Implementation

00:00

So here we are again, you cyber a construction champions and welcome to module three of the cyber A Siri's implementing a HIPPA compliance program for leadership in this election. 3.1 implementation months one through four. And this is the module I'm really excited about because this is the real work. This is the real leadership role day by day, execution of your security program.

00:18

We're gonna take your health care organization from zero to hero over the next 18 months. Not literally.

00:23

It's really only over 8 10 minute lectures for you agile project managers out there already trying to determine if we can issue a change order. Tow our customer for our construction project because there's been scope creep. Hang on a second. I'm kind of going off topic here. Let's get back to focus on scope, and we could go over invoicing later. Hey, Bob, Calm down, dude,

00:41

you about punched a hole through the wall with that knockout your costumey Bob, Put your goggles on and I'm not paying for workers comp if you're solves all kicks back on you and takes out your face.

00:50

So in today's lesson will be learning about the processes of procedures that we call building a baseline. We aren't in judgment mode right now. We're in complete honesty with ourselves. And at this early stage, if our babies ugly, we're going to call it out. We can't fix it if we don't know it's broken. So we'll be working through our self assessment and then formalizing our shortcomings in a gap assessment. This is where we start measuring ourselves

01:10

against the HIPPA guidelines, high Trust

01:11

and this cybersecurity framework. HIPAA was enacted in 1996. The standard is now 24 years old at the time of recording this lecture. So certainly we have to achieve HIPPA compliance. But we're also going to use deeper, newer and current standards like this CSF to align best practices, harden our critical infrastructure and account for risk.

01:29

And from our baseline and Gap assessments, we're gonna build our floor plans and foundation

01:33

on what our security complaints program is gonna look like.

01:36

So let's take a step back and recall our families of controls that we will include in our baseline for the self assessment. Remember that there are three families of controls, administrative things like documentation and policy, physical controls like surveillance cameras and electric door locks, and our technical controls like firewalls, multi factor authentication and encryption. It's getting an honest assessment of where we're at.

01:56

A baseline

01:57

is how we begin drawing our floor plans for our new security program.

02:00

Our baseline includes a complete and detailed inventory of the assets in our network. What is our firewall? It's software version. How much memory? The size of its storage drives, etcetera. We do this across the entire network, from personal computers to servers and their operating systems to our cloud infrastructure. All of it. We put all our documentation across our controls, from policy to our employees. Training documentation,

02:21

employee hiring procedures, etcetera. We inventory our physical controls

02:24

like how many video cameras we have? How long are we able to retain the recorded video surveillance footage and where is it stored? And what doors were locked to control? Entry to our rooms and facilities where the keys, who controls access to the keys and so on. And what do we have in regards to business continuity planning and D R. Disaster recovery, risk management, vulnerability management,

02:44

hardening management, etcetera?

02:45

There is a lot of work here so give yourself the appropriate time because you still have a day job keeping things running in your organization and use automated tools where you can like network inventory scanning tools that will queer the network for its contents and document everything. So there's a ton of work here and you remember, you have a day job. You still got to take care of those patients.

03:04

So in the in between, all of this

03:06

got to start documenting it. Start inventorying it and figuring it out because we have a security program to build out and get ready for HIPPA compliance.

03:15

So now that you've taken at least 6 to 8 weeks to baseline your organization's families of controls, now you perform what we in the security industry called Gap Assessment. You compare each control or safeguard with where you are. You will know Tate and call out from your standards and guidelines for HIPPA, for example, your controls and their specific implementation requirements

03:31

required in mandatory or addressable. And remember from our previous lecture, HHS defined addressable as no specifics and how you meet the safeguard

03:39

as long as you address it with a level of satisfaction that will guarantee the privacy and security of your pH I e P h I. The screen capture is a document you can pull down for free from the Department of Health and Human Services, which breaks down all of the safeguards across the three families of controls administrative, physical and technical. We will likely also pulled down standards like the next 830

03:59

National Institute of Standards and Technology website,

04:00

which is the 55 page special publication called Risk Management Guide for Information Technology Systems. You will also pull down standards and documents for newer guidelines like the next 866 which is a walk through of becoming HIPPA compliant, and standards like high Trust and this cybersecurity framework, CSF

04:17

for examples and best practices for around on 100 administrative, physical and technical controls.

04:23

Toe Align your network with industry best practices to ensure the confidentiality, integrity and availability of your network, and it's critical infrastructure. So you're not just seeking compliance, but the best. Our network you can afford to maintain and operate, and you will find a bunch of self assessment tools out there

04:39

that you can pull down for free, including the United States Health and Human Services, HHS Security Risk Assessment Tool.

04:46

The S R A tool will walk you through step by step. How to assess your organization against the required and addressable controls for hip hop.

04:54

So now that we've used our automated tools for yourself, assessment tools printed out all our documentation, visited all our business locations to inventory and check on our physical security capabilities, and photographed both control wins and losses, there's a photo of a locked data closet That's a win, and there's a photo of an employee's desk where they have their password to their HR under their keyboard. That's a loss,

05:14

and from here we start planning our remediation. Efforts to fill the gaps were not executing yet. We still have a lot of work to do.

05:19

We got to sit down with the budget people and tell them we have to buy some stuff to be compliant. So we have to begin those budgetary discussions by summarizing our baseline, summarizing our gaps and then prioritizing our remediation efforts by creating a compliance roadmap. Ah, 14 month plan. From this point forward, with the business outcomes not only being compliance on the other end

05:38

but most importantly improving our systems and documentation

05:41

our methodologies, processes and procedures that they're going to improve our patient care and the overall health and well being of all that we serve. We will build this plan by addressing the low hanging fruit first, like software patching our systems and then in our plan

05:54

address. The required controls are firewalls old and outdated and required for compliance and critical to protecting the CIA. Try out of our data.

06:01

So we put that in the budget and bring it to the top of the budget plan and then, in our plan, will spell out the safe by safeguard by safeguard. Howard are satisfying the addressable components and best practices of high trust and this CSF we, including the budget options for addressable because our CFO and board of trustees might not want to spend the money on video cameras for our remote clinic

06:21

but are satisfied with locked doors. Controlled entry

06:24

and guests Sign in chief managed by the front desk lobby ambassador.

06:28

Then we put this plan together with specific outcomes and timelines for those outcomes, and typically you'll see an internal project manager assigned to start managing this Remediation project Assigned resource is apply. Budget order equipment. Communicate with stakeholders are teams progress schedule and manage internal communications like status calls. So if you're ready, let's start building.

06:47

Alright, Your cyber rebuilders and framers have compliance. It's time for our quiz. Why isn't HIPPA enough for our security program? This one's gonna be a little bit of work. We need some critical thinking on this one.

06:59

So isn't HIPPA compliance enough to keep us busy? Well, you learn pretty fast with commercial enterprises and health care for that. Most entities are for profit that compliance is not enough to get the budget approved. For the new firewall. Compliance could be a reason an incentive and agreed to by product of the purchase of the new firewall.

07:15

The bottom line is, is that any improvement we make in our critical network infrastructure,

07:18

the improvement of a control or the addition of a service that gets us the check for an addressable component of the hip? A standard Well, these improvements must first and foremost show how, through their acquisition and implementation are going to improve the overall quality of our patient care and improve the overall quality of our health for our patients. We want to see efficiencies through innovation and modernization

07:39

that's going to drive down costs and deliver quality health care.

07:42

But increased profitability and compliance becomes a byproduct of our improvements and not the reason for them. And for me, this is a tremendous and amazing business plan.

07:51

So in this lecture, we learned about the need to baseliner environments administrative, physical and technical controls. We learned about performing self assessments that we're gonna use many free tools available out there to measure ourselves not just against the hippo standards but best practices from the Amazing Nest organization and their guidelines for managing risk and other standards like high trust or the nest cybersecurity framework

08:11

reviewed Gap assessments. And then how we will build out our plans, including budget

08:15

outcomes and timelines over the next 14 months, to get to the end state compliance and that best our network that the world has ever seen. And so in our next lecture, we're gonna roll up our sleeves, or if you're the construction worker with giant biceps, because you work with sledgehammers and jackhammers all day. Well, you to put on your sleeveless muscle shirt and let's get building.

08:33

So on behalf of all of us here cyber instructors, teaching assistants, nail gun maintenance staff and people who can accurately the reader measuring tape so that we don't have to measure twice and cut once and end up with having our building materials in the trash heap, we thank you for watching or listening at 1.5 times normal speed. So take care. We want you toe enjoy the rest of this Siri's.

08:52

We want you to also enjoy building out your hip a program.