Health Care Security Essentials New

The targeting and theft of sensitive health information continues to challenge covered entities and business associates alike. Increased regulation combined with a dynamic threat landscape requires today's health care leader to have a clear understanding of relevant legislation and how to measurably defend patient data and related systems.

Health Care Security Essentials is designed to provide attendees with an introduction to current and emerging issues in health care information security and regulatory compliance. The class provides a foundational set of skills and knowledge for students through the integration of case studies, hands-on labs, and defensible control considerations for securing and monitoring electronic protected health information ("ePHI"). In this class, students will learn about actual attacks and incidents that have affected health care organizations and what can be done to mitigate the damage and keep your organization from suffering a similar outcome. For compliance and audit professionals, this class details how to automate controls in support of the Health Insurance Portability and Accountability Act ("HIPAA") Security Rule and other key regulations.

Why Choose This Course?

  • The HIPAA Security Rule provides the "what" in regard to requirements with which health care organizations must comply, yet we're often asked "how can we implement safeguards that fulfill the intent of the rule?" and "what else should HCOs be doing to protect patient and hospital assets?" This course is purposefully built to provide an effective answer.
  • Health Care Security Essentials dissects the Security Rule and highlights important security controls to identify and mitigate both insider and external attacks.

If you are an information security professional working in health care, this course will provide you with practical advice for stopping even the most advanced attacks that may target the organization.

Course Syllabus

Overview

The first day of the course focuses on existing threats to health care information systems and data. We will examine 'why' and 'how' patient information is being targeted, as well as evolving trends, including, but not limited to, the commercialization of malicious software, medical identity theft, and insider threats. Day one also provides attendees with an overview of the HIPAA Security Rule and its context, with close attention paid to the rule's structure, safeguards, and the implementation specifications governing ePHI. This information will remove ambiguity and get to the point of how to defend patient data and other sensitive information. The section concludes with a discussion on security frameworks, controls, and practical countermeasures.

Hands-on exercises covered in the first day include an analysis of recent breach data, sensitive asset identification and hardening, and an introduction to data loss prevention ("DLP").

CPE/CMU Credits: 6

Overview

Day two begins by examining the risk analysis requirement of the Security Rule, 164.308(a)(1)(ii)(A), along with relevant audit findings and important considerations for developing a defensible risk management process. Physical and technical safeguards are also examined. The course then transitions to a review of electronic health records ("EHR") security, often a prized target for criminals, and EHR application assessment and hardening. Section 2 concludes by discussing the current state of medical device security and risk management processes.

Hands-on exercises covered during day two include log monitoring and analysis techniques, vulnerability assessment, asset encryption, and configuration analysis. Additional labs may be added, time permitting.

CPE/CMU Credits: 6

Additional Information

  • Ideally, student laptops should have virtualization enabled in the BIOS, and students should have administrative rights.
  • The laptop should have at least one available USB port.
  • All requisite software, including VMware Player/Fusion, is provided during the class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

*CPE/CMU credits not offered for the SelfStudy delivery method


3 Training Results

  • Training Event: Dec 10, 2016 - Dec 11, 2016
  • Training Event: SANS Secure Singapore 2017, Singapore, Singapore, Mar 16, 2017 - Mar 17, 2017
  • Community SANS: Staff, Mar 9, 2017 - Mar 10, 2017

*Course contents may vary depending upon location; see the specific event description for details.