Post on 12-Sep-2020
Slide Deck: http://goo.gl/ChslTo Webex Support 1-866-223-3239
Event #666 436 339
“Privacy, Security & the CIO”
A Complimentary Webinar From healthsystemCIO.com
Sponsored by Redspin
Your Line Will Be Silent Until Our Event Begins
Thank You!
Housekeeping
• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com
• Ask A Question: We will be holding a Q&A session after the formal presentations. You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, typing your question in the text field and hitting send. Please keep the send-to default as “All Panelists.”
• Download the Deck: Go to http://healthsystemcio.com/presentation/security-noga-webinar.pdf. The shortened link appears on most slides.
• View the Archive: You will receive an email when our archive recording is ready. Separate registration is required.
Agenda — 45 Minutes
• 20 minutes: Jim Noga, VP/CIO, Partners HealthCare
• 5 minutes: A Word From Our Sponsor: Dan Berger, President/CEO, Redspin
• 20 minutes: Q&A w/Jim Noga
Presentation Overview
In 2011, Partners HealthCare decided to implement an organization-wide information security program based on ISO 27000, NIST Special Publications, and other industry information security standards.
To facilitate this effort, Partners conducted an evaluation of the organization's information security and privacy program with the assistance of a third party.
The evaluation mapped Partners HealthCare's security capabilities to the ISO 27000 framework and recommended an overall strategy for implementing that framework.
This presentation provides:
• An overview of the findings and recommendations; and
• An overview of the plan for addressing the findings, and implementing an information security and privacy framework for the Partners HealthCare system.
Relative Security Posture by Industry
(Chart comparing the security posture of industries: Financial Services, Aerospace, Energy and Utilities, Agriculture, Forestry & Fishing, Retail, Healthcare, Technology, and Defense & Intelligence.)
Industry Comparison and Target Maturity
Partners' information security maturity compared to peer organizations and other industries.
(Chart: current maturity and target maturity for each Information Security Domain, rated on a scale of 1 Initial, 2 Repeatable, 3 Defined, 4 Measured, 5 Optimized, shown for Peer Group*, Life Sciences**, Financial Industry**, PHS Year 1, PHS Year 2 and PHS Year 3.)
Information Security Domains:
• Infrastructure Security
• Identity & Access Management
• Cyber Threat Management
• Data Protection
• Secure Development Lifecycle
• Third Party Risk Management
• IT Risk and Compliance Management
• IT Operations
• Business Continuity Management
*Peer Group comprised of four reputed Academic Medical Centers and/or large healthcare systems
The Lighthouse Project - Overview
Partners HealthCare has developed a plan for addressing the project streams based on maturity and risks. This effort resulted in the Partners HealthCare Lighthouse Project.
• The Lighthouse Project will implement a common information security and privacy framework across the Partners HealthCare system, setting an organizational standard for the confidentiality, integrity and availability of patient information.
• The Lighthouse Project will guide Partners’ employees, residents, researchers and staff as to the requirements and the best practices for securing the patient information and systems critical to the organization’s business objectives.
• The Lighthouse Project will build upon previous efforts and investments, and incorporate these into a series of planned subprojects over a three year timeline.
Zones of Control
(Diagram: an outer Academic Research zone surrounding an inner Core Clinicals and Clinical Research zone.)
• The Lighthouse Project will establish “zones of control”, in which the security model will be more restrictive in the inner, “managed” zones.[1]
• Outer zones will also be secure, but in a more flexible manner better aligned with the collaborative nature of academic research.
• Where appropriate, technology will be used to enforce the zones of control. The technologies used will be discussed later in the presentation.
• However, individuals will ultimately be responsible for their compliance. Thus, training the workforce, and enforcing and monitoring compliance will be critical to the success of this approach.
[1] Note: some information and systems will be “zoned” more rigorously than others due to specific regulations, such as the PCI-DSS requirements.
Identity Management – Risk Model
The Lighthouse Project will also establish controls appropriate for the risk posed by different organizational actors, with the controls stricter for actors with the greatest access to information and systems.
Project Streams
PS1. Information security organization restructuring
• Establish a new information security and privacy staffing model for implementing and managing a standards-based information security and privacy program.
PS2. PCI DSS readiness and compliance
• Review the current approach to compliance with the Payment Card Industry Data Security Standard (PCI-DSS), and implement enhancements as necessary.
PS3. Network re-architecture and network access management
• Implement enhancements to overall network information security.
PS4. MSSP transition
• Determine the approach to outsourcing specific information security services to a managed security services provider (MSSP) to achieve greater efficiencies and return on investment.
PS5. Information security policies and procedures update
• Review and establish a common information security and privacy policy framework applicable to all Partners entities.
PS6. Incident management
• Enhance current approaches to information security and privacy incident handling.
PS7. Information security risk management process
• Establish and staff a risk assessment program to proactively assess information security risks.
Recommended Project Streams
PS8. Data and asset management
• Establish an approach for ensuring that data is appropriately classified, and that only authorized assets are used for accessing, maintaining, and transmitting ePHI and other forms of confidential information.
PS9. Identity and access management
• Define and operationalize an enhanced approach to managing how individuals gain access to systems containing ePHI, as well as other technology resources.
PS10. Secure SDLC process
• Enhance the approach to ensuring that applications developed by PHS and vendors are secure through the use of secure development technologies and practices.
PS11. Business continuity management
• Develop a strategy for implementing Business Continuity and Disaster Recovery throughout the organization.[1]
PS12. Security training and awareness
• Develop a common information security and privacy awareness and training program that will be mandatory for all workforce members.
PS13. Information systems monitoring
• Implement automated technical means of monitoring data and systems to ensure their confidentiality, integrity and availability.
PS14. Third-party risk management
• Define a strategy and program to manage third-party-related security risks, tying this to the risk management program described in PS7.
[1] Business Continuity Management will be addressed separately.
Lighthouse Project Assumptions
Certain assumptions are incorporated into the planned projects that comprise the Lighthouse Project, including:
• Healthcare as an industry vertical should learn lessons from other industries in terms of how to secure itself from external threats. Threat agents that have targeted other industries are now targeting healthcare (e.g., Advanced Persistent Threats (APTs), Telephony Denial of Service, “hacktivists”).
• The security strategy should rely upon technology to mitigate risk on behalf of the Partners workforce, reducing the risk of human error. As an example, information should not be stored locally on a PC if possible, but accessed via Citrix and other presentation technologies which keep the information in the data center.
• No single security technology is sufficient, and a defense-in-depth approach to securing Partners information systems is required.
• New and emerging threats will appear during the later stages of the Lighthouse Project, which will require time and resources to address after the conclusion of the Project. This risk reinforces the need for periodic assessment of the program, and for a thorough re-appraisal of the program at the Project’s conclusion.
Lighthouse Project Activities
• IdM – Identity Management
• Network Penetration Testing
• Managed Security Services
• Governance, Risk, Compliance (GRC) Implementation
• Network Access Control
• Adaptive Authentication
• Managing Privileged Accounts
• Data Loss Prevention
• Friendly Phishing
• Enterprise Risk Assessment
• Encryption
• Masking Data
• Next Generation Firewall
• Next Generation Endpoint Security
• Forensics
• “Dropbox” alternative
• Application Security Testing
• Mobile Device Management
Meaningful Healthcare IT Security ®
Mission Statement: To help our clients safeguard protected health information (PHI) from data breach and meet and maintain regulatory compliance.
www.redspin.com
Healthcare Experience
• Conducted HIPAA Security Risk Analysis at 115 hospitals
• Helps Meet Meaningful Use Stage 1 and Stage 2
• Expert Security Engineers and Compliance Professionals
• Extended Risk Analysis Scope:
- Application Risk Analysis
- Business Associates
- Mobile Devices
Technical Services
• Penetration Testing
• Web Application Security
• HIPAA Risk Analysis
• Mobile Device Security
• Social Engineering
Q&A
Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send-to default as “All Panelists.”
Thank You!
• You will receive an email when our archive recording is ready. (Separate registration is required)
• Thanks to our sponsor: Redspin!
• Don’t Forget To Claim Your CHIME CHCIO Credits – Attending healthsystemCIO.com Webinars = 1 CEU
• Questions/Comments – Anthony Guerra aguerra@healthsystemCIO.com
Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.