Managing Cyber Threats for Health Systems

1 Managing Cyber Threats for Health Systems
Dan Bowden, Vice President & CISO January, 2018

2 The Health Care Industry Cybersecurity Task Force Report
- Severe Lack of Cybersecurity Talent
- Legacy Equipment
- Premature/Over Connectivity
- Vulnerabilities Impact Patient Care
- Known Vulnerabilities Epidemic

3 HCIC Task Force Report – Executive Summary
Health care cybersecurity is a key public health concern that needs immediate and aggressive attention

4 HCIC Report -- Imperatives
Six High-Level Imperatives
1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, weaknesses, and mitigations.

5 What now, HHS?
Alignment of Imperatives, Recommendations and Action Items with CISA 405(d) Task Group: CHIME / AEHIS: Association of Executives in Health Information Security, Public Policy Group

6 What is the Task Group Doing?
The U.S. Department of Health and Human Services (HHS) is leading the development of a common set of voluntary cybersecurity guidance and best practices that cost-effectively reduce the cybersecurity risks of healthcare providers. HHS is conducting this work through a collaborative, multi-stakeholder process that will create an initial set of recommended cybersecurity practices that are actionable, practical, and relevant to healthcare providers of every size and resource level. Healthcare providers have long identified a need for a common set of consensus-based and industry-led cybersecurity practices that cost-effectively reduce their cybersecurity risks. Congress recognized this need in Section 405(d) of the Cybersecurity Information Sharing Act of 2015 (CISA), which directs the Secretary of HHS to develop voluntary, consensus-based, and industry-led guidelines in collaboration with key stakeholders.

7 What’s in it?
- Call to Action
- Most Impactful Threats
- Detailed Best Practice Recommendations: “How To Guide”
- Best Practices sub-divided for varying sized systems

8 What’s in it? Most Impactful Threats
- Phishing
- Ransomware/Malware
- Insider Threat
- Lost/Stolen Equipment
- Medical Device Support

9 What’s in it? Best Practices
- Email Protection
- Endpoint Protection
- IAM
- DLP
- Asset Management
- Network Management
- Vuln Mgmt
- SOC and IR
- Medical Device Security
- Policies and Procedures

10 Stuff Going on At Sentara

11 Handling Cyber Security Threats
Key Technologies and Process are a must for all Organizations
- NETWORK SEGMENTATION: Practice of separating networks to protect and limit exposure to threats.
- SECURITY OPERATIONS CENTER (SOC): Utilizing IBM Watson to be smarter at detecting and prioritizing Cyber Threats.
- 2 FACTOR AUTHENTICATION: Secure Remote Access for all users. 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
- 3rd PARTY RISK: Evaluate and manage risk from Business Associates, Subcontractors, Affiliated Providers, Joint Ventures and Strategic Partners.
- OPERATIONAL LEADERSHIP: Key operational leaders meet monthly to review, discuss and act on Cyber Security Metrics and emerging threats.

All organizations need to implement both key technologies and process to protect against Cyber Threats as well as defining organizational processes to manage risk. Some of the key technologies and process that Sentara has implemented are:

Network Segmentation – Dividing the network into manageable parts and monitoring communications between each part provides early detection of potential cyber threats while limiting organizational risk.

Security Operations Center (SOC) – We have partnered with IBM to provide us with 24x7 Monitoring of Sentara’s Cyber Security Threats. Utilizing Watson, this service provides AI capabilities to both detect and prioritize potential cyber security threats.

Two Factor Authentication – Most Cyber Security Breaches are due to compromised passwords. Sentara has taken a strong view that all external access requires two factor authentication to prevent compromising our systems. (We use the company DUO for this service.)

Operational Leadership – Security is everyone’s responsibility at Sentara. Engaging key operational leaders to participate in decision making for cyber has improved both the knowledge and the pace of execution for implementing cyber security initiatives. Our COO and CIO co-chair a group of leaders who meet monthly to review, prioritize and act on cyber initiatives.

3rd Party Risk – Sentara utilizes tools that assess public information about 3rd parties with respect to their cyber security posture. This assessment is like a Cyber Security Credit Score, which enables us to make informed decisions when partnering with new organizations as well as allows us to focus resources on mitigating potential issues.

Many of these initiatives are visible to the Board of Directors and are stated annual organizational goals.

12 Simplified Incident Response Strategy
How do we respond to a cyber security incident?

0. PREVENTION
1. DISCOVERY
2. EVALUATION & TRIAGE
3. MANAGING THE SHORT TERM CRISIS
4. LONG TERM RESPONSE MANAGEMENT

- Report Discovery via proper channels
- Incident Response Team
- Incident Analysis – Assess the Impact
- MINOR: Detect & Resolve
- MAJOR: Escalate through Incident Response Plan
- Forensic Investigation
- Containment / Mitigation
- Legal Review
- Recovery
- Immediate Response Planning
- Communications, PR, Crisis Management
- Long Term Recovery Planning: Legal, Reputational, Media
- Customer Communications
- Recommend Improvements

Our formal Incident Response Plan is owned by Info Security and is over 20 pages long; this is a simplified version of that plan.
- Discovery
- Assess the incident and engage the Incident Response Team (more details on who makes up the team on the next slide)
- Investigate, Contain, and Mitigate the issue, begin the recovery process
- Manage the Short Term Crisis: Engage our partners within Sentara & outside of Sentara as necessary, craft customer messaging
- Long Term Management: The IRT works to ensure we have long term plans in place and recommends improvements

13 Membership of the Incident Response Team
- Incident Response Team leader/coordinator
- Privacy Officer
- Legal
- Risk Management
- Information security
- Law Enforcement
- HR, employee relations, patient relations
- Public relations / Marketing
- Fulfillment Vendor
- Beazley/Broker
- Outside legal counsel
- Crisis Management Firm
- Others as appropriate

Dealing with major Cyber Security Issues involves the entire team at Sentara. It is important to have the entire team working early since the time to notify patients has direct reputational impact (i.e. Equifax waiting 6 or more months).

Some of the key participants that have critical roles to play early in the management process include:
- CISO
- Legal Counsel
- Privacy
- Marketing/Communications
- HR
- Cyber Security Broker or Cyber Insurance Representatives

Many others as appropriate are vital to the successful management of an incident.

14 Cyber Security influences on operational and strategic processes
- Proactive Cyber Audits for new partnerships
- Annual Planning for Cyber Investments
- Cyber Security is a Team Sport

Implementing a robust Cyber Security program takes significant resources and focus. Given the prevalence of Cyber Threats and the potential risk, implementing a Cyber Security Program should be a top priority for all Healthcare Organizations. Some ways that our Cyber Program has influenced both operational and strategic processes in our organization, including planning, growth and workforce development:

Proactive Audit for new partnerships – Proactive Cyber Audits are conducted on all new partnerships to assess risk and assess remediation efforts. New practices, hospitals or joint ventures many times are unaware of latent cyber vulnerabilities and require significant remediation as partnerships are negotiated.

Annual Planning – Each year our information security oversight committee plans initiatives based upon the greatest potential risk to our organization. Transparency of these initiatives has led to transformative discussions with the Board of Directors and stronger partnership with internal audit.

Cyber Security is a team sport – Workforce Education and Development are essential to a well-run cyber program. Education on phishing, remote access and good security hygiene has contributed to early detection of issues as well as vigilance of employees in protecting our patient health information.

15 Evaluating partners' cyber security risk
- Gain objective insight into 3rd party cyber security
- Engage partners with accurate, actionable security insights
- Allocate risk resources to where they are most needed
- Continuously monitor partner performance
- Collaborate with partners to reduce risks

In today’s environment, sharing of Patient and Member data is critical to population health efforts and essential to providing the best possible care. Understanding partners' cyber security risk is becoming an important part of negotiations and managing relationships. Sentara utilizes public information available on the internet to assess and manage 3rd Party risk. This allows us to establish a “Security Credit Score” for all partners and focus our time and resources on partners who may not have the best credit score.

(For Howard only: These partners include SQCN, Cloud Software Companies, or any service we use in the internet, i.e. Eligibility, claims scrubbing, Radiology Nighthawk Services. The tool we use that provides us with these Security Credit Scores is Risk Recon.)

16 Sentara’s ISAO Partners
This slide is static and does not animate.

Who are your partners in developing best practice for Cyber Security?

WHAT IS Information Sharing & Analysis Organization (ISAO)?
Information Sharing & Analysis Organization (ISAO) Members with common cybersecurity objectives

Mission: Improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.

The Cybersecurity Information Sharing Act of 2015 (“CISA”) was signed into law on December 18, Provided guidance and certain protections to encourage companies voluntarily to share information—specifically, information about “cyber threat indicators” and “defensive measures”—with the federal government, state and local governments, and other companies and private entities.

Sentara has worked with several progressive organizations to share security best practices and cyber threat information aimed at improving the quality of healthcare cyber readiness.

(For Howard only) We share technology decision making process, technical configurations, policy and procedure information, incident response processes and threat information.

17 Internal Cyber Vulnerability Dashboard
Appendix Slides

We have two slides that I thought were too technical for the presentation but will include them if you would like. The first is our Security Credit Score for Sentara and the second is our internal dashboard to manage issues from Internal Audit. I am not sure how long you want to talk to slides vs open dialog but we have a few more options.

18 Looking Forward
- Partnering with FBI, Homeland Security towards more active cyber threat sharing and management
- Research creation of cross sector, national cyber security infrastructure to include partnerships with law enforcement
- Leverage Partnerships with Academic Institutions creating internship and training for next generation of Cyber Security Professionals

Howard – Let me know your thoughts on this and I can edit and provide you another draft. One point I thought might be good to make is our partnership with Academic institutions to utilize internship as security staff. We currently have 10 students that rotate through the program and do real security work for Sentara. This provides us with highly motivated staff and a good hiring pool for new cyber security talent.
