HIPAA Security Implementation, Version 1.0
7.8 PRESENTATION
By now, it's reasonable to expect that you've accumulated a lot of documentation. You've got the identification of goals and referential material to look up the legal requirements from the HIPAA Security Rule. Next, you have a site survey of the existing infrastructure and policies that might assist in your HIPAA compliance plan. This would be followed by a detailed financial risk evaluation and, finally, a very thorough document of the possible and favored implementation tasks and technologies.
Don't print all of this material out and turn it in as your justification plan. In most cases, some type of slide show presentation will serve as an effective tool for making your pitch. The following presentation guideline is based upon a good discussion on justifying an IDS infrastructure by Stephen Northcutt [1] . To seek justification for your HIPAA Security Rule compliance plan, the slide show should consist of the following sections:
-
Executive Summary-Basic introduction that identifies what the presentation is about. In this case, it's about your HIPAA Security Rule compliance plan.
-
Problem Statement-This section identifies the goals you're trying to achieve. This information and its supporting documentation would come from the 'Defining Your Goals' section.
-
Identify Existing Infrastructure-In this section, you'll identify the current state of compliance. This will include what goals from the previous section have already been met, and will identify what areas have not been completely met. The source for these slides will come from the 'Identifying Existing Tools' section above.
-
Identify your recommendations-Armed with the appropriate information, you've made decisions about what you'd like to do. This is where you present them.
-
Provide Alternatives-Here you include information about other technologies have been considered. This part and the last part of the presentation come from the research that was done in the 'Pick your solutions' section. Even though you've already identified the solutions you want to implement, it's important to provide this section so that the decision makers know you've thoroughly considered the alternatives and to give them the opportunity to informatively alter the plan if they see fit to do so.
-
Cost/Benefit Analysis-This section will include the cost of the recommended and alternative solutions and the financial risk calculations that has already been identified. Some information from Chapter 9 might be appropriate here for identifying how the budget plan is to be laid out.
-
Project Plan-This is the implementation plan that has been created based upon all the information above. This plan will demonstrate that this plan is realistic and that all appropriate considerations have been taken.
-
Executive Summary-At this point in time, you're wrapping up your presentation. There won't be any new information in this section as it will for the most part be a repeat of the first part of the slide show. This follows the Northcutt approach of 'Tell them what you're going to tell them, tell them, and then tell them what you told them' approach.
In many cases, a management board might want a short summarized presentation. In preparation for this eventuality, you should prepare three slides consisting of the Executive Summary/Problem Statement, Cost Summary, and the Schedule from the bigger slide presentation created based upon the guidelines above. Be prepared to identify facts and figures and to answer questions. If necessary, refer to the slides from the larger presentation.
[1] Network Intrusion Detection: Third Edition by Stephen Northcutt and Judy Novak, Chapter 19