Cybersecurity for Health Care Providers

Similar documents
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Why you should adopt the NIST Cybersecurity Framework

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Business continuity management and cyber resiliency

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Cybersecurity, safety and resilience - Airline perspective

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Keys to a more secure data environment

Framework for Improving Critical Infrastructure Cybersecurity

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

NW NATURAL CYBER SECURITY 2016.JUNE.16

Table of Contents. Sample

Addressing the elephant in the operating room: a look at medical device security programs

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Emerging Issues: Cybersecurity. Directors College 2015

NCSF Foundation Certification

Medical Device Cybersecurity: FDA Perspective

FDA & Medical Device Cybersecurity

Chapter X Security Performance Metrics

The NIST Cybersecurity Framework

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

CYBER RESILIENCE & INCIDENT RESPONSE

Cyber Risk in the Marine Transportation System

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Overview of the Cybersecurity Framework

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

[Attachment Below] Hello Gregory - please find Waterfall's comments on the draft NIST framework attached. Thank you for the opportunity to comment.

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Information Technology General Control Review

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

Gujarat Forensic Sciences University

Developing a Model for Cyber Security Maturity Assessment

Quadrennial Homeland Security Review (QHSR) Ensuring Resilience to Disasters

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Practical Guide to the FDA s Postmarket Cybersecurity Guidance

Cyber Hygiene: A Baseline Set of Practices

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

CHIME and AEHIS Cybersecurity Survey. October 2016

MITIGATE CYBER ATTACK RISK

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Healthcare HIPAA and Cybersecurity Update

Sage Data Security Services Directory

BUSINESS CONTINUITY MANAGEMENT

Securing an IT. Governance, Risk. Management, and Audit

Heavy Vehicle Cyber Security Bulletin

The Cyber War on Small Business

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

External Supplier Control Obligations. Cyber Security

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

Continuous protection to reduce risk and maintain production availability

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

The NIS Directive and Cybersecurity in

Cybersecurity and the Board of Directors

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Improving Cybersecurity through the use of the Cybersecurity Framework

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

K12 Cybersecurity Roadmap

Brussels. Cyber Resiliency Minimizing the impact of breaches on business continuity. Jean-Michel Lamby Associate Partner - IBM Security

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

DeMystifying Data Breaches and Information Security Compliance

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Incident Response Table Tops

Cybersecurity Survey Results

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Cyber risk management into the ISM Code

Security and Privacy Governance Program Guidelines

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

INTELLIGENCE DRIVEN GRC FOR SECURITY

Information Security Policy

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

June 5, 2018 Independence, Ohio

SWIFT Customer Security Programme

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Designing and Building a Cybersecurity Program

Cyber Security Program

Information Governance Incident Reporting Policy

NEN The Education Network

National Preparedness System (NPS) Kathleen Fox, Acting Assistant Administrator National Preparedness Directorate, FEMA April 27, 2015

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Transcription:

Cybersecurity for Health Care Providers Montgomery County Medical Society Provider Meeting February 28, 2017 T h e MARYLAND HEALTH CARE COMMISSION

Overview Cybersecurity defined Cyber-Threats Today Impact of Cybersecurity to Health Care Protecting Against Cyber-Attacks Overview of the Maryland Health Care Commission (MHCC) Cybersecurity Self- Assessment Tool (tool) Use of the tool Review of the tool and feedback discussion 2

Cybersecurity The technology, processes, and practices that protect networks, computers, programs, and data from attack, damage, or unauthorized access Requires coordination of many different elements, including: Securing all networks, information, and health information technology (IT) system(s); Disaster recovery and business continuity planning; and End-user education 3

Cyber-threats Today Technology is no longer limited to the home or office and has been increasingly integrated into our everyday lives Cyber-risk landscape is constantly changing making cybersecurity a challenge There are two main types of approaches hackers can use to initiate a cyber-attack External: Initiated from outside the network, such as a malware delivery through a phishing attempt or web server hacks, to execute a computer intrusion Internal: Initiated through the action of a willing or unknowing person, such as inserting a flash drive into a computer 4

Impact to Health Care Cyber-attackers are increasingly targeting health care Puts at risk patient information, intellectual property, sensitive business information, operational dependencies, and the practice s reputation Patient records are worth more on the black market than a social security number because they are a one stop shop of information desired by hackers Damage from a stolen record can take years to repair Other devices can also be attacked to gain access to the practice s network A hacker can gain control of networked medical devices, such as insulin pumps and blood pressure machines, and use this to navigate through the network to access other devices, such as computers. 5

Protecting against Cyber-attacks The health care sector is slow to detect fraud, unlike the financial sector that can quickly detect fraud and block compromised data accessed Implementing cybersecurity best practice safeguards is complex, which can put a burden on providers with limited resources A key step for providers to take to protect against a cyber-attack is to assess existing processes and procedures to identify gaps in cybersecurity Providers can develop processes to address existing gaps to protect against and mitigate the effects of a cyber-attack Ongoing assessments helps providers evaluate progress in developing processes to address gaps, as well as continuously assess the adequacy of processes to protect against new cyber-threats 6

Cybersecurity Self-Assessment Tool The Cybersecurity Self-Assessment Tool (tool) was developed by MHCC with stakeholder input to assist providers in assessing their practice s cybersecurity processes Helps providers gain an understanding of their overall cybersecurity readiness and provides an overview of a practice s cybersecurity environment Uses industry standards and best practices outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Addresses five core functions, Identify, Protect, Detect, Respond, and Recover, identified through a collaboration of industry experts to be in line with existing industry standards, guidelines, and practices for addressing cybersecurity 7

How the Tool Can Help Your Practice Assist providers in strengthening their IT system(s) Use results to inform work in developing cybersecurity protections by Identifying gaps in the current cybersecurity environment Modifying existing cybersecurity processes Developing and implementing best practices to protect health information that is stored, transmitted, or maintained electronically 8

How to use the Tool Select the answer choice that reflects the practice s readiness to establish and implement the cybersecurity processes for each of the following items: Informal: No formal processes exist Developing: Formal processes are in development Established: Formal processes that are standardized throughout the practice have been established N/A: Not applicable to the practice 9

Scoring Responses for each section are tabulated A Readiness Percent score is calculated by dividing the number established by the total questions answered This number is then used as an indicator of the practice s overall readiness 10

Feedback on the tool We will walk through completing each of the sections of the tool Conduct an open group discussion after each section Aim to gain feedback on the utility of the tool and answer the following questions: How applicable is the information to your practice? Is the information easy to use and understand? Is the information helpful in assessing the cybersecurity environment at your practice? Does the scoring accurately reflect the level of cybersecurity readiness at your practice? 11

Identify: Helps a provider assess their systems, assets, data, business context, and resources to understand and manage cybersecurity risk in order to focus and prioritize development of cybersecurity processes. # Has established processes to: Readiness Informal Developing Established N/A 1 Determine the level of importance of assets, such as data, staff, devices, systems, and facilities, IT system(s) and manages these systems in a manner consistent with the level of importance 2 3 4 Prioritize the practice s activities and workflows to inform cybersecurity roles, responsibilities, and risk decisions Manage and monitor IT system(s) operational, environmental, and regulatory requirements to inform and manage cybersecurity risk Identify, document, and evaluate IT system(s) vulnerabilities, internal and external threats, and business impacts on operations 5 Identify IT system(s) priorities, constraints, risk tolerances, and assumptions, and use this to support risk decisions 12

Protect: Provides the framework for providers to develop and implement the appropriate safeguards to limit or contain the potential impact of an IT system(s) cybersecurity event. # Has established processes to: Readiness Informal Developing Established N/A 1 2 Limit access to IT system(s) and facilities to authorized users, devices, activities, and transactions Educate and train staff on cybersecurity awareness necessary to perform information security related duties 3 Manage IT system(s) data to protect confidentiality, integrity, and availability of electronic protected health information 4 Develop and maintain IT system(s) security policies, processes, and procedures to adequately protect IT system(s) 5 6 Conduct and document all manufacturer recommended maintenance and repairs for IT system(s) Manage the security of IT system(s) through the establishment of standardized policies, procedures, and agreements 13

Detect: Assist the practice to perform an assessment of processes to rapidly identify an IT system(s) cybersecurity event, test detection processes, analyze data to understand cybersecurity attack targets and methods, and utilize assessment results to inform improvements to practice processes. Readiness # Has established processes to: Informal Developing Established N/A 1 Detect unusual activity in the IT system(s) in a timely manner, analyze the potential impact(s) of a cyber event, and establish incident alert levels 2 Routinely monitor IT system(s), the physical environment, and staff to identify potential cybersecurity events 3 Assess IT system(s) to detect unusual events in a timely and appropriate manner, and take the necessary action to minimize risks of any unusual event(s) 14

Respond: Assists providers containing the impact of a potential IT system(s) cybersecurity event by assessing the current processes in place to respond to a detected IT system(s) cybersecurity event. # Has established processes to: Readiness Informal Developing Established N/A 1 Respond to detected IT system(s) cybersecurity events in a timely manner 2 Coordinate IT system(s) cybersecurity response activities with internal and external stakeholders, including training of staff, reporting of events, sharing of information, and coordinating with stakeholders as necessary 3 4 5 Analyze and categorize IT system(s) cybersecurity response activities to ensure appropriateness and the ability to support recovery Contain, reduce the effects of, and eliminate an IT system(s) cybersecurity event Make improvements to existing IT system(s) cybersecurity response processes through the application of lessons learned from detection and response activities 15

Recover: Supports providers in rapidly recovering and mitigating the impact of an IT system(s) cybersecurity event by assessing the processes to support restoration of services impacted during an IT system(s) cybersecurity event. # Has established processes to: Readiness Informal Developing Established N/A 1 Recover from cybersecurity events to ensure IT system(s) are restored in a timely manner 2 Incorporate lessons learned from an IT system(s) cybersecurity event into the operations and update recovery plans 3 Coordinate IT system(s) restoration activities with internal and external parties as deemed appropriate by the provider 16

Thank You! For more information or questions please contact: Justine Springer justine.springer@maryland.gov 410-764-3777 The MARYLAND HEALTH CARE COMMISSION

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback