[ISN] Taking time to build out a strong health IT security program

http://healthitsecurity.com/2014/06/17/taking-time-to-build-out-a-strong-health-it-security-program/

By Patrick Ouellette
Health IT Security
June 17, 2014

Department of Health and Human Services (HHS) Chief Regional Civil Rights Counsel Jerome Meites recently predicted that there would be a considerable uptick in HHS data breach penalties within the next year, according to thehill.com. “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Meites said, adding that he wasn’t speaking on the behalf of HHS.

Meites’ comments should be the latest reminder to healthcare organizations that they should be prepared with transparent security programs in the face of upcoming HIPAA audits. Anahi Santiago, Chief Information Security Officer (CISO) and Privacy Officer at Einstein Healthcare Network, explained to HealthITSecurity.com how much of the work that she did years ago within her organization has helped keep it equipped for a potential federal visit.

In building her security program over her 9 ½ years at Einstein, Santiago said she has used pieces of a variety of different security frameworks as reference points. She sees all of the frameworks crossing paths and having similarities, so having a mix of the different frameworks makes the most sense.

We started with the NIST framework and weren’t overly prescriptive with it; we used it as a baseline and have taken some pieces from COBIT and ISO, and we’ve certainly started to lean toward utilizing HITRUST. I would love, at some point, to transition the organization fully to HITRUST. But we recognize that no one framework is a good fit for the organization; especially in healthcare you recognize that no one framework will be a one-size-fits-all.

[…]