Escalated Threats to PHI Require a New Approach to Privacy and Security Wednesday, March 2, 2016


Speakers:
- Kurt J. Long, CEO & Founder, FairWarning, Inc.
- Robert Rost, IT Operations Director of Defensive Services, IT Security, Banner Health
- Dave Summitt, Director of Cyber Security Operations, H. Lee Moffitt Cancer Center and Research Institute

Conflict of Interest
- Kurt J. Long: Has no real or apparent conflicts of interest to report.
- Robert Rost: Has no real or apparent conflicts of interest to report.
- Dave Summitt: Has no real or apparent conflicts of interest to report.

Agenda
- Profile escalating internal and external threats in healthcare
- Feature privacy and security program challenges
- Review how to create a multi-layered privacy and security program
- Customer perspectives

Learning Objectives
- Highlight the escalating threats to healthcare
- Illustrate how these new threats are changing the way care providers need to approach privacy and security
- Explain how to develop a coordinated threat detection and threat response program
- Spotlight how new tools like data visualization, trending and analytics identify data breaches

How Benefits Were Realized for the Value of Health IT
The risks to healthcare are escalating at a time when the industry is consolidating with the intent of reducing expenses in areas that are not directly related to patient care, like information security and privacy. Today's escalated information security threats, including compromised user credentials, advanced persistent threats and nation-state espionage, leave the entire healthcare industry vulnerable: patients, care institutions, physicians, clinicians and the vendors that serve the industry. Tomorrow's threats are still unknown. By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money. http://www.himss.org/valuesuite

Escalating Advanced Threats: Rise of Cyber Threats to the Healthcare Industry
(Timeline chart, Pre-2010 through 2015; threat categories listed from the most recent to the earliest.)
- Foreign national espionage
- IRS tax fraud
- Sale of patient data to crime rings
- Sale of employee data to crime rings
- Sale of physician data to crime rings
- Medical & financial ID theft
- Lost laptops, media, paper records
- Snooping
- Patient complaints

What would happen if your EHR was taken hostage?
- A real and growing threat to healthcare in 2016
- Attacks grew 113% in 2014, according to the 2015 Symantec Internet Threat Report
- Why EHR? The data is of high value, you need it, and you're likely to pay to get it back
- Doctors wouldn't have the vital information needed to treat patients
- Records of patient and insurance payments would be lost; patient personal and credit card information would be compromised
- HIPAA breach / OCR fines
- And so on

We are all patients, and the long-term effects of a PHI breach have yet to be realized
- 91% of healthcare organizations have had at least one data breach involving the loss or theft of patient data in the last two years (Source: Forbes, May 2015)
- As of November 2015, breaches had impacted 119,959,229 patients. That is well over one-third of all United States citizens who have had their information breached through the healthcare industry. (Source: Identity Theft Resource Center)

How long does it take to discover a breach?
On average, hackers had access to victims' environments for 205 days before they were discovered, and 69% of victims learned from a third party that they were compromised. (Source: Mandiant M-Trends 2015, "A View From the Front Lines" report)

Insider threats are still very real
Malicious:
- Co-worker, patient, neighbor & VIP snooping
- Fraud / medical ID theft / ID theft
- Inappropriate physician access
- Disgruntled employee
Compromised:
- User credentials compromised from an outside source
Negligent / accidental:
- Lost device
- Misuse of systems
- Log-in / log-out failures

External attacks are getting more sophisticated. Old tactics will no longer work.
- Advanced persistent threats (APTs)
- Spear phishing
- Malware
- Nation-state attacks
- Organized crime

How can you get ahead of a breach?
- Information security
- Data visualization
- Trending
- Analytics
- Finding the right talent, or using managed privacy & security services

Creating a multi-layered privacy and security program
Critical elements:
- Qualified and expertly trained privacy and security staff
- Proper, multi-layered, multi-vendor IT infrastructure leveraging best-of-breed security solutions
- Patient privacy monitoring using advanced technology
- Coordinated threat prevention/response framework
- Education programs that create a culture of privacy, security and compliance

Creating a modern threat prevention and response framework
(Diagram; Source: FireEye Solution Brief)

Managed Privacy & Security Services

A picture is worth a thousand rows of data
Data visualization & trending depict graphically what is happening to your data.
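The insider-threat slide above names co-worker and VIP snooping, and the program slides call for patient privacy monitoring and trending over access data. The following is an added example written for this page, not FairWarning's product logic or code from any of the speakers' organizations: it runs two simple detections over constructed EHR access-log records. The log format, the patient flags (employee, VIP), the "authorized departments" notion and the 3x-baseline spike threshold are all assumptions made for the example.

```python
"""Minimal patient-privacy monitoring pass over EHR access records.

Added example (constructed data, hypothetical log format). Two detections:
  1. snooping: an employee's or VIP's chart opened by a user whose department
     has no recorded care or business need for it;
  2. trending: a user whose daily chart-open count jumps to >= 3x their own
     mean over a baseline period.
"""
from collections import Counter, defaultdict

# Constructed sample access records: (user, department, patient_id, ISO timestamp).
# Invented for this example; not log lines from any real system.
ACCESS_LOG = [
    ("nurse01", "oncology",   "P100", "2016-03-01T09:05:00"),
    ("nurse01", "oncology",   "P300", "2016-03-01T09:40:00"),
    ("clerk07", "billing",    "P200", "2016-03-01T10:15:00"),
    ("clerk07", "billing",    "P300", "2016-03-01T10:20:00"),
    ("nurse01", "oncology",   "P100", "2016-03-02T08:55:00"),
    ("clerk07", "billing",    "P100", "2016-03-02T10:00:00"),
    ("clerk07", "billing",    "P100", "2016-03-02T14:00:00"),
    ("doc22",   "cardiology", "P200", "2016-03-02T11:00:00"),
]
# A constructed spike day: clerk07 opens eight charts on 2016-03-03,
# four times that user's two-per-day baseline.
ACCESS_LOG += [
    ("clerk07", "billing", f"P4{i:02d}", f"2016-03-03T{9 + i:02d}:00:00")
    for i in range(8)
]

# Constructed patient metadata a privacy-monitoring tool would maintain:
# flags (patient is also an employee, or a VIP) and the departments with a
# current care or business need for the chart (hypothetical attribute).
PATIENTS = {
    "P100": {"flags": set(),        "authorized_depts": {"oncology", "billing"}},
    "P200": {"flags": {"employee"}, "authorized_depts": {"cardiology"}},
    "P300": {"flags": {"vip"},      "authorized_depts": {"oncology"}},
}
PATIENTS.update(
    {f"P4{i:02d}": {"flags": set(), "authorized_depts": {"billing"}} for i in range(8)}
)


def flag_snooping(log, patients):
    """Co-worker and VIP snooping: flagged charts opened without a recorded need."""
    alerts = []
    for user, dept, pid, ts in log:
        meta = patients.get(pid)
        if meta is None or dept in meta["authorized_depts"]:
            continue  # unknown patient, or the department has a legitimate need
        for flag in ("employee", "vip"):
            if flag in meta["flags"]:
                alerts.append({"user": user, "patient": pid,
                               "reason": f"{flag}_chart_without_need", "at": ts})
    return alerts


def flag_volume_spikes(log, baseline_days, factor=3.0):
    """Trending: per-user chart opens per day vs. that user's mean over baseline_days.

    Days outside the baseline at or above factor x the mean are flagged. Users with
    a zero baseline are skipped rather than flagged on their first activity.
    """
    per_day = defaultdict(Counter)
    for user, _dept, _pid, ts in log:
        per_day[user][ts[:10]] += 1  # group by the date part of the timestamp
    alerts = []
    for user, days in per_day.items():
        mean = sum(days.get(d, 0) for d in baseline_days) / len(baseline_days)
        for day, n in sorted(days.items()):
            if day not in baseline_days and mean > 0 and n >= factor * mean:
                alerts.append({"user": user, "day": day, "opens": n,
                               "baseline_mean": mean})
    return alerts


def run_monitoring(log=ACCESS_LOG, patients=PATIENTS):
    """Run both detections; the first two days of the sample serve as the baseline."""
    baseline = ["2016-03-01", "2016-03-02"]
    return {"snooping": flag_snooping(log, patients),
            "spikes": flag_volume_spikes(log, baseline)}


if __name__ == "__main__":
    for kind, alerts in run_monitoring().items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

On the sample data the snooping pass raises two alerts, both for clerk07 (an employee's chart and a VIP's chart opened from billing), and the trending pass flags clerk07's eight opens on 2016-03-03 against a baseline mean of two. In practice the authorized-department lookup would come from scheduling, encounter or billing systems, and the baseline window and threshold would be tuned per role rather than fixed as here.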

Get your house in order: HIPAA Audits, Phase 2 in early 2016
The HHS Office for Civil Rights has announced that it will begin Phase 2 of its long-awaited audit program in early 2016. ("McGraw Discusses HIPAA Audits Slated for Early 2016"; Source: HealthData Management, October 2015)

Banner Health
- One of the largest nonprofit hospital systems in the country
- Twenty-nine acute-care hospitals and health care facilities
- With more than 47,000 employees, Banner Health is the largest private employer in Arizona and the third largest employer in the Northern Colorado Front Range area
- Mission: As the leading nonprofit provider of health care in every community we serve, Banner Health is deeply committed to our mission: To make a difference in people's lives through excellent patient care.
Robert Rost, IT Operations Director of Defensive Services, IT Security: Robert has over 10 years' experience in Information Security and Risk. As the IT Operations Director over Defensive Services, he is responsible for detecting, managing and responding to IT security incidents, including managing the vulnerability management and data protection programs.

Customer Perspective: Robert Rost, Banner Health
"A new approach is needed... because a lot of our security wheels will continue to give our companies & patients the same results."
(Image source: http://www.socialmediatoday.com/)

...but
(Image source: http://www.evilenglish.net)

The Baby: What works
- Leverage intelligence
- Do the basics
- Partnerships
- Plan the work. Work the plan.
- Mature Governance, Risk & Compliance
- Understand the business
- Embrace encryption
- Adapt to the threat & legislative landscapes
(Image source: http://ladynicci.com)

The Bath Water: What doesn't work
- Eating the entire elephant in one bite
- Supporting vendors that don't play nice or automate (enough)
- Building unconnected product sprawl
- Developing meaningless metrics
- Overemphasizing protect controls
- Isolating information security risk from enterprise risk management
- Ignoring the OCR Audit Protocol
(Image source: http://2.bp.blogspot.com)

H. Lee Moffitt Cancer Center and Research Institute
- Founded in Tampa, FL in 1986
- Third largest cancer center in the U.S. based on patient volume
- MISSION: To contribute to the prevention and cure of cancer
- VISION: To transform cancer care through service, science and partnership
Dave Summitt, Director of Cyber Security Operations: With over 25 years of experience in information technology, his experience spans the federal and private sectors, concentrating on information systems, network and engineering operations, and over the last 10 years focusing on cyber-security initiatives.

Initiatives: H. Lee Moffitt Cancer Center and Research Institute
- Standing up a Security Operations Center
  - Proactive monitoring (stopping problems before they become major)
  - Incident response & management
  - Combines with the traditional NOC
- Provide organization-wide awareness training
  - Tailored to the audience
  - Annual cyber security incident response table-top exercises
- Participate in threat sharing groups
  - InfraGard
  - HITRUST CyberExchange
  - CERT notifications
  - Local security organizations

Why does it take so long to discover a breach?
- Because organizations do not understand their network
- Active monitoring doesn't exist
- Security staff don't have the correct resources, or enough of them
THIS NEEDS TO CHANGE
(Source: Mandiant M-Trends 2015, "A View From the Front Lines" report)

How can you get ahead of a breach? (Expanded)
- Information security
- Data visualization
- Trending
- Analytics
- Finding the right talent, or using managed privacy & security services
- Training: users & leaders must know and understand what they are up against
- Visibility: security personnel need to add championing this need to their responsibilities

Questions
- Kurt J. Long, CEO & Founder, FairWarning, Inc. - Kurt@FairWarning.com
- Robert Rost, IT Operations Director of Defensive Services, IT Security, Banner Health - Robert.Rost@bannerhealth.com
- Dave Summitt, Director of Cyber Security Operations, H. Lee Moffitt Cancer Center and Research Institute - Dave.Summitt@moffitt.org