On Thursday, September 8th at 11:00 am, I hosted a webinar with the HIMSS Southern California Chapter. It was about pinpointing critical IT security threats and the steps organizations should take to address them. I specifically addressed the following topics:
• The importance of an IT security assessment
• How to build an effective framework around your security program
• The latest threats and how other organizations are handling them
• How to communicate to your board of directors about security
2. Marty Miller
Interim CTO at Verity Health System / T2 Tech Group Partner
• Over 15 years of experience in healthcare IT leadership, strategy and digital informatics
• Partner at T2 Tech Group and current interim CTO at Verity Health System
• Previous CIO and CTO at Children’s Hospital Los Angeles from 2006 - 2014
• In 2014, recognized in CRN’s Top 20 Most Innovative Midmarket CIOs and Hospitals and Health Network’s Most Wired list
• Proven success record in cloud migrations, digital business transformation, data center moves, EHR implementations and new hospital openings
• Worldwide IT Security Manager for Ingram Micro 2000-2003
3. Areas of discussion
• Threat landscape
• How to build your security program around an effective framework
• How are other organizations dealing with the latest threats
• Communicating with your executives and board of directors
4. Threat Landscape
• Many new threats daily
– Nation states, hacktivist groups, terrorists, competitors, domestic intelligence services
– Ransomware
– Medical device security issues
– Other recent security breaches from the news
• As health systems and hospitals utilize EHRs, patient/physician portals, and Health Information Exchange, the risk increases

[Chart: Detected Security Incidents by Company Size (revenue), 2013 vs. 2014]
Company size   2013     2014
Small          1,151    1,091
Medium         2,581    4,227
Large          9,155    13,138
Source: Managing cyber risks in an interconnected world, Key findings from The Global State of Information Security Survey 2015, PWC

It’s not a matter of if you have a security incident, but when
5. The Biggest Data Breaches in 2016, So Far
• MedStar Health Inc.
– March 30, 2016: The FBI is investigating a computer virus that paralyzed MedStar Health-operated hospitals in Maryland and Washington.
• Premier Healthcare
– March 10, 2016: A data breach was reported by Premier Healthcare, a multispecialty provider healthcare group, after a laptop computer was stolen from the billing department of their Bloomington, Indiana headquarters.
• 21st Century Oncology
– March 10, 2016: 21st Century Oncology, a Fort Myers-based company offering cancer care services, revealed in a statement on their website that 2.2 million patients may have had personal information stolen when the company’s system was breached in October 2015.
• Snapchat
– March 3, 2016: 700 current and former Snapchat employees had their personal information stolen when hackers used a phishing scam to trick an employee into e-mailing them the private data.
• UC Berkeley
– February 29, 2016: The financial data of more than 80,000 University of California, Berkeley students, alumni, employees, and school officials was compromised around December 2015 and announced to the public in February 2016.
• Wendy’s
– May 11, 2016: The company believes that malware infiltrated one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.
• LinkedIn
– May 17, 2016: A 2012 data breach came back to haunt LinkedIn when 117 million email and password combinations stolen by hackers four years ago popped up online.
6. A Thought to Ponder
• The security breaches we’ve heard of aren’t happening because the affected organizations aren’t spending money on tools or people – so why hasn’t that spending been effective?
• A clear strategy built around an effective framework to prioritize and manage risks, respond to attacks, and identify the right tools for the job is necessary
7. Security Framework
• Many frameworks cover cybersecurity
– ISO
– SANS
– COBIT 5 for Security
– PCI-DSS
– NIST
• Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

NIST Cyber Security Framework core
• Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
• Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
• Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
• Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
• Recover: Recovery Planning; Improvements; Communications
8. Where security money is traditionally spent
(NIST Cyber Security Framework core diagram, repeated from slide 7.)
9. Where security money is traditionally spent
(NIST Cyber Security Framework core diagram, repeated from slide 7.)
10. Crisis Communications Plan
1. If you don't communicate immediately, you lose your greatest opportunity to control events.
2. After identifying the audiences and the spokesperson assigned to communicate with each audience, the next step is to script messages.
– Pre-scripted messages should be prepared using information developed during the risk assessment. The risk assessment process should identify scenarios that would require communications with stakeholders.
11. How are organizations dealing with the threats?
• Routine board level topic and concern
– CISO reports to board regularly
• Robust communication in place for security incidents
• Cybersecurity assessment
• Prioritize improvement in areas of weakness
• Routine testing of controls / continuous improvement
• Strong relationship with Internal Audit
• Sourcing security functions – SIEM monitoring, IPS monitoring, security assessments, pen testing
– At least one annual pen test - an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities
• Obtain multi-year budget for improvement/evolution
13. Communicating Security to Executives
• Perfect security is impossible – the goal is to detect breaches quickly and minimize their impact
– Strengthen your ability to recover when incidents occur
• Compliance does not equal “security”
• Cyber risk management strategy must be a component of business strategy and can’t simply be delegated to IT
• Cyber threats can impact brand, patient care, and patient satisfaction/provider choices
• Security isn’t a project
• Talent is difficult to find – sourcing some security functions is likely a reality
14. 6th Annual Privacy & Security Forum
Sept. 30, 2016, 8am-3:30pm
Hoag Hospital Conference Center, Newport Beach, CA
• CISOs Panel:
– Bryan Kissinger
– Gary Gooden
– Nolan Garrett
– Tamer Azmy