Finding a New Security Framework

HIPAA_Chat-200x200By Steve Spearman, Founder and Chief Security Consultant for Health Security Solutions
Twitter: @HIPAASolutions
LinkedIn: Our HIPAA Chat Group
Host of HIPAA ChatJoin us on the next broadcast.

In a recent article titled How One Hospital Made a Security Framework Work for Them, security consultant Brian Evans says that it is common for organizations in the healthcare industry to have such a hard time compensating for the weaknesses of its current security framework, that it does not have the time needed to select a new one. This is a real problem since your company’s security framework will serve as its written policies and procedures that serve as a “blueprint” on how your company will manage risks and minimize its vulnerabilities.

Fortunately, in this article, Evans presents a step-by-step breakdown of how a large-scale hospital selected and adjusted NIST’s Risk Management Framework, to provide an enterprise-wide, comprehensive framework that worked for their organization. This is especially impressive, since it had multiple departments that worked almost autonomously and solved their security and IT issues independently of one another.

Here are a few takeaways from the main article:

  1. They selected a framework that was flexible enough to meet the needs of each department of their hospital.
  2. They assembled their team by including people who managed security in their respective departments. Therefore, they were able to ensure that their new framework worked for each department.
  3. They hired a third-party security specialist to look for their weak points so that they could address those weaknesses in their policies and procedures. This helped them identify gaps and weaknesses in each department’s security and IT.
  4. They chose a framework that HHS was very familiar with. Since federal organizations are required to use NIST’s security framework, and Health and Human Services (HHS) endorses NIST’s framework as the best practice for protecting electronic health information. Therefore, using NIST’s guidelines and documentation for their own security framework ensured that this hospital would make a good impression on HHS.

If your company needs a new security framework, we highly recommend reading Evans’ article as a good example of how to find a security framework that works for you.

Source: How One Hospital Made a Security Framework Work for Them

This article was originally published on Health Security Solutions and is republished here with permission. Steve Spearman hosts HIPAA Chat, a show produced by HITECH Answers airing on our Internet radio station, Learn more aboutHIPAA Chat or download podcasts of the show. Find out more about attending the next taping of HIPAA Chat and ask your questions directly to Steve.