Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014



Similar documents
Cybersecurity Framework: Current Status and Next Steps

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

How To Write A Cybersecurity Framework

National Institute of Standards and Technology Smart Grid Cybersecurity

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

Overview of the HIPAA Security Rule

Framework for Improving Critical Infrastructure Cybersecurity

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Our Commitment to Information Security

Applying Framework to Mobile & BYOD

Framework for Improving Critical Infrastructure Cybersecurity

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Business Continuity for Cyber Threat

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

NIST Cybersecurity Framework & A Tale of Two Criticalities

PROTIVITI FLASH REPORT

Framework for Improving Critical Infrastructure Cybersecurity

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Framework for Improving Critical Infrastructure Cybersecurity

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Billing Code: 3510-EA

Nine Network Considerations in the New HIPAA Landscape

Data Breach Response Planning: Laying the Right Foundation

No. 33 February 19, The President

Framework for Improving Critical Infrastructure Cybersecurity

Conducting Your HIPAA Risk Analysis Top Ten Steps

Cybersecurity as a Risk Factor in doing business

Why you should adopt the NIST Cybersecurity Framework

Big Data, Big Risk, Big Rewards. Hussein Syed

What s new In the News Data Breach Discussion The 5 W s Risk Analysis: Why, What, how, When, and Who Common Issues Observed Q / A Session Purdue

Building Security In:

Health Industry Implementation of the NIST Cybersecurity Framework

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Cybersecurity Framework Security Policy Mapping Table

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Managing Cybersecurity Risk in a HIPAA-Compliant World

Envisioning Collaboration for Medical Device and Healthcare Cybersecurity

Applying IBM Security solutions to the NIST Cybersecurity Framework

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

How To Understand And Manage Cybersecurity Risk

NIST Cybersecurity Framework What It Means for Energy Companies

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Bridging the HIPAA/HITECH Compliance Gap

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

HIPAA and Mental Health Privacy:

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Richard Gadsden Information Security Office Office of the CIO Information Services

Joe Dylewski President, ATMP Solutions

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

CForum: A Community Driven Solution to Cybersecurity Challenges

Understanding the NIST Cybersecurity Framework September 30, 2014

Assessing Your HIPAA Compliance Risk

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

HIPAA and HITECH Compliance for Cloud Applications

FACT SHEET: Ransomware and HIPAA

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

2016 OCR AUDIT E-BOOK

The NIST Cybersecurity Framework

Ed McMurray, CISA, CISSP, CTGA CoNetrix

CONCEPTS IN CYBER SECURITY

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

CSF Support for HIPAA and NIST Implementation and Compliance

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Privacy & Security. Risk Management Strategies for Healthcare Data. Ohio Hospital Association Centennial Annual Meeting.

An Independent Member of Baker Tilly International

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Security Rule Compliance

The HIPAA Audit Program

Frequently Asked Questions about the HITRUST Risk Management Framework

Transcription:

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014

Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, Feb. 12, 2013 The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work 2

Based on the Executive Order, the Cybersecurity Framework Must... Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations 3

The Cybersecurity Framework Is for Organizations Of any size, in any sector in the critical infrastructure That already have a mature cyber risk management and cybersecurity program That don t yet have a cyber risk management or cybersecurity program With a mission of helping keep up-to-date on managing risk and facing business or societal threats 4

Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Cybersecurity activities and informative references, organized around particular outcomes Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 5

Framework Core What assets need protection? What safeguards are available? What techniques can detect incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? 6

Framework Profile Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities Can be used to describe current state or desired target state of cybersecurity activities 7

How to Use the Cybersecurity Framework The Framework is designed to complement existing business and cybersecurity operations, and can be used to: Understand security status Establish / Improve a cybersecurity program Communicate cybersecurity requirements with stakeholders, including partners and suppliers Identify opportunities for new or revised standards Identify tools and technologies to help organizations use the Framework Integrate privacy and civil liberties considerations into a cybersecurity program 8

Key Points about the Framework It s a framework, not a prescription It s the result of a public-private partnership The framework is a living document 9

The HIPAA Security Rule and the NIST Cybersecurity Framework OCR/NIST Conference September 23, 2014 Linda Sanches, Senior Advisor HHS Office for Civil Rights (OCR)

Cyber Security and Type of Breach 500+ Breaches by Type of Breach as of 9/2014 Hacking/IT incidents represent 8% of all 500+ breaches, but may rise now that Community Health has been reported affecting 4.5 million patients U.S. Department of Health and Human Services, Office for Civil Rights September 23, 2014 slide 2

500+ Breaches by Location of Breach Paper accounts for 21% of incidents September 23, 2014 slide 3

Audit Findings and Observations No findings or observations for 13 entities (11%) 2 Providers, 9 Health Plans, 2 Clearinghouses Security accounted for 60% of the findings and observations although only 28% of potential total. Providers had a greater proportion of findings & observations (65%) than reflected by their proportion of the total set (53%). Smaller, Level 4 entities struggle with all three areas U.S. Department of Health and Human Services, Office for Civil Rights September 23, 2014 slide 4

Key Security Rule Findings 58 of 59 providers had at least one Security Rule finding or observation No complete and accurate risk assessment in two thirds of entities 47 of 59 providers, 20 out of 35 health plans and 2 out of 7 clearinghouses Key take away: Most covered entities have not identified the risks and vulnerabilities of their environment, and therefore are failing to adequately safeguard PHI. September 23, 2014 slide 5

Appropriate Safeguards Prevent Breaches Evaluate the risk to e-phi when at rest on removable media, mobile devices and computer hard drives Take reasonable and appropriate measures to safeguard e-phi Store all e-phi to a network Encrypt data stored on portable/movable devices & media Employ a remote device wipe to remove data when lost or stolen Train workforce members on how to effectively safeguard data and timely report security incidents September 23, 2014 slide 7

More Information http://www.hhs.gov/ocr/privacy/ 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information