(Subject to Change) 10:00-10:45 AM BYOD and MDM: Reducing Risk on the Mobile Perimeter Moderator Chris Crowley Ethical Hacker SANS Institute

Transcription

1 (Subject to Change) 8:30-9:00 AM Badge Pickup & Check-In 9:00-9:45 AM KEYNOTE: Enabling Mobile Healthcare: Privacy & Security in an Era of Accelerating Change Speaker Karl West Intermountain Healthcare 9:45 10:00 AM TBD 10:00-10:45 AM BYOD and MDM: Reducing Risk on the Mobile Perimeter Moderator Chris Crowley Ethical Hacker SANS Institute Anahi Santiago Director Information Security and Support Services Einstein Healthcare Network Lee Kim Director, Privacy & Security HIMSS Stephen Cobb Senior Security Researcher ESET North America John Donohue Associate CIO of Technology & Infrastructure Penn Medicine Adam Kehler Privacy & Security Expert Regional Extension Center for Pennsylvania East and West 10:45-11:00 AM Break 11:00-11:45 AM Medical Device Security: How to Crack a Very Tough Nut Moderator Dale Nordenberg Co-founder & Executive Director Medical Device Innovation, Safety and Security Consortium Chad Wilson Director, IT Security Children's National Medical Center Darren Lacey Johns Hopkins University and Johns Hopkins Medicine Page: 1

2 Axel Wirth Healthcare Solutions Architect Symantec Corporation Kevin Fu Associate Professor, Computer Science & Engineering University of Michigan 11:45-12:15 AM Best Practices from NIST: Use Military Might to Secure Mobile Apps Speaker Jeff Voas Computer Scientist National Institute of Standards and Technology 12:15-1:15 PM mhealth Updates, Advice & Best Practices from the FDA, OCR and ONC Moderator Tom Sullivan Executive Editor HIMSS Media Kathryn Marchesini Acting Chief Privacy Officer Office of the National Coordinator for Health IT Suzanne Schwartz Director Emergency Preparedness/Operations & Medical Countermeasures Center for Devices & Radiological Health US Food and Drug Administration Iliana Peters Senior Advisor for HIPAA Compliance and Enforcement Office for Civil Rights 1:15-2:00 PM Networking Luncheon 2:00 2:45 PM Risky Business: Mitigating mhealth Workarounds with "Usable" Security Moderator Sal Volpe Physician Solo Physician Practioner Thompson Boyd Physician Liaison Hahnemann University Hospital David Houlding Senior Security & Privacy Researcher Intel Mark Parkulo Vice-Chair, Meaningful Use Coordinating Group Mayo Clinic Glenn Fala Senior Director of Software Development Penn Medicine Page: 2

3 2:45-3:15 PM The Brave New World of Patient-Generate Data and What it Means for Healthcare Privacy & Security Speaker Robert Havasy Vice President Personal Connected Health Alliance 3:15-3:30 PM Break 3:30-4:15 PM KEYNOTE: Realizing the Vision of a Secure & Connected Mobile World Speaker James Doggett SVP, Chief Security Officer and Chief Technology Risk Officer Kaiser Permanente 4:15-4:45 PM Research Central: Developing a Secure mhealth Platform for Wearables Speaker David Kotz Champion International Professor Department of Computer Science - Dartmouth College 4:45-5:30 PM Wrap-up with the Mobile Privacy & Security Genius Bar Moderator Kevin Johnson Founder Secure Ideas Mark Parkulo Vice-Chair, Meaningful Use Coordinating Group Mayo Clinic John Donohue Associate Chief Information Officer of Technology & Infrastructure Penn Medicine Darren Lacey Johns Hopkins University and Johns Hopkins Medicine Karl West Intermountain Healthcare 5:30-6:30 PM Networking Reception Page: 3

4 Enabling Mobile Healthcare: Privacy & Security in an Era of Accelerating Change The mobile tsunami is upon us. Whether it is a new app, smart phone operating system, or medical device, advances in mobile technology seem to be accelerating at warp speed. Without a doubt, mhealth presents unique opportunities for increasing clinician productivity and engaging patients - from devices at the bedside to health data tracking in the home. However, it also presents often-daunting privacy and security challenges. Nobody knows that better than Karl West, CISO of Intermountain Healthcare, which operates 22 hospitals in Utah and one in Idaho. Intermountain has a long history of securely adopting, developing, and implementing new technologies, including an aggressive but prudent adoption of mhealth. In his keynote presentation, from his seat at one of the most innovative healthcare organization in the world, West will address the forces fueling the mhealth revolution, discuss Intermountain s mobile initiatives, and then explain what he considers the best and most practical way to mitigate the related risks. BYOD and MDM: Managing Risk on the Mobile Perimeter With four out of every five physicians using smartphones and/or tablets, it is safe to say that BYOD is here to stay. However, what must healthcare organizations do to make sure this does not lead to security breaches? How can they protect every device while ensuring that staff workflows are not compromised? When it comes to answering these questions, top healthcare security professionals say that it all starts mobile device management (MDM). The threshold question is: Do you have MDM, and what is your strategy for MDM, says Darren Lacey, CISO for Johns Hopkins University and Johns Hopkins Medicine. This is the most important issue facing us. What are we doing with MDM? What are we doing to enforce policy? How much security do we expect out of it? And what will it look like in the future. Following an overview of the proliferation of personal mobile devices and the primary security threats, this session will discuss these key MDM questions directly, as well policies and procedures for specific use cases such as texting and image transfer. Medical Device Security: How to Crack a Very Tough Nut As more data from medical devices is fed into EHRs on a provider s network, finding ways to secure and protect the devices from viruses and other cyber threats has become a vital part of any comprehensive security program. Securing medical devices, however, is a tough nut to crack for a number of reasons. Many are not managed by the IT department; clinicians are often resistant to new security safeguards that may impact their workflow; medical device vendors are often unresponsive to requests for security upgrades; and some of the upgrades can be prohibitively expensive. In this session, moderator Dale Nordenberg, executive director of the Medical Device Innovation, Safety, and Security Consortium (MDISS), identifies drivers for an increased regulatory focus on medical device security and the potential dangers these devices pose, if not equipped with adequate security safeguards, to patient safety. Then leading healthcare security discuss, among other things: 1. New FDA guidelines that require vendors to address risks more quickly 2. Practices for assessing and mitigating medical device risks 3. Processes for approving requests for new medical devices 4. Responding to infected devices 5. Educating clinicians and administrators to the security risks medical devices pose Best Practices from NIST: Use Military Might to Secure Mobile Apps Here is a scary fact: An estimated 80% of physicians use mobile apps as part of their medical practices, and many of these apps were not designed for healthcare and lack essential privacy and security safeguards, creating an ideal situation for a breach. That is where the National Institute of Standards and Technology (NIST) come in. Page: 4

5 The organization was recently honored for contributing its expertise in cyber security and software performance evaluation as part of a program to help the U.S. military evaluate mobile apps more effectively for use in the battlefield. NIST has since taken that research and created a guide to help healthcare organizations (and others) leverage the benefits of mobile apps while managing their risks. In this session, NIST computer scientist Jeff Voas explains that process. He will cover mobile app testing requirements, such as security, functionality, performance and reliability; and mobile app vetting tools and techniques. He ll also review software assurance issues, describe undesirable characteristics that vetting may reveal, and provide examples of security weakness issues affecting apps. mhealth Updates, Advice, and Best Practices from the OCR and ONC In this session, top privacy and security officials from the Office for Civil Rights and the Office of the National Coordinator for Health IT will discuss best practices for securing mobile devices as well as areas where they see providers falling short. Panelists will also address HIPAA enforcement, rules, regulations and other mhealth issues critical to attendees, who will have ample opportunity to ask questions. Risky Business: Mitigating mhealth Workarounds with Usable Security According to a recent survey, 21% of 674 healthcare employees said they practice workarounds every day, and 30% said they sometimes use workarounds to perform their jobs. No doubt this is risky business and exacerbated by healthcare workers using powerful collaboration apps, social media, texting, and other powerful mhealth personal communication devices. In this session, our panelists will discuss approaches to mitigating workarounds by digging deeper into: How physicians and other healthcare employees are using mhealth tools to accomplish tasks Security safeguards they like and dislike and why Common workarounds Best practices to prevent workarounds (training, technology, and administrative controls) The need to create usable privacy and security policies and procedures that make workarounds unnecessary. The Brave New World of Patient-Generate Data and What it Means for Healthcare Privacy & Security The Center for Connected Health at Partners Healthcare is renowned for its work in developing innovative and effective solutions, including mhealth, for delivering quality patient care outside traditional settings. Recently, the center has been investigating how healthcare professionals can prepare for the tidal wave of patient-generated data weight loss, blood pressure, etc. that is just starting to hit their shores, and, specifically, what they must do to secure this vector. Although HIPAA does not technically apply until a healthcare provider receives data, patients expect that the data they share from consumer devices will be as secure as anything their healthcare provider might give them. We are entering a brave new world, and there s a lot of concern about data getting into the wrong hands, says Robert Havasy, technology and strategy expert at the Center for Connected Health. In this session, Havasy discusses how the explosion in patient-generated data will transform healthcare. He will also give an overview of the support systems that need to be in place for privacy and security and broader enterprise integration. Manage Risk and Take Hold of the Future What is that reverberation you hear? It is the pace of change echoing throughout the healthcare industry thanks to non-stop advances in technology. That pace is dramatically changing our risk landscape, and healthcare privacy and security initiatives must evolve constantly to address new and growing threats. In his highly engaging style, James Doggett, senior vice president and chief technology risk officer for Kaiser Permanente, will call on more than 20 years of information security experience to discuss the state of the health IT industry, with a special emphasis how to protect your organization's technology assets and data and the role risk management will play in defining the future of healthcare. Change is constant in healthcare and the related privacy and security threats can cause concern. Fortunately, as Jim will explain, there are ways to mitigate changes and the risks they represent so that you do not get steamrolled by the future. Page: 5

6 Research Central: Developing a Secure mhealth Platform for Wearables Many of the most compelling mhealth applications are designed to enable long-term health monitoring for, among other things, outpatients with chronic medical conditions and for physicians seeking to quantify and detect behavioral aberrations for early diagnosis. But while mhealth devices and applications are proliferating, many challenges remain to provide the necessary usability, manageability, interoperability, availability, security, and privacy. In this session, Dartmouth College computer science professor David Kotz reviews the progress of a project intended to engineer the tools for secure wearable mhealth. Importantly, for healthcare security professionals tasked to secure this growing proliferation of wearables, Kotz will discuss the keys to creating an mhealth platform that is secure, provides high availability, and allows for the deployment of multiple third-party applications that share resources in a body-area network. Wrap-up with the Mobile Privacy & Security Genius Bar The Mobile Privacy & Security Genius Bar is a takeoff on the name for the in-store tech support provided in retail Apple Stores. After a full day of mobile security presentations, this is an opportunity to tie up loose ends, for attendees and speakers to address unanswered questions, and share final thoughts and ideas on mobile privacy and security. Page: 6