A successful security program is all about managing risk.

By: Tod Ferran, CISSP, QSA
I had the opportunity to attend the Healthcare IT News/HIMSS Media Privacy & Security Forum in Boston. The speakers presented a lot of great information and security pointers for IT directors. Healthcare IT News wrapped up the conference really well, but I wanted to expand on the security observations I gleaned from it.

Security isn’t going to happen if the C-suite isn’t involved

Nate Russ, Regional Director of Northeast Healthcare at Symantec, explained that those involved with security must show why security is a strategic move from a business standpoint in order to get funding. If business leaders don’t see the urgency, why would they boost your budget?

He also pointed out the importance of leveraging compliance exercises for security budgeting, a point further expounded upon by John Halamka, CIO of Beth Israel Deaconess Medical Center. Halamka explained a test he conducted on his workforce members, in which he disseminated phishing emails to gauge their phishing awareness. Each workforce member who clicked on the email represented a compromise to the business and a potential breach of data. Halamka made sure to add that the decision wasn’t an IT initiative. It was a business initiative overseen by business leaders.

I can’t stress the concept of involving corporate leadership enough.
Security is a cultural problem within the business. It’s not just an IT problem.
If your security and risk management is going to succeed, it’s because everyone at the organization is on board.

Like SecurityMetrics’ CEO Brad Caldwell always says, “Security isn't just technical, it's a mentality within an organization.”

Stop thinking you are immune to compromise

In Linda Sanches’ presentation about OCR audits, she kept stressing the vulnerability of the healthcare industry. The ‘this could happen to me’ mentality should be felt by all providers and motivate them to strengthen their security posture.
The idea of undergoing a breach tomorrow is terrifying. What’s even scarier is not being prepared to deal with it. I counsel all my clients to create a proactive (vs. reactive) breach plan. This is easily done as you identify your risks in your HIPAA Risk Analysis and create your Risk Management Plan.

Your security strategy needs to be risk-based

My favorite idea at the conference was presented by Jim Routh, CISO at Aetna. He said building a security program based on regulations is not enough. It must be a risk-based program.

As a HIPAA security auditor, I deal with this problem a lot. Many healthcare providers struggle just to meet the bare minimum HIPAA requirements. That’s not really the point of HIPAA, or of any other security regulation for that matter.

If you’re really concerned about security, about your patients’ data (which extends to their health and safety), and about your reputation, go beyond what’s required in government mandates.

What were your favorite parts of the conference?

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.