Strategic Directives

An in-depth discussion on risk management

By Jason Free, Features Editor

HMT, June 2014 (page 18)

With the intention of providing a wider spectrum of content and ideas, we have started an online series entitled "HMT Conference Call." Within these special multi-media features, you will have the opportunity to listen in on the conversations of prominent healthcare professionals as they analyze and debate the most important topics facing our industry today. Audio selections of these conversations will be made available on the HMT website. For our first HMT Conference Call, I approached Mac McMillan, Chair of the HIMSS Privacy and Security Policy Task Force and CEO, CynergisTek, Inc., and asked him to select two of his colleagues to discuss in-depth issues relative to compliance monitoring. McMillan's two guests, Adam Greene from the law firm Davis Wright Tremaine and Sharon Finney, Corporate Data Security Officer for the Adventist healthcare system, were gracious enough to allow me to record their conversation regarding risk analysis and risk assessment. In June, I will post audio files of their call in the "Online Only Features" section of the HMT website. Subscribers of the HMT daily newsletter will be notified when they can hear McMillan and his colleagues' lengthy conversation. Here is a transcript of McMillan's introduction to the conference call:

Mac McMillan, Chair of the HIMSS Privacy and Security Policy Task Force and CEO, CynergisTek, Inc.

Adam Greene, Partner, Davis Wright Tremaine

Sharon Finney, Corporate Data Security Officer, Adventist healthcare system

McMillan: Today, I reached out to two folks to discuss the continuing challenges we have in the healthcare industry around risk analysis and risk assessment. The first person on the line is Adam Greene from Davis Wright and Tremaine. Adam has a background from OCR [Office of Civil Rights] and he has been working now for quite some time in the private sector as part of Davis Wright and Tremaine advising healthcare clients. The second person on the line is Sharon Finney, the Corporate Data Security Officer for the Adventist healthcare system. She has a long history of service in the healthcare industry as an information security professional, and also sits on various boards and advises other folks on corporate data security. The reason I reached out to these two folks is because both of them have a lot of experience and they're both very knowledgeable about what's required as well as what folks are doing in the field. Our discussion today will be around what we need to do to really get folks to where they need to be, because we still have a lot of the healthcare organizations who are not conducting risk assessments frequently enough. They are not conducting them thoroughly enough. We're still seeing evidence of that. In fact, we saw evidence of that in just the most recent OCR pronouncement with respect to the client they levied this year. Quite frankly, when you take a hard look at that tool from a real security practitioner's perspective, I'm not sure the OCR and others in the government have helped us with this new tool that they've published for smaller organizations. I would like to talk about all of that, and talk about where the issues are, and talk about what we think really needs to happen in order to get this industry where it needs to be, because this is such an important thing as part of a security program. So, Adam, I would like to start with you.

Greene: Thanks, Mac. Risk analysis is really hard. That's one of the big challenges here. Every client would like a simple checklist that they can go through, check the boxes and feel like they're done. Risk analysis, the way OCR seems to view it, really requires some deep thought as to the particular risks to your organization. That's going to differ for different organizations. If you're in California, an earthquake is going to be a much higher risk than if you're in Maine, for example. There's not a one-size-fits-all solution, and I think entities really had a hard time grappling with that notion sometimes. That's one of the challenges that we've seen. The more-sophisticated covered entities understand that this consideration has been a real big focus of OCR of late; they've gotten the message. They still don't necessarily know what the right resources are. What are the right tools? Who should they be using? What should they be doing? They at least have been hearing that risk analysis has been really important. Meaningful Use requiring risk analysis has brought the healthcare industry a long way on that front. There's still a number of entities who haven't got the message and won't get the message until they are investigated, unfortunately, by OCR and told you need to have a risk analysis.

McMillan: You bring up an interesting point with respect to the complexity of it. Sharon, you and I have been on the other side of this coin in terms of being involved in information security for years, and I know I've done literally hundreds of risk analyses over my 30+ year career, and I personally don't think that risk analysis is that

