HITRUST)

• Payment Card Industry (PCI)

• National Institute of Standards and Technology (NIST)

• International Organization for Standardization (ISO)

• Federal Trade Commission (FTC)

• State Laws

HITRUST

• Common Security Framework (CSF)
  • Risk Assessment
  • Corrective Action Plan
  • Policy Management
  • Incident Management
  • Exception Management

Risk Assessment Harmonization: Goes Way Beyond Meaningful Use

• Data Management
• Network Segmentation
• System Controls
• Technical Controls
• Encryption
• Physical Controls
• User Awareness
• Audit and Monitoring
• Risk Transfer

(Maturity chart for each area: Current State vs. Planned, on a scale from Minimal to Optimal)

Data Management

• Sensitive Data Map
  • Structured and Unstructured ePHI
  • Credit Card Data

• Data Lifecycle
  • Retention Program
  • Access
  • Audit
  • Minimal Necessary

Network Segmentation

• LAN & WAN Segmentation
  • Important for PCI

System Controls

• Computers
  • Desktops, Laptops, Servers

• Mobile Devices
  • PDA/Tablets, USB/Flash, Phones/PDA

• Removable Media
  • Backup Tapes and CDs

• Peripherals
  • Printers, Copiers/Fax, Scanners

Technical Controls

• Network Access
  • System Authentication
  • IDS/IPS
  • Vulnerability Assessment

• Data Management
  • Data Loss Prevention (DLP)

• Configuration Management
  • Server, Desktop, Network

• Log Management
  • Log Manager
  • SIEM

Encryption

• Data At Rest
  • Database and File Storage
  • Backup tapes and the Cloud
  • Workstations and Laptops

• Data In Motion
  • Email and FTP
  • USB/Flash and CDs
  • Tablets
  • Interfaces
  • Texting

User Awareness

• Policy Education
  • Device Placement, Access, Auditing
  • Logoff
  • Encryption

• Process Education
  • Encryption

• Threat Awareness
  • Create Awareness Program
  • Home Use

Audit and Monitoring

• Solutions
  • Network Management and network access controls
  • Data Loss Prevention
  • Log Management
  • Application Event Management
  • Database Managers
  • Email Auditor
  • SIEM

Risk Transfer

• Financial
  • Cyber Insurance
  • ASP Services
  • Cloud Services
  • Vendor Managed Systems

• Third Parties
  • CoLocation
  • Outsourcing
  • SaaS
  • Cloud

Keys to a Successful Plan

• C-Suite Buy-in

• You Can’t Do It Alone

• Organizational Awareness

• Funding for Technical Investments

• A Breach is not IF but WHEN

• Monitor Your BA Readiness

• Implement Corrective Action Plans

• Hire a CISO

“Security Risk Analyses Done Right”

Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company

HIPAA Security, Privacy & Breach Compliance - What Health Executives Need to Know Proprietary & Confidential

What’s the biggest misstep for Covered Entities and Business Associates?

• Failure to conduct a thorough Risk Analysis

• Failure to address the results of a Comprehensive Risk Analysis

What to do with Risk Analysis Results

• Prioritize the risk(s) if not already sorted in the report

• Determine the effort it will take to remediate the risk(s)

• Identify the staff members to participate in remediation efforts

• Identify any outside resources to participate in remediation efforts

Extract the Administrative Risk(s)

Extract the Physical Risk(s)

Extract the Technical Risk(s)

What you’ll most likely need to prepare for…

• The organization may not have adequate resources to complete the required remediation

• The organization may not have the in-house skillset(s) to complete the required remediation

• Remediation may require the organization to implement new policies & processes
  • Could equate to additional staff training, capital investment, governance, differences of opinion, stricter employee sanctions

• Remediation may require the organization to implement new technologies
  • Could equate to increased budget(s), capital investment, skills training, outsourcing

• Remediation will require the organization to implement on-going security processes

Q&A

Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”

Thank You!

• Thanks to our featured speaker: Chuck Podesta

• Thanks to our sponsor: Fortified Health Solutions, a Santa Rosa Company

• You will receive an email when our archive recording is ready. (Separate registration is required)

• CHIME CHCIO Credits – Attending our Webinars = 1 CEU

• Questions/Comments – Anthony Guerra [email protected]

Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.