PHS Information Security Program: A Standards-based Approach
September 24, 2009
Jennings Aske – PHS CISO

Agenda
• Challenges
• Regulations
• Standards
• PHS Information Security Framework
• Initial Priorities
• Governance and Collaboration
• Encryption Update
What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.
– The Classic Hippocratic Oath
Partners HealthCare System, Inc.
• Serving the Community
• Teaching and Research
• Enhancing Patient Care
• Increasing Value and Improving Quality
• Leadership as an Integrated Healthcare System
Additional Challenges
• Scale of our environment:
  • Email Accounts: 66,246
  • IP Addresses: 79,561
  • Remote Access Users: 15,806
  • Annual number of eGate transactions: 1,692,116,329
• The demands of new technology: Wireless, Smart Phones, VoIP, Social Media
• Business relationships requiring integration: Mass Eye and Ear, South Shore Hospital, Atrius
• Finding the right balance between easy access to information for clinical care and securing our environment
Recent Information Security and Privacy Regulations
• MGL c.93H – establishes requirements related to encryption and security breaches (effective 10/02/07)
• MGL c.93I – establishes requirements related to the secure destruction of paper and electronic records (effective 02/03/08)
• FTC’s Red Flags Rule – establishes requirements related to preventing, identifying, and mitigating identity theft (effective 08/01/09)
• HITECH modifications to HIPAA’s Privacy and Security Rules (issued 02/17/09)
• Interim Final Breach Notification Guidelines – establish requirements related to reporting security breaches of unsecured PHI (effective 09/23/09)
• 201 CMR 17.00 – establishes requirements for security programs for persons owning or licensing the Personal Information of Commonwealth residents (effective 03/01/10)
A standards-based information security program (and yes, that’s a lot of acronyms) . . .
Information Security Core Principles
• Information security is driven by business objectives.
• Information security must be standards-based.
• Information security is a risk-based, problem-solving activity.
• Information security is collaborative.
• Information security evolves.
• Information security controls must be financially and operationally supportable.
• Information security is largely about people, and not technology.
• Information security should facilitate user productivity.
• Information security should aspire to transparency and simplicity.
A Model Information Security Hierarchy
• ISO/NIST-Based Policy Framework
• Standards
• Procedures

Partners Confidential Data:
• Protected Health Information
• Personal Information
• Employee Data
• Financial Data
• Intellectual Property
• Source Code
• Security Information
• Policy Discussions
ISO 27002 – 12 Information Security Clauses
• Risk Assessment and Treatment
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Initial Priorities
• Drafting the Information Security Policy Framework
• Information Security Incident Management
• Laptop Encryption, and Device and Media Controls
• Internet Content Filtering and Email Security
• Privileged User Security and Service Accounts
• Application and Web Services Security
• Social Media Policy and Guidelines
• 201 CMR 17.00 Compliance Strategy
• Developing the 3-year plan
Information Security Governance and Collaboration
Proposed information security governance model:
• PHS Information Security Steering Committee – initial meeting on 10/08/09.
• PHS Security Operating Committee – initial meeting in November.
Also, incorporating information security into existing organizational groups and processes (examples):
• PHS Architectural Review Board
• Partners member hospitals and sites
Encryption Update
• The encryption workgroup is defining Partners’ approach for each device that needs encryption.
• The original date for compliance with 201 CMR 17.00 was January 1, 2010; it has been pushed back to March 1, 2010. PHS will continue to target January 1st.
• Media Sanitization has been added to the project to reflect regulatory requirements.