The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
If you would like to subscribe to The CyberPHIx on iTunes, Click Here. You can listen now by choosing a program described below.
Got a topic that you want to hear about? We are all ears!
Submit your idea for Podcast topics to: firstname.lastname@example.org
Security Audit Fatigue: How Efficient Audits Can Drive Business Value
Run time (43:12)
Handling thousands of security audit questions per month while also conducting routine internal audits is a daunting and tiring task. Audit fatigue is real! However, meeting security audit requests has become a standard for doing business in the healthcare industry. This CyberPHIx episode examines successful approaches to handling security audits from a vendor’s perspective. Hear from Chris Risley, Executive Director of Enterprise Risk Management at NASCO, an exclusive provider of claims processing and other services to Blue Cross / Blue Shield Plans across the country. This discussion addresses some of the following questions:
- How do you help your organization to combat audit fatigue?
- What standards do you have in place to improve responsiveness and drive efficiencies in the audit process?
- How do you handle capacity constraints in managing a portfolio of audits with limited bandwidth and staff?
- How does effective security risk management correlate to business value and how is that value communicated to leadership and the marketplace?
Security Certifications: Lessons from the Trenches
Run time (38:42)
Security framework certifications such as HITRUST and SOC 2 take center stage in this episode of CyberPHIx. Hear from Derek Vorphal, VP and CISO at Davis Vision, a provider of managed vision care plans nationally. Derek and Meditology Services partner Brian Selfridge have a candid conversation about where certifications really fit into the overall spectrum of information security risk management tools for healthcare organizations. Our discussion with Derek addresses some of the following issues:
- How well do security certifications reduce the number of security audit inquiries?
- Can security certification requirements be useful in managing day-to-day information security risk management?
- Derek offers advice for people in the early stages of the certification process.
- A broad range of staffing skills is needed to complete the certification process.
Seeing the Forest for the Trees: Effective Governance for Risk & Compliance
Run time (17:07)
Developing a cohesive system for meeting HIPAA compliance standards and the never-ending emergence of new security threats can be overwhelming. Approaches to effective compliance management are addressed in this short interview with Bob Quandt, owner of Bullseye Compliance, an experienced healthcare information security officer and leader who has held roles with ShareCare, HCA and several other health entities. The discussion focuses on common challenges faced by Chief Information Security and Compliance Officers, including the security frameworks that work best in healthcare; risk registers and risk tracking approaches; and the importance of obtaining buy-in across departments and varying management levels for new solutions and processes.
Respond, Control and Track: CISO Speaks to Key Data Security Approaches
In this podcast, healthcare system CISO Keith Henkell shares his approach to key data security activities, including Privileged Access Management, OCR Audit Response and Security Metrics Tracking techniques. Specific discussions center on strategies to prevent privilege-related breaches, such as the use of multifactor authentication and the reduction of local admin accounts. Keith also provides tips for using security metrics to craft a story for upper management, including the maturity score of your overall program, coverage indicators from existing security tools and a risk register.
Staying in the Swing of Things: Data Security during a Merger, Acquisition or Divestiture
Run time (24:38)
Mergers and acquisitions have a major impact on day-to-day privacy and data security programs. In this podcast, two veteran data security and privacy experts from Tivity Health (formerly Healthways) help security teams prepare for these events by sharing first-hand experiences on maintaining and migrating data privacy and data security programs following a divestiture and reorganization. Listen now to hear Tivity Health’s Jana Courmier, VP of Privacy, Compliance & Accreditation, and Paul Wolf, Information Security Officer, outline topics such as maintaining security controls and processes, managing personnel and reductions in staff, and communicating effectively with clients.
CISO Sales Pitch: Information Security Strategy
Run time (24:06)
A key component of a successful data security strategy is centered on people: specifically, navigating and managing cultural expectations and the organization’s philosophy on data management. Expert health system CISO Nick Falcone shares first-hand experiences in establishing a formal risk management program, with anecdotes and strategies on working within the organization’s culture.
For detailed show notes, please visit our Podcast page.