Successful healthcare information security starts with strong organizational leadership
Internal risk management is the key for ensuring information confidentiality, business process availability, and data integrity
WHITE PAPER
Phone: 800-721-9177 | 805-684-6858
TABLE OF CONTENTS
Executive Summary
About Redspin
There are many reasons why healthcare organizations might over-invest in technology and under-invest in process management. Some of the most common include:
• Many healthcare organizations, through basic organizational structure and reporting hierarchy, lack executive-level knowledge of (1) information technology solutions; and (2) the importance of EPHI security issues and regulations. This lack of knowledge at the executive level manifests itself in at least two unfortunate ways:
• Many managers mistakenly believe, or are sold on the idea, that more equipment under the data center roof makes an organization more secure. In fact the opposite is often true. The addition of more sophisticated technology solutions typically introduces complexity into the organization. Complexity adds unnecessary risk and can actually make a healthcare organization’s data LESS secure.
• Buying equipment and implementing cutting-edge technology is more fun and exciting for managers and staff than anything else. In stark contrast is the relatively mundane and disciplined process of documenting an EPHI security program, training staff to implement the program, monitoring the program’s success, and consistently working to maintain EPHI security.
The best healthcare organizations actively link EPHI security spending decisions to both 1) the creation of business value; and 2) the reduction of risks.
Enhance Executive-Level Awareness of EPHI Security Performance
Building executive-level awareness of EPHI security processes and regulations and awareness of the organization’s performance in safeguarding EPHI is important. Redspin recommends that healthcare organizations have a Chief Information Security Officer (CISO) who reports to the executive management team and who is operationally independent from all other IT groups. This independence will help prevent conflicts of interest which may occur if the person responsible for installing and configuring IT systems is the same person responsible for managing the security risk introduced by those same IT systems. Ideally the CISO is responsible for the security of EPHI by:
• Ensuring compliance with internally-developed security policies through ongoing oversight and regular review of controls. This review should include an evaluation of the effectiveness of EPHI security tools, applications, and operational procedures.
• Reporting the results of internal and third-party EPHI security assessments, linking security issues to potential business impact, and making business-justified budgetary recommendations to executive-level management.
• Ensuring organizational compliance with HIPAA law and all other applicable regulations.
Consider the example of a health insurance company that has encrypted its EPHI and managed its
encryption keys adequately, but has failed to properly configure the firewall that protects its internal
network. While the EPHI data may be indecipherable to a hacker, the improper configuration of
the firewall could still compromise the organization’s security. An attack on the internal network
could disable information systems and/or require that the network be taken off-line for repair. In
either case, the EPHI and all other data may be temporarily unavailable, in violation of HIPAA law
and causing immense disruption to the business.
Knowledge of EPHI security regulations, policies, controls, and measurements is a valuable organizational asset.
Knowing the letter of the laws for safeguarding EPHI, ensuring organizational compliance with
these laws, and being aware of the significant consequences of non-compliance are important
endeavors for all healthcare organizations. For more details about the HIPAA Security Rule
and the consequences of non-compliance, see the Redspin publication Trends in Healthcare IT:
Understanding HITECH, the HIPAA Security Rule, and How to Safeguard your Electronic Protected
Health Information (EPHI).
If an organization succeeds in building institutional knowledge of EPHI security programs, the loss
of one or two key employees familiar with these programs need not be debilitating.
Therefore all EPHI data, whether held internally or exchanged externally by each healthcare organization, should be classified based on business impact. Detailed EPHI data flows should be developed and updated as needed. Frequently a thorough EPHI mapping can help an organization identify inefficiencies or weaknesses which can be corrected to strengthen EPHI security.
Redspin works with healthcare organizations to evaluate security controls, to identify EPHI security vulnerabilities, and to develop action plans for addressing these issues. Redspin categorizes the impact of security issues based on the potential impairment of an IT system, facility, or procedure if a given vulnerability were exercised. See the following table.
Redspin Healthcare Security Impact Definitions
High: There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium: Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Informational: The issue does not indicate a material violation but is something for management to consider for enhancing the overall security posture.
Any time security policies and procedures are updated, these changes should be institutionalized.
By aggressively managing the security threat landscape, leading healthcare organizations remain
better positioned to safeguard EPHI.
Web: WWW.REDSPIN.COM | Email: INFO@REDSPIN.COM
Redspin, Inc., 6450 Via Real, Ste. 3, Carpinteria, CA 93013