
Key Risks to Manage

Summary: Using our HIPAA HITECH Certify Express process, we performed a HIPAA Security assessment of Company A, gained an understanding of and assessed Company A's technology environment, and assisted Company A in mitigating identified security gaps.

arnon


Presentation Transcript


  1. Key Risks to Manage DRAFT for Discussion Purposes Only
  2. Project Process
     Using our HIPAA HITECH Certify Express process, we performed a HIPAA Security assessment of Company A in three phases:

     Gained an understanding and assessed Company A's technology environment
        Understand core business operations and technical environment
        Document infrastructure and applications that contain PHI
        Determine gaps in HIPAA HITECH compliance

     Assisted Company A in mitigating identified security gaps
        Provide security and compliance gap remediation recommendations
        Provide HIPAA required documentation examples and templates
        Review all updated documents and processes

     Performed testing to validate HIPAA security rule compliance
        Validate evidence provided and perform control design testing
        Perform a sampling of operational testing
  3. Key Observations and Implications

     Governance and Strategy
        Key Observations: An information security strategy and key goals have been defined and communicated to all stakeholders across the organization. The recently developed information risk management program document now addresses the key risks that Company A faces in the current environment. A security and privacy compliance officer has been assigned.
        Implications: A strong top-down security culture reduces the risk of unauthorized activities and data breaches.

     Risk Management
        Key Observations: A formal information security risk and compliance program to manage risk to an acceptable level and comply with applicable regulatory requirements (e.g. HIPAA Security Rule, HITECH, etc.) has been implemented. A process to perform risk assessments on a recurring basis to identify security risks has been implemented.
        Implications: Security risks must be identified and managed in a programmatic way to mitigate potential negative effects.

     Policies and Procedures
        Key Observations: All information security policies, standards, and procedures have recently been updated or completed; those that did not previously exist were created. A logging and monitoring standard has been implemented to provide guidance on the events that need to be monitored, the roles and responsibilities associated with the management of the logs, and the frequency of the log reviews to be performed. Formal business continuity and disaster recovery plans and processes have recently been implemented and tested to ensure required Recovery Time Objectives (RTOs) can be met.
        Implications: Policies and procedures provide the governing foundation for the implementation and management of security. A tested business continuity plan is critical in the event of a breach or emergency to reduce financial, operational and reputational risk.

     3rd Party Management
        Key Observations: Company A has implemented a process to identify risks associated with 3rd parties. Company A has a certification process for all Company A Exchange participants.
        Implications: It is important that a follow-up and monitoring process is fully implemented to ensure 3rd parties maintain security compliance. It is critical that all parties actively using Company A Exchange have implemented, tested and regularly monitor their security status. A leak at one end-point can affect everyone on the network.

     Access Controls
        Key Observations: User accounts and access rights are regularly reviewed to confirm the appropriateness of user permissions, including privileged user accounts. All logs should be regularly reviewed for unexpected activity: (1) error messages should be logged and analyzed; (2) sensitive activities and transactions should be logged; (3) system administrator and operator logs should be recorded and reviewed; (4) audit logs should be protected against tampering and unauthorized access.
        Implications: Since Company A has a limited number of employees performing multiple functions, it is operationally difficult to implement strong segregation of duties controls. Thus, regular monitoring and review of key activity and data access is critical. Because staff perform multiple duties, review of access and activity logs is critical to ensure individuals are only performing authorized activities.

     Network
        Key Observations: Appropriate network segregation controls have been defined and implemented. All externally facing systems and applications are hosted in the DMZ. Wireless access points that use weak encryption (WEP) are still being utilized to support legacy devices used by partners and 3rd parties. Multi-factor authentication is not implemented for accessing applications over remote channels.
        Implications: Since Company A's key business is providing secure email and an ePrescribe exchange, network integrity is critical.
  4. Company A Policy and Plan Compliance