Healthcare Information Security Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast

Synopsis

Exclusive, insightful audio interviews by our staff with leading healthcare/security practitioners and thought leaders. Transcripts are also available on our site!

Episodes

  • Digital Forensics - Careers Tips from Rob Lee of SANS Institute

    05/02/2010

    Increasingly, digital forensics is an important element of an information security program for organizations of all types and sizes. But where can security leaders find qualified forensics professionals? How can these professionals obtain the skills and expertise they need to be successful? Rob Lee of Mandiant and SANS Institute discusses forensics careers, focusing on: Hot trends of 2010; Questions hiring managers must ask; Growth opportunities for qualified pros. Lee, a director with Mandiant and curriculum lead for digital forensic training at SANS Institute, has more than 13 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations where he

  • Improving Cyber Awareness - Strategies from Dena Haritos Tsamitis of Carnegie Mellon

    04/02/2010

    Dena Haritos Tsamitis has an ambitious goal for the year: to improve cyber awareness among 10 million people globally. The Director of Education, Training and Outreach at Carnegie Mellon University's CyLab, Dena discusses: The cyber awareness challenge among people of all ages; Effective techniques for improving awareness; How organizations can improve and maximize their own efforts. Dena oversees education, training and outreach for Carnegie Mellon CyLab, the university's cybersecurity research center. She leads the MySecureCyberspace initiative to raise "cyber awareness" in Internet users of all ages through a portal, game and curriculum. She guides the education initiatives of the NSF Situational Awareness for Everyone center, which explores ways to improve computer defenses by incorporating models of human, computer and attack interactions into the defenses themselves. Also through CyLab, she serves as Principal Investigator on two NSF-funded programs: the Scholarship for Service (SFS) program and t

  • 2010 Identity Fraud Study: Threats and Trends

    04/02/2010

    Interview with James Van Dyke of Javelin Strategy & Research. Identity fraud crimes expanded at a 12% rate in 2009. What can we expect to see in 2010? Javelin Strategy & Research is out with its latest Identity Fraud Study. For insight on the study results and what they mean to organizations across industry, James Van Dyke of Javelin discusses: Headlines from this year's study; Trends and threats to watch; What organizations and individuals can do to better protect themselves. Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.

  • Setting Tone at the Top: Jennifer Bayuk on Leadership

    02/02/2010

    When it comes to enterprise security, an organization gets its tone from the top - even when the tone is set accidentally. How do you set the right tone? That's the topic of the new book from former CISO Jennifer Bayuk: "Enterprise Security for the Executive: Setting the Tone from the Top." In an interview about her book, Bayuk discusses: The key audience she wants to reach; The main message for enterprise leaders; Today's top enterprise security challenges and how leaders should tackle them. Bayuk is an independent consultant on topics of information confidentiality, integrity and availability. She is engaged in a wide variety of industries with projects ranging from oversight policy and metrics to technical architecture and requirements. She has a wide variety of experience in virtually every aspect of information security. She was a Chief Information Security Officer, a Security Architect, a Manager of Information Systems Internal Audit, a Big 4 Security Principal Consultant and Auditor, and a Se

  • What it Takes to Make it in Information Security Today

    01/02/2010

    Career Insights from Srinivas Mukkamala of New Mexico Tech. Education, skills, experience - what exactly does it take to make it in an information security career today? Srinivas Mukkamala, an educator and practitioner, offers unique insight on: The necessary mindset for an information security professional; What are the baseline skills? How to keep skills sharp. Mukkamala, one of CAaNES' owners and its interim-Director of Operations, is a senior research scientist with ICASA (Institute for Complex Additive Systems Analysis, a statutory research division of New Mexico Tech performing work on information technology, information assurance, and analysis and protection of critical infrastructures as complex interdependent systems) and Adjunct Faculty of the Computer Science Department of New Mexico Tech. He leads a team of information assurance (IA) "first responders" who are deployed at the request of various government agencies and financial institutions around the state of New Mexico to perform vulnerab

  • Information Security Agenda - Kevin Richards, President of ISSA

    26/01/2010

    With Howard Schmidt's appointment as national cybersecurity coordinator, his role as president of the Information Systems Security Association (ISSA) has been filled by Kevin Richards, a risk management advisor with Crowe Horwath. In an exclusive interview, Richards discusses: Top agenda items for ISSA in 2010; Biggest information security threats; Best opportunities for information security professionals. Richards has served on the ISSA International Board since 2003, initially in a global chapter relations capacity and then as the international vice president since 2007. A past president of the Chicago ISSA Chapter, Richards is an information security and risk management advisor for Crowe Horwath with more than 18 years of experience in information security, business continuity and enterprise risk management. His expertise ranges from risk analysis and program design to information security and business continuity program development and leading practices.

  • Dixie Baker: Four Top HITECH Tips

    25/01/2010

    One of the nation's best-known healthcare data security experts who's advising federal regulators on policy issues offers advice to organizations preparing to comply with the data breach notification requirements of the HITECH Act. In an interview, Dixie Baker of SAIC advises hospitals and others to: Study how the HITECH Act, and the interim final rule on breach notification, precisely define what constitutes a data breach; Consider encrypting more information to protect against breaches; Implement detailed processes for notifying affected individuals and federal regulators about a breach; and Train all staff members about how to avoid a breach, how to recognize one and what to do if one should occur. Baker is senior vice president and chief technology officer for health and life sciences at Science Applications International Corp., a McLean, Va.-based scientific, engineering and technology applications company. The consultant has played a key role in the federal government's efforts to set policies and sta

  • What it Takes to be a Risk Manager - Kenneth Newman, Central Pacific Bank

    25/01/2010

    Risk management today - it's less about pure technology, more about business acumen and pure communication skills. This is the position of Kenneth Newman, VP & Information Security Manager at Central Pacific Bank. In an interview about top risk management trends, Newman discusses: Scope of the risk management job in banking institutions today; Biggest challenges to getting the job done right; Necessary skills for successful risk managers. Newman joined Central Pacific Bank as Vice President & Information Security Manager in February 2009. He oversees the bank's information security program and the protection of its information assets. Prior to joining CPB, Mr. Newman served as First Vice President & Online Risk Manager for Washington Mutual (WaMu) and has managed various global and regional security and risk functions for Deutsche Bank and Citigroup in New York. Central Pacific Bank is the main subsidiary of Central Pacific Financial Corp., a Hawaii-based financial institution with $5.2 billion in ass

  • Cost of a Data Breach - Dr. Larry Ponemon, Ponemon Institute

    22/01/2010

    What's the cost of a data breach? The Ponemon Institute is out with its 5th annual "Cost of a Data Breach" study, and in an exclusive interview Dr. Larry Ponemon discusses: The current cost of a data breach - and how it's risen since 2009; Data breach trends across industry; What organizations should do to respond to or prevent breaches. Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute. He is a Fellow of the Center for Government Innovation of the Unisys Co

  • Top Trends in Background Screening - Lester Rosen, Employment Screening Resources

    20/01/2010

    Credit reports, social networks and international background checks - these are three of the hottest topics in employment background screening, according to Employment Screening Resources (ESR), a CA-based firm. In an exclusive interview, Lester Rosen, President and CEO of ESR, discusses: The top 10 trends in background screening in 2010; Specific challenges for information security leaders; How to improve your organization's background screening process. Rosen, a retired attorney, founded ESR in 1996. In 2003, that firm was rated as the top screening firm in the US in the first independent study of the industry in a research report prepared by the Intellectual Capital Group, a division of HR.com. He is a consultant, writer and frequent presenter nationwide on pre-employment screening and safe hiring issues. His speaking appearances have included numerous national and statewide conferences. He has qualified and testified in the California, Florida and Arkansas Superior Court as an employment screening e

  • After 10 Years, a CISO's Role Evolves

    18/01/2010

    In 10 years as a security compliance officer, Christopher Paidhrin has seen his role broaden as data security has become an even higher priority at Southwest Washington Medical Center in Vancouver, Wash. Today, Paidhrin is more involved in policy development. He's also pushing to improve awareness of the policies in every sector of the hospital. "A policy does no good if it sits in a folder and no one reads it," he says. And he now advises area physician group practices on data security issues. In an interview, Paidhrin, who serves as the equivalent of a chief information security officer, singles out his top three priorities for 2010, including: Strengthening data loss prevention capabilities; Aligning IT goals with strategic goals; and Ramping up data security training. He also describes his hospital's annual risk analysis process, which is supplemented by a consultant's audit every three years "to make sure we're not deceiving ourselves."

  • Consultant: Hospitals Must Act Now on Security

    18/01/2010

    Faced with the threat of much stiffer penalties for data security violations and ramped-up enforcement at the federal and state levels, many hospitals are just starting to pay serious attention to security, contends consultant Kate Borten. But they must go far beyond investing in new technologies to develop comprehensive security strategies and actually carry them out, she says. In an interview, Borten, president of the Marblehead Group, predicts that civil suits by state attorneys general, like one recently filed in Connecticut, will grab the attention of hospitals and physician groups of all sizes, hopefully triggering action on data security. The HITECH Act gave state attorneys general the power to file civil suits on healthcare data security violations. Patients will be much more likely to file complaints with a state official than they would with a federal agency, she contends, predicting a ramping up of security cases. Among Borten's tips for hospitals playing catch-up on data security are: Hire

  • Privacy & Consumer Protection: What to Expect in 2010

    18/01/2010

    Interview with Lydia Parnes, Former Director of the FTC's Bureau of Consumer Protection. Privacy, data security and consumer protection - three of the top concerns to organizations everywhere. And they are three of the topics nearest and dearest to Lydia Parnes, former director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection. Now a partner in the Washington, D.C. office of Wilson Sonsini Goodrich & Rosati, Parnes works with organizations to ensure their privacy and security policies. In an exclusive interview, Parnes discusses: Current trends in privacy, data security and consumer protection; The greatest challenges to organizations entrusted with ensuring these protective measures; How the public and private sectors are likely to work together to tackle these challenges this year. Parnes' current practice focuses on privacy, data security, Internet advertising, and general advertising and marketing practices. The former director of the Bureau of Consumer Protection (BCP) at the

  • Lisa Gallagher: Ramp Up Breach Detection

    13/01/2010

    Hospitals and other healthcare organizations need to identify data security breaches "in a much more systematic way" to help ensure the privacy of personal information. That's the advice of Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society. Gallagher, one of the nation's leading healthcare data security experts, advises hospitals to "go beyond compliance" with federal regulations to "implement an active security risk management process." She also urges hospitals to allocate adequate resources to security so they can address potential threats identified in their risk assessments. A recent survey by Chicago-based HIMSS found that most hospitals spend less than 3% of their IT budget on security, a level Gallagher calls inadequate. As the federal government provides billions of dollars in funding for electronic health records through Medicare and Medicaid incentive payments, the government and the industry "need to make sure adequate resource

  • Dan Rode: Training Key to HITECH Prep

    07/01/2010

    The single most important step hospitals should take to comply with the HITECH Act is to retrain all employees, physicians and even volunteers on how to maintain the privacy and security of personal health information. That's the advice of Dan Rode, a regulatory expert at the American Health Information Management Association. In an interview, Rode also advises hospitals preparing for HITECH compliance to develop a detailed plan for reporting data security breaches and make sure that their business associates have similar plans in place. And he makes a strong case for greatly expanded use of encryption of electronic health records and other clinical information. Rode, vice president for policy and government relations, is a leader in the standards arena. He was among those who drafted the data standards that ultimately were incorporated in the Health Insurance Portability and Accountability Act.

  • Stephanie Reel: Top 10 Data Security Projects at Johns Hopkins

    06/01/2010

    Completing security risk assessments for a long list of applications and providing data security training to its entire staff are two of the top priorities for 2010 at Johns Hopkins Medicine, one of the nation's largest academic medical centers. In an interview, Stephanie Reel, vice president for information services for the Baltimore-based organization, spells out a top 10 list of data security priorities. The list also includes a massive effort to deploy new multi-factor authentication and broader use of encrypted e-mail. Reel is one of the nation's longest serving CIOs, with nearly 20 years of experience at Johns Hopkins. In addition to heading I.T. for the health system, she serves as vice provost for I.T. for all of Johns Hopkins University.

  • William Bria M.D.: Physicians and Data Security

    06/01/2010

    To make sure their information technology strategies adequately address the needs of physicians, many hospitals have designated a doctor to serve as chief medical informatics officer. These physicians are working closely with CIOs, CSOs and others to help select and implement I.T., including technologies to keep clinical information secure. In this interview, William Bria, M.D., chief medical informatics officer at Shriners Hospitals for Children, describes how the organization's 22 charity care hospitals are striving to provide doctors with easy access to a wealth of clinical information while minimizing the risk of privacy violations. Dr. Bria, founder and president of the Association of Medical Directors of Information Systems (AMDIS), also describes in detail the organization's use of: Two-factor authentication, including smart cards, at the hospitals; An additional authentication layer (codes generated by hardware tokens) for physicians accessing systems remotely; and New secure messaging technology

  • Charles Christian: The Security Challenges of Community Hospitals

    04/01/2010

    How do security leaders at community hospitals address data security challenges such as compliance with the HITECH Act? Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., also serves as the de facto chief security officer, dividing up many data security tasks among the members of his team, each of whom also are multi-taskers. In this interview, Christian, the former chairman of the Healthcare Information and Management Systems Society (HIMSS), describes the: Creation of a security breach notification plan to comply with the HITECH Act; Acquisition of an identity management system; Encryption of all data that goes "outside the building;" and Prohibition of storage of patient data on laptops. He also provides a real-world example of the value of an intrusion detection system that immediately pinpointed the room where someone visiting a patient unplugged a PC and plugged his laptop into the hospital's network.

  • Information Security Career Predictions - David Foote on What's Hot and Why

    31/12/2009

    Information security is the hot career option for professionals in 2010 and beyond. This is the prediction of David Foote of Foote Partners, the FL-based consultancy that tracks IT skills and competencies. In a look ahead at 2010 and beyond, Foote discusses: the security careers "bubble" and how it began; the wave that has driven the surge in security jobs; predictions for 2010-2012. Foote has long been one of the nation's leading industry analysts tracking, analyzing and reporting on IT workforce management and compensation practices, trends and issues. His columns, articles and contributions appear regularly in dozens of publications. As Foote Partners' CEO and Chief Research Officer since 1997, David leads a senior team of experienced former McKinsey & Company, Gartner, META Group, and Towers Perrin analysts and consultants, and former HR, IT, and business executives, in advising governments and corporations worldwide on increasing performance and managing IT's impact on their businesses and custome

  • Cisco Security Report: Malware, Social Media are Top Risks

    28/12/2009

    Malware is increasingly sophisticated, and social media are the common new venues for attacks. These are the headlines from the latest Cisco Annual Security Report. Patrick Peterson, Cisco senior fellow, offers highlights of the report, discussing: Top trends and threats; The risks to specific vertical industries and government agencies; The message to information security professionals looking to stay ahead of the threats. Peterson, Chief Security Researcher, is also a Cisco Fellow -- a position that is reserved for individuals whose technical contribution has made a material impact not only within Cisco, but also in the industry as a whole. As a security technology evangelist, Peterson leads research projects to understand cutting-edge criminal attacks and business models and develop the technologies to combat them. Peterson chairs the technical committee for the Messaging Anti-Abuse Working Group (MAAWG) and the authentication committee for the Authentication and Online Trust Alliance. He is a frequ
