MUSE 2015 Product Showcase v2

#518 - CSB IT Security: A Practical and Modular Approach to Information Security (Chris Baldwin, Bruce Hall, Tyler Wrightson)

Transcript of MUSE 2015 Product Showcase v2

Page 1: MUSE 2015 Product Showcase v2

#518 - CSB IT Security: A Practical and Modular Approach to Information Security

Chris Baldwin, Bruce Hall, Tyler Wrightson

Page 2: MUSE 2015 Product Showcase v2

Anthem Breach

Office for Civil Rights Fines

HITECH Breach Enforcement

Meaningful Use Audits

Phishing Exploits | Internet Links | Downloads | Mobility

HIPAA | HITECH | Omnibus Rule

Personal Information Security Concerns

Policy Development

Contingency Plans

Page 3: MUSE 2015 Product Showcase v2

CSB IT Security

Administrative Safeguards

Technical Safeguards

Physical Safeguards

Solving “The Hacker Problem”

Effective Security Management

Page 4: MUSE 2015 Product Showcase v2

Goals for Today – Building an Effective Security Program

About CSB IT Security

Compliance vs. Security

Maturity Level Continuum – Where are you?

A Modular Approach to Information Security

CSB Security Solutions -- Offerings

Questions

Page 5: MUSE 2015 Product Showcase v2

About: CSB IT Security

Established in 2012

Chris Baldwin, Bruce Hall, Tyler Wrightson

Experience: HIPAA Risk Assessments, OCR Breach investigation, CMS

Meaningful Use Audits, Program Development, Technical

Assessments, Awareness and Training, Social Engineering/Testing

Clients: Hospitals, Physician Practices, IPAs, Managed Care Entities,

Business Associates

Healthcare Experience | Compliance Experience | Security Experience

Page 6: MUSE 2015 Product Showcase v2

Compliance vs. Security

Page 7: MUSE 2015 Product Showcase v2

Compliance

HIPAA Security Rule

HITECH Breach Notification and Enforcement

OCR Investigations and penalties

OCR Pilot Audits

HIPAA Final Omnibus Rule

OCR Audit Program – 2015…

State Specific laws – Protected Health Information | Personal Information

Don’t forget Payment Card Information (PCI 3.0)

Page 8: MUSE 2015 Product Showcase v2

Compliance : OCR FINDINGS: TOP ISSUES

Page 9: MUSE 2015 Product Showcase v2

Compliance: RESOLUTIONS BY YEAR AND TYPE

Page 11: MUSE 2015 Product Showcase v2

Compliance: Gotchas….

Breach | OCR | Self-Reporting | Patient Complaint | Business Associate

Physical, Technical and Administrative Safeguards

Comprehensive Risk Assessment

Policies and Procedures

Laptop Encryption

Contingency Plans

Access Control Auditing

Storage and Transmission – Data Loss Prevention

Privacy! No longer 2% of separation

Page 12: MUSE 2015 Product Showcase v2

Beyond Compliance to Security

Home Security: Your neighborhood…

“Threats” and “vulnerabilities”

“Likelihood” and “impact”

Setting priority based upon risk…

If a burglar were standing in your living room in the middle of the night, would you know it?

Page 13: MUSE 2015 Product Showcase v2

Focusing on Security

CEOs are asking: Could the Anthem breach or the Target breach or the Partners breach happen to us?

Compliant and Secure!

Page 14: MUSE 2015 Product Showcase v2

CSB IT Security

Building Block Approach to Information Security

Page 15: MUSE 2015 Product Showcase v2

CSB IT Security – Maturity Model

Governance

Risk Assessment and ongoing security roadmap

Comprehensive approach to physical, technical and administrative safeguards

Policies and procedures that are practical, effective and compliant

Workforce security – awareness and training – social engineering and testing with real-time feedback

Integrated contingency planning and incident response

Real-time vulnerability management and threat detection

Page 16: MUSE 2015 Product Showcase v2

A Modular Approach to Information Security

CSB Security Offerings

Security Management

“The Hacker Threat”

Page 17: MUSE 2015 Product Showcase v2

Security Management

Page 18: MUSE 2015 Product Showcase v2

Security Management

Risk Assessment – Measurable Results

Page 19: MUSE 2015 Product Showcase v2

Security Management

Building Effective Governance – Managing the Security Agenda

Information Privacy and Security Committee Charter

Purpose | Committee Authority | Membership | Objectives | Meeting Frequency | Documentation

Page 20: MUSE 2015 Product Showcase v2

Security Management

Policies and Procedures

Page 21: MUSE 2015 Product Showcase v2

Security Management

Awareness and Training

Using metrics to change behavior

Periodic phishing tests (Social Engineering)

Pass / Fail metrics

Willingness to provide credentials

Use of tests that seem real – “trickery”

Scoring by individual

Immediate feedback and training loop

Quote: “I was one of those who entered my UserID and password – I won’t do that again”
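The metrics listed on this slide (pass/fail per round, willingness to provide credentials, scoring by individual, an immediate feedback loop) can be computed from the raw outcomes of each simulated phishing round. The following is an added example, not CSB's tooling or anything from the original deck. It assumes a four-value outcome vocabulary (ignored, reported, clicked, credentials), assumed point weights per outcome, and a constructed two-round data set for five recipients; a user "passes" a round by neither clicking the link nor entering a UserID and password.

```python
"""Phishing-test metrics with a per-individual feedback loop.

Added example, not CSB's tooling. It assumes each simulated phishing round
records, per recipient, one of four outcomes (names are assumed): the user
ignored the email, reported it, clicked the link, or entered a UserID and
password on the test page. A round is "passed" by a user who neither clicked
nor entered credentials.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed outcome vocabulary for one recipient in one test round.
IGNORED = "ignored"          # did nothing with the message
REPORTED = "reported"        # flagged it to the security team
CLICKED = "clicked"          # followed the link but entered nothing
CREDENTIALS = "credentials"  # entered a UserID and password on the test page

FAIL_OUTCOMES = {CLICKED, CREDENTIALS}

# Assumed points per outcome; reporting is rewarded, credential entry costs most.
POINTS = {REPORTED: 2, IGNORED: 1, CLICKED: -1, CREDENTIALS: -3}


@dataclass(frozen=True)
class Result:
    round_id: str  # which periodic test, e.g. "2015-Q1"
    user: str
    outcome: str


def passed(outcome: str) -> bool:
    """Pass / fail rule: clicking or giving credentials is a fail."""
    if outcome not in POINTS:
        raise ValueError(f"unknown outcome: {outcome}")
    return outcome not in FAIL_OUTCOMES


def _round(results, round_id):
    rows = [r for r in results if r.round_id == round_id]
    if not rows:
        raise ValueError(f"no results for round {round_id}")
    return rows


def pass_rate(results, round_id) -> float:
    """Share of recipients who passed the given round."""
    rows = _round(results, round_id)
    return sum(passed(r.outcome) for r in rows) / len(rows)


def credential_rate(results, round_id) -> float:
    """Willingness to provide credentials: share who typed a password."""
    rows = _round(results, round_id)
    return sum(r.outcome == CREDENTIALS for r in rows) / len(rows)


def individual_scores(results) -> dict:
    """Scoring by individual, accumulated across every round."""
    scores = defaultdict(int)
    for r in results:
        scores[r.user] += POINTS[r.outcome]
    return dict(scores)


def needs_feedback(results, round_id) -> list:
    """Immediate feedback loop: everyone who failed this round gets training now."""
    return sorted(r.user for r in _round(results, round_id) if not passed(r.outcome))


def repeat_offenders(results, min_failures: int = 2) -> list:
    """Users who failed at least min_failures rounds; candidates for extra training."""
    failures = defaultdict(int)
    for r in results:
        if not passed(r.outcome):
            failures[r.user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


def trend(results, earlier: str, later: str) -> float:
    """Change in pass rate between two rounds (positive means behaviour improved)."""
    return pass_rate(results, later) - pass_rate(results, earlier)


# Constructed sample data: two quarterly rounds, five recipients.
SAMPLE = [
    Result("2015-Q1", "alice", IGNORED),
    Result("2015-Q1", "bob", CREDENTIALS),
    Result("2015-Q1", "carol", CLICKED),
    Result("2015-Q1", "dave", REPORTED),
    Result("2015-Q1", "erin", CREDENTIALS),
    Result("2015-Q2", "alice", REPORTED),
    Result("2015-Q2", "bob", CREDENTIALS),
    Result("2015-Q2", "carol", IGNORED),
    Result("2015-Q2", "dave", REPORTED),
    Result("2015-Q2", "erin", CLICKED),
]

if __name__ == "__main__":
    for rid in ("2015-Q1", "2015-Q2"):
        print(rid, "pass rate", pass_rate(SAMPLE, rid),
              "credential rate", credential_rate(SAMPLE, rid))
    print("scores", individual_scores(SAMPLE))
    print("needs feedback after Q2", needs_feedback(SAMPLE, "2015-Q2"))
    print("repeat offenders", repeat_offenders(SAMPLE))
    print("trend Q1->Q2", trend(SAMPLE, "2015-Q1", "2015-Q2"))
```

On the constructed data the pass rate moves from 40% to 60% between rounds while the credential-entry rate halves, and `needs_feedback` names the two people who should receive training the same day the round closes; the point weights are deliberately asymmetric so that one credential entry outweighs several ignored messages.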

Page 22: MUSE 2015 Product Showcase v2

Security Management

CSB approach – we understand healthcare….

“Partners Healthcare Data Breach Affects 3,300 Patients”

Phishing test:

“Now that we are nearing the end of Flu season, we need your help in responding to a Joint Commission Survey” – Please enter your network credentials….

Page 23: MUSE 2015 Product Showcase v2

Security Management

Social engineering Testing

Page 24: MUSE 2015 Product Showcase v2

Security Management

Contingency Planning

Category | Definition

Low | Loss of confidentiality, integrity, or availability would have a limited adverse impact and might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with noticeably reduced effectiveness; (2) result in minor damage to organizational assets; (3) result in minor financial loss; or (4) result in minor harm to individuals.

Moderate | Loss of confidentiality, integrity, or availability would have a serious adverse impact and might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with significantly reduced effectiveness; (2) result in significant damage to organizational assets; (3) result in significant financial loss; or (4) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

High | Loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse impact and might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
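The Low / Moderate / High impact categories above, combined with the likelihood and "setting priority based upon risk" idea from the Beyond Compliance slide, are enough to turn assessment findings into a ranked roadmap. The following is an added example, not CSB's assessment method and not from the original deck. Its assumptions: each finding pairs a threat with a vulnerability and carries a likelihood rating plus a separate impact rating for loss of confidentiality, integrity and availability; the finding's overall impact is the highest of the three; risk is the product of the ordinal likelihood and impact levels (1 to 9); the banding of that score back into three ratings is assumed; and the four findings are constructed.

```python
"""Risk-based prioritization with Low / Moderate / High impact categories.

Added example, not CSB's assessment method. Assumptions: every finding pairs a
threat with a vulnerability, carries a likelihood rating, and carries a
separate impact rating for loss of confidentiality, integrity and
availability; the finding's overall impact is the highest of the three;
risk is the product of the ordinal likelihood and impact levels; and the
ranked list is the order of work on the security roadmap.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    threat: str
    vulnerability: str
    likelihood: str       # low / moderate / high
    confidentiality: str  # impact if confidentiality is lost
    integrity: str        # impact if integrity is lost
    availability: str     # impact if availability is lost

    def __post_init__(self):
        for level in (self.likelihood, self.confidentiality, self.integrity, self.availability):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r} on finding {self.name!r}")


def overall_impact(f: Finding) -> str:
    """Highest of the three impact ratings (assumed 'worst case wins' rule)."""
    return max((f.confidentiality, f.integrity, f.availability), key=LEVELS.__getitem__)


def risk_score(f: Finding) -> int:
    """Ordinal likelihood times ordinal impact: 1 (low/low) to 9 (high/high)."""
    return LEVELS[f.likelihood] * LEVELS[overall_impact(f)]


def risk_rating(score: int) -> str:
    """Assumed banding of the 1-9 score back into the three categories."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def prioritize(findings) -> list:
    """Ranked roadmap: highest risk first, ties broken by name for stable output."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.name))
    return [(f.name, risk_score(f), risk_rating(risk_score(f))) for f in ranked]


# Constructed findings for a hypothetical provider; names and ratings are made up.
SAMPLE = [
    Finding("Unencrypted laptops", "lost or stolen device", "no full-disk encryption",
            likelihood="high", confidentiality="high", integrity="low", availability="moderate"),
    Finding("Shared service account", "credential misuse", "password known to many staff",
            likelihood="moderate", confidentiality="moderate", integrity="moderate", availability="low"),
    Finding("Untested backup restore", "ransomware or hardware failure", "restores never exercised",
            likelihood="low", confidentiality="low", integrity="low", availability="high"),
    Finding("No screen lock timeout", "walk-up access", "unattended logged-in sessions",
            likelihood="moderate", confidentiality="low", integrity="low", availability="low"),
]

if __name__ == "__main__":
    for name, score, rating in prioritize(SAMPLE):
        print(f"{score:>2} {rating:<8} {name}")
```

Rating the three security objectives separately matters in practice: the untested backup restore scores low on confidentiality and integrity but high on availability, so the worst-case rule still places it above the screen-lock finding even though both are routine hygiene items.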

Page 25: MUSE 2015 Product Showcase v2

“The Hacker Problem”

Page 26: MUSE 2015 Product Showcase v2

“The Hacker Problem”

Penetration Testing: Mimicking the methods used by hackers and criminals to break into organizations to identify whether meaningful vulnerabilities exist

Page 27: MUSE 2015 Product Showcase v2

“The Hacker Problem”

Vulnerability Assessments: Assessments designed to identify all vulnerabilities present in key systems which are likely to be targeted by hackers.

Page 28: MUSE 2015 Product Showcase v2

“The Hacker Problem”

Threat Detection: Real-time monitoring of key workstation, server and network systems which are likely to be targeted by hackers

Page 29: MUSE 2015 Product Showcase v2

Questions?

For assistance:

Text “HM” or “HT” to 508-817-7692

SM – Security Management / Administrative Assistance

HT – Hacker Threat Assistance

Call 508-213-4020, enter 1 for inquiries

or email: [email protected]

or Join our email list: http://eepurl.com/bg0yY9

or Browse to: www.csbitsolutions.com