Cybersecurity: Vulnerabilities, Attacks, and Mitigating Against Threats
Thursday, March 3rd, 2016
Ryan Witt, Vice President – Healthcare Industry Practice, Fortinet
Hussein Syed, Chief Information Security Officer at Barnabas Health System
Agenda
• Current State of Healthcare
• Healthcare Threat Landscape
• CISO’s View of Securing Healthcare
Learning Objectives
• Recognize why these breaches are occurring
• Assess the kind of countermeasures that are being used today and their relative effectiveness
• Identify what the industry can do to solve this problem, both policy-wise and collective action-wise
http://www.himss.org/ValueSuite
Realizing Value of HIT - STEPS
Safeguarding PHI
Global Healthcare Breach Environment
IBM / Ponemon Study - 2015
Transformed Care is a Hotbed for Cybersecurity
Evolving Threat Landscapes – Current Challenges
FortiGuard Labs Threat Research Since 2000, FortiGuard Labs has provided industry-leading security intelligence and research.
FortiGuard Labs Theatre Engagement
Prediction 1 – The Rise of Machine to Machine Attacks (Background)
Prediction 1 – The Rise of Machine to Machine Attacks (Outlook)
Prediction 2 – Headless Worms Target Headless Devices (Background)
Prediction 2 – Headless Worms Target Headless Devices (Outlook)
Prediction 3 – Jailbreaking the Cloud (Background)
Prediction 3 – Jailbreaking the Cloud (Outlook)
Prediction 4 – Ghostware Conceals IOCs (Background)
Prediction 4 – Ghostware Conceals IOCs (Outlook)
Prediction 5 – Two Faced Malware (Background)
Prediction 5 – Two Faced Malware (Outlook)
Actionable Threat Intelligence
Finding the Needle in the Haystack…
Build a security practice
• Information Security has become a strategic element of an organization's operating plan
• We are expected to assure the corporate board, our investors, and the regulatory agencies of our information security posture
• Build relationships with peers and understand the business of healthcare
• Develop plans to:
  – Protect your brand and reputation
  – Be HIPAA and PCI DSS compliant
  – Protect the organization against cyber threats
• Build a mature, results-driven security organization
Build a plan
• Develop a three- to five-year security plan that aligns with a framework
• The business wants to:
  – Protect the brand and prevent incidents/breaches
  – Keep technology easy to use
  – Meet its strategic objectives
• Do a high-level baseline of your security portfolio; it is an iterative process
• Technology areas to address with limited resources:
  – IT Governance, Risk and Compliance
  – Identity and Access Control Management
  – Incident Management (Prevention and Detection)
    • Threat Management
    • Vulnerability Management
    • Data Security
    • Network Security
    • System Security
  – Business Continuity Management
  – Information Lifecycle Management (Data Governance)
It’s a journey
• Use a risk-based approach to address issues
• Use a technical roadmap such as the SANS CIS Critical Security Controls to map high-level objectives to technical tasks
• Make it a People, Process, and Technology effort:
  – Train and educate your security team
  – Understand and streamline processes to gain efficiencies
  – Implement technologies to gain visibility and compliance
NIST Cybersecurity Framework
AEHIS – Vision, Mission and Members
Advancing the role of CISOs and CSOs through education, collaboration, and advocacy in support of secure health information for the protection of both healthcare organizations and consumers.
Shaping the future of healthcare through the provision of trusted and reliable security environments.
Launched in July 2014, AEHIS is the first professional organization representing healthcare executives in senior information security roles. AEHIS’ 250 members are responsible for leading security practices and safeguarding against patient data breaches and cyber threats.
Where to learn more - AEHIS
Where to learn more - WEDI
The Workgroup for Electronic Data Interchange (WEDI) is the leading authority on the use of Health IT to improve healthcare information exchange in order to enhance the quality of care, improve efficiency and reduce costs of the American healthcare system. Formed in 1991 by the Secretary of Health and Human Services (HHS), WEDI was named in the 1996 HIPAA legislation as an advisor to HHS and continues to fulfill that role today. See more at: http://www.wedi.org/about-us
Questions
Ryan Witt, Vice President – Healthcare Industry Practice, Fortinet
[email protected] / 650.492.3480 / @WittRZ
Hussein Syed, Chief Information Security Officer, Barnabas Health System