
Upload: ipswitch

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Combatting the Epidemic of Healthcare Data Threats

Combatting the Epidemic of Healthcare Data Threats

John Houston, VP, Privacy and Information Security & Associate Counsel UPMC

Paul Castiglione, Secure Data Exchange Advocate Ipswitch, Inc

Dylan Taft, Systems Engineer, Rochester Regional Healthcare

Page 2: Combatting the Epidemic of Healthcare Data Threats

Security is Not a Static Discipline

❯ Threats change
  • Are your systems, processes and training meeting new threats?
❯ Technologies change
  • John expects to change our security infrastructure components every 2 – 3 years.
❯ Business requirements change
  • Technology needs to change too in order to support new business opportunities.

Page 3: Combatting the Epidemic of Healthcare Data Threats

Survey: Healthcare Threats Growing

❯ 89% experienced a data breach in the last 24 months
❯ Most common security threats:
  • Employee negligence (69%)
  • Cyber-attacks (45%)
  • DDoS attacks (48%)
  • Ransomware (44%)
  • Malware (41%)
❯ 69% believe healthcare is more vulnerable to data breaches than other industries.
  • Of those, 51% said it’s due to lack of vigilance ensuring 3rd party providers are securely managing data.

Ponemon Research, ‘Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,’ 2016

Page 4: Combatting the Epidemic of Healthcare Data Threats

Strategy Basics: Keys to Effective Security

❯ Team organization
  • Effective organization of security staff can help identify and mitigate risks
❯ Security frameworks
  • Security frameworks like HITRUST provide the basis for effective risk assessment
❯ Partner with IT and business leaders
  • Making the security team a proactive agent in IT planning ensures security isn’t a roadblock to new technology

Page 5: Combatting the Epidemic of Healthcare Data Threats

Team Organization

VP, Privacy and Information Security
  • Technical Security
  • Network Security
  • Human Factors Security

❯ Technical Security
  • Responsible for technologies for security vulnerability and defense in depth
❯ Network Security Group
  • Responsible for network security tools
❯ ‘Human Factors’ Security
  • Owns identity management, privacy management, and social and human factors engineering

Page 6: Combatting the Epidemic of Healthcare Data Threats

Pick a Framework: We Use HITRUST

❯ HITRUST CSF
  • A certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.
❯ According to the HITRUST organization, 80% of healthcare orgs use the HITRUST framework.

[Figure labels: ISO 27001, COBIT, ITIL, PCI DSS, HITRUST]

Page 7: Combatting the Epidemic of Healthcare Data Threats

Partner with IT and Business Leaders

❯ Security Policies
  • Security policies are an effective way to provide guidance for technology acquisition, securing processes, and security training
❯ Proactive Voice in Technology Decisions
  • It’s important to be proactive and in partnership with business and IT leaders in the organization.
  • Get involved in technology purchase decisions early in the process to guide requirements to meet security needs.

Page 8: Combatting the Epidemic of Healthcare Data Threats

Actionable Takeaways

❯ Build effective teams to mitigate risks (for today and the future)
❯ Invest in a security framework
❯ Build value-add partnerships with IT and business leaders