Presented to Information Systems Security Association of Orange County

Presentation transcript:

Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients Presented to Information Systems Security Association of Orange County April 11, 2019 April Sather, Founder & Principal Illuminar Consulting, Inc.

Illuminar Consulting, Inc.© Agenda
:10 Introduction to the practices & toolkit
:05 Top 5 threats
:05 Top 10 practices
:10 Never assume - questions leaders must ask
:05 Execution
:05 Q&A
January 2019 Illuminar Consulting, Inc.©

Why are we here?
- 4 in 5 U.S. physicians have experienced a form of cybersecurity attack.
- Average cost of a data breach is $3.86M globally, $7.91M in the US.
- Cost per health record breached = $408 vs. $206 for a financial one, yet ...
- Spending on cybersecurity as a % of total IT budget in the healthcare sector is only half the average across all sectors: 4-7% versus 10-14%.
- Average time from being breached to realizing it is 196 days.
- It is not a matter of if an organization will be breached, it is when.
- Most of us, as individuals, have already been a victim of a breach. Don't take my word for it, check out haveibeenpwned.com.
Sources: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients & Ponemon Institute 2018 Data Breach Report; https://www.healthcaredive.com/news/4-out-of-5-us-physicians-have-experienced-a-cybersecurity-attack/512848/
8/4/2019 Illuminar Consulting, Inc.©

What Makes the HHS Approach Different?
- Driven by the Cybersecurity Act of 2015 (CSA) Sec. 405(d), 'Aligning Health Care Industry Security Approaches'.
- Practices released in December 2018 by HHS.
- Created by a public-private Task Group.
- "... practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes." Eric Hargan, Deputy Secretary of Health and Human Services
- Designed for leaders by leaders ... and will need leadership support to implement.
- Accompanied by quality (and free) supporting tools and resources.

What the Guidelines are, and are not
- Not a new framework. They are based on the NIST Cybersecurity Framework, which is quickly becoming the dominant framework in the U.S.
- Not designed to address every cybersecurity challenge. The goal is to 'move the needle' in a pragmatic way.
- Following these new practices does not guarantee compliance with other frameworks or standards (e.g., HIPAA), but it will help organizations select the most effective practices to mitigate today's threats.

Health Industry Cybersecurity Practices Components
- Health Industry Cybersecurity Practices (HICP) main document, 36 pages: executive summary of the threats and practices.
- Technical Volume 1, 29 pages: practices and metrics tailored for small organizations.
- Technical Volume 2, 108 pages: practices and metrics tailored for medium and large organizations.
- Resources & Templates, 71 pages: policy templates, links to training and other resources, and a mapping of the practices to the NIST framework.
- Risk Assessment: Excel-based self-assessment tool; use it to prioritize improvement areas.

Which Technical Volume Applies? = f (size + complexity) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf, page 11.

Top 5 Cybersecurity Threats
1. E-mail phishing attack
2. Ransomware attack
3. Loss or theft of equipment or data
4. Insider, accidental or intentional data loss
5. Attacks against connected medical devices that may affect patient safety
Source: https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

Top 10 Protections
1. E-mail protection systems
2. Endpoint protection systems
3. Access management
4. Data protection & data loss protection
5. Asset management
6. Network management
7. Vulnerability management
8. Incident response
9. Medical device security
10. Cybersecurity policies
Source: https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

Audience Participation .... for a $10 gift card. Which 3 protections most effectively mitigate the threat?
TOP 5 THREATS: 1. E-mail phishing attack; 2. Ransomware attack; 3. Loss or theft of equipment or data; 4. Insider, accidental or intentional data loss; 5. Attacks against connected medical devices that may affect patient safety.
TOP 10 PROTECTIONS: 1. E-mail protection systems; 2. Endpoint protection systems; 3. Access management; 4. Data protection & data loss protection; 5. Asset management; 6. Network management; 7. Vulnerability management; 8. Incident response; 9. Medical device security; 10. Cybersecurity policies.

Audience Participation .... for a $10 gift card. Which 9 protections most effectively mitigate the threat? (Same top 5 threats and top 10 protections as on the previous slide.)

Audience Participation .... for a $10 gift card. Which 8 protections most effectively mitigate the threat? (Same top 5 threats and top 10 protections as on the previous slide.)

Audience Participation .... for a $10 gift card. Which 6 protections most effectively mitigate the threat? (Same top 5 threats and top 10 protections as on the previous slide.)

Audience Participation .... for a $10 gift card. Which 7 protections most effectively mitigate the threat? (Same top 5 threats and top 10 protections as on the previous slide.)

HICP Threat and Protection Summary
Example: a practice wishes to protect against the Email Phishing Attack threat (A). Implement practices #1, #8 and #10: Email Protection Systems, Incident Response, Cybersecurity Policies. More detailed implementation advice is provided in the Technical Volumes.

Practice #1: Sub-practices for Medium & Large Entities

Ex. Basic Email Protection System Controls (1st 3 of 9 shown) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf

Ex. Basic Email Protection System Controls (4-7 of 9 shown) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf

Ex. Basic Email Protection System Controls (8-9 of 9 shown) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf

Ex. Suggested Metrics for Practice #1: E-mail Protection Systems (1st 3 of 7 shown) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf

Ex. Suggested Metrics for Practice #1: E-mail Protection Systems (4-5 of 7 shown) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf

Ex. Suggested Metrics for Practice #1: E-mail Protection Systems (6-7 of 7 shown) Source: https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf

Threat #1: Email Phishing Attack
- Have staff been trained on how to identify a suspicious email and, specifically, on how to report it?
- Have we tested staff understanding via a phishing simulation? When?
- Who investigates reports of suspicious email? SLA? How many suspicious emails were reported last month?
- What is our process if a staff member has been phished?
- Do we tag external emails to make them recognizable?
- What tools are used to detect and block dangerous email? Are they working?
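The "tag external emails" and "tools to detect and block dangerous email" questions above have a concrete shape at the mail gateway. The following is an added Python example, not code from the HICP volumes or from Illuminar, showing the kind of per-message check an e-mail protection system applies: it trusts only the Authentication-Results header written by our own gateway (authserv-id assumed to be mx.clinic.example), prefixes external mail with [EXTERNAL], and quarantines messages that claim an internal domain without a DMARC pass, imitate an internal name on an outside address, or steer replies to a different domain. The domain names, the authserv-id and the three sample messages are constructed for the example.

```python
"""Inbound mail triage of the kind an e-mail protection system applies per
message. Added example; domains, authserv-id and samples are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"clinic.example"}   # assumption: domains our organisation sends as
AUTHSERV_ID = "mx.clinic.example"       # assumption: authserv-id our own gateway writes
EXTERNAL_TAG = "[EXTERNAL] "


def domain_of(header_value):
    """Lower-case domain of the first address in a From:/Reply-To: header ('' if none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def auth_verdicts(msg):
    """SPF/DKIM/DMARC verdicts from Authentication-Results headers written by
    our own gateway. A sender can inject a forged Authentication-Results
    header upstream, so anything not carrying our authserv-id is ignored."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != AUTHSERV_ID:
            continue
        for clause in results.split(";"):
            method, _, rest = clause.strip().partition("=")
            tokens = rest.split()
            if method and tokens:
                verdicts[method.lower()] = tokens[0].lower()
    return verdicts


def triage(raw_message):
    """Return (action, reasons, subject_to_deliver); action is 'deliver',
    'tag' (deliver with the [EXTERNAL] prefix) or 'quarantine'."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From", ""))
    external = from_domain not in INTERNAL_DOMAINS
    verdicts = auth_verdicts(msg)
    reasons = []

    # Mail claiming one of our own domains must carry a DMARC pass from our
    # gateway; otherwise it is an outsider impersonating staff.
    if not external and verdicts.get("dmarc") != "pass":
        reasons.append("internal From: domain without a DMARC pass")
    # Display-name spoofing: an internal-looking name on an outside address.
    if external and any(d in display_name.lower() for d in INTERNAL_DOMAINS):
        reasons.append("display name imitates an internal address")
    # Reply-To steering replies to a different domain is a common phishing tell.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From: domain")

    subject = str(msg.get("Subject", ""))
    if reasons:
        return "quarantine", reasons, subject
    if external:
        if not subject.startswith(EXTERNAL_TAG):
            subject = EXTERNAL_TAG + subject
        return "tag", reasons, subject
    return "deliver", reasons, subject


# Constructed sample messages, not captured traffic.
SAMPLES = {
    "internal": "\n".join([
        "Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=clinic.example; dkim=pass header.d=clinic.example; dmarc=pass header.from=clinic.example",
        "From: Records Team <records@clinic.example>",
        "Subject: Chart audit schedule",
        "",
        "Schedule attached.",
    ]),
    "vendor": "\n".join([
        "Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example",
        "From: Billing <billing@vendor.example>",
        "Subject: Invoice 1042 attached",
        "",
        "Please find the invoice attached.",
    ]),
    "spoof": "\n".join([
        # Forged by the sender: wrong authserv-id, so it is ignored.
        "Authentication-Results: mail.attacker.example; dmarc=pass",
        "Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=clinic.example",
        "From: Anita Smith <payroll@clinic.example>",
        "Reply-To: payroll-update@attacker.example",
        "Subject: Urgent: confirm your direct deposit",
        "",
        "Reply with your bank details today.",
    ]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The authserv-id check is the part practitioners most often skip: a mail filter that reads any Authentication-Results header it finds can be talked into trusting a "dmarc=pass" the attacker typed in. Tagging is deliberately separate from quarantining, since the tag exists to help a human notice external mail, while the quarantine rules catch messages no human should have to judge.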

Threat #2: Ransomware Attack
- Do we have a ransomware incident response plan? Show me. When is the last time we tested it?
- Explain our backup strategy. What data are we backing up? Where are we backing it up to?
- When is the last time we tried to restore our data from backup? Did it work? Show me the results of this test.
- Are patches up to date on applications, hardware, operating systems? Show me.
- How are we handling HW/SW/OS that cannot be patched?
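"When is the last time we tried to restore our data from backup? Did it work? Show me the results." The following added Python example (not from the HICP volumes or from Illuminar) is one way to produce that evidence: a SHA-256 manifest recorded at backup time and kept apart from the backup media, checked against the restored tree, so a restore that silently skipped a file, or a backup that ransomware had already encrypted, fails the drill instead of passing because the directory looks complete. The directory layout and file contents are constructed for the drill.

```python
"""Backup restore drill with an integrity manifest. Added example on
constructed data; paths and file contents are not from any real system."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256.
    Taken at backup time and stored apart from the backup media, so a
    ransomware run that encrypts the backup cannot also rewrite the manifest."""
    root = Path(root)
    return {path.relative_to(root).as_posix(): sha256_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. Reports files that are
    missing, whose contents changed, and that appeared from nowhere."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected,
            "ok": not (missing or corrupted)}


def restore_drill():
    """Self-contained drill: back up a small constructed tree, restore it, then
    damage a second restored copy the way a partial restore or an encrypted
    backup would, and return both verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "ehr").mkdir(parents=True)
        (src / "ehr" / "patients.db").write_bytes(b"record-0001\nrecord-0002\n")
        (src / "ehr" / "schedule.csv").write_text("2019-04-11,clinic A\n")
        (src / "policies.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        manifest = build_manifest(src)

        good = Path(tmp, "restore-good")
        shutil.copytree(src, good)
        clean_report = verify_restore(manifest, good)

        bad = Path(tmp, "restore-bad")
        shutil.copytree(src, bad)
        # Ransomware reached the backup: contents replaced, name and size plausible.
        (bad / "ehr" / "patients.db").write_bytes(b"ENCRYPTED\x00\x01\x02\x03\x04\x05\x06")
        # Restore job quietly skipped a file.
        (bad / "policies.pdf").unlink()
        damaged_report = verify_restore(manifest, bad)
        return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The report from the damaged copy is the artefact a leader can ask to see: it names the file that came back altered and the file that did not come back at all, which a "restore completed successfully" job status would not.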

Threat #3: Loss or Theft of Equipment or Data
- Do we have a complete inventory of assets (e.g., desktops, laptops, mobile phones, tablets)? When was it last updated? Show me.
- Are laptops and mobile devices configured securely, encrypted and regularly patched? How might we verify this? Show me.
- Do we have a policy and practice of removing all data from devices before we retire or dispose of them? Who is accountable for enforcing this?
- How are we controlling the use of USB keys? If in use, are they encrypted, tracked and actively managed?
- Have we trained our staff on all of the above, and tested their understanding? Do staff know the process for reporting an incident?

Threat #4: Insider, Accidental or Intentional Data Loss
- Have staff been trained on (and do policies exist for): data access procedures; what can (and cannot) be shared via email; use of removable media (e.g., USB keys); the process for reporting a lost/stolen device, accidental email disclosure, etc.?
- Have we tested staff understanding via social engineering and other simulations? When?
- Is our system set up to audit access to health record systems and sensitive data? If so, who reviews exceptions? When?
- What data loss prevention tools do we use? If none, why?
- Do we require strong/unique usernames and passwords? How frequently are users required to change their passwords?
- Do we use MFA (multi-factor authentication)? If not, why not?
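"Is our system set up to audit access to health record systems and sensitive data? If so, who reviews exceptions?" An exception review needs rules that turn a raw access audit trail into a short queue. The following added Python example (not from the HICP volumes or from Illuminar) applies four common rules to a constructed access log: a clinical user reading a patient outside their own department, access outside business hours, any access to a flagged (VIP) record, and one user opening more distinct records within an hour than a threshold allows. The log rows, the VIP list, the role set, the hours and the threshold are all assumptions for the example; a production review ties the department check to an actual treatment relationship rather than to department labels.

```python
"""Exception rules over an EHR access audit log. Added example on a
constructed log; roles, thresholds and patient IDs are assumptions."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

CLINICAL_ROLES = {"nurse", "physician"}   # assumption: roles expected to stay in their department
VIP_PATIENTS = {"P0042"}                   # assumption: records flagged for review on any access
BUSINESS_HOURS = (7, 19)                   # assumption: 07:00 to 19:00 is normal
WINDOW = timedelta(minutes=60)
VOLUME_THRESHOLD = 5                       # assumption: more distinct patients than this per window

# Constructed access audit log (not real data): one row per record access.
AUDIT_LOG = """\
timestamp,user,role,user_dept,patient_id,patient_dept,action
2019-04-10T09:02:00,nurse01,nurse,oncology,P1001,oncology,view
2019-04-10T09:05:00,nurse01,nurse,oncology,P1002,oncology,view
2019-04-10T10:15:00,nurse01,nurse,oncology,P1003,oncology,update
2019-04-10T09:40:00,billing02,billing,billing,P1001,oncology,view
2019-04-10T11:30:00,physician05,physician,cardiology,P0042,cardiology,view
2019-04-10T14:00:00,clerk03,clerk,records,P3001,cardiology,view
2019-04-10T14:03:00,clerk03,clerk,records,P3002,cardiology,view
2019-04-10T14:05:00,clerk03,clerk,records,P3003,cardiology,view
2019-04-10T14:09:00,clerk03,clerk,records,P3004,cardiology,view
2019-04-10T14:12:00,clerk03,clerk,records,P3005,cardiology,view
2019-04-10T14:20:00,clerk03,clerk,records,P3006,cardiology,view
2019-04-10T23:10:00,nurse04,nurse,orthopedics,P9001,oncology,view
"""


def finding(rule, row):
    return {"rule": rule, "user": row["user"], "patient_id": row["patient_id"],
            "timestamp": row["timestamp"]}


def review_queue(log_text):
    """Apply the rules to an audit log and return the exceptions a reviewer
    should look at, in time order."""
    rows = list(csv.DictReader(StringIO(log_text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    rows.sort(key=lambda r: r["ts"])

    findings = []
    recent = defaultdict(list)   # user -> [(ts, patient_id)] inside the trailing window
    for row in rows:
        user, ts = row["user"], row["ts"]
        if row["patient_id"] in VIP_PATIENTS:
            findings.append(finding("vip_record", row))
        if row["role"] in CLINICAL_ROLES and row["user_dept"] != row["patient_dept"]:
            findings.append(finding("cross_department", row))
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(finding("after_hours", row))
        # Sliding window of this user's recent accesses; flag the access that
        # pushes the count of distinct patients over the threshold.
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= WINDOW]
        recent[user].append((ts, row["patient_id"]))
        if len({p for _, p in recent[user]}) > VOLUME_THRESHOLD:
            findings.append(finding("volume", row))
    return findings


def by_user(findings):
    """Findings per user, the summary line a weekly exception report leads with."""
    counts = defaultdict(int)
    for item in findings:
        counts[item["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    queue = review_queue(AUDIT_LOG)
    for item in queue:
        print(item)
    print(by_user(queue))
```

On the sample log the billing clerk's cross-department view is not flagged because billing is not a clinical role, while the records clerk is flagged only at the sixth distinct chart within the hour. Both thresholds are where a reviewer tunes the rules against the organisation's own baseline; the point of the exercise is that someone is named to read the queue and that the queue is short enough to be read.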

Threat #5: Attacks Against Connected Medical Devices
- Do we know what connected medical devices are out there? In our facility? Used by our mobile workforce? In or with patients? Show me the inventory, and let's discuss how each category is managed.
- Who is responsible for patching and monitoring our connected medical devices? How are we handling ones that can't be updated?
- What is our protocol for notifying patients in the event of a compromise? And, vice versa? Have we communicated this well?
- Do we know how to contact the medical device manufacturer? Do they know how to contact us (e.g., to share vulnerabilities)?

Leading Cybersecurity
Ongoing oversight:
- Periodic cyber risk assessments
- Stay up to date with the latest threats
- Model good cybersecurity hygiene
- Enforce policies
- Continuous end user training and validation of understanding
Have gaps? Manage remediation like a project:
- Prioritize
- Schedule, budget, scope .... and resources
- Status reports, risk and issue logs
- Defined end date

The Big Picture: HICP in Context
The 6 Health Care Industry Cybersecurity Imperatives:
1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity. [HICP falls under this imperative]
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, risks, & mitigations.
Source: Report on Improving Cybersecurity in the Health Care Industry, 2017

Where to find HICP? https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx

Free Online Training Resources

www.haveibeenpwned.com

Illuminar Consulting, Inc. Services
- Cybersecurity Risk Assessments
- Security Program Management as-a-service
- Security Awareness Program Design & Delivery
- Technology Governance & Risk Management
Email: info@illuminarconsulting.com Web: illuminarconsulting.com