Cybercriminals are targeting the health care sector, and many organizations lack the visibility and controls needed to protect their information. To minimize cyber risk and stay ahead of future threats, health care organizations must adopt an intelligence-driven approach that helps establish and maintain an effective and efficient security program.
Managing Cybersecurity in Health Care: Best Practices Every Organization Needs to Know
1. Speaker Firms and Organization:
Thank you for logging into today’s event. Please note we are in standby mode. All microphones will be muted until the event starts. We will be back with speaker instructions at 09:55am. Any questions? Please email: info@theknowledgegroup.org
Group Registration Policy
Please note ALL participants must be registered or they will not be able to access the event.
If you have more than one person from your company attending, you must fill out the group registration form.
We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.
To obtain a group registration please send a note to info@theknowledgegroup.org or call 646.202.9344.
Presented By:
May 03, 2016
1
Partner Firms:
Accellion
Bob Ertl
Sr. Director, Product Management
White and Williams LLP
Daniel J. Ferhat
Partner
SurfWatch Labs
Adam Meyer
Chief Security Strategist
Barnabas Health
Luis Taveras
SVP and Chief Information Officer
2. Please note the FAQ.HELP tab located to the right of the main presentation. On this page you will find answers to the top questions asked by attendees during the webcast, such as how to fix audio issues, where to download the slides and what to do if you miss a secret word. To access this tab, click the FAQ.HELP tab to the right of the main presentation; when you’re done, click the tab of the main presentation to get back.
For those viewing the webcast on a mobile device, please note:
o These instructions are for Apple and Android devices only. If you are using a Windows tablet, please follow the instructions for viewing the webcast on a PC.
o The FAQ.HELP tab will not be visible on mobile devices.
o You will receive the frequently asked questions and other pertinent info through the app’s chat window on your device.
o On Apple devices you must tap the screen anywhere to see the task bar, which appears as a blue bar across the top of the screen. Tap the chat icon, then tap “chat with all” to access the FAQs.
o Feel free to submit questions by using the “questions” function built into the app on your device.
o You may use your device’s pinch-to-zoom function to enlarge the slide images on your screen.
o Headphones are highly recommended. In the event of audio difficulties, a dial-in number is available and will be provided via the app’s chat function on your device.
Follow us on Twitter, that’s @Know_Group to receive updates for this event as well as other news and pertinent info.
If you experience any technical difficulties during today’s WebEx session, please contact our Technical Support @ 866-779-3239. We will post the
dial information in the chat window to the right shortly and it’s available in the FAQ.Help Tab on the right.
You may ask a question at anytime throughout the presentation today via the chat window on the lower right hand side of your screen. Questions
will be aggregated and addressed during the Q&A segment.
Please note, this call is being recorded for playback purposes.
If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today’s event, please send
an email to: info@theknowledgegroup.org. If you’re already logged in to the online Webcast, we will post a link to download the files shortly and it’s
available in the FAQ.Help Tab.
If you are listening on a laptop, you may need to use headphones, as some laptop speakers are not sufficiently amplified to hear the
presentations. If you do not have headphones and cannot hear the webcast, send an email to info@theknowledgegroup.org and we will send you
the dial-in phone number.
About an hour or so after the event, you'll be sent a survey via email asking for your feedback on your experience with this event today. It's
designed to take less than two minutes to complete, and it helps us understand how to wisely invest your time in future events. Your feedback is
greatly appreciated. If you are applying for continuing education credit, completion of the survey is mandatory as per your state boards and
bars. 6 secret words (3 for each credit hour) will be given throughout the presentation. We will ask you to fill these words into the survey as proof
of your attendance. Please stay tuned for the secret word. If you miss a secret word, please refer to the FAQ.Help tab to the right.
Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read the secret
word. Pardon the interruption.
Welcome to the Knowledge Group Unlimited Subscription Programs. We have Two Options Available for You:
FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:
Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts.
Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
50% discount for purchase of all Live webcasts and downloaded recordings.
PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:
Access to all LIVE Webcasts (Normally $199 to $349 for each event without a subscription). Including: Bring-a-Friend – Invite a
client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
Access to all of Recorded/Archived Events & Course Material includes 1,500+ hours of audio material (Normally $299 for each
event without a subscription).
Free Certificate of Attendance Processing (Normally $49 Per Course without a subscription).
Access to over 15,000 pages of course material from Knowledge Group Webcasts.
Ability to invite a guest of your choice to attend any live webcast Free of charge (Exclusive benefit only available for PAID
UNLIMITED subscribers).
6 Month Subscription is $499 with No Additional Fees. Other options are available.
Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up
sheet contained in the link below.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Knowledge Group UNLIMITED PAID Subscription Programs Pricing:
Individual Subscription Fees: (2 Options)
Semi-Annual: $499 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.
Annual: $799 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.
Group plans are available. See the registration form for details.
Best ways to sign up:
1. Fill out the sign up form attached to the post conference survey email.
2. Sign up online by clicking the link contained in the post conference survey email.
3. Click the link below or the one we just posted in the chat window to the right.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Questions: Send an email to: info@theknowledgegroup.org with “Unlimited” in the subject.
7. Sponsors:
SurfWatch Labs helps organizations and service providers quickly establish
a strategic cyber threat intelligence operation that drives more effective use
of their tactical defenses.
Founded in 2013 by former US Government intelligence analysts, SurfWatch
Labs solutions provide a 360-degree view of cyber threats in the context of
your business, along with practical and personalized support to create
immediate insights and meaningful action. Combining useful analytics,
applications and human expertise, SurfWatch solutions can be your off-the-
shelf, cyber threat intelligence team or delivered as a comprehensive
product suite that easily integrates with your existing cybersecurity
operations.
SurfWatch Labs: Cyber In Sight. For more information, visit
www.surfwatchlabs.com.
Accellion, Inc. is the leading private cloud solution for secure file sharing and
collaboration, enabling health care organizations to manage protected health
information (PHI), increase productivity and help ensure data security and
HIPAA compliance. Accellion solutions are used by more than 15 million
users and 2,500 of the world’s leading corporations, government agencies
and healthcare organizations including: Indiana University Health, Kaiser
Permanente, Seattle Children’s Hospital and Beth Israel Deaconess Medical
Center. For more information please visit www.accellion.com or call (650)
485-4300. Follow Accellion’s Blog, Twitter, Facebook and LinkedIn.
8. Partner Firms:
Founded in 1899, White and Williams LLP is a global-reaching, multi-
practice law firm with over 240 lawyers in ten offices. Clients include the
Fortune 500, insurance companies, large corporations, and financial
institutions as well as mid-market and small businesses, institutions of higher
education and individuals. Our lawyers handle a wide array of complex
litigation, regulatory matters and transactions.
9. Brief Speaker Bios:
Adam Meyer
Adam Meyer leads the threat intelligence analyst team at SurfWatch Labs, and has served in leadership positions in the defense,
technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief
Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation
systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and
Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier
engineering and acquisition commands.
Daniel J. Ferhat
Dan Ferhat is a Partner with White and Williams LLP. He focuses his practice on medical professional liability litigation and general
liability matters. He defends hospitals, physicians, nurses and other health care practitioners against professional liability claims at the
trial court and appellate court levels. Dan has represented clients in jury trials as well as independently taken cases to verdict before
arbitration panels and judges and has been retained to assist physicians in administrative proceedings before peer review
credentialing committees. In addition to his litigation practice, Dan counsels healthcare clients with respect to HIPAA compliance,
cybersecurity and other privacy issues and policies. He can be reached at ferhatd@whiteandwilliams.com.
10. Brief Speaker Bios:
Luis Taveras
Dr. Luis E. Taveras is Senior Vice President and Chief Information Officer for Barnabas Health. Barnabas Health is New Jersey’s
largest integrated health care delivery system, providing treatment and services to more than two million patients each year. Dr.
Taveras was most recently in the same capacity at Hartford HealthCare, the largest health care network in Connecticut. From
2003-2009, Dr. Taveras was a Partner with Accenture. Before joining Accenture, Dr. Taveras was the Chief Technology Officer and Senior
Vice President for St. Vincent Catholic Medical Centers of New York. Prior to that, he was a Senior Partner and Vice President
responsible for Computer Sciences Corporation’s East Coast Health Care Practice and a member of KPMG Consulting’s Health Care
Technology Practice. Dr. Taveras also spent nearly two decades in a number of leadership positions with IBM’s Health Care and
Higher Education Practices. Dr. Taveras earned his Ph.D. at the University of Sarasota, his MBA from Rutgers University and a
Bachelor of Science from Wesleyan University.
► For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1355
Bob Ertl
Bob Ertl leads the team that defines Accellion’s next-generation products and features, balancing ease of content sharing and
collaboration with high-end security and compliance. With over 20 years of product management experience, Bob brings a focus on
innovation and end user simplicity. Prior to Accellion, he concentrated on business intelligence at Oracle, Hyperion, Brio and several
start-ups, and worked as a data warehouse consultant. Bob started his career as a hardware designer for high-performance, high-
availability servers.
11. Massive cyberattacks have expanded their reach beyond financial institutions, retail companies and banks to the premises of the health
care industry. Cybercriminals are targeting medical records, which contain sensitive and valuable information that may be used for
identity theft and fraud. And many health care organizations do not have the necessary visibility and controls in place to ensure the
protection of health care information.
In order to minimize cyber risk and avoid future threats, health care organizations must adopt an intelligence-driven approach that helps
establish and maintain an effective and efficient security program.
In this two-hour LIVE Webcast, a panel of thought leaders and professionals assembled by The Knowledge Group will help the
audience understand all the important issues with regard to maintaining effective and efficient cybersecurity management in the
health care industry. The panel will present their thoughts, opinions and expertise on how to manage cybersecurity in the health care industry.
Key topics include:
• Cybersecurity in Health Care - An Overview
• Risk Assessment and Identification
• Fundamentals of Cybersecurity and Privacy
• The Implications for Health Care Providers
• Common Pitfalls and Threats in Health Care Security
• How to Employ an Intelligence-Driven Defense
• Health Care Industry Plan Development
12. Featured Speakers:
SEGMENT 1:
Daniel J. Ferhat
Partner
White and Williams LLP
SEGMENT 2:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
SEGMENT 3:
Bob Ertl
Sr. Director, Product Management
Accellion
SEGMENT 4:
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
13. Introduction
Dan Ferhat is a Partner with White and Williams LLP. He focuses his practice on medical professional liability litigation and
general liability matters. He defends hospitals, physicians, nurses and other health care practitioners against professional
liability claims at the trial court and appellate court levels. Dan has represented clients in jury trials as well as independently
taken cases to verdict before arbitration panels and judges and has been retained to assist physicians in administrative
proceedings before peer review credentialing committees. In addition to his litigation practice, Dan counsels healthcare
clients with respect to HIPAA compliance, cybersecurity and other privacy issues and policies. He can be reached at
ferhatd@whiteandwilliams.com.
SEGMENT 1:
Daniel J. Ferhat
Partner
White and Williams LLP
14. The Healthcare Industry Has Become Increasingly Susceptible to Data Breaches
• The healthcare industry accounts for 44% of data breaches
• EHRs have 50 times the black market value of a credit card
-2014 Bitglass Report | Healthcare Breach Report
15. Why Steal EHRs?
Goldmine of Data
• Personally identifiable information
• Credit card information
• Private health information
Once the data is hijacked, cyber criminals will sell it on the Dark Web
16. Value Of EHRs On The Black Market
• File fraudulent insurance claims
• Obtain & resell prescription medication
• Advance identity theft
• Thieves advertise and sell Medicare ID numbers online
-FBI Cyber Division, Private Industry Notification, April 2014
17. There Has Been A Shift Toward Hacking As The Primary Threat To Healthcare Data
2015 Statistics
• 98% of healthcare data breaches were due to large-scale hacking and IT-related incidents
• Over 111 million people affected by hacking or IT-related incidents
-2016 Bitglass Report | Healthcare Breach Report
2014 Statistics
• 68% of healthcare data breaches since 2010 occurred when devices were lost or stolen
• Less than 2 million people affected by hacking or IT-related incidents
18. Financial Harm
• A 2016 study estimates that data breaches could be costing the healthcare industry $6 billion annually
• Average cost for a data breach for healthcare organizations is estimated to be more than $2.1 million
-2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data | Ponemon Institute
19. Wall of Shame
20. Introduction
Adam Meyer leads the threat intelligence analyst team at SurfWatch Labs, and has served in leadership positions in the
defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer
was the Chief Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest
public transportation systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of
Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command,
one of the Navy's premier engineering and acquisition commands.
SEGMENT 2:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
21. You Can’t Defend Your Organization if You Don’t Know What Threats Are Coming
Nation State:
• Typically leverage cyber capabilities to engage in long-term campaigns focusing on economic, industrial, and government espionage
Criminal:
• Cyber crime is a business - with a very high return taking little effort
• Criminals target businesses that are custodians of a commodity that can be monetized:
- Identity information (Employee & Consumer)
- Financial Information (Payment, Banking, Gift Card, Coupons, Entertainment accounts etc.)
22. You Can’t Defend Your Organization if You Don’t Know What Threats Are Coming
• Criminals will target any business that provides an avenue of approach to high value entities
- Defense/Law Enforcement
- Does your organizational business model provide products or services to the Defense or Law Enforcement Industry?
- Critical Infrastructure
- Is your organization a part of a critical infrastructure sector or does it support critical infrastructure?
- Supply Chain
- Are you a part of the supply chain for an organization that could potentially be a high value target?
23. The Threat Balloon
Cybercriminals shift their tactics to hit targets that are: “Attractive” and “Soft”
This is a blind spot in your risk program
24. 2015 Cyber Breach Summary
354 - The number of distinct Industry targets that had a negative “event” in 2015
27. How has Cyber Activity Changed for 2016?
131 - Number of distinct Industry targets that had a negative “event” in 2016
28. How has Cyber Activity Changed for 2016?
29. Moving from Incident Response to Breach Response
• Treat Incident Response and Breach Response as separate plans and activities
• Incident response is the internal response to an event that is intended to limit immediate damage. (Technical Teams)
• Breach response is the external response to an incident when a reporting threshold has been reached. (Leadership Teams, Counsel, PR)
All breaches are incidents but not all incidents are breaches,
and breach response needs to include scenarios for fraud and extortion.
This is a Business Resilience issue!
30. Where to Go from Here
• Continuing to do more of the same (reactionary/crisis-mode security) isn’t working
• Are you spending effort and budget in the right areas?
• How do you stay on top of the latest cyber issues impacting healthcare organizations?
• Treat this as a business problem and not a technical problem. The technology is just enabling your business.
• Use intelligence to reduce uncertainty, make decisions and take action.
31. Introduction
Bob Ertl leads the team that defines Accellion’s next-generation products and features, balancing ease of content sharing
and collaboration with high-end security and compliance. With over 20 years of product management experience, Bob
brings a focus on innovation and end user simplicity. Prior to Accellion, he concentrated on business intelligence at Oracle,
Hyperion, Brio and several start-ups, and worked as a data warehouse consultant. Bob started his career as a hardware
designer for high-performance, high-availability servers.
SEGMENT 3:
Bob Ertl
Sr. Director, Product Management
Accellion
32. Healthcare workers care about information security
- It’s the right thing to do, and part of the Hippocratic Oath!
“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
- It’s the law - HIPAA, HITECH, Meaningful Use, State Laws...
- Healthcare organizations are always under attack
- Effective management of information security improves patient care and safety.
- BUT THEY ARE SAVING LIVES, so we can’t let security controls hamper them.
33. Healthcare Information Challenges
- Access and Share PHI securely
- Comply with HIPAA, HITECH
- Coordinate care efficiently
- Modernize patient workflows
- Access PHI from any device
- Head off “Shadow IT”
Roll out security that workers can live with. Or they will work around it.
34. Underestimating the risks
- Accessing sensitive data on personal devices?
- Are devices protected on trips or on call?
- How is sensitive data transferred and shared?
- What do partners do with the sensitive data you sent them?
35. Securing Data
Data needs to be protected in three states
AT REST | IN MOTION | IN USE
36. Securing Data at Rest
Design for the worst
• Protect systems even when they are broken into
• Encryption of all data at rest
• Secure and rotate keys
• Deploy systems to maximize compliance with your policies
• On-premises to maximize control
• Private hosted to avoid cross-talk risks of multi-tenant
• Hybrid – handle a mix of on-prem and cloud data sources
• Protect mobile devices and laptops even when stolen
• Encrypted secure container
• Remote wipe
37. Securing Data in Motion
Protect information when working with patients and partners, and uncontrolled equipment and locations
• Encrypt all communications
• Typically SSL, HTTPS
• VPN often too fussy for healthcare workers
• Data Loss Prevention (DLP) software
• Detect and track potential PII and PHI leaks
• File Type Exclusion to keep out malware (e.g., .exe)
• Whitelist/blacklist locations
• Whitelist/blacklist capabilities by device
• Whitelist/blacklist “open-in” to mobile apps
38. Securing Data In Use
• Control system access
• Authentication, SSO, 2FA
• Control information access by role, “need to know” and “need to keep”
• Granular administration and collaboration controls
• Leak-proof viewers and editors
• Access expiration and digital rights management (DRM, IRM)
• Visibility and incident management
• Monitoring, detection, SIEM
• Comprehensive auditing and reporting
• Archiving for eDiscovery
39. Use Cases
Doctor – Patient
• PHI compliant exchange of info - test results, pictures of wounds, discharge info
• Transfer of patient records for second opinion cases
• Patient accessing health records or consolidating all healthcare information
Provider – 3rd party
• Providers send patient information to another health care professional
• Send immunization data to public health organizations
• Secure information exchange with insurance companies for billing purposes
Medical Facility Compliance
• Monthly device calibration process
• Flu vaccination forms for staff / employees
40. Case Study 1
Ranked as a top U.S. Hospital. Renowned for excellence in patient care,
biomedical research, teaching, and community service.
Business Challenges
• Risk of HIPAA violation with users using less secure solutions as “workarounds” due to tight email policies and practices
• Internal secure file transfer service was not user-friendly and management became too involved
Solution
• A secure file sharing solution that provides a user-friendly interface design, network virus protection, and key management capabilities, such as security monitoring and process control
Benefits Realized
• Ability to send and receive large files in real-time
• Security/Privacy with HIPAA compliance
• Granular admin controls of file sharing. Minimized IT support for file sharing
• Ease-of-use for non-technical users, network virus protection, security monitoring and process control
41. Case Study 2
Premier provider of healthcare in the U.S. Midwest. In 2014, the network’s hospitals had around 150,000 admissions and 2.5 million outpatient visits.
Business Challenges
• CD-ROMs were used and shipped overnight via a courier service
• Needed a solution to efficiently and securely deliver large files, since doctors may be on separate computer networks
Solution
• On-premises file sharing solution was deployed, which provided a way to securely collaborate and share files to protect patients’ privacy and comply with HIPAA
• Grouping of files into folders to keep related patient files together
• Email plug-ins for Microsoft Outlook and Lotus Notes, and an easy, e-mail-like interface for clinicians to use without IT support
Benefits Realized
• Shortened the diagnosis process, because hospitals can share large folders of files in real-time with doctors, who are able to evaluate the data and turn around a transcript within hours
42. Secure File Sharing Benefits
• Expedite diagnosis and improve workflows by enabling secure collaboration between doctors and outside partners
• Increasing mobility, while remaining HIPAA compliant, enables physicians to quickly and securely access patient data
• Secure and effective management of sensitive information can help protect an organization’s medical data and IP, and improve patient care and safety
• Proactive security reduces the likelihood of a breach and helps reduce expenses
• Knowing the information is secure enhances patient engagement and improves treatment
43. Introduction
Dr. Luis E. Taveras is Senior Vice President and Chief Information Officer for Barnabas Health. Barnabas Health is New
Jersey’s largest integrated health care delivery system, providing treatment and services to more than two million patients
each year. Dr. Taveras was most recently in the same capacity at Hartford HealthCare, the largest health care network in
Connecticut. From 2003-2009, Dr. Taveras was a Partner with Accenture. Before joining Accenture, Dr. Taveras was the
Chief Technology Officer and Senior Vice President for St. Vincent Catholic Medical Centers of New York. Prior to that, he
was a Senior Partner and Vice President responsible for Computer Sciences Corporation’s East Coast Health Care Practice
and a member of KPMG Consulting’s Health Care Technology Practice. Dr. Taveras also spent nearly two decades in a
number of leadership positions with IBM’s Health Care and Higher Education Practices. Dr. Taveras earned his Ph.D. at the
University of Sarasota, his MBA from Rutgers University and a Bachelor of Science from Wesleyan University.
SEGMENT 4:
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
44. Key Questions
What are the most effective and affordable strategies for protecting the RWJBH enterprise?
We have to abide by all regulatory rules and regulations, but is that enough in today’s cyber warfare environment?
Now that we have built a strong cybersecurity team, what do we need to do to retain them as engaged critical members of our team?
45. I. Cybersecurity at RWJBarnabas HEALTH
46. Information security is now a board room discussion at RWJBH.
Information Security is now a part of the strategic objectives of the organization.
Our Board of Directors at the Corporate and local levels along with our investors,
regulatory agencies and insurance companies expect us to build and implement a
comprehensive set of security strategic objectives.
At RWJBH our plan is to continue to strengthen our security posture to protect our patients
and employees while meeting all regulatory requirements.
47. Our program is overseen and guided by key members of our leadership team.
Security Oversight Group (SOG)
Meeting Frequency: Monthly; Ad-Hoc meetings as needed
48. The SOG has helped us to prepare a matured work plan that meets the current objectives of the organization while continuing to transform our Information security environment.
Streamlined all security related processes
• Information Risk Management/Business Risk versus Reward Analysis
To systematize risk/reward decision-making
• Asset Inventory and Valuation
To prioritize protection strategies and focus on safeguarding the crown jewels
• Third-Party Risk Management/IT Supply Chain Integrity
To assess the growing number of globally sourced service providers and systems components
• Security Processing Optimization
To formalize improving the efficiency of security process
• Controls Agility
To achieve objectives for security controls using new methods in response to trends such as cloud and mobile
computing.
49. The SOG has helped us to prepare a matured work plan that meets the current objectives of the organization while continuing to transform our Information security environment (Continued).
Built intelligence to detect and prevent internal and external threats
• Cyber Risk Intelligence and Threat Analysis
To understand the adversarial landscape and recognize attack indicators
• Security Data Analytics
To apply advanced analytics techniques in detecting anomalous system or user behavior within IT environments
• Security Data Management and Data Warehousing
To develop an overarching strategy and infrastructure for collecting data from various inputs to be used for various purposes such as threat detection, controls monitoring, and compliance reporting.
50. This plan, called Defense In Depth, requires that we deploy the necessary people, apply the proper processes, and employ the appropriate technologies in a fiscally responsible manner.
People
Build and retain a high performing security team
Provide training to stay current with threats and mitigation
Implement strategies to keep team members engaged
Process
Build repeatable and measurable processes to attain maturity
Use the Cyber Security Framework and Center for Internet Security (CIS) 20 Critical Security Controls to design safeguards
Technology
Implement solutions to build a Defense-in-Depth security model
51. Our Defense-in-Depth plan has been developed from a business standpoint and addresses all areas that require controls.
Our information security succeeds by providing our entire organization with the ability to identify risks and provide the safeguards necessary to stay ahead of cyber criminals at home and abroad. The following areas present a composite view of the People, Process and Technology paradigm that guides our framework.
IT Governance Risk and Compliance
Identity and Access Control Management
Incident Management (Prevention and Detection)
Threat Management
Vulnerability Management
Data Security
Network Security
System Security
Business Continuity Management
Information Lifecycle Management (Data Governance)
52. This plan is based on industry standards as provided by the National Information Security Task Force Cybersecurity Framework.
53. We’ve used this framework to make significant progress in protecting our organization in the past two years.
Network Risk Assessment
Corrective Action plan development underway
Network Security
Network Access Control Phase I & II underway, will secure JCMC, SBMC, ACC, CMC, SBH and Data Centers including business office
Phase III will secure the remaining sites (NBI, MMC-S, MMC, CMM)
Database Security
Database Activity/Access Monitoring Phase I started to secure 50 Database servers and inspect 200 (BH has over 1000 database servers)
Phase II will be to consolidate some of the environment to realize economies and improve controls/security
Identity and Access Control Management
Privileged Account Security
Access Management Group
54. Recognizing that this is a journey, we plan to undertake several major initiatives to continue strengthening our security posture in 2016 and beyond.
IT Governance Risk and Compliance Solution (GRC)
HIPAA Compliance
Risk Management
Privacy Access Audit
Regulatory Compliance Analyst
GRC System Solution
Identity and Access Control Management
Access Management Group has been formed
Implementation of:
User Provisioning/De-Provisioning solution
Web SSO
Two-factor Authentication
Network Security
Network Segmentation
Enterprise Encryption to protect data
Database encryption
File share encryption
55. An imperative for 2016 is addressing the expanding credit card payment environment.
RWJBarnabas Health collects credit card payments in a number of areas:
Retail Pharmacy
Co-Pay payments in a number of inpatient and outpatient areas
Parking Garages
Accepting credit cards requires us to implement, comply with and attest to PCI DSS requirements.
PCI DSS is a security standard developed by the PCI Security Standards Council to protect credit card information from theft and misuse.
Failure to comply with PCI DSS can result in:
Bank surcharges
Breaches and fines
Reputational damage to the Barnabas Health brand.
56. In summary, at RWJBH we recognize the challenges and our focus is on addressing the most common security mistakes.
57. Contact Info:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
E: adam.meyer@surfwatchlabs.com
Daniel J. Ferhat
Partner
White and Williams LLP
E: ferhatd@whiteandwilliams.com
Bob Ertl
Sr. Director, Product
Management
Accellion
E: bob.ertl@accellion.com
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
E: LTaveras@barnabashealth.org
58. Q&A:
► You may ask a question at any time throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your question in the box that appears and click send.
► Questions will be answered in the order they are received.
SEGMENT 1:
Daniel J. Ferhat
Partner
White and Williams LLP
SEGMENT 2:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
SEGMENT 3:
Bob Ertl
Sr. Director, Product Management
Accellion
SEGMENT 4:
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
59.
Welcome to the Knowledge Group Unlimited Subscription Programs. We have Two Options Available for You:
FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:
Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts.
Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
50% discount for purchase of all Live webcasts and downloaded recordings.
PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:
Access to all LIVE Webcasts (Normally $199 to $349 for each event without a subscription). Including: Bring-a-Friend – Invite a
client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
Access to all of Recorded/Archived Events & Course Material includes 1,500+ hours of audio material (Normally $299 for each
event without a subscription).
Free Certificate of Attendance Processing (Normally $49 Per Course without a subscription).
Access to over 15,000 pages of course material from Knowledge Group Webcasts.
Ability to invite a guest of your choice to attend any live webcast Free of charge (Exclusive benefit only available for PAID
UNLIMITED subscribers).
6 Month Subscription is $499 with No Additional Fees. Other options are available.
Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up sheet contained in the link below.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
60.
Knowledge Group UNLIMITED PAID Subscription Programs Pricing:
Individual Subscription Fees: (2 Options)
Semi-Annual: $499 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.
Annual: $799 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.
Group plans are available. See the registration form for details.
Best ways to sign up:
1. Fill out the sign up form attached to the post conference survey email.
2. Sign up online by clicking the link contained in the post conference survey email.
3. Click the link below or the one we just posted in the chat window to the right.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Questions: Send an email to: info@theknowledgegroup.org with “Unlimited” in the subject.
61.
ABOUT THE KNOWLEDGE GROUP
The Knowledge Group is an organization that produces live webcasts which examine regulatory
changes and their impacts across a variety of industries. “We bring together the world's leading
authorities and industry participants through informative two-hour webcasts to study the impact of
changing regulations.”
If you would like to be informed of other upcoming events, please click here.
Disclaimer:
The Knowledge Group is producing this event for information purposes only. We do not intend to
provide or offer business advice.
The contents of this event are based upon the opinions of our speakers. The Knowledge Group does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect The Knowledge Group’s views.
In no event shall The Knowledge Group be liable to any person or business entity for any special,
direct, indirect, punitive, incidental or consequential damages as a result of any information gathered
from this webcast.
Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited.
Editor's Notes
Why do healthcare workers care about information security?
Protecting personal information is the right thing to do, and even part of the Hippocratic Oath!
“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
It’s the law - HIPAA, HITECH, Meaningful Use, FISMA, FERPA, State Laws etc.
Healthcare organizations are always under attack, and everyone has a role in preventing those attacks from being successful.
Effective management of information security can help protect an organization's intellectual property, brand, and mission, most importantly patient care and safety.
Secure Access and Sharing of PHI – protect sensitive PHI from improper sharing, leakage and loss, especially given the ongoing data breaches in the healthcare industry
HIPAA, HITECH compliance – meet healthcare specific regulations for storing, accessing and sharing sensitive data
Efficient Care Coordination – enable secure collaboration between physicians to improve care delivery
Improved patient workflows – quick and efficient exchange of patient information between doctors, nurses, labs and outside experts (61% of hospitals still use faxes to collaborate with non-hospital employees)
Shadow IT – unauthorized use of consumer solutions to transfer or share information puts patient data at risk
Access PHI from any device – from the exam room, office or on the go, securely access patient data using mobile devices
HIPAA: Section 164.308 of the Health Insurance Portability and Accountability Act (HIPAA) requires data backup, disaster recovery and emergency-mode operations planning. HIPAA requires healthcare organizations to protect ePHI or face penalties.
Because enforcement has been lax in the past, many healthcare organizations have put only basic protocols into place. However, the Health Information Technology for Economic and Clinical Health (HITECH) act strengthens HIPAA by increasing penalties, oversight and mandatory breach notifications, as well as extending obligations to business associates and their subcontractors.
BYOD: The trend toward more mobility in healthcare requires providers to develop an effective mobile strategy. Patients today expect healthcare at their fingertips.
Organizations often underestimate their risk because they erroneously believe all of their sensitive data is contained within a few secure systems. In reality, this is seldom true.
Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices or use company-issued devices to work from home? What happens when employees take their devices on business trips? How is data transferred between devices or communicated to other stakeholders? And have you thought about what your customers or business partners do with any sensitive files you send them?
Almost inevitably, information is going to end up spread across multiple devices and networks with varying degrees of security and risk.
Sensitive data is more vulnerable today than ever before. Corporate intellectual property, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices.
Data needs to be protected in three states: at rest, in use, and in motion. Each state presents unique security challenges.
Data is at rest when it is stored on a hard drive or in the cloud. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.
Data is at its most vulnerable when it is in motion, and protecting information in this state requires specialized capabilities. The expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email.
Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities.
Doctor - Patient
PHI compliant exchange of info - test results, pictures of wounds, post pregnancy health care instructions, hospital discharge information etc.
Transfer of patient records for second opinion cases
Patient accessing health records or consolidating all healthcare information from different providers
Medical facility to another medical facility or a third party
Providers send patient information such as laboratory orders and results, patient referrals or discharge summaries directly to another health care professional
Send immunization data to public health organizations
Secure information exchange with insurance companies for billing purposes
Requests from providers for information on a patient from other providers (often used for unplanned care, e.g. emergency rooms, unplanned delivery)
Sharing radiology images with external/outsourced vendors
Collaborate on research and development with partners
Medical facility compliance
Monthly device calibration process
Flu vaccination forms for staff/employees