Healthcare Information Security Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast

Information:

Synopsis

Exclusive, insightful audio interviews by our staff with healthcare/security leading practitioners and thought-leaders. Transcripts are also available on our site!

Episodes

  • Risk Management Techniques: Mark Ford of Deloitte

    31/03/2010

    Getting senior executives involved early and making sure they understand the organization's security vulnerabilities are two vital steps in any risk management initiative, says Mark Ford of Deloitte. In an interview, Ford offers advice on how to: Win the support of senior executives as well as boards of directors for risk management investments; Comply with new federal breach notification rules; and Apply encryption based on risk factors. He also predicts the HITECH Act will serve as a catalyst for hospitals to standardize on fewer clinical information systems to help them simplify their security assurance efforts. Ford is principal of security and privacy services in the healthcare provider practice at Deloitte. The former officer in the U.S. Army Military Intelligence Corp. has 14 years of information security and controls consulting experience.

  • The Case for Federated ID Management

    29/03/2010

    Interview with Tom Smedinghoff of Wildman Harrold. The topic has been discussed for years, but now truly is the time for organizations to invest in federated identity management. So says Tom Smedinghoff, partner at Chicago-based law firm Wildman Harrold. In an exclusive interview, Smedinghoff discusses: What's new about federated ID management; Challenges to implementing a federated strategy; How to build a solid business case for deployment. Smedinghoff is a partner at Wildman Harrold, where his practice focuses on the new legal issues relating to the developing field of information law and electronic business activities. He is internationally recognized for his leadership in addressing emerging legal issues regarding electronic transactions, information security, and digital signature authentication issues from both a transactional and public policy perspective. He has been retained to structure and implement e-commerce, identity management and information security legal infrastructures for the federal g

  • Payments, Privacy and Vendor Management - Global Best Practices

    29/03/2010

    Interview with Adrian Davis of the Information Security Forum. In terms of payments, privacy and third-party relationships, U.S. security leaders have much to learn from - and share with - their peers in the U.K. and elsewhere in the world. This is the perspective of Adrian Davis, a senior research consultant with the UK-based Information Security Forum. In an exclusive interview, Davis discusses: Top threats to public and private organizations; Insights on payments, privacy and vendor management; Advice to organizations looking to improve information security globally. Davis heads the Leadership and Management group within the Research and Services Team of the Information Security Forum, responsible for delivering client-facing projects. His team covers topics such as the role and effectiveness of information security; the role and skills of information security professionals from junior analyst to the Chief Information Security Officer and Chief Security Officer; managing and assessing information secu

  • Bill Braithwaite: Beef Up HITECH Rules

    24/03/2010

    The final version of regulations to carry out the HITECH Act must include far more details on privacy and security to ensure widespread adoption of electronic health records, says William R. Braithwaite, M.D., Ph.D. In an interview, Braithwaite, widely known as "Dr. HIPAA" for his work in drafting the HIPAA administrative simplification provisions, says the Medicare and Medicaid EHR incentive program under HITECH will fail if clinicians and patients alike don't trust the security of the systems. He says: Regulators should add much more specific guidelines for security to the "meaningful use" and EHR software certification rules. The final version of the rules should enable hospitals and physicians to qualify for earning EHR incentives in phase one by achieving less demanding criteria. Healthcare organizations must immediately gear up their privacy protection efforts in tandem with their efforts to phase in EHRs. Braithwaite is now chief medical officer for Anakam Inc., a security technology company. He p

  • Insurance Fraud Trends: Dr. Andrea Allmon, FICO

    23/03/2010

    Organized crime has targeted healthcare organizations for insurance fraud scams. What are the risks? What are the solutions? Dr. Andrea Allmon, senior director with FICO, discusses: Insurance fraud trends; How organizations are most vulnerable; What to do now to reduce fraud today. Allmon is responsible for FICO's fraud solutions in the insurance and healthcare industries, where she focuses on bringing new and innovative analytic based solutions to market. In her more than 10 years at FICO and over 20 years of industry experience, she has been focused on utilizing data and analytics to solve complex mission critical business and clinical challenges. During her career she has served in key managerial positions and her clients have included property & casualty insurers, worker's compensation insurers and both commercial and government healthcare payors. Prior to joining FICO, Dr. Allmon was the Assistant Director of Analytics at Axios Data Analysis Corporation and was responsible for the development of risk

  • Insider Threat: Your Greatest Risks

    22/03/2010

    Interview with Dawn Cappelli of Carnegie Mellon University's Software Engineering Institute. Insider crimes are among the biggest threats to public and private sector organizations. And yet too many groups continue to struggle to prevent or even detect these crimes. In an exclusive interview, Dawn Cappelli of Carnegie Mellon University's Software Engineering Institute discusses: Insider threat trends; Biggest challenges for organizations looking to prevent crimes; Steps organizations can take to reduce risk. Cappelli is Technical Manager for the Threat and Incident Management Team of the CERT Technical Staff at Carnegie Mellon University's Software Engineering Institute (SEI). She has over 25 years' experience in software engineering, including programming, technical project management, information security, and research. She is technical lead of CERT's insider threat research, a CyLab-funded project including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT. Before joinin

  • Michael Mucha: Risk Management at Stanford

    09/03/2010

    Widespread implementation of encryption is a top priority at Stanford Hospital and Clinics, thanks, in large part, to the "safe harbor" in the HITECH breach notification rule, says Michael Mucha, information security officer. He notes that organizations that use the proper form of encryption don't have to report data breaches under the HITECH Act. He says this safe harbor instantly created an obvious return on investment for encryption. In an in-depth interview, Mucha discusses Stanford's risk management projects, including: Using data loss protection, or DLP, as an extension of encryption; Implementing an event correlation system that aggregates logs and uses business rules to monitor who is accessing information and detect potential internal breaches; and Updating role-based access to systems. Palo Alto, Calif.-based Stanford Hospital and Clinics, part of Stanford University Medical Center, recently received a Stage 7 award from HIMSS Analytics. It's one of only a handful of organizations to receive t

  • Kenneth Bradberry: Risk Analysis Is Never-Ending

    08/03/2010

    A risk analysis should not be an annual event, but rather an ongoing process that's revisited whenever a healthcare organization adds or changes any application. That's the advice of Kenneth Bradberry, vice president and chief technology officer at ACS, a consulting firm recently acquired by Xerox. In an interview during the HIMSS Conference in Atlanta, Bradberry said: Compliance with the HITECH Act should begin with "good security practices at every layer," including infrastructure and application delivery; Encryption is paramount, especially as clinicians gain access to electronic health records via mobile devices; and Larger organizations need a full-time chief information security officer.

  • RSA 2010: Warren Axelrod on Information Security

    05/03/2010

    C. Warren Axelrod is a veteran banking/security executive and thought-leader, and in an exclusive interview at the RSA Conference 2010 he discusses top security trends and threats, including: Insider fraud; Application security; Cloud computing. Axelrod is currently executive advisor for the Financial Services Technology Consortium. Previously, he was a director of Pershing LLC, a BNY Securities Group Co., where he was responsible for global information security. He has been a senior information technology manager on Wall Street for more than 25 years, has contributed to numerous conferences and seminars, and has published extensively. He holds a Ph.D. in managerial economics from Cornell University, and a B.Sc. in electrical engineering and an M.A. in economics and statistics from Glasgow University. He is certified as a CISSP and CISM.

  • Terrell Herzig: Intrusion Detection and More

    05/03/2010

    UAB Health System in Birmingham, Ala., is tackling a long list of information security projects, including updating intrusion detection and prevention systems. In an interview, Terrell Herzig, HIPAA security officer, outlines priority projects, including: Expanding the use of encryption; Conducting vulnerability assessments; and Participating in a national effort to securely share information on cancer patients. Herzig, who serves as the equivalent of a chief information security officer, heads a team of three security specialists at the delivery system, which includes a 1,000-bed hospital and numerous outpatient facilities throughout the state. He is one of the authors of a new book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.

  • RSA 2010: Banking/Security Agenda - Paul Smocer, Financial Services Roundtable

    04/03/2010

    What are the key banking/security topics on the minds of leaders of the nation's largest banks? At the RSA Conference 2010, Paul Smocer of BITS and the Financial Services Roundtable discusses: The Roundtable's information security priorities; How regulatory reform may impact security organizations; The future of the Shared Assessments Program - in banking and beyond. Smocer, VP of Security at BITS, a division of the Financial Services Roundtable, leads the group's security program. Smocer has over 30 years' experience in security and control functions, most recently focusing on technology risk management at The Bank of New York Mellon and leading information security at the former Mellon Financial. While at Bank of New York Mellon and at Mellon, Smocer was actively engaged with BITS as a member of its Vendor Management Working Group, as 2005 Chair of its Security Steering Committee, and as 2004 Chair of its Operational Risk Committee.

  • Certifications: What's New? - Hord Tipton, (ISC)2

    04/03/2010

    Education and training are two of the key priorities of information security professionals and organizations in 2010. And professional certifications are at the heart of that training. What's new in information security certifications? In an exclusive interview at RSA Conference 2010, W. Hord Tipton, Executive Director of (ISC)², discusses: Training trends; What's new from (ISC)2; Insight into new research on the profession. Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.

  • PCI: What's Next and When?

    02/03/2010

    From RSA 2010: Interview with Bob Russo, GM of the PCI Security Standards Council. How will the Payment Card Industry Data Security Standard (PCI DSS) be amended, and when? These are the key questions in payments security, and Bob Russo, GM of the PCI Security Standards Council, is prepared to start answering them. In an exclusive interview conducted at RSA Conference 2010, Russo discusses: Key questions about PCI; Potential solutions to enhance payments security; Timeline for the release of the next PCI standard. Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, Mas

  • David Wiseman: Preparing for HIPAA Audits

    01/03/2010

    Hospitals preparing for a potential government audit of their HIPAA security rule compliance should "build a continual state of readiness," says David Wiseman, information security manager at Saint Luke's Health System, Kansas City, Mo. To be fully prepared, Wiseman says hospitals should: Conduct a HIPAA compliance evaluation to identify areas of weakness; Put together an action plan for resolving those weaknesses; Carefully monitor whether all compliance strategies, such as changing passwords every 90 days, are actually being carried out throughout the enterprise; Update risk assessments whenever an application is upgraded or replaced; and Make extensive use of encryption. About two years ago, Saint Luke's Health System went through what was then a very rare federal audit when the U.S. Department of Health and Human Services was attempting to measure its ability to oversee and implement the HIPAA security rule. Now the Office of Civil Rights within HHS is gearing up to conduct HIPAA compliance audits t

  • Todd Fitzgerald: CISO Leadership Skills

    26/02/2010

    Chief information security officers need to be able to translate technical projects into clear business terms, says Todd Fitzgerald, co-author of the book, "CISO Leadership Skills: Essential Principles for Success." In an interview, Fitzgerald: Describes the managerial skills that CISOs need; Outlines how to treat a security program as a business; Stresses the need for security professionals to become certified; Describes how to win support of senior management for security investments; and Offers insights on how to prepare for a compliance audit. Fitzgerald is senior technical compliance adviser at National Government Services Inc., a Medicare contractor that handles claims processing. He is responsible for coordinating all external government audits for the company. He formerly served as a security officer for several other organizations. His book was published by the International Information Systems Security Certification Consortium.

  • What is 'Reasonable Security?' - David Navetta, Information Law Group

    24/02/2010

    When it comes to protecting your organization and your customers from a data breach, what is considered "reasonable security?" This question is at the center of several ongoing lawsuits, and how the courts answer it may be one of the biggest stories of 2010. Shedding light on this hot topic is David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee. In an exclusive interview, Navetta discusses: Current regulatory trends, including the HITECH Act; Legal issues surrounding "reasonable security;" How to use existing standards to establish "reasonable security." Prior to co-founding the Information Law Group, Navetta established InfoSecCompliance LLC ("ISC"), a law firm focusing on information technology-related law. ISC successfully served a wide assortment of U.S. and foreign clients from Fortune 500 companies to small start-ups and service providers. He previously worked for over three years in New York as assistant gener

  • Michael Frederick: Baylor's Compliance Strategy

    23/02/2010

    Michael Frederick, chief information security officer at Baylor Healthcare System in Dallas, is using the HITRUST Common Security Framework to help ease the task of complying with multiple regulations. In an interview, Frederick, who heads a staff of 22, describes how the framework is helping him achieve several goals, including demonstrating 100% HIPAA compliance. He also: Describes how Baylor developed its own "downtime viewer" system that offers read-only access to critical data during a system outage; Outlines why Baylor is devoting more resources to disaster recovery and business continuity; Shares Baylor's breach notification strategy; Describes efforts to create audit trails that demonstrate compliance; Pinpoints how the organization uses encryption; and Discusses how his role as CISO has evolved. Frederick, who became Baylor's first full-time CISO two years ago, serves the entire health system, which includes 13 hospitals and more than 100 clinics.

  • Rebecca Herold: Use the Right Encryption

    19/02/2010

    Choosing the right form of encryption is essential when attempting to comply with the HITECH Act, says consultant Rebecca Herold. In an interview, Herold: Stresses that healthcare organizations can gain an exemption from the HITECH requirement to report data breaches only if they use specific NIST-approved minimum encryption standards. She points out that many encryption programs fall short of that standard. Notes that many hospitals simply "scramble" data on their own, thinking it will meet the HITECH breach notification "safe harbor" requirement for encryption, when it does not. Urges all healthcare organizations to formally document and assign responsibility for information security and privacy, and then communicate all policies to the entire staff. Stresses the cost-effectiveness of security safeguards. "It is much less expensive to implement safeguards than it is to pay for the expenses of incidents and privacy breaches after the fact." Herold, owner of Rebecca Herold & Associates, is known as the

  • The Skinny on the Kneber Botnet

    18/02/2010

    Alex Cox, Research Consultant and Principal Analyst, NetWitness. Alex Cox, a research consultant and principal analyst at the IT security firm NetWitness, discovered last month the Kneber botnet, a variant of the ZeuS Trojan that he says has infested 75,000 systems in 2,500 corporate and governmental organizations worldwide. (See Botnet Strikes 2,500 Organizations Worldwide.) In an interview, Cox describes: How the Kneber botnet works; Who the malware targeted; Damage the botnet could cause. Cox was interviewed by Eric Chabrow, GovInfoSecurity.com managing editor.

  • Beyond Compliance: Forrester's 5 Key Principles

    09/02/2010

    Khalid Kark, vice president at Forrester Research, recently wrote an in-depth report on healthcare information security in which he described five key principles. In an interview, Kark discusses each principle, including: Take a risk-based approach and look beyond regulatory compliance, focusing instead on creating a broader security framework; Follow the data through its entire life cycle, making sure it's protected when it's in the hands of business partners, outsourcers and others; Equip yourself with the ability to monitor and respond to security incidents; Focus on third parties and business associates, making sure all agreements spell out security provisions; and Be prepared to respond to the changing technology and threat landscape, such as the increasing use of social networks. Kark focuses on information security issues for clients of Forrester Research, a Cambridge, Mass.-based firm that offers consulting as well as research reports.
