Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map


Evaluating the Security of Your IT Network
Vulnerability Scanning & Network Map
Kyle Stafford / M-CEITA
5/12/2017

Disclaimer
This presentation was current at the time it was published or uploaded onto the web. Medicare and Medicaid policy changes frequently, so links to source documents have been provided for your reference. This presentation was prepared as a service to the public and is not intended to grant rights or impose obligations. This presentation may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage participants to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents.

Agenda
- Overview of M-CEITA
- Security Updates: Rise of Hacking Attacks
- Security Mitigation
- Vulnerability Scan
- Network Map
- Questions and Answers

Who is M-CEITA?
Michigan Center for Effective Information Technology Adoption (M-CEITA)
- One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country
- Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90 days of Meaningful Use (MU)
- Funded by the ARRA of 2009 (Stimulus Plan)
- Purpose: support the Triple Aim by achieving 5 overall performance goals

The Triple Aim: improve patient experience; improve population health; reduce costs.
The five Meaningful Use performance goals: Improve Quality, Safety & Efficiency; Engage Patients & Families; Improve Care Coordination; Improve Population and Public Health; Ensure Privacy and Security Protections. These rest on Performance Measurement and a Certified Technology Infrastructure.

M-CEITA Services
- Meaningful Use Support
- Security Risk Assessment & Network Security Evaluation
- Audit Preparation
- Targeted Process Optimization (Lean)
- GLPTN - Great Lakes Practice Transformation Network
- Chronic Care Management (CCM)
- Quality Payment Program Resource Center
www.mceita.org | 1-888-MICH-EHR | www.qppresourcecenter.com

Security Updates: Rise of Hacking Attacks
- Deliberate healthcare cybersecurity attacks rose by 320% during the 2016 calendar year. (HealthITSecurity.com, 2016)
- In 2016, 113 healthcare providers reported a breach of 500 or more records attributed to hacking/IT incidents. (U.S. Department of Health and Human Services breach portal, https://ocrportal.hhs.gov/ocr/breach/)
- The average cost of a breached patient medical record is up to $402. (Ponemon Institute, 2016)

Security Updates: Rise of Hacking Attacks
Chart: Hacking attacks against healthcare providers (breaches of 500+ records reported to HHS)
- 2015: 57
- 2016: 113

Security Updates: Rise of Hacking Attacks
- 2017 to date: 38 hacking incidents have been reported to HHS, affecting 969,091 individuals.
- Hacking incidents now account for 75% of all individuals affected by breaches posted on the HHS breach portal (the "wall of shame"). (Ponemon Institute, 2016)

Security Updates: Rise of Hacking Attacks
How are hackers gaining access to your network?
- Exploiting a vulnerability or weakness
- Insufficient or ineffective security controls
- Lack of security and network awareness

How to Mitigate Against Attacks
- Be aware of where your weaknesses exist
- Identify critical assets
- Ensure appropriate measures are implemented
How do you know what to implement?

Vulnerability Database
- New vulnerabilities are identified every day and catalogued in the National Vulnerability Database: https://nvd.nist.gov/
- Covers operating systems, software & applications, network devices, and configurations
- Use it to determine whether your devices are exposed to known vulnerabilities

Vulnerability Ranking & Scoring
How are vulnerabilities classified?
- CVE (Common Vulnerabilities and Exposures): a unique identifier for each publicly known vulnerability, giving structure and consistency across vendors and tools
- CVSS (Common Vulnerability Scoring System): a numeric score from 0.0 to 10.0 used to rank vulnerabilities by severity
CVSS ratings
- v2: Low (0.0-3.9), Medium (4.0-6.9), High (7.0-10.0)
- v3: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0)

Vulnerability Scanning - Explained
What is a vulnerability scan?
A vulnerability scan uses an automated tool to detect and identify technical vulnerabilities on the devices in scope and to provide remediation recommendations for addressing, prioritizing, and mitigating risk. It finds known, published weaknesses (the kind catalogued in NVD); it does not by itself prove that a weakness can be exploited.
Why have a vulnerability scan?
Commonly, a medical practice is not aware of the weak points in its current technical configuration. Awareness is necessary to defend against attacks.

Vulnerability Scanning - Compliance
While not explicitly referenced by the Security Rule, vulnerability scans and network maps are common methods for meeting numerous HIPAA requirements. In particular, vulnerability scans are a common method for meeting the Evaluation requirement of the HIPAA Security Rule.

Vulnerability Scanning - Compliance
Security Rule 164.308(a)(8) Evaluation:
"Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart."
Summary: Practices are required to identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI.

Vulnerability Scanning - Common Questions
How do I know if I need a vulnerability scan? You do if any of the following apply:
- You are a HIPAA Covered Entity
- Your network has devices that store, process, transmit, or maintain sensitive information (including ePHI)
- Your network has undergone significant changes or technology upgrades
- Your internal or external operating environment experienced significant technology-related changes within the past year

Vulnerability Scanning - Common Questions
How does this compare to a Security Risk Assessment?
- A risk assessment identifies the presence of risk as it pertains to the assets and information flows in place.
- An evaluation determines how effectively your controls keep that risk from being realized.
- The need for a technical evaluation is usually identified by a risk assessment.

Vulnerability Scanning - The Process
Define Scope -> Access Network -> Scan -> Generate Report -> Present Results
- Define the scope of computers/devices to be scanned (what to scan and what not to scan).
- Access the devices and network being scanned (wired/wireless).
- Scan using the defined and confirmed scope of assets.
- Generate a report from the data collected by the scan.
- Present the results to the appropriate parties (management, IT, security officer).

Vulnerability Scanning - The Process: Define
- Determine which assets should be scanned.
- Do you have ownership of ALL the devices?
- Are some devices shared within the network? Scan only devices you own or have the owner's permission to scan.

Vulnerability Scanning - The Process: Access
- Ensure that the scanner will be able to communicate with the devices.
- The device running the scanner should be on the same network as the targets; a firewall or network segment between scanner and target hides ports and produces an incomplete result.
- Preferably use a wired connection.

Vulnerability Scanning - The Process: Scan
- Configure the vulnerability scanner.
- Input the scope of devices to be scanned.
- Specify the devices which must be excluded from the scan.

Vulnerability Scanning - The Process: Report
- Generate a report based on the findings.
- Executive summary for management.
- Full detail report for IT and compliance.

Vulnerability Scanning - The Process: Present
Appropriate staff should be notified of the findings:
- Office/Practice Managers
- Executive Management
- IT Staff
- Compliance Officers
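To tie the Define, Scan and Report steps together, here is an added Python example (not from the presentation or from any scanner vendor) that checks a scanner's findings export against the agreed scope and exclusion list, then splits what remains into the two audiences the Report step calls for: an executive summary and a full detail list. The CSV export, its column names, the address ranges and the finding IDs are all constructed for illustration.

```python
"""Scope enforcement and two-audience reporting for vulnerability-scan output.

Added example for this deck, not code from the original presentation or
from any scanner vendor. SCAN_CSV is a constructed stand-in for a
scanner's findings export; the column names are assumptions.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Define step: what we own and agreed to scan, and what must not be touched.
# Constructed example ranges.
SCOPE = [ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_network("10.20.2.0/24")]
EXCLUSIONS = [ipaddress.ip_address("10.20.1.50")]  # e.g. a shared device we do not own

# Constructed findings export (not real scan data; F-00x are not CVE IDs).
SCAN_CSV = """host,hostname,finding_id,cvss3,title
10.20.1.10,ehr-app,F-001,9.8,Remote code execution in web front end
10.20.1.10,ehr-app,F-002,5.3,Information disclosure via verbose error page
10.20.1.23,front-desk-pc,F-003,7.8,Local privilege escalation in OS component
10.20.1.50,shared-printer,F-004,6.5,Default credentials on management interface
10.20.2.5,fileserver,F-005,8.8,Authenticated remote code execution
10.20.9.9,unknown,F-006,9.1,Outdated TLS library
"""


def severity(score: float) -> str:
    """CVSS v3 qualitative band, as on the 'Vulnerability Ranking & Scoring' slide."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"


def scope_status(host: str) -> str:
    """Exclusions win over scope; anything not in SCOPE is out of scope."""
    ip = ipaddress.ip_address(host)
    if ip in EXCLUSIONS:
        return "excluded"
    if any(ip in net for net in SCOPE):
        return "in-scope"
    return "out-of-scope"


def triage(scan_csv: str) -> dict:
    """Rate each finding, enforce scope, and build executive + detail views."""
    findings = list(csv.DictReader(io.StringIO(scan_csv)))
    for f in findings:
        f["cvss3"] = float(f["cvss3"])
        f["severity"] = severity(f["cvss3"])
        f["scope"] = scope_status(f["host"])

    # Results for excluded or unknown hosts mean the scanner touched something it
    # should not have; that is a scope violation to investigate, not a result to report.
    violations = [f for f in findings if f["scope"] != "in-scope"]
    reportable = [f for f in findings if f["scope"] == "in-scope"]

    by_host = defaultdict(list)
    for f in reportable:
        by_host[f["host"]].append(f)

    executive = {
        "hosts_with_findings": len(by_host),
        "findings": len(reportable),
        "by_severity": dict(Counter(f["severity"] for f in reportable)),
        "hosts_with_high_or_critical": sorted(
            h for h, fs in by_host.items() if any(f["cvss3"] >= 7.0 for f in fs)
        ),
    }
    # Full detail for IT and compliance: worst first, then by host.
    detail = sorted(reportable, key=lambda f: (-f["cvss3"], f["host"]))
    return {"executive": executive, "detail": detail, "scope_violations": violations}


if __name__ == "__main__":
    report = triage(SCAN_CSV)
    print("EXECUTIVE SUMMARY:", report["executive"])
    print("DETAIL:")
    for f in report["detail"]:
        print(f"  {f['cvss3']:4.1f} {f['severity']:8s} {f['host']:12s} {f['finding_id']}  {f['title']}")
    print("SCOPE VIOLATIONS (investigate before presenting):")
    for f in report["scope_violations"]:
        print(f"  {f['host']} is {f['scope']}: {f['finding_id']}")
```

The executive view answers the management question (how many hosts, how many findings, how bad) without listing individual flaws; the detail view gives IT the full, worst-first list to work from. Keeping the scope check in the report pipeline, not just in the scanner's target box, catches the case where the scanner was pointed at a shared or unowned device by mistake.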

Vulnerability Scanning - Types of Assets
What types of assets can be scanned?
- Computers: desktops, laptops, tablets, smart phones
- Operating systems: Windows, Apple (macOS/iOS), Linux
- Software: web browsers, word processing, mail clients, the OS itself
- Network devices & configurations: routers, modems, firewalls


Understand Your Network
Now that you know which devices are vulnerable, what next?
Understanding how devices relate to one another reveals how their vulnerabilities are related: a weakness on one device can expose every device it is able to reach.

Network Map - Explained
What is a Network Map?
A network map is a visual schematic outlining the topology of the computer network as it is currently configured.
Why obtain a Network Map?
The map helps identify the assets that create, maintain, receive, or transmit ePHI and other sensitive information, and it makes responding to the HIPAA audit protocol much easier.

Network Map - Compliance
- Security Rule 164.310(d)(2)(iv) Device and Media Controls: Data Backup and Storage Procedures
- Security Rule 164.312(e)(1) Transmission Security
- Security Rule 164.310(b) Workstation Use

Network Map - The Process
Define Scope -> List Assets -> Gather Details -> Design Diagram -> Present Results
- Define the boundary of assets within the network to be included.
- List: formalize the list of assets to be included.
- Gather physical, technical, and configuration information for every asset in the map.
- Design the visual representation of the network topology.
- Present the final copy of the network diagram to the appropriate parties.

Network Map - The Process: Define
- Determine what assets should be included within the network map.
- Are some devices not connected to the network?
- Should some assets not be included?

Network Map - The Process: List
- Formalize a readable list to be used for the design process.
- The list of devices will be larger than expected.

Network Map - The Process: Gather
- Leverage automation tools (network scanners).
- Determine what details should be included: IP address, FQDN/hostname, MAC address.

Network Map - The Process: Design
- Choose the software you are most comfortable with. Microsoft Visio is commonly used; other drafting alternatives are available.
- Draw and label how the devices are connected (wired or wireless connections).
- Lay out the map so that it is easy to see how one device can interact with another.

Network Map - The Process: Present
- Present the results to the appropriate staff.
- Ensure that this document is secured: encrypted and stored in a secure location.
- In the wrong hands it is a roadmap to where the critical assets in your network are located.
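For the Gather and Design steps, an added Python example (not from the presentation): it parses host-discovery output in the format that nmap -sn prints, builds the IP / hostname / MAC inventory the Gather slide asks for, flags devices with no name for the ownership review, and emits a Graphviz DOT skeleton that a drawing tool can render as the starting point for the diagram. The nmap output below is a constructed sample with made-up addresses, names and locally administered (02:...) MAC addresses.

```python
"""Asset inventory from host-discovery output, plus a DOT diagram skeleton.

Added example for this deck, not code from the original presentation.
Assumes the normal (human-readable) output of 'nmap -sn <range>' run
from a host on the scanned segment; NMAP_OUTPUT is a constructed sample.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of 'nmap -sn' output (not a real scan).
NMAP_OUTPUT = """Starting Nmap 7.80 ( https://nmap.org ) at 2017-05-12 09:00 EDT
Nmap scan report for gw.clinic.example (10.20.1.1)
Host is up (0.0010s latency).
MAC Address: 02:00:00:AA:00:01 (Unknown)
Nmap scan report for ehr-app.clinic.example (10.20.1.10)
Host is up (0.0020s latency).
MAC Address: 02:00:00:AA:00:10 (Unknown)
Nmap scan report for 10.20.1.77
Host is up (0.0300s latency).
MAC Address: 02:00:00:AA:00:77 (Unknown)
Nmap scan report for fileserver.clinic.example (10.20.2.5)
Host is up (0.0015s latency).
MAC Address: 02:00:00:BB:00:05 (Unknown)
Nmap scan report for 10.20.2.200
Host is up (0.0400s latency).
Nmap done: 512 IP addresses (5 hosts up) scanned in 4.20 seconds
"""

# "Nmap scan report for name (ip)" when reverse DNS resolved, else "... for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$"
)
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<vendor>[^)]*)\))?")


def parse_nmap(text: str) -> list:
    """Return one {ip, hostname, mac, vendor} record per discovered host.
    A missing MAC usually means the host is on a different segment from the
    scanner (or is the scanner itself), which is worth noting on the map."""
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m.group("ip1") or m.group("ip2"),
                       "hostname": m.group("name"), "mac": None, "vendor": None}
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m.group("mac").upper()
            current["vendor"] = m.group("vendor")
    return hosts


def group_by_subnet(hosts: list, prefix: int = 24) -> dict:
    """Bucket hosts by their /prefix network (assumed /24 segments here)."""
    groups = defaultdict(list)
    for h in hosts:
        net = ipaddress.ip_network(f"{h['ip']}/{prefix}", strict=False)
        groups[str(net)].append(h)
    return dict(groups)


def unnamed_hosts(hosts: list) -> list:
    """Devices with no DNS name: candidates for the 'do we own this?' review."""
    return [h["ip"] for h in hosts if not h["hostname"]]


def to_dot(hosts: list, prefix: int = 24) -> str:
    """One ellipse per subnet, each host drawn as a box attached to its subnet."""
    lines = ["graph clinic_network {", "  node [shape=box];"]
    for net, members in sorted(group_by_subnet(hosts, prefix).items()):
        sw = "net_" + net.replace(".", "_").replace("/", "_")
        lines.append(f'  {sw} [label="{net}", shape=ellipse];')
        for h in members:
            node = "h_" + h["ip"].replace(".", "_")
            label = "\\n".join((h["hostname"] or "UNKNOWN", h["ip"], h["mac"] or "no MAC seen"))
            lines.append(f'  {node} [label="{label}"];')
            lines.append(f"  {node} -- {sw};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = parse_nmap(NMAP_OUTPUT)
    print(f"{len(inventory)} hosts; unnamed (check ownership): {unnamed_hosts(inventory)}")
    print(to_dot(inventory))
```

Pipe the DOT text into a renderer (for example `dot -Tpng`) or import it into a drawing tool and then add the links the scanner cannot see: which subnet ellipse sits behind which router or firewall, and which links are wireless. Treat both the inventory and the rendered diagram as the sensitive document the Present step describes.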


Conclusion
- Hacking attacks are at an all-time high and increasingly target the health care industry.
- In response to this trend, medical offices need to understand and actively improve their network security more than ever.
- Technical evaluation of a network reveals important details about where security needs to be improved.
- Vulnerability scanning and network mapping are important tools for a complete evaluation of a medical practice's security.

Questions
Additional contact info (MIPS, MACRA & MU): www.mceita.org | 888-MICH-EHR | mceita@altarum.org
Presenter: Kyle Stafford, Kyle.Stafford@Altarum.org, Phone: 734-302-5627