Frederick Scholl, Ph.D., CISSP, CISM, CHP
Monarch Information Networks, Inc.
[email_address]
May 30, 2009

Monarch Information Networks, Inc.
  • Independent consultant, 1991-present
  • Advise trusted businesses on how to protect their information
  • Clients: Schering-Plough, Quest Diagnostics, Nissan Americas

Web 2.0 Security Issues

HIPAA Enforcement
  • Security Rule / CMS: 10 audits in 2008/PwC; 6 currently in 2009/QISS
  • Security Rule / OIG: 8 audits of hospitals in 2008; 19 high-impact vulnerabilities per hospital
  • Privacy Rule / HHS/OCR: 6746 investigated resolutions in 2008; Providence Health (05-06): $100K; CVS (2008): $2.25M

HIPAA Enforcement under ARRA/HITECH
  • Breach Notification Rule: 9/17/2009
  • Federal medical record notification rule (CA, AR)
  • If more than 500 records: post to HHS; notify prominent media outlets
  • 261 million records of all types breached (05-09, www.privacyrights.org)

Financial Records Security Breach
  • ChoicePoint: -12% market value 2004-2005; $20M FTC fines; now part of Reed Elsevier
  • Heartland: -39% market value 2008-2009; class action lawsuit in progress

How to Avoid HIPAA Publicity
  • Implement risk management process
  • Key security problems to avoid
  • OIG assessment results

NIST Risk Management Framework

Key Security Activities
  • Business alignment
  • Application development
  • Infrastructure
  • Operations
  • Follow NIST 800-66 checklists
  • Develop and test incident response process
  • Encrypt PHI at rest and in transit
  • Review data destruction process

Key Activities, cont.
  • Move toward security standards: HITRUST, SCAP
  • Monitor

OIG 2008 HIPAA Findings - Large Hospitals

Healthcamp