Cybersecurity: Vulnerabilities, Attacks, and Mitigating Against Threats

Thursday, March 3rd, 2016

Ryan Witt, Vice President – Healthcare Industry Practice, Fortinet Hussein Syed - Chief Information Security Office at Barnabas Health System

Agenda

• Current State of Healthcare • Healthcare Threat Landscape • CISO’s View of Securing Healthcare

Learning Objectives • Recognize why these breaches are occurring • Assess the kind of countermeasures that are being used today and their relative effectiveness

• Identify what the industry can do to solve this problem, both policy-wise and collective action-wise

http://www.himss.org/ValueSuite

Realizing Value of HIT - STEPS

Safeguarding PHI

Global Healthcare Breach Environment

IBM / Ponemon Study - 2015

Transformed Care is a Hotbed for Cybersecurity

Evolving Threat Landscapes – Current Challenges

FortiGuard Labs Threat Research Since 2000, FortiGuard Labs has provided industry-leading security intelligence and research.

FortiGuard Labs Theatre Engagement

Prediction 1 – The Rise of Machine to Machine Attacks (Background)

Prediction 1 – The Rise of Machine to Machine Attacks (Outlook)

Prediction 2 – Headless Worms Target Headless Devices (Background)

Prediction 2 – Headless Worms Target Headless Devices (Outlook)

Prediction 3 – Jailbreaking the Cloud (Background)

Prediction 3 – Jailbreaking the Cloud (Outlook)

Prediction 4 – Ghostware Conceals IOCs (Background)

Prediction 4 – Ghostware Conceals IOCs (Outlook)

Prediction 5 – Two Faced Malware (Background)

Prediction 5 – Two Faced Malware (Outlook)

Actionable Threat Intelligence

Finding the Needle in the Haystack…

Build a security practice • Information Security has become strategic element of an

organizations operating plan, • We are expected to assure the Corporate boards, our

investors, and the regulatory agencies of our information security posture

• Build relationships with peers and understand the business of healthcare

• Develop plans to: – Protect the your brand and reputation – To be HIPAA and PCI DSS compliant – Protect the organization against Cyber Threats

• Build a mature results driven security organization

Build a plan • Develop a three to five years security plan that aligns with a framework • Business wants to

– Brand protection prevent incidents/breaches – Ease of technology use – Meet their strategic objectives

• Do a high level baseline of your security portfolio, its re-iterative process • Technology areas to address with a limited resources

– IT Governance Risk and Compliance – Identity and Access Control Management – Incident Management (Prevention and Detection)

• Threat Management • Vulnerability Management • Data Security • Network Security • System Security

– Business Continuity Management – Information Lifecycle Management (Data Governance)

It’s a journey • Use a risks based approach to address • Use the technical roadmap such as Sans CIS to

map high level objectives to technical tasks • Make it a People, Process, and Technology

– Train and educate your Security team – Understand and streamline processes to gain

efficiencies – Implement technologies to gain visibility and

compliance

NIST Cybersecurity Framework

VISION MISSION

MEMBERS

Advancing the role of CISOs and CSOs through education, collaboration, and advocacy in support of secure health information for the protection of both healthcare organizations and consumers.

Shaping the future of healthcare through the provision of trusted and reliable

security environments.

Launched in July 2014, AEHIS is the first professional organization representing healthcare

executives in senior information security roles. AEHIS’ 250 members are responsible for leading

security practices and safeguarding against patient data breaches and cyber threats.

Where to learn more - AEHIS

Where to learn more - WEDI

The Workgroup for Electronic Data Interchange (WEDI) is the leading authority on the use of Health IT to improve healthcare information exchange in order to enhance the quality of care, improve efficiency and to reduce costs of the American healthcare system. Formed in 1991 by the Secretary of Health and Human Services (HHS), WEDI was named in the 1996 HIPAA legislation as an advisor to HHS and continues to fulfill that role today. - See more at: http://www.wedi.org/about-us#sthash.idLyG6x2.dpuf

Questions

Ryan Witt Vice President – Healthcare Industry Practice Fortinet rwitt@fortinet.com / 650.492.3480 / @WittRZ Hussein Syed Chief Information Security Office Barnabas Health System