Security Managers - A Practical Approach

Academic year: 2021

(1)

Managing e-health data:

Security management in practice

Marc Nyssen

Medical Informatics VUB

Master in Health Telematics KIST E-mail: [email protected]

(2)

Structure of the presentation

Practical approach towards ISMS: plan, do, act, check

How to start

Scope of the “institution”

People and committees concerned

Documents

(3)

Practical approach: plan

1- Determine the scope (department, application, institution?) (step 1)

2- Determine the information/privacy policy (step 2)

3- Comprehensive risk analysis (steps 3, 4, 5)

4- Plan risk treatment (step 6)

5- Select management goals and controls (step 7)

6- Prepare statement of applicability (step 8)

(4)

Practical approach: Do

1- Perform risk treatment, with resources allocated and controls (steps 1, 2, 3)

2- Education and training (step 4)

3- Manage operations and business resources (steps 5, 6)

4- Deal with security incidents (step 7)

(5)

Practical approach: Act

1- Carry out improvement measures (step 1)

(6)

Practical approach: Check

1- Monitor procedures and controls (step 1)

2- Review ISMS regularly (step 2)

(7)

Plan: 1. Scope of the “institution”

Delimit the boundaries of data security management

Department

Hospital

Single application: for example “medical record system”

Including or not including physical access

(8)

Plan: 2. Determine the information security/privacy policy

Information/privacy policy of the institution:

Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties.

General policy statements concerning how data is managed by the institution PLUS:

a) the need for health information security;

b) the goals of health information security;

c) compliance scope;

d) legislative, regulatory, and contractual requirements, including those for the protection of personal health information and the legal and ethical responsibilities of health professionals to protect this information;

e) arrangements for notification of information security incidents, including a channel for raising concerns regarding confidentiality, without fear of blame or recrimination.

f) the breadth of health information;

g) the rights and ethical responsibilities of staff, as agreed in law, and as accepted by members of professional bodies;

(9)

Plan: 2. Determine the information security/privacy policy (continued)

h) the rights of subjects of care, where applicable, to privacy and to access to their records;

i) the obligations of clinicians with respect to obtaining informational consent from subjects of care and maintaining the confidentiality of personal health information;

j) the legitimate needs of clinicians and health organizations to be able to overcome normal security protocols when healthcare priorities, often linked to the incapacity of certain subjects of care to express their preferences, necessitate such overrides; also the procedures to be employed to achieve this;

k) the obligations of the respective health organizations, and of subjects of care, where healthcare is delivered on a “shared care” or “extended care” basis;

l) the protocols and procedures to be applied to the sharing of information for the purpose of research and clinical trials;

m) the arrangements for, and authority limits of, temporary staff, such as locums, students and “on-call” staff;

n) the arrangements for, and limitations placed upon, access to personal health information by volunteers and support staff such as clergy and charity personnel.

(10)

Plan: 3. Risk assessment

1. Organize the risk management process: who will do what?

Committees, individuals? Consultants?

2. Identify the risks

3. Evaluate risk impact

4. Evaluate risk importance (establish a hierarchy)

5. Select solutions

(11)

Plan: 3. Risk assessment: points of attention

1. Information that needs protection:

Personal health information

Pseudonymized data derived from personal health data

Statistical and research data

Clinical/medical knowledge

Data on health professionals (staff/volunteers)

Information related to public health surveillance

Audit trail data

System security data, including access control data and all system

(13)

Plan: 4. Risk treatment

Goals:

Diminish (or eliminate) the risks to assets posed by the threats that were identified

(14)

Plan: 5. Management goals

Management goals:

For example:

Introduce new security measures:

Physical protection: steel doors, secure locks within 1 week

Physical access logging within 1 month

Firewall between local and external network within 2 months

Resources: $2500

HR: 3 man-months

(15)

Plan: 6. Statement of applicability

Statement of applicability:

Involvement: technical department: physical access

ICT department

External consultants

(16)

Plan: 7. Residual risk

What is the residual risk:

Although countermeasures were taken, residual risks remain:

- break-in via metal door

- break-in via the network's firewall

- personnel mischief
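As an added example (not from the slides), the risk register below scores assets from the "points of attention" list against the residual-risk threats above, ranks them (risk assessment step 4), applies the controls planned under management goals, and reports which risks remain above an acceptance level (step 7). The scales, scores, control effects and acceptance level are assumed values.

```python
"""Constructed risk register: inherent score, hierarchy, residual risk."""
from dataclasses import dataclass, field

# Assumed ordinal scales for this example: 1 (low) .. 4 (very high)
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    # planned controls as (name, likelihood reduction); assumed effects
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Step 3: risk impact score before treatment."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Step 7: controls lower likelihood; impact of a breach is unchanged."""
        reduced = self.likelihood - sum(r for _, r in self.controls)
        return max(1, reduced) * self.impact

# Constructed register using the assets and threats named on the slides
REGISTER = [
    Risk("Personal health information", "break-in via the metal door", 3, 4,
         [("steel doors and secure locks", 1), ("physical access logging", 1)]),
    Risk("Personal health information", "break-in via the network firewall", 3, 4,
         [("firewall between local and external network", 1)]),
    Risk("Audit trail data", "personnel mischief", 2, 3, []),
    Risk("Statistical and research data", "break-in via the network firewall", 2, 2,
         [("firewall between local and external network", 1)]),
]

def rank(register):
    """Step 4: establish a hierarchy, highest inherent score first."""
    return sorted(register, key=lambda r: r.inherent(), reverse=True)

def residual_above(register, acceptance: int):
    """Step 7: risks whose residual score still exceeds the acceptance level."""
    return [r for r in register if r.residual() > acceptance]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"inherent {r.inherent():2d} -> residual {r.residual():2d}  "
              f"{r.asset}: {r.threat}")
    print("To report as residual risk:",
          [r.threat for r in residual_above(REGISTER, 4)])
```

Risks that stay above the acceptance level after treatment are the ones the residual-risk statement must document.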

(17)

Assignment

Set up an ISMS for your institution (at least the “plan” part):

Department

Ministry

Company

Hospital

Make use of the ISO 27000 methodology, resulting in the set of documents required by the standard.

The “set of documents” will be bundled as a single report, with paragraphs corresponding to the ISO-ISMS documents as specified step by step above.

Unless specific references are used, references are not needed, but the methods used to gather information and to reach conclusions in the different parts of the report MUST be specified step by step!

(18)

References and more information

Introduction to ISO 2002 and friends, Martin Dolphin

ISO standards 27001, 27002, 27005 and 27799

Anne Lupfer, “Gestion des risques et sécurité de l'information”,

(19)

Thank you for your attention !

Any questions ?
