Security Risk Mgt in Healthcare

1
Security Risk Mgt in Healthcare

• Bobby SinghDirector, Information Security Smart
  Systems for Health Agency

2
Agenda

• SSHA Mandate
• SSHA Information Security Mandate
• Security Program
• Example ISO Toolkit
• Approach Deliverables

3

• SSHA Mandate

4
SSHA Transforming Healthcare through IT

• Providing healthcare providers with timely,
  secure
• electronic access to patient information
• Creating a secure patient information sharing
  network between 150,000 providers at 24,000 sites
• The results
• Improved patient care
• More effective providers
• Integration
• Better use of financial resources

5
Vision and Mission

• Vision
• Help transform Ontarios health care delivery by
  enabling secure electronic exchange of health
  information among providers and patients
• Mission
• Enable health care providers to
• Electronically share health information quickly
  and securely and
• Make better care decisions

6
Who is SSHA connecting?

• Doctors
• Hospitals
• Pharmacists
• Laboratories
• Public Health Units
• Community care
• Continuing care
• Ministry of Health and Long-Term Care programs

7

• SSHA InfoSec Mandate

8
Mission

• The Security Groups mission is to
• Support Agencys mission to provide an health
  information network to the betterment of health
  care in Ontario by providing information security
  assurance and security design on the Agencys
  products and services
• Develop, implement, and mature Agencys
  information security program (Governance, Risk
  Management, Compliance, Education/Awareness..)
• Respond to information security incidents and
  provide assistance or take actions appropriately
  to manage security incidents

9
InfoSec Services
10

• Security Risk Mgt

Source EY
11
Facts

• Employee misconduct involving information
  systems was cited as a distant number two
  concern behind major virus, Trojan horse or
  Internet worms regardless of geographic region,
  industry or organizational size
• Only 24 gave their information security
  department the highest rating in meeting the
  needs of the organization
• Only 11 deemed government security-driven
  regulations as being highly effective in
  improving their information security posture or
  in reducing data protection

Source EY
12
Where to start

• Conduct a environmental scan
• Determine how security is viewed in the
  organization
• What obstacles are causing the budget to shrink
• Low hanging fruit
• Look for things that require minimum effort but
  produce concrete results such as guidelines
• Education/awareness training
• Physical walkthrough

13
Security Program

• Must have a security program
• Multi-year process so be patient
• Strategic value
• Measurement and metrics
• ROI
• Its not about how many viruses you stopped but
  how did you help move the business forward
• Consistent and periodic basis

14
Security Program Cont.

• What is your governance model
• Must have an enterprise wide security policy
• How to you manage risk or tolerance level
• Who do you report into
• CIO, CFO, VP or Director
• Marketable security program
• Identify key success factors

15
Security Program Cont.

• If you can afford - hire the best people
• Must show accountability, transparency and value
  for money within your own department
• Program must be supported by upper mgt.
• Accountability
• Create a security council/committee

16
Find a Champion

• Identify a security friendly and business
  understanding person
• Someone who looks at things holistically
• Get them involved and groom them

17

• ISO Toolkit

18
Objective

• Development of a toolkit that will equip health
  care organizations with the necessary
  methodologies, tools, training and templates
• Key is to deliver set of tools that will enable
  health care organization in educating them about
  information management, security, trust and
  accountability in managing information
• Tools may include education material, sample
  policies, contracts, gap analysis checklist and
  recommendations

19
Approach

• Mixed skill set in-house third party
• InfoSec will leverage its internal competencies
  and third party expertise to deliver a
  comprehensive resource centre for ISO 17799/27001
• Two set of deliverables
• One for small office to mid-size
• Other for mid-size to large institutions

20
Approach

• Steering Committee (Internal)
• Project related matters
• Budgets/Financial issues
• Strategic direction
• User Group (made up of external stakeholders)
• Requirements gathering
• Input providers
• Beta testers
• User Group
• Key to success is engaging our client base
• 12/14 participants from 10/12 different
  organizations
• Focused meetings/checkpoints over the course of
  the project

21
Deliverables

• The ISO Toolkit will be developed in the form of
  knowledge portal available to all health care
  organizations in Ontario
• The Toolkit will provide
• A security resource centre with heavy focus on
  education
• Tools, methodologies and guidelines
• Sample policies and templates
• Gap analysis checklist for risk assessment

22
Deliverables

• Some of the Tools that will be included
• Security Risk Assessment a methodology to
  enable security personnel in health care
  organizations to conduct a Threat and Risk
  assessment. This will be an approach tailored to
  the health care environment and in particular
  organization subject to PHIPA
• Security Policy Template pro forma security
  policies for large, medium and small
  organizations. This section will include links
  to health care organizations that have already
  developed policies
• ISO 17799 Gap Assessment gap self-assessment
  tool to measure compliance with ISO 17799
• Confidentiality Agreement Template standard
  confidentiality agreements that can be used by
  health care organizations
• 3rd Party Contract Template standard terms and
  conditions that can be included in contracts with
  3rd party organizations that process or access
  health information

23
Advantages of the Toolkit

• Better protection of the companys confidential
  information
• Uniform approach to handling managing
  information
• Establishment of benchmark
• Gain in patient TRUST
• Enhanced trust among providers
• Reduced risk of hacker attacks
• Structured security methodology that has gained
  international recognition
• Increased mutual confidence between partners
• Potentially lower premiums for computer risk
  insurance

24
In Summary

• Get your client/stakeholders educated
• Take your message out
• Build alliances
• Inject yourself in processes such as SDLC or ITIL
• Keep security in the front
• Keep it personal
• Show ROI

25
Discussion
26
Contact Info Bobby Singh 416.586.4231 Bobby.sing
h_at_ssha.on.ca