Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health


Transcription:


Speaker Introduction
Tom Stafford, Vice President & CIO
Education:
- Bachelor of Science, Aerospace Engineering
- Master of Science, Mechanical Engineering
Career:
- United States Navy
- Medical Device Design and Manufacture
- Healthcare IT
IT Accolades:
- 10th Best Place to Work in IT 2015, Computerworld
- 2nd Best Place to Work in IT 2016, Computerworld
- 5th Best Place to Work in IT 2017, Computerworld
- 5th Best Place to Work in IT 2018, Computerworld
- Premier 100 Technology Leaders 2017, Computerworld
- Top 105 CIOs to Watch in 2018, Becker's Healthcare

Conflict of Interest
Tom Stafford, BSAE, MSME, has no real or apparent conflicts of interest to report.

Agenda
- Halifax Health
- Bad Actors and Healthcare
- What are we Protecting?
- Look back at 2018
- Look forward to 2019
- Governance
- Halifax's Philosophy: D3
- Anatomy of a Ransomware Attack
- How Strong are you?
- Let's be Collaborative

Learning Objectives
- Identify potential threats to cybersecurity and best practices to establish security, scrutiny, and authentication for access to PHI
- Evaluate effective cybersecurity measures and policies, including system-wide procedures, end user training, and use of technology
- Analyze strategies aimed at predicting and preventing cyber breaches
- Identify methods to ensure your cybersecurity insurance policy is effective and senior leadership is prepared prior to being breached or ransomed

About Halifax Health
Halifax Health Medical Center, Daytona Beach
- Opened in 1928
- 600 beds
- More than 500 physicians, representing 54 subspecialties
Halifax Health - Medical Center of Port Orange
- Opened in 2006
- 80 bed community hospital
- 20 bed emergency department
- 8 bed intensive care unit

Bad Actors and Healthcare
Who are the Bad Actors?
- Financially Motivated Cybercriminals
- Hacktivists
- Hackers for Hire: RaaS
- Nation State supported Actors
- Malicious Insider
How do they Attack?
- Social Engineering
- Network Vulnerabilities
- Misuse of Credentials
- Physical Penetration

Bad Actors and Healthcare
Why do they attack Healthcare? We are valuable low-hanging fruit.
- The Health Record includes identity and other valuable information
- Data doesn't change: medical history is accurate for a lifetime
- Healthcare is easier to hack: interoperability requirements
- Great delays between the breach and determining there was one
- The Electronic Health Record is vital to patient care and operations
- Data is used for identity theft, false claims, medical research trends, medical equipment and drug purchases

What are we Protecting?
- Patient Records (ex. ePHI)
- Research Data (ex. cancer treatment IP)
- Employee Sensitive Information (ex. PII)
- Business plans (ex. bids, acquisition targets)
- Payment Card Information
- Medical Treatment Devices (ex. insulin pumps, imaging)
- Contracts (ex. with customers, suppliers, distributors)
- Employee log-in credentials
- Physician Compensation
- Clinical Studies Data

Look back at 2018
- Tight Budgets and Lack of Resources
- Email: Friend or Foe
- Ransomware on the Decline, Crypto-mining on the Incline
- IoT Security (Including Biomed)
- Breaches are Back
- Blockchain
- GDPR

Look forward to 2019
- Collective Call to Action
- Ransomware, Crypto-mining, and Breaches
- Patient Safety needs Cyber Safety
- IoT, the dreaded XP Biomed Devices
- More Cloud
- Interoperability, APIs, and AI

Governance & Executive Involvement
- Board
- C-Suite
- Executive Approval, Knowing the Landscape
- Incident Response Team Members

Halifax's Security Philosophy: D3
- Deterrents
- Detection
- Deception
- 3rd Party Assurance

Deterrents? What about Defenses?
The number one deterrent? The User.
Assisting the User:
- Training and Testing
- Education, Education, Education
- External Source warning in emails
- Fake Phishing Tests
Technology Controls:
- Block Webmail
- Block Malicious Sites
- USB Privileges
- External Storage Privileges
- Local Admin Rights Privileges
- Two-Factor

Fake Phishing Email Tests: 1.0% click rate on a test sent to 4,573 users.

Ransomware Threat and Deterrent Chain
IT Security is based on monitoring attack vectors and having deterrent chains in front of the data that is to be wiped, ransomed, or breached.
Attack Vector: Zero Day Ransomware attachment in phishing email
Legend: Deterrents / Hacker's Actions / Halifax Reactions
1. Email Sent
2. External Firewall (does not detect)
3. Team Member Clicks on Attachment
4. Cloud Based Scan (attachment opened in cloud, does not detect)
5. Anti-Virus (does not detect)
6. Patched Servers (Biomed servers not patched)
7. Obtain Domain Account Access
8. Hackers own the flat network
9. Last Deterrent: Network Segmentation
10. Last Mitigation: Air Gapped Backup

Biomed Devices on the Halifax Data Network (diagram slide; image not reproduced in the transcription)

Let's Talk about Biomed
Why are they vulnerable? The devices last longer than the available support for the operating system, or the vendor will not patch the systems since they are FDA Class 2/3 devices.
WannaCry, HHS, and the FDA...
- Notify customers within 30 days after a vulnerability is found
- Patch within 60 days
- Manufacturers are not there yet

Let's Talk about Biomed and IoT
How do we reduce the risk?
New Devices:
- Do not demo or purchase new devices that have outdated Operating Systems and/or whose manufacturer will not allow the device to be patched.
- Updated bid spec to include Halifax Health's IT and Biomed Specifications:

Let's Talk about Biomed and IoT
How do we reduce the risk?
Existing Devices:
- Vulnerability scans will help determine what needs to be patched
- Work with Biomed and other departments to determine the type/location of devices
- Work with the vendors for them to patch the devices or to allow IT to patch the devices
- If they cannot be patched, bury the devices (micro-segmentation) behind the Internal Firewall prior to having them replaced with a non-vulnerable device

Detection and Deception
Detection (SIEMs):
- User Behavior
- Machine, Biomed, IoT Behavior
- Network Penetration
Deception:
- Honey pots
- Domain Account Verification
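The slide pairs SIEM behavior monitoring with decoy domain accounts but does not show what a rule looks like, so the following is an added illustration, not material from the presentation or Halifax Health. It assumes a SIEM exports logon events as whitespace-separated "timestamp user host result" lines; the decoy account names, host names and log lines are constructed.

```python
"""Decoy-account and user-behavior checks over exported logon events.

Added example. The account names, hosts and log lines are constructed
for illustration; adapt parse_events() to your SIEM's export format.
"""
from collections import defaultdict

# Constructed decoy ("honey") domain accounts: created deliberately, never
# assigned to a person or service, so ANY authentication attempt against
# them (success or failure) is a high-confidence alert.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_biomed_old"}

# Constructed sample export: timestamp, account, source host, result.
SAMPLE_LOG = """\
2019-02-11T08:01:10 jsmith WS-RAD-12 success
2019-02-11T08:03:42 jsmith WS-RAD-12 success
2019-02-11T09:15:05 svc_backup_legacy WS-RAD-12 failure
2019-02-11T09:15:09 svc_backup_legacy BIOMED-CT-03 success
2019-02-11T10:40:00 jsmith BIOMED-CT-03 success
"""


def parse_events(text):
    """Turn the export into dicts; one malformed line is a bug, so let it raise."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        events.append({"ts": ts, "user": user, "host": host, "result": result})
    return events


def detect(events, decoys=DECOY_ACCOUNTS, baseline_hosts=None):
    """Return (rule, user, host, timestamp) alerts.

    Rule 1: any use of a decoy account.
    Rule 2: a successful logon from a host not yet seen for that user,
            once the user has a baseline (from baseline_hosts or earlier events).
    """
    seen = defaultdict(set)
    for user, hosts in (baseline_hosts or {}).items():
        seen[user].update(hosts)
    alerts = []
    for e in events:
        if e["user"] in decoys:
            alerts.append(("DECOY_ACCOUNT_USED", e["user"], e["host"], e["ts"]))
        elif e["result"] == "success" and e["host"] not in seen[e["user"]]:
            if seen[e["user"]]:  # first sighting only builds the baseline
                alerts.append(("NEW_HOST_FOR_USER", e["user"], e["host"], e["ts"]))
            seen[e["user"]].add(e["host"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(*alert)
```

The decoy rule needs no baseline and fires on the first touch, which is what makes it worth wiring to a paged alert; the new-host rule is noisier and is better fed from a learned baseline than from the same day's events.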

3rd Party (Digital Traders) Assurance
- Don't be their Target
- Does anyone know what Fazio Mechanical Systems did?
- A BAA is not enough for Healthcare
- You are only as strong as your weakest link

Understanding your Digital Traders
- Map your existing digital traders
- Create controls so you are aware of new Digital Traders
- Beyond the BAA: Contractual Requirements
- Quantify their Security Posture
- Audit Them
- Do not allow them to dictate how they access your system
- Require Two-Factor Authentication

Anatomy of a Ransomware Attack
- The Hack
- The Crash
- Cyber Insurance
- External Counsel
- To Bitcoin or Not
- Recovery
Key takeaways:
- Hospital Incident
- Know your Cyber Insurance Plan
- Executive Table Top Exercises
- DR/BD Documents and Logs

How Strong are you?
Two ways to test this:
1. Do not: you only know if you fail, and CIO will have a whole new meaning (Career Is Over)
2. Ethical Hacking and Penetration Testing

Let's be Collaborative!
- Standards Framework
- Passwords
- Two-Factor
- Webmail
- USB & External Storage
- Phishing
- BioMed
- Cyber Insurance
- Tabletop Exercises
- Quantitative 3rd Party Risk Assessments
- Ethical Hacking

Question 1: Which standards framework do you utilize?
1. NIST
2. HITRUST
3. Critical Security Controls
4. ISO

Question 2: Password Reset Duration?
1. 90 Days
2. 180 Days
3. 1 Year
4. Other

Question 3: Require Robust Passwords?
1. Yes
2. No

Question 4: Remote Two-Factor Authentication Utilization?
1. Employees, Physicians, Vendors
2. Employees, Physicians
3. Employees
4. None

Question 5: Webmail Blocking?
1. Yes
2. No

Question 6: Restrict USB Access?
1. Read
2. Write
3. Both
4. None

Question 7: Restrict Internet Based Storage?
1. Yes
2. No

Question 8: Conduct Fake Phishing tests?
1. Yes
2. No

Question 9: Vulnerable Biomed devices location?
1. Yes
2. No

Question 10: Do you have Cyber Insurance?
1. Yes
2. No
3. Don't Know

Question 11: Do you know how to contact your Insurer?
1. Yes
2. No

Question 12: Do you conduct tabletop exercises?
1. Senior Leadership
2. IT Staff
3. Both
4. None

Question 13: Do you have quantitative 3rd Party RAs?
1. Yes
2. No

Question 14: Conduct Ethical Hacking Tests?
1. Once
2. Annually
3. Bi-Annually
4. Never

Questions
Tom Stafford
tom.stafford@halifax.org
386-425-7309
https://www.linkedin.com/in/tom-stafford-8a69927