
Privacy & Security in the Age of Meaningful Use

Privacy & Security in the Age of Meaningful Use. David S. Finn. Health Information Technology Officer, Symantec Corp. By way of Introduction. 1. We Don’t Really Do a Very Good Job at This. 2. What’s Different and Why the Paradigm Shift. 3.


Presentation Transcript


  1. Privacy & Security in the Age of Meaningful Use

    David S. Finn Health Information Technology Officer, Symantec Corp. Privacy & Security in the Age of Meaningful Use
  2. (1) By way of Introduction; (2) We Don’t Really Do a Very Good Job at This; (3) What’s Different and Why the Paradigm Shift; (4) Changing Threat Landscape + Evolving Infrastructure; (5) = Complexity; (6) It’s About the Data; (7) Q & A
  3. Who is that man and why is he talking?
    - Recovering healthcare CIO
    - Unable to hold a job (treasurer for theatrical production company; real estate controller; world’s oldest entry level programmer; systems audit; IS manager; audit director; healthcare IT consultant; operational/system risk consultant; EVP Operations - healthcare consultancy; privacy & information security officer; VP-IS; CIO; Health IT Officer)
    - CISA, CISM, CRISC
    - 2 degrees in Theatre
  4. Top Ten Things that Would be Different if We Actually Did Privacy and Security Right . . .
    - 10. Wiki Leaks wouldn’t.
    - 9. Rupert Murdoch would still have all of his newspapers.
    - 8. The HHS “Wall of Shame” website could be leased out for advertising.
    - 7. A “bot net” would be a net for catching runaway robots instead of a term used to describe millions of runaway computers.
    - 6. A worm would be used as fishing bait rather than to infiltrate computer systems.
  5. Top Ten Things that Would be Different if We Actually Did Privacy and Security Right . . .
    - 5. We wouldn’t have to see or hear the word “cyber crime” 300 times/day in every book, magazine, newspaper or newscast.
    - 4. A cloud would be a soft, fluffy thing, even to IT people . . . not a place of terror.
    - 3. The word “virus” could be returned to the medical world - where it came from.
    - 2. I could be talking about core business functions rather than the security you need to have in place just to conduct your core business functions.
    - 1. A hacker would just be someone who had a bad cough.
  6. Seriously, though, if we actually took this seriously . . .
    - Security would be designed into systems, not added after the fact
    - Security would not be the first thing cut as scope creep began because it is easier to cut than explain cutting functionality (no matter how obscure or arcane)
    - Security and Privacy would be part of the business mission, not a compliance requirement that you do everything you can do to minimize
    - Security wouldn’t be a small group in IT, it would be embedded in all the operational functions of IT
    - Security and Privacy would be part of every employee’s job description (not just in IT)
    - Security would mean something and not be another card IT played to get head count, OpEx or CapEx budget
  7. Security has changed . . .
    - And IT Security . . .
    - Proliferation of intelligent devices with embedded and downloaded software
    - The Threat landscape
    - More automation, more data, more access
    - As a result: Growing dependency on a highly complex ecosystem of devices
    - But: these systems are now attracting the attention of the “underground economy”
    - And not just security but how we do IT . . .
    - Mobile
    - Anytime, anywhere, any device
    - Separation between traditional IT infrastructure and consumer devices is disappearing – infrastructures as well as data are merging
    - Virtualization leading to Cloud
    - Cloud for internal IT service delivery and for delivery of IT services.
    - Legislation & Regulation are raising the security and privacy bar – legal exposure
  8. Key Security Trends
    - CHALLENGING THREAT LANDSCAPE
    - WELL-MEANING & MALICIOUS INSIDERS
    - TARGETED ATTACKS
    - INCREASING COMPLEXITY
    - EVOLVING INFRASTRUCTURE
    - INCREASING FINANCIAL AND COMPLIANCE RISK
    - MORE DATA: HIGHER RISK & SWEETER TARGET
    - COMPLIANCE REQUIREMENTS
    - MOBILE
    - VIRTUALIZATION
    - VENDOR COMPLEXITY
    - CLOUD
  9. The Current Approach Is Not Working
    - Spending More
    - Stopping Less
  10. IT Must Evolve to Meet New Demands
    - System-Centric
        - Data: Centralized, structured
        - Infrastructure: Physical
        - IT focus: Systems tasks
    - Information-Centric
        - Data: Distributed, unstructured
        - Infrastructure: Physical, virtual, cloud, mobile outsourced
        - IT Focus: Information
  11. The Information-Centric Model
    - It’s about the data.
    - (Diagram labels) Remediation Discovery Policy Compliance Reporting Classification Threats Ownership Identity Encryption
  12. When It is About the Data.
    - (Diagram labels) RISK Policy Identify Compliance Remediate Governance Manage Risk Store Manage INFORMATION Protect Recover Infrastructure Intelligence COST VALUE Classify Discover Ownership Assess PHYSICAL VIRTUAL CLOUD MOBILE
  13. Addressing Security Challenges at Each Layer
    - GOVERNANCE: Policy Driven and Risk Based
    - INTELLIGENCE: Information and Identity Centric
    - INFRASTRUCTURE: Well Managed and Secure
    - Protect against customized targeted attacks
    - Secure virtual and cloud-based environments
    - Manage and secure data on mobile devices
    - Classify critical data
    - Discover where data is
    - Apply encryption
    - Monitor threats to data
    - Develop and enforce policies
    - Identify and authenticate
    - Assess against policies
    - Prioritize remediation based on risk
    - Deliver multi-level reports to manage IT risks
  14. Compliance and Security Solutions GOVERNANCE Develop Policies, Manage Risk Policy & Procedure; On-going Risk Management Authenticate Identities Domains; 2FA INTELLIGENCE Protect the Information Data Loss Prevention & Encryption Identity Threats Managed Security Services INFRASTRUCTURE Manage Systems IT Life Cycle Management Protect the Infrastructure Layered Protection Cloud Cloud (SLA, network performance, processes)
  15. “Meaningful Use” and Provider Business Impacts
  16. “Meaningful Use” and Provider IT Impacts
  17. Providers under Pressure
    - (Diagram labels) HIPAA Data Retention Enforcement Security & Privacy Rules HITECH State Regulations Funding & Laws Security & Privacy Mandates ARRA JCAHO Incentives & Grants Accreditation $-Cuts Quality Reporting CMS More Reporting New Billing Rules Outcomes-based Reimbursement Disease Registries ICD-10 P4P
    - HIPAA: Health Insurance Portability and Accountability Act
    - HITECH: Health Information Technology for Economic and Clinical Health Act
    - ARRA: American Recovery and Reinvestment Act
    - P4P: Pay for Performance
    - ICD: International Classification of Diseases (used for insurance billing)
    - CMS: Center for Medicare and Medicaid Services
    - JCAHO: Joint Commission on Accreditation of Healthcare Organizations = “The Joint Commission”
  18. Budgets are under Pressure but the Need doesn’t go Away
    - Critical Infrastructure Security
        - Automate security processes
        - Efficiently guard PHI (Protected Health Information)
        - Comprehensive protection of entire enterprise infrastructure
        - Outsource security management
    - Managing Storage Complexity
        - Standardize management and backup tools across platforms
        - Discover unutilized capacity
        - Manage storage across clinical departments (Radiology, Cardiology, etc.)
        - Postpone costly HW investments and avoid standardization “the HW way”
    - Automating IT Regulatory Compliance
        - Automate compliance processes
        - Minimize risk of non-compliance
        - Integrate compliance processes and centralize management of security logs
        - Minimize risk of breach and exposure
    - Managing Electronic Messaging
        - Avoid email system upgrades, mitigate storage growth
        - Reduce cost through file system storage tiering
        - Increase user productivity, eliminate doctors’ (and other users’) mailbox quota
        - Automate legal processes
    - IT Lifecycle Management
        - Automate deployment of new systems and upgrades
        - Reduce application conflicts and enable better HW utilization
        - Accurately account for licenses and leases
        - Automate help desk processes and reduce help desk tickets
    - Desktop and Application Virtualization
        - Extend client HW life
        - Bridge during system transitions and (potentially delayed) project roll-outs
        - Benefit from inherent security & performance increase of a server-based computing model
        - Increase clinician productivity by enabling roaming and remote access
  19. Develop and Enforce IT Policies
    - Remediate problems
    - Assess infrastructure and processes
    - Define risk and develop IT policies
    - Report, monitor and demonstrate due care
  20. Protect the Information
    - Discover sensitive information
    - Define ownership and access rights
    - Remediate process and policy deficiencies
    - Enforce acceptable use
  21. Authenticate Identities
    - Validate identities of users, sites and devices
    - Control access
    - Provide trusted connections
    - Authenticate transactions
  22. Manage Systems
    - Monitor system status
    - Implement secure operating environments
    - Enforce patch levels
    - Automate IT processes
  23. Protect The Infrastructure
    - Protect against email & web-based threats
    - Backup & recover critical data
    - Secure & harden endpoints & critical servers
    - Visibility into cross-infrastructure attacks
  25. Questions?
    - “Unless someone like you cares a whole awful lot, nothing is going to get better. It's not.” Dr. Seuss
    - David S. Finn, Health IT Officer, david_finn@symantec.com, 832.816.2206