The CyberPHIx | A Meditology Services Podcast
The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
Got a topic that you want to hear about? We are all ears!
Submit your idea for Podcast topics to: firstname.lastname@example.org
Re-Engineering Vendor Security Risk Management
Run time (37:12)
You can outsource your systems and services, but you cannot outsource your risk.
In 2008, the FDIC set a benchmark for vendor data risk by stating that a financial institution’s board of directors (BOD) and officers are responsible for third-party actions as they affect data security. In healthcare, these same standards are starting to be applied, leading to increased oversight of vendor relationships.
In this CyberPHIx podcast, Kelly White, Founder and CEO of Risk Recon, outlines some key concepts for effective vendor risk management, drawing on experience in healthcare as well as other industries that are highly vulnerable to third-party data security breaches.
Kelly’s position in the security automation market provides us with insight into emerging trends in innovation and technology for better assessing the risk and potential impact of sharing data with vendors.
Our discussion with Kelly touches on some of the following trends:
- Understanding vendor risk management in peer industries, such as financial services, reveals opportunities for innovation and more effective oversight over vendor relationships in the healthcare sector.
- The Value of Risk is a key risk management concept that supersedes rating risk by the size of the vendor. In risk management activities with small or medium-sized vendors, focusing the lens on the Value of the Risk will help set the priorities most likely to lead to remediation.
- Healthcare is an industry primed to adopt and lead innovation and automation in risk management. The next wave of rapid security automation/innovation is likely to come out of the healthcare industry.
Detecting and Responding to Cyber Attacks
Run time (16:23)
The FBI reported last year that the average dwell time for hackers in the healthcare environment is 270 days before they are detected. Identifying and dealing with potential security gaps is especially important during security due diligence of new entities.
Learn ways that this detection gap can be closed in our recent CyberPHIx podcast episode with Peter Merrill, Director of Information Security at Dartmouth/Hitchcock Health Care System, and Meditology’s Brian Selfridge.
Our discussion with Peter touches on the following topics regarding security due diligence of merged and affiliated entities:
- Maintaining good security measures is a good business practice whether or not your organization is acquiring or integrating a new entity.
- Learn which security projects to prioritize when affiliating and integrating a new entity.
- Create a security program that balances the organization’s culture with its preference for techniques used in ethical hacking and other security due diligence methods.
- How to deal with different security approaches within affiliated entities.
Hanging a Lantern on Data Security: Senior-Level Exposure
Run time (18:04)
Our second CyberPHIx podcast interview with Mark Eggleston, CISO of Health Partner Plans, centers on communicating strategically with board-level and senior management executives. Mark and Meditology Services partner Brian Selfridge discuss how to present data security initiatives and issues to senior management, including some of these topics:
- Providing a concise risk management strategy overview on key security issues will bolster the security function’s role within the organization.
- Build relationships with senior management. Learn how they like information delivered and what key interests they have.
- The most effective communication tools are one-page summaries containing best practices and an illustration of risk reduction levels. In general, stay away from slide decks and too much technical detail for board level briefings.
- Create a 360-view of data security by engaging other members of the IT organization, compliance and legal in risk management conversations in a regular and organized setting.
Clearing the Fog of Data Security within the Cloud
Run time (23:27)
Cloud-based services offer new functionality and efficiency for healthcare organizations, but also bring with them new security considerations for protecting PHI. In this CyberPHIx podcast, Mark Eggleston, VP and Chief Information Security and Privacy Officer of Health Partner Plans, discusses implementation strategies for cloud-based applications. Mark and Meditology Services partner Brian Selfridge discuss the following approaches for managing data security risk within cloud-based applications:
- Identify a business case for securing data in the cloud environment. Determine whether your organization has the experience to implement the cloud solution internally or might benefit from a third party with experience in implementing that specific cloud solution.
- Ensure that Service Level Agreements (SLAs) and Managed Service Agreements (MSAs) with the cloud provider include specific security requirements, covering scenarios for end-of-service, ongoing risk assessment and downstream data sharing with fourth-party vendors.
- Clearly define user access roles to ensure cloud providers are aligning with the minimum necessary requirements.
- Prepare to educate board-level and senior management about the gaps in security controls with the cloud providers. Providing a concise risk management strategy will bolster the security function’s role within the organization.
Security Audit Fatigue: How Efficient Audits Can Drive Business Value
Run time (43:12)
Handling thousands of security audit questions per month while also conducting routine internal audits is a daunting and tiring task. Audit fatigue is real! However, meeting security audit requests has become a standard for doing business in the healthcare industry. This CyberPHIx episode examines successful approaches to handling security audits from a vendor’s perspective. Hear from Chris Risley, Executive Director Enterprise Risk Management of NASCO, an exclusive provider of claims processing and other services to Blue Cross / Blue Shield Plans across the country. This discussion addresses some of the following questions:
- How do you help your organization to combat audit fatigue?
- What standards do you have in place to improve responsiveness and drive efficiencies in the audit process?
- How do you handle capacity constraints in managing a portfolio of audits with limited bandwidth and staff?
- How does effective security risk management correlate to business value and how is that value communicated to leadership and the marketplace?
Security Certifications: Lessons from the Trenches
Run time (38:42)
Security framework certifications such as HITRUST and SOC 2 take center stage in this episode of CyberPHIx. Hear from Derek Vorphal, VP and CISO at Davis Vision, a provider of managed vision care plans nationally. Derek and Meditology Services partner Brian Selfridge have a candid conversation about where certifications really fit into the overall spectrum of information security risk management tools for healthcare organizations. Our discussion with Derek addresses some of the following issues:
- How well do security certifications reduce the number of security audit inquiries?
- Can security certification requirements be useful in managing day-to-day information security risk management?
- Derek offers advice for people in the early stages of the certification process.
- A broad range of staffing skills is needed to complete the certification process.
Seeing the Forest for the Trees: Effective Governance for Risk & Compliance
Run time (17:07)
Developing a cohesive system for meeting HIPAA compliance standards and the never-ending emergence of new security threats can be overwhelming. Approaches to effective compliance management are addressed in this short interview with Bob Quandt, owner of Bullseye Compliance, an experienced healthcare information security officer and leader who has held roles with ShareCare, HCA and several other health entities. The discussion focuses on common challenges faced by Chief Information Security and Compliance Officers, including the security frameworks that work best in healthcare; risk registers and risk tracking approaches; and the importance of obtaining buy-in across departments and varying management levels for new solutions and processes.
Respond, Control and Track: CISO Speaks to Key Data Security Approaches
In this podcast, healthcare system CISO Keith Henkell shares his approach to key data security activities, including Privileged Access Management, OCR Audit Response and Security Metrics Tracking techniques. Specific discussions center on strategies to prevent privilege-related breaches, such as the use of multifactor authentication and the reduction of local admin accounts. Keith also provides tips for using security metrics to craft a story for upper management, including a maturity score for your overall program, coverage indicators from existing security tools and a risk register.
Staying in the Swing of Things: Data Security during a Merger, Acquisition or Divestiture (Time: 24:38)
Mergers and acquisitions have a major impact on day-to-day privacy and data security programs. In this podcast, two veteran data security and privacy experts from Tivity Health (formerly Healthways) help security teams prepare for these events by sharing first-hand experiences on maintaining and migrating data privacy and data security programs following a divestiture and reorganization. Listen now to hear Tivity Health’s Jana Courmier, VP of Privacy, Compliance & Accreditation, and Paul Wolf, Information Security Officer, outline topics such as maintaining security controls and processes, managing personnel and reductions in staff, and communicating effectively with clients.
CISO Sales Pitch: Information Security Strategy (Time: 24:06)
A key component of a successful data security strategy is centered on people; specifically, navigating and managing cultural expectations and the organization’s philosophy on data management. Expert health system CISO Nick Falcone shares first-hand experiences in establishing a formal risk management program, with anecdotes and strategies on working within the organization’s culture.
For detailed show notes, please visit our Podcast page.