Digital Health Cyber Security Centre


Current challenges

According to the ACSC Threat Report 2017, cybercrime is a prevalent threat for Australia. It enables criminals to generate large profits with a low risk of identification and prevention.

- Ransomware
- Distributed Denial of Service (DDoS)
- Targeting of Australian routers
- Security of IoT devices
- Access to personally identifiable information
- Credential-harvesting malware
- Targeting trusted third parties
- Social engineering

Healthcare sector

Verizon's 2017 Data Breach Investigations Report reveals that 15% of breaches involve healthcare organisations. The Verizon report also identifies that ransomware accounts for 72% of malware incidents in the healthcare industry.

Digital Health Cyber Security Centre structure

Anthony Kitzelmann, Chief Information Security Officer (CISO) & General Manager, Digital Health Cyber Security Centre

Security Operations
- Operational security management
- Real-time security monitoring
- Security Incident Response Team
- IT Security Adviser (ITSA)
- Vulnerability management
- Establishing & monitoring threat intelligence feeds and using the intelligence to detect, prevent and mitigate the cyber threat

Cyber Security Engineering
- Security architecture & design
- Security assurance and advice
- Forward planning and continuous improvement
- Penetration testing and threat & risk assessments (TRAs)
- Procurement of security-related products and services
- Coordination of system certification and security accreditation activities

Security & Compliance Outreach
- Engage with the digital health sector to increase overall security awareness
- Undertake privacy assurance and incident management activities
- Develop security guidance for organisations and consumers
- Develop Agency information security policies
- Exchange security threat intelligence
- Partner with national and international cyber security organisations
- Coordinate regular cyber security exercises

My Health Record security: a collaborative approach

The Digital Health Cyber Security Centre works closely with the National Infrastructure Operator to support the ongoing security of the My Health Record System.

My Health Record privacy controls

Citizen-centric security and privacy model for the My Health Record system: people can control their own My Health Record access and privacy settings.

- Control access: provide healthcare providers with a record access code
- Nominate representatives: nominate people to manage the record on your behalf
- Lock documents: restrict viewing of specific documents to selected people
- Check activity: see who has accessed your record

Digital health security legislation

My Health Record legislation provides protections for privacy of medical information in the system. Severe penalties apply if deliberate misuse occurs (up to 2 years in jail and fines of up to $126,000).

People
- System administration personnel are subject to Australian Government security clearance vetting processes
- Cyber security professionals continually monitor system use and network traffic

Process
- Access to My Health Record servers and administration computers is tightly controlled & monitored
- My Health Record conformance processes must be passed before software can connect to the system

Technology
- Encryption of sensitive data both in storage & in transit
- Specialist security real-time monitoring tools
- Preventing portable storage devices being connected to My Health Record servers

Defence in depth

A layered approach to security provides robust protection for our sensitive health data. Within each layer, a range of technology solutions can be implemented to enhance security for that layer.

[Figure: defence-in-depth layers (policies, procedures and awareness; physical security; perimeter; internal network; host; application; data) shown alongside My Health Record releases 3 to 8, 2013 to 2017]

Defence in depth security is used to protect the My Health Record system. Additional capabilities are being introduced as part of the Cyber Security Centre's workplan, to strengthen our information security investment.

Security Operations

The Digital Health Cyber Security Centre Security Operations:
- continually monitors the system for evidence of unauthorised access.
- utilises specialist security real-time monitoring tools, configured and tuned to automatically detect events of interest or notable events.
- regularly reviews and updates the defined events of interest, based on its knowledge of the likely threats to the My Health Record.

Examples of notable events
- Overseas access by consumers and healthcare providers
- Multiple failed logins from the same computer
- Multiple logins within a short period of time
- Logins to the same record from multiple computers at the same time
- High transaction rate for a given healthcare provider
- Certain instances of after hours access and all instances of emergency access
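As an added illustration of how notable-event rules like those listed above can be run over access logs (example code written for this page, not the Centre's or the My Health Record system's own tooling; the log fields, the 5-minute window, the thresholds and the 07:00 to 19:00 business hours are assumptions), the following Python applies each rule to constructed sample rows:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log rows (made up for this example, not My Health Record data):
# (timestamp, actor, host, record, action, outcome, country)
LOG = [
    ("2017-06-01T09:00:00", "prov-A", "pc-1", "rec-100", "view", "ok", "AU"),
    ("2017-06-01T09:00:20", "prov-A", "pc-1", "rec-100", "view", "ok", "AU"),
    ("2017-06-01T09:00:40", "prov-A", "pc-1", "rec-101", "view", "ok", "AU"),
    ("2017-06-01T09:01:00", "prov-A", "pc-1", "rec-102", "view", "ok", "AU"),
    ("2017-06-01T09:02:00", "cons-B", "pc-2", "rec-200", "login", "fail", "AU"),
    ("2017-06-01T09:02:30", "cons-B", "pc-2", "rec-200", "login", "fail", "AU"),
    ("2017-06-01T09:03:00", "cons-B", "pc-2", "rec-200", "login", "fail", "AU"),
    ("2017-06-01T09:04:00", "prov-C", "pc-3", "rec-100", "view", "ok", "US"),
    ("2017-06-01T14:00:00", "prov-D", "pc-4", "rec-300", "emergency", "ok", "AU"),
    ("2017-06-01T23:30:00", "prov-E", "pc-5", "rec-400", "view", "ok", "AU"),
]

def detect_notable_events(rows, window=timedelta(minutes=5), fail_threshold=3,
                          rate_threshold=4, business_hours=(7, 19)):
    """Return (rule, subject, timestamp) tuples; thresholds and window are assumed values."""
    alerts = []
    fails = defaultdict(list)         # host -> timestamps of failed logins
    record_hosts = defaultdict(list)  # record -> (timestamp, host) of successful accesses
    actor_times = defaultdict(list)   # actor -> timestamps of all of that actor's events
    for ts_s, actor, host, record, action, outcome, country in rows:
        ts = datetime.fromisoformat(ts_s)
        # Overseas access and every emergency access are notable on their own.
        if country != "AU":
            alerts.append(("overseas_access", actor, ts_s))
        if action == "emergency":
            alerts.append(("emergency_access", actor, ts_s))
        elif not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append(("after_hours_access", actor, ts_s))
        # Repeated failed logins from the same computer inside the window (fires once, on the Nth).
        if action == "login" and outcome == "fail":
            fails[host].append(ts)
            if sum(ts - t <= window for t in fails[host]) == fail_threshold:
                alerts.append(("repeated_failed_logins", host, ts_s))
        # The same record opened from more than one computer inside the window.
        if outcome == "ok" and action != "login":
            record_hosts[record].append((ts, host))
            if len({h for t, h in record_hosts[record] if ts - t <= window}) > 1:
                alerts.append(("record_open_from_multiple_hosts", record, ts_s))
        # High transaction rate (or many logins) for one actor inside the window.
        actor_times[actor].append(ts)
        if sum(ts - t <= window for t in actor_times[actor]) == rate_threshold:
            alerts.append(("high_transaction_rate", actor, ts_s))
    return alerts
```

Running detect_notable_events(LOG) on the constructed rows raises exactly one alert per rule, in log order.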

Security assurance

Security assurance activities are undertaken to ensure the security of the My Health Record system is adequately maintained, including:
- Accreditation in accordance with the Australian Government Information Security Manual (ISM) and Protective Security Policy Framework (PSPF), including assessment by an independent IRAP* assessor.
- Threat and risk assessments to independently audit the effectiveness of security controls.
- Regular penetration testing, to understand and monitor security threats, risks and vulnerabilities.
- Pre-release testing and technical reviews to identify and rectify any security vulnerabilities, prior to release of new My Health Record system functionality.
- Security clearances ensuring personnel involved with management of the My Health Record system have a baseline security clearance, granted by the Australian Government Security Vetting Agency.
- Information Security Policy and associated security procedures and plans.

*IRAP: InfoSec Registered Assessors Program (managed by Australian Signals Directorate)

[Figure: continuous improvement cycle: Secure Design, Secure Build, Test & Accredit, Release, Review]

Cyber security guidance materials

A range of cyber security guidance materials have been produced to encourage improved information security practices across the health sector. The Information Security Guide for Small Healthcare Businesses provides simple guidance for non-technical health professionals regarding:
- privacy
- passwords
- software updates
- back-ups
- staff security awareness.

A number of additional publications provide guidance regarding specific information security topics.