Agenda for Brazil P&S Sessions - DRAFT

Session 1 – Introduction


We hear about cyber-attacks and resulting breaches of patient data in the news almost daily. 

Considering the unique challenges faced by hospitals and other provider organizations relating to electronic health data and cyber threats, we will discuss basic privacy, security and risk concepts and learn about a basic framework for organizational risk assessment.

Privacy, Security and Confidentiality Defined  

Patient Privacy concerns 

Privacy Principles  

Security – CIA 

  • Confidentiality
  • Integrity 
  • Availability

Today’s Health IT Environment Creates Security Risk 

  • Healthcare Environment – “The Problem” - Increasing Use of IT in health care, delivery, payment
  • Threat Environment
  • IT Vulnerabilities
  • Etc.

Cyber Defined

Risk Assessment – Intro 

Security Risk as part of business risk (point forward to next module)

Risk Assessment defined.


  • Vulnerabilities
  • Risk

         - Severity

  • Likelihood
  • Impact
  • Risk  

         - Mitigation


Session 2 - Cyber Risk as a Component of Business Risk – Communicating with C-Suite

As part of a healthcare organization’s efforts to mitigate potential cyber risks, active governance with both the C-Suite and the organization’s board of directors can reduce the risk and exposure of potential cyber events impacting overall business risk.  Learn about governance and risk management approaches and how to communicate relevant metrics and measures.


ROI versus ALE versus….

Language/Vocabulary – talking about security in terms of mitigating business risk and the business value of security efforts

Protect / Detect

Session 3 – Monitoring and Detection

Healthcare organizations make a tremendous investment in IT products to monitor network activity and enforce business rules. Learn how to make efficient use of data collected by these tools and what it takes to detect breaches.

Security Continuous Monitoring

  • Monitoring Tools
  • End Point Monitoring
  • What to do with the Data


  • Breach detection
  • Forensic Analysis
  • How do we know what is a breach?
  • Employee monitoring

Respond and Recover

Session 4 - Response Planning and Recovery 

One of the greatest challenges facing today's health IT security professionals is planning and preparing to respond to a security breach. A healthcare organization’s response can best be handled by adhering to the six generally accepted steps of incident handling: preparation, identification, containment, eradication, recovery, and lessons learned.

Response Planning

  • Response Planning
  • Mitigation activities
  • Disaster Recovery
  • Business Continuity
  • Law Enforcement
  • Victim Notification

Recovery Planning

  • Recovery of IT Infrastructure
  • Recovery of Business Operations
  • Damage mitigation – reputational, compliance, cost, employee morale

Session 5 – Specific Implementation Risks for Healthcare Organizations

Healthcare organizations often incorporate new or disruptive technologies before evaluating the risks and having governing policies and procedures in place. Learn the risks for Healthcare organizations associated with the use of these technologies: Cloud, Mobile, Social Media, and Internet of Things.

  • Cloud
  • Mobile
  • Social Media
  • IoT