Many experts in the
health-care industry believe that the key success factor in reducing
health-care costs, while at the same time improving quality, is the
availability of useful medical information. In fact, the Health
Information Technology for Economic Clinical Health Act (HITECH), a
component of the American Recovery and Reinvestment Act (ARRA) of 2009,
has mandated the widespread adoption and use of electronic health record
(EHR) technologies. However, the productivity and efficiency gains
that health-care experts are hoping to achieve via EHR also come with a
commensurate level of risk. The new regulations have placed an
increased responsibility on health-care providers to protect information
by imposing many new information security and privacy requirements, in
addition to increasing compliance obligations and enforcement penalties.
How does a health-care organization strike the proper balance between
maximizing the opportunities of EHR and prudent, cost-effective
mitigation of the security risks?
One of the primary goals of
the CERT Program is to educate organizations about the appropriate use
of technology, systems, and organizational management practices to
mitigate attacks (both internal and external) on networked systems,
limit damage, and ensure the continuity of critical services in spite of
cyber-related incidents, accidents, or failures.
Greg Porter, a CERT Visiting Scientist and health-care information security
expert, will discuss the effects of the new regulations on the
health-care industry and some of the essential elements that health-care
technology executives should consider in order to secure patient
information and systems from external threats. Greg will also discuss
the synergies between HITECH’s breach notification requirements and
incident response programs.
Randy Trzeciak, a senior member of
the CERT technical staff and insider threat team lead, will discuss the
increasing risks of insider threat within organizations, the key factors
influencing an insider's decision to act, the technical and
non-technical indicators and precursors of malicious acts, and the
countermeasures that could improve the survivability and resiliency of
About the Speakers:
Greg Porter is an Adjunct Professor at Heinz College at Carnegie Mellon
University, where he teaches information security and privacy related
subject matter within the college's expanding graduate-level health-care
programs. Greg is also the founder of Allegheny Digital, a Western
Pennsylvania based security and privacy services company specializing in
Network Infrastructure Security, Digital Forensics, Regulatory
Compliance, and Enterprise Risk Management. Prior to starting
Allegheny Digital, Greg led the Mid Atlantic Information Protection
& Business Resiliency Practice for KPMG, LLP, where he assumed
various responsibilities ranging from Technical Lead to Project Manager.
Greg maintains several information security related certifications and
is a Certified Information Systems Security Professional (CISSP) and a
Certified Information Security Manager (CISM). He also serves as a
Visiting Scientist at SEI-CERT.
Randy Trzeciak is currently a senior member of the technical staff at CERT.
He leads the insider threat team, which focuses on insider threat
research; threat analysis and modeling; assessments; and training.
Randy has more than 20 years of experience in software engineering;
database design, development, and maintenance; project management; and
information security. He also is an adjunct professor at Carnegie
Mellon’s Heinz College, School of Information Systems and Management.
Randy holds an MS in Management from the University of Maryland, a BS in
Management Information Systems, and a BA in Business Administration
from Geneva College.