2019 NCHICA AMC CONFERENCE HEALTHCARE SECURITY PROJECT STRATEGIES Kirk Davis & Jerry Hare (Vidant Health) Jon Sternstein (Stern Security)


Presenters

• Kirk Davis, Director Information Security & Network Services, Vidant Health
• Jon Sternstein, Principal, Stern Security
• Jerry Hare, Manager for Security Operations & Engineering, Vidant Health


Agenda

• The Environment
• Risks
• Case Study: Two-factor Authentication
• Case Study: Tracking Security Progress
• Case Study: Web Filtering
• Case Study: Medical Device Management
• Case Study: Vendor Management
• Common Issues
• Success Essentials


WHY WOULD ANYONE WANT TO STEAL PATIENT DATA?

Common Question

- ANONYMOUS PHYSICIAN


PHI For Sale - Dark Web

• Behavioral Health Center in Maine Breached in 2017
• 4229 Patients
• Name, address, phone, employer, DOB, SSN, therapy notes
• Mentions uses for the PHI
• Listed as SOLD


199 Million HEALTHCARE RECORDS LOST SINCE 2009

372 REPORTED BREACHES IN 2018 (LARGEST YEAR ON RECORD)


Security Vigilance (Clairvoyance?)

Source: Gartner Hype Cycle for Providers 2017


Award Winning Security Program

Leadership/Innovators Category:

Vidant Health
Kirk Davis, Director, Information Security Services


Healthcare Security Needs a Strategy

No Strategy = No Progress


Case Study: Security Strategy & Tracking Progress

CHALLENGES

• Build and Upkeep
• No Change Tracking
• Use of old framework versions

WHAT HELPED

• Communication
• Defined Measurable Metrics

FUTURE STATE


Case Study: 2-Factor Authentication

POTENTIAL ROADBLOCKS

• Extra login step
• $$$$ & Licensing
• Vendor Shared Logins
• No smartphone
• Support Roles

WHAT HELPED

• Communication
• Support for E-Prescribing Controlled Substances
• Service Desk Training
• Upper Management Support


Case Study: Web Filtering

CHALLENGES

• HTTPS Inspection
• Choosing Categories
• Streaming Media Sites
• Server Web Filtering
• Training
• Non-domain joined machines
• Social Media & Personal Email/Storage
• Vendor ACLs / IP NAT

WHAT HELPED

• Communication
• Change Management
• Complementary Systems
• Tiered Web Filtering Approach


Case Study: Medical Device Management

CHALLENGES

• Asset Inventory
• Security Review Process
• Onboarding
• Rogue Purchases
• Risk Acceptance

WHAT WORKED

• Coordination with other organizations
• Communication
• New Strategy
• Supply Chain + InfoSec + BioMed + Compliance
• Upper Management Support


Case Study: Vendor Management

CHALLENGES

• Process Standards & Documentation
• Contract management
• Priority List
• Risk Acceptance

WHAT WORKED

• Communication
• New Strategy
• SecOps + Business Analysts + Contract Mgmt + Business Relationship Mgmt + Project Mgmt
• Project Prioritization


COMMON CHALLENGES

• Risk Acceptance
• Exceptions
• Scalability
• Rogue Purchases & Grants


SUCCESS ESSENTIALS

Communication, Communication, Communication

Cross-Department Teamwork

Education

C-Level Awareness & Support


Thank you!
