“Privacy, Security & the CIO” · A Complimentary Webinar From healthsystemCIO.com Sponsored by...


Transcript of “Privacy, Security & the CIO” · A Complimentary Webinar From healthsystemCIO.com Sponsored by...

Page 1: “Privacy, Security & the CIO” · A Complimentary Webinar From healthsystemCIO.com Sponsored by Redspin

Slide Deck: http://goo.gl/ChslTo Webex Support 1-866-223-3239

Event #666 436 339

“Privacy, Security & the CIO”

A Complimentary Webinar From healthsystemCIO.com

Sponsored by Redspin

Your Line Will Be Silent Until Our Event Begins

Thank You!

Page 2:

Housekeeping

• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com

• Ask A Question
  • We will be holding a Q&A session after the formal presentations.
  • You may submit your questions at any time by clicking on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send-to default as “All Panelists.”

• Download the Deck
  • Go to: http://healthsystemcio.com/presentation/security-noga-webinar.pdf
  • The shortened link below appears on most slides.

• View the Archive
  • You will receive an email when our archive recording is ready.
  • Separate registration is required.

Page 3:

Agenda — 45 Minutes

• 20 minutes: Jim Noga, VP/CIO, Partners HealthCare

• 5 minutes: A Word From Our Sponsor: Dan Berger, President/CEO, Redspin

• 20 minutes: Q&A w/Jim Noga

Page 4:

“Privacy, Security & the CIO”

Page 5:

Presentation Overview

In 2011, Partners HealthCare decided to implement an organization-wide information security program based on ISO 27000, NIST Special Publications, and other industry information security standards.

To facilitate this effort, Partners conducted an evaluation of the organization's information security and privacy program with the assistance of a third party.

Partners HealthCare mapped the security capabilities to the ISO 27000 framework, and recommended an overall strategy for implementing the ISO 27000 framework.

This presentation provides:

• An overview of the findings and recommendations; and

• An overview of the plan for addressing the findings, and implementing an information security and privacy framework for the Partners HealthCare system.


Page 6:

Relative Security Posture by Industry

[Chart: Relative Security Posture by Industry. Sectors shown: Financial Services, Aerospace, Energy and Utilities, Agriculture, Forestry & Fishing, Retail, Healthcare, Technology, Defense & Intelligence.]

Page 7:

Industry Comparison and Target Maturity

Partners information security maturity when compared to peer organizations and other industries.

[Chart: maturity by Information Security Domain. Rows: Infrastructure Security; Identity & Access Management; Cyber Threat Management; Data Protection; Secure Development Lifecycle; Third Party Risk Management; IT Risk and Compliance Mgmt; IT Operations; Business Continuity Management. Columns: Peer Group*, Life Sciences**, Financial Industry**, PHS Year 1, PHS Year 2, PHS Year 3. Scale: 1 Initial, 2 Repeatable, 3 Defined, 4 Measured, 5 Optimized. Each row marks Current Maturity and Target Maturity.]

*Peer Group comprised of four reputed Academic Medical Centers and/or large healthcare systems

Page 8:

The Lighthouse Project - Overview

Partners HealthCare has developed a plan for addressing the project streams based on maturity and risks. This effort resulted in the Partners HealthCare Lighthouse Project.

• The Lighthouse Project will implement a common information security and privacy framework across the Partners HealthCare system, setting an organizational standard for the confidentiality, integrity and availability of patient information.

• The Lighthouse Project will guide Partners’ employees, residents, researchers and staff as to the requirements and the best practices for securing the patient information and systems critical to the organization’s business objectives.

• The Lighthouse Project will build upon previous efforts and investments, and incorporate these into a series of planned subprojects over a three year timeline.


Information Security & Privacy

Lighthouse Project

Page 9:

Zones of Control

[Diagram: concentric zones of control, with Academic Research as the outer zone and Core Clinicals and Clinical Research as the inner, managed zone.]

• The Lighthouse Project will establish “zones of control”, in which the security model will be more restrictive in the inner, “managed” zones.¹

• Outer zones will also be secure, but in a more flexible manner better aligned with the collaborative nature of academic research.

• Where appropriate, technology will be used to enforce the zones of control. The technologies used will be discussed later in the presentation.

• However, individuals will ultimately be responsible for their compliance. Thus, training the workforce, and enforcing and monitoring compliance will be critical to the success of this approach.


¹ Note, some information and systems will be “zoned” in a manner more rigorous than others due to specific regulations, such as the PCI-DSS requirements.

Page 10:

Identity Management – Risk Model

The Lighthouse Project will also establish controls appropriate for the risk posed by different organizational actors, with the controls stricter for actors with the greatest access to information and systems.
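As an added illustration of how the zones of control from the previous slide and the risk model on this one combine in practice (this is example code written for this page, not code from the presentation or from Partners HealthCare), the Python below evaluates access requests against ranked zones with default-deny inward paths, a regulatory overlay for assets tagged PCI or ePHI, and actor controls that tighten as the actor's level of access grows. The zone names, asset tags, actor attributes, sample actors and every rule are assumptions made for the example.

```python
# Added illustration of "zones of control" combined with a risk-tiered identity
# model. It is NOT Partners HealthCare's implementation: the zone names, asset
# tags, actor attributes and every rule below are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Zones ordered from the outer, collaborative zone to the inner, managed zone.
# A higher rank means a more restrictive zone.
ZONE_RANK: Dict[str, int] = {
    "academic_research": 0,
    "clinical_research": 1,
    "core_clinical": 2,
}

# Regulatory overlay: assets carrying these tags are handled more rigorously
# than their host zone alone would require, wherever they sit.
REGULATED_TAGS = frozenset({"pci", "ephi"})

# Explicit inward paths. Anything not listed is denied by default, and a path
# only steps one zone inward, so there is no direct jump from the outer zone
# into the innermost one.
INWARD_ALLOW = {
    ("academic_research", "clinical_research"),
    ("clinical_research", "core_clinical"),
}


@dataclass(frozen=True)
class Actor:
    name: str
    privileged: bool      # greatest access, therefore the strictest controls
    mfa: bool             # a second factor was presented for this session
    managed_device: bool  # endpoint is enrolled in organizational management


@dataclass(frozen=True)
class Request:
    actor: Actor
    src_zone: str
    dst_zone: str
    tags: FrozenSet[str] = frozenset()  # tags on the destination asset


def decide(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason).

    Checks run from coarse (zone topology) to fine (actor risk); the first
    failing check wins, so every denial names a single concrete cause.
    """
    src, dst = ZONE_RANK[req.src_zone], ZONE_RANK[req.dst_zone]
    if dst > src and (req.src_zone, req.dst_zone) not in INWARD_ALLOW:
        return "deny", f"no inward path {req.src_zone}->{req.dst_zone}"
    regulated = bool(req.tags & REGULATED_TAGS)
    # Inner zone or regulated asset: only managed endpoints may connect.
    if (dst >= ZONE_RANK["core_clinical"] or regulated) and not req.actor.managed_device:
        return "deny", "unmanaged device may not reach a managed zone or regulated asset"
    # Risk-tiered identity controls: more access means more required assurance.
    # Privileged actors need MFA anywhere inside the outer zone; ordinary users
    # need it only when the asset is regulated.
    if req.actor.privileged and dst > ZONE_RANK["academic_research"] and not req.actor.mfa:
        return "deny", "privileged actor without MFA"
    if regulated and not req.actor.mfa:
        return "deny", "regulated asset requires MFA"
    return "allow", "zone path and actor controls satisfied"


def evaluate(requests: List[Request]) -> List[Dict[str, str]]:
    """Evaluate a batch and emit one audit record per request, since the
    slide stresses monitoring compliance alongside technical enforcement."""
    records = []
    for r in requests:
        verdict, reason = decide(r)
        records.append({
            "actor": r.actor.name,
            "path": f"{r.src_zone}->{r.dst_zone}",
            "tags": ",".join(sorted(r.tags)),
            "verdict": verdict,
            "reason": reason,
        })
    return records


# Constructed sample actors and requests for the example (not real data).
RESEARCHER = Actor("researcher", privileged=False, mfa=False, managed_device=False)
CLINICIAN = Actor("clinician", privileged=False, mfa=True, managed_device=True)
DBA = Actor("dba", privileged=True, mfa=False, managed_device=True)

SAMPLE_REQUESTS = [
    Request(RESEARCHER, "academic_research", "clinical_research"),
    Request(RESEARCHER, "academic_research", "core_clinical"),
    Request(RESEARCHER, "academic_research", "academic_research", frozenset({"pci"})),
    Request(CLINICIAN, "clinical_research", "core_clinical", frozenset({"ephi"})),
    Request(DBA, "core_clinical", "core_clinical"),
]

if __name__ == "__main__":
    for rec in evaluate(SAMPLE_REQUESTS):
        print(f"{rec['verdict']:5} {rec['actor']:10} {rec['path']:40} {rec['reason']}")
```

The point of the ordering is that the outer zone stays flexible (an unmanaged researcher device can still reach the next zone in), while the same device is refused the moment it touches a managed zone or a PCI-tagged asset, and a privileged account is refused inside the managed zone until it presents a second factor. In a real deployment the decision would be enforced by the network access control, firewall and identity platforms listed later in the deck; this block only shows the decision logic those controls would encode.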


Page 11:

Project Streams

PS1. Information security organization restructuring
• Establish a new information security and privacy staffing model for implementing and managing a standards-based information security and privacy program.

PS2. PCI DSS readiness and compliance
• Review the current approach to compliance with the Payment Card Industry Data Security Standard (PCI DSS), and implement enhancements as necessary.

PS3. Network rearchitecture and network access management
• Implement enhancements to overall network information security.

PS4. MSSP transition
• Determine the approach to outsourcing specific information security services to a managed security services provider (MSSP) to achieve greater efficiencies and return on investment.

PS5. Information security policies and procedures update
• Review and establish a common information security policy framework applicable to all Partners entities.

PS6. Incident management
• Enhance current approaches to information security and privacy incident handling.

PS7. Information security risk management process
• Establish and staff a risk assessment program to proactively assess information security risks.

Page 12:

Recommended Project Streams

PS8. Data and asset management
• Establish an approach for ensuring that data is appropriately classified, and that only authorized assets are used for accessing, maintaining, and transmitting ePHI and other forms of confidential information.

PS9. Identity and access management
• Define and operationalize an enhanced approach to managing how individuals gain access to systems containing ePHI, as well as other technology resources.

PS10. Secure SDLC process
• Enhance the approach to ensuring applications developed by PHS and vendors are secure through the use of secure development technologies and practices.

PS11. Business continuity management
• Develop a strategy for implementing Business Continuity and Disaster Recovery throughout the organization.¹

PS12. Security training and awareness
• Develop a common information security and privacy awareness and training program that will be mandatory for all workforce members.

PS13. Information systems monitoring
• Implement automated technical means of monitoring data and systems to ensure their confidentiality, integrity and availability.

PS14. Third-party risk management
• Define a strategy and program to manage third-party-related security risks, tying this to the risk management program described in PS7.

¹ Business Continuity Management will be addressed separately.

Page 13:

Lighthouse Project Assumptions

Certain assumptions are incorporated into the planned projects that comprise the Lighthouse Project, including:

• Healthcare as an industry vertical should learn lessons from other industries in terms of how to secure itself from external threats. Threat agents that have targeted other industries are now targeting healthcare (e.g., Advanced Persistent Threats (APTs), Telephony Denial of Service (TDoS), “hacktivists”).

• The security strategy should rely upon technology to mitigate risk on behalf of the Partners workforce, reducing the risk of human error. As an example, information should not be stored locally on a PC if possible, but accessed via Citrix and other presentation technologies which keep the information in the data center.

• No single security technology is sufficient, and a defense in depth approach to securing Partners information systems is required.

• New and emerging threats will appear during the later stages of the Lighthouse Project, which will require time and resources to address after the conclusion of the Project. This risk reinforces the need for periodic assessment of the program, and for a thorough re-appraisal of the program at the Project’s conclusion.


Page 14:

Lighthouse Project Activities

• IdM – Identity Management

• Network Penetration Testing

• Managed Security Services

• Governance, Risk, Compliance (GRC) Implementation

• Network Access Control

• Adaptive Authentication

• Managing Privileged Accounts

• Data Loss Prevention

• Friendly Phishing

• Enterprise Risk Assessment

• Encryption

• Masking Data

• Next Generation Firewall

• Next Generation Endpoint Security

• Forensics

• “Dropbox” alternative

• Application Security Testing

• Mobile Device Management

Page 15:

Meaningful Healthcare IT Security ®

Mission Statement

To help our clients safeguard protected health information (PHI) from data breach and meet and maintain regulatory compliance.

www.redspin.com

Page 16:

Healthcare Experience

• Conducted HIPAA Security Risk Analysis at 115 hospitals

• Helps Meet Meaningful Use Stage 1 and Stage 2

• Expert Security Engineers and Compliance Professionals

• Extended Risk Analysis Scope:

- Application Risk Analysis

- Business Associates

- Mobile Devices

Meaningful Healthcare IT Security ®

Technical Services

• Penetration Testing

• Web Application Security

• HIPAA Risk Analysis

• Mobile Device Security

• Social Engineering

www.redspin.com

Page 17:

Meaningful Healthcare IT Security ®

www.redspin.com

Page 18:

www.redspin.com

Page 19:

Q&A

Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send-to default as “All Panelists.”

Page 20:

Thank You!

• You will receive an email when our archive recording is ready. (Separate registration is required)

• Thanks to our sponsor: Redspin!

• Don’t Forget To Claim Your CHIME CHCIO Credits – Attending healthsystemCIO.com Webinars = 1 CEU

• Questions/Comments – Anthony Guerra [email protected]

Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.