Vulnerability Management in HealthCare
Vulnerability Management In The Healthcare Environment Gabriel Doncel MS, MBA
Welcome!
• Introduction
• Vulnerability Management
• Healthcare Challenges
• Information Breaches
• Vulnerability Management
• Conclusion
• Q & A
Gabriel Doncel © 2013
Gabriel Doncel
• Information Security Team - Christiana Care
• Adjunct Faculty - Wilmington University
• University of Delaware - MBA, MS IS/TM
• Wilmington University - BS
Christiana Care Health System
• Multiple Data Centers
• 50+ sites
• 17,000 Users
• 1,500 Servers
• 9,500 PCs & 1,000 Laptops
• 1,500 Mobile Devices
• 2,200 Networked printers
• 1,100 Beds
• 6,641 Births / year
• 40,220 Surgical Proc.
Definitions
• Vulnerability
• Threat
• Risk
Vulnerability Management
Scan
Report
Remediate
Validate
Healthcare Challenges
• Regulations
• Business Associates
• Asset Inventory
• Asset Classification
• Fast Paced Environment
• Clinical Devices / Legacy Systems
Clinical Devices
• OS Variety
• Vendors
• Support Levels
• Portable
• Encryption
Patient Data Breaches
• Unauthorized acquisition, access, use, or disclosure
• Protected Health Information
• Unsecured data
• 500 individuals
US Patient Records Breached
[Chart: US patient records breached, in millions, 2009 to 2012. Values shown: 2.88, 5.45, 10.92, 2.16]
Cause
[Chart: cause, in millions, by year (2009 to 2012). Categories: Theft / Loss / Improper Disposal; Unauthorized Access / Disclosure; Hacking / IT Incident; Other / Unknown]
Data Location
[Chart: data location, in percent, by year (2009 to 2012). Categories: IT Asset (computer / Server); Other Portable Electronic Device; Paper; Other]
Business Associate Involved
[Chart: business associate involved, in percent, 2009 to 2012. Values shown: 20%, 20%, 22%, 16%]
Vulnerabilities
• Theft / Loss / Improper Disposal
• Unauthorized Access / Disclosure
• Paper
Zero-Day Vulnerabilities
• New Employees
• Terminations
• New Equipment
• Acquisitions
• New Partnership
• New Process
• Social Media
Vulnerability Management
• Employee Education
• Employee Engagement
• Physical Security
• Vendor Management
Vulnerability Management
More patching?
Thank you!
Questions?