This document discusses information security for informatics professionals. It begins with an introduction of the speaker, Amy Walker, which details her experience in healthcare, informatics, and security. The presentation will cover IT security pillars, constructing policies and procedures, security standards and risk assessment strategies, system architecture and design, and an overview of security issues and solutions. Examples of data breaches and related fines are provided to illustrate security risks faced by healthcare organizations. Frameworks and best practices for security are also outlined to help attendees strengthen their organization's security posture.
DR. STEVEN GORIAH,
Vice President of Information Technology & CISO
Westchester Medical Center Health Network
The U.S. healthcare system is seeing a staggering number of security breaches each year. In this session, you'll learn about the role of a cybersecurity framework, best practices in choosing a framework, and which framework best fits your organization and why. Dr. Goriah will also speak on implementation, roles and responsibilities, and why it's essential to create a culture of privacy and security.
Nearly one in five healthcare CIOs have had a security breach within the past 12 months. Learn how TCS can help you keep sensitive patient data secure and protected.
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL (IJNSA Journal)
Most small to medium health care organizations do not have the capability to address cyber incidents within the organization. Those that do are poorly trained and ill equipped. These health care organizations are subject to various laws that address privacy concerns, proper handling of financial information, and Personally Identifiable Information. Currently, IT staff handle responses to these incidents in an ad hoc manner. A properly trained, staffed, and equipped Cyber Incident Response Team (CIRT) is needed to respond quickly to these incidents, minimize data loss, and provide forensic data for the purposes of notification, disciplinary action, legal action, and removal of the risk vector. This paper uses the proven Incident Command System model used in emergency services to show that an agency of any size can have an adequate CIRT.
Haystax carbon for Insider Threat Management & Continuous Evaluation (Haystax Technology)
Haystax Technology, Inc. provides next-generation intelligence and analytics solutions that deliver up-to-the-minute situational awareness and actionable intelligence for the public and commercial sectors. Haystax uses a combination of software and human analysis to turn large, disparate and unstructured data volumes into comprehensive and actionable information. In essence, these technologies allow users to find "the needle in the haystack" quickly and reliably.
What Is Security Risk Analysis? By: MedSafe (MedSafe)
What exactly is a Security Risk Analysis? Most practices ask, we deliver. This presentation covers all you should be concerned with. Go to www.MedSafe.com for more information!
Whitepaper | Cyber resilience in the age of digital transformation (Nexon Asia Pacific)
We are living in an always-on world using different communications devices, systems and networks. As privacy and protecting one’s identity is becoming increasingly important, the task of protecting these devices, systems and networks from cyber attack is no longer an option, it is a necessity.
Applying advanced analytic techniques to enable rapid real-time enterprise threat intelligence and awareness. This presentation looks at how data + algorithms can help enterprises improve their overall threat posture.
No business wants to face a data breach, but you should be prepared should it happen. Here are 5 steps to protect your organization after a data breach.
HIPAA Security Risk Analysis for Business Associates (Redspin, Inc.)
An 8-slide primer on why Business Associates should conduct a HIPAA Security Risk Analysis to meet their new compliance and risk management needs. Includes updates from the HITECH Act and the HIPAA Omnibus Rule.
Improving Collaboration Through Identity Management (Gov BizCouncil)
Driven by recent events and several White House and Congressional directives, federal agencies are focused on identity management like never before. With all this pressure, agency leaders face a difficult task: ensuring secure access to agency resources by the right people, at the right time, and for the right reasons, without restricting the organization's operational effectiveness.
The 10 Most Trusted Healthcare IT Security Solution Providers 2018 (insightscare)
With this impending risk in mind, and to assist healthcare organizations in preventing data security breaches, we bring you "The 10 Most Trusted Healthcare IT Security Solution Providers" issue. In this issue, we present some of the prominent companies and healthcare solution providers who have successfully helped the industry protect patients' information and other critical healthcare data against ever-rising cyber-attacks.
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? (IJNSA Journal)
Healthcare Information Technology (IT) has made great advances over the past few years, and while these advances have enabled healthcare professionals to provide higher quality healthcare to a larger number of individuals, they also give the criminal element more opportunities to access sensitive information, such as patient protected health information (PHI) and personally identifiable information (PII). Having an Information Assurance (IA) program that allows for the protection of information and information systems and ensures the organization is in compliance with all required regulations, laws and directives is essential. While most organizations have such a policy in place, it is often inadequate to ensure the proper protection needed to prevent security breaches. The increase in data breaches in the last few years demonstrates the importance of an effective IA program. To ensure an effective IA policy, the policy must manage operational risk, including identifying risks, assessing and mitigating identified risks, and ongoing monitoring to ensure compliance.
Where in the world is your PII and other sensitive data? by @druva inc (Druva)
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard, is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment and operations in healthcare, and anyone with access to patient information and provides support in treatment, payment or operations.
Identity Theft Response (LizbethQuinonez813)
Identity Theft Response
You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects.
The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data."
The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.”
“Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts. Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft.
As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.
Competencies
Your work will be evaluated using the competencies listed below.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project will require an enterprise cybersecurity incident response plan with ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ... (FireEye, Inc.)
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
The General Data Protection Regulation (GDPR) becomes enforceable at the end of May 2018. Designed to strengthen and unify data protection for individuals within the European Union (EU), it comes with a strict set of compliance protocols. And, because GDPR also applies to the export of personal data outside the EU, it is applicable to any entity that uses or exchanges this data. As Vice President and Senior Legal Counsel for a leading international bank, Paul knows firsthand the importance of protecting and securing customer data and intelligence. Join Paul to learn about the responsibilities and accountabilities that your organization will need to address.
Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.
This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.
The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.
Learn more at http://petrieflom.law.harvard.edu/events/details/2016-annual-conference.
PYA Principal Barry Mathis presented “Hot Topics in Privacy and Security,” at the Florida Hospital Association's 14th Annual Health Care Corporate Compliance Education Retreat.
The presentation explored:
• Changes in the privacy and security ecosystem.
• Emerging technology risks and hot topics.
• What happens to hacked data.
• How to best protect data.
Information+security rutgers(final)
1. INFORMATION SECURITY FOR INFORMATICS PROFESSIONALS
Amy M. Walker, MS, RN, CPHQ, FACHE, NEA-BC
CEO OptimizeIT Consulting LLC
Healthcare IT Strategist
A Proud EDWOSB, Cage Code 6 TH50
2. Amy Walker MS, RN, CPHQ, FACHE, NEA-BC
Healthcare System
Critical Care RN, Certified and Nurse Manager
Director of Informatics, CIO Boot Camp-CHIME
Chief Clinical Information Officer (CCIO)
Technology Provider-Large Scale
Development
Implementation
Strategic Account Management
Consulting
DoD Health Affairs
HIPAA, Healthcare Compliance, Security, and Data Exchange
Interim CIO
Entrepreneur
Fellow in the American College of Healthcare Executives
Certified as a Healthcare Quality Professional
Certified as an Advanced Nurse Executive
2010 President of the National Capital of Healthcare Executives
Nominated Member of the Women's Business Leaders of the U.S. Healthcare Industry Foundation
3. We Will Discuss Today
IT Security Pillars
How to Appropriately Construct Policies and Procedures
Develop, Implement, Enforce
Security Standards and Risk Assessment: Effective Strategies
System Architecture and Design
An Overview of Security Issues and Solutions
4. SWOT-Analysis
Strengths
• Identified Security Officer
• Tight Integration Between Roles
Weaknesses
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Opportunities
• Are Great
Threats
• Are Great
5.
Obama meets with CEOs to push cyber-security legislation
The meeting, in hopes of getting the stalled legislation passed, comes a day after intelligence officials warn of the threat to national security.
March 13, 2013 | By Ken Dilanian and Jessica Guynn, Los Angeles Times
"What is absolutely true is that we have seen a steady ramping up of cyber-security threats," President Obama said on ABC's "Good Morning America." "Some are state-sponsored. Some are just sponsored by criminals."
(Evan Vucci / Associated Press)
6. Security Problems Hit Close To Home
Dear user:
As a follow up to our last email communication about the identified security vulnerability in the XYZ system, the U.S.
General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that
use their social security numbers for purposes of doing business with the federal government.
Your entity’s data has been identified to be at greater risk for potential identity theft because you used your social
security number as your Tax Identification Number to do business with the federal government.
This vulnerability enabled government entity administrators and delegated entity registration representatives to
potentially gain access to information of any entity’s registration -- enabling visibility of entity management data at all
sensitivity levels.
As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher
risk, like you, access to credit monitoring services and will follow up with information about these services.
If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you
would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8
p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify
your financial institution immediately if you see any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully
informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we
will work to ensure the system remains secure.
Sincerely,
9. Internet Security Alliance
Larry Clinton, the longtime head of the Internet Security Alliance, delivered the keynote at the March PHI Protection Forum. Mr. Clinton focused on PHI security and privacy and cited an important study of the state of health care information security: PwC’s 2013 State of Info Security Survey data regarding health care organizations.
10. PwC’s 2013 State of Info Security Survey
Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound, and many consider themselves to be leaders in the field.
(And yet, only) 42% have a strategy & (are) proactive in executing it
Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
60% do NOT have a policy for third parties to comply with privacy policies
73% use malicious code detection tools; DOWN 16%
48% use tools to find unauthorized devices; DOWN 14%
51% use intrusion detection tools; DOWN 19%
PwC’s 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
11. 48% use vulnerability scanning tools; DOWN 15%
31% DON’T KNOW when info sec is part of major projects; ONLY 18% involve it at project inception
90% of HC respondents say protecting employee & customer data is important, yet few know where the data is stored (43% have an accurate inventory of data)
Adopting new technology (is outpacing) security; new technology referring to cloud 28%, mobile 46%, social media 45%, personal devices 51%
PwC’s 2013 State of Info Security Survey
12. The Reasons? As Noted by Larry
Lack of funding: 53%
20%: top leadership “is an impediment to improved security.”
Only 43% report security breaches
Diminished budgets have resulted in degraded security programs, incidents are on the rise, and new technologies are being adopted faster than safeguards
There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud)
HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis to appraise those losses, e.g. only 33% consider damage to brand as a financial loss
13. June 26, 2012 Alaska Department of
Health and Social Services
A USB hard drive possibly containing ePHI was stolen from
the vehicle of a DHHS employee.
DHHS did not have adequate safeguard policies and
procedures in place.
DHHS had not completed a risk analysis, implemented
sufficient risk management measures, completed security
training for its workforce, implemented device and media
controls, or addressed device and media encryption.
Pay a $1.7 million fine and take corrective action to ensure compliance with the Security Rule
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
14. April 17, 2012 Phoenix Cardiac Surgery
Staff were posting clinical and surgical appointments for patients on an
Internet-based calendar that was publicly accessible.
PC failed to implement adequate policies and procedures to
safeguard patient information
PC failed to document that it trained any employees on policies and
procedures.
PC failed to identify a security official and conduct a risk analysis.
PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Pay a $100,000 fine and develop a corrective action plan to ensure compliance with the Security Rule
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
15. March 13, 2012
Blue Cross Blue Shield of Tennessee
Fifty-seven unencrypted computer hard drives were stolen
from a leased facility. The drives contained the ePHI of
more than 1 million individuals, including member names,
Social Security numbers, diagnosis codes, dates of birth,
and health plan identification numbers.
BCBST failed to implement appropriate administrative
safeguards by not performing the required security
evaluation.
BCBST failed to implement appropriate physical
safeguards.
Pay a $1.5 million fine and implement a corrective action plan to address gaps in its HIPAA compliance program
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
18. 10 Domains of Information Security
• Access Control
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigation, and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Software Development Security
• Telecommunications and Network Security
International Information Systems Security Certification Consortium, https://www.isc2.org/
19. Basic Requirements
Security
Reliability
Transparency
Scalability
Maintainability
Auditability
Integrity
Authenticity
International Information Systems Security Certification Consortium, https://www.isc2.org/
20. Operations Security (OPSEC)
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
25. Policies and Procedures
Acceptable Use
Access Control
Accreditation
Acquisition
Business Continuity
Certification
Change Control Management
Code of Ethics
Confidentiality
Data Classification
Internet Use
27. System Architecture Components
Hardware
Firmware
Central Processing Units
Input/Output Devices
Software
Architectural Structures
Storage and Memory
Analyze the security risks, limitations, and positive attributes of each.
28. Open Source
A study by the MITRE Corporation, sponsored by the Defense Information Systems Agency, found extensive and diverse use of open source software at the DoD, with over 100 open source products being used in more than 250 applications.
Security applications were most noted as a reason open source use should be expanded.
Widely used open source security tools included SNORT, a lightweight intrusion detection tool used for plugging “network security holes when new attacks emerge”, and SARA, the Security Auditor’s Research Assistant, used for relatively straightforward network security risk analyses. The MITRE report lists more than 100 open source products that have demonstrated superior records of security and reliability.
29. The Abdus Salam International Centre for Theoretical Physics
31. Risk Management Purpose
The purpose of an organization’s risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets.
Risk is a function of the likelihood of a given threat source’s exercising a particular vulnerability and the resulting impact of that adverse event.
NIST SP 800-30, www.csrc.nist.gov
32. Risk Analysis
Conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic
protected health information held by the
organization.
33. Details of a System Security Risk Assessment
Qualitative
• Scenario oriented
• No $$ values
• Ranking of threats
• Perform to the goal of reasonableness
Quantitative
• Assign $$ values
• Resource intensive
• More difficult to determine
Hybrid
International Information Systems Security Certification Consortium, https://www.isc2.org/
34. Risk Assessment SP 800-30
Step 1 Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation
Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has
been completed.
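Steps 5 through 7 of the SP 800-30 process (likelihood determination, impact analysis and risk determination) carried through for the qualitative ranking described on slide 33, as an added Python example written for this page; it is not code from the slides or from NIST. The likelihood weights (High/Medium/Low = 1.0/0.5/0.1), impact scores (100/50/10) and the three risk bands follow the risk-level matrix in SP 800-30; the threat/vulnerability pairs and their ratings are constructed for illustration and only loosely mirror the breach cases on the earlier slides.

```python
"""SP 800-30 style qualitative risk determination (Steps 5-7).

Added example, not from the slides. Likelihood weights, impact scores and
the risk bands follow the SP 800-30 risk-level matrix; the sample items
and their ratings are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Step 5: likelihood that a threat source exercises the vulnerability.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Step 6: magnitude of impact on confidentiality, integrity or availability.
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class RiskItem:
    threat_source: str      # Step 2 output
    vulnerability: str      # Step 3 output
    likelihood: str         # "High" | "Medium" | "Low"
    impact: str             # "High" | "Medium" | "Low"


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact score (SP 800-30 matrix)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_SCORE[impact]


def risk_level(score: float) -> str:
    """Map the numeric score to the three SP 800-30 risk levels."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_risks(items: List[RiskItem]) -> List[Tuple[RiskItem, float, str]]:
    """Order items from highest to lowest risk, with score and level."""
    scored = [(item, risk_score(item.likelihood, item.impact)) for item in items]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(item, score, risk_level(score)) for item, score in scored]


# Constructed sample register; ratings are illustrative, not a real assessment.
SAMPLE_REGISTER = [
    RiskItem("Thief (vehicle break-in)", "Unencrypted portable drive holding ePHI",
             likelihood="Medium", impact="High"),
    RiskItem("Any Internet user", "Appointment calendar shared without access control",
             likelihood="High", impact="High"),
    RiskItem("Unescorted visitor", "Equipment room door left unlocked",
             likelihood="Low", impact="Medium"),
]


def sample_ranking() -> List[Tuple[str, float, str]]:
    """Rank the constructed register; returns (vulnerability, score, level)."""
    return [(item.vulnerability, score, level)
            for item, score, level in rank_risks(SAMPLE_REGISTER)]


if __name__ == "__main__":
    for vuln, score, level in sample_ranking():
        print(f"{level:6} {score:6.1f}  {vuln}")
```

The ranking, not the absolute number, is what matters in a qualitative assessment: it tells the security official which items need a control recommendation (Step 8) first, and the scored register doubles as the results documentation of Step 9.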
35. CMS Security Risk Analysis Process
Review existing security of protected health information
Identify threats and vulnerabilities
Assess risks for likelihood and impact
Mitigate security risks
Monitor results
CMS, Information Security Overview
37. 10 Best Practices for the
Small Health Care Environment
Use Strong Passwords and Change Them Regularly
Passwords and Strong Authentication
Install and Maintain Anti-Virus Software
Use a Firewall
Control Access to Protected Health Information
Limit Network Access
Plan for the Unexpected
Maintain Good Computer Habits
Software Maintenance
Protect Mobile Devices
Establish a Security Culture
CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
39. Overview of Healthcare IT
Security Issues and Solutions
Lack of Effective Ecosystem Governance
Lack of Budget
Lack of Appropriate Risk Assessment with CAP
MU
Core Objective and Measure 12
Core Objective and Measure 15
HIPAA Privacy and Security Federal Regulations
40. Overview of Healthcare IT
Security Issues and Solutions
Attacks
Vulnerabilities
Complex Systems Change Control
Doing More with Less
Mobile and Wireless Technologies
Outsourcing
41. HITRUST ™
The Health Information Trust Alliance (HITRUST) was born out of the belief
that information security should be a core pillar of, rather than an obstacle to,
the broad adoption of health information systems and exchanges.
HITRUST, in collaboration with healthcare, business, technology and
information security leaders, has established the Common Security
Framework (CSF), a certifiable framework that can be used by any and all
organizations that create, access, store or exchange personal health and
financial information.
The CSF is an information security framework that harmonizes the
requirements of existing standards and regulations, including federal
(HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As
a framework, the CSF provides organizations with the needed structure,
detail and clarity relating to information security tailored to the healthcare
industry. The CSF is available through HITRUST Central.
42. Retain absolute faith that you can and will
prevail in the end, regardless of the
difficulties, and at the same time confront
the most brutal facts of your current reality,
whatever they might be.
(Jim Collins Good to Great)
43. Thought Questions
1. In your own experience, what are your
recommendations on the highest IT security
priorities?
2. Are there resources related to IT security that you
suggest must be given greater visibility?
3. What does your organization’s SWOT analysis tell you?
44. References
CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
HITRUST, http://hitrustalliance.net/
International Information Systems Security Certification Consortium, https://www.isc2.org/
National Institute of Standards and Technology, http://csrc.nist.gov/publications/PubsSPs.html
Office of the National Coordinator, http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
45. References
PHI Protection Network, LinkedIn Group
PwC’s 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
The Betterley Report, http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708
The Operations Security Professional’s Association, http://www.opsecprofessionals.org/
46. SWOT-Analysis
Strengths
• Identified Security Officer
• Tight Integration Between Roles
Weaknesses
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Opportunities
Threats
47. Thank You!
Contact us at:
4031 University Drive, Suite 100
Fairfax, Virginia 22030 P: 703-283-4678
E: awalker@optimizeitconsulting
www.optimizeitconsulting.com
OptimizeIT Consulting LLC is a proud
EDWOSB
Cage Code 6TH50
Editor's Notes
No deep dive.
Social engineering: often used in conjunction with blind and double-blind testing, social engineering is gaining critical or sensitive information through social interaction, typically with the organization’s employees, suppliers, and contractors. Techniques may include posing as a representative of the IT department’s help desk to obtain users’ account and password information, posing as an employee to gain physical access to restricted areas, intercepting mail, or even dumpster diving to search for sensitive materials. It tests whether the organization’s people contribute to or prevent unauthorized access to information and information systems.
Security posture is not static. It is dynamic and can change based on the quality of the continued execution of the program elements. It requires active management of the security program to maintain a given security posture.
Proprietary is not always more secure. Open source software is often misunderstood as “free” software. With open source software, the source code is available to the user or purchaser, whereas with most software, only the executable or object code is available. The security implications are debated, but most believe that the ability of users to examine open source code results in systems with fewer unanticipated vulnerabilities.
Record keeping is mandatory.
The OSI (Open Systems Interconnection) model was first defined and published as an international standard (ISO/IEC 7498-1) in 1984 and last revised in 1994. Strengths and weaknesses: established and flexible, but complex. Encapsulation is the process of wrapping the data with headers and trailers before sending. Layering separates the function of each layer. The TCP/IP model functions like the OSI model and maps to it; it is simpler and network centric, and does not describe the function of the application in enough detail.
Does your organization keep records of, or otherwise keep track of, network, data, and system intrusions? How long are they kept? How about insider intrusions?
Network security is a cornerstone of business operations because network connectivity provides an easy and consistent venue for an attack.
Availability: uptime. Here we look for single points of failure; non-redundant components can be reinforced. Redundancy has to be built into a system at the network, application, and/or process level. Backup networks.
Confidentiality: wireless networks are vulnerable to sniffing. Message protection: non-repudiation is the assurance that a specific author did actually send a specific item to a specific recipient. Effective non-repudiation is accomplished through the use of digital signatures and encryption. High redundancy. 8) Defense in depth: hurdles.
Network attackers: when considering the types of attacks, an attacker would take the path of least resistance. Most issues are known from both the defender’s and the attacker’s side. It is important to have a documented topology. Single points of failure are to be avoided.
Wireless (802.11): from the wired network to the station, wireless local area networks. Both wireless and wired technologies are susceptible to sniffing.
Cloud computing is the provisioning of IT services over the cloud, the Internet. The term cloud is based on the depiction of the Internet as a cloud. Some of the services provided in the cloud are data storage, software, security, communications, etc. Security issues: since the services are being provided by a third party, trust is a major concern. Connections: VPN? Sharing of data and cross-border data transfer: where cloud services are provided, it may be challenging to control cross-border transmission of traffic.
Network partitions: firewalls are used to separate trusted from untrusted networks; again, no single points of failure, defense in depth, stateful inspection. A complete firewall solution would have the firewall handling traffic and denying or permitting access correctly (the functional requirement), with the logging and monitoring aspect addressing the assurance requirements of the firewall solution by ensuring that the firewall is working properly and providing the expected level of protection in relation to the risks that the firewall was intended to control.
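The firewall points in the note above (trusted versus untrusted partitions, default deny, stateful inspection, and logging as the assurance side of the solution) as an added simulation in Python written for this page; it is illustrative code, not any product’s rule engine. The inside network, the DMZ web server, the rule base and the traffic are all constructed (addresses from the RFC 5737 documentation ranges and a private range), and only TCP connection state is modelled, without sequence-number tracking.

```python
"""Toy stateful packet filter: default-deny policy, a connection table,
and a log for the monitoring side. Added example for this page; the
addresses, rules and traffic are constructed (TCP only, no sequence
tracking)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

TRUSTED = ipaddress.ip_network("10.0.0.0/8")      # inside network (constructed)
DMZ_WEB = ipaddress.ip_address("192.0.2.10")      # public web server in the DMZ (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first packet of a new TCP connection


class StatefulFirewall:
    def __init__(self) -> None:
        # (src, sport, dst, dport) of connections the policy has admitted
        self.connections: Set[Tuple[str, int, str, int]] = set()
        self.log: List[Tuple[str, Packet]] = []

    def _new_connection_allowed(self, pkt: Packet) -> bool:
        """Rule base for connection initiation; anything unmatched is denied."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in TRUSTED and dst not in TRUSTED:      # outbound from the inside
            return True
        if dst == DMZ_WEB and pkt.dport == 443:         # public HTTPS to the DMZ host only
            return True
        return False                                    # default deny

    def handle(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            verdict = "ACCEPT:established"   # reply traffic for a known connection
        elif pkt.syn and self._new_connection_allowed(pkt):
            self.connections.add(fwd)
            verdict = "ACCEPT:new"
        else:
            verdict = "DROP"                 # unsolicited, or non-SYN with no state
        self.log.append((verdict, pkt))      # every decision is logged for monitoring
        return verdict

    def drops(self) -> List[Packet]:
        """Denied packets, the first thing a monitoring review looks at."""
        return [p for v, p in self.log if v == "DROP"]


def run_sample_traffic() -> List[str]:
    """Push constructed traffic through a fresh firewall; return the verdicts."""
    fw = StatefulFirewall()
    traffic = [
        Packet("10.0.0.5", 40000, "203.0.113.7", 443, syn=True),      # inside -> Internet
        Packet("203.0.113.7", 443, "10.0.0.5", 40000, syn=False),     # reply to it
        Packet("203.0.113.7", 12345, "10.0.0.9", 3389, syn=True),     # unsolicited inbound
        Packet("203.0.113.7", 443, "10.0.0.9", 40001, syn=False),     # "reply" with no state
        Packet("198.51.100.20", 51000, "192.0.2.10", 443, syn=True),  # public -> DMZ web
        Packet("198.51.100.20", 51001, "192.0.2.10", 22, syn=True),   # public -> DMZ ssh
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_sample_traffic():
        print(verdict)
```

The fourth packet is the reason stateful inspection matters: a stateless filter that allows "source port 443" inbound would pass it, while the connection table rejects it because nobody inside opened that connection.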
There are a number of risk assessment models available:
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
NIST SP 800-30
SSE-CMM (System Security Engineering Capability Maturity Model)
Other...
Administrative categories to assess: review of policies and procedures; implementation; enforcement; penetration testing; vulnerabilities; demonstration; logs; walkthrough.
Technical safeguards: detailed wired/wireless network designs; secure workstation use (documentation of specific guidelines for each class of workstation); procedures for encryption and decryption of EPHI.
Physical safeguards: data backup and storage; disposal.
Administrative safeguards: risk management methodology; information access management; security awareness and training; privacy policies; business associate agreements.
Quantitative: estimate single loss expectancy, annualized rate of occurrence, and annual loss expectancy; estimate potential losses.
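The quantitative arithmetic named in the note above (single loss expectancy, annualized rate of occurrence, annual loss expectancy), as an added Python example written for this page rather than code from the slides. It also carries the calculation one step further than the note, to the net annual value of a safeguard, which is how a quantitative assessment justifies spending on a control. The asset value, exposure factors, rate of occurrence and control cost are constructed figures, not estimates from any real organization.

```python
"""Quantitative risk assessment arithmetic: SLE, ARO and ALE.

Added example, not from the slides. All dollar figures are constructed
for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float       # cost to the organization if the asset is fully lost
    exposure_factor: float   # fraction of asset value lost per incident, 0..1
    aro: float               # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor: expected loss from one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(exp: Exposure) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    return single_loss_expectancy(exp.asset_value, exp.exposure_factor) * exp.aro


def control_benefit(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """Net annual value of a safeguard: ALE reduction minus the control's annual cost.

    A positive result means the control pays for itself on these numbers."""
    reduction = annualized_loss_expectancy(before) - annualized_loss_expectancy(after)
    return reduction - annual_control_cost


# Constructed scenario: a laptop holding ePHI is lost or stolen about once
# every five years (ARO 0.2). Without encryption a quarter of the asset's
# value (breach notification, penalties, remediation) is exposed per incident;
# with full-disk encryption the loss is essentially the hardware.
LAPTOP_UNENCRYPTED = Exposure(asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
LAPTOP_ENCRYPTED = Exposure(asset_value=2_000_000, exposure_factor=0.02, aro=0.2)
ENCRYPTION_ANNUAL_COST = 30_000   # licences, key management, support (constructed)


def encryption_case() -> dict:
    """ALE before and after encryption, and the net benefit of buying it."""
    return {
        "ale_before": annualized_loss_expectancy(LAPTOP_UNENCRYPTED),
        "ale_after": annualized_loss_expectancy(LAPTOP_ENCRYPTED),
        "net_benefit": control_benefit(LAPTOP_UNENCRYPTED, LAPTOP_ENCRYPTED,
                                       ENCRYPTION_ANNUAL_COST),
    }


if __name__ == "__main__":
    for name, value in encryption_case().items():
        print(f"{name:12} ${value:,.0f}")
```

Note that encryption changes the exposure factor, not the rate of occurrence: devices still get stolen, but the theft no longer exposes ePHI. The quantitative method is only as good as those two estimates, which is the "more difficult to determine" weakness listed on slide 33.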
An organization should take positive, proactive actions.
National Institute of Standards and Technology: recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under the Executive Order “Improving Critical Infrastructure Cybersecurity”, has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.
Vulnerability assessment tools. An audit trail is a record of system activities. More specifically, an audit trail is a chronological record of system activities that makes possible the reconstruction, review, and examination of the sequence of activities, which can then be used to indicate a possible intrusion or to investigate an incident. Data generated by system, network, application, or user activities are recorded. The configuration of an audit trail should include data about network connections, system-level events, application-level events, and user-level events (i.e. keystroke activity), with event filtering. It may be necessary to use some type of event filtering or clipping level. Attackers often try to scrub audit logs to cover their attacks.
Penetration testing: pen tests (also called ethical hacking) consist of a formal set of steps and procedures similar to those tricks and techniques an intruder would be likely to use. The purpose is to evaluate how well the enterprise can thwart an attack and how it might be compromised by a potential attack.
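Two of the audit-trail points in the note above, a clipping level on failed logins and the problem of attackers scrubbing logs, as an added Python example written for this page; it is not code from the slides or from any product. Each record is hash-chained to the one before it, so deleting or editing an entry is detectable on review, and a clipping level flags any user whose failed logins exceed a threshold inside a time window. The events, users, addresses and timestamps are constructed, not real log data.

```python
"""Tamper-evident audit trail with a clipping level for failed logins.

Added example, not from the slides. Records are hash-chained (each record
commits to the previous record's digest) so that deleting or editing an
entry breaks verification, and a clipping level flags users whose failed
logins exceed a threshold inside a window. All events are constructed.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # digest "before" the first record


def _body(record: dict) -> str:
    """Canonical JSON of a record without the chain fields."""
    payload = {k: v for k, v in record.items() if k not in ("prev", "hash")}
    return json.dumps(payload, sort_keys=True)


class AuditTrail:
    """Append-only log; each record carries seq, the previous digest and its own."""

    def __init__(self) -> None:
        self.records: List[dict] = []
        self._prev = GENESIS

    def append(self, event: dict) -> dict:
        record = {"seq": len(self.records) + 1, **event, "prev": self._prev}
        record["hash"] = hashlib.sha256((self._prev + _body(record)).encode()).hexdigest()
        self.records.append(record)
        self._prev = record["hash"]
        return record


def verify_chain(records: List[dict]) -> Tuple[bool, Optional[int]]:
    """(True, None) if intact, else (False, seq) of the first position that fails."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records, start=1):
        if rec.get("seq") != expected_seq or rec.get("prev") != prev:
            return False, expected_seq          # gap, reorder or deletion
        if hashlib.sha256((prev + _body(rec)).encode()).hexdigest() != rec.get("hash"):
            return False, expected_seq          # content edited after the fact
        prev = rec["hash"]
    return True, None


def over_clipping_level(records: List[dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Users with at least `threshold` failed logins inside any `window`.

    Returns user -> peak count seen in one window. Sliding-window scan."""
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec.get("event") == "login_failure":
            stamps[rec["user"]].append(datetime.fromisoformat(rec["ts"]))
    flagged: Dict[str, int] = {}
    for user, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


# Constructed events, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2013-03-18T08:00:01", "user": "jdoe", "event": "login_failure", "src": "10.0.0.5"},
    {"ts": "2013-03-18T08:00:20", "user": "jdoe", "event": "login_failure", "src": "10.0.0.5"},
    {"ts": "2013-03-18T08:00:41", "user": "asmith", "event": "login_failure", "src": "10.0.0.9"},
    {"ts": "2013-03-18T08:01:02", "user": "jdoe", "event": "login_failure", "src": "10.0.0.5"},
    {"ts": "2013-03-18T08:01:30", "user": "jdoe", "event": "login_failure", "src": "10.0.0.5"},
    {"ts": "2013-03-18T08:02:00", "user": "asmith", "event": "login_success", "src": "10.0.0.9"},
    {"ts": "2013-03-18T08:02:15", "user": "jdoe", "event": "record_view", "src": "10.0.0.5"},
]


def build_sample_trail() -> List[dict]:
    trail = AuditTrail()
    for event in SAMPLE_EVENTS:
        trail.append(event)
    return trail.records


def scrub(records: List[dict], seq: int) -> List[dict]:
    """Simulate one record being deleted from a copy of the trail."""
    return [r for r in records if r["seq"] != seq]


if __name__ == "__main__":
    recs = build_sample_trail()
    print("intact:", verify_chain(recs), "flagged:", over_clipping_level(recs))
    print("after scrub:", verify_chain(scrub(recs, 4)))
```

The chain only proves that nothing was altered after the digest was computed, so in practice the digests (or the whole trail) are forwarded to a separate log host the attacker cannot reach; the clipping level is what turns a flood of single failures into one reviewable event.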
Core Measure 15: regardless of which risk assessment process is selected, there is likely to be a gap or need for a corrective action plan.
Analyze current state: identify assets, threats, vulnerabilities and business impact; perform technical risk assessment through appropriate testing; review existing control documentation; interview key personnel to understand concerns.
Develop a strategy for improvement or corrective action plan: prioritize identified risk and exposure; perform root cause analysis; develop potential solutions; prepare recommendations for improvements; assess existing versus target process maturity.
Communicate and manage risk: consider high-level strategies to facilitate improvement; rate proposed recommendations by impact and success potential; prepare a business case for identified solutions.
Risk mitigation: risk appetite; prioritization; approaches to dealing with risk (accept risk, transfer risk, eliminate risk, reduce risk); an evolving process.
Best practices: firewalls; physical security systems (electronic access control systems, badging systems, CCTV, etc.); encryption of critical data in transit; role-based access control; intrusion detection systems monitored by a person; information assurance technologies that track access and use of organizational data; automated patch management; intrusion detection systems monitored by automated systems with built-in alarms; two-factor authentication; wireless monitoring; keystroke monitoring of individual users.