Guest Post- Alex Naveira, Director, ITGA & CISO on Compliance

Posted by Ashley Sims - Marketing Manager on Thu, Apr 21, 2016

To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. We asked Alex what compliance meant to him and he had a list of different kinds of compliance and said "which one?" Needless to say, a CISO's job is quite complex when it comes to compliance and we are thrilled to have Alex join us to explain what he sees in his day to day life. 

An elderly man falls off of a subway platform and onto the train tracks.  A stranger pulls the man to safety while the train screeches to a stop.  Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.”  Now, what does this story have to do with compliance?  What is compliance?

According to the Oxford English Dictionary, compliance is defined as “acting in accordance with, and fulfilment of … conditions, or regulations,” but with Information Security this goes further: it is more than just acting in accordance with regulatory conditions or requirements. It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.” For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within.

The first thing we need to understand before having a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities).  Subsequently, we need to act on the processes and tools required to protect the information and technical resources within the environment.  Examples of these processes include access authorizations, continuous monitoring of infrastructure and system access threats, prioritization, and remediation of these threats.  Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems.  Before regulations required it, we were already implementing passwords, role-based security, putting up firewalls, IPSs, and Identity and Access Management systems.  Why?  Because experience and intuition told us that it was the right thing to do.

Today, we leverage these processes and tools to provide us a more intelligent path to management and control over our networked devices and, most importantly, our identities. As a consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right. In less proactive organizations, compliance can certainly be used as a catalyst in approving the necessary funds to optimize security and operations, but it should never be used as the sole factor for doing what is right.

When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to provide him “the law” of correctness before acting?  Of course not!  He just does what is right, even if difficult or expensive.  In the current world of nefarious movements, we need to establish an inherent culture of doing the right thing, not because a regulation tells us that it is right, but because our experience and intuition has assured us that it is the right thing to do.

Alex Naveira, CISSP, CISA

Director, ITGA & CISO

Information Technology

Miami Children's Hospital

Looking for ways to keep your organization compliant? Check out our Attack Intelligence for Healthcare Organizations data sheet, and you can even request a demo to see the solution at work.

Tags: continuous compliance, hipaa compliance, compliance

What does “Compliance” mean to a Healthcare CISO?

Posted by William "Buddy" Gillespie HCISPP, ITILv3 on Thu, Apr 14, 2016

The role of the healthcare CISO has expanded exponentially since the HITECH Act of 2009. CISOs were traditionally charged with the responsibility to maintain the IT environment consisting of applications and infrastructure. Today they are taking on an expanded organizational role consisting of innovation, operational responsibility and compliance. Although compliance governance takes a village of leadership and stakeholders, CISOs still remain at the center of the universe. A multitude of federal and state regulations are at the CISO’s doorstep, pressing on their scope of responsibility.

Among these regulations are PCI, ICD-10, Meaningful Use and, the biggest and most daunting of all, HIPAA. If a Healthcare Organization (HCO) fails to meet the compliance standards required by these regulations, the result may be penalties consisting of fines, possible imprisonment and the loss of credibility.

The “experts” all agree that the following are the largest and most challenging force vectors for the healthcare CIO to confront in order to achieve and sustain compliance:

  • Mobile Devices:
    • The sprawl of mobile devices in the Internet of Things (IoT) has created multiple and diverse conduits into patient data. A strong Mobile Device Management solution should be implemented, along with encryption where appropriate. CIOs are taking responsibility to map the information flow of patient data to ensure that the data is following the authorized path.
  • Rogue Applications:
    • None of the enterprise applications in healthcare can meet all the point-specific needs across the HCO enterprise. This void has spawned the sprawl of rogue applications. These apps are often acquired without the knowledge of the CISO. The CISO and IS are not able to provide the best controls without being a party to those third-party solutions.
  • The Cloud:
    • The use of Cloud Service Providers (CSP) in healthcare has its advantages and benefits. Lower cost and scalability are two of the most common benefits. However, the CISO must ensure that the CSP is HIPAA compliant and that a strong Service Level Agreement is negotiated.
  • Payment Card Industry (PCI):
  • HIPAA:
    • The number one compliance challenge for CISOs is HIPAA. The HITECH Act expanded the scope of HIPAA, and the Omnibus rule in 2013 gave definition and guidance for the implementation of the HITECH requirements. The Meaningful Use requirements expanded access to electronic medical records, thus creating additional opportunities for security breaches. The good news is that CISOs have the technical controls available in the marketplace to build a fortress against the onslaught of breach opportunities. The other side of the coin is that CISOs must build the case for a security budget that will allow for the acquisition and implementation of those controls.

In order to be successful and achieve the appropriate level of compliance, the CISO must advocate for compliance governance within the HCO. The CISO can be the catalyst, but it will take a village of leadership and stakeholders to weather the strong currents that drive compliance.

Want to hear more from Buddy on the role of HIPAA and compliance in healthcare? Download his free on-demand webinar Privacy and Security in Healthcare  

Tags: hipaa compliance, compliance, PCI DSS, HIPAA

What does "Compliance" mean to you?

Posted by Ashley Sims - Marketing Manager on Thu, Apr 07, 2016

Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." 

If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. 

HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and they all create very unique challenges for organizations. 

In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"

"What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls."

Brent Comstock - VP, Identity & Access Management, Elavon 

"Compliance is simply defined as the ability to comply with a set of rules or requests. As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc.). It is interesting to note that organizations continue to equate compliance with security, with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure."

Curtis Cain - CFO, Courion Corporation 

"With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within."

Alex Naveira, CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital 

"In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO.  The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy."

William "Buddy" Gillespie, HCISPP, ITILv3 - WJGillespie HIT Consulting  

Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. 

Looking for more information on how your organization can become or remain compliant? Courion and Core Security have multiple options for maintaining compliance across all industry and government regulations. Find out more here or contact us at info@courion.com.

Tags: access compliance, hipaa compliance, access risk, compliance

Improving Operational Efficiencies within Healthcare IT

Posted by Ashley Sims - Marketing Manager on Thu, Nov 19, 2015

As a healthcare security specialist, do the concerns of breaches and operational inefficiencies keep you up at night? With the average health record worth an industry high $398 per record, we can understand why. 

Last week, William "Buddy" Gillespie, HCISPP, the former CTO/CIO of Wellspan Health, joined us for a webinar and detailed ways that you could improve operational efficiencies within your organization and decrease your threat surface. Buddy drilled down into the issues facing organizations today, such as HIPAA compliance, healthcare operations, and more. It was a perfect first installment in our series of three webinars, and we hope you enjoyed it as much as we did.

For those of you who couldn't make the webinar and want to get caught up, we have it available for download now.

In this webinar you will learn: 

  • Regulatory Guidelines
  • PHI Security
  • Health Information Management
  • Healthcare Operations
  • And much more 

After you download part 1, make sure to get ahead of the crowd and the meetings that are always filling up your calendar and save the date for the second part of our series: 

Privacy and Security in Healthcare: Drivers, Trends, Challenges, and Solutions 

Wednesday, December 9th at 11:00 AM ET 

Tags: hipaa compliance, healthcare data, healthcare IT, HIPAA, healthcare security, phi security

Cyber Security for Baby Monitors, OnStar, and the IoT- #TechTuesday

Posted by Ashley Sims - Marketing Manager on Tue, Sep 15, 2015

Tags: cybersecurity, IOT, hipaa compliance, cyber security, #techtuesday, hack, breach, internet of things, Hacking, HIPAA

3 Steps to HIPAA Compliance

Posted by John Verner on Wed, Sep 09, 2015

With the rising use of mobile devices, EHR solutions, BYOD policies, and the amount of shared and saved data comes the rising challenge of HIPAA compliance. While this can seem like an insurmountable task, you don't have to try and tackle everything at once! We've broken the process down into 3 easy, repeatable steps to make your organization HIPAA compliant.

1. Perform a Risk Analysis

How do you secure your devices? What are the processes for PHI handoff? What are your password rules? To perform a risk analysis, you not only need the answers to these questions, you need to know your data flow. Knowing where your PHI enters, resides, and exits your environment will help you to know where your vulnerabilities are. Look at all of your devices, servers, and applications to make sure you have an understanding of how each of these works and, more importantly, where they do not.

There are plenty of options for finding vulnerabilities, from vulnerability scans to penetration tests. Here at Courion, we have our very own Quick Scan process to help find your weaknesses and create plans to help fix them.

Once you see all of your vulnerabilities, analyze the HIPAA risk level and potential impact to your organization by asking:

[Image: HIPAA risk levels]

Then assign each vulnerability a high, medium, or low risk value based on your findings so that you have an understanding of which risks to tackle first. 

2. Create a Risk Management Plan

Your risk plan can be as simple or as detailed as you want to make it. However, remember that being able to show extensive documentation of your intent to mitigate risk will go a long way in your quest for HIPAA compliance.

An easy way to do this is to answer the following four questions:

[Image: HIPAA compliance questions]

Remember you need to have a plan in place for the risks to the system and for each of your employee types that use the system.

Employees: Focus on training and education around security practices and HIPAA compliance. Put blockers in place to help stop breaches before they start. Teach the importance of HIPAA compliant passwords.

Business Administration: Anyone who touches your data should follow your rules. Whether this is a medical device repairman or a contractor, they should be held accountable for their involvement in your data. 

IT Department: IT doesn't always mean security. Make sure that your IT team is constantly updating your software and applications so that you have the most up to date security features.  

3. Implement Your Plan

Once you see all of your vulnerabilities laid out with their management plans, you will quickly see which of these are top priorities. Make a plan to take care of the biggest risks first and then start over. Keep identifying the top risks in your organization and working on implementing security fixes.

What's next? Rinse and repeat. While this is only a three step system it will still take you time to dig through your systems, solutions, and data to find where your greatest risks lie and even more time to find and implement the security fix. However, with an IAM solution you could automate much of this process. An IAM solution will continuously monitor your system and alert you to any variables that may lead to a breach.

Tags: cybersecurity, cyber risk, EHR security, emr security, hipaa compliance, healthcare data, healthcare, cyber security, EMR, EHR, electronic medical record, healthcare IT, medical records, cyber attack, compliance, HIPAA, #HIT, healthcare security