2019 NCHICA AMC CONFERENCE
HEALTHCARE SECURITY PROJECT STRATEGIES
Kirk Davis & Jerry Hare (Vidant Health)
Jon Sternstein (Stern Security)
Presenters
KIRK DAVIS, Director, Information Security & Network Services, Vidant Health
JON STERNSTEIN, Principal, Stern Security
JERRY HARE, Manager for Security Operations & Engineering, Vidant Health
Agenda
• The Environment
• Risks
• Case Study: Two-factor Authentication
• Case Study: Tracking Security Progress
• Case Study: Web Filtering
• Case Study: Medical Device Management
• Case Study: Vendor Management
• Common Issues
• Success Essentials
2019 AMC Conference
Common Question
"WHY WOULD ANYONE WANT TO STEAL PATIENT DATA?"
- ANONYMOUS PHYSICIAN
PHI For Sale - Dark Web
• Behavioral Health Center in Maine Breached in 2017
• 4229 Patients
• Name, address, phone, employer, DOB, SSN, therapy notes
• Mentions uses for the PHI
• Listed as SOLD
199 Million HEALTHCARE RECORDS LOST SINCE 2009
372 REPORTED BREACHES IN 2018 (LARGEST YEAR ON RECORD)
Source: Gartner Hype Cycle for Providers 2017
Security Vigilance (Clairvoyance?)
Award Winning Security Program
Leadership/Innovators Category:
Vidant Health, Kirk Davis, Director, Information Security Services
Healthcare Security Needs a Strategy
No Strategy = No Progress
Case Study: Security Strategy & Tracking Progress
CHALLENGES
• Build and Upkeep
• No Change Tracking
• Use of old framework versions
WHAT HELPED
• Communication
• Defined Measurable Metrics
FUTURE STATE
Case Study: 2-Factor Authentication
POTENTIAL ROADBLOCKS
• Extra login step
• $$$$ & Licensing
• Vendor Shared Logins
• No smartphone
• Support Roles
WHAT HELPED
• Communication
• Support for E-Prescribing Controlled Substances
• Service Desk Training
• Upper Management Support
Case Study: Web Filtering
CHALLENGES
• HTTPS Inspection
• Choosing Categories
• Streaming Media Sites
• Server Web Filtering
• Training
• Non-domain joined machines
• Social Media & Personal Email/Storage
• Vendor ACLs / IP NAT
WHAT HELPED
• Communication
• Change Management
• Complementary Systems
• Tiered Web Filtering Approach
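The "Tiered Web Filtering Approach" listed under What Helped is the kind of policy a proxy or secure web gateway encodes: servers, clinical workstations, general workstations and non-domain-joined machines each get their own rules rather than one rule set for everyone. The following is an added example, not code from the presenters or from Vidant Health, of evaluating a request against such per-tier policies. Servers are on an allowlist of vendor destinations and update categories (the "Vendor ACLs" challenge), user tiers are on category blocklists covering streaming media, social media and personal email, and HTTPS inspection is skipped for privacy-sensitive categories and for devices that cannot trust the inspection CA. Tier names, categories, hostnames and the exemption list are assumptions constructed for the example.

```python
"""Tiered web-filtering policy evaluator (worked example; hypothetical tiers, categories and hosts)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed category database: registrable domain -> category.
CATEGORY_DB = {
    "ehr-vendor.example": "healthcare",
    "updates.vendor.example": "software_updates",
    "video.example": "streaming_media",
    "social.example": "social_media",
    "webmail.example": "personal_email",
    "bank.example": "finance",
    "news.example": "news",
}


def categorize(host: str) -> str:
    """Return the category of the host or of its closest categorized parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


@dataclass(frozen=True)
class TierPolicy:
    mode: str                                  # "allowlist" or "blocklist"
    allowed_categories: frozenset = frozenset()
    blocked_categories: frozenset = frozenset()
    block_uncategorized: bool = False           # strict tiers fail closed on unknown sites
    inspect_tls: bool = False                   # False for hosts that do not trust the proxy CA
    inspection_exempt: frozenset = frozenset()  # categories never decrypted (privacy)
    vendor_hosts: frozenset = frozenset()       # explicit destinations allowed regardless of category


PRIVACY_EXEMPT = frozenset({"healthcare", "finance"})

TIERS = {
    # Servers: egress only to named vendor hosts and update categories; everything else blocked.
    "server": TierPolicy(mode="allowlist", allowed_categories=frozenset({"software_updates"}),
                         block_uncategorized=True, inspect_tls=True,
                         inspection_exempt=PRIVACY_EXEMPT,
                         vendor_hosts=frozenset({"ehr-vendor.example"})),
    # Clinical workstations: block distractions and data-exfil channels, fail closed on unknowns.
    "clinical_workstation": TierPolicy(mode="blocklist",
                                       blocked_categories=frozenset({"streaming_media", "social_media", "personal_email"}),
                                       block_uncategorized=True, inspect_tls=True,
                                       inspection_exempt=PRIVACY_EXEMPT),
    # General staff workstations: lighter blocklist, unknown sites allowed.
    "general_workstation": TierPolicy(mode="blocklist",
                                      blocked_categories=frozenset({"personal_email"}),
                                      inspect_tls=True, inspection_exempt=PRIVACY_EXEMPT),
    # Non-domain-joined / guest devices: no CA trust, so no decryption; category filtering only.
    "guest": TierPolicy(mode="blocklist", blocked_categories=frozenset({"streaming_media"}),
                        inspect_tls=False),
}


@dataclass(frozen=True)
class Decision:
    action: str     # "allow" or "block"
    category: str
    inspect: bool   # whether the proxy would decrypt this TLS session
    reason: str


def evaluate(tier: str, url: str) -> Decision:
    """Decide allow/block and TLS inspection for a request from a host in the given tier."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier: {tier}")
    policy = TIERS[tier]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    category = categorize(host)
    is_tls = parts.scheme == "https"
    inspect = is_tls and policy.inspect_tls and category not in policy.inspection_exempt

    if host in policy.vendor_hosts:
        return Decision("allow", category, inspect, "vendor allowlist")
    if policy.mode == "allowlist":
        if category in policy.allowed_categories:
            return Decision("allow", category, inspect, "allowed category")
        return Decision("block", category, False, "not on server allowlist")
    if category in policy.blocked_categories:
        return Decision("block", category, False, "blocked category")
    if category == "uncategorized" and policy.block_uncategorized:
        return Decision("block", category, False, "uncategorized")
    return Decision("allow", category, inspect, "default allow")


if __name__ == "__main__":
    for tier, url in [("server", "https://news.example/"),
                      ("clinical_workstation", "https://portal.ehr-vendor.example/login"),
                      ("guest", "https://video.example/stream")]:
        print(tier, url, evaluate(tier, url))
```

The two decisions worth noting are the ones the slide's challenges point at: the same EHR vendor host is allowed on every tier but is never decrypted (healthcare is in the exemption set), and an unknown site is allowed on a general workstation but blocked on a clinical one, which is where "Choosing Categories" becomes a per-tier decision rather than a global one.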
Case Study: Medical Device Management
CHALLENGES
• Asset Inventory
• Security Review Process
• Onboarding
• Rogue Purchases
• Risk Acceptance
WHAT WORKED
• Coordination with other organizations
• Communication
• New Strategy
• Supply Chain + InfoSec + BioMed + Compliance
• Upper Management Support
Case Study: Vendor Management
CHALLENGES
• Process Standards & Documentation
• Contract management
• Priority List
• Risk Acceptance
WHAT WORKED
• Communication
• New Strategy
• SecOps + Business Analysts + Contract Mgmt + Business Relationship Mgmt + Project Mgmt
• Project Prioritization
COMMON CHALLENGES
• Risk Acceptance
• Exceptions
• Scalability
• Rogue Purchases & Grants
SUCCESS ESSENTIALS
• Communication, Communication, Communication
• Cross-Department Teamwork
• Education
• C-Level Awareness & Support
Thank you!