TRANSCRIPT
PLEASE NOTE
This is an interactive panel, and we will be conducting voting throughout. To make voting easy, please register NOW, before the panel starts. To register:
- Text the phrase “Berwanger” to the number 22333
- Use a web browser session by visiting Pollev.com/Berwanger (web browser must wait until poll appears)
6/8/2017
Coming Together: Integrating Security and Privacy with Enterprise Risk Management (Mon. 1:00-2:15 pm)
Michael Berwanger, Director, Quality Management & Compliance, MedCost
Blair Kraft, Director of Information Technology, Coastal Connect HIE
JT Moser, Director of Enterprise Risk and Corporate Investigations, Wake Forest Baptist Health
Agenda
Integrating Privacy & Security into an ERM Program
Overview of general framework
Distinguishing ERM from traditional risk management
Traditional challenges for Pri/Sec in ERM environment
Use Case
How does ransomware play into an ERM Program?
Practical challenges and success stories
Practical Application
A time for open discussion
Resource sharing
Experience in building/participating in ERM Programs
What is Enterprise Risk?
Objective: The objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives.
Definition: Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to manage the effects of risk on an organization's capital and earnings.
Distinguishing from traditional Risk Management:
Silo/Stove Pipe issue
Scope limitations
Mentality shift: prevent loss rather than manage risk
ERM Program Typical Framework
Establish Risk Identification and Inventory
Risk Assessment and Measurement
Risk Prioritization and Risk Plan Development
Work Risk Plans
Develop Risk Auditing/Monitoring
Risk Reporting and Communication
Common ERM Challenges for Privacy & Security Professionals
Visibility
Internal Politics
Organizational Maturity
Resources
Enabling Technology
Marrying regulatory risk with broader corporate risk
Common Privacy and Security Topics in ERM Programs
Multiple avenues to present at an ERM forum
Broader organizational impact
Discussion will vary at every organization, based on culture, needs, and risk profile
Privacy
Internal Controls
Patient Rights
Record Set Management
Third Party Management
Security
Encryption
Patching
Threat Management
Physical, Technical,
Administrative Controls
System Integration
Legacy System management
New technology
Industry Competition
Cost planning
Incident Response
Reputation
Regulatory Drivers
New and evolving risks
Reporting
Blair Kraft, Director of Information Technology
Use Case of Ransomware
A changing landscape.
The recent past.
Publicized vulnerabilities
Common statistics
113 million records were stolen in 2016
Kaspersky Labs reported criminals using 6,563,145 unique hosts in 2015. 24% of these were located in the US.
Criminal attacks are the number 1 cause of data breaches in healthcare.
Criminal attacks on healthcare have increased 125% in 5 years.
Healthcare organizations account for 88% of all recent ransomware detections across the US.
Compromising the Environment
What is the most popular way to access a company network?
Stealing Passwords
Phishing Email
Calling an employee
Prevent Phishing Attacks
Implement and enforce email gateway payload inspection and inbound filtering.
Sinkhole all new domains for 48 hours.
Improve education/awareness to employees.
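The two technical controls listed above (gateway payload inspection with inbound filtering, and sinkholing domains first seen less than 48 hours ago) can be expressed as a small policy check. The following is an added example written for this transcript, not code from the panel or from any of the speakers' organizations; the domain names, timestamps, blocked-extension list and the "first seen" registry are all constructed assumptions standing in for what a real gateway would take from DNS or proxy telemetry.

```python
"""
Added example: a minimal inbound-mail policy check implementing a 48-hour
sinkhole for newly seen domains plus a payload (attachment type) filter.
All domains, timestamps and messages here are constructed sample data.
"""
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Sinkhole any domain first observed less than this long ago (from the slide).
SINKHOLE_WINDOW = timedelta(hours=48)

# Attachment types the gateway refuses outright. The set is an assumption;
# a real deployment would take it from local policy.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".jar", ".docm", ".xlsm"}

# Hostname part of any http(s) URL in a message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed reference time (the panel date) used by the sample registry.
NOW = datetime(2017, 6, 8, 13, 0, tzinfo=timezone.utc)


@dataclass
class Message:
    sender: str
    body: str
    attachments: list = field(default_factory=list)


def sample_registry(now):
    """Hypothetical first-seen registry: domain -> first time the gateway saw it."""
    return {
        "partner-hospital.example": now - timedelta(days=400),  # long-established
        "payro11-update.example": now - timedelta(hours=5),     # seen this morning
    }


def domain_is_new(domain, now, registry):
    """True if the domain is inside the sinkhole window. Unknown domains are
    recorded as first seen now, so the window starts on first contact."""
    seen = registry.get(domain)
    if seen is None:
        registry[domain] = now
        return True
    return now - seen < SINKHOLE_WINDOW


def extract_domains(msg):
    """Sender domain plus every hostname linked in the body, lower-cased."""
    domains = {msg.sender.rsplit("@", 1)[-1].lower()}
    domains.update(d.lower() for d in URL_RE.findall(msg.body))
    return domains


def evaluate(msg, now, registry):
    """Return ("deliver" | "quarantine", list of reasons) for one message."""
    reasons = []
    for domain in sorted(extract_domains(msg)):
        if domain_is_new(domain, now, registry):
            reasons.append(f"sinkhole: {domain} first seen under 48h ago")
    for name in msg.attachments:
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"payload: blocked attachment type {ext} ({name})")
    return ("quarantine" if reasons else "deliver", reasons)


if __name__ == "__main__":
    registry = sample_registry(NOW)
    samples = [
        Message("alice@partner-hospital.example", "Minutes attached", ["minutes.pdf"]),
        Message("hr@payro11-update.example", "Open the attached invoice", ["Invoice.js"]),
        Message("bob@partner-hospital.example", "See http://Reset-Portal.example/login"),
    ]
    for m in samples:
        verdict, why = evaluate(m, NOW, registry)
        print(m.sender, "->", verdict, why)
```

The sinkhole rule deliberately treats a never-seen domain as new on first contact and records it, so a link to a freshly registered site is held for the full window rather than judged only by the sender's address; the established partner domain passes while the look-alike payroll domain and the scripted attachment are both caught.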
The list of breaches continues to grow
A malware infection potentially obtained records.
Current figures indicate more than 265,000 individuals were impacted.
Hacking Incident
381,504 records breached
Bizmatics, an EMR Management Company
Community Health Plan of Washington
Case Study: Wyoming Medical Center
April 2016 – 3200 Patient Health Records compromised
1. A criminal attacker launched a phishing campaign against WMC.
2. One user clicked on the email, allowing the attacker access to their network credentials.
3. Using the single network credential, the attackers were able to gain access to additional credentials on the network.
4. A new phishing attack was crafted that originated from users within the network.
5. That phishing attack was only sent to 20 employees. 3 min and 26 seconds later, they had access.
The entire campaign took 15 min from start to finish.
Ransomware
Anatomy of a Ransomware Attack
Delivery
Installation
Handshake and Keys
Encryption
Extortion
Best Prevention Methods for Ransomware
Ensure you are addressing phishing-based attacks, focusing on end-users, and that you are securing common devices.
Move from Compliance-Based Security to Risk-Based Security
Consider using advanced endpoint protection
You must be prepared to recover via backup; paying the ransom shouldn’t be an option.
Thank you!
Questions & Discussion