Healthcare security posture


Healthcare security posture
Scott Raymond, MHA/INF, BSN, RN
ACIO / VP, Information Technology, Centura Health

Southern California IDN
• 5 hospitals
• 350 employed physicians
• 400 specialists
• 250 affiliates
• Free-standing surgery centers
• Free-standing radiology centers
• Free-standing dialysis centers

Things to cover
• Best practice security posture
• Breaches
• Threats
• NIST
• HIPAA
• Quick wins
• Q&A

Best Practice Security Posture (the five NIST Cybersecurity Framework core functions and their categories)
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management
Protect
• Access Control
• Awareness & Training
• Data Security
• Information Protection Processes & Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies & Events
• Security Continuous Monitoring
• Detection Processes
Respond
• Response Planning
• Communication
• Analysis (RCA)
• Mitigation
• Improvements (Post Mortem)
Recover
• Recovery Planning
• Improvements

Environment assessment (example diagram; not reproduced in the transcript)

Our current posture
• Firewall
• Endpoint security
• Microsoft identity management
• Data loss prevention / email encryption
• SIEM
• MDM
• 2FA
• AD password management
• Web filtering
• Remote access / remote support

Current posture (diagram slide; not reproduced in the transcript)

Things to work on
• Security best-practice standards
• Security & incident response playbook (think of a pilot's pre-flight checklist: a playbook you actually run through, step by step)
• Elevated credentials: 2FA for DBAs
• Log aggregator
• Tap badging for clinicians (2FA on the inside)
• BioMed device management & surveillance
• Eliminating generic machines and desktops
• Published desktop (CHD)
• VDI strategy and deployment

Breaches
A breach is an intentional or unintentional release of secure or private/confidential information to an untrusted environment.

2016 was the year of the breach
• Democratic National Committee
• U.S. Department of Justice
• Internal Revenue Service
• Yahoo
• LinkedIn
• Oracle
• Cisco
• Target
• Wendy's
• Snapchat
• And many more...

Healthcare breaches
• Premier Healthcare: 200,000 patient records
• 21st Century Oncology: 2.2 million patient records
• MedStar Health: ransomware
• Newkirk Products: 3.3 million customer health insurance plans
According to HIPAA Journal there were 329 healthcare breaches in 2016, exposing 16.5 million records.

Breach threats
External threats
• Malware
• Spyware
• Ransomware
• Vandalism
• Business disruption
• No vendor back-up or contingency
Internal threats
• Bad actors
• Negligence / accidental
• Inappropriate access
• Lack of controls
• Lack of security
• No back-up or contingency

NIST (quoted from NIST SP 800-53)
Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:
• Clearly articulated security requirements and security specifications;
• Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;
• Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;
• Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
• Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards; and
• Information security planning and system development life cycle management.

HIPAA Security Rule safeguards
Administrative safeguards
• Access controls
• Security awareness training
• Security incident procedures
• Evaluation
• Business associate contracts
Physical safeguards
• Facility access controls
• Workstation use & security
• Device & media controls: disposal, media reuse
Technical safeguards
• Access control
• Audit controls
• Integrity (P&Ps)
• Person or entity authentication
• Transmission security (encryption)
Organizational requirements
• BAAs & other arrangements
• Requirements for group health plans: implement safeguards, ensure adequate separation, ensure agent safeguards, report security incidents
• Policies & procedures

NIST & HIPAA crosswalk (the NIST SP 800-53 control families mapped against the HIPAA Security Rule)
• Access Control
• Awareness & Training
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• Contingency Planning / Business Continuity
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical & Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System & Services Acquisition
• System & Communications Protection
• System & Information Integrity
• Program Management

Quick wins
• Secure the DMZ: network segmentation, patch management, firewall, 2FA for all remote access, no webmail
• Network segmentation
• Patch management N+30
• Automation
• End-user education: phishing campaigns, Outlook reporting button
• SOC 24/7/365 monitoring: managed services, consulting / staff augmentation
• Yearly security audits: pen testing, red team / blue team
• Vendor audits: Security Scorecard, contracts
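"Patch management N+30" is the one quick win on this list that can be measured directly. The following Python script is an added example for this page, not the presenter's or Centura's code. It assumes N+30 means every patch must be applied within 30 days of the vendor's release date, and it runs against a constructed inventory with hypothetical hostnames, patch IDs and dates; in practice the inventory would come from the asset-management or endpoint tool named on the "current posture" slide.

```python
from datetime import date, timedelta

# N+30: a patch must be applied within 30 days of its vendor release date (assumption).
PATCH_WINDOW_DAYS = 30

# Constructed sample inventory: hypothetical hosts, zones, patch IDs and dates.
# Each patch maps to (vendor release date, date applied or None if still missing).
SAMPLE_INVENTORY = [
    {"host": "emr-app01", "zone": "clinical",
     "patches": {"KB5001": (date(2017, 1, 10), date(2017, 1, 20)),
                 "KB5002": (date(2017, 2, 1), None)}},
    {"host": "dmz-web01", "zone": "dmz",
     "patches": {"KB5001": (date(2017, 1, 10), None),
                 "KB5002": (date(2017, 2, 1), date(2017, 2, 5))}},
    {"host": "biomed-pump03", "zone": "biomed",
     "patches": {"KB5001": (date(2017, 1, 10), date(2017, 3, 15))}},
]
SAMPLE_TODAY = date(2017, 3, 20)  # constructed "as of" date for the report


def patch_status(released, applied, today, window_days=PATCH_WINDOW_DAYS):
    """Classify one patch against the N+window deadline.

    Returns (status, days) where status is one of:
      "ok"           applied on or before the deadline
      "applied_late" applied, but after the deadline (days = how late)
      "pending"      not applied, deadline not yet reached
      "overdue"      not applied and past the deadline (days = days overdue)
    """
    deadline = released + timedelta(days=window_days)
    if applied is not None:
        late = (applied - deadline).days
        return ("ok", 0) if late <= 0 else ("applied_late", late)
    if today <= deadline:
        return ("pending", 0)
    return ("overdue", (today - deadline).days)


def overdue_patches(inventory, today, window_days=PATCH_WINDOW_DAYS):
    """Patches still missing past their deadline, as (host, zone, patch_id, days_overdue).

    Sorted worst-first: most days overdue, then DMZ hosts ahead of internal ones,
    since internet-facing systems are the ones the "secure the DMZ" item is about.
    """
    findings = []
    for asset in inventory:
        for pid, (released, applied) in asset["patches"].items():
            status, days = patch_status(released, applied, today, window_days)
            if status == "overdue":
                findings.append((asset["host"], asset["zone"], pid, days))
    findings.sort(key=lambda f: (-f[3], f[1] != "dmz"))
    return findings


def late_applications(inventory, today, window_days=PATCH_WINDOW_DAYS):
    """Patches that were eventually applied but missed the window: (host, patch_id, days_late).

    Useful for showing whether the N+30 process is actually being honored over time.
    """
    out = []
    for asset in inventory:
        for pid, (released, applied) in asset["patches"].items():
            status, days = patch_status(released, applied, today, window_days)
            if status == "applied_late":
                out.append((asset["host"], pid, days))
    return out


def compliance_rate(inventory, today, window_days=PATCH_WINDOW_DAYS):
    """Fraction of (host, patch) pairs not currently overdue; a single metric for a scorecard."""
    total = ok = 0
    for asset in inventory:
        for released, applied in asset["patches"].values():
            total += 1
            if patch_status(released, applied, today, window_days)[0] != "overdue":
                ok += 1
    return ok / total if total else 1.0


if __name__ == "__main__":
    for host, zone, pid, days in overdue_patches(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{host:14} {zone:9} {pid} overdue by {days} days")
    for host, pid, days in late_applications(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{host:14} {pid} applied {days} days late")
    print(f"N+{PATCH_WINDOW_DAYS} compliance: {compliance_rate(SAMPLE_INVENTORY, SAMPLE_TODAY):.0%}")
```

Run as-is it reports the DMZ web host first (39 days overdue), then the clinical application server (17 days), notes that the biomedical device was patched 34 days late, and gives a 60% N+30 compliance figure for the sample. Replacing `SAMPLE_INVENTORY` with an export from the real asset inventory turns it into the recurring check behind the "automation" bullet.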

Questions?

Best practice security posture takeaways
• Secure the DMZ
• Firewall
• 2FA for all remote access
• No webmail
• Network segmentation
• Patch management N+30
• Automation
Scott Raymond, scottraymond@centura.com