Title: Information Security Management – Corralling Mobile Data Before It Escapes!
Presenter: James C. Murphy
Seminar Abstract: Mobile data is not a problem only for health care organizations, but the increased value of health care sensitive electronic information (SEI) in the minds of attackers potentially makes this a crucial problem. The “mobile data” umbrella includes not only data on removable media (e.g., USB devices and CD/DVD platters) but also the use of portable devices (e.g., smart phones, tablets, laptops), whether personally owned or distributed by organizations to workforce members. Despite the resistance by information security professionals, the onslaught is upon us. Health care organizations must update policies to account for the protection and distribution of data on these devices, but policies are only the beginning. The objective of this presentation is to present these new challenges to data protection, emphasizing: 1) detailed policy structure, 2) definition(s) of "mobile data," 3) recommended practices, 4) disciplined tracking of data and devices, and 5) responsible assessment.
If an organization’s security structure is already weak, the widespread use of mobile data devices will make the structure even weaker, adding substantial vulnerabilities to data production. Proactive processes must be implemented that enforce tight access control to centrally stored systems and data and that set a standard of acceptability, including encryption, for mobile devices that connect to private organizational networks. Mobile data devices must be documented and tracked to demonstrate that lost devices have not resulted in data breaches. The entire set of processes must be reassessed repeatedly as the technology evolves. Finally, all of this must be added to the user awareness training so that all workforce members become partners in protecting organizational SEI. Attendees will become aware of the different types and states of mobile data, how they introduce new vulnerabilities to the organization’s security structure, and how to begin engaging knowledgeably in the discussions towards protecting SEI.
Mr. James C. Murphy is an IT Security professional with 30+ years’ experience, predominantly in healthcare. Currently he is the Information Security Architect in the Office of MMIS Services of the NC Department of Health and Human Services (DHHS), providing information security consulting for major development projects, including the Medicaid and other health plan claims processing system, and the State Health Information Network planning project. For the projects, Jim has documented information security and technology architecture requirements and reviewed security throughout design and development, addressing: access control, data and network protection, regulatory compliance, business continuity, operational and enterprise security, process documentation and project audit. Jim is a member of the Information Systems Security Association (ISSA) Raleigh Chapter, the Eastern North Carolina InfraGard Chapter, serving as Sector Chief for Public Health, and the North Carolina Healthcare Information and Communications Alliance (NCHICA), as part of the Privacy/Security Work Group, and having served on the planning committee for the successful NC Health Information Network proposal. Earlier, he was a HIPAA Security consultant at the UNC Health Care System, assisting in risk analyses, documentation, and BC/DR planning. Before that, he directed IT technology for UNC School of Public Health, managing 20+ staff in Systems, Networks, and Telecommunications groups. He also assisted in the Business Impact Assessment and Disaster Recovery Plan for a major Midwestern City Government. Jim has published, taught and spoken on information security management, service continuity, security auditing and security certification training to diverse audiences. Jim has an MA in Biology from Wake Forest University and an MS in Information Science from the UNC School of Information and Library Science, and holds GSEC, CISSP-ISSMP, CISA and CISM certifications.
Duke University Health System Clinical Education & Professional Development is authorized by IACET to offer .1 CEU per presentation to participants who attend the entire presentation, sign the sign-in sheet, and complete and return the feedback/evaluation form at the conclusion of each presentation. Partial credit is not awarded.