Agenda for Brazil P&S Sessions - DRAFT
Session 1 – Introduction
Title: We hear about cyber-attacks and resulting breaches of patient data in the news almost daily.
Considering the unique challenges faced by hospital and other provider organizations relating to electronic health data and cyber threat, we will discuss basic privacy, security and risk concepts and learn about a basic framework for organizational risk assessment.
Privacy, Security and Confidentiality Defined
Patient Privacy concerns
Privacy Principles
Security – CIA
- Confidentiality
- Integrity
- Availability
Today’s Health IT Environment Creates Security Risk
- Healthcare Environment – “The Problem” - Increasing Use of IT in health care, delivery, payment
- Threat Environment
- IT Vulnerabilities
- Etc.
Cyber Defined
Risk Assessment – Intro
Security Risk as part of business risk (point forward to next module)
Risk Assessment defined.
Threat
- Vulnerabilities
- Risk
- Severity
- Likelihood
- Impact
- Risk
- Mitigation
Identify
Session 2 - Cyber Risk as a Component of Business Risk – Communicating with C-Suite
As part of a healthcare organization’s efforts to mitigate potential cyber risks, active governance with both the C-Suite and the organization’s board of directors can reduce the risk and exposure of potential cyber events impacting overall business risk. Learn about governance and risk management approaches and how to communicate relevant metrics and measures.
Measures/Metrics
ROI versus ALE versus….
Language/Vocabulary – talking about security in terms of mitigating business risk and the business value of security efforts
Protect/Detect
Session 3 – Monitoring and Detection
Healthcare organizations make a tremendous investment in IT products to monitor network activity and enforce business rules. Learn how to make efficient use of data collected by these tools and what it takes to detect breaches.
Security Continuous Monitoring
- Monitoring Tools
- End Point Monitoring
- What to do with the Data
Detection
- Breach detection
- Forensic Analysis
- How do we know what is a breach?
- Employee monitoring
Respond and Recover
Session 4 - Response Planning and Recovery
One of the greatest challenges facing today's health IT security professionals is planning and preparing to respond to a security breach. A healthcare organization’s response can best be handled by adhering to the six generally accepted steps of incident handling: preparation, identification, containment, eradication, recovery, and lessons learned.
Response Planning
- Response Planning
- Mitigation activities
- Disaster Recovery
- Business Continuity
- Law Enforcement
- Victim Notification
Recovery Planning
- Recovery of IT Infrastructure
- Recovery of Business Operations
- Damage mitigation – reputational, compliance, cost, employee morale
Session 5 – Specific Implementation Risks for Healthcare Organizations
Healthcare organizations often incorporate new or disruptive technologies before evaluating the risks and having governing policies and procedures in place. Learn the risks for healthcare organizations associated with the use of these technologies: Cloud, Mobile, Social Media, and Internet of Things.
- Cloud
- Mobile
- Social Media
- IoT