
Strengthen Your Security Strategy Prior to Onset of HIPAA Regulators

To address threats to health care data and information system vulnerabilities, the government is gearing up to conduct HIPAA security audits in 2008.

How would your organization hold up if audited or attacked by criminals? Don’t wait to find out.



Targets for HIPAA security audits
The Centers for Medicare & Medicaid Services (CMS) may review the security practices of approximately 10 to 20 hospitals, according to GovernmentHealthIT. CMS hired third-party auditors to check for compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Initial audits will focus on the largest entities, as well as those with complaints registered with CMS.

Targets for crime
Hackers, organized crime groups, and internal employees view health care organizations as a prime mark for profits. They want access to patient and non-patient data (especially that of executives), which they use for identity theft and fraud.

Today, cyber thieves focus on:

  • Penetrating wireless networks, Web sites, and modems (an unpatched Windows XP computer can be compromised in 20 minutes)
  • Exploiting how employees use email and the Internet, through spear phishing and social engineering (tricking staff into bypassing otherwise adequate controls, which allows criminals to obtain remote access)
  • Physical intrusions to gain access to networks or steal laptops, backup tapes, CDs, USB/thumb drives, etc.

Access our presentations to learn more about these threats.

What you can do to safeguard data
Understanding the flow of information within your organization will better position your leadership team to manage risks while withstanding scrutiny from HIPAA regulators and criminals.

  • Build a sound business strategy: Include steps to protect, detect, test, and validate your information security systems as well as respond to an attack and remediate, so it doesn’t happen again.

    Through standards you can establish the protective foundation to maintain your organization’s data (confidentiality, integrity, and availability). These standards must cover how people will use information and how the systems will manage and enforce the use of it.

  • Test and manage your information systems: Once the standards are established, processes for detecting problems, issues, and breaches need to be managed. And they should encompass a variety of automated and manual methods.

    A key component of a sound security strategy includes periodic testing to validate that systems are performing as expected. This includes the configurations of the technical systems, the response to events and attacks, and the processes that support the identification, response, and remediation.

    Such testing and validation should be done by entities that are independent of the functions being audited. Information security and information systems administration are different domains, requiring specialized knowledge and expertise.

    We recommend you engage security professionals who understand how to conduct true penetration tests to validate system security.

How LarsonAllen can help
Information security services
LarsonAllen’s certified security professionals prepare organizations for HIPAA security audits and identify and develop strategies to establish robust layers of defense.

For more information, contact Randy Romes, information security services principal, or learn about our full array of information security services.

© 2000-2008 LarsonAllen® LLP  Equal Opportunity/Affirmative Action Employer