
Presented to Information Systems Security Association of Orange County


1 Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients
Presented to Information Systems Security Association of Orange County, April 11, 2019
April Sather, Founder & Principal, Illuminar Consulting, Inc.

2 Agenda
- Introduction to the practices & toolkit (10 min)
- Top 5 threats (5 min)
- Top 10 practices (5 min)
- Never assume: questions leaders must ask (10 min)
- Execution (5 min)
- Q&A (5 min)
January 2019 Illuminar Consulting, Inc.©

3 Why are we here?
- 4 in 5 U.S. physicians have experienced a form of cybersecurity attack.
- Average cost of a data breach is $3.86M globally, $7.91M in the US.
- Cost per health record breached = $408 vs. $206 for a financial one, yet ...
- Spending on cybersecurity as a % of total IT budget in the healthcare sector (4-7%) is only half the average across all sectors (10-14%).
- Average time from being breached to realizing it is 196 days.
- It is not a matter of if an organization will be breached, it is when.
- Most of us, as individuals, have already been the victim of a breach. Don't take my word for it, check out haveibeenpwned.com.
Sources: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients & Ponemon Institute 2018 Data Breach Report
8/4/2019 Illuminar Consulting, Inc.©

4 What Makes the HHS Approach Different?
- Driven by Cybersecurity Act of 2015 (CSA) Sec. 405(d), 'Aligning Health Care Industry Security Approaches'.
- Practices released in December 2018 by HHS. Created by a public-private Task Group.
- "... practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes." Eric Hargan, Deputy Secretary of Health and Human Services
- Designed for leaders by leaders ... and will need leadership support to implement.
- Accompanied by quality (and free) supporting tools and resources.

5 What the Guidelines Are, and Are Not
- Not a new framework. They are based on NIST, which is quickly becoming the dominant framework in the U.S.
- Not designed to address every cybersecurity challenge. The goal is to 'move the needle' in a pragmatic way.
- Following these new practices does not guarantee compliance with other frameworks or standards (e.g., HIPAA), but will help organizations select the most effective practices to mitigate today's threats.

6 Health Industry Cybersecurity Practices Components
- Executive Summary: Health Industry Cybersecurity Practices (HICP), 36 pages
- Technical Volume 1, 29 pages: tailored for small organizations; practices and metrics
- Technical Volume 2 (page count missing from the transcript): tailored for medium and large organizations
- Resources & Templates, 71 pages: policy templates, links to training and other resources; mapping of practices to the NIST framework
- Risk Assessment: self-assessment tool (Excel-based); use to prioritize improvement areas

7 Which Technical Volume Applies? = f(size + complexity)
Source: page 11.

8 Top 5 Cybersecurity Threats
1. Email phishing attack
2. Ransomware attack
3. Loss or theft of equipment or data
4. Insider, accidental or intentional data loss
5. Attacks against connected medical devices that may affect patient safety

9 Top 10 Protections
1. Email protection systems
2. Endpoint protection systems
3. Access management
4. Data protection & data loss protection
5. Asset management
6. Network management
7. Vulnerability management
8. Incident response
9. Medical device security
10. Cybersecurity policies

10 Audience Participation .... for a $10 gift card
Which 3 protections most effectively mitigate the threat?
TOP 5 THREATS: Email phishing attack; Ransomware attack; Loss or theft of equipment or data; Insider, accidental or intentional data loss; Attacks against connected medical devices that may affect patient safety
TOP 10 PROTECTIONS: Email protection systems; Endpoint protection systems; Access management; Data protection & data loss protection; Asset management; Network management; Vulnerability management; Incident response; Medical device security; Cybersecurity policies

12 Audience Participation .... for a $10 gift card
Which 9 protections most effectively mitigate the threat?
(Same TOP 5 THREATS and TOP 10 PROTECTIONS lists as slide 10.)

14 Audience Participation .... for a $10 gift card
Which 8 protections most effectively mitigate the threat?
(Same TOP 5 THREATS and TOP 10 PROTECTIONS lists as slide 10.)

16 Audience Participation .... for a $10 gift card
Which 6 protections most effectively mitigate the threat?
(Same TOP 5 THREATS and TOP 10 PROTECTIONS lists as slide 10.)

18 Audience Participation .... for a $10 gift card
Which 7 protections most effectively mitigate the threat?
(Same TOP 5 THREATS and TOP 10 PROTECTIONS lists as slide 10.)

20 HICP Threat and Protection Summary
Example: a practice wishes to protect against the Email Phishing Attack threat (A). Implement practices #1, 8 & 10: Email Protection Systems, Incident Response, Cybersecurity Policies. More detailed implementation advice is provided in the Technical Volumes.

21 Practice #1: Sub-practices for Medium & Large Entities

22 Ex. Basic Email Protection System Controls (1st 3 of 9 shown)

23 Ex. Basic Email Protection System Controls (4-7 of 9 shown)

24 Ex. Basic Email Protection System Controls (8-9 of 9 shown)

25 Ex. Suggested Metrics for Practice #1: Email Protection Systems (1st 3 of 7 shown)

26 Ex. Suggested Metrics for Practice #1: Email Protection Systems (4-5 of 7 shown)

27 Ex. Suggested Metrics for Practice #1: Email Protection Systems (6-7 of 7 shown)

28 Threat #1: Email Phishing Attack
- Have staff been trained on how to identify a suspicious email and, specifically, on how to report it?
- Have we tested staff understanding via a phishing simulation? When?
- Who investigates reports of suspicious email? SLA?
- How many suspicious emails were reported last month?
- What is our process if a staff member has been phished?
- Do we tag external emails to make them recognizable?
- What tools are used to detect and block dangerous email? Are they working?

29 Threat #2: Ransomware Attack
- Do we have a ransomware incident response plan? Show me. When is the last time we tested it?
- Explain our backup strategy. What data are we backing up? Where are we backing it up to?
- When is the last time we tried to restore our data from backup? Did it work? Show me results of this test.
- Are patches up to date on applications, hardware, operating systems? Show me.
- How are we handling HW/SW/OS that cannot be patched?

30 Threat #3: Loss or Theft of Equipment or Data
- Do we have a complete inventory of assets (e.g., desktops, laptops, mobile phones, tablets)? When was it last updated? Show me.
- Are laptops and mobile devices configured securely, encrypted and regularly patched? How might we verify this? Show me.
- Do we have a policy and practice of removing all data from devices before we retire or dispose of them? Who is accountable for enforcing this?
- How are we controlling the use of USB keys? If in use, are they encrypted, tracked and actively managed?
- Have we trained our staff on all of the above, and tested their understanding? Do staff know the process for reporting an incident?

31 Threat #4: Insider, Accidental or Intentional Data Loss
- Have staff been trained on (and do policies exist for): data access procedures; what can (and cannot) be shared via email; use of removable media (e.g., USB keys); the process for reporting a lost/stolen device, accidental disclosure, etc.?
- Have we tested staff understanding via social engineering and other simulations? When?
- Is our system set up to audit access to health record systems and sensitive data? If so, who reviews exceptions? When?
- What data loss prevention tools do we use? If none, why?
- Do we require strong/unique usernames and passwords? How frequently are users required to change their passwords?
- Do we use MFA (multi-factor authentication)? If not, why not?
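The "who reviews exceptions?" question assumes the audit trail is actually turned into something a reviewer can act on. As an added illustration (not from the HICP or this presentation), the following Python script builds a minimal exception report over a constructed EHR access audit log: it flags cross-unit record access, access outside business hours, record exports, and bulk access to many patients by one user in a day, then tallies exceptions per user. The log format, field names, unit names, the allowed cross-unit roles and the thresholds are all assumptions chosen for the example.

```python
"""Added example (not the HICP's or the presenter's own code): a minimal
exception report over a constructed EHR access audit log, of the kind a
reviewer would need to answer "who reviews exceptions, and when?".
Field layout, rules and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (whitespace separated):
# timestamp  user  user's unit  patient id  patient's unit  action
SAMPLE_LOG = """\
2019-04-01T09:12:00 nurse_a  cardiology P1001 cardiology view
2019-04-01T09:15:00 nurse_a  cardiology P1002 cardiology view
2019-04-01T02:40:00 nurse_a  cardiology P1003 cardiology view
2019-04-01T10:05:00 clerk_b  billing    P2001 oncology   view
2019-04-01T10:06:00 clerk_b  billing    P2002 oncology   export
2019-04-01T10:07:00 clerk_b  billing    P2003 oncology   export
2019-04-01T10:08:00 clerk_b  billing    P2004 oncology   export
2019-04-01T11:00:00 dr_c     oncology   P2001 oncology   view
"""

BUSINESS_HOURS = (7, 19)   # assumed 07:00-19:00 local time, end exclusive
BULK_THRESHOLD = 3         # assumed: more than 3 distinct patients/day is unusual
CROSS_UNIT_ALLOWED = {"emergency"}  # assumed roles allowed to read any unit's records


def parse_log(text):
    """Turn the raw log text into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, user_unit, patient, patient_unit, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "user_unit": user_unit,
            "patient": patient, "patient_unit": patient_unit,
            "action": action,
        })
    return records


def find_exceptions(records):
    """Return (when, user, subject, reason) tuples for a reviewer to work through."""
    exceptions = []
    per_user_day = defaultdict(set)
    for r in records:
        reasons = []
        if r["user_unit"] != r["patient_unit"] and r["user_unit"] not in CROSS_UNIT_ALLOWED:
            reasons.append("cross-unit access")
        if not (BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if r["action"] == "export":
            reasons.append("export of record")
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
        for reason in reasons:
            exceptions.append((r["ts"].isoformat(), r["user"], r["patient"], reason))
    # Volume check runs after the pass so it sees the whole day for each user.
    for (user, day), patients in per_user_day.items():
        if len(patients) > BULK_THRESHOLD:
            exceptions.append((day.isoformat(), user, f"{len(patients)} patients", "bulk access"))
    return exceptions


def exception_summary(records):
    """Count exceptions per user so the reviewer sees who needs follow-up first."""
    counts = defaultdict(int)
    for _, user, _, _ in find_exceptions(records):
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for e in find_exceptions(recs):
        print(*e, sep="\t")
    print(exception_summary(recs))
```

On the constructed log, the billing clerk's string of out-of-unit exports and the nurse's 02:40 access are what surface; the oncologist's in-unit daytime view does not. The point for a leader is that each rule corresponds to a policy decision (who may read across units, what counts as after hours, what volume is normal), and an exception report only has value if someone owns reviewing it on a schedule.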

32 Threat #5: Attacks Against Connected Medical Devices
- Do we know what connected medical devices are out there? In our facility? Used by our mobile workforce? In or with patients? Show me the inventory, and let's discuss how each category is managed.
- Who is responsible for patching and monitoring our connected medical devices? How are we handling ones that can't be updated?
- What is our protocol for notifying patients in the event of a compromise? And, vice versa? Have we communicated this well?
- Do we know how to contact the medical device manufacturer? Do they know how to contact us (e.g., to share vulnerabilities)?

33 Leading Cybersecurity
Ongoing oversight:
- Periodic cyber risk assessments
- Stay up to date with latest threats
- Model good cybersecurity hygiene
- Enforce policies
- Continuous end user training and validation of understanding
Have gaps? Manage remediation like a project:
- Prioritize
- Schedule, budget, scope .... and resources
- Status reports, risk and issue logs
- Defined end date

34 The Big Picture: HICP in Context
The 6 Health Care Industry Cybersecurity Imperatives:
1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity. [HICP falls under this imperative]
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, risks, & mitigations.
Source: Report on Improving Cybersecurity in the Health Care Industry, 2017

35 Where to find HICP?

36 Free Online Training Resources

38 Illuminar Consulting, Inc.
Services:
- Cybersecurity Risk Assessments
- Security Program Management as-a-service
- Security Awareness Program Design & Delivery
- Technology Governance & Risk Management
Web: illuminarconsulting.com
