The 10 Most Trusted Healthcare IT Security Solution Providers 2018
Detroit ISSA Healthcare Cybersecurity
1. Doug Copley – Beaumont Health & Michigan Healthcare Cybersecurity Council
Cybersecurity Challenges in Healthcare
2. Take-Aways From This Session
1. Insight on specific cybersecurity threats healthcare organizations face on a daily basis
2. Practical advice for reducing the risk of cybersecurity threats
3. A perspective on reaching outside your organizational boundaries to reduce cybersecurity risk & improve preparedness
3. Agenda
1. Healthcare Cybersecurity Headlines ✓
2. Healthcare Industry Cybersecurity Trends
3. Cybersecurity Issues Unique to Healthcare
4. Applying Practical Remedies to Reduce Risk
5. Where to Begin
6. Building Security Without Boundaries
7. Question & Answer
Healthcare Industry Cybersecurity Trends
14. Healthcare Cyber Trends
• Healthcare data most valuable
• Phishing/email is easiest method of attack
• Cyber defense improving, but still lagging
• Medical facilities use credit cards nearly as much as retailers
• More are purchasing cyber insurance
• OCR and CMS doing more audits
• Fines being issued for lack of “basics”
• Likely we will get more regulations
Cybersecurity Issues Unique to Healthcare
16. Understanding Healthcare Needs
• Patient Care
• Quality & Safety
• Real-time Access to Information, Regardless of Where it is
• Flow of Data Needs to be Seamless, to Patients, Providers and Payers
• Most Medical Devices Are “Connected”
• iPads, iPhones, Tablets, etc. are Required
17. Patient Fear
I researched your symptoms and condition on Wikipedia. If you would like a second opinion, my colleague can look them up on Google…
- OR -
18. Patient Fear
You don’t have your results yet? My neighbor’s son found lab results on a Russian hacking site. I’ll have him find your lab results from last week for you.
19. Cyber Challenges
• Healthcare records are most valuable. Why?
• Typing passwords slows down patient care
• So much patient data flows outside the organizations daily
• So much access to patient data, a malicious insider is difficult to detect
• Medical device manufacturers
20. Connected Medical Devices
2007 – Vice President Dick Cheney feared terrorists had the technology to send a fatal shock to his pacemaker, so he had his doctors disable its wireless capability.
21. Cyber Challenges
• Many systems are supported by remote vendors with privileged access
• Security education is difficult to prioritize for clinical staff (time away from patients)
• Security protections cost money
• What is a MU security risk assessment?
• Easier & quicker to share accounts instead of giving each staff member an account
Applying Practical Remedies to Reduce Risk
23. Managing Cyber Risk
• Key is appropriately managing the risks
  – Policies & procedures (administrative)
  – Technology tools (technical)
  – Control physical access (physical)
• Risk/Cost decision: Do we need to:
  – Prevent it from happening?
  – Detect & respond when it happens?
  – Would it automatically get corrected?
  – Do we get cyber insurance?
24. Practical Steps To Security
1. Have a Plan
  – Decide on a framework (HiTrust, NIST, ISO, etc.)
  – Build relationships with Compliance, Audit, Risk
  – Prioritize efforts based on risk
2. Understand your environment
  – Understand your business
  – Users and equipment on the network
  – Understand data flows, particularly off-network
3. Manage your vendors and business associates
25. Practical Steps To Security
4. Write easy-to-understand policies and EDUCATE
5. Leverage virtualization (Citrix for abstraction)
6. Manage the data on personal phones & tablets
7. Deploy SSO with badge readers
  – Simpler & quicker for clinical users
8. Don’t let insecure devices on your corporate network – segment if needed, or leverage VDI (for example XP you can’t eliminate)
26. Practical Steps To Security
9. Medical devices… push vendors and use FDA guidance and partnerships as leverage
10. Blocking & tackling
  – Awareness & Education – make it relevant!!
  – Strong HW, SW, medical device asset mgmt
  – System scanning & PATCHING
  – Log event monitoring & incident response
    • Watch outbound, not just inbound activity
  – Data loss prevention
  – Restrictions on removable media
Where to Begin
28. 6-Step Security Cycle
• Perform a Risk Assessment
• Inventory Your PHI
• Develop a Security Strategy
• Train Employees
• Implement Policies, Processes, and Technologies
• Have an Incident Response Plan Ready
(Source: Healthcare IT News)
29. Where to Begin: Purpose of Risk Analysis
Regulators expect a risk assessment to drive privacy and security safeguards. Key questions from the guidance:
1. Have you identified the e-PHI within your organization? (create, receive, maintain or transmit)
2. What are the external sources of e-PHI? (vendors, consultants)
3. What are the threats to systems that contain e-PHI?
Risk assessment results should help determine:
1. Appropriate personnel screening processes
2. Identify what data to back up and how
3. Decide whether to use encryption
4. Identify what data must be authenticated
5. Determine data transmission safeguards
Building Security Without Boundaries
31. Building Security Without Boundaries
• Resources are ALWAYS constrained
  – Reason for risk-based prioritization
  – Outsource if necessary, but commodity functions
• Encourage and reward innovation
  – May increase productivity
  – Can help improve morale
• Look for external funding
  – Federal & State grants may be available
  – May be able to participate in outside initiatives
32. Leverage Key Partnerships
Build partnerships outside your organization
In healthcare, key resources are:
1. Peer organizations – non-profit and for-profit
2. State – Dept. of Community Health
3. State – Health Information Exchanges
4. State – Health & Hospital Association
5. HiTrust & NH-ISAC
6. Federal – Health & Human Services
7. Federal – FBI & InfraGard
8. Federal – Homeland Security
33. Michigan Healthcare Cybersecurity Council (www.mihcc.org)
Goals of MHCC efforts:
• Bring Michigan healthcare organizations together toward a common purpose
• To protect MI critical healthcare infrastructure
• To leverage public/private partnerships to improve healthcare cybersecurity preparedness
• Apply best practices and consistent protections to common challenges
• Deliver actionable materials all healthcare entities can use
35. Very Strong Desire To Improve at a Federal and State Level
Healthcare National Meeting Last Fall:
• Representatives from some of the largest healthcare entities in the country
• Local and national presence from FBI
• Homeland Security and HHS were engaged
Purpose is to collaborate and tackle cybersecurity preparedness across all critical stakeholders
Strong desire in public and private sectors to improve collaboration and act as one toward a common goal
Fleshed out needs and challenges
Question & Answer