1
Healthcare security posture
Scott Raymond, MHA/INF, BSN, RN; ACIO and VP, Information Technology, Centura Health
2
Southern California IDN
- 5 hospitals
- 350 employed physicians
- 400 specialists
- 250 affiliates
- Free-standing surgery centers
- Free-standing radiology centers
- Free-standing dialysis centers
3
Things to cover
- Best practice security posture
- Breaches
- Threats
- NIST
- HIPAA
- Quick wins
- Q&A
4
Best Practice Security Posture (the five core functions of the NIST Cybersecurity Framework and their categories)
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management
- Protect: Access Control; Awareness & Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology
- Detect: Anomalies & Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communication; Analysis (root cause analysis); Mitigation; Improvements (post mortem)
- Recover: Recovery Planning; Improvements
5
Environment assessment
Example
6
Our current posture
- Firewall
- Endpoint security
- Microsoft identity management
- Data loss prevention / encryption
- SIEM
- MDM
- 2FA
- AD password management
- Web filtering
- Remote access / remote support
7
Current posture
8
Things to work on: security best-practice standards
- Security & incident response playbook (think of a pilot's checklist)
- 2FA for elevated credentials (e.g. DBAs)
- Log aggregator
- Tap badging for clinicians (2FA on the inside)
- BioMed device management & surveillance
- Eliminating generic machines and desktops
- Published desktop (CHD)
- VDI strategy and deployment
9
Breaches: an intentional or unintentional release of secure or private/confidential information to an untrusted environment.
10
2016 was the year of the breach
- Democratic National Committee
- U.S. Department of Justice
- Internal Revenue Service
- Yahoo
- LinkedIn
- Oracle
- Cisco
- Target
- Wendy's
- Snapchat
- And many more...
11
Healthcare breaches (2016)
- Premier Healthcare: 200,000 patient records
- 21st Century Oncology: 2.2 million patient records
- MedStar Health: ransomware
- Newkirk Products: 3.3 million customer health insurance plans
According to HIPAA Journal there were 329 healthcare breaches in 2016, exposing 16.5 million records.
12
Breach threats
- External threats: malware; spyware; ransomware; vandalism; business disruption; no vendor back-up or contingency
- Internal threats: bad actors; negligence / accidental; inappropriate access; lack of controls; lack of security; no back-up or contingency
13
NIST (quoted from NIST SP 800-53): Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:
- Clearly articulated security requirements and security specifications;
- Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;
- Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;
- Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
- Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards; and
- Information security planning and system development life cycle management.
14
HIPAA Security Rule
- Administrative safeguards: Access Controls; Security Awareness Training; Security Incident Procedures; Evaluation; Business Associate Contracts
- Physical safeguards: Facility Access Controls; Workstation Use & Security; Device & Media Controls (Disposal, Media Reuse)
- Technical safeguards: Access Control; Audit Controls; Integrity (P&Ps); Person or Entity Authentication; Transmission Security (encryption)
- Organizational requirements: BAAs & Other Arrangements; Requirements for Group Health Plans (Implement Safeguards, Ensure Adequate Separation, Ensure Agent Safeguards, Report Security Incidents)
- Policies & Procedures
15
NIST & HIPAA Crosswalk (the NIST SP 800-53 control families mapped to the HIPAA safeguards)
- Access Control
- Awareness & Training
- Audit & Accountability
- Security Assessment & Authorization
- Configuration Management
- Contingency Planning / Business Continuity
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical & Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System & Services Acquisition
- System & Communications Protection
- System & Information Integrity
- Program Management
16
Quick wins
- Secure the DMZ: firewall; 2FA for all remote access; no webmail
- Network segmentation
- Patch management: N+30 (every patch installed within 30 days of release); automation
- End user education: phishing campaigns; Outlook reporting button
- SOC: 24/7/365 monitoring; managed services; consulting / staff augmentation
- Yearly security audits: pen testing; red team / blue team
- Vendor audits: Security Scorecard; contracts
17
Questions?
18
Best practice security posture takeaways
- Secure the DMZ: firewall; 2FA for all remote access; no webmail
- Network segmentation
- Patch management: N+30; automation
Scott Raymond
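The "Patch Management N+30 Automation" item appears on both the quick-wins and the takeaways slides but the deck does not show how to measure it. The Python below is an added example, not code from the presentation or from Centura Health, and it assumes N+30 means every patch must be installed within 30 days of the vendor's release date (N). It classifies each host/patch pair as compliant, pending, late or overdue, lists the SLA breaches with internet-facing DMZ hosts first (the "Secure the DMZ" item), and reports an overall compliance rate. Host names, zones, KB identifiers and dates are constructed sample data.

```python
"""Patch-SLA (N+30) compliance check over a constructed patch inventory.

Assumption: "N+30" means every patch must be installed within 30 days of
the vendor's release date N. Hosts, zones, patch IDs and dates below are
constructed sample data, not real systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SLA_DAYS = 30  # the "+30" in N+30


@dataclass(frozen=True)
class PatchRecord:
    host: str
    zone: str                  # network segment, e.g. "dmz", "clinical", "corp"
    patch_id: str              # vendor advisory / KB identifier (constructed)
    released: date             # vendor release date, the "N" in N+30
    installed: Optional[date]  # None means the patch is not yet installed


def deadline(rec: PatchRecord) -> date:
    """Last day on which installing the patch still meets the SLA."""
    return rec.released + timedelta(days=SLA_DAYS)


def patch_status(rec: PatchRecord, today: date) -> str:
    """compliant / late (installed after the deadline) / pending / overdue."""
    due = deadline(rec)
    if rec.installed is not None:
        return "compliant" if rec.installed <= due else "late"
    return "overdue" if today > due else "pending"


def sla_report(records: List[PatchRecord], today: date) -> List[Tuple[str, str, str, str, int]]:
    """Rows (host, zone, patch_id, status, days past deadline) for every SLA
    breach; internet-facing DMZ hosts first, then the most overdue."""
    rows = []
    for rec in records:
        st = patch_status(rec, today)
        if st == "overdue":
            rows.append((rec.host, rec.zone, rec.patch_id, st, (today - deadline(rec)).days))
        elif st == "late":
            rows.append((rec.host, rec.zone, rec.patch_id, st, (rec.installed - deadline(rec)).days))
    rows.sort(key=lambda r: (r[1] != "dmz", -r[4], r[0]))
    return rows


def compliance_rate(records: List[PatchRecord], today: date) -> float:
    """Share of records that are compliant or still inside the 30-day window."""
    if not records:
        return 1.0
    ok = sum(1 for r in records if patch_status(r, today) in ("compliant", "pending"))
    return ok / len(records)


# Constructed sample inventory (hypothetical hosts and KB numbers).
TODAY = date(2017, 3, 1)
SAMPLE = [
    PatchRecord("dmz-web-01", "dmz", "KB-1001", date(2017, 1, 10), None),
    PatchRecord("dmz-web-01", "dmz", "KB-1002", date(2017, 2, 15), None),
    PatchRecord("ehr-app-02", "clinical", "KB-1001", date(2017, 1, 10), date(2017, 2, 20)),
    PatchRecord("ehr-app-02", "clinical", "KB-1002", date(2017, 2, 15), date(2017, 2, 20)),
    PatchRecord("hr-ws-17", "corp", "KB-0998", date(2016, 12, 1), None),
    PatchRecord("hr-ws-17", "corp", "KB-1002", date(2017, 2, 15), date(2017, 2, 16)),
]

if __name__ == "__main__":
    for host, zone, pid, st, days in sla_report(SAMPLE, TODAY):
        print(f"{host:12} {zone:9} {pid:8} {st:8} {days:3d} days past deadline")
    print(f"compliance: {compliance_rate(SAMPLE, TODAY):.0%}")
```

In practice the inventory would be pulled from the patch-management or CMDB tool rather than typed in, and the report fed to the SOC or ticketing system; the point of the example is that "late" (installed, but after day 30) is tracked separately from "overdue" (still missing), since only the second still carries exposure today.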