Cybersecurity Challenges in Healthcare. Doug Copley Beaumont Health & Michigan Healthcare Cybersecurity Council




Healthcare Headlines
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Understanding Healthcare Needs
- Patient care quality & safety
- Real-time access to information, regardless of where it is
- Flow of data needs to be seamless, to patients, providers and payers
- Most medical devices are connected
- iPads, iPhones, tablets, etc. are required

Healthcare Cyber Trends
- Healthcare data is the most valuable
- Phishing/email is the easiest method of attack
- Cyber defense is improving, but still lagging
- Medical facilities use credit cards nearly as much as retailers
- More are purchasing cyber insurance
- OCR and CMS are doing more audits
- Fines are being issued for lack of basics
- Likely we will get more regulations

Cyber Challenges
- Healthcare records are the most valuable. Why?
- Typing passwords slows down patient care
- So much patient data flows outside the organization daily
- So much access to patient data that a malicious insider is difficult to detect
- Medical device manufacturers

Connected Medical Devices
In 2007, Vice President Dick Cheney feared terrorists had the technology to send a fatal shock to his pacemaker, so he had his doctors disable its wireless capability.

Cyber Challenges (continued)
- Many systems are supported by remote vendors with privileged access
- Security education is difficult to prioritize for clinical staff (time away from patients)
- Security protections cost money
- What is a MU (Meaningful Use) security risk assessment?
- It is easier & quicker to share accounts instead of giving each staff member an account

Managing Cyber Risk
The key is appropriately managing the risks:
- Policies & procedures (administrative)
- Technology tools (technical)
- Control physical access (physical)
Risk/cost decision. Do we need to:
- Prevent it from happening?
- Detect & respond when it happens?
- Would it automatically get corrected?
- Do we get cyber insurance?

Practical Steps To Security
1. Have a plan
   - Decide on a framework (HITRUST, NIST, ISO, etc.)
   - Build relationships with Compliance, Audit, Risk
   - Prioritize efforts based on risk
2. Understand your environment
   - Understand your business
   - Users and equipment on the network
   - Understand data flows, particularly off-network
3. Manage your vendors and business associates
4. Write easy-to-understand policies and EDUCATE
5. Leverage virtualization (Citrix for abstraction)
6. Manage the data on personal phones & tablets
7. Deploy SSO with badge readers: simpler & quicker for clinical users
8. Don't let insecure devices on your corporate network; segment if needed, or leverage VDI (for example, XP you can't eliminate)
9. Medical devices: push vendors, and use FDA guidance and partnerships as leverage
10. Blocking & tackling
   - Awareness & education: make it relevant!!
   - Strong HW, SW and medical device asset management
   - System scanning & PATCHING
   - Log event monitoring & incident response
   - Watch outbound, not just inbound activity
   - Data loss prevention
   - Restrictions on removable media
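Two of the points above, the shared-account challenge and "watch outbound, not just inbound" from a segmented device network, can be turned into simple log-monitoring rules. The script below is an added example written for this page, not material from the presentation or from MIHCC; the event format, the 10.50.0.0/16 medical-device segment, the 10.0.0.0/8 corporate range and the vendor allow-list address are all assumptions, and the log lines are constructed.

```python
"""Two log-monitoring detections for healthcare environments (constructed sample data):
1. a shared account used from several workstations within a short window
2. outbound connections from the medical-device segment to hosts outside the
   corporate range that are not on the vendor support allow-list."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events in an assumed key=value format (not real logs).
EVENTS = """\
ts=2015-07-01T08:00:00 type=login user=nurse3 host=WS-ICU-01
ts=2015-07-01T08:04:00 type=login user=nurse3 host=WS-ICU-07
ts=2015-07-01T09:30:00 type=login user=nurse3 host=WS-ICU-01
ts=2015-07-01T08:10:00 type=conn src=10.50.1.23 dst=203.0.113.10 dport=443
ts=2015-07-01T08:11:00 type=conn src=10.50.1.23 dst=198.51.100.77 dport=22
ts=2015-07-01T08:12:00 type=conn src=10.20.4.9 dst=198.51.100.77 dport=443
"""
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")       # assumed medical-device VLAN
CORPORATE = ipaddress.ip_network("10.0.0.0/8")              # assumed internal address space
VENDOR_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}   # assumed vendor support host
WINDOW = timedelta(minutes=15)  # logins this close from different hosts suggest sharing

def parse(text):
    """Turn key=value lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def shared_accounts(events):
    """Return {user: set(hosts)} for users seen logging in from >1 host within WINDOW."""
    logins = defaultdict(list)
    for ev in events:
        if ev["type"] == "login":
            logins[ev["user"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()  # compare each login with the next one in time order
        for (t1, h1), (t2, h2) in zip(entries, entries[1:]):
            if h1 != h2 and t2 - t1 <= WINDOW:
                flagged.setdefault(user, set()).update({h1, h2})
    return flagged

def unexpected_outbound(events):
    """Return (src, dst, dport) for device-segment traffic leaving the corporate
    range toward a destination that is not an allow-listed vendor host."""
    hits = []
    for ev in events:
        if ev["type"] != "conn":
            continue
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        if src in DEVICE_SEGMENT and dst not in CORPORATE and dst not in VENDOR_ALLOWLIST:
            hits.append((str(src), str(dst), int(ev["dport"])))
    return hits
```

On the sample data, nurse3 is flagged for the two ICU workstations used four minutes apart, and the device at 10.50.1.23 is flagged for its SSH connection to a host that is not the vendor's.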

6-Step Security Cycle
- Perform a risk assessment
- Have an incident response plan ready
- Inventory your PHI
- Implement policies, processes, and technologies
- Develop a security strategy
- Train employees
(Source: Healthcare IT News)

Where to Begin: Purpose of Risk Analysis
Regulators expect a risk assessment to drive privacy and security safeguards.
Key questions from the guidance:
1. Have you identified the e-PHI within your organization? (create, receive, maintain or transmit)
2. What are the external sources of e-PHI? (vendors, consultants)
3. What are the threats to systems that contain e-PHI?
Risk assessment results should help determine:
1. Appropriate personnel screening processes
2. What data to back up and how
3. Whether to use encryption
4. What data must be authenticated
5. Data transmission safeguards

Leverage Key Partnerships
Build partnerships outside your organization. In healthcare, key resources are:
1. Peer organizations, non-profit and for-profit
2. State - Dept. of Community Health
3. State - Health Information Exchanges
4. State - Health & Hospital Association
5. HITRUST & NH-ISAC
6. Federal - Health & Human Services
7. Federal - FBI & InfraGard
8. Federal - Homeland Security

Michigan Healthcare Cybersecurity Council (www.mihcc.org)
Goals of MHCC efforts:
- Bring Michigan healthcare organizations together toward a common purpose
- Protect MI critical healthcare infrastructure
- Leverage public/private partnerships to improve healthcare cybersecurity preparedness
- Apply best practices and consistent protections to common challenges
- Deliver actionable materials all healthcare entities can use

MIHCC Participating Organizations

Questions?

Doug Copley doug.copley@mihcc.org Thank You!