2016-Symposium-Cybersecurity-Slides.pptx

naomisowunmi 10 views 44 slides Jun 08, 2024

About This Presentation

Presentation slides on ransomware presented at a symposium


Slide Content

Ransomware and Other Cyber Attacks The Threat is Real, Are You Prepared? Dayna C. Nicholson, JD, MPH, Attorney, Pepper Hamilton LLP Mark S. Kadrich, Chief Information Security Officer, San Diego Health Connect

Synopsis Excellent patient care cannot be delivered without accurate, complete, and readily available patient data.  In today’s increasingly-interconnected world, patient data is generated, transmitted and stored across multiple platforms, and can be accessed by a significant number of users.  Healthcare providers face challenges in collecting, amalgamating, storing and re-accessing the data they generate.  Minor glitches in these complex digital systems can threaten the delivery of patient care, and can have significant impact on operations and budgets.  Ransomware exploits, zombie computers, data driven hacks and other cyber threats can bring the delivery of care to a screeching halt. Zombies are real, but this session will give you some tools to fight them by taking a holistic approach to cyber security.  This session will examine the legal requirements, such as the HIPAA standards, discuss the risks to data security posed by medical devices and the Internet of Things, and propose an architectural framework for implementing a robust cybersecurity program at your facility.  There will be a test at the end....

Dayna is a Lawyer Dayna C. Nicholson is a senior associate in the Corporate and Securities Practice Group of Pepper Hamilton LLP, resident in the Los Angeles and Orange County offices. Ms. Nicholson focuses her practice on health care–related matters, such as licensing and other regulatory compliance, peer review and credentialing and corporate and medical staff governance. Her clients include hospitals, medical staffs, managed care organizations, medical groups, medical device retailers and other health care providers. Ms. Nicholson also has experience in patient information privacy and security issues, appeals of state-issued administrative penalties, Medicare and Medi-Cal certification, emergency care requirements and litigation arising out of peer review matters.

Mark is an Alpha Geek For the past 30+ years, Mark Kadrich has worked in the security community, building knowledge, and contributing solutions. His strengths are in architecture level design, solution design, policy generation, endpoint security, and risk management. Mr. Kadrich is the author of the book Endpoint Security published by Addison Wesley. Mr. Kadrich holds degrees in Management Information Systems, Computer Engineering and Electrical Engineering. He was a contributing author in publications such as Healthcare Technology Online, Health IT Outcomes, TCP Unleashed, ISSA Journal, Publish Magazine, Planet IT, RSA, CSI, SANS and The Black Hat Briefings. Mark Kadrich is a well-known speaker and evangelist on network security matters at technical conferences and security events. He was the program manager and chair for Cornerstones of Trust for 3 years. Mr. Kadrich is the Chief Information Security Officer for San Diego Health Connect, a Health Information Exchange (HIE) in San Diego County as well as the CISO for 211 San Diego, connecting people with community, health, and disaster services in San Diego.

The Goal Provide High Quality Patient Care Complete, accurate data available to appropriate caregiver at the time it is needed. Privacy: Not accessed by those with no need. Security: Predictability, reliability, stability; data remains intact, not corrupted, not stolen.

The Strategy Compliance Follow the law Assess risk Security features (firewalls, controlled access, encryption) Policies and procedures

The Problem Complexity Systems of systems of systems.... Lack of reliable metrics Build on a foundation of sand Need to Demonstrate Compliance Or get fined trying.... Legal Requirements Vary by country, by state, by whim

Security Threats: The Zombies Technically, zombies are the hordes of computers that launch attacks against us. There are millions of them in the Zombie Army They are owned by: Hackers, Thieves and Spies Organized Crime Hacker Groups Nation States You!

What Are They Doing? It can be complex but to sum it up... It’s about the money.... Extortion Denial of services for money Denial of data access for money Data Theft Personal information to make money Finance information (see the pattern here?) User Mistake Lost devices Lapses in judgment

Attacks in the News Medstar Health in D.C. Malware infection FBI Investigating Hollywood Presbyterian Ransomware Attack Paid $17,000 to get key Final cost of “shutdown” still being calculated Others... Methodist Hospital, Chino Valley MC, Desert Valley Hospital, Beth Israel Deaconess (Angry Birds)

How Do They Get In? Usually through your own people Game App downloads Fake apps in Android Jailbroken phones download from any site Phishing Attacks Focused Leverage LinkedIn Poor Cyber Habits Clicking on phishing emails Using unapproved web sites

Legal Framework Simultaneously: Disjointed and redundant Overbroad and insufficient Cutting edge and behind the curve Federal Law/Regulation Electronic Communications Privacy Act, Stored Communications Act HIPAA/HITECH, Gramm-Leach-Bliley, Privacy Act Telephone Consumer Protection Act, CAN-SPAM Act HHS, FDA, FTC

Legal Framework State Law/Regulation Consumer data, health data, financial data Department of Health, Department of Insurance, Attorney General Case law Common law right to privacy Negligence theories

Legal Repercussions Regulatory Enforcement: Administrative Fines and Debarment Criminal Enforcement: Fines and Incarceration Civil Lawsuits: Monetary Settlements

Current Activity Phase II HIPAA Audits Heightened enforcement Settlement/Corporate Integrity Agreements Prosecution Litigation Legislation

Healthcare Trends Medical Devices Telemedicine Mobile Health Communications Texting E-mail Social Media Wellness Apps Diagnostic Tools

Healthcare Trends Rely on Technology Margins are tight and technology offers salvation! Technology changes faster than security Boundaries are blurred Mobile - Doctors, Nurses, Administrators... Cloud - EMR, HIE, PHR Distributed – Systems of Systems Interconnected – Even the alarm systems....

A Simple Question... Do you trust your security solution? Well, do ya?

Trust Versus Risk Risk describes your sensitivity to a particular set of threats Trust describes your feeling that you can deal with them effectively History says that trust is misplaced....

Breathe....

Components of Security Technology Firewalls, AV, IDS, IPS, Routers, Switches Policy Behaviors, Expectations, Sanctions People The hugest variable in the equation Teamwork! You, your people, your culture, your goals Legal + Technical

About the Technology... Good Technology Cloud IOT BYOD Wireless It’s not the technology that’s the problem, it’s how it is misused that causes the problem. Bad Technology Cloud IOT BYOD Wireless

Cloud Any service or application that is delivered over the Internet EMR Security Data Infrastructure Wireless

Internet of Things Home and Personal Medical Devices Wearables (FitBit?) Control Devices Thermostats Doors Beds

Mobile Phones – Zillions of Devices Tablets – Millions of Devices Sensors – Zillion Million Devices Remote Patient Monitoring Implanted Devices

Legal Issues Who owns the data? Who has a right to inspect the device? How is data migration controlled? Moral Issues (Yep) Cost Driven Why buy new devices when everyone will come with one soon? BYOD

Wireless Trend is to Wireless Many devices no longer have cables Ubiquitous WiFi Offered on buses, planes, public This drives security people CRAZY Broadband Vendors Moving towards wireless cloud Femtocells Selling as an option to wired infrastructure

Policy Required by Law Specifies Behavior Provides for Punishment Hardest Part of Culture

People Biggest Asset! Hugest Threat!

Present Solution Concepts Compliance Based WE MUST COMPLY! Checkbox Mentality Finance Influenced It must be cheap! Risk Shedding Approach People and Tech are Different We wind up with the worst of all worlds... A mandated solution that is expensive slow and unreliable...

Present Solution Concepts Firewalls IDS/IPS/AV/AntiMalware Access Control Lists Authentication Methods Outsourced Cloud (Yet Again!) But they are independent technologies loosely linked by databases and human procedures

Unintended Consequences Disjointed Security Solutions Drive to Lowest Common Denominator Reliance on Vendor Solutions Un-integrated Security & Event Data Unknown Trust Extra Work

Some Simple Questions Can you describe your security architecture without using a vendor’s name? How fast is your security architecture? How sensitive is your security architecture?

Breathe....

A New Path Documented Architecture Drawings, Procedures, Metrics End-to-End Testing Including ALL VENDORS Process Control Methodology P.I.D. Proportional, Integral, Derivative Re-engineered Legal... Reset boundaries of test and partnerships

Architecture Components Compartmentalization Create Pockets of Similar Data Types/Functions Segmentation Create Enclaves of Networks/Containment Data Classification Identify Data Levels BESIDES HIPAA! Need to be able to identify public, sensitive, classified Testing Methodologies Repeatable, Reliable, Ungamable

Architectural Overview

Testing Methodologies New Metrics Patches, Updates, Signatures are OK BUT THEY DON’T MEASURE SECURITY Metrics must be repeatable, reliable, ungamable and most importantly, they must be USABLE End-to-End Testing Test the ENTIRE system of systems (vendors too) Find the places that need improvement Requires New Legal Agreements

Legal Issues Present BAAs Lacking Specify only that BA must show compliance “Sure, I have this certification...” (Beyond lame) No Provisions for Integrated Testing Testing stops at the border No way to ensure that borders create data compartments No way to ensure that security events trigger actions in our partners! THIS IS HUGE!

Beyond Horizon Viewpoint Technology must be planned for Remember when WiFi was new? Hidden APs all over the place! Ignore New Tech at your own peril By ignoring or banning it you create a greater demand for it People of good conscience will work very hard to get their jobs done Get in front of legislative controls

People Pass Laws Not technology.... They are afraid They have suffered loss A knee-jerk reaction by legislators will fix it! (Besides, it can’t hurt reelection chances)

Integrate Your People and Security They Drive Technology They Can Drive Policy They are your BEST Asset They Can Disable your security if you don’t!

Some Lessons Learned Having a Documented Architecture is Critical Right now we’re “Teaching to the Test” Security by obscurity isn’t a plan that works Vendor “suites” aren’t as sweet as we think Compliance does not mean secure An integrated architecture and end-to-end testing can demonstrate efficacy Integrate your People, Policy, and Technology Purchase Cyberliability insurance

Questions? Us too! Dayna C. Nicholson Mark S. Kadrich [email protected] [email protected] 213.928.9807 408-313-6263