combatting the epidemic of healthcare data threats
TRANSCRIPT
Combatting the Epidemic of Healthcare Data Threats
John Houston, VP, Privacy and Information Security & Associate Counsel, UPMC
Paul Castiglione, Secure Data Exchange Advocate, Ipswitch, Inc.
Dylan Taft, Systems Engineer, Rochester Regional Healthcare
Security is Not a Static Discipline
❯ Threats change
• Are your systems, processes and training meeting new threats?
❯ Technologies change
• John expects to change our security infrastructure components every 2–3 years.
❯ Business requirements change
• Technology needs to change too, in order to support new business opportunities.
Survey: Healthcare Threats Growing
❯ 89% experienced a data breach in the last 24 months
❯ Most common security threats:
• Employee negligence (69%)
• Cyber-attacks (45%)
• DDoS attacks (48%)
• Ransomware (44%)
• Malware (41%)
❯ 69% believe healthcare is more vulnerable to data breaches than other industries.
• Of those, 51% said it's due to a lack of vigilance in ensuring 3rd-party providers are securely managing data.
Ponemon Research, "Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data," 2016
Strategy Basics: Keys to Effective Security
❯ Team organization
• Effective organization of security staff can help identify and mitigate risks
❯ Security frameworks
• Security frameworks like HITRUST provide the basis for effective risk assessment
❯ Partner with IT and business leaders
• Making the security team a proactive agent in IT planning ensures security isn't a roadblock to new technology
Team Organization
[Org chart: VP, Privacy and Information Security, with three groups beneath it: Technical Security, Network Security, Human Factors Security]
❯ Technical Security
• Responsible for the technologies used for vulnerability management and defense in depth
❯ Network Security Group
• Responsible for network security tools
❯ 'Human Factors' Security
• Owns identity management, privacy management, and social and human factors engineering
Pick a Framework: We Use HITRUST
❯ HITRUST CSF
• A certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.
❯ According to the HITRUST organization, 80% of healthcare organizations use the HITRUST framework.
[Graphic listing frameworks: ISO 27001, COBIT, ITIL, PCI DSS, HITRUST]
Partner with IT and Business Leaders
❯ Security Policies
• Security policies are an effective way to provide guidance for technology acquisition, securing processes, and security training
❯ Proactive Voice in Technology Decisions
• It's important to be proactive and in partnership with business and IT leaders in the organization.
• Get involved in technology purchase decisions early in the process to guide requirements to meet security needs.
Actionable Takeaways
❯ Build effective teams to mitigate risks (for today and the future)
❯ Invest in a security framework
❯ Build value-add partnerships with IT and business leaders