Speaker Firms and Organization:
May 03, 2016
Partner Firms:
Accellion
Bob Ertl
Sr. Director, Product Management
White and Williams LLP
Daniel J. Ferhat
Partner
SurfWatch Labs
Adam Meyer
Chief Security Strategist
Barnabas Health
Luis Taveras
SVP and Chief Information Officer
Sponsors:
SurfWatch Labs helps organizations and service providers quickly establish
a strategic cyber threat intelligence operation that drives more effective use
of their tactical defenses.
Founded in 2013 by former US Government intelligence analysts, SurfWatch
Labs solutions provide a 360-degree view of cyber threats in the context of
your business, along with practical and personalized support to create
immediate insights and meaningful action. Combining useful analytics,
applications and human expertise, SurfWatch solutions can be your off-the-
shelf, cyber threat intelligence team or delivered as a comprehensive
product suite that easily integrates with your existing cybersecurity
operations.
SurfWatch Labs: Cyber In Sight. For more information, visit
www.surfwatchlabs.com.
Accellion, Inc. is the leading private cloud solution for secure file sharing and
collaboration, enabling health care organizations to manage protected health
information (PHI), increase productivity and help ensure data security and
HIPAA compliance. Accellion solutions are used by more than 15 million
users and 2,500 of the world’s leading corporations, government agencies
and healthcare organizations including: Indiana University Health, Kaiser
Permanente, Seattle Children’s Hospital and Beth Israel Deaconess Medical
Center. For more information please visit www.accellion.com or call (650)
485-4300. Follow Accellion’s Blog, Twitter, Facebook and LinkedIn.
Partner Firms:
Founded in 1899, White and Williams LLP is a global-reaching, multi-
practice law firm with over 240 lawyers in ten offices. Clients include the
Fortune 500, insurance companies, large corporations, and financial
institutions as well as mid-market and small businesses, institutions of higher
education and individuals. Our lawyers handle a wide array of complex
litigation, regulatory matters and transactions.
Brief Speaker Bios:
Adam Meyer
Adam Meyer leads the threat intelligence analyst team at SurfWatch Labs, and has served in leadership positions in the defense,
technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief
Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation
systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and
Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier
engineering and acquisition commands.
Daniel J. Ferhat
Dan Ferhat is a Partner with White and Williams LLP. He focuses his practice on medical professional liability litigation and general
liability matters. He defends hospitals, physicians, nurses and other health care practitioners against professional liability claims at the
trial court and appellate court levels. Dan has represented clients in jury trials as well as independently taken cases to verdict before
arbitration panels and judges and has been retained to assist physicians in administrative proceedings before peer review
credentialing committees. In addition to his litigation practice, Dan counsels healthcare clients with respect to HIPAA compliance,
cybersecurity and other privacy issues and policies. He can be reached at ferhatd@whiteandwilliams.com.
Luis Taveras
Dr. Luis E. Taveras is Senior Vice President and Chief Information Officer for Barnabas Health. Barnabas Health is New Jersey’s
largest integrated health care delivery system, providing treatment and services to more than two million patients each year. Dr.
Taveras was most recently in the same capacity at Hartford HealthCare, the largest health care network in Connecticut. From 2003-
2009, Dr. Taveras was a Partner with Accenture. Before joining Accenture, Dr. Taveras was the Chief Technology Officer and Senior
Vice President for St. Vincent Catholic Medical Centers of New York. Prior to that, he was a Senior Partner and Vice President
responsible for Computer Sciences Corporation’s East Coast Health Care Practice and a member of KPMG Consulting’s Health Care
Technology Practice. Dr. Taveras also spent nearly two decades in a number of leadership positions with IBM’s Health Care and
Higher Education Practices. Dr. Taveras earned his Ph.D. at the University of Sarasota, his MBA from Rutgers University and a
Bachelor of Science from Wesleyan University.
► For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1355
Bob Ertl
Bob Ertl leads the team that defines Accellion’s next-generation products and features, balancing ease of content sharing and
collaboration with high-end security and compliance. With over 20 years of product management experience, Bob brings a focus on
innovation and end user simplicity. Prior to Accellion, he concentrated on business intelligence at Oracle, Hyperion, Brio and several
start-ups, and worked as a data warehouse consultant. Bob started his career as a hardware designer for high-performance, high-
availability servers.
Massive cyberattacks have expanded their reach beyond financial institutions, retail companies and banks to the premises of the health
care industry. Cybercriminals are targeting medical records, which contain sensitive and valuable information that may be used for
identity theft and fraud. And many health care organizations do not have the necessary visibility and controls in place to ensure the
protection of health care information.
In order to minimize cyber risk and avoid future threats, health care organizations must adopt an intelligence-driven approach that helps
establish and maintain an effective and efficient security program.
In this two-hour LIVE Webcast, a panel of thought leaders and professionals assembled by The Knowledge Group will help the
audience understand the important issues in maintaining effective and efficient cybersecurity management in the health care
industry. The panel will present their thoughts, opinions and expertise on how to manage cybersecurity in the health care industry.
Key topics include:
• Cybersecurity in Health Care - An Overview
• Risk Assessment and Identification
• Fundamentals of Cybersecurity and Privacy
• The Implications for Health Care Providers
• Common Pitfalls and Threats in Health Care Security
• How to Employ an Intelligence-Driven Defense
• Health Care Industry Plan Development
Featured Speakers:
SEGMENT 1:
Daniel J. Ferhat
Partner
White and Williams LLP
SEGMENT 2:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
SEGMENT 3:
Bob Ertl
Sr. Director, Product Management
Accellion
SEGMENT 4:
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
SEGMENT 1:
Daniel J. Ferhat
Partner
White and Williams LLP
The Healthcare Industry Has Become Increasingly Susceptible to Data Breaches
• The healthcare industry accounts for 44% of data
breaches
• EHRs have 50 times the black market value of a credit
card
-2014 Bitglass Report | Healthcare Breach Report
Why Steal EHRs?
Goldmine of Data
• Personally identifiable information
• Credit card information
• Private health information
Once the data is hijacked, cyber criminals will sell it on the Dark Web
Value Of EHRs On The Black Market
• File fraudulent insurance claims
• Obtain & resell prescription medication
• Advance identity theft
• Thieves advertise and sell Medicare ID
numbers online
-FBI Cyber Division, Private Industry Notification, April 2014
There Has Been A Shift Toward Hacking As The Primary Threat To Healthcare Data
2015 Statistics
• 98% of healthcare data breaches were due
to large-scale hacking and IT-related
incidents
• Over 111 million people affected by hacking
or IT-related incidents
-2016 Bitglass Report | Healthcare
Breach Report
2014 Statistics
• 68% of healthcare data breaches since 2010
occurred when devices were lost or stolen
• Less than 2 million people affected by
hacking or IT-related incidents
Financial Harm
• A 2016 study estimates that data breaches
could be costing the healthcare industry $6
billion annually
• Average cost for a data breach for
healthcare organizations is estimated to be
more than $2.1 million
-2015 Fifth Annual Benchmark Study on Privacy
& Security of Healthcare Data | Ponemon
Institute
Wall of Shame
SEGMENT 2:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
You Can’t Defend Your Organization if
You Don’t Know What Threats Are Coming
Nation State:
• Typically leverage cyber capabilities to engage in long-
term campaigns focusing on economic, industrial, and
government espionage
Criminal:
• Cyber crime is a business - with a
very high return taking little effort
• Criminals target businesses that are custodians of a
commodity that can be monetized:
- Identity information (Employee & Consumer)
- Financial Information (Payment, Banking, Gift
Card, Coupons, Entertainment accounts etc.)
You Can’t Defend Your Organization if
You Don’t Know What Threats Are Coming
• Criminals will target any business that provides an
avenue of approach to high value entities
- Defense/Law Enforcement
- Does your organizational business model
provide products or services to the Defense or
Law Enforcement Industry?
- Critical Infrastructure
- Is your organization a part of a critical
infrastructure sector or does it support critical
infrastructure?
- Supply Chain
- Are you a part of the supply chain for an
organization that could potentially be a high
value target?
The Threat Balloon
Cybercriminals
shift their tactics to hit
targets that are:
“Attractive” and “Soft”
This is a blind spot
in your risk program
2015 Cyber Breach Summary
354 - The number of distinct Industry targets that had a negative “event” in 2015
2015 Threat Landscape
How has Cyber Activity Changed for 2016?
131 - Number of distinct Industry targets that had a negative “event” in 2016
Moving from Incident Response to Breach Response
• Treat Incident Response and Breach Response as
separate plans and activities
• Incident response is the internal response to an
event that is intended to limit immediate damage.
(Technical Teams)
• Breach response is the external response to an incident
when a reporting threshold has been reached.
(Leadership Teams, Counsel, PR)
All breaches are incidents but not all incidents are breaches,
and breach response needs to include scenarios for fraud and extortion.
This is a Business Resilience issue!
Where to Go from Here
• Continuing to do more of the same
(reactionary/crisis-mode security) isn’t working
• Are you spending effort and budget in the
right areas?
• How do you stay on top of the latest cyber
issues impacting healthcare organizations?
• Treat this as a business problem and not a
technical problem. The technology is just enabling
your business.
• Use intelligence to reduce uncertainty, make
decisions and take action.
SEGMENT 3:
Bob Ertl
Sr. Director, Product Management
Accellion
Healthcare workers care about information security
- It’s the right thing to do, and part of the Hippocratic Oath!
“I will respect the privacy of my patients, for their problems
are not disclosed to me that the world may know.”
- It’s the law - HIPAA, HITECH, Meaningful Use, State Laws...
- Healthcare organizations are always under attack
- Effective management of information security improves patient care and safety.
- BUT THEY ARE SAVING LIVES, so we can’t let security controls hamper them.
Healthcare Information Challenges
• Access and share PHI securely
• Comply with HIPAA, HITECH
• Coordinate care efficiently
• Modernize patient workflows
• Access PHI from any device
• Head off “Shadow IT”
Roll out security that workers can live with. Or they will work around it.
Underestimating the risks
• Accessing sensitive data on personal devices?
• Are devices protected on trips or on call?
• How is sensitive data transferred and shared?
• What do partners do with the sensitive data you sent them?
Securing Data
Data needs to be protected in three states
AT REST | IN USE | IN MOTION
Securing Data at Rest
Design for the worst
• Protect systems even when they are broken into
• Encryption of all data at rest
• Secure and rotate keys
• Deploy systems to maximize compliance with your policies
• On-premises to maximize control
• Private hosted to avoid cross-talk risks of multi-tenant
• Hybrid – handle a mix of on-prem and cloud data sources
• Protect mobile devices and laptops even when stolen
• Encrypted secure container
• Remote wipe
Securing Data in Motion
Protect information when working with patients and partners, and uncontrolled equipment and
locations
• Encrypt all communications
• Typically SSL, HTTPS
• VPN often too fussy for healthcare workers
• Data Loss Prevention (DLP) software
• Detect and track potential PII and PHI leaks
• File Type Exclusion to keep out malware (e.g., .exe)
• Whitelist/blacklist locations
• Whitelist/blacklist capabilities by device
• Whitelist/blacklist “open-in” to mobile apps
Securing Data In Use
• Control system access
• Authentication, SSO, 2FA
• Control information access by role, “need to know” and “need to keep”
• Granular administration and collaboration controls
• Leak-proof viewers and editors
• Access expiration and digital rights management (DRM, IRM)
• Visibility and incident management
• Monitoring, detection, SIEM
• Comprehensive auditing and reporting
• Archiving for eDiscovery
Use Cases
Doctor – Patient
• PHI compliant exchange of info - test results, pictures of wounds, discharge info
• Transfer of patient records for second opinion cases
• Patient accessing health records or consolidating all healthcare information
Provider – 3rd party
• Providers send patient information to another health care professional
• Send immunization data to public health organizations
• Secure information exchange with insurance companies for billing purposes
Medical Facility Compliance
• Monthly device calibration process
• Flu vaccination forms for staff / employees
Case Study 1
Ranked as a top U.S. Hospital. Renowned for excellence in patient care,
biomedical research, teaching, and community service.
Business Challenges
• Risk of HIPAA violation with users using less secure solutions as “workarounds” due to tight
email policies and practices
• Internal secure file transfer service was not user-friendly and management became too
involved
Solution
• A secure file sharing solution that provides a user-friendly interface design, network virus
protection, and key management capabilities, such as security monitoring and process control
Benefits Realized
• Ability to send and receive large files in real-time
• Security/Privacy with HIPAA compliance
• Granular admin controls of file sharing. Minimized IT support for file sharing
• Ease-of-use for non-technical users, network virus protection, security monitoring and process
control
Case Study 2
Premier provider of healthcare in the U.S. Midwest. In 2014, the network’s
hospitals had around 150,000 admissions and 2.5 million outpatient visits.
Business Challenges
• CD-ROMs were used and shipped overnight via a courier service
• Needed a solution to efficiently and securely deliver large files, since doctors may be on
separate computer networks
Solution
• On-premises file sharing solution was deployed, which provided a way to securely collaborate
and share files to protect patients’ privacy and comply with HIPAA
• Grouping of files into folders to keep related patient files together
• Email plug-ins for Microsoft Outlook and Lotus Notes, and an easy, e-mail-like interface for
clinicians to use without IT support
Benefits Realized
• Shortened the diagnosis process, because hospitals can share large folders of files in real-
time with doctors, who are able to evaluate the data and turn around a transcript within hours
Secure File Sharing Benefits
• Expedite diagnosis and improve workflows by enabling secure collaboration between doctors and
outside partners
• Increasing mobility, while remaining HIPAA compliant, enables physicians to quickly and securely
access patient data
• Secure and effective management of sensitive information can help protect organization’s medical
data, IP, and improve patient care and safety
• Proactive security reduces likelihood of a breach and helps reduce expenses
• Knowing the information is secure enhances patient engagement and improves treatment
SEGMENT 4:
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
Key Questions
• What are the most effective and affordable strategies for protecting the RWJBH
enterprise?
• We have to abide by all regulatory rules and regulations but is that enough in today’s cyber
warfare environment?
• Now that we have built a strong cybersecurity team, what do we need to do to retain them as
engaged critical members of our team?
I. Cybersecurity at RWJBarnabas HEALTH
Information security is now a board room discussion at RWJBH.
• Information Security is now a part of the strategic objectives of the organization.
• Our Board of Directors at the Corporate and local levels along with our investors,
regulatory agencies and insurance companies expect us to build and implement a
comprehensive set of security strategic objectives.
• At RWJBH our plan is to continue to strengthen our security posture to protect our patients
and employees while meeting all regulatory requirements.
Our program is overseen and guided by key members of our leadership team.
Security Oversight Group (SOG)
Meeting Frequency: Monthly; Ad-Hoc meetings as needed
The SOG has helped us to prepare a matured work plan that meets the current
objectives of the organization while continuing to transform our Information
security environment.
Streamlined all security related processes
• Information Risk Management/Business Risk versus Reward Analysis
- To systematize risk/reward decision-making
• Asset Inventory and Valuation
- To prioritize protection strategies and focus on safeguarding the crown jewels
• Third-Party Risk Management/IT Supply Chain Integrity
- To assess the growing number of globally sourced service providers and systems components
• Security Processing Optimization
- To formalize improving the efficiency of security process
• Controls Agility
- To achieve objectives for security controls using new methods in response to trends such as cloud and mobile
computing.
The SOG has helped us to prepare a matured work plan that meets the current
objectives of the organization while continuing to transform our Information
security environment (Continued).
Built intelligence to detect and prevent internal and external threats
• Cyber Risk Intelligence and Threat Analysis
- To understand the adversarial landscape and recognize attack indicators
• Security Data Analytics
- To apply advanced analytics techniques in detecting anomalous system or user
behavior within IT environments
• Security Data Management and Data Warehousing
- To develop an overarching strategy and infrastructure for collecting data from various
inputs to be used for various purposes such as threat detection, controls monitoring,
and compliance reporting.
This plan, called Defense In Depth, requires that we deploy the necessary people, apply the proper processes, and employ the appropriate technologies in a fiscally responsible manner.
• People
  o Build and retain a high performing security team
  o Provide training to stay current with threats and mitigation
  o Implement strategies to keep team members engaged
• Process
  o Build repeatable and measurable processes to attain maturity
  o Use the Cyber Security Framework and Center for Internet Security (CIS) 20 Critical Security Controls to design safeguards
• Technology
  o Implement solutions to build a Defense-in-Depth security model
Our Defense-in-Depth plan has been developed from a business standpoint and addresses all areas that require controls.
Our information security succeeds by providing our entire organization with the ability to identify risks and provide the safeguards necessary to stay ahead of cyber criminals at home and abroad. The following areas present a composite view of the People, Process and Technology paradigm that guides our framework.
• IT Governance Risk and Compliance
• Identity and Access Control Management
• Incident Management (Prevention and Detection)
• Threat Management
• Vulnerability Management
• Data Security
• Network Security
• System Security
• Business Continuity Management
• Information Lifecycle Management (Data Governance)
This plan is based on industry standards as provided by the National Information
Security Task Force Cybersecurity Framework.
We’ve used this framework to make significant progress in protecting our organization in the past two years.
• Network Risk Assessment
  o Corrective Action plan development underway
• Network Security
  o Network Access Control Phase I & II underway, will secure JCMC, SBMC, ACC, CMC, SBH and Data Centers including business office
  o Phase III will secure the remaining sites (NBI, MMC-S, MMC, CMM)
• Database Security
  o Database Activity/Access Monitoring Phase I started to secure 50 Database servers and inspect 200 (BH has over 1000 database servers)
  o Phase II will be to consolidate some of the environment to economies and improve controls/security
• Identity and Access Control Management
  o Privileged Account Security
  o Access Management Group
Recognizing that this is a journey, we plan to undertake several major initiatives to continue our security posture in 2016 and beyond.
• IT Governance Risk and Compliance Solution (GRC)
  o HIPAA Compliance
  o Risk Management
  o Privacy Access Audit
  o Regulatory Compliance Analyst
  o GRC System Solution
• Identity and Access Control Management
  o Access management group has been formed
  o Implementation of
    - User Provision/De-Provisioning solution
    - Web SSO
    - Two-factor Authentication
• Network Security
  o Network Segmentation
  o Enterprise Encryption to protect data
    - Database encryption
    - File share encryption
An imperative for 2016 is addressing the expanding credit card payment environment.
• RWJBarnabas Health collects credit card payments in a number of areas
  o Retail Pharmacy
  o Co-Pay payments in a number of inpatient and outpatient areas
  o Parking Garages
• Accepting credit cards requires us to implement, comply with and attest to PCI DSS requirements
  o PCI DSS is a security standard developed by the PCI Standard Council to protect credit information from theft and misuse.
• Failure to comply with PCI DSS can result in:
  o Bank surcharges
  o Breaches and fines
  o Reputational damage to the Barnabas Health brand.
In summary, at RWJBH we recognize the challenges and our focus is on
addressing the most common security mistakes.
Contact Info:
Adam Meyer
Chief Security Strategist
SurfWatch Labs
E: adam.meyer@surfwatchlabs.com
Daniel J. Ferhat
Partner
White and Williams LLP
E: ferhatd@whiteandwilliams.com
Bob Ertl
Sr. Director, Product Management
Accellion
E: bob.ertl@accellion.com
Luis Taveras
SVP and Chief Information Officer
Barnabas Health
E: LTaveras@barnabashealth.org
ABOUT THE KNOWLEDGE GROUP
The Knowledge Group is an organization that produces live webcasts which examine regulatory
changes and their impacts across a variety of industries. “We bring together the world's leading
authorities and industry participants through informative two-hour webcasts to study the impact of
changing regulations.”
Disclaimer:
The Knowledge Group is producing this event for information purposes only. We do not intend to
provide or offer business advice.
The contents of this event are based upon the opinions of our speakers. The Knowledge Group does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect The Knowledge Group's views.
In no event shall The Knowledge Group be liable to any person or business entity for any special,
direct, indirect, punitive, incidental or consequential damages as a result of any information gathered
from this webcast.
Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited.

 

Managing Cybersecurity in Health Care: Best Practices Every Organization Needs to Know

  • 1. Speaker Firms and Organization: Thank you for logging into today’s event. Please note we are in standby mode. All Microphones will be muted until the event starts. We will be back with speaker instructions @ 09:55am. Any Questions? Please email: info@theknowledegroup.org Group Registration Policy Please note ALL participants must be registered or they will not be able to access the event. If you have more than one person from your company attending, you must fill out the group registration form. We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events. To obtain a group registration please send a note to info@theknowledgegroup.org or call 646.202.9344. Presented By: May 03, 2016 1 Partner Firms: Accellion Bob Ertl Sr. Director, Product Management White and Williams LLP Daniel J. Ferhat Partner SurfWatch Labs Adam Meyer Chief Security Strategist Barnabas Health Luis Taveras SVP and Chief Information Officer
  • 7. Sponsors:
      SurfWatch Labs helps organizations and service providers quickly establish a strategic cyber threat intelligence operation that drives more effective use of their tactical defenses. Founded in 2013 by former US Government intelligence analysts, SurfWatch Labs solutions provide a 360-degree view of cyber threats in the context of your business, along with practical and personalized support to create immediate insights and meaningful action. Combining useful analytics, applications and human expertise, SurfWatch solutions can be your off-the-shelf cyber threat intelligence team or delivered as a comprehensive product suite that easily integrates with your existing cybersecurity operations. SurfWatch Labs: Cyber In Sight. For more information, visit www.surfwatchlabs.com.
      Accellion, Inc. is the leading private cloud solution for secure file sharing and collaboration, enabling health care organizations to manage protected health information (PHI), increase productivity and help ensure data security and HIPAA compliance. Accellion solutions are used by more than 15 million users and 2,500 of the world’s leading corporations, government agencies and healthcare organizations including: Indiana University Health, Kaiser Permanente, Seattle Children’s Hospital and Beth Israel Deaconess Medical Center. For more information please visit www.accellion.com or call (650) 485-4300. Follow Accellion’s Blog, Twitter, Facebook and LinkedIn.
  • 8. Partner Firms:
      Founded in 1899, White and Williams LLP is a global-reaching, multi-practice law firm with over 240 lawyers in ten offices. Clients include the Fortune 500, insurance companies, large corporations, and financial institutions as well as mid-market and small businesses, institutions of higher education and individuals. Our lawyers handle a wide array of complex litigation, regulatory matters and transactions.
  • 9. Brief Speaker Bios:
      • Adam Meyer: Adam Meyer leads the threat intelligence analyst team at SurfWatch Labs, and has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands.
      • Daniel J. Ferhat: Dan Ferhat is a Partner with White and Williams LLP. He focuses his practice on medical professional liability litigation and general liability matters. He defends hospitals, physicians, nurses and other health care practitioners against professional liability claims at the trial court and appellate court levels. Dan has represented clients in jury trials as well as independently taken cases to verdict before arbitration panels and judges and has been retained to assist physicians in administrative proceedings before peer review credentialing committees. In addition to his litigation practice, Dan counsels healthcare clients with respect to HIPAA compliance, cybersecurity and other privacy issues and policies. He can be reached at ferhatd@whiteandwilliams.com.
  • 10. Brief Speaker Bios:
      • Luis Taveras: Dr. Luis E. Taveras is Senior Vice President and Chief Information Officer for Barnabas Health. Barnabas Health is New Jersey’s largest integrated health care delivery system, providing treatment and services to more than two million patients each year. Dr. Taveras was most recently in the same capacity at Hartford HealthCare, the largest health care network in Connecticut. From 2003-2009, Dr. Taveras was a Partner with Accenture. Before joining Accenture, Dr. Taveras was the Chief Technology Officer and Senior Vice President for St. Vincent Catholic Medical Centers of New York. Prior to that, he was a Senior Partner and Vice President responsible for Computer Sciences Corporation’s East Coast Health Care Practice and a member of KPMG Consulting’s Health Care Technology Practice. Dr. Taveras also spent nearly two decades in a number of leadership positions with IBM’s Health Care and Higher Education Practices. Dr. Taveras earned his Ph.D. at the University of Sarasota, his MBA from Rutgers University and a Bachelor of Science from Wesleyan University.
      • Bob Ertl: Bob Ertl leads the team that defines Accellion’s next-generation products and features, balancing ease of content sharing and collaboration with high-end security and compliance. With over 20 years of product management experience, Bob brings a focus on innovation and end user simplicity. Prior to Accellion, he concentrated on business intelligence at Oracle, Hyperion, Brio and several start-ups, and worked as a data warehouse consultant. Bob started his career as a hardware designer for high-performance, high-availability servers.
      For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1355
  • 11. Massive cyberattacks have expanded their reach beyond financial institutions, retail companies and banks to the premises of the health care industry. Cybercriminals are targeting medical records, which contain sensitive and valuable information that may be used for identity theft and fraud. And many health care organizations do not have the necessary visibility and controls in place to ensure the protection of health care information. In order to minimize cyber risk and avoid future threats, health care organizations must adopt an intelligence-driven approach that helps establish and maintain an effective and efficient security program.
      In this two-hour LIVE Webcast, a panel of thought leaders and professionals assembled by The Knowledge Group will help the audience understand all the important issues with regard to maintaining effective and efficient cybersecurity management in the health care industry. The panel will present their thoughts, opinions and expertise on how to manage cybersecurity in the health care industry.
      Key topics include:
      • Cybersecurity in Health Care - An Overview
      • Risk Assessment and Identification
      • Fundamentals of Cybersecurity and Privacy
      • The Implications for Health Care Providers
      • Common Pitfalls and Threats in Health Care Security
      • How to Employ an Intelligence-Driven Defense
      • Health Care Industry Plan Development
  • 12. Featured Speakers:
      • SEGMENT 1: Daniel J. Ferhat, Partner, White and Williams LLP
      • SEGMENT 2: Adam Meyer, Chief Security Strategist, SurfWatch Labs
      • SEGMENT 3: Bob Ertl, Sr. Director, Product Management, Accellion
      • SEGMENT 4: Luis Taveras, SVP and Chief Information Officer, Barnabas Health
  • 13. Introduction (SEGMENT 1: Daniel J. Ferhat, Partner, White and Williams LLP)
      Dan Ferhat is a Partner with White and Williams LLP. He focuses his practice on medical professional liability litigation and general liability matters. He defends hospitals, physicians, nurses and other health care practitioners against professional liability claims at the trial court and appellate court levels. Dan has represented clients in jury trials as well as independently taken cases to verdict before arbitration panels and judges and has been retained to assist physicians in administrative proceedings before peer review credentialing committees. In addition to his litigation practice, Dan counsels healthcare clients with respect to HIPAA compliance, cybersecurity and other privacy issues and policies. He can be reached at ferhatd@whiteandwilliams.com.
  • 14. The Healthcare Industry Has Become Increasingly Susceptible to Data Breaches
      • The healthcare industry accounts for 44% of data breaches
      • EHRs have 50 times the black market value of a credit card
      Source: 2014 Bitglass Report | Healthcare Breach Report
  • 15. Why Steal EHRs? Goldmine of Data
      • Personally identifiable information
      • Credit card information
      • Private health information
      Once the data is hijacked, cyber criminals will sell it on the Dark Web
  • 16. Value Of EHRs On The Black Market
      • File fraudulent insurance claims
      • Obtain & resell prescription medication
      • Advance identity theft
      • Thieves advertise and sell Medicare ID numbers online
      Source: FBI Cyber Division, Private Industry Notification, April 2014
  • 17. There Has Been A Shift Toward Hacking As The Primary Threat To Healthcare Data
      2015 Statistics
      • 98% of healthcare data breaches were due to large-scale hacking and IT-related incidents
      • Over 111 million people affected by hacking or IT-related incidents
      Source: 2016 Bitglass Report | Healthcare Breach Report
      2014 Statistics
      • 68% of healthcare data breaches since 2010 occurred when devices were lost or stolen
      • Less than 2 million people affected by hacking or IT-related incidents
  • 18. Financial Harm
      • A 2016 study estimates that data breaches could be costing the healthcare industry $6 billion annually
      • Average cost for a data breach for healthcare organizations is estimated to be more than $2.1 million
      Source: 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data | Ponemon Institute
  • 19. Wall of Shame
  • 20. Introduction (SEGMENT 2: Adam Meyer, Chief Security Strategist, SurfWatch Labs)
      Adam Meyer leads the threat intelligence analyst team at SurfWatch Labs, and has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands.
  • 21. You Can’t Defend Your Organization if You Don’t Know What Threats Are Coming
      Nation State:
      • Typically leverage cyber capabilities to engage in long-term campaigns focusing on economic, industrial, and government espionage
      Criminal:
      • Cyber crime is a business, with a very high return for little effort
      • Criminals target businesses that are custodians of a commodity that can be monetized:
          - Identity information (Employee & Consumer)
          - Financial information (Payment, Banking, Gift Card, Coupons, Entertainment accounts, etc.)
  • 22. You Can’t Defend Your Organization if You Don’t Know What Threats Are Coming
      • Criminals will target any business that provides an avenue of approach to high value entities
          - Defense/Law Enforcement - Does your organizational business model provide products or services to the Defense or Law Enforcement Industry?
          - Critical Infrastructure - Is your organization a part of a critical infrastructure sector or does it support critical infrastructure?
          - Supply Chain - Are you a part of the supply chain for an organization that could potentially be a high value target?
  • 23. The Threat Balloon
      Cybercriminals shift their tactics to hit targets that are “Attractive” and “Soft”. This is a blind spot in your risk program.
  • 24. 2015 Cyber Breach Summary
      354 - The number of distinct Industry targets that had a negative “event” in 2015
  • 25. 2015 Threat Landscape
  • 26. 2015 Threat Landscape
  • 27. How has Cyber Activity Changed for 2016?
      131 - Number of distinct Industry targets that had a negative “event” in 2016
  • 28. How has Cyber Activity Changed for 2016?
  • 29. Moving from Incident Response to Breach Response
      • Treat Incident Response and Breach Response as separate plans and activities
      • Incident response is the internal response to an event that is intended to limit immediate damage. (Technical Teams)
      • Breach response is the external response to an incident when a reporting threshold has been reached. (Leadership Teams, Counsel, PR)
      All breaches are incidents but not all incidents are breaches, and breach response needs to include scenarios for fraud and extortion. This is a Business Resilience issue!
  • 30. Where to Go from Here
      • Continuing to do more of the same (reactionary/crisis-mode security) isn’t working
      • Are you spending effort and budget in the right areas?
      • How do you stay on top of the latest cyber issues impacting healthcare organizations?
      • Treat this as a business problem and not a technical problem. The technology is just enabling your business.
      • Use intelligence to reduce uncertainty, make decisions and take action.
  • 31. Introduction (SEGMENT 3: Bob Ertl, Sr. Director, Product Management, Accellion)
      Bob Ertl leads the team that defines Accellion’s next-generation products and features, balancing ease of content sharing and collaboration with high-end security and compliance. With over 20 years of product management experience, Bob brings a focus on innovation and end user simplicity. Prior to Accellion, he concentrated on business intelligence at Oracle, Hyperion, Brio and several start-ups, and worked as a data warehouse consultant. Bob started his career as a hardware designer for high-performance, high-availability servers.
  • 32. Healthcare workers care about information security
      • It’s the right thing to do, and part of the Hippocratic Oath! “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
      • It’s the law - HIPAA, HITECH, Meaningful Use, State Laws...
      • Healthcare organizations are always under attack
      • Effective management of information security improves patient care and safety.
      • BUT THEY ARE SAVING LIVES, so we can’t let security controls hamper them.
  • 33. Healthcare Information Challenges
      • Access and Share PHI securely
      • Comply with HIPAA, HITECH
      • Coordinate care efficiently
      • Modernize patient workflows
      • Access PHI from any device
      • Head off “Shadow IT”
      Roll out security that workers can live with. Or they will work around it.
  • 34. Underestimating the risks
      • Accessing sensitive data on personal devices?
      • Are devices protected on trips or on call?
      • How is sensitive data transferred and shared?
      • What do partners do with the sensitive data you sent them?
  • 35. Securing Data
      Data needs to be protected in three states: AT REST, IN USE, IN MOTION
  • 36. Securing Data at Rest
      Design for the worst
      • Protect systems even when they are broken into
          - Encryption of all data at rest
          - Secure and rotate keys
      • Deploy systems to maximize compliance with your policies
          - On-premises to maximize control
          - Private hosted to avoid cross-talk risks of multi-tenant
          - Hybrid – handle a mix of on-prem and cloud data sources
      • Protect mobile devices and laptops even when stolen
          - Encrypted secure container
          - Remote wipe
  • 37. Securing Data in Motion
      Protect information when working with patients and partners, and uncontrolled equipment and locations
      • Encrypt all communications
          - Typically SSL, HTTPS
          - VPN often too fussy for healthcare workers
      • Data Loss Prevention (DLP) software
          - Detect and track potential PII and PHI leaks
          - File Type Exclusion to keep out malware (e.g., .exe)
          - Whitelist/blacklist locations
          - Whitelist/blacklist capabilities by device
          - Whitelist/blacklist “open-in” to mobile apps
  • 38. Securing Data In Use
      • Control system access
          - Authentication, SSO, 2FA
      • Control information access by role, “need to know” and “need to keep”
          - Granular administration and collaboration controls
          - Leak-proof viewers and editors
          - Access expiration and digital rights management (DRM, IRM)
      • Visibility and incident management
          - Monitoring, detection, SIEM
          - Comprehensive auditing and reporting
          - Archiving for eDiscovery
  • 39. Use Cases
      Doctor – Patient
      • PHI compliant exchange of info - test results, pictures of wounds, discharge info
      • Transfer of patient records for second opinion cases
      • Patient accessing health records or consolidating all healthcare information
      Provider – 3rd party
      • Providers send patient information to another health care professional
      • Send immunization data to public health organizations
      • Secure information exchange with insurance companies for billing purposes
      Medical Facility Compliance
      • Monthly device calibration process
      • Flu vaccination forms for staff / employees
  • 40. Case Study 1
      Ranked as a top U.S. Hospital. Renowned for excellence in patient care, biomedical research, teaching, and community service.
      Business Challenges
      • Risk of HIPAA violation with users using less secure solutions as “workarounds” due to tight email policies and practices
      • Internal secure file transfer service was not user-friendly and management became too involved
      Solution
      • A secure file sharing solution that provides a user-friendly interface design, network virus protection, and key management capabilities, such as security monitoring and process control
      Benefits Realized
      • Ability to send and receive large files in real-time
      • Security/Privacy with HIPAA compliance
      • Granular admin controls of file sharing. Minimized IT support for file sharing
      • Ease-of-use for non-technical users, network virus protection, security monitoring and process control
  • 41. Case Study 2
      Premier provider of healthcare in the U.S. Midwest. In 2014, the network’s hospitals had around 150,000 admissions and 2.5 million outpatient visits.
      Business Challenges
      • CD-ROMs were used and shipped overnight via a courier service
      • Needed a solution to efficiently and securely deliver large files, since doctors may be on separate computer networks
      Solution
      • On-premises file sharing solution was deployed, which provided a way to securely collaborate and share files to protect patients’ privacy and comply with HIPAA
      • Grouping of files into folders to keep related patient files together
      • Email plug-ins for Microsoft Outlook and Lotus Notes, and an easy, e-mail-like interface for clinicians to use without IT support
      Benefits Realized
      • Shortened the diagnosis process, because hospitals can share large folders of files in real-time with doctors, who are able to evaluate the data and turn around a transcript within hours
  • 42. Secure File Sharing Benefits
      • Expedite diagnosis and improve workflows by enabling secure collaboration between doctors and outside partners
      • Increasing mobility, while remaining HIPAA compliant, enables physicians to quickly and securely access patient data
      • Secure and effective management of sensitive information can help protect organization’s medical data, IP, and improve patient care and safety
      • Proactive security reduces likelihood of a breach and helps reduce expenses
      • Knowing the information is secure enhances patient engagement and improves treatment
  • 43. Introduction Dr. Luis E. Taveras is Senior Vice President and Chief Information Officer for Barnabas Health. Barnabas Health is New Jersey’s largest integrated health care delivery system, providing treatment and services to more than two million patients each year. Dr. Taveras was most recently in the same capacity at Hartford HealthCare, the largest health care network in Connecticut. From 2003-2009, Dr. Taveras was a Partner with Accenture. Before joining Accenture, Dr. Taveras was the Chief Technology Officer and Senior Vice President for St. Vincent Catholic Medical Centers of New York, Prior to that, he was a Senior Partner and Vice President responsible for Computer Sciences Corporation’s East Coast Health Care Practice and a member of KPMG Consulting’s Health Care Technology Practice. Dr. Taveras also spent nearly two decades in a number of leadership positions with IBM’s Health Care and Higher Education Practices. Dr. Taveras earned his Ph.D. at the University of Sarasota, his MBA from Rutgers University and a Bachelor of Science from Wesleyan University. May 03, 2016 43 SEGMENT 4: Luis Taveras SVP and Chief Information Officer Barnabas Health
  • 44. Key Questions  What are the most effective and affordable strategies for protecting the RWJBH enterprise?  We have to abide by all regulatory rules and regulations but is that enough in today’s cyber warfareenvironment?  Now that we have built a strong cybersecurity team, what do we need to do to retain them as engaged critical members of our team? May 03, 2016 44 SEGMENT 4: Luis Taveras SVP and Chief Information Officer Barnabas Health
  • 45. I. Cybersecurity at RWJBarnabas HEALTH May 03, 2016 45 SEGMENT 4: Luis Taveras SVP and Chief Information Officer Barnabas Health
  • 46. Information security is now a board room discussion at RWJBH.
      • Information Security is now a part of the strategic objectives of the organization.
      • Our Board of Directors at the Corporate and local levels, along with our investors, regulatory agencies and insurance companies, expect us to build and implement a comprehensive set of security strategic objectives.
      • At RWJBH our plan is to continue to strengthen our security posture to protect our patients and employees while meeting all regulatory requirements.
  • 47. Our program is overseen and guided by key members of our leadership team.
      • Security Oversight Group (SOG)
      • Meeting Frequency: Monthly; ad-hoc meetings as needed
  • 48. The SOG has helped us to prepare a matured work plan that meets the current objectives of the organization while continuing to transform our information security environment.
    Streamlined all security-related processes:
      • Information Risk Management/Business Risk versus Reward Analysis
          • To systematize risk/reward decision-making
      • Asset Inventory and Valuation
          • To prioritize protection strategies and focus on safeguarding the crown jewels
      • Third-Party Risk Management/IT Supply Chain Integrity
          • To assess the growing number of globally sourced service providers and systems components
      • Security Processing Optimization
          • To formalize improving the efficiency of security processes
      • Controls Agility
          • To achieve objectives for security controls using new methods in response to trends such as cloud and mobile computing
  • 49. The SOG has helped us to prepare a matured work plan that meets the current objectives of the organization while continuing to transform our information security environment (continued).
    Built intelligence to detect and prevent internal and external threats:
      • Cyber Risk Intelligence and Threat Analysis
          • To understand the adversarial landscape and recognize attack indicators
      • Security Data Analytics
          • To apply advanced analytics techniques in detecting anomalous system or user behavior within IT environments
      • Security Data Management and Data Warehousing
          • To develop an overarching strategy and infrastructure for collecting data from various inputs to be used for various purposes such as threat detection, controls monitoring, and compliance reporting
  • 50. This plan, called Defense in Depth, requires that we deploy the necessary people, apply the proper processes, and employ the appropriate technologies in a fiscally responsible manner.
      • People
          • Build and retain a high performing security team
          • Provide training to stay current with threats and mitigation
          • Implement strategies to keep team members engaged
      • Process
          • Build repeatable and measurable processes to attain maturity
          • Use the Cyber Security Framework and Center for Internet Security (CIS) 20 Critical Security Controls to design safeguards
      • Technology
          • Implement solutions to build a Defense-in-Depth security model
  • 51. Our Defense-in-Depth plan has been developed from a business standpoint and addresses all areas that require controls.
    Our information security succeeds by providing our entire organization with the ability to identify risks and provide the safeguards necessary to stay ahead of cyber criminals at home and abroad. The following areas present a composite view of the People, Process and Technology paradigm that guides our framework.
      • IT Governance Risk and Compliance
      • Identity and Access Control Management
      • Incident Management (Prevention and Detection)
      • Threat Management
      • Vulnerability Management
      • Data Security
      • Network Security
      • System Security
      • Business Continuity Management
      • Information Lifecycle Management (Data Governance)
  • 52. This plan is based on industry standards as provided by the National Information Security Task Force Cybersecurity Framework.
  • 53. We’ve used this framework to make significant progress in protecting our organization in the past two years.
      • Network Risk Assessment
          • Corrective Action plan development underway
      • Network Security
          • Network Access Control Phase I & II underway, will secure JCMC, SBMC, ACC, CMC, SBH and Data Centers including business office
          • Phase III will secure the remaining sites (NBI, MMC-S, MMC, CMM)
      • Database Security
          • Database Activity/Access Monitoring Phase I started to secure 50 database servers and inspect 200 (BH has over 1000 database servers)
          • Phase II will be to consolidate some of the environment to economies and improve controls/security
      • Identity and Access Control Management
          • Privileged Account Security
          • Access Management Group
  • 54. Recognizing that this is a journey, we plan to undertake several major initiatives to continue our security posture in 2016 and beyond.
      • IT Governance Risk and Compliance Solution (GRC)
          • HIPAA Compliance
          • Risk Management
          • Privacy Access Audit
          • Regulatory Compliance Analyst
          • GRC System Solution
      • Identity and Access Control Management
          • Access management group has been formed
          • Implementation of
              • User Provision/De-Provisioning solution
              • Web SSO
              • Two-factor Authentication
      • Network Security
          • Network Segmentation
          • Enterprise Encryption to protect data
              • Database encryption
              • File share encryption
  • 55. An imperative for 2016 is addressing the expanding credit card payment environment.
      • RWJBarnabas Health collects credit card payments in a number of areas
          • Retail Pharmacy
          • Co-Pay payments in a number of inpatient and outpatient areas
          • Parking Garages
      • Accepting credit cards requires us to implement, comply with and attest to PCI DSS requirements
      • PCI DSS is a security standard developed by PCI Standard Council to protect credit information from theft and misuse.
      • Failure to comply with PCI DSS can result in:
          • Bank surcharges
          • Breaches and fines
          • Reputational damage to the Barnabas Health brand
  • 56. In summary, at RWJBH we recognize the challenges and our focus is on addressing the most common security mistakes.
  • 57. Contact Info:
      • Adam Meyer, Chief Security Strategist, SurfWatch Labs. E: adam.meyer@surfwatchlabs.com
      • Daniel J. Ferhat, Partner, White and Williams LLP. E: ferhatd@whiteandwilliams.com
      • Bob Ertl, Sr. Director, Product Management, Accellion. E: bob.ertl@accellion.com
      • Luis Taveras, SVP and Chief Information Officer, Barnabas Health. E: LTaveras@barnabashealth.org
  • 61. ABOUT THE KNOWLEDGE GROUP
    The Knowledge Group is an organization that produces live webcasts which examine regulatory changes and their impacts across a variety of industries. “We bring together the world's leading authorities and industry participants through informative two-hour webcasts to study the impact of changing regulations.”
    Disclaimer: The Knowledge Group is producing this event for information purposes only. We do not intend to provide or offer business advice. The contents of this event are based upon the opinions of our speakers. The Knowledge Group does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect The Knowledge Group’s views. In no event shall The Knowledge Group be liable to any person or business entity for any special, direct, indirect, punitive, incidental or consequential damages as a result of any information gathered from this webcast. Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited.

Editor's Notes

  1. Why do healthcare workers care about information security?
     • Protecting personal information is the right thing to do, and even part of the Hippocratic Oath: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
     • It’s the law: HIPAA, HITECH, Meaningful Use, FISMA, FERPA, state laws, etc.
     • Healthcare organizations are always under attack, and everyone has a role in preventing those attacks from being successful.
     • Effective management of information security can help protect an organization's intellectual property, brand, and mission, most importantly patient care and safety.
  2. Drivers for secure file sharing in healthcare:
     • Secure Access and Sharing of PHI – protect sensitive PHI from inadequate sharing, leakage and loss, especially with ongoing data breaches in the healthcare industry
     • HIPAA, HITECH compliance – meet healthcare-specific regulations for storing, accessing and sharing sensitive data
     • Efficient Care Coordination – enable secure collaboration between physicians to improve care delivery
     • Improved patient workflows – quick and efficient exchange of patient information between doctors, nurses, labs and outside experts (61% of hospitals still use faxes to collaborate with non-hospital employees)
     • Shadow IT – unauthorized use of consumer solutions to transfer or share information puts patient data at risk
     • Access PHI from any device – from the exam room, office or on the go, securely access patient data using mobile devices
     HIPAA: Section 164.308 of the Health Insurance Portability and Accountability Act (HIPAA) requires data backup, disaster recovery and emergency-mode operations planning. HIPAA requires healthcare organizations to protect ePHI or face penalties. Because enforcement has been lax in the past, many healthcare organizations have put only basic protocols into place. However, the Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens HIPAA by increasing penalties, oversight and mandatory breach notifications, as well as extending obligations to business associates and their subcontractors.
     BYOD: The trend toward more mobility in healthcare requires providers to develop an effective mobile strategy. Patients today expect healthcare at their fingertips.
  3. Organizations often underestimate their risk because they erroneously believe all of their sensitive data is contained within a few secure systems. In reality, this is seldom true. Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices or use company-issued devices to work from home? What happens when employees take their devices on business trips? How is data transferred between devices or communicated to other stakeholders? And have you thought about what your customers or business partners do with any sensitive files you send them? Almost inevitably, information is going to end up spread across multiple devices and networks with varying degrees of security and risk. 
  4. Sensitive data is more vulnerable today than ever before. Corporate intellectual property, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices. Data needs to be protected in three states: at rest, in use, and in motion. Each state presents unique security challenges.
  5. Data is at rest when it is stored on a hard drive or in the cloud. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.
  6. Data is at its most vulnerable when it is in motion, and protecting information in this state requires specialized capabilities. The expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email.
  7. Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities.
  8. Use cases:
     • Doctor - Patient
         • PHI-compliant exchange of info: test results, pictures of wounds, post-pregnancy health care instructions, hospital discharge information, etc.
         • Transfer of patient records for second opinion cases
         • Patient accessing health records or consolidating all healthcare information from different providers
     • Medical facility to another medical facility or a third party
         • Providers send patient information such as laboratory orders and results, patient referrals or discharge summaries directly to another health care professional
         • Send immunization data to public health organizations
         • Secure information exchange with insurance companies for billing purposes
         • Request form providers for information on patient from other providers (often used for unplanned care, e.g. emergency rooms, unplanned delivery)
         • Sharing radiology images with external/outsourced vendors
         • Collaborate on research and development with partners
     • Medical facility compliance
         • Monthly device calibration process
         • Flu vaccination forms for staff/employees