Information Security News mailing list archives

Re: Five healthcare security training expert tips


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 16 Aug 2013 06:47:22 +0000 (UTC)

Forwarded from: "Gregory W. MacPherson" <greg (at) constellationsecurity.com>

Beg to differ - ideally healthcare people should *not* need to be trained on security. Ideally the security components of healthcare ought to be built so that the users are PROHIBITED from performing actions that could compromise the confidentiality, integrity, and availability of the secured data (and that includes shoving a memory stick into a workstation and copying off a bunch of records).

Training is for people who *have* to deal with security. I would argue that the best strategy for healthcare is to restrict access to the point where healthcare people do *not* have to deal with security. If they can access it, it's because they are *supposed* to access it, and if they cannot then they are not supposed to access it. It's a white list model, a management nightmare, and a huge market opportunity for new technologies, and much better IMHO than 'security training' for people who, quite frankly, could give a s**t about security.

=;^)


On or about 2013.08.15 07:23:15 +0000, InfoSec News (alerts (at) infosecnews.org) said:

http://healthitsecurity.com/2013/08/14/five-healthcare-security-training-expert-tips/

By Patrick Ouellette
Health IT Security
August 14, 2013

The need for wholesale data security training changes in healthcare is evident, irrespective of whether it's educating non-IT clinical staff members on HIPAA basics or further education for IT professionals. Most healthcare pros will agree that the usual methods, such as annual training classes, aren't well-suited for current technologies and compliance requirements.

There isn't a proverbial silver bullet to fix the security gaps within healthcare organizations, but there are some success stories that experts have shared with HealthITSecurity.com over the past few months. These five lessons learned can be helpful for those looking to just tweak or even revamp their security training procedures.

1. Top-down approach improves user awareness

To ensure that her staff abides by required protocols and procedures, Lynda Martel, Executive Director of Government and Enterprise Business Relations at DriveSavers Data Recovery, recommends regularly educating and updating staff members on the importance of appropriate BYOD practices. And the seriousness of safeguarding sensitive data needs to be conveyed from the top down:

[...]


--
Find the best InfoSec talent without breaking your budget!
Post a Job! $99 for 31 days
http://www.hotinfosecjobs.com/


--
Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
Founder, IT Security Expert, Global Network Security Exploitation Specialist
http://www.constellationsecurity.com/greg/
"The role of a statesman is to define clearly for a people the alternatives before them."


