HIPAA Compliance Program Operations Management


Time: 3 hours 42 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
00:00
So, friends, this is our full last lecture of the course. You made it. You and your amazing team are truly the definition of compliance. You've aged about a dozen years in the last 18 months, and your side hustle has been trading in all those energy drink aluminum cans for recycled cash by the pound, because your team has literally created a new landfill.
00:16
But now it's time for running the day-to-day operations of your security program
00:20
so you can get a little sleep. Well, last week a computer virus wreaked havoc for one of your departments, and there have been a couple of personnel incidents that, well, HR had to get all into. But you know what? Same old stuff on this end, until, well, maybe we're missing something. Well, we'd better take another look around.
00:35
So in today's lecture we'll be defining what operations management means, especially for our HIPAA compliance program. We're going to look at the ways we will stay ahead of threats and threat actors. Hackers and bad guys are always getting better, using more advanced hacking and malicious software tactics. And so what should we be doing to stay ahead of those scary people? How can we make sure we're always ready for the day the OCR auditor crashes down our door?
00:55
And what are some of those KPIs, key performance indicators, that we're looking at
00:59
and paying attention to as leaders of our security program? So if you're ready, let's go into our network operations center and look into our network traffic logs. We want to make sure that our employees who are watching Netflix while they're supposed to be filling out patient billing statements, well, that Netflix traffic we should be throttling to a maximum of six hours per employee per business day. After all, we've got work here to do, folks.
01:19
So, according to the Japanese model of total quality management, the seven fundamental principles
01:23
of the Japanese approach to delivering quality within our systems, where achieving quality is the primary business goal, have these essential characteristics: we need process control, we need easy-to-see quality, insistence on compliance, quality first, correct quality problems early in the service line, correct one's own mistakes,
01:42
automate inspection and monitoring techniques (that's a big one), and continually strive for improvements. So we need to make sure, as leaders of our HIPAA compliance and security program, that we're implementing these seven principles to ensure we're delivering quality in our products and patient health care delivery.
01:57
So there are many things that we need to do as leaders of our security and compliance program to stay ahead of the bad guys, ahead of the bad actors, the hackers and hacktivists. We have to be plugged into the blogs and notices and common vulnerabilities and exploit databases that will notify us of new threats. And this way we can be on the lookout for them. But the number one thing we can do
02:15
for our network specifically is understand what normal network behavior is, what our normal network activity is. What is the normal number of users on the network, where are they located, and who typically accesses
02:28
systems and services like PHI? If a person from janitorial who has never accessed PHI all of a sudden is looking at patient records, that's a warning flag and we need to check it out. And we need to understand our risk today and tomorrow.
02:40
As our network grows and expands and we add new services and new features, our risks have changed. Know every minute where our PHI is. And we need to make sure, using data loss prevention technology, that our users aren't sharing PHI, transmitting PHI, or storing PHI in an unsanctioned and
02:58
unsupported cloud software as a service application, or SaaS,
03:00
and storage services like Dropbox or Box without being approved. We need to always be prepared for attacks on our critical systems, monitoring them and measuring them, so when we see behavior outside the norm, we know that it's likely an attack on our systems that's occurring.
03:15
And we need to always be testing, reviewing, assessing and updating our controls, from policy to physical and technical. Again, our goal is not just to stay ahead of threats,
03:23
but to improve our program and reach the Tier four adaptive security program maturity level.
03:29
So I would like to pivot now to break down the seven KPIs we should be watching for in our NOC, network operations center, that help monitor our cybersecurity threats. And there are good guidelines here that can help us to operate our network better,
03:39
and will give us better visibility into what's really going on with our normal network behavior, not just monitoring cyber threats. So, number one, are we seeing a significant rise or drop
03:49
in trouble tickets? Are we seeing an overall trend in the number of tickets going up? This aligns with the first item on our list. Number three, is the cost of resolving each ticket or cyber incident going up significantly? More systems are affected,
04:01
deeper into the computer registry or deeper in the operating system or network issues? Well, that's a flag. And is our time to resolve it significantly going up, and thus
04:11
likely affecting our systems and network uptime? And what, if any, regulatory impact are these tickets signifying? And, bottom line, our last one: how are these affected systems adversely affecting our patient care and the quality of our customer service? What is the customer impact? This is the stuff that keeps CEOs, CTOs and CSOs awake every night
04:30
and their resumes on Monster and Indeed current and up to the minute and up to date.
04:34
So no lecture on security operations would be complete without a slide on an organization's security operations center, or SOC, and incident response, or what the security industry calls IR. A SOC is not for everybody. In fact, most commonly you'll see organizations have SOC as a service, where you pay a monthly bill for a management program for the security operations
04:54
rather than having to go through all the expense for all the high-end, very well trained and highly skilled security analysts whose career is based on studying the activities of the bad guys.
05:02
The job of a SOC is to identify, analyze and react to cybersecurity threats, and it is a collection of security analysts and engineers and artificial intelligence systems, and they're thrown into the study of UEBA, entity user behavior analytics. That's a fancy way of saying that the SOC and its cyber ops team perform a critical layer of analysis
05:23
needed to seek out irregular activity that could suggest a security incident has occurred or is occurring.
05:29
Their job is to investigate suspicious activities, contain them and prevent them. Your healthcare organization doesn't require a SOC for compliance, but if your organization is big enough and manages and maintains enough systems, you will end up building out your own SOC or having SOC as a service, as the threats out there really are tremendous.
05:46
One of the engineers at work just built out a testing honeypot,
05:49
a lab for testing. And when his domain went live on the Internet, bots from China were sweeping his new domain within five minutes of going live, pinging his domain for vulnerabilities. Imagine what happens when hackers identify you as a target and use real exploit tools. Scary stuff, and SOCs and their specialists are really going to save and protect big organizations.
06:10
You're in the big leagues now,
06:12
so we're managing our network now. We're performing the day-to-day network operations of our critical systems and our HIPAA compliance platform. So now it's time for our last quiz, yea, our last check on your abilities before we escalate to our Tier 3 SOC investigation and threat hunting expert team. So can you remember three of the few things we mentioned regarding how we stay ahead of our threats in our environment?
06:31
Well, if you'll recall, we have to know our network
06:33
and understand our risk level. Know everywhere we have PHI and ePHI, and always be prepared for an attack. We need to always be reviewing and assessing our network and always monitoring and measuring our network, using those KPIs to know when our network is not behaving normally. Abnormal doesn't mean it's necessarily bad.
06:50
We just might have a run on patients needing emergency services.
06:54
So all the ER nurses are in the ER right now, even the on-call staff. But if we know our baseline, if we know what's normal, we're aware that we need to look into it. And that's the key, because in 2020 the average for the industry is that it takes a normal business 167 days to detect that there's been a breach,
07:13
and that is not acceptable to us
07:15
and our security program leaders, and to our organization, and certainly not to our patients, who have trusted us to protect the privacy and security of their protected health information.
07:25
So in this lesson we defined operations management. We looked at some of the ongoing activities we need to stay ahead of those bad actors out there that are always developing new ways to hurt us and new ways to steal our information and use those malicious acts against us,
07:36
and reviewed the seven KPIs for measuring and monitoring cyber threats and the good steps in managing all of the tickets that come into our service desks. And yea, team, we did it. We completed our very last quiz.
07:46
So congratulations, you made it. You made it through HIPAA, the parts and pieces necessary to achieve HIPAA compliance. And we implemented a HIPAA compliance program and we're ready for whatever tomorrow and the Department of Health and Human Services Office for Civil Rights throw at us. So congratulations. Really nice job, great work.
08:05
So thanks for sitting in today's lecture. We hope today's information brought you some insight on what a day in the life of a leader managing this HIPAA compliance beast looks like, on behalf of all of us here at Cybrary and, most importantly, you, for sticking with us to this point. You could have literally bailed out a long time ago. We've been at jump altitude for like 20 lectures, like hours ago,
08:24
and the next time, and final time, we get together, if you still haven't jumped from this plane, will be our wrap-up and next steps for you and your career with governance, risk and compliance.
08:31
So I hope you stay with us. So until then,
08:35
thank you so much. We hope you've enjoyed this Implementing a HIPAA Compliance Program for Leadership series. We hope you learned a lot. We hope you're ready for compliance and governance and all that stuff that's necessary to be a great security expert. So until next time, thank you. Happy journeys.