Security Risk Mgt in Healthcare - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Security Risk Mgt in Healthcare
  • Bobby Singh, Director, Information Security,
    Smart Systems for Health Agency

2
Agenda
  • SSHA Mandate
  • SSHA Information Security Mandate
  • Security Program
  • Example ISO Toolkit
  • Approach & Deliverables

3
  • SSHA Mandate

4
SSHA: Transforming Healthcare through IT
  • Providing healthcare providers with timely, secure
    electronic access to patient information
  • Creating a secure patient information sharing
    network between 150,000 providers at 24,000 sites
  • The results:
    • Improved patient care
    • More effective providers
    • Integration
    • Better use of financial resources

5
Vision and Mission
  • Vision
    • Help transform Ontario's health care delivery by
      enabling secure electronic exchange of health
      information among providers and patients
  • Mission
    • Enable health care providers to:
      • Electronically share health information quickly
        and securely, and
      • Make better care decisions

6
Who is SSHA connecting?
  • Doctors
  • Hospitals
  • Pharmacists
  • Laboratories
  • Public Health Units
  • Community care
  • Continuing care
  • Ministry of Health and Long-Term Care programs

7
  • SSHA InfoSec Mandate

8
Mission
  • The Security Group's mission is to:
    • Support the Agency's mission to provide a health
      information network for the betterment of health
      care in Ontario by providing information security
      assurance and security design for the Agency's
      products and services
    • Develop, implement, and mature the Agency's
      information security program (Governance, Risk
      Management, Compliance, Education/Awareness, ...)
    • Respond to information security incidents and
      provide assistance or take action as appropriate
      to manage security incidents

9
InfoSec Services
10
  • Security Risk Mgt

Source: EY
11
Facts
  • Employee misconduct involving information
    systems was cited as a distant number two
    concern behind major virus, Trojan horse or
    Internet worm outbreaks, regardless of geographic
    region, industry or organizational size
  • Only 24% gave their information security
    department the highest rating in meeting the
    needs of the organization
  • Only 11% deemed government security-driven
    regulations as being highly effective in
    improving their information security posture or
    in reducing data protection

Source: EY
12
Where to start
  • Conduct an environmental scan
    • Determine how security is viewed in the
      organization
    • What obstacles are causing the budget to shrink?
  • Low-hanging fruit
    • Look for things that require minimum effort but
      produce concrete results, such as guidelines
    • Education/awareness training
    • Physical walkthrough

13
Security Program
  • Must have a security program
  • Multi-year process, so be patient
  • Strategic value
  • Measurement and metrics
  • ROI
    • It's not about how many viruses you stopped but
      how you helped move the business forward
  • Consistent and periodic basis

14
Security Program Cont.
  • What is your governance model?
  • Must have an enterprise-wide security policy
  • How do you manage risk or your tolerance level?
  • Who do you report to?
    • CIO, CFO, VP or Director
  • Marketable security program
  • Identify key success factors

15
Security Program Cont.
  • If you can afford it, hire the best people
  • Must show accountability, transparency and value
    for money within your own department
  • Program must be supported by upper mgt.
  • Accountability
  • Create a security council/committee

16
Find a Champion
  • Identify a security-friendly person who
    understands the business
  • Someone who looks at things holistically
  • Get them involved and groom them

17
  • ISO Toolkit

18
Objective
  • Development of a toolkit that will equip health
    care organizations with the necessary
    methodologies, tools, training and templates
  • The key is to deliver a set of tools that will
    educate health care organizations about
    information management, security, trust and
    accountability in managing information
  • Tools may include education material, sample
    policies, contracts, a gap analysis checklist and
    recommendations

19
Approach
  • Mixed skill set: in-house and third party
    • InfoSec will leverage its internal competencies
      and third party expertise to deliver a
      comprehensive resource centre for ISO 17799/27001
  • Two sets of deliverables:
    • One for small office to mid-size
    • Other for mid-size to large institutions

20
Approach
  • Steering Committee (Internal)
    • Project related matters
    • Budgets/Financial issues
    • Strategic direction
  • User Group (made up of external stakeholders)
    • Requirements gathering
    • Input providers
    • Beta testers
  • User Group
    • Key to success is engaging our client base
    • 12/14 participants from 10/12 different
      organizations
    • Focused meetings/checkpoints over the course of
      the project

21
Deliverables
  • The ISO Toolkit will be developed in the form of
    a knowledge portal available to all health care
    organizations in Ontario
  • The Toolkit will provide:
    • A security resource centre with a heavy focus on
      education
    • Tools, methodologies and guidelines
    • Sample policies and templates
    • Gap analysis checklist for risk assessment

22
Deliverables
  • Some of the tools that will be included:
    • Security Risk Assessment: a methodology to
      enable security personnel in health care
      organizations to conduct a Threat and Risk
      Assessment. This will be an approach tailored to
      the health care environment and in particular to
      organizations subject to PHIPA
    • Security Policy Template: pro forma security
      policies for large, medium and small
      organizations. This section will include links
      to health care organizations that have already
      developed policies
    • ISO 17799 Gap Assessment: a gap self-assessment
      tool to measure compliance with ISO 17799
    • Confidentiality Agreement Template: standard
      confidentiality agreements that can be used by
      health care organizations
    • 3rd Party Contract Template: standard terms and
      conditions that can be included in contracts with
      3rd party organizations that process or access
      health information

23
Advantages of the Toolkit
  • Better protection of the company's confidential
    information
  • Uniform approach to handling and managing
    information
  • Establishment of a benchmark
  • Gain in patient TRUST
  • Enhanced trust among providers
  • Reduced risk of hacker attacks
  • Structured security methodology that has gained
    international recognition
  • Increased mutual confidence between partners
  • Potentially lower premiums for computer risk
    insurance

24
In Summary
  • Get your client/stakeholders educated
  • Take your message out
  • Build alliances
  • Inject yourself into processes such as SDLC or ITIL
  • Keep security in the front
  • Keep it personal
  • Show ROI

25
Discussion
26
Contact Info
  • Bobby Singh
  • 416.586.4231
  • Bobby.singh@ssha.on.ca