SlideShare a Scribd company logo

Challenges & Opportunities in Managing Cyber Risks

A
Anna Gomez

• Outline the resource, technology, awareness and financial challenges among small and medium providers to handle emerging security risks and ransomware attacks • Explore potential opportunities to help small, medium and even large healthcare providers especially from efficient management of cyber risk program • Call for an active participation by the board members and audit compliance committees in raising the support and investment required for cybersecurity programs • Highlight key recommendations from the National Cybersecurity Taskforce formed by the Department of Health and Human Services

Technology
1 of 17
Download to read offline
CHALLENGES & OPPORTUNITIES IN MANAGING CYBER RISKS MAY 03, 2018 Ram Ramadoss, MBA, CISA, CISM, CISSP, CRISC, CIPP Vice President – CRP Privacy and Information Security and EHR Oversight Corporate Responsibility Program Catholic Health Initiatives Colorado, USA
AGENDA • CHI Overview • Small and Medium Sized Providers – an easy target • Challenges • Opportunities • Board Members Engagement • Highlights – Key recommendations from the Taskforce • Q&A 2
CATHOLIC HEALTH INITIATIVES OVERVIEW • An integrated Healthcare provider in the USA • We operate in 17 states through 100 hospitals and 700 plus clinics, including three academic health centers and major teaching hospitals as well as 30 critical-access facilities, community health-service organizations, and nursing colleges. • Operating revenue - $15.5 Billion • 90,000 plus employees • Merger discussion in progress with Dignity Health (a major faith- based healthcare provider in California, Nevada and Arizona) 3
Small and Medium Sized Healthcare Providers – an easy target for cyber threats 4
CHALLENGES • Ignorance is bliss • Dwindling operating margins - low or no security budget • Lack of IT resources and support • No policies/training and lack of cyber hygiene practices • Lack of awareness and education – employees/physicians • Risk assessment – even large companies struggle in this area • No sense of urgency from this sector • Ransomware attacks |No incident management program • Majority of providers moving towards cloud based Electronic Health Record (EHR) solutions 5
CHALLENGES • A major challenge for large healthcare systems – access to EMRs from third party physician practices • Challenges with EHR vendors – configuration best practices • No leverage when these entities deal with third party companies and partners • No ability and resources to process security alerts from Information Sharing and Analysis Centers (ISACs) • No cost effective Managed Security Service Providers (MSSPs) to support this sector 6
CHALLENGES • Legacy applications and legacy medical devices • Business Resilience (non-existent) – major confusion regarding the ownership even for large providers • Lack of knowledge of organization’s storage of data location for cloud based solutions • Lack of accountability in addressing remediation • No robust logging capabilities • Monitoring of activities is minimal | a significant challenge when faced with security incidents 7
CHALLENGES • No network segmentation • No threat and vulnerability management program • A small percentage of organizations with cyber insurance coverage A coordinated attack on multiple small entities could pose a significant risk to national security 8
OPPORTUNITIES- SOLUTION PROVIDERS • Cybersecurity solutions - patient treatment & ease of use • Build more efficient and meaningful platforms (AI and Machine Learning) risk assessment | prioritization of risks options to manage risks • Build cyber care platforms to manage asset management | policies & standards training | phishing campaigns incident management capabilities • Build cost-effective ongoing monitoring solutions 9
OPPORTUNITIES- SOLUTION PROVIDERS • Develop more intuitive security awareness training • Encourage low-cost MSSPs to support these segments • who can enable automation, efficiency and effectiveness • Witnessing a major shift in Third Party Risk Assessments and Monitoring • Develop robust development and support strategies • EHR vendors and medical device manufacturers 10
OPPORTUNITIES – HEALTHCARE PROVIDERS • Address baseline security controls for critical systems • Apply 80-20 rule; maintenance is relatively easier • Conduct independent risk assessments to identify key risks • Focus on business resilience efforts • Implement of advanced endpoint protection solutions • Adopt a conservative approach – firewalls; web filtering; USB monitoring; basic Data Leakage Prevention (DLP) • Security patching and cyber hygiene practices • Reduce less defensible legacy systems and technologies 11
BOARD MEMBERS ENGAGEMENT • Recent incidents have created solid awareness among board members and senior leadership teams • Hire board members who are security savvy and champions of privacy • Quarterly update to the board members • State of security – risks and emerging threats • Integration of security reviews – due diligence and new products/business lines • Identify areas where support is required • Engagement is the key 12
Highlights – Key recommendations from the Health and Human Services National Cybersecurity Taskforce 13
RECOMMENDATIONS FOR SMALL AND MEDIUM SIZED PROVIDERS • Tax incentives, grants to encourage low-cost MSSPs • Crediting providers who have engaged MSSPs • Explore opportunities for individuals to engage in ongoing internship programs • Evaluate incentive options to encourage health care providers migrate to more secure environments 14
OTHER KEY RECOMMENDATIONS • Establish a consistent, consensus based health care specific Cybersecurity Framework • Explore potential impacts to the Physician Self-Referral Law, the Anti-Kickback Statute, and other fraud and abuse laws to allow large health care organizations to share cybersecurity resources and information with their partners. • Improve manufacturing and development transparency among developers and users. • Establish a model for adequately resourcing the cybersecurity workforce with qualified individuals. 15
OTHER KEY RECOMMENDATIONS • Establish a cybersecurity hygiene posture within the health care industry to ensure existing and new products/systems risks are managed in a secure and sustainable fashion. • Provide patients with information on how to manage their health care data, including a cybersecurity and privacy grading system for consumers to make educated decisions when selecting services or products around non-regulated health care services and products. • Improve information sharing of industry threats, risks, and mitigations. 16
Q & A RamRamadoss@catholichealth.net 17

Recommended

Business RISKS From IT
Business RISKS From IT Business RISKS From IT
Business RISKS From IT Sanjiv Arora
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Healthcare Benefit Cost Strategies for 2012
Healthcare Benefit Cost Strategies for 2012Healthcare Benefit Cost Strategies for 2012
Healthcare Benefit Cost Strategies for 2012Nyhart Actuary & Employee Benefit Consultancy
 
RSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programRSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programIceberg Networks Corporation
 
CloudExpo 2015NewYork: Turning The Corner on Cloud Data Security Governance
CloudExpo 2015NewYork: Turning The Corner on Cloud Data Security GovernanceCloudExpo 2015NewYork: Turning The Corner on Cloud Data Security Governance
CloudExpo 2015NewYork: Turning The Corner on Cloud Data Security GovernanceEvelyn de Souza
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015Health IT Conference – iHT2
 
Hipaa risk analysis_1.4
Hipaa risk analysis_1.4Hipaa risk analysis_1.4
Hipaa risk analysis_1.4SISA Information Security Pvt.Ltd
 
Information Security Project
Information Security ProjectInformation Security Project
Information Security Projectnovemberchild
 

Recommended

Business RISKS From IT
Business RISKS From IT Business RISKS From IT
Business RISKS From IT Sanjiv Arora
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Healthcare Benefit Cost Strategies for 2012
Healthcare Benefit Cost Strategies for 2012Healthcare Benefit Cost Strategies for 2012
Healthcare Benefit Cost Strategies for 2012Nyhart Actuary & Employee Benefit Consultancy
 
RSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programRSA-Iceberg Seminar: Building an effective supplier risk management program
RSA-Iceberg Seminar: Building an effective supplier risk management programIceberg Networks Corporation
 
CloudExpo 2015NewYork: Turning The Corner on Cloud Data Security Governance
CloudExpo 2015NewYork: Turning The Corner on Cloud Data Security GovernanceCloudExpo 2015NewYork: Turning The Corner on Cloud Data Security Governance
CloudExpo 2015NewYork: Turning The Corner on Cloud Data Security GovernanceEvelyn de Souza
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015Health IT Conference – iHT2
 
Hipaa risk analysis_1.4
Hipaa risk analysis_1.4Hipaa risk analysis_1.4
Hipaa risk analysis_1.4SISA Information Security Pvt.Ltd
 
Information Security Project
Information Security ProjectInformation Security Project
Information Security Projectnovemberchild
 
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...Levi Shapiro
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014Aladdin Dandis
 
Cura Overview
Cura OverviewCura Overview
Cura OverviewRaj Shekhar
 
( Big ) Data Management - Governance - Global concepts in 5 slides
( Big ) Data Management - Governance - Global concepts in 5 slides( Big ) Data Management - Governance - Global concepts in 5 slides
( Big ) Data Management - Governance - Global concepts in 5 slidesNicolas Sarramagna
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk ManagmentMLG College of Learning, Inc
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurancemindleaftechnologies
 
Cobit v5 High Level Controls Topology
Cobit v5 High Level Controls TopologyCobit v5 High Level Controls Topology
Cobit v5 High Level Controls TopologyJason Rusch - CISSP CGEIT CISM CISA GNSA
 
Information classification
Information classificationInformation classification
Information classificationJyothsna Sridhar
 
Business case for enterprise continuity planning
Business case for enterprise continuity planningBusiness case for enterprise continuity planning
Business case for enterprise continuity planningWilliam Godwin
 
Treat Cyber Like a Disease
Treat Cyber Like a DiseaseTreat Cyber Like a Disease
Treat Cyber Like a DiseaseSurfWatch Labs
 
Critical it assets
Critical it assetsCritical it assets
Critical it assetsShashwat Shankar
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentationchristianaegerter1
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Risk View - InfoSec intro
Risk View - InfoSec introRisk View - InfoSec intro
Risk View - InfoSec introcswinney
 
Looking Ahead to Physician Contracting in 2018
Looking Ahead to Physician Contracting in 2018Looking Ahead to Physician Contracting in 2018
Looking Ahead to Physician Contracting in 2018MD Ranger, Inc.
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteGlobus
 
Systemic Governance - A Generic Framework
Systemic Governance - A Generic FrameworkSystemic Governance - A Generic Framework
Systemic Governance - A Generic FrameworkMalcolm Ryder
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC NextLabs, Inc.
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & StrategyTony Hauxwell
 
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...NextLabs, Inc.
 
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...Healthcare Network marcus evans
 
Microsoft in Healthcare Analytics Georgia HIMSS
Microsoft in Healthcare Analytics Georgia HIMSS Microsoft in Healthcare Analytics Georgia HIMSS
Microsoft in Healthcare Analytics Georgia HIMSS Perficient, Inc.
 

More Related Content

What's hot

mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...Levi Shapiro
 
( Big ) Data Management - Governance - Global concepts in 5 slides
( Big ) Data Management - Governance - Global concepts in 5 slides( Big ) Data Management - Governance - Global concepts in 5 slides
( Big ) Data Management - Governance - Global concepts in 5 slidesNicolas Sarramagna
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurancemindleaftechnologies
 
Information classification
Information classificationInformation classification
Information classificationJyothsna Sridhar
 
Business case for enterprise continuity planning
Business case for enterprise continuity planningBusiness case for enterprise continuity planning
Business case for enterprise continuity planningWilliam Godwin
 
Treat Cyber Like a Disease
Treat Cyber Like a DiseaseTreat Cyber Like a Disease
Treat Cyber Like a DiseaseSurfWatch Labs
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Risk View - InfoSec intro
Risk View - InfoSec introRisk View - InfoSec intro
Risk View - InfoSec introcswinney
 
Looking Ahead to Physician Contracting in 2018
Looking Ahead to Physician Contracting in 2018Looking Ahead to Physician Contracting in 2018
Looking Ahead to Physician Contracting in 2018MD Ranger, Inc.
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteGlobus
 
Systemic Governance - A Generic Framework
Systemic Governance - A Generic FrameworkSystemic Governance - A Generic Framework
Systemic Governance - A Generic FrameworkMalcolm Ryder
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC NextLabs, Inc.
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & StrategyTony Hauxwell
 
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...NextLabs, Inc.
 

What's hot (20)

mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
Cura Overview
Cura OverviewCura Overview
Cura Overview
 
( Big ) Data Management - Governance - Global concepts in 5 slides
( Big ) Data Management - Governance - Global concepts in 5 slides( Big ) Data Management - Governance - Global concepts in 5 slides
( Big ) Data Management - Governance - Global concepts in 5 slides
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurance
 
Cobit v5 High Level Controls Topology
Cobit v5 High Level Controls TopologyCobit v5 High Level Controls Topology
Cobit v5 High Level Controls Topology
 
Information classification
Information classificationInformation classification
Information classification
 
Business case for enterprise continuity planning
Business case for enterprise continuity planningBusiness case for enterprise continuity planning
Business case for enterprise continuity planning
 
Treat Cyber Like a Disease
Treat Cyber Like a DiseaseTreat Cyber Like a Disease
Treat Cyber Like a Disease
 
Critical it assets
Critical it assetsCritical it assets
Critical it assets
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentation
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
Risk View - InfoSec intro
Risk View - InfoSec introRisk View - InfoSec intro
Risk View - InfoSec intro
 
Looking Ahead to Physician Contracting in 2018
Looking Ahead to Physician Contracting in 2018Looking Ahead to Physician Contracting in 2018
Looking Ahead to Physician Contracting in 2018
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
 
Systemic Governance - A Generic Framework
Systemic Governance - A Generic FrameworkSystemic Governance - A Generic Framework
Systemic Governance - A Generic Framework
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
 

Similar to Challenges & Opportunities in Managing Cyber Risks

Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...Healthcare Network marcus evans
 
Microsoft in Healthcare Analytics Georgia HIMSS
Microsoft in Healthcare Analytics Georgia HIMSS Microsoft in Healthcare Analytics Georgia HIMSS
Microsoft in Healthcare Analytics Georgia HIMSS Perficient, Inc.
 
High Risk patient Groups presentation 20150123.1
High Risk patient Groups presentation 20150123.1High Risk patient Groups presentation 20150123.1
High Risk patient Groups presentation 20150123.1Dennis P. Sweeney
 
Microsoft: A Waking Giant in Healthcare Analytics and Big Data
Microsoft: A Waking Giant in Healthcare Analytics and Big DataMicrosoft: A Waking Giant in Healthcare Analytics and Big Data
Microsoft: A Waking Giant in Healthcare Analytics and Big DataDale Sanders
 
Microsoft: A Waking Giant In Healthcare Analytics and Big Data
Microsoft: A Waking Giant In Healthcare Analytics and Big DataMicrosoft: A Waking Giant In Healthcare Analytics and Big Data
Microsoft: A Waking Giant In Healthcare Analytics and Big DataHealth Catalyst
 
Tom Martin from HIMSS-Health 2.0 01.15.2013
Tom Martin from HIMSS-Health 2.0 01.15.2013Tom Martin from HIMSS-Health 2.0 01.15.2013
Tom Martin from HIMSS-Health 2.0 01.15.2013David Parpart, D.C.
 
Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...
Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...
Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...Health Catalyst
 
Moving to the Cloud: Modernizing Data Architecture in Healthcare
Moving to the Cloud: Modernizing Data Architecture in HealthcareMoving to the Cloud: Modernizing Data Architecture in Healthcare
Moving to the Cloud: Modernizing Data Architecture in HealthcarePerficient, Inc.
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareCompTIA
 
The Role of Data Lakes in Healthcare
The Role of Data Lakes in HealthcareThe Role of Data Lakes in Healthcare
The Role of Data Lakes in HealthcarePerficient, Inc.
 
Choosing an Analytics Solution in Healthcare
Choosing an Analytics Solution in HealthcareChoosing an Analytics Solution in Healthcare
Choosing an Analytics Solution in HealthcareDale Sanders
 
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...Sri Bharadwaj
 
Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...
Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...
Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...Investnet
 
The Foundations of Success in Population Health Management
The Foundations of Success in Population Health ManagementThe Foundations of Success in Population Health Management
The Foundations of Success in Population Health ManagementHealth Catalyst
 
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...Shahid Shah
 
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHostway|HOSTING
 
JR's Lifetime Advanced Analytics
JR's Lifetime Advanced AnalyticsJR's Lifetime Advanced Analytics
JR's Lifetime Advanced AnalyticsChase Hamilton
 
JR's Lifetime Advanced Analytics
JR's Lifetime Advanced AnalyticsJR's Lifetime Advanced Analytics
JR's Lifetime Advanced Analyticsd-Wise Technologies
 
Acme hcp 1.0 quality and outcome
Acme hcp 1.0 quality and outcomeAcme hcp 1.0 quality and outcome
Acme hcp 1.0 quality and outcomebrobin14
 

Similar to Challenges & Opportunities in Managing Cyber Risks (20)

Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
Communicating as a Leading and Value-driven CMIO of the Future - Judi Binderm...
 
Microsoft in Healthcare Analytics Georgia HIMSS
Microsoft in Healthcare Analytics Georgia HIMSS Microsoft in Healthcare Analytics Georgia HIMSS
Microsoft in Healthcare Analytics Georgia HIMSS
 
High Risk patient Groups presentation 20150123.1
High Risk patient Groups presentation 20150123.1High Risk patient Groups presentation 20150123.1
High Risk patient Groups presentation 20150123.1
 
Microsoft: A Waking Giant in Healthcare Analytics and Big Data
Microsoft: A Waking Giant in Healthcare Analytics and Big DataMicrosoft: A Waking Giant in Healthcare Analytics and Big Data
Microsoft: A Waking Giant in Healthcare Analytics and Big Data
 
Microsoft: A Waking Giant In Healthcare Analytics and Big Data
Microsoft: A Waking Giant In Healthcare Analytics and Big DataMicrosoft: A Waking Giant In Healthcare Analytics and Big Data
Microsoft: A Waking Giant In Healthcare Analytics and Big Data
 
Tom Martin from HIMSS-Health 2.0 01.15.2013
Tom Martin from HIMSS-Health 2.0 01.15.2013Tom Martin from HIMSS-Health 2.0 01.15.2013
Tom Martin from HIMSS-Health 2.0 01.15.2013
 
Collaborative Healthcare Models
Collaborative Healthcare ModelsCollaborative Healthcare Models
Collaborative Healthcare Models
 
Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...
Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...
Data Is the New Strategic Asset in M&As: Is Ripping and Replacing EHRs Really...
 
Moving to the Cloud: Modernizing Data Architecture in Healthcare
Moving to the Cloud: Modernizing Data Architecture in HealthcareMoving to the Cloud: Modernizing Data Architecture in Healthcare
Moving to the Cloud: Modernizing Data Architecture in Healthcare
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in Healthcare
 
The Role of Data Lakes in Healthcare
The Role of Data Lakes in HealthcareThe Role of Data Lakes in Healthcare
The Role of Data Lakes in Healthcare
 
Choosing an Analytics Solution in Healthcare
Choosing an Analytics Solution in HealthcareChoosing an Analytics Solution in Healthcare
Choosing an Analytics Solution in Healthcare
 
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
Closing-the-gap-meeting-acute-workforce-needs-in-healthcare-cyber security-an...
 
Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...
Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...
Maureen Charlebois, Chief Nursing Director and Group Director, Canada Health ...
 
The Foundations of Success in Population Health Management
The Foundations of Success in Population Health ManagementThe Foundations of Success in Population Health Management
The Foundations of Success in Population Health Management
 
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
Open Source is a great opportunity for EHR, Digital Health, and Health IT Int...
 
HIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare CloudHIPAA Compliance: Simple Steps to the Healthcare Cloud
HIPAA Compliance: Simple Steps to the Healthcare Cloud
 
JR's Lifetime Advanced Analytics
JR's Lifetime Advanced AnalyticsJR's Lifetime Advanced Analytics
JR's Lifetime Advanced Analytics
 
JR's Lifetime Advanced Analytics
JR's Lifetime Advanced AnalyticsJR's Lifetime Advanced Analytics
JR's Lifetime Advanced Analytics
 
Acme hcp 1.0 quality and outcome
Acme hcp 1.0 quality and outcomeAcme hcp 1.0 quality and outcome
Acme hcp 1.0 quality and outcome
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Challenges & Opportunities in Managing Cyber Risks

  • 1. CHALLENGES & OPPORTUNITIES IN MANAGING CYBER RISKS MAY 03, 2018 Ram Ramadoss, MBA, CISA, CISM, CISSP, CRISC, CIPP Vice President – CRP Privacy and Information Security and EHR Oversight Corporate Responsibility Program Catholic Health Initiatives Colorado, USA
  • 2. AGENDA • CHI Overview • Small and Medium Sized Providers – an easy target • Challenges • Opportunities • Board Members Engagement • Highlights – Key recommendations from the Taskforce • Q&A 2
  • 3. CATHOLIC HEALTH INITIATIVES OVERVIEW • An integrated Healthcare provider in the USA • We operate in 17 states through 100 hospitals and 700 plus clinics, including three academic health centers and major teaching hospitals as well as 30 critical-access facilities, community health-service organizations, and nursing colleges. • Operating revenue - $15.5 Billion • 90,000 plus employees • Merger discussion in progress with Dignity Health (a major faith- based healthcare provider in California, Nevada and Arizona) 3
  • 4. Small and Medium Sized Healthcare Providers – an easy target for cyber threats 4
  • 5. CHALLENGES • Ignorance is bliss • Dwindling operating margins - low or no security budget • Lack of IT resources and support • No policies/training and lack of cyber hygiene practices • Lack of awareness and education – employees/physicians • Risk assessment – even large companies struggle in this area • No sense of urgency from this sector • Ransomware attacks |No incident management program • Majority of providers moving towards cloud based Electronic Health Record (EHR) solutions 5
  • 6. CHALLENGES • A major challenge for large healthcare systems – access to EMRs from third party physician practices • Challenges with EHR vendors – configuration best practices • No leverage when these entities deal with third party companies and partners • No ability and resources to process security alerts from Information Sharing and Analysis Centers (ISACs) • No cost effective Managed Security Service Providers (MSSPs) to support this sector 6
  • 7. CHALLENGES • Legacy applications and legacy medical devices • Business Resilience (non-existent) – major confusion regarding the ownership even for large providers • Lack of knowledge of organization’s storage of data location for cloud based solutions • Lack of accountability in addressing remediation • No robust logging capabilities • Monitoring of activities is minimal | a significant challenge when faced with security incidents 7
  • 8. CHALLENGES • No network segmentation • No threat and vulnerability management program • A small percentage of organizations with cyber insurance coverage A coordinated attack on multiple small entities could pose a significant risk to national security 8
  • 9. OPPORTUNITIES- SOLUTION PROVIDERS • Cybersecurity solutions - patient treatment & ease of use • Build more efficient and meaningful platforms (AI and Machine Learning) risk assessment | prioritization of risks options to manage risks • Build cyber care platforms to manage asset management | policies & standards training | phishing campaigns incident management capabilities • Build cost-effective ongoing monitoring solutions 9
  • 10. OPPORTUNITIES- SOLUTION PROVIDERS • Develop more intuitive security awareness training • Encourage low-cost MSSPs to support these segments • who can enable automation, efficiency and effectiveness • Witnessing a major shift in Third Party Risk Assessments and Monitoring • Develop robust development and support strategies • EHR vendors and medical device manufacturers 10
  • 11. OPPORTUNITIES – HEALTHCARE PROVIDERS • Address baseline security controls for critical systems • Apply 80-20 rule; maintenance is relatively easier • Conduct independent risk assessments to identify key risks • Focus on business resilience efforts • Implement of advanced endpoint protection solutions • Adopt a conservative approach – firewalls; web filtering; USB monitoring; basic Data Leakage Prevention (DLP) • Security patching and cyber hygiene practices • Reduce less defensible legacy systems and technologies 11
  • 12. BOARD MEMBERS ENGAGEMENT • Recent incidents have created solid awareness among board members and senior leadership teams • Hire board members who are security savvy and champions of privacy • Quarterly update to the board members • State of security – risks and emerging threats • Integration of security reviews – due diligence and new products/business lines • Identify areas where support is required • Engagement is the key 12
  • 13. Highlights – Key recommendations from the Health and Human Services National Cybersecurity Taskforce 13
  • 14. RECOMMENDATIONS FOR SMALL AND MEDIUM SIZED PROVIDERS • Tax incentives, grants to encourage low-cost MSSPs • Crediting providers who have engaged MSSPs • Explore opportunities for individuals to engage in ongoing internship programs • Evaluate incentive options to encourage health care providers migrate to more secure environments 14
  • 15. OTHER KEY RECOMMENDATIONS • Establish a consistent, consensus based health care specific Cybersecurity Framework • Explore potential impacts to the Physician Self-Referral Law, the Anti-Kickback Statute, and other fraud and abuse laws to allow large health care organizations to share cybersecurity resources and information with their partners. • Improve manufacturing and development transparency among developers and users. • Establish a model for adequately resourcing the cybersecurity workforce with qualified individuals. 15
  • 16. OTHER KEY RECOMMENDATIONS • Establish a cybersecurity hygiene posture within the health care industry to ensure existing and new products/systems risks are managed in a secure and sustainable fashion. • Provide patients with information on how to manage their health care data, including a cybersecurity and privacy grading system for consumers to make educated decisions when selecting services or products around non-regulated health care services and products. • Improve information sharing of industry threats, risks, and mitigations. 16