Panel Cyber Security and Privacy without Carrie Waggoner


1. Security & Privacy Panel. Moderator: Jeff Livesay, MiHIN Associate Director

2. Security by the numbers - redux. Same as last year: I say a number and the person who guesses what the number refers to receives a door prize. This year's numbers are: 43, 39, 33, 18.

3. 43: The percentage of ALL 2011 security breaches in ALL industries globally that began in healthcare. Source: Symantec 2012

4. 39: The percentage of healthcare security breaches that begin in practices of size 1-10 providers. Source: HITRUST U.S. Healthcare Data Breach Trends, Dec 2012

5. 33: The black market value ratio of Personal Health Information (PHI) to Personal Credit Information (PCI). $1.50 per CC# (PCI), $3 per SS# (PII), $50 per medical record (PHI). Source: Digital Health Conference Panel, NYC 2012

6. 18: The number of prioritized recommendations made in the Cyber-Security White Paper (MiHIN White Paper) to Michigan's Health Information Technology Commission in February 2013 and to Governor Snyder's Cyber Initiative Task Force in March 2013. Half of these recommendations already have efforts underway in Michigan.

7. Why are Security and Privacy so important in healthcare? Ensuring the Security of Electronic Health Records: _embedded&v=BxSFS9faxI4#

8. Introducing today's panelists: Dan Lohrmann, Michigan Chief Security Officer, Deputy Director, Michigan Dept. of Technology, Management & Budget, Cybersecurity & Infrastructure Protection; Brian Seggie, Chief Security Officer, MiHIN; Carrie Waggoner, Privacy Specialist, Office of Legal Affairs, Michigan Dept. of Community Health; Allan Foster, President, Kantara Initiative, and Community VP, ForgeRock; Jeremy Rowley, Associate General Counsel, DigiCert.

9. Use of material by permission only. Michigan Department of Technology, Management & Budget. Healthcare Information: Protecting Your Data. Dan Lohrmann, Michigan Chief Security Officer, June 6, 2013

10. Global Cyber Threats . . .

11. DHS Open Source Report (

12. For Example . . .

13. New Targets

14. Healthcare Information Insider Threat. Louisiana . . . 7 arrested for creating fake IDs using patient information. Florida . . . ER clerk accessed records to sell for profit. Texas . . . State employee used immunization information to apply for credit cards. Source: Health Info Security, January 2013

15. 4 Critical Errors. #1 Presuming that HIPAA compliance is security. #2 Basing security on systems rather than the critical data. #3 Ineffective awareness program. #4 Failure to control access to information. Source: IT World, June 2009

16. Top 3 Threats to Healthcare Security. #1 Malware: computers need to be hardened with appropriate security configurations; anti-virus and anti-spyware are not enough! #2 Automatic log-off: workers leave workstations without logging off, often in public areas; an automated log-off procedure is a must! #3 Removable media: USB devices enable removal of sensitive information with the click of a mouse; know what's on your network! Source: Information Management Magazine, Feb 2006

17. Trust Frameworks: Our communities shape the future of Digital Identity. Allan Foster (ForgeRock), Board of Trustees President. MiHIN 2013

18. Kantara Initiative: Overview - Values. (Kantara Initiative - Trust Frameworks: A Global Context.) Organizations, industry and governments join Kantara because we value: Trust (operating accreditation, approval and certification programs); Privacy (developing privacy-respecting solutions); Security (developing high-security solutions and practices); Community (bridging technology and policy requirements). Trustees / Trustees At Large: Government of Canada, Terena

19. Kantara Initiative: Overview - Federation, Compliance, and Interoperability. Members join Kantara because we build trust and harmonization by developing compliance criteria based on requirements of end-users, relying parties and identity providers. Organizations become APPROVED because we operate compliance programs for multiple solutions that fit a variety of requirements and jurisdictions. Kantara builds bridges. *Non-profit 501(c)(6)

20. Kantara Initiative: Review Landscape. Healthcare organizations join Kantara to leverage our community and approval services (NIST, ICAM, etc.) to advance their organizational goals. A healthcare provider's identity is tied to each clinical and administrative system they use. Single sign-on solutions exist for some large organizations, but these solutions do not necessarily scale beyond the walls of the organization. In an extended environment, point-to-point integration and agreements must exist between organizations in order to provide system access to individuals. Traditional fee-for-service healthcare delivery had little or no need for a nationwide interoperable, federated identity ecosystem. Incentive models are changing with the advent of Accountable Care Organizations and community-based healthcare delivery.

21. Kantara Initiative: Overview - What does a Trust Framework look like? (Diagram labels:) Trust input requirements into Kantara; Kantara and end-user stakeholders develop criteria for assessment; Kantara Accredited Assessors perform assessments; Relying Parties & End-Users; Criteria for IdP / CSP; Assessment to verify trust

22. Trust Framework Model. (Diagram labels:) Registration; Verification; Assessment; Certification Process; Trust Status Listing Service; Interested Parties; Trust Status Listing Service, Registry, White List

23. Kantara Trust Framework: Component Services. Credential Service Provider: Identity Proofing / Verification; Organizational Trust; Credential Issuance / Management. Responding to industry experts, Kantara members create a path to component service recognition. Component Services: Identity Proofing / Verification; Credential Issuance and Management

24. Kantara Trust Framework: Accredited Assessors and Approved CSPs. Kantara Accredited to LoA 1-4. Kantara Approved to LoA 3 non-crypto: Verizon Universal Identity Service (VUIS)* (*ICAM Trust Framework Approval). IDPV Component Recognition: Norton Credential Service Provider* (*ICAM Trust Framework Approval, Conditional)

25. Shaping the Future of Digital Identity. Thanks!! @kantaranews [email protected]

26. The Other Side of Security. Brian Seggie, MiHIN Chief Security Officer

27. With all of the investments in security: technical solutions have been deployed (firewalls, intrusion prevention systems, data loss prevention); standards have been developed (FIPS 140, NIST 800, ISO 27001/2); compliance structures have been built (ISC, SANS, COBIT); regulations have been passed (HIPAA/HITECH, PCI-DSS, SOX, GLBA). Why are we still insecure?

28. The Other Side of Security: Attitude; Confusion; Important data not identified; Complexity; Understaffing

29. Attitude: Denial of the Threat. "There are only two types of companies: those that have been hacked, and those that will be." - FBI Director Robert Mueller, 2012. And more recently: "There are only two categories of companies: those that know they've been compromised and those that don't know it yet." - US Attorney General, 2013

30. Confusion: IT staff and other users do not know what is expected of them.

31. Identify what is important: Where should you focus your limited resources?

32. Complexity: Too many dissimilar systems and security policies. 95% of organizations use network security devices from multiple vendors; 50% reported a security breach, system outage, or both, due to complex policies. Source: AlgoSec 2012 survey

33. Understaffed IT Departments: Shortcuts taken to just keep the lights on; hit-and-miss management of infrastructure. "More than two-thirds of the world's CSOs report that their current information security operations are understaffed, and that it's compromising their company's security." Source: Frost & Sullivan for (ISC)2, 2012

34. Thank you. Everyone here has been or will be compromised; how will you respond when it happens?

35. Direct, Privacy, and Interstate Communication. Presented by Jeremy Rowley, DigiCert, Inc.

36. Report to Congress on Foreign Economic Collection and Industrial Espionage, from the Office of the National Counterintelligence Executive: "The massive R&D costs for new [Healthcare] products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information." The HIMSS Privacy and Security Committee goal: "By 2014, all entities who use, send, or store health information meet requirements for confidentiality, integrity, availability and accountability based on sound risk management practices, using recognized standards and protocols." NHIN Project Statement: "A project to create the set of standards and services that, with a policy framework, enable simple, directed, routed, scalable transport over the Internet to be used for secure and meaningful exchange between known participants in support of meaningful use." DirectTrust Project

37. DirectTrust Communication: A single solution that secures communication to patients, public health, and other providers. Built on existing PKI and uses existing systems: identity, digital signatures, encryption. Widely used, with nationwide adoption by the HISPs: Athena, Cerner, McKesson, Covisint, eClinicalWorks, MiHIN. ONC endorsed and compliant with guidance released in May 2013. Meets Direct requirements: Simple (push-based transport system); Secure (encrypted and verifiable messages); Scalable (no need for a central network authority); Standards-based (uses established S/MIME protocols). Uses HISPs to handle infrastructure and provide communication: the HISP arranges identity verification, manages digital certificates, maintains the integrity of the trust and security framework, and is responsible for complying with regulations.

38. DirectTrust Interstate Participants. CA: cross-certification with FBCA; accredited trust anchor; certificate issuance. RA: identity verification to NIST LOA3 / FBCA Medium; accredited practices. HISP: gatekeeper for participation; certificate management and facilitation of communication between the parties; verified individual and organizational identity. HCO: transacts health care information; verified representative responsible for certificates and communication. Patients: provide health care information; communicate with the HCO.

39. Verification Requirements. NIST LOA3: organization verified using government documents; in-person or remote proofing using a government ID; address verification. FBCA Medium assurance verification: organization verified using government documents; in-person proofing using government IDs; Declaration of Identity within 30 days of issuance.

40. Interstate Direct Exchange

41. Tools: Single portals are already available and easy to implement.

42. DigiCert: Founding member and co-chair of the Certificate Policies & Practices Working Group, DirectTrust; first CA to issue Direct-compliant FBCA certificates; Direct Med CA included in the Transitional Trust Anchor Bundle; already supporting HISPs, HIEs and HCOs. Feel free to contact me at [email protected]

43. Questions? Contact Us: Jeff Livesay, Associate Director, [email protected]; Brian Seggie, Security Director and Chief Security Officer, [email protected]. For more information: [email protected]