The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
If you would like to subscribe to The CyberPHIx on iTunes, Click Here. You can listen now by choosing a program described below.
Got a topic that you want to hear about? We are all ears!
Submit your idea for Podcast topics to: email@example.com
Hanging a Lantern on Data Security: Senior-Level Exposure
Run time (18:04)
Our second CyberPHIx podcast interview with Mark Eggleston, CISO of Health Partner Plans, centers on communicating strategically with board-level and senior management executives. Mark and Meditology Services partner Brian Selfridge discuss how to present data security initiatives and issues to senior management, including the following topics:
- Providing a concise risk management strategy overview on key security issues will bolster the security function’s role within the organization.
- Build relationships with senior management. Learn how they like information delivered and what key interests they have.
- The most effective communication tools are one-page summaries containing best practices and an illustration of risk reduction levels. In general, stay away from slide decks and too much technical detail for board level briefings.
- Create a 360-view of data security by engaging other members of the IT organization, compliance and legal in risk management conversations in a regular and organized setting.
Clearing the Fog of Data Security within the Cloud
Run time (23:27)
Cloud-based services offer new functionality and efficiency for healthcare organizations, but they also bring new security considerations for protecting PHI. In this CyberPHIx podcast, Mark Eggleston, VP and Chief Information Security and Privacy Officer of Health Partner Plans, discusses implementation strategies for cloud-based applications. Mark and Meditology Services partner Brian Selfridge discuss the following approaches for managing data security risk within cloud-based applications:
- Identify a business case for securing data in the cloud environment. Determine whether your organization has the experience to implement the cloud solution internally or would benefit from a third party with experience in implementing that specific cloud solution.
- Ensure that Service Level Agreements (SLAs) and Managed Service Agreements (MSAs) with the cloud provider include specific security requirements, covering scenarios for end of service, ongoing risk assessment and downstream data sharing with fourth-party vendors.
- Clearly define user access roles to ensure cloud providers are aligning with minimum necessary requirements.
- Prepare to educate board-level and senior management about the gaps in security controls at the cloud providers. Providing a concise risk management strategy will bolster the security function’s role within the organization.
Security Audit Fatigue: How Efficient Audits Can Drive Business Value
Run time (43:12)
Handling thousands of security audit questions per month while also conducting routine internal audits is a daunting and tiring task. Audit fatigue is real! However, meeting security audit requests has become a standard part of doing business in the healthcare industry. This CyberPHIx episode examines successful approaches to handling security audits from a vendor’s perspective. Hear from Chris Risley, Executive Director of Enterprise Risk Management at NASCO, an exclusive provider of claims processing and other services to Blue Cross / Blue Shield Plans across the country. This discussion addresses the following questions:
- How do you help your organization to combat audit fatigue?
- What standards do you have in place to improve responsiveness and drive efficiencies in the audit process?
- How do you handle capacity constraints in managing a portfolio of audits with limited bandwidth and staff?
- How does effective security risk management correlate to business value and how is that value communicated to leadership and the marketplace?
Security Certifications: Lessons from the Trenches
Run time (38:42)
Security framework certifications such as HITRUST and SOC 2 take center stage in this episode of CyberPHIx. Hear from Derek Vorphal, VP and CISO at Davis Vision, a national provider of managed vision care plans. Derek and Meditology Services partner Brian Selfridge have a candid conversation about where certifications really fit into the overall spectrum of information security risk management tools for healthcare organizations. Our discussion with Derek addresses the following issues:
- How well do security certifications reduce the number of security audit inquiries?
- Can security certification requirements be useful in managing day-to-day information security risk?
- Derek offers advice for people in the early stages of the certification process.
- A broad range of staffing skills is needed to complete the certification process.
Seeing the Forest for the Trees: Effective Governance for Risk & Compliance
Run time (17:07)
Developing a cohesive system for meeting HIPAA compliance standards while keeping pace with the never-ending emergence of new security threats can be overwhelming. Approaches to effective compliance management are addressed in this short interview with Bob Quandt, owner of Bullseye Compliance, an experienced healthcare information security officer and leader who has held roles with ShareCare, HCA and several other health entities. The discussion focuses on common challenges faced by Chief Information Security and Compliance Officers, including the security frameworks that work best in healthcare; risk registers and risk tracking approaches; and the importance of obtaining buy-in across departments and management levels for new solutions and processes.
Respond, Control and Track: CISO Speaks to Key Data Security Approaches
In this podcast, healthcare system CISO Keith Henkell shares his approach to key data security activities, including Privileged Access Management, OCR Audit Response and Security Metrics Tracking techniques. Specific discussions center on strategies to prevent privilege-related breaches, such as the use of multifactor authentication and the reduction of local admin accounts. Keith also provides tips for using security metrics to craft a story for upper management, including a maturity score for your overall program, coverage indicators from existing security tools and a risk register.
Staying in the Swing of Things: Data Security during a Merger, Acquisition or Divestiture
Run time (24:38)
Mergers and acquisitions have a major impact on day-to-day privacy and data security programs. In this podcast, two veteran data security and privacy experts from Tivity Health (formerly Healthways) help security teams prepare for these events by sharing first-hand experiences of maintaining and migrating data privacy and data security programs following a divestiture and reorganization. Listen now as Tivity Health’s Jana Courmier, VP of Privacy, Compliance & Accreditation, and Paul Wolf, Information Security Officer, outline topics such as maintaining security controls and processes, managing personnel and staff reductions, and communicating effectively with clients.
CISO Sales Pitch: Information Security Strategy
Run time (24:06)
A key component of a successful data security strategy is centered on people, specifically navigating and managing cultural expectations and the organization’s philosophy on data management. Expert health system CISO Nick Falcone shares first-hand experiences in establishing a formal risk management program, with anecdotes and strategies on working within the organization’s culture.
For detailed show notes, please visit our Podcast page.