Gary Christoph, Ph.D. - PowerPoint PPT Presentation

About This Presentation

Title: Gary Christoph, Ph.D.
Slides: 12
Provided by: GregStelz
Transcript and Presenter's Notes

1
Building a Culture of Confidentiality and Security
Gary Christoph, Ph.D. gchristoph_at_comcast.net
June 9, 2005

2
The Issues
  • Identity theft happens
  • Budget pressures continue the drive to adopt more
    and newer technologies
  • Network Security is Hard and Expensive
  • Consumers expect better of us
  • Compliance Mandates (HIPAA, GLBA, SarbOx, CA SB
    1386, etc.) are (unfortunately) strong security
    drivers

3
How do we inspire trust now?
We:
  • Deploy new technology without thinking about
    misuse
  • Deploy shrink wrap software
  • Use complex environments
  • Use bloated codes
  • Rely on people to do the right thing
  • Do not write things down
  • Hide our mistakes

4
How can we inspire trust?
  • Think about the risks we face
  • Develop coherent, enforceable policy
  • Publish our policies and procedures
  • Actually do what we say we are doing
  • Train and educate users and staff
  • Periodically test that it works
  • Report failures
  • KISS

5
Why do mandates exist?
  • Government is reactive, not proactive
  • Society only moves to protect people after
    problems become obvious
  • If a formal mandate exists, it is usually because
    there is a real problem that needs to be
    addressed

6
Compliance begets repeatability
Repeatability begets trust
  • Cutting too many corners now can put CEOs in
    jail
  • Bad publicity forces action
  • Consultants aim to make money, not fix the
    problem (FUD)
  • People are not good at assessing risk

7
Hard Network Security/Privacy Issues
  • People are involved
    • People are neither repeatable nor logical
    • People on the job make inappropriate assumptions
  • Technical Solutions are too complex
    • Point products do not tile the floor
    • Management of many solutions is not easy or
      cheap
    • Pace of technological change adds new
      vulnerabilities (e.g., wireless)
  • Administrative Solutions that are not solutions
    • Processes get in the way of work
    • Controls violated without your knowledge or
      without consequence

8
A Simple Strategy
  • Find a simple way to implement new features
  • Decide what is important to protect
  • Find a simple way to protect it
  • Document it
  • Test it
  • Act on changing threats
  • Communicate well

9
The Regs were written to be scalable and
technology neutral. Why?
  • Rules have to cover everything from a one-person
    dentist's office in Podunk, Missouri, to Johns
    Hopkins Hospital
  • It economically makes no sense to require
    everyone to have the same controls
  • Technology evolves

So:
  1. The solution must fit the need
  2. Be better than the average, but no more than that

10
Technology ONLY Addresses Part of the Problem
(Diagram of the HIPAA Administrative Simplification components; the recoverable text follows.)
  • Transaction Standards
  • Standard Code Sets
  • Unique Health Identifiers
  • Security
    • Administrative Procedures: Chain of Trust Agreement,
      Certification, Internal Audit, Training, Written
      Policies, Procedures, etc.
    • Physical Safeguards: Secure Workstation, Physical
      Access Controls, Media Controls, etc., Security
      Awareness
    • Technical Security Services: Access Controls,
      Authorization, Data Authentication, Entity
      Authentication
    • Technical Security Mechanisms: Basic Network
      Safeguards, Integrity and Protection
    • Electronic Signature: Not currently required
  • Privacy: covers Protected Health Information (PHI)
    transmitted or stored, in any medium (electronic,
    paper, oral)
    • General Rules: PHI data elements defined, Notice of
      Privacy Practices mandated, Minimum necessary
      disclosure/use of data
    • Limitations: Consent required for routine use,
      Authorization required for non-routine use
    • Business associate contracts required, Designated
      Privacy Officer, Training

11
The Trust Solution Target
  • Want transparency
    • Obviousness--easy for users to comply with
    • Easy for admins to enforce
  • Want repeatability
    • Works the same every time
    • Does only what it is supposed to do
  • Want universality
    • Everywhere same policy enforced the same
    • Use technology to reduce administrative controls
  • Want simplicity
    • Complexity is the enemy
  • Want easy to manage
  • Want verifiability
    • Documentable
  • Want cheap
    • Do not want to go out of business