Many experts in the health-care industry believe that the key success factor in reducing health-care costs, while at the same time improving quality, is the availability of useful medical information. In fact, the Health Information Technology for Economic and Clinical Health Act (HITECH), a component of the American Recovery and Reinvestment Act (ARRA) of 2009, has mandated the widespread adoption and use of electronic health record (EHR) technologies. However, the productivity and efficiency gains that health-care experts are hoping to achieve via EHR also come with a commensurate level of risk. The new regulations have placed an increased responsibility on health-care providers to protect information by imposing many new information security and privacy requirements, in addition to increasing compliance obligations and enforcement penalties.
How does a health-care organization strike the proper balance between maximizing the opportunities of EHR and prudent, cost-effective mitigation of the security risks?
One of the primary goals of the CERT Program is to educate organizations about the appropriate use of technology, systems, and organizational management practices to mitigate attacks (both internal and external) on networked systems, limit damage, and ensure the continuity of critical services in spite of cyber-related incidents, accidents, or failures.
Greg Porter, a CERT Visiting Scientist and health-care information security expert, will discuss the effects of the new regulations on the health-care industry and some of the essential elements that health-care technology executives should consider in order to secure patient information and systems from external threats. Greg will also discuss the synergies between HITECH's breach notification requirements and incident response programs.
Randy Trzeciak, a senior member of the CERT technical staff and insider threat team lead, will discuss the increasing risks of insider threat within organizations, the key factors influencing an insider's decision to act, the technical and non-technical indicators and precursors of malicious acts, and the countermeasures that could improve the survivability and resiliency of the organization.
About the Speakers
Greg Porter is an Adjunct Professor at Heinz College at Carnegie Mellon University, where he teaches information security and privacy subject matter within the college's expanding graduate-level health-care programs. Greg is also the founder of Allegheny Digital, a Western Pennsylvania-based security and privacy services company specializing in network infrastructure security, digital forensics, regulatory compliance, and enterprise risk management. Prior to starting Allegheny Digital, Greg led the Mid-Atlantic Information Protection & Business Resiliency Practice for KPMG, LLP, where he assumed various responsibilities ranging from Technical Lead to Project Manager. Greg maintains several information security certifications and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM). He also serves as a Visiting Scientist at SEI-CERT.
Randy Trzeciak is currently a senior member of the technical staff at CERT. He leads the insider threat team, which focuses on insider threat research; threat analysis and modeling; assessments; and training. Randy has more than 20 years of experience in software engineering; database design, development, and maintenance; project management; and information security. He is also an adjunct professor at Carnegie Mellon's Heinz College, School of Information Systems and Management. Randy holds an MS in Management from the University of Maryland, a BS in Management Information Systems, and a BA in Business Administration from Geneva College.