Csa presentation november 2016 sloane ghx

Page 1

Fixing the breakdown between securing your Business, your Customers and your Data
SLOANE STRICKER, CSO, GLOBAL HEALTHCARE EXCHANGE

Page 2

Yeah that's right. I'm going to talk about security.

Well, ..., data security that is.

Page 3

Intro

Hospitals and healthcare systems are under increasing regulatory demands to protect patient data, while at the same time sharing data to improve coordination of patient care. How do we really ensure our data security and help our customers meet these stringent regulatory requirements? How does technology help, hinder or even obfuscate this? How can companies, not just in healthcare, implement and maintain a real-world, proactive security framework that ensures compliance, customer obligations and true data protection?

COMPLIANCE | AGREEMENTS | PROTECTION

Page 4

Topics

• Real world security & compliance
  1. To be compliant (i.e. pass the audit)
  2. To get customers (i.e. trust and competency)
  3. To protect assets (i.e. really protect your data)

• But..., there are continuous changes and shifts in the security landscape
  • Compliance and Consequences
  • Technology
  • Attackers
  • Customer Expectations

• How? The right Controls, the right Compliance and the right Commitment

Page 5

Page 6

Page 7

Page 8

Page 9

Real Security?

VS

Page 10

AN ERA OF CHANGE IN SECURITY

Compliance and Consequences

Technology

Attackers

Customer Expectations

Page 11

SHIFT: COMPLIANCE AND CONSEQUENCES

• The business has to adhere to regulations, guidelines, standards, etc.
  • HIPAA, HITECH, PCI DSS, GLBA, BASEL II, SOX, etc.
  • EU Privacy laws, …, and many more state or international standards
• Internal and external Audits (like OCR's new HIPAA Audit Program) are changing the economics of risk and creating "impending events"
  • Possible OCR HIPAA audits according to the new HIPAA Privacy, Security, & Breach Notification Audit Program
  • St Joseph's Health System hit with $2.14 penalty last month

Hackers may attack you but auditors will show up

Page 12

SHIFT: TECHNOLOGY

• Shifts in worker mobility and devices are redefining the IT landscape
• Shifts from on-premise to SaaS, PaaS and IaaS (e.g. cloud)
  • Cloud is changing our notion of a perimeter
  • System communication is fundamentally changing
  • Many transactions occur over HTTP/HTTPS
  • The security model is shifting from good people vs. bad people to enabling partial trust
• Can't mitigate every possible risk

You may get hacked but you will get impacted

Page 13

SHIFT: ATTACKERS

• Cyber criminals are becoming organized and motive-driven
  • An entire underground economy exists to support cybercrime
  • Ransomware and blackmail
  • Disruption, exposure and embarrassment
• Attackers are shifting their methods to exploit both technical and human weaknesses
• Attackers are after much more than monetizable data
  • Hacktivism
  • State-sponsored attacks
  • IP attacks / breaches

If you do get hacked, how much will it actually cost you?

Page 14

SHIFT: CUSTOMER EXPECTATIONS

• Customers are starting to use security as a discriminator
  • In many ways security has become a non-negotiable expectation
• Security being woven into Service Level Agreements (SLAs)
  • As well as HA, DR and BCP availability levels and assurance
• Price, process maturity and scale can only go so far
  • "Assurance" is also key
  • Customer requested questionnaires and on-site visits

If you don't get the upper hand of trust fast, someone else will

Page 15

So how do we cover all this so we can do business?

Page 16

THE MINIMUM SECURITY AND AUDIT

• Enterprise Security Architecture
  • Encryption at-rest/in-flight
  • Fine grain role based access/permissions
  • Every access/every action captured for audit, control, security
• Audit ready reporting
  • Audits, Certs and Assessments
  • SOC-1, SOC-2, PCI
  • HIPAA - HITECH
  • Global Privacy Regulatory

Page 17

Are you and/or your partners, providers and customers secure?

1. How do you or your service provider(s) ensure that sensitive data is protected?
2. Can you or they provide a SOC1 (SSAE16) Report, a SOC2 Report, and/or a Business Associate Agreement (and the BAA must be updated for the new OCR rules)?
3. What Security and Controls framework/guidelines do you or they follow?
4. Do you or they maintain a dedicated security team and proactively assess risk and vulnerabilities?
5. Do you or they provide incident response or service availability SLAs, targets and/or historical baselines?
6. Are you or they prepared for possible audits like the new OCR HIPAA audit or a customer inquiry?

Page 18

Working with Customers or Providers

• Integrating Security Controls & Ecosystem
  – Develop a coordinated information security and business relationship
  – Ensure a complete understanding of the GHX platform & processing
  – GHX and client-side due diligence and scoping of sensitive data
  – Understand applicable U.S. federal, state, and international compliance requirements
  – Provide documentation such as SOC 1 Report and PCI Compliance Attestation
  – Sign Business Associate Agreements (BAA) to help customers meet HIPAA / HITECH obligations
  – Conduct security reviews for customers if applicable
  – Ensure all needs, requests and agreements are in place to begin business and realize value

Page 19

Securing with Customers or Providers

Trust & Advantage
1. Security Position(s)
2. Customer's Security Needs
3. Provide Answers Quickly

Assurance & Evidence
1. Provide SOC Report & BAA
2. Security Team Meetings and Additional Questions

Value & Engagement
1. Implement Quickly with Security Aspects in Place
2. Realize value on both sides

Page 20

So how do we handle all these new vulnerabilities?

Page 21

FORCES IMPACTING SECURITY POSTURE

Security Posture

• Evolving Endpoints
• Dissolving Perimeters
• Encrypted Traffic Visibility
• New Security Control Adaptation
• Complexity of Privacy
• Incident Response

Page 22

Other Key Best-Practices

• Understanding Vulnerabilities
• SDLC Security integrated
• Product Security Requirements
• Awareness of ops, support
• Deployment & Updates
• Market Requirements
• Threat Modeling
• Gather Customer Requirements

SecOps and a Security mindset to think and test like a hacker…

• Security Team
• Security Council
• Security Leadership
• Security as a Service
• Security Value Proposition

Page 23

MODERN ENTERPRISE DEFENSE IN DEPTH

• Foundational Defense in Depth
  • Multiple layers of defense
  • Consistency of application
  • Diversity of layers
• New Requirements
  • Deployment Agnostic
  • Competency in Failure
  • Take Action on Noisy Threat Intelligence
• Extended Enterprise Security
  • Advanced Malware Scanning
  • "Hunting" Capabilities
  • BYOD/CYOD defenses
  • Cloud Application Security
  • Mobility Defense in Depth
• Coverage & Adjustability
  • New requirements
  • New Threats
  • New Technologies

Get Proactive!

Page 24

ADVANCED SECURITY

• SSO / Access Control
• Authentication
• Authorization
• Encryption in Flight
• Encryption at Rest
• Certificate Management
• Complete Audit History
• User and System Logs
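Pages 16 and 24 both list fine-grained role-based access and "every access/every action captured for audit" as baseline controls. The example below is added here to show what those two controls look like together in code; it is not code from the presentation or from GHX. The role names, permission tuples, resource types and sample principals are constructed for illustration. Authorization is deny-by-default (a role with no entry grants nothing), every decision, allowed or denied, is written to an append-only log, and each log entry carries a SHA-256 over the previous entry so that later edits to the history can be detected when the log is handed to an auditor.

```python
"""Fine-grained RBAC with a tamper-evident audit trail of every decision.

Added example, not the presentation's or GHX's code. All role, permission
and resource names below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> set of (resource_type, action) it grants. Constructed sample policy:
# clinicians work on charts, billing handles claims, auditors read the log only.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "clinician": {("patient_chart", "read"), ("patient_chart", "update")},
    "billing": {("claim", "read"), ("claim", "export")},
    "auditor": {("audit_log", "read")},
}

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset[str]


@dataclass
class AuditEntry:
    ts: str
    user_id: str
    action: str
    resource_type: str
    resource_id: str
    allowed: bool
    reason: str
    prev_hash: str
    entry_hash: str = ""


def _digest(entry: AuditEntry) -> str:
    # Hash every field except the hash slot itself, in a canonical order.
    payload = {k: v for k, v in entry.__dict__.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def last_hash(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def append(self, entry: AuditEntry) -> AuditEntry:
        entry.entry_hash = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and chain link still match."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or _digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


class AccessControl:
    def __init__(self, log: AuditLog) -> None:
        self.log = log

    def permitted(self, p: Principal, resource_type: str, action: str) -> bool:
        # Deny by default: unknown roles contribute an empty permission set.
        return any((resource_type, action) in ROLE_PERMISSIONS.get(r, set())
                   for r in p.roles)

    def access(self, p: Principal, resource_type: str,
               resource_id: str, action: str) -> bool:
        """Decide, record the decision (allowed or not), then return it."""
        allowed = self.permitted(p, resource_type, action)
        self.log.append(AuditEntry(
            ts=datetime.now(timezone.utc).isoformat(),
            user_id=p.user_id, action=action, resource_type=resource_type,
            resource_id=resource_id, allowed=allowed,
            reason="role grants permission" if allowed else "no role grants permission",
            prev_hash=self.log.last_hash()))
        return allowed


if __name__ == "__main__":
    log = AuditLog()
    ac = AccessControl(log)
    dr = Principal("u-dr", frozenset({"clinician"}))
    bill = Principal("u-bill", frozenset({"billing"}))
    print(ac.access(dr, "patient_chart", "p-001", "read"))    # True
    print(ac.access(bill, "patient_chart", "p-001", "read"))  # False, still logged
    print(log.verify())                                       # True
```

Denied attempts are logged with the same detail as successful ones; that is what makes the trail usable for the "who tried to reach what" questions an OCR-style audit or a customer security review asks, and the hash chain gives the reviewer a cheap integrity check before they rely on it.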

Page 25

Must move from reactive security to proactive security

Page 26

So how do we stay compliant?

Page 27

Key Compliance Aspects

• Guidelines and Requirements
• Monitoring and Alerting
• Audit trails and logging
• Documentation and Reports

Must move from knock-on-wood to safe harbor position

Page 28

THE RIGHT CONTROLS AND AUDITS

• Functional Controls
  • Assess, identify, treat and reduce security vulnerabilities & risk to meet HIPAA / HITECH compliance and SSAE16 / SOC 1 reporting obligations
• Administrative Controls
  • Policies, procedures, training and agreements protecting confidential and competitively sensitive data and intellectual property
• Process Controls
  • Regular reviews, maintenance and external audits of security policies, procedures, and controls including incident response
• Physical Controls
  • Access restrictions, identification requirements, monitoring and alarms
• Technical Controls
  • Access management, vulnerability management, intrusion detection and prevention, logging and monitoring, malicious code protective measures, encryption, configuration management, penetration testing, network access control, high availability and business continuity
• External Audit
  • SOC 1, SOC 2, AT-101 annual audits and reports regulated and set by the AICPA's Statement on Standards for Attestation Engagements No. 16 (SSAE16)

Page 29

Provide this documentation up front and build customer confidence early!

Page 30

Page 31

“If we have data, let’s look at data. If all we have are opinions, let’s go with mine.”

― Jim Barksdale

Page 32

Questions

or

“Stump the Presenter”