
DC Regulatory Update 2011

CISO Executive Network

Understanding the Regulatory Environment

DC Breakfast Series Roundtable

Thursday, January 20, 2011

8:00 am - 12 noon

Reed Smith

Speakers

Chris Swalina and Amy Mushahwar, Reed Smith

Documents recommended by Amy and Chris: FTC Summary, Commerce Report, A Washington Tale of Two Privacy Reports

Kimber Spradlin, Big Fix/IBM

Member Speaker

James White, MedStar Health

Network Member James White Discusses Regulatory Compliance

Organizations should ensure they maintain current security and privacy policies, along with an effective risk management process, in order to make sure they remain in compliance.

“As I look at the challenges facing many businesses today, and particularly in healthcare, we are dealing with a significantly changing regulatory environment,” explains James White, CISO with MedStar Health, a nine hospital not-for-profit healthcare system in the Baltimore/Washington corridor.  “Failing to stay abreast of these requirements could have significant impacts on our business and our ability to provide critical services to the community.”

When asked who else in the organization should be brought up to speed regarding compliance issues, James says he believes it is important that everyone in the organization should understand the “rules of the road” as they relate to information security and privacy.  “In particular, it is critical that the organization’s executive leadership understand the issues,” he says.  “I’ve found this best accomplished by communicating information technology risk in business terms, i.e., regulatory, reputation, patient care, etc.”

Certain regulatory requirements are specific to the healthcare industry and its clinical and financial interests. “These issues clearly receive the highest priority,” says James, “followed by all others.” He adds that the real key to prioritizing and managing these requirements is the establishment of an IT risk management function that includes not only IT but also representatives from key business areas.

James is the person in his organization taking the lead on compliance-related decisions.  He is the risk committee chair and, he says, it is up to him to make sure identification and selection of risk issues move forward to the governance committee for review and action.

When it comes to interacting with departments such as legal, compliance, auditors, and others who have a vested interest in compliance issues, James finds it most effective to reach out to representatives from each area in order to better understand their responsibilities, goals and objectives, and challenges.  “I really focus my efforts on how to bring them into my governance process,” he says, “not just how I could support them in their process.”

And his best advice to other CISO Executive Network members regarding understanding the regulatory environment?  “Read, read, read,” he says.  “And keep your Privacy/Legal officer on speed dial.”

James White is the chief information security officer (CISO) for MedStar Health, a nine hospital not-for-profit healthcare system in the Baltimore/Washington corridor. He holds both a Master of Business Administration degree from the Robert H. Smith School of Business at the University of Maryland and a Bachelor of Business Administration degree from Averett University. He also is a Certified Information Systems Security Professional and a Certified Information Security Manager.

Attachment: CISOExecNet DC JAN 20.pdf (3.2 MB)