Security Risk Analyses Done Right
Transcript of the webinar slide deck
Slide Deck: http://goo.gl/BZkqHF
Webex Support 1-866-229-3239
Event #299 749 291
“Security Risk Analyses Done Right”
A Complimentary Webinar From healthsystemCIO.com
Sponsored by Fortified Health Solutions, A Santa Rosa Company
Your Line Will Be Silent Until Our Event Begins at 12:00 ET
Thank You!
Housekeeping
• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com
• Ask A Question
  • We will be holding a Q&A session after the formal presentations.
  • You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, typing your question in the text field and hitting send. Please keep the send-to default as “All Panelists.”
• Download the Deck
  • Download today's deck at: http://healthsystemcio.com/presentation/risk-analyses-webinar.pdf
  • Shortened URL at bottom of all slides
• View the Archive
  • You will receive an email when our archive recording is ready.
  • Separate registration is required.
Agenda — Approximately 45 Minutes
• 25-30 minutes: Chuck Podesta, CIO, UC Irvine Health
• 5 minutes: A Word From Our Sponsor: Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company
• 10-15 minutes: Q&A w/Chuck Podesta
“Security Risk Analyses Done Right”
Threats
• Viruses
• Data Loss
• Inappropriate Access
• Hackers
• Unsafe Websites
• Phishing
• Social Engineering
• Weak Passwords
• Breach of Information
It’s not just HIPAA
• Health Information Technology for Economic and Clinical Health (HITECH)
• Health Information Trust Alliance (HITRUST)
• Payment Card Industry (PCI)
• National Institute of Standards and Technology (NIST)
• International Organization for Standardization (ISO)
• Federal Trade Commission (FTC)
• State Laws
HITRUST
• Common Security Framework (CSF)
  • Risk Assessment
  • Corrective Action Plan
  • Policy Management
  • Incident Management
  • Exception Management
Risk Assessment Harmonization
Goes Way Beyond Meaningful Use
• Data Management
• Network Segmentation
• System Controls
• Technical Controls
• Encryption
• Physical Controls
• User Awareness
• Audit and Monitoring
• Risk Transfer
[Chart: each area above rated on a scale from Minimal to Optimal, showing Current State and Planned]
Data Management
• Sensitive Data Map
  • Structured and Unstructured ePHI
  • Credit Card Data
• Data Lifecycle
  • Retention Program
  • Access
  • Audit
  • Minimal Necessary
Network Segmentation
• LAN & WAN Segmentation
  • Important for PCI
System Controls
• Computers
  • Desktops, Laptops, Servers
• Mobile Devices
  • PDA/Tablets, USB/Flash, Phones/PDA
• Removable Media
  • Backup Tapes and CDs
• Peripherals
  • Printers, Copiers/Fax, Scanners
Technical Controls
• Network Access
  • System Authentication
  • IDS/IPS
  • Vulnerability Assessment
• Data Management
  • Data Loss Prevention (DLP)
• Configuration Management
  • Server, Desktop, Network
• Log Manager
  • SIEM
Encryption
• Data At Rest
  • Database and File Storage
  • Backup Tapes and the Cloud
  • Workstations and Laptops
• Data In Motion
  • Email and FTP
  • USB/Flash and CDs
  • Tablets
  • Interfaces
  • Texting
User Awareness
• Policy Education
  • Device Placement, Access, Auditing
  • Logoff
  • Encryption
• Process Education
  • Encryption
• Threat Awareness
  • Create Awareness Program
  • Home Use
Audit and Monitoring
• Solutions
  • Network Management and Network Access Controls
  • Data Loss Prevention
  • Log Management
  • Application Event Management
  • Database Managers
  • Email Auditor
  • SIEM
Risk Transfer
• Financial
  • Cyber Insurance
  • ASP Services
  • Cloud Services
  • Vendor Managed Systems
• Third Parties
  • CoLocation
  • Outsourcing
  • SaaS
  • Cloud
Keys to a Successful Plan
• C-Suite Buy-in
• You Can’t Do It Alone
• Organizational Awareness
• Funding for Technical Investments
• A Breach is not IF but WHEN
• Monitor Your BA Readiness
• Implement Corrective Action Plans
• Hire a CISO
“Security Risk Analyses Done Right”
Troy McClendon, President, Fortified Health Solutions, A Santa Rosa Company
HIPAA Security, Privacy & Breach Compliance - What Health Executives Need to Know
What’s the biggest misstep for Covered Entities and Business Associates?
• Failure to conduct a thorough Risk Analysis
• Failure to address the results of a Comprehensive Risk Analysis
What to do with Risk Analysis Results
• Prioritize the risk(s) if not already sorted in the report
• Determine the effort it will take to remediate the risk(s)
• Identify the staff members to participate in remediation efforts
• Identify any outside resources to participate in remediation efforts
• Extract the Administrative Risk(s)
• Extract the Physical Risk(s)
• Extract the Technical Risk(s)
What you’ll most likely need to prepare for…
• The organization may not have adequate resources to complete the required remediation
• The organization may not have the in-house skillset(s) to complete the required remediation
• Remediation may require the organization to implement new policies & processes
  • Could equate to additional staff training, capital investment, governance, differences of opinion, stricter employee sanctions
• Remediation may require the organization to implement new technologies
  • Could equate to increased budget(s), capital investment, skills training, outsourcing
• Remediation will require the organization to implement on-going security processes
Q&A
Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send-to default as “All Panelists.”
Thank You!
• Thanks to our featured speaker: Chuck Podesta
• Thanks to our sponsor: Fortified Health Solutions, a Santa Rosa Company
• You will receive an email when our archive recording is ready. (Separate registration is required)
• CHIME CHCIO Credits – Attending our Webinars = 1 CEU
• Questions/Comments – Anthony Guerra [email protected]
Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.