
Health Industry Cybersecurity Best Practices

This presentation was given to our meetup (https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/) on February 26, 2019


  1. Health Industry Cybersecurity Best Practices
       February 26, 2019 | Chicago Technology For Value-Based Healthcare Meetup
  2. Your Presenters
       26 February 2019 | ©Nussbaum-Hindmand | Chicago Technology For Value-Based Healthcare Meetup
       ◆ Rick Hindmand, Esq., Member, McDonald Hopkins. T: 312.642.2203, Rhindmand@mcdonaldhopkins.com
       ◆ Gerard M. Nussbaum, Esq., Principal, Zarach Associates. T: 312.620.9506, Gerard@zarachassociates.com
  3. Topics
       ◆ HICP
       ◆ Breach Costs
       ◆ Cybersecurity Threats
       ◆ Best Practices
       ◆ Medical Devices
       ◆ Implications
       ◆ Next Steps
  4. Disclaimer
       ➣ This presentation and any discussion
           ◆ Are for educational and informational purposes only, and should not be construed as legal advice or as an offer to perform legal services on any subject matter.
           ◆ Contain general information and may not reflect current legal developments or information. The information is not guaranteed to be correct, complete or current. The presenters and sponsors make no warranty, expressed or implied, about the accuracy or reliability of the information provided.
       ➣ Individuals and entities should consult a qualified attorney prior to acting or refraining from action.
       ➣ Nothing herein is intended to create an attorney-client relationship and shall not be construed as legal advice. Viewing this material or participating in this webinar does not create an attorney-client relationship.
       ➣ The information provided is intended to be an overview and relevant details may not be covered.
       ➣ By accessing this information, you acknowledge receipt, understanding, and consent to this disclaimer.
  5. Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)
       ◆ Released December 28, 2018
       ◆ Adopted under Cybersecurity Act of 2015, §405
       "[C]ommon set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes"
       https://www.phe.gov/Preparedness/planning/405d/Pages/default.aspx
  6. Breach Costs
       Prevalence and high cost of health care breaches
       ◆ Average cost: $2.2 million
       ◆ Cost per record: $408
       ◆ 60% of small businesses go out of business within 6 months
       ◆ 80% of physicians affected
       ◆ Health care organizations spend smaller portion of IT budgets on cybersecurity than other industries
  7. Top Five Healthcare Cybersecurity Threats
       1. E-mail phishing attacks
       2. Ransomware attacks
       3. Loss or theft of equipment or data
       4. Insider, accidental or intentional data loss
       5. Attacks against connected medical devices that may affect patient safety
  8. Cybersecurity Ten Best Practices
       1. E-mail protection systems
       2. Endpoint protection systems
       3. Access management
       4. Data protection and loss prevention
       5. Asset management
       6. Network management
       7. Vulnerability management
       8. Incident response
       9. Medical device security
       10. Cybersecurity policies
  9. Medical Devices Are A Significant Security Exposure
       ➣ Cybersecurity has not been a primary design or operating focus
       ➣ Significant attack surface
       ➣ Cybersecurity Act of 2015*
           ◆ Health Care Industry Cybersecurity (HCIC) Task Force
           ◆ HCIC identified medical device security issue
       ➣ Healthcare Sector Coordinating Council
           ◆ Joint Cybersecurity Working Group
           ◆ Public-private partnership
           ◆ Joint Security Plan
       * Division N of the Consolidated Appropriations Act of 2016, Public Law 114-113 18 Dec 15; 129 STAT. 2242
  10. Joint Security Plan Guides Addressing Medical Device Security
       ➣ Shared responsibility between manufacturers and users
       ➣ Lifecycle approach
           ◆ Vendor product security framework
           ◆ Product development best practices – security designed in
           ◆ Product security maturity model
           ◆ Design controls
           ◆ Deployment guidance
           ◆ Risk management
       Source: Medical Device and Health IT Joint Security Plan, January 2019
  11. JSP: Product Security Framework
  12. Implications
       ➣ Cybersecurity awareness
       ➣ Codification of existing requirements and best practices in one place
       ➣ Expectations
       ➣ Standard of care
       ➣ Raising the bar?
       ➣ Basis for contractual risk allocation
  13. Next Steps
       ◆ Starting point
       ◆ Prioritize threats and best practices
       ◆ Compare existing practices with recommended practices
       ◆ Risk analysis (risk assessment)
       ◆ Update policies and procedures
       ◆ Training
       ◆ Vendor/business associate relationships
       ◆ Monitor and update
  14. Discussion
       Answers to questions are for general information purposes and do not constitute specific legal advice.
