SlideShare a Scribd company logo

Detroit ISSA Healthcare Cybersecurity

Doug Copley
Doug Copley
1 of 38
Download to read offline
Doug Copley – Beaumont Health & Michigan Healthcare Cybersecurity Council Cybersecurity Challenges in Healthcare
1. Insight on specific cybersecurity threats healthcare organizations face on a daily basis 2. Practical advice for reducing the risk of cybersecurity threats 3. A perspective on reaching outside your organizational boundaries to reduce cybersecurity risk & improve preparedness Take-Aways From This Session
Healthcare Cybersecurity Headlines✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda
Healthcare Headline 1
Healthcare Headline 2
Healthcare Headline 3
Healthcare Headline 4
Healthcare Headline 5
Healthcare Headline 6
Healthcare Headline 7
Healthcare Headline 8
Healthcare Headline 9 Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Healthcare Industry Cybersecurity Trends
• Healthcare data most valuable • Phishing/email is easiest method of attack • Cyber defense improving, but still lagging • Medical facilities use credit cards nearly as much as retailers • More are purchasing cyber insurance • OCR and CMS doing more audits • Fines being issued for lack of “basics” • Likely we will get more regulations Healthcare Cyber Trends
Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Cybersecurity Issues Unique to Healthcare
• Patient Care • Quality & Safety • Real-time Access to Information, Regardless of Where it is • Flow of Data Needs to be Seamless, to Patients, Providers and Payers • Most Medical Devices Are “Connected” • iPads, iPhones, Tablets, etc. are Required Understanding Healthcare Needs
I researched your symptoms and condition on Wikipedia. If you would like a second opinion, my colleague can look them up on Google… - OR - Patient Fear
You don’t have your results yet? My neighbor’s son found lab results on a Russian hacking site. I’ll have him find your lab results from last week for you. Patient Fear
• Healthcare records are most valuable. Why? • Typing passwords slows down patient care • So much patient data flows outside the organizations daily • So much access to patient data, a malicious insider is difficult to detect • Medical device manufacturers Cyber Challenges
2007 – Vice President Dick Cheney feared terrorists had the technology to send a fatal shock to his pacemaker, so he had his doctors disable its wireless capability. Connected Medical Devices
• Many systems are supported by remote vendors with privileged access • Security education is difficult to prioritize for clinical staff (time away from patients) • Security protections cost money • What is a MU security risk assessment? • Easier & quicker to share accounts instead of giving each staff member an account Cyber Challenges
Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Cybersecurity Liabilities for Physician Offices Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Applying Practical Remedies to Reduce Risk
• Key is appropriately managing the risks – Policies & procedures (administrative) – Technology tools (technical) – Control physical access (physical) • Risk/Cost decision: Do we need to: – Prevent it from happening? – Detect & respond when it happens? – Would it automatically get corrected? – Do we get cyber insurance? Managing Cyber Risk
1. Have a Plan – Decide on a framework (HiTrust, NIST, ISO, etc.) – Build relationships with Compliance, Audit, Risk – Prioritize efforts based on risk 2. Understand your environment – Understand your business – Users and equipment on the network – Understand data flows, particularly off-network 3. Manage your vendors and business associates Practical Steps To Security
4. Write easy-to-understand policies and EDUCATE 5. Leverage virtualization (Citrix for abstraction) 6. Manage the data on personal phones & tablets 7. Deploy SSO with badge readers – Simpler & quicker for clinical users 8. Don’t let insecure devices on your corporate network – segment if needed, or leverage VDI (for example XP you can’t eliminate) Practical Steps To Security
9. Medical devices… push vendors and use FDA guidance and partnerships as leverage 10.Blocking & tackling – Awareness & Education – make it relevant!! – Strong HW, SW, medical device asset mgmt – System scanning & PATCHING – Log event monitoring & incident response • Watch outbound, not just inbound activity – Data loss prevention – Restrictions on removable media Practical Steps To Security
Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Where to Begin
6-Step Security Cycle Perform a Risk Assessment Inventory Your PHI Develop a Security Strategy Train Employees Implement Policies, Processes, and Technologies Have an Incident Response Plan Ready (Source: Healthcare IT News)
Regulators expect a risk assessment to drive privacy and security safeguards. Key questions from the guidance: 1. Have you identified the e-PHI within your organization? (create, receive, maintain or transmit) 2. What are the external sources of e-PHI? (vendors, consultants) 3. What are the threats to systems that contain e-PHI? Risk assessment results should help determine: 1. Appropriate personnel screening processes 2. Identify what data to backup and how 3. Decide whether to use encryption 4. Identify what data must be authenticated 5. Determine data transmission safeguards Where to Begin Purpose of Risk Analysis
Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Cyber Liability Insurance Question & Answer 2 4 3 6 5 7 Agenda Building Security Without Boundaries
• Resources are ALWAYS constrained – Reason for risk-based prioritization – Outsource if necessary, but commodity functions • Encourage and reward innovation – May increase productivity – Can help improve morale • Look for external funding – Federal & State grants may be available – May be able to participate in outside initiatives Building Security Without Boundaries
Build partnerships outside your organization In healthcare, key resources are: 1. Peer organizations – non-profit and for-profit 2. State - Dept. of Community Health 3. State - Health Information Exchanges 4. State - Health & Hospital Association 5. HiTrust & NH-ISAC 6. Federal – Health & Human Services 7. Federal – FBI & InfraGard 8. Federal – Homeland Security Leverage Key Partnerships
Goals of MHCC efforts: • Bring Michigan healthcare organizations together toward a common purpose • To protect MI critical healthcare infrastructure • To leverage public/private partnerships to improve healthcare cybersecurity preparedness • Apply best practices and consistent protections to common challenges • Deliver actionable materials all healthcare entities can use Michigan Healthcare Cybersecurity Council (www.mihcc.org)
MIHCC Participating Organizations
Healthcare National Meeting Last Fall: • Representatives from some of the largest healthcare entities in the country • Local and national presence from FBI • Homeland Security and HHS were engaged Purpose is to collaborate and tackle cybersecurity preparedness across all critical stakeholders Strong desire in public and private sectors to improve collaboration and act as one toward a common goal Flushed out needs and challenges Very Strong Desire To Improve at a Federal and State Level
Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Question & Answer
Questions?
Thank You! Doug Copley doug.copley@mihcc.org

Recommended

Tcs cybersecurity for healthcare
Tcs cybersecurity for healthcareTcs cybersecurity for healthcare
Tcs cybersecurity for healthcare
Comtech TCS
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in Healthcare
Doug Copley
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in Healthcare
CompTIA
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
SecurityMetrics
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
Globus
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
jhietala
 
Ivanti Threat Thursday for April 30
Ivanti Threat Thursday for April 30Ivanti Threat Thursday for April 30
Ivanti Threat Thursday for April 30
Ivanti
 

Recommended

Tcs cybersecurity for healthcare
Tcs cybersecurity for healthcareTcs cybersecurity for healthcare
Tcs cybersecurity for healthcare
Comtech TCS
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in Healthcare
Doug Copley
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in Healthcare
CompTIA
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
SecurityMetrics
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
Globus
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
jhietala
 
Ivanti Threat Thursday for April 30
Ivanti Threat Thursday for April 30Ivanti Threat Thursday for April 30
Ivanti Threat Thursday for April 30
Ivanti
 
Medical device security presentation - Frank Siepmann
Medical device security presentation - Frank SiepmannMedical device security presentation - Frank Siepmann
Medical device security presentation - Frank Siepmann
Frank Siepmann
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
Dave Darnell
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
Doug Copley
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
Ernest Staats
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
How to Build Your Own Cyber Security Framework using a Balanced ScorecardHow to Build Your Own Cyber Security Framework using a Balanced Scorecard
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
EnergySec
 
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
shawn_merdinger
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the foll
AISHA232980
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Puneet Kukreja
 
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
OnRamp
 
Securing the Cloud by Matthew Rosenquist 2016
Securing the Cloud by Matthew Rosenquist 2016Securing the Cloud by Matthew Rosenquist 2016
Securing the Cloud by Matthew Rosenquist 2016
Matthew Rosenquist
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
Steve Knapp
 
2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum 2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum
Carolyn Slade, MS-HIM
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
data brackets
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
SafisSolutions
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
Ernest Staats
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
Healthegy
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
AdilsonSuende
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
Matthew Rosenquist
 
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Sri Bharadwaj
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
Livingstone Advisory
 

More Related Content

What's hot

Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
Dave Darnell
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
How to Build Your Own Cyber Security Framework using a Balanced ScorecardHow to Build Your Own Cyber Security Framework using a Balanced Scorecard
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
EnergySec
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Puneet Kukreja
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
Steve Knapp
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
data brackets
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
Matthew Rosenquist
 

What's hot (20)

Medical device security presentation - Frank Siepmann
Medical device security presentation - Frank SiepmannMedical device security presentation - Frank Siepmann
Medical device security presentation - Frank Siepmann
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
How to Build Your Own Cyber Security Framework using a Balanced ScorecardHow to Build Your Own Cyber Security Framework using a Balanced Scorecard
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
 
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the foll
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
 
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
 
Securing the Cloud by Matthew Rosenquist 2016
Securing the Cloud by Matthew Rosenquist 2016Securing the Cloud by Matthew Rosenquist 2016
Securing the Cloud by Matthew Rosenquist 2016
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum 2015 Atlanta CHIME Lead Forum
2015 Atlanta CHIME Lead Forum
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 
Cybersecurity in medical devices
Cybersecurity in medical devicesCybersecurity in medical devices
Cybersecurity in medical devices
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
 

Similar to Detroit ISSA Healthcare Cybersecurity

Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance program
Siddharth Janakiram
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
at MicroFocus Italy ❖✔
 
Panel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggoner
mihinpr
 

Similar to Detroit ISSA Healthcare Cybersecurity (20)

Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael
 
Webinar: Overcoming it challenges
Webinar: Overcoming it challengesWebinar: Overcoming it challenges
Webinar: Overcoming it challenges
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
 
Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case Study
 
Improve Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small EnterpriseImprove Information Security Practices in the Small Enterprise
Improve Information Security Practices in the Small Enterprise
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance program
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
 
ATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applicationsATAGTR2017 Security Testing for Healthcare applications
ATAGTR2017 Security Testing for Healthcare applications
 
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
 
Panel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggoner
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?
 
Digital trust and cyber challenge now extends beyond the Enterprise
Digital trust and cyber challenge now extends beyond the Enterprise Digital trust and cyber challenge now extends beyond the Enterprise
Digital trust and cyber challenge now extends beyond the Enterprise
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
The 10 Most Trusted Healthcare IT Security Solution Providers 2018
The 10 Most Trusted Healthcare IT Security Solution Providers 2018The 10 Most Trusted Healthcare IT Security Solution Providers 2018
The 10 Most Trusted Healthcare IT Security Solution Providers 2018
 

Detroit ISSA Healthcare Cybersecurity

  • 1. Doug Copley – Beaumont Health & Michigan Healthcare Cybersecurity Council Cybersecurity Challenges in Healthcare
  • 2. 1. Insight on specific cybersecurity threats healthcare organizations face on a daily basis 2. Practical advice for reducing the risk of cybersecurity threats 3. A perspective on reaching outside your organizational boundaries to reduce cybersecurity risk & improve preparedness Take-Aways From This Session
  • 3. Healthcare Cybersecurity Headlines✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda
  • 12. Healthcare Headline 9 Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 13. Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Healthcare Industry Cybersecurity Trends
  • 14. • Healthcare data most valuable • Phishing/email is easiest method of attack • Cyber defense improving, but still lagging • Medical facilities use credit cards nearly as much as retailers • More are purchasing cyber insurance • OCR and CMS doing more audits • Fines being issued for lack of “basics” • Likely we will get more regulations Healthcare Cyber Trends
  • 15. Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Cybersecurity Issues Unique to Healthcare
  • 16. • Patient Care • Quality & Safety • Real-time Access to Information, Regardless of Where it is • Flow of Data Needs to be Seamless, to Patients, Providers and Payers • Most Medical Devices Are “Connected” • iPads, iPhones, Tablets, etc. are Required Understanding Healthcare Needs
  • 17. I researched your symptoms and condition on Wikipedia. If you would like a second opinion, my colleague can look them up on Google… - OR - Patient Fear
  • 18. You don’t have your results yet? My neighbor’s son found lab results on a Russian hacking site. I’ll have him find your lab results from last week for you. Patient Fear
  • 19. • Healthcare records are most valuable. Why? • Typing passwords slows down patient care • So much patient data flows outside the organizations daily • So much access to patient data, a malicious insider is difficult to detect • Medical device manufacturers Cyber Challenges
  • 20. 2007 – Vice President Dick Cheney feared terrorists had the technology to send a fatal shock to his pacemaker, so he had his doctors disable its wireless capability. Connected Medical Devices
  • 21. • Many systems are supported by remote vendors with privileged access • Security education is difficult to prioritize for clinical staff (time away from patients) • Security protections cost money • What is a MU security risk assessment? • Easier & quicker to share accounts instead of giving each staff member an account Cyber Challenges
  • 22. Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Cybersecurity Liabilities for Physician Offices Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Applying Practical Remedies to Reduce Risk
  • 23. • Key is appropriately managing the risks – Policies & procedures (administrative) – Technology tools (technical) – Control physical access (physical) • Risk/Cost decision: Do we need to: – Prevent it from happening? – Detect & respond when it happens? – Would it automatically get corrected? – Do we get cyber insurance? Managing Cyber Risk
  • 24. 1. Have a Plan – Decide on a framework (HiTrust, NIST, ISO, etc.) – Build relationships with Compliance, Audit, Risk – Prioritize efforts based on risk 2. Understand your environment – Understand your business – Users and equipment on the network – Understand data flows, particularly off-network 3. Manage your vendors and business associates Practical Steps To Security
  • 25. 4. Write easy-to-understand policies and EDUCATE 5. Leverage virtualization (Citrix for abstraction) 6. Manage the data on personal phones & tablets 7. Deploy SSO with badge readers – Simpler & quicker for clinical users 8. Don’t let insecure devices on your corporate network – segment if needed, or leverage VDI (for example XP you can’t eliminate) Practical Steps To Security
  • 26. 9. Medical devices… push vendors and use FDA guidance and partnerships as leverage 10.Blocking & tackling – Awareness & Education – make it relevant!! – Strong HW, SW, medical device asset mgmt – System scanning & PATCHING – Log event monitoring & incident response • Watch outbound, not just inbound activity – Data loss prevention – Restrictions on removable media Practical Steps To Security
  • 27. Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Where to Begin
  • 28. 6-Step Security Cycle Perform a Risk Assessment Inventory Your PHI Develop a Security Strategy Train Employees Implement Policies, Processes, and Technologies Have an Incident Response Plan Ready (Source: Healthcare IT News)
  • 29. Regulators expect a risk assessment to drive privacy and security safeguards. Key questions from the guidance: 1. Have you identified the e-PHI within your organization? (create, receive, maintain or transmit) 2. What are the external sources of e-PHI? (vendors, consultants) 3. What are the threats to systems that contain e-PHI? Risk assessment results should help determine: 1. Appropriate personnel screening processes 2. Identify what data to backup and how 3. Decide whether to use encryption 4. Identify what data must be authenticated 5. Determine data transmission safeguards Where to Begin Purpose of Risk Analysis
  • 30. Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Cyber Liability Insurance Question & Answer 2 4 3 6 5 7 Agenda Building Security Without Boundaries
  • 31. • Resources are ALWAYS constrained – Reason for risk-based prioritization – Outsource if necessary, but commodity functions • Encourage and reward innovation – May increase productivity – Can help improve morale • Look for external funding – Federal & State grants may be available – May be able to participate in outside initiatives Building Security Without Boundaries
  • 32. Build partnerships outside your organization In healthcare, key resources are: 1. Peer organizations – non-profit and for-profit 2. State - Dept. of Community Health 3. State - Health Information Exchanges 4. State - Health & Hospital Association 5. HiTrust & NH-ISAC 6. Federal – Health & Human Services 7. Federal – FBI & InfraGard 8. Federal – Homeland Security Leverage Key Partnerships
  • 33. Goals of MHCC efforts: • Bring Michigan healthcare organizations together toward a common purpose • To protect MI critical healthcare infrastructure • To leverage public/private partnerships to improve healthcare cybersecurity preparedness • Apply best practices and consistent protections to common challenges • Deliver actionable materials all healthcare entities can use Michigan Healthcare Cybersecurity Council (www.mihcc.org)
  • 35. Healthcare National Meeting Last Fall: • Representatives from some of the largest healthcare entities in the country • Local and national presence from FBI • Homeland Security and HHS were engaged Purpose is to collaborate and tackle cybersecurity preparedness across all critical stakeholders Strong desire in public and private sectors to improve collaboration and act as one toward a common goal Flushed out needs and challenges Very Strong Desire To Improve at a Federal and State Level
  • 36. Healthcare Cybersecurity Headlines ✓ 1 Healthcare Industry Cybersecurity Trends Cybersecurity Issues Unique to Healthcare Applying Practical Remedies to Reduce Risk Where to Begin Building Security Without Boundaries Question & Answer 2 4 3 6 5 7 Agenda Question & Answer