An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and...

1. Healthcare IT Security – Who’s responsible, really?
In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently
while at the same time prove a process of internal dispute resolutions. An information security program is one such
complex and multifarious business necessity. At its heart, information security is a method of managing risk to
information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance.
But the success of an information security program depends upon the ability of an organization to establish a set of
controls based on a thoughtful and consistent design that was developed against carefully analyzed internal and
external requirements. Relatively few companies approach the problem this way, so we thought we'd offer some
guidance based on Redspin's 10+ years of IT security experience.
The following describes an accountability-driven and risk-based approach to address the information security
expectations of leaders, customers, citizens, partners, and investors.
Creating an environment where operational units coordinate to achieve consistent and appropriate information
security controls helps to ensure that the operation and security objectives of the organization are met. One way to do
this is to assign accountability and responsibilities in a way that makes internal parties accountable to one another,
with guidance and input from subject matter experts. The following mutual accountability can be used to drive
decisions that align with your organization’s mission and goals:
A Data Steward is a single person accountable for establishing policies for internal uses and conditions of internal and
external disclosure. There is one steward for each domain of data across the entire organization. Domains are
generally broad and easily identifiable, organizations having on average between 10 to 15 core domains.
A Process Owner is a single person accountable for general processes (such as workforce acquisition and
termination). These individuals establish the minimum process control requirements, which may then be implemented
in a centralized or decentralized manner. Each implementer is responsible for meeting the process owner’s control
requirements and one or more data steward’s control requirements.
System Sponsors are assigned to each application and system, from the department specific applications to general
utility applications such as email. These system sponsors are responsible for meeting the availability and processing
quality requirements of the process owners (e.g. up time and stability), and the data confidentiality and integrity
requirements of the data stewards (e.g. patching and access controls). They are also responsible for justifying the
continued existence of an application or system.
Data Gatekeepers are accountable for disclosures to a particular audience. Some of these roles are historically well
established. For example, the senior public-relations official is accountable for responding to inquiries from the public
and the press, and the senior legal official is accountable for addressing inquires from the courts and, depending on
the organization, perhaps for inquiries from regulators and governments. Extending this concept to each unique
audience creates internal accountability. Audiences may include consumers, vendors, business customers, partners,
local and foreign governments, and law enforcement and intelligence agencies. The data gatekeeper is answerable to
one or more data stewards.
www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177

2. Let's run this through an example to see how it works. USB thumb drives are prevalent, with organizations taking
stances that range from very loose to very tight. Policies commonly ban the devices, don't mention them, or put IT in
the role of deciding who gets one. The first two positions generally fail to serve the organization, and the last requires
IT to make a business operations decision. To address this let's step back to ask ourselves a few questions. Which
process do the USB drives support and are the USB drives inherently required by those processes? Will the USB
drive contain controlled information and are the data stewards requirements met?
Sales might use thumb drives to display presentations on client's equipment. This is clearly a sales process, and would
be under the purview of the most senior sales management position, perhaps a VP of Sales. The VP of Sales could
responsibly and reasonably take a position that USB drives are required for external sales presentations. So long as
that drive contains only sales information, then the data in question is also under the purview of the VP of Sales.
Changing the scenario for a moment, let's say a salesperson wants to include very sensitive discount information.
In this case, the VP of Sales may have a policy that discount data is only shared with key members of the client
decision team. The VP of Sales in a process owner role still approves the use of USB thumb drives for sales
presentations, but the VP of Sales in a data steward role requires that the data be distributed in a limited and
controlled manner.
Changing the scenario even further, let's say that the client requests key financial information. Again the use of USB
drives is already approved by the VP of Sales. However, in this scenario the data in question is subject to the policies
of the CFO, who has the requirement that key financial data be stored only on company owned equipment and be
encrypted at all times when not within company facilities. In this case, the sales person must use a company owned
and encrypted laptop for the presentation. If the VP of Sales doesn't like this and still wants to use USB drives, the
issue is not between Sales and IT, it's between Sales and Finance. We are effectively taking IT out of the middle, to a
role where IT implements the decision of the parties who have the greatest stake in the decision.
IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions.
IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage
IT, and creating a way that provides the businesses with the right information to make decisions are key to the
perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has
also been shown to be a hallmark of successful organizations.
IT has been put in the role of making business decisions, because organizations lack a framework for making data and
system decisions. Providing a framework for decision making can become a key value that IT can provide. Even if
your organization is not ready to formally adopt these concepts the thinking process, and the line of questions that
result, will help you facilitate better security decision making within your organization.
www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177