PHS Information Security Program: A Standards-based Approach
September 24, 2009
Jennings Aske – PHS CISO

Agenda: Challenges; Regulations; Standards; PHS Information Security Framework; Initial Priorities; Governance and Collaboration; Encryption Update.


Presentation Transcript


  1. PHS Information Security Program: A Standards-based Approach
     September 24, 2009
     Jennings Aske – PHS CISO

  2. Agenda
     • Challenges
     • Regulations
     • Standards
     • PHS Information Security Framework
     • Initial Priorities
     • Governance and Collaboration
     • Encryption Update

  3. "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about."
     – The Classic Hippocratic Oath

  4. Partners HealthCare System, Inc
     • Serving the Community
     • Teaching and Research
     • Enhancing Patient Care
     • Increasing Value and Improving Quality
     • Leadership as an Integrated Healthcare System

  5. Additional Challenges
     • Scale of our environment:
       • Email Accounts: 66,246
       • IP Addresses: 79,561
       • Remote Access Users: 15,806
       • Annual number of eGate transactions: 1,692,116,329
     • The demands of new technology:
       • Wireless, Smart Phones, VoIP, Social Media
     • Business relationships requiring integration:
       • Mass Eye and Ear, South Shore Hospital, Atrius
     • Finding the right balance between easy access to information for clinical care and securing our environment

  6. Recent Information Security and Privacy Regulations
     • MGL c.93H – establishes requirements related to encryption and security breaches (effective 10/02/07)
     • MGL c.93I – establishes requirements related to the secure destruction of paper and electronic records (effective 02/03/08)
     • FTC’s Red Flags Rule – establishes requirements related to preventing, identifying, and mitigating identity theft (effective 08/01/09)
     • HITECH Modifications to HIPAA’s Privacy and Security Rules (issued 02/17/09)
     • Interim Final Breach Notification Guidelines – establishes requirements related to reporting security breaches of unsecured PHI (effective 09/23/09)
     • 201 CMR 17.00 – establishes requirements for security programs for persons owning or licensing the Personal Information of Commonwealth residents (effective 03/01/10)

  7. We have to stop chasing the law . . . .

  8. Preventive Medicine

  9. Standards Matter

  10. A standards-based information security program (and yes, that’s a lot of acronyms) . . . .

  11. Information Security Core Principles
     • Information security is driven by business objectives.
     • Information security must be standards-based.
     • Information security is a risk-based, problem-solving activity.
     • Information security is collaborative.
     • Information security evolves.
     • Information security controls must be financially and operationally supportable.
     • Information security is largely about people, and not technology.
     • Information security should facilitate user productivity.
     • Information security should aspire to transparency and simplicity.

  12. ISO/NIST-Based Policy Framework: A Model Information Security Hierarchy
     [Figure: hierarchy of Policy Framework, Standards, Procedures]
     • Partners Confidential Data:
       • Protected Health Information
       • Personal Information
       • Employee Data
       • Financial Data
       • Intellectual Property
       • Source Code
       • Security Information
       • Policy Discussions

  13. ISO 27002 – 12 Information Security Clauses
     • Risk Assessment and Treatment
     • Security Policy
     • Organization of Information Security
     • Asset Management
     • Human Resources Security
     • Physical and Environmental Security
     • Communications and Operations Management
     • Access Control
     • Information Systems Acquisition, Development and Maintenance
     • Information Security Incident Management
     • Business Continuity Management
     • Compliance

  14. Initial Priorities
     • Drafting the Information Security Policy Framework
     • Information Security Incident Management
     • Laptop Encryption, and Device and Media Controls
     • Internet Content Filtering and Email Security
     • Privileged User Security and Service Accounts
     • Application and Web Services Security
     • Social Media Policy and Guidelines
     • 201 CMR 17.00 Compliance Strategy
     • Developing the 3-year plan

  15. Information Security Governance and Collaboration
     Proposed information security governance model:
     • PHS Information Security Steering Committee – initial meeting on 10/08/09.
     • PHS Security Operating Committee – initial meeting in November.
     Also, incorporating information security into existing organizational groups and processes (examples):
     • PHS Architectural Review Board
     • Partners member hospitals and sites

  16. Encryption Update
     • The encryption workgroup is defining Partners’ approach for each device that needs encryption.
     • The original date for compliance with 201 CMR 17.00 was January 1, 2010; it has been pushed back to March 1, 2010. PHS will continue to target January 1st.
     • Media Sanitization has been added to the project to reflect regulatory requirements.

  17. Encryption Project Update
