1. Tuesday March 15, 2016 Session 19-D Technology Forum David Finkelstein, CIO RiverSpring Health

2. RiverSpring Health – A New Brand with a Century of History An Internationally recognized non-profit geriatric care organization offering a full continuum of senior care, serving more than 12,000 older adults in the greater New York area with services including: Hebrew Home at Riverdale - Skilled nursing facility providing post-acute rehab services, memory care, low vision care, Alzheimer's care, long term care. RiverSpring RiverWalk Independent Living, The Terrace at Riverdale assisted living, and Hudson House subsidized housing RiverSpring Rehabilitation RiverSpring Social Day Care RiverSpring at Night Weinberg Center for Elder Abuse Prevention RiverSpring Certified Home Health Agency RiverSpring Health Plans RiverSpring Care Management RiverSpring Services Corp

3. Threat of Future Security Attack Source: 2015 HIMSS Cybersecurity Survey

4. The financial impact is REAL Source: 2015 Cost of Data Breach Study by Ponemon Institute LLC

5. What can YOU do to protect your organization’s data AND reputation Defense in Depth – Training, P&P, On/off boarding, Minimum Necessary access, separation of duties, anti-virus, MDM, access controls, patching, LEM Correlation Defense in Breadth -Secure Perimeter, lock down access, training, drills -Best Practices – Reduce Attack Surfaces – Create Secure People, Processes, & Systems – Engage Third Party Experts for Validation

6. Conducting a Vulnerability Assessment External Vulnerability Assessment & Pen Test Internal Penetration Test Social Engineering – Phishing Attack & Spear Phishing Attack – Baiting Attack – Tailgating Attack

7. External Vulnerability Assessment & Pen Test Use of computer aided tools to: – Evaluate risks such as open ports – Missing security patches – Weak defenses

8. Internal Penetration Test Security tools to test: – Missing Security Patches – Improperly Shared Drives / Data – Weak Passwords – Rouge Devices – Server Hardening

9. Social Engineering Phishing - The act of tricking someone into revealing private or sensitive information Spear Phishing – a targeted phishing attack, where high value individuals with access to large amounts of confidential information or financial assets are targeted

10. How can we protect ourselves? Be suspicious of everything, especially email from an unknown or inconsistent address Be extra cautious if an Email asks for credentials or referring to an external link Provide training to your organization frequently Encourage recipients of questionable Email to contact your IT team immediately

11. What can a Phishing attack look like?

12. How can we identify a Phishing Attack? -Sender’s Name and Email address do not match -Sender’s Email address is mis-spelled -Red Outlook Warning that the message is potentially unsafe -Incorrect capitalization in Name -Unusual Request – IT should NEVER ask for confidential information such as date of birth or password

13. What if this was a REAL attack? Hackers would be able to log into the company network and access confidential information about the business, staff, patients, members, residents. Use the network access to scan the network for vulnerabilities which could lead to compromise or damage to critical business systems Damage the reputation of the organization Install a virus or other malware onto the systems Attempt to access personal information where you re-use the same password at other sites, including banking, eCommerce and others

14. Questions? Thank You ! David Finkelstein, CIO RiverSpring Services Corp Bronx, NY 10471 718-581-1576 office 347-514-4744 mobile david.finkelstein@riverspringhealth.org