Healthcare Cybersecurity Transformation for your Organization: Looking to the Future Session #CS5, February 19, 2017 Mitchell Parker, Executive


Healthcare Cybersecurity Transformation for your Organization: Looking to the Future
Session #CS5, February 19, 2017
Mitchell Parker, Executive Director, Information Security & Compliance, Indiana University Health

Speaker Introduction
Mitchell Parker, MBA, CISSP
Executive Director, Information Security & Compliance
Indiana University Health

Conflict of Interest
Mitchell Parker, MBA, CISSP has no real or apparent conflicts of interest to report.

Agenda
Healthcare Cybersecurity Transformation for your Organization: Looking to the Future
Many healthcare organizations have continued to approach cybersecurity as they always have. As a result, many organizations lack the personnel and budget to have effective cybersecurity programs. This session describes how you can transform your organization's cybersecurity program with a "whole of organization" approach.

Learning Objectives
- Explain how to talk to your board of directors and senior management about prioritizing cybersecurity and allocating sufficient resources
- Describe effective change management processes and policies to transform your organization's cybersecurity program
- Illustrate how to effectively manage risks even in the face of new technologies

STEPS: Electronic Secure Data
This presentation will help you realize benefits in the STEPS Framework by:
- Assisting in developing organization-wide strategies to address data protection throughout the system lifecycle
- Assisting in communicating the value of protecting and securing data to organizational stakeholders
- Giving framework details organizations can use to implement in their own programs

It's a Business Problem
- The issue is that we treat it as an IT problem
- IT problems tend to go into the IT bucket
- Information Security issues have their root in many non-IT causes
- Today, we're going to go through what to do to get the message across to senior management and the board that Infosec provides value
- We're going to address how to build the structures you need to demonstrate organizational and strategic value

Why did breaches occur?
- Discuss why the breaches occurred in the first place. Don't discuss just the technology behind them
- Discuss the process failures that caused the breaches to occur
- For example: When we discuss the OCR breach, we discuss that the application software was not properly maintained, and that the organization did not communicate the security issues to Congress for funding
- Example #2: The CHS breach and maintenance processes for network equipment

State of the Industry
- Discuss the state of the industry
- Talk about what trends the executives are seeing
- Use non-biased sources (Gartner, Ponemon, insurance companies, etc.) to report on trends and emerging threats
- Use information sharing with other peer organizations to discuss trends in the immediate region
- Use your Information Sharing and Analysis Center (NH-ISAC) membership(s) to communicate industry trends

Information Sharing
- You need to be communicating out that you are sharing information across your region and industry
- Board members and senior executives are more receptive to listening when you show that you've talked with your peers
- Besides NH-ISAC, there's the CISO Executive Network (if your city has one), ISSA, ISACA, InfraGard, and the self-organized groups in cities/regions (Philadelphia, Indianapolis, and NYC in particular)
- There are many others depending on your location
- We are seeing other avenues being used to share security information (EMR vendor user sites, e.g. Epic UserWeb)

Tie to Strategy
- You need to tie what you do in security to two levels: the overall Information Systems strategy and the organizational strategy
- You need to make sure that your communication and training plans reflect the strategies of the organization
- You also need to make sure that you focus activities on communicating the strategy
- Your metrics need to focus on augmenting and supporting the overall organizational strategy

Designing and Maintaining Systems
- It's a marathon, not a sprint
- You need to meet organizational and security requirements
- You need to synchronize with: the business, customers, enterprise architects, legal/contracting/compliance, and supply chain
- You need to demonstrate that you are working with teams internally to design and develop systems correctly

You Can't Buy Your Way to It
- You can't buy your way into security, no matter what some people or vendors want you to believe
- However, there are also too many businesses that believe that, and they talk to executives
- Our job is to communicate that you need a program that continually assesses and addresses risk, not something you buy
- Insurance companies have gotten smart, and now require risk assessments. These show when people try to use magic bullets.
- You definitely cannot do this for PCI compliance, due to the need to review device configurations and how they integrate with your network.

Security as a Foil
- You want to communicate that security is heavily dependent on good process management across the organization
- It is often a good foil for finding other process issues, as it depends heavily on the correct execution of other components, e.g. budgeting, change management, and project management
- It's important to communicate this out to senior leadership. Security is good at smoking out other issues.

Organizational Responsibilities
- HIPAA, HITECH, and Meaningful Use all exposed the need to be compliant
- However, being compliant is more than a checkbox
- Truly successful organizations need to use risk assessments as a tool to review processes at all levels: Human Resources (access review), Physical Security, and Information Management

Organizational Structure
- Due to the organizational responsibilities, InfoSec is nominally an IT department, and this is changing in scope
- InfoSec is now a large part of Information Management/Regulatory Compliance, esp. Joint Commission IM standards
- InfoSec also has hooks into a number of other departments: Clinical Risk Management, Insurance, Emergency Preparedness, Privacy, Corporate Compliance, Supply Chain, Revenue Cycle, and Information Management

Vendor Management
- The HIPAA Security Rule requires that we address risk across the enterprise
- HITECH extends this to Business Associates
- The security events that have occurred (ransomware, the Mirai botnet, the Target breach) indicate that we need to have good vendor management to protect ourselves
- Vendor management is important because: it protects the organization; it keeps third parties from walking all over you; it keeps staffing expectations realistic

You Can't Buy Compliance
- You can't buy your way into compliance, nor should you
- Consultants don't understand your business
- They walk out the door and take knowledge with them
- While they produce nice-looking documents, ultimately they are just that without organizational involvement

Budget Impact of IT
- IT is no longer a bucket that can handle all expenses, nor is it flexible enough to do so
- There are maintenance and support costs to be factored into overall system cost
- There are security and compliance costs to be factored in
- HIPAA and continual risk management need to be accounted for
- Capital budgeting needs to be accounted for
- People cannot cut costs on capital items and expect IT to pay for the difference or give resources for free

Risk is Universal
- Now with the IoT, computer security risk is patient risk
- There has always been a computer security component of Joint Commission Information Management standards
- PCI compliance cuts across the entire enterprise
- Downtime because of a security incident, or because the database server is down, is still downtime, and you still need to address it

Policies/Procedures/CM Processes
- Data Classification Policy: gives a foundation on how to address different types of data within an organization. Use a matrix to address these types, their storage and handling requirements, and their retention times
- Data Retention Policy: builds off of the Data Classification Policy and its matrix
- Data Export/Usage/Reporting Policy: builds off of the Data Classification Policy and addresses multiple areas of data usage

Governance
- You need to be part of governance committees to address handling of information security issues: Honest Broker (research), Information Security Steering Committee (operational issues), business/clinical-specific steering committees (business and application issues), Data Warehouse Steering Committee (data issues)
- This is critical to addressing new technologies, as they will usually come through these committees first

Contract Language/BAA
You should be specifying these items up front in the BAA/contract, and staffing to check on this:
- Security requirements (and no blanket statements on HIPAA); nothing on "HIPAA Certified" (if you see that, run)
- List of security deliverables from the vendor
- Expected work/budgeted time to maintain the system
- Vulnerability management
- Vendor's risk management program
- SOC1/SOC2 requirements
- Network segmentation and design

Budgeting/Decision Process
- Capital budgeting inclusion. Get involved before someone builds several careers or programs around it
- Supply chain purchasing processes. Get involved before it shows up on your doorstep
- IT purchasing processes. Get involved before someone else from IT does

Change Management
- This is useless unless you get major players on one board
- You need to get the "I do my own change management" people playing in your sandbox
- This means ERP and some of the more established players: the EMR team
- Best way: "burn the ships" change management, as at my previous job. Announce to the other change committees that no changes go through unless they come from the main Change Board, and enforce it with IT leadership
- The main purpose of this is to get your organization to think in terms of change packages and consider the impact of their actions at multiple levels, including the Service Desk

Emerging Technologies
- Addressing these is part of the overall risk process
- If you don't have the right structure in place, you won't be addressing any technology risks, let alone new ones
- You need to make sure you have a solid structure in place before addressing new technologies
- It's about addressing and mitigating risk and understanding its impact

STEPS: Electronic Secure Data
This presentation helped you realize benefits in the STEPS Framework by:
- Assisting in developing organization-wide strategies to address data protection throughout the system lifecycle
- Assisting in communicating the value of protecting and securing data to organizational stakeholders
- Giving framework details organizations can use to implement in their own programs

Questions
For further questions after this conference, please contact me at: ( ) (317) (Office phone)
Please complete your online session evaluation!