Security & Privacy
Information Security Policy and Standards Program (PSP) for Healthcare Providers

Key Client Challenges

Key challenges include:
• Compliance Landscape: Failing to comply with the large number and complexity of requirements (e.g., HIPAA, Meaningful Use) in one of the most regulated industries can result in significant fines and reputational damage
• Standardization: Large, diverse, dynamic organizations can lead to duplicated, often disjointed, policy development efforts across various geographic regions and subsidiaries
• Policy Program Structure: Lack of a cohesive policy framework often results in a disorganized program where documents are created in an ad-hoc fashion
• Communication and Awareness: Without cross-functional relationships, active workgroups, and open communication channels, policy program and requirements are not communicated across the organization
• Stakeholder Adoption: Inadequate stakeholder participation can result in low levels of enterprise-wide policy adoption, exposing the organization to more risk

The Solution

[Figure: PSP framework. Regulatory Requirements (HIPAA, HITECH, NIST, PCI-DSS, HITRUST, etc.) feed the Integrated Control Framework (ICF), which in turn feeds the Policy Handbook and the Handbook Standards; Governance, Stakeholder Support and Supporting Deliverables surround the PSP.]

PSP deliverables:
• PSP Governance
• Integrated Control Framework (ICF)
• Policy Handbook
  – Based on ICF high-level controls
  – Subject areas aligned to HITRUST (e.g., 1. Security Program, 2. Access Control, 3. Human Resources Security, …)
• Handbook Standards
  – Based on granular ICF controls
  – One standard for every policy subject area (e.g., 1. Security Program, 2. Access Control, 3. Human Resources Security, …)
  – When combined, the policy handbook and handbook standards should cover the controls in the ICF
• Supporting Deliverables
  – Technical Standards
  – Supplemental Policy Guidance
  – Policy Exceptions / Risk Acceptance Model and Procedures
  – Other supporting documents
  – While these documents do not directly map to ICF controls, they are still based on policy subject areas

Authoritative Sources

The following “Authoritative Sources” are commonly used to develop information security policy across the healthcare industry:
• Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security Rule
• Health Information Technology for Economic and Clinical Health (HITECH) Act, Sub. D
• National Institute of Standards & Technology (NIST) Special Publication 800-53
• Payment Card Industry Data Security Standard (PCI DSS) v2.0
• The Joint Commission (TJC)
• Health & Human Services (HHS) Encryption/Destruction Guide
• HITRUST CSF (Common Security Framework)
• FTC (Federal Trade Commission) Red Flags
• State breach laws (e.g., Massachusetts and California)
• Drug Enforcement Administration (DEA) Electronic Prescriptions for Controlled Substances

Deloitte Methodology

Establish Governance
• Develop PSP governance document and obtain approval from key stakeholder(s)
• Include PSP framework, review/approval procedures, roles and responsibilities, program glossary, etc.

Establish Integrated Control Framework (ICF)
• Integrates security and privacy laws and regulations into one “control library”
• Serves as the primary source for developing the handbook and standards
• Allows Healthcare Providers to organize, understand and more easily manage the relationship between relevant requirements

Develop Policy Handbook based on ICF
• Organize the ICF controls using a healthcare framework (e.g., HITRUST) to create handbook “policy subject areas”
• Develop high-level policy statements for each policy subject area
• Reference applicable ICF controls

Develop Standards based on Policy Handbook and ICF
• Develop a standard for each Policy Handbook subject area
• Each standard should include the more granular ICF controls not already covered by the Policy Handbook
• Reference applicable ICF controls

Communicate the program and build stakeholder support
• Leverage stakeholder working groups to communicate policy framework, release timeline, compliance expectations, etc.
• Distribute policy handbook and standards to the appropriate stakeholders for feedback to foster involvement and “buy-in”

Support ICF, Handbook and Handbook Standards
• Develop technical standards (not directly mapped to ICF controls, but still based on policy subject areas)
• Establish PSP supporting documents such as Policy Exception Procedures and Supplemental Policy Guidance

Contacts

Mark Ford, Principal, Deloitte & Touche LLP, [email protected]
Russell Jones, Partner, Deloitte & Touche LLP, [email protected]
Brian Fuller, Senior Manager, Deloitte & Touche LLP, [email protected]
Jerry Murtland, Senior Manager, Deloitte & Touche LLP
Ben Davidhizar, Senior Consultant, Deloitte & Touche LLP, [email protected]

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2012 Deloitte Development LLC. All rights reserved.