7 Steps to Building a Security ProgramEssential Elements of a Comprehensive Effort
"A risk analysis is at the core of any good information security program," Walsh says. "Obviously no business runs risk-free. Therefore it's important for organizations to assess what risks they have and then determine the appropriate safeguards and controls they need to apply to reduce their risks to an acceptable level."
In an interview, Walsh describes his seven indicators of an effective information security program. He'll chair an all-day workshop on this subject Feb. 20 at the Healthcare Information and Management Systems Society Conference in Las Vegas.
In addition to an updated risk assessment, other key components of an effective security strategy, Walsh says, are:
- Securing mobile devices and portable media. He notes that the loss or theft of mobile devices and media is the No. 1 cause of major breaches.
- Managing business associates. "Make sure that your business associates are securing the protected health information that you share with them," Walsh says. He notes that 22 percent of major breaches have been caused by a business associate.
- Maintaining high availability and resiliency. "In a lot of organizations ... disaster recovery and availability strategies haven't kept up with business needs."
- Preparing a breach detection and response plan. "Everybody's going to have some kind of an incident at some point."
- Conducting ongoing training. "Most people want to do the right thing; sometimes they just don't know what the right thing is."
- Evaluating compliance with federal and state regulations. Walsh points out that federal officials have launched a HIPAA compliance audit program this year - yet another reason to intensify compliance efforts.
Walsh, CISSP, is president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm that advises healthcare organizations on information security. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis. He is one of the authors of the book, "Information Security in Healthcare: Managing Risk," published by HIMSS.