Healthcare Online User Group


David Finn, Symantec’s Healthcare IT Officer, sits down with Bernie Monegian, editor of Healthcare IT News, at the HIMSS’ Priva 

Jan 10, 2013 10:21 PM

Risk assessment today must focus on the data, not devices, and must do so in new ways because of consumerization, patient engagement, and changes in the care delivery and IT delivery models.

David Finn, Symantec’s Healthcare IT Officer, sits down with Bernie Monegian, editor of Healthcare IT News, at the HIMSS’ Privacy and Security Forum in Boston.

http://www.healthcareitnews.com/video/david-finn-symantec-2012-privacy-and-security-forum

http://www.youtube.com/watch?v=9yQ6dYzI0xo


Comments

Jan 15, 2013 04:58 PM

Great points. Focusing on the data is becoming ever more important with the traditional security perimeter (healthcare organization firewalls, etc.) blurring with mobile health, cloud computing and other trends. Compounding this challenge are BYOD, personal apps and other tools empowering healthcare workers with new alternatives and workarounds to get their job done, and inadvertently further dispersing the healthcare data. Discovering where the data is using tools such as DLP (Data Loss Prevention) is becoming a critical first step. With an accurate and up-to-date data inventory in hand, healthcare organizations can identify unsecured PHI before a potential breach occurs, and take preventative action such as cleanup, encryption, or moving the unsecured data somewhere more secure.

Also several good points about risk assessments in the interview with David Finn. Risk assessments can identify and prioritize risks, and (beyond regulatory compliance) can serve as a valuable tool to focus limited dollars for privacy and security to where they reduce the most business risk. Given all the locations of PHI and the myriad of possible ways it can be compromised, many healthcare organizations find that the number of hypothetical risks is daunting. In this case a useful best practice is to assign risks threat sources and use the threat source motivations, capabilities, avenues of attack, etc. to triage the real risks from the hypothetical risks. This enables healthcare organizations to focus those limited resources where they really count. More on this in another blog I did, and attached whitepaper.
