Biomedical Device Security: New Challenges and Opportunities. Florence D. Hudson, Senior Vice President and Chief Innovation Officer, Internet2. June 22, 2015.
Slide 2: The evolution to today's reality in biomedical devices
- The number of connected devices is increasing, with the goal of improving patient care and creating efficiencies in the healthcare system
- Growing Bring Your Own Device (BYOD) paradigm for providers and patients
- Proprietary / closed devices and systems are assumed secure
- Inadequate teamwork between medical providers, device vendors, technology innovators, cybersecurity experts, insurance companies, regulators and patients to assess and address vulnerabilities
- ROI for improved security is not agreed across the ecosystem
- The rate of innovation is slow, and will continue to be unless we work as a Collaborative Innovation Community
Slide 3: Biomedical devices have inadequate security controls
"There is no such thing as a threat-proof medical device." Suzanne Schwartz, M.D., MBA, Director of Emergency Preparedness/Operations and Medical Countermeasures at the FDA Center for Devices and Radiological Health, October 2014
FDA areas of concern about cybersecurity vulnerabilities:
- Malware infections on network-connected medical devices or computers
- Smartphones and tablets used to access patient data (BYOD)
- Unsecured or uncontrolled distribution of passwords
- Failure to provide timely security software updates and updates to medical devices and networks
Slide 4: FDA recommendations for management of cybersecurity in medical devices
- Cybersecurity is the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.
- Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.
- Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may result in patient illness, injury, or death.
- FDA recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices.
Slide 5: FDA recommendations for manufacturers to protect networked biomedical devices and patients
- Manufacturers should address cybersecurity during the design and development of the medical device; this can result in more robust and efficient mitigation of patient risks
- Establish a cybersecurity vulnerability and management approach as part of the software and hardware validation and risk assessment
- Address the following elements:
  - Identification of assets, threats, and vulnerabilities
  - Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
  - Assessment of the likelihood of a threat or vulnerability being exploited
  - Determination of risk levels and suitable mitigation strategies
Slide 6: FDA considerations regarding cybersecurity for biomedical devices
- Connected medical devices are more vulnerable to cybersecurity threats than devices not connected (wireless or hard-wired) to networks, the internet, or other devices
- The extent to which security controls are needed depends on a number of factors:
  - The device's intended use and environment of use
  - Presence and intent of electronic data interfaces
  - Type of cybersecurity vulnerabilities present
  - Likelihood the vulnerability will be exploited (intentionally or unintentionally)
  - Potential risk of patient harm due to a cybersecurity breach
- Balance cybersecurity safeguards against the usability of the device in its intended environment of use
- Ensure that the security controls are appropriate for the intended use case: home use vs. closely monitored health care facility use; patient use vs. health care provider use. For example, security controls should not unreasonably hinder access to a device intended to be used during an emergency situation.
Slide 7: FDA and NIST recommend a 5-step Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
Identify and Protect
- Limit access to identified, trusted users only
  - Multi-factor authentication (e.g., user ID and password, smartcard, biometric)
  - Layered authorization model, differentiating privileges based on the user role
  - Avoid hardcoded passwords or common words
  - Limit public access to passwords used for privileged device access
  - Automatic timed methods to terminate sessions and/or update passwords
  - Require user authentication before permitting software or firmware updates
- Ensure trusted content
  - Restrict software or firmware updates to only authenticated code
  - Use systematic procedures for authorized users to download version-identifiable software and firmware from the manufacturer
  - Ensure the capability of secure data transfer to and from the device; when appropriate, use encryption
Source: National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. Available at: final.pdf.
Slide 8: FDA and NIST recommend a 5-step Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
Detect, Respond, Recover
- Implement features that allow security compromises to be detected, recognized, logged, timed, and acted upon during normal use
- Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event
- Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised
- Provide methods for retention and recovery of device configuration by an authenticated privileged user
Source: National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. Available at: final.pdf.
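As an added example (not part of the slides, nor of any FDA or NIST document), the following Python sketch shows what the "Identify and Protect" and "Detect, Respond, Recover" items above look like in code on the device side: an update is accepted only from an authenticated user in the privileged role, only if the manufacturer's authentication tag over the version-identifiable manifest and the image verifies, only if it is not a rollback to an older version, and every decision is timed and written to an audit log. The device name, the role names, the package layout and the key are constructed; an HMAC from the standard library stands in for the public-key signature a real device would verify.

```python
# Added example, not from the slides: a firmware-update gate covering the
# "Identify and Protect" and "Detect, Respond, Recover" items.
# Everything here is constructed: the device, the key and the update package.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed key. A real device would hold the manufacturer's *public* key in
# immutable storage and verify a signature; an HMAC stands in for that here so
# the example runs with the standard library only.
MANUFACTURER_KEY = b"constructed-manufacturer-key-not-a-real-secret"


@dataclass
class DeviceState:
    product: str = "example-infusion-pump"      # constructed product name
    version: tuple = (2, 0, 0)
    audit_log: list = field(default_factory=list)


@dataclass
class Session:
    user: str
    role: str                # constructed roles: "clinician" or "biomed_admin"
    authenticated: bool      # True only after (multi-factor) login succeeded


def parse_version(text):
    """'2.1.0' -> (2, 1, 0); tuples compare component-wise for rollback checks."""
    return tuple(int(part) for part in text.split("."))


def build_package(product, version, image, key=MANUFACTURER_KEY):
    """Manufacturer side: a version-identifiable manifest plus the image,
    authenticated together so neither can be swapped independently."""
    manifest = json.dumps(
        {"product": product, "version": version,
         "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True).encode()
    tag = hmac.new(key, manifest + image, hashlib.sha256).digest()
    return {"manifest": manifest, "image": image, "tag": tag}


def _log(state, event, **detail):
    # Detect: every decision is logged and timed so compromises can be acted on.
    state.audit_log.append({"ts": time.time(), "event": event, **detail})


def apply_update(state, session, package, key=MANUFACTURER_KEY):
    """Device side. Returns (accepted, reason) and records the decision."""
    # Protect: require an authenticated user holding the privileged role.
    if not session.authenticated or session.role != "biomed_admin":
        _log(state, "update_rejected", reason="unauthorized", user=session.user)
        return False, "unauthorized"

    manifest, image, tag = package["manifest"], package["image"], package["tag"]
    # Ensure trusted content: constant-time check of the MAC over manifest+image.
    expected = hmac.new(key, manifest + image, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        _log(state, "update_rejected", reason="bad_signature", user=session.user)
        return False, "bad_signature"

    meta = json.loads(manifest)
    if meta["product"] != state.product:
        _log(state, "update_rejected", reason="wrong_product", user=session.user)
        return False, "wrong_product"

    # Version-identifiable code: refuse downgrades to versions with known issues.
    new_version = parse_version(meta["version"])
    if new_version <= state.version:
        _log(state, "update_rejected", reason="rollback", user=session.user,
             offered=meta["version"])
        return False, "rollback"

    state.version = new_version
    _log(state, "update_applied", version=meta["version"], user=session.user)
    return True, "applied"


if __name__ == "__main__":
    device = DeviceState()
    admin = Session("biomed.tech", "biomed_admin", authenticated=True)
    good = build_package(device.product, "2.1.0", b"constructed firmware image")
    print(apply_update(device, admin, good))          # (True, 'applied')
    tampered = dict(good, image=b"constructed firmware image, altered")
    print(apply_update(device, admin, tampered))      # (False, 'bad_signature')
    for entry in device.audit_log:
        print(entry)
```

Two details carry most of the weight: the comparison is constant-time, so a tag check cannot be probed byte by byte, and the manifest and image are authenticated as one unit, so a genuine manifest cannot be paired with a different image. The audit log is what the "Detect" half of the framework asks for: the rejected attempts are as important to record as the applied updates.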
Slide 9: Start today to identify and address the risks and challenges to overcome to provide improved connected healthcare
Considerations and potential actions:
- Security / privacy: design in security and privacy from the beginning for devices and applications; use federated identity and multi-factor authentication
- Cultural transformation: engage patients and providers in development of the devices and solutions; focus on user experience
- Data quality: systematic data analysis and cleansing
- Integrating data from various systems to get a complete picture: use connectors and translators to integrate multiple data formats and protocols
- Ownership, collection, use and sharing of data: develop and deploy enterprise data policy; comply with regulatory policy
- Incorporating new types of sensors / devices: develop an extensible architecture to incorporate future data / sensor types
Source:
Slide 10: We must work together across the healthcare and technology ecosystem to improve device security
- Assess and understand the risks
  - Threat vectors
  - Malicious and inadvertent security/safety issues
  - Singular and extended risks
- Work as a Collaborative Innovation Community (CIC) to improve security
  - The CIC should include medical providers, device vendors, technology innovators, insurance companies, regulators, and patients
  - Start with an assessment of device security, privacy, and safety risks
  - Agree ROI for improved security needs based on device / use case
Slide 11: Medical devices could be classified by Trust, Identity, Privacy and Security (TIPS) requirements
- Classify the TIPS requirement level by use case / device type
  - Low TIPS requirements: e.g., FitBit, wearable IoT-connected clothing
  - High TIPS requirements: e.g., insulin pump, heart device
- Work with biomedical device vendors to develop optimized security based on use case and cost to reduce risk
- Security can be addressed at various levels in a biomedical device. Based on the low or high TIPS requirements, one or multiple levels of security and privacy can be developed:
  - Service level
  - Software level
  - Firmware level
  - Hardware level
- Service-level security is fastest to deploy, followed by software; firmware- and hardware-level security take more time to bake into the device
Medical Device Security in a Connected World
Debra Bruemmer, Manager of Clinical Information Security
2014 MFMER slide-12
Slide 13: Topics
- Mayo Clinic overview: organization and service lines
- What 2 years of medical device security research gets you
- Fixing the device ecosystem
- Final thoughts
Slide 14: Mayo Clinic overview
- Provides patient care, education and research
  - 65,000 employees
  - 4,100 employed physicians and scientists
  - 3,500 residents and students
  - Large group practices in MN, AZ, FL, WI with 70 smaller sites
  - Over 1 million patients per year
- Technology dependent
  - Paperless patient care
  - Interconnected systems and devices
  - ~230,000 active IP addresses
- Unique in that we have:
  - High-profile patients (in the press: Middle East leaders, United States Presidents, foreign dignitaries, sports figures, etc.)
  - Significant intellectual property assets
  - Classified research
Slide 15: Mayo Clinic overview
- Mayo Clinic decided to dramatically increase its security posture
  - Brought in an external CISO and formed an Information Security Department
- Reviewed the surface area of the environment
  - ~10,000 Windows servers
  - ~2,000 Linux servers
  - ~80,000 workstations
  - ~20,000 networked medical devices
- Found that a significant number of devices on the network were not IT managed
- Formed a new team focused on medical device security
Slide 16: Clinical Information Security Division (organization and service lines)
- Director of CIS
- Manager, Medical Devices
- Principal Security Analyst: Environmental, Facilities & Clinical Support Systems
- Principal Security Analyst: Operational & Pre-Purchase
- Principal Security Analyst
- Principal Security Engineer
- Senior Security Analyst
- Security Analyst (2)
Slide 17: Mayo Clinic philosophy
- Incorporate security into the procurement process
  - RFP questions and standard security contract language
  - Practice drives the purchase decision; security enables secure execution
- Test medical devices; do not wait for the vendors to identify and address issues
  - Document and share test findings with the vendor
  - Outline actions and a timeline to address findings
  - Prefer collaboration vs. public disclosure
- Goal: partner with our vendors to have a safe outcome for our patients; this includes assisting vendors in providing us with a secure product
- Benefit society by using Mayo Clinic's influence
  - Require that changes made are put into the standard product
  - Drive changes for long-term vendor process improvements
Slide 18: What you learn from 2 years of medical device security research and management
Slide 19: Vendor situations
- Most are engaged and trying to catch up
- Struggling to change internal culture and build security awareness
  - Think of themselves as device manufacturers, not software developers
  - No one has a full understanding of how everything works together
  - Engineers and product designers really love their software and are proud of it; they don't take well to calling their baby ugly
  - Interactions with sales and product managers tend to be unproductive
  - Executives understand the company/brand impacts (thanks to Target)
Slide 20: Vendor situations
- Poor processes for development, testing, and support
  - Lack coding standards with security tollgates
  - Lack hardened configuration standards
  - Lack testing processes and tools (vulnerability scanning, fuzz testing, and penetration testing)
  - Lack mature processes to apply updates and patches across the install base
- Vendor responses
  - Initial reaction is guarded
  - Follow-up meetings have been more productive
  - Remediation timelines are prolonged (~88% of issues are vendor owned)
  - Significant support process implications
Slide 21: Incorporate security language into procurement contracts
- Product development and specifications
  - Security standards/processes are adhered to during development
  - Testing processes and tools meet industry standards
- Written security program
  - Consistent with industry standards
  - Reflects business size, product, and data stored or accessed
  - Provide audit logs in electronic format
  - Test security program key controls, systems and procedures (yearly)
  - Produce system and security logs in a standard exportable format
  - Secure user authentication protocols and access control measures
  - Education and training of employees
  - Periodic reviews
Slide 22: Incorporate security language into procurement contracts
- Perform vulnerability assessment on all products
  - Meets the "CWE/SANS Top 25" and/or "OWASP Top 10"
  - Performed by vendor, Mayo or an agreed-upon 3rd party
- AV and patching
  - Support use of commercial AV and receipt of regular signature updates
  - All software or firmware updates are restricted to authenticated code
  - Validated updates and patches for all products (i.e. commercial applications, operating systems) will be provided within 30 days of release
- Post installation
  - Document required ports and services
  - Remove software and installation media not required for the product
  - Disable ports, services and drives not required for use
- Financial responsibilities (future findings or breaches)
Slide 23: Incorporate security language into procurement contracts
- Passwords
  - All vendor-used passwords are made unique to Mayo Clinic and changed every 90 days
  - Complex (> 14 characters, alphanumeric, upper/lower case, and symbols)
  - No hardcoded passwords
  - User credentials or passwords will not be stored or transmitted in clear text
- Encryption
  - Communication is encrypted between devices (i.e. servers, monitors, computers)
  - Wireless communication will meet the current industry standard
- Administrative privileges
  - Limit accounts requiring administrative privileges
  - No application / service / communication process requires admin privilege
- Incident response process
  - Reported to Mayo within 30 days of identification
  - Identify the supplier's mitigation/response plan, including timeframe
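An added example, not from the Mayo Clinic material: a small Python checker that turns the password, encryption and administrative-privilege clauses above into tests over a device's account and service configuration, the kind of check a pre-purchase review could run on a vendor-supplied configuration export. The configuration format and the device it describes are constructed; the 90-day age, the more-than-14-character rule and the character classes come from the slide, while treating WPA2 as the "current industry standard" for wireless is an assumption of the example.

```python
# Added example (not from the slides): checks a device's account/service
# configuration against the contract clauses above. The configuration format
# and the device described are constructed for illustration.
import string
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # "changed every 90 days"
MIN_PASSWORD_LEN = 15                   # "> 14 characters"
# Assumption of this example: WPA2 is taken as the "current industry standard".
APPROVED_WIRELESS = {"WPA2-Enterprise", "WPA2-PSK"}
PRIVILEGED_IDENTITIES = {"root", "SYSTEM", "Administrator"}


def password_meets_policy(pw):
    """> 14 chars, containing upper, lower, digit and symbol characters."""
    return (len(pw) >= MIN_PASSWORD_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def check_device_config(cfg, today):
    """Return (finding_code, subject) tuples; an empty list means compliant.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for acct in cfg["accounts"]:
        name = acct["name"]
        if "password" in acct:            # credential present in clear text
            findings.append(("PW_CLEARTEXT", name))
            if not password_meets_policy(acct["password"]):
                findings.append(("PW_WEAK", name))
        if acct.get("vendor_default"):    # same password at every customer
            findings.append(("PW_DEFAULT", name))
        changed = date.fromisoformat(acct["last_changed"])
        if today - changed > MAX_PASSWORD_AGE:
            findings.append(("PW_STALE", name))
        if acct.get("admin"):             # listed so the count can be minimised
            findings.append(("ADMIN_ACCOUNT", name))
    for svc in cfg["services"]:
        if svc.get("runs_as") in PRIVILEGED_IDENTITIES:
            findings.append(("SVC_ADMIN", svc["name"]))
        if not svc.get("tls", False):     # device-to-device traffic must be encrypted
            findings.append(("SVC_UNENCRYPTED", svc["name"]))
    wireless = cfg.get("wireless")
    if wireless and wireless.get("mode") not in APPROVED_WIRELESS:
        findings.append(("WIFI_WEAK", wireless.get("mode")))
    return findings


# Constructed configuration of a hypothetical device, as a vendor might export it.
DEVICE_CONFIG = {
    "accounts": [
        {"name": "service", "password": "Vendor123", "last_changed": "2014-01-10",
         "admin": True, "vendor_default": True},
        {"name": "biomed", "password_hash": "pbkdf2-sha256$constructed-placeholder",
         "last_changed": "2014-10-15", "admin": False},
    ],
    "services": [
        {"name": "hl7-export", "runs_as": "root", "tls": False},
        {"name": "pump-telemetry", "runs_as": "pumpsvc", "tls": True},
    ],
    "wireless": {"mode": "WEP"},
}

if __name__ == "__main__":
    for code, subject in check_device_config(DEVICE_CONFIG, "2014-12-01"):
        print(f"{code:16} {subject}")
```

The findings are coded rather than free text so that they can be pasted into the vendor's remediation tracker and re-run at re-test; a configuration that produces an empty list is the contractual target, and any `PW_CLEARTEXT` or `SVC_ADMIN` finding maps directly to a clause the vendor has already signed.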
Slide 24: Focus security testing on risks
- Current production devices and systems
- Upgrades and new versions
- Pre-purchases
- Remediated devices
- Medical devices AND clinical support systems (applications)
  - Infant protection system
  - Nurse call
  - Temperature monitoring
  - Etc.
Slide 25: Standard security testing process
- Focus on high-priority devices
  - Greatest potential to cause patient harm
  - Greatest potential to widely disrupt patient care processes
  - Clinical application
- Engage all stakeholders
  - Mayo (clinical users, Biomed, IT, Facilities)
  - Vendor
  - Equipment function
- Assess the whole device family
  - Follow the data flow to include points of testing: workstations, servers, and endpoint
  - Document demographic information, establish rules of engagement
- Conduct assessment via scanning, penetration testing, fuzz testing
- Testing outcomes drive remediation efforts
  - Network mitigations
  - Endpoint and system mitigations
  - Partnering with the vendor
Slide 26: Standard security testing process
- Timeline:
  - 3 weeks for test preparation
  - 3 weeks of testing
  - 3 weeks to document findings and write the report
  - Establish remediation timeline (Mayo/vendor)
- Data collection
  - Follow the data flow: workstations, servers, and endpoint
  - Document demographic information
  - Vendor or internal Mayo area supplies a non-production representative system to be used for testing
  - Clinical and support areas (Biomed, Facilities) are engaged to determine the rules of engagement that need to be followed and to identify the device family components
Slide 27: Standard security testing process
- Testing includes:
  - Operational security review
  - Vulnerability scanning using commercial and public scanners
  - Fuzz testing
  - Penetration testing simulating multiple attack scenarios
  - Reverse engineering and code review (subset of code)
  - Testers are provided network access to the system, the name of the product, and the IP address
- Testing outcomes and process
  - Generate a detailed vulnerability assessment report
  - Review the report with internal proponents
  - Review the report with the vendor
  - Outline and document actions (vendor and Mayo)
  - Track actions to closure
Slide 28: Standard security testing process
- Testing comprehensive report
  - List issues by high / medium / low severity
  - Complete details enable the vendor to reproduce the vulnerability
  - Include screen prints, video, scripts, etc.
- During the initial week of testing it is good to have a vendor rep on-site to provide feedback on severity and to understand the process and the vulnerabilities found
- Testing axiom: visibility, transparency, moral high ground
Slide 29: Security testing: system thinking
- No device lives in isolation; need to review the ecosystem a device lives in
- Many devices have control software that is vulnerable
- External access methods and processes require testing
- Map communication patterns to determine all possible threat vectors; test the whole chain
- End-user processes can thwart security measures
Slide 30: The device family concept is important
Includes everything needed to support the device and provide patient care:
- Devices
- Software
- Hardware
- Communication components
Slide 31: Security testing statistics
- Tested or reviewed ~30 device / system families
  - Infusion pumps and formulary systems (multiple brands)
  - CT
  - MRI
  - Infant abduction protection
  - Etc.
- Engaged 9 vendors in addressing findings
- Tested $100 million of pre-purchased equipment
- Finalized contracts with 3 vendors to include security language (Mayo Minimum Security Requirements)
Slide 32: Security testing and reviews: 2015 plan
- Timeline = 3 x 3 x 3 (based on history)
- Seeking vendor engagement
- Staff participation
- Equipment target = 15+ devices and systems
  - Discussion in process with multiple vendors
  - Retesting
- Meaningful pre-purchase security reviews
  - Integrate into clinical purchase decision-making processes
  - Clinical Equipment Integration Team
  - CPC Equipment Sub-committee
  - Radiology Equipment Committee
  - Etc.
Slide 33: Common medical device issues
- Operational security gaps
- Application vulnerabilities
- Configuration vulnerabilities
- Unpatched OS, middleware and commercial applications
- Lack of encryption
Slide 34: Operational security gaps
- Customer support web sites
  - Minimal or no user validation
  - Helpful documentation and software: technical service and user manuals, software / firmware downloads
- Internal technical documentation
  - Documents on intranets, servers and hard drives
- Publicly available information
  - Hardcoded and default passwords
  - Source code
  - Manuals, source code, diagrams, etc.
- Devices publicly available for purchase
  - Allows for reverse engineering
  - Testing platform for exploits
- Customer service social engineering
- Example auction listing: "Up for auction is this used Hospira Abbott PLUM A+ IV Infusion Pump. This powers up and initiates. It passed the self test."
Slide 35: Application vulnerabilities
- Generally fragile applications
  - Susceptible to denial of service attacks (small and large scale)
- No passwords, or passwords easily guessed or cracked
- Required to run with elevated privileges
- Use hardcoded passwords
- Publicly available user content and source code
- Unable to run simple anti-virus
- Vulnerable to a large number of known exploits
Slide 36: Configuration vulnerabilities
- Unneeded functionality left operational
- Unneeded files and applications left on systems
- Default users and passwords not removed or changed
- Security software disabled
- Default settings on software and hardware
- Old communication and transfer protocols
Slide 37: Unpatched software
- Running on older operating systems with no upgrade paths
  - Various versions of Windows (and DOS)
  - Multiple versions of Linux
  - Old proprietary systems
- Unpatched software and commercial applications with published exploits
- No, or resource-intensive, process for updates and patching
  - Sneaker-net upgrade processes
Slide 38: Lack of encryption
- PHI and PII stored unencrypted or with weak encryption
  - Ability to read and change patient data
  - DES, MD5, Base64
- Communication is unencrypted
  - Man-in-the-middle attacks
  - Emulation of monitoring devices: able to capture traffic and emulate devices
- Weak wireless encryption
  - WEP
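An added example that is not from the slides: a Python classifier for how a stored PHI/PII field is actually protected, catching the patterns above (clear text, Base64 passed off as encryption, weak algorithms such as DES or MD5) and the mislabelled case where a field the vendor documents as AES-encrypted turns out to decode to readable text. The records, the field names and the placeholder ciphertext are constructed; RC4 and SHA-1 in the weak list are additions beyond the algorithms the slide names.

```python
# Added example (not from the slides): classify how a stored PHI/PII field is
# really protected, looking at the bytes rather than trusting the label.
# All records below are constructed.
import base64
import binascii

# DES and MD5 come from the findings above; RC4 and SHA-1 are added as further
# algorithms a reviewer would not accept for protecting stored PHI.
WEAK_ALGORITHMS = {"DES", "MD5", "RC4", "SHA1"}


def looks_like_plaintext(data, threshold=0.95):
    """Heuristic: real ciphertext is byte-uniform; text is mostly printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def classify_stored_value(value, declared_algorithm):
    """Return one of: cleartext, encoded_only, weak_cipher, acceptable."""
    algo = (declared_algorithm or "").upper()
    if algo in {"", "NONE"}:
        return "cleartext"
    # Look past the label: if the value is valid Base64 that decodes to readable
    # text, it is encoded, not encrypted, whatever the documentation says.
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    if decoded is not None and looks_like_plaintext(decoded):
        return "encoded_only"
    # Not Base64 at all but readable: a field labelled encrypted that is not.
    # (Limitation: short values that happen to be valid Base64 are not caught.)
    if decoded is None and looks_like_plaintext(value.encode()):
        return "cleartext"
    if algo in WEAK_ALGORITHMS:
        return "weak_cipher"
    return "acceptable"


def audit_records(records):
    """records: list of {"field", "algorithm", "value"} -> {field: classification}."""
    return {r["field"]: classify_stored_value(r["value"], r["algorithm"])
            for r in records}


# Constructed stand-in for ciphertext: 32 non-printable bytes, deterministic.
CONSTRUCTED_CIPHERTEXT = bytes(range(128, 160))

SAMPLE_RECORDS = [
    {"field": "mrn", "algorithm": "none",
     "value": "MRN=12345; Name=Constructed Patient"},
    {"field": "diagnosis", "algorithm": "Base64",
     "value": base64.b64encode(b"Diagnosis: constructed example").decode()},
    {"field": "notes", "algorithm": "AES-256-GCM",   # mislabelled: decodes to text
     "value": base64.b64encode(b"Notes: mislabelled, actually plain").decode()},
    {"field": "address", "algorithm": "AES-128-CBC",  # mislabelled: raw text
     "value": "12 Constructed Street"},
    {"field": "ssn", "algorithm": "DES",
     "value": base64.b64encode(CONSTRUCTED_CIPHERTEXT).decode()},
    {"field": "insurance", "algorithm": "AES-256-GCM",
     "value": base64.b64encode(CONSTRUCTED_CIPHERTEXT).decode()},
    {"field": "pin_hash", "algorithm": "MD5",           # constructed placeholder digest
     "value": "0123456789abcdef0123456789abcdef"},
]

if __name__ == "__main__":
    for field_name, verdict in audit_records(SAMPLE_RECORDS).items():
        print(f"{field_name:10} {verdict}")
```

The point of decoding before trusting the label is the "ability to read and change patient data" finding: a reviewer who only reads the vendor's documentation would pass the `notes` and `address` fields, while the bytes show they are readable. The printable-fraction heuristic is deliberately simple; for a production audit a chi-square or entropy test over the decoded bytes gives a sharper separation between text and ciphertext.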
Slide 39: Fixing the medical device system
- Vendors
  - Design in security for living in a dangerous environment
  - Make devices easily and efficiently upgradable
  - Include security in testing
  - Follow security best practices
  - Review operational security
  - Think like they are out to get you!
- Providers
  - Implement defense in depth
  - Monitor for issues and compromises
  - Develop business continuity and incident response plans
  - Perform timely upgrades
  - Test equipment before patient care
  - Include contract language that requires security, testing and liability
  - Think like they are out to get you!
Slide 40: Fixing the medical device system
- Regulators
  - Have a prescriptive baseline for security
  - Provide a framework for best practice
  - Make cyber-security issues a mandatory reportable event
  - Revise issue submission and reporting to facilitate the entry and reporting of security issues
  - Regulatory actions for cyber-security issues
  - Exclusions in the DMCA for cyber-security testing
- Government security agencies
  - Implement a database of reported vulnerabilities
  - Provide intelligence on medical device issues and attacks
  - Investigations of issues and events
  - Security research
Slide 41: Lessons learned: decentralization and variety
- Risk increases with:
  - The number of groups purchasing devices
  - The number of groups supporting and maintaining devices
  - The diversity of operating systems, vendors, and software
- The ability to maintain a good inventory diminishes as the number of groups purchasing devices increases
- Business areas and departments like shiny new technology
Slide 42: Final thoughts
- The full medical device ecosystem is currently broken
- We will be living with this problem for at least a decade
- While vendors have a responsibility to fix their equipment, healthcare providers have a responsibility to protect patients
- The technology and knowledge exist to fix the problem, but it's not always a technology problem
- All healthcare organizations can and must take action; start small and mature your efforts
  - Educate yourself
  - Inventory and prioritize devices (engage Clinical, Biomed, and IT staff)
  - Talk with vendors
  - Incorporate contract language into procurement processes
  - Engage in industry efforts
  - Etc.
- Be prepared; it's only a matter of time
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationSage Data Security Services Directory
Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time
More informationThe National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne
The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne Schwartz, Assoc. Dir., CDRH, FDA Denise Anderson, MBA, President,
More informationDHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1
Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationCybersecurity for Health Care Providers
Cybersecurity for Health Care Providers Montgomery County Medical Society Provider Meeting February 28, 2017 T h e MARYLAND HEALTH CARE COMMISSION Overview Cybersecurity defined Cyber-Threats Today Impact
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationHow Breaches Really Happen
How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability
More informationTechnical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationProcurement Language for Supply Chain Cyber Assurance
Procurement Language for Supply Chain Cyber Assurance Procurement Language for Supply Chain Cyber Assurance Introduction For optimal viewing of this PDF, please view in Adobe Acrobat. This document serves
More informationCyber Security Requirements for Supply Chain. June 17, 2015
Cyber Security Requirements for Supply Chain June 17, 2015 Topics Cyber Threat Legislation and Regulation Nuts and Bolts of NEI 08-09 Nuclear Procurement EPRI Methodology for Procurement Something to think
More informationUPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA
UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA ljohnson@ffalaw.com INTRODUCTION Cyber attacks increasing Liability/actions resulting
More information2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification
2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification Presenters Jared Hamilton CISSP CCSK, CCSFP, MCSE:S Healthcare Cybersecurity Leader, Crowe Horwath Erika Del Giudice CISA, CRISC,
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More informationPOSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS
POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, 2017 14TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS 1 Fact vs. Myth Let s Play: Fact vs. Myth The FDA is the federal entity
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More information2015 HFMA What Healthcare Can Learn from the Banking Industry
2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationClinical Information Security Pre-Purchase Security Assessment Vendor Packet Instructions
Clinical Information Security Pre-Purchase Security Assessment Vendor Packet Instructions Executive Summary Mayo Clinic s primary value is The needs of the patient come first. It is built into our daily
More informationSOLUTION BRIEF Virtual CISO
SOLUTION BRIEF Virtual CISO programs that prepare you for tomorrow s threats today Organizations often find themselves in a vise between ever-evolving cyber threats and regulatory requirements that tighten
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationDOD Medical Device Cybersecurity Considerations
Enedina Guerrero, Acting Chief, Incident Mgmt. Section, Cyber Security Ops Branch 2015 Defense Health Information Technology Symposium DOD Medical Device Cybersecurity Considerations 1 DHA Vision A joint,
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationIT Vulnerabilities: What an IT Auditor Should be Thinking About
IT Vulnerabilities: What an IT Auditor Should be Thinking About Evolving in a Changing Landscape OCTOBER 23-25 HOTEL NIKKO - SF Agenda 1. About the Speaker 2. IT Vulnerability: The Term Defined 3. Identification
More informationLESSONS LEARNED IN SMART GRID CYBER SECURITY
LESSONS LEARNED IN SMART GRID CYBER SECURITY Lynda McGhie CISSP, CISM, CGEIT Quanta Technology Executive Advisor Smart Grid Cyber Security and Critical Infrastructure Protection lmcghie@quanta-technology.com
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationCompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]
s@lm@n CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ] Topic break down Topic No. of Questions Topic 1: Volume A 117 Topic 2: Volume B 122 Topic
More informationFFIEC Cyber Security Assessment Tool. Overview and Key Considerations
FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain
More informationTIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE
TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,
More informationEnsuring System Protection throughout the Operational Lifecycle
Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationDevice Discovery for Vulnerability Assessment: Automating the Handoff
Device Discovery for Vulnerability Assessment: Automating the Handoff O V E R V I E W While vulnerability assessment tools are widely believed to be very mature and approaching commodity status, they are
More informationCybersecurity Session IIA Conference 2018
www.pwc.com/me Cybersecurity Session IIA Conference 2018 Wael Fattouh Partner PwC Cybersecurity and Technology Risk PwC 2 There are only two types of companies: Those that have been hacked, and those that
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationTOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION
INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security
More informationSecurity and Privacy Breach Notification
Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains
More informationINFORMATION SECURITY-SECURITY INCIDENT RESPONSE
Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationCYBERSECURITY RISK LOWERING CHECKLIST
CYBERSECURITY RISK LOWERING CHECKLIST The risks from cybersecurity attacks, whether external or internal, continue to grow. Leaders must make thoughtful and informed decisions as to the level of risk they
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationTestBraindump. Latest test braindump, braindump actual test
TestBraindump http://www.testbraindump.com Latest test braindump, braindump actual test Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version : DEMO Get Latest & Valid
More informationForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.
Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationSession 77X Patient Safety Partnership: Predicting and Preventing Threats
Prepared for the Foundation of the American College of Healthcare Executives Session 77X Patient Safety Partnership: Predicting and Preventing Threats Presented by: Debra Bruemmer Athar Mirza Patient
More informationChoosing the Right Security Assessment
A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding
More informationContinuous protection to reduce risk and maintain production availability
Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationBoston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018
Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security BRANDEIS UNIVERSITY PROFESSOR ERICH SCHUMANN MAY 2018 1 Chinese military strategist Sun Tzu: Benchmark If you know your
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More information