
Page 1: Coming Together: Integrating Security and Privacy with ...What is Enterprise Risk? Objective: The objective of enterprise risk management is to develop a holistic, portfolio view of

PLEASE NOTE

This is an interactive panel, and we will be conducting voting throughout. To make voting easy, please register NOW, before the panel starts. To register:

- Text the phrase “Berwanger” to the number 22333
- Use a web browser session by visiting Pollev.com/Berwanger (the web browser must wait until the poll appears)

6/8/2017

Page 2:

Coming Together: Integrating Security and Privacy with Enterprise Risk Management (Mon. 1:00-2:15 pm)

Michael Berwanger, Director, Quality Management & Compliance, MedCost
Blair Kraft, Director of Information Technology, Coastal Connect HIE
JT Moser, Director of Enterprise Risk and Corporate Investigations, Wake Forest Baptist Health

Page 3:

Agenda

- Integrating Privacy & Security into an ERM Program
  - Overview of general framework
  - Distinguishing ERM from traditional risk management
  - Traditional challenges for Pri/Sec in an ERM environment
- Use Case
  - How does ransomware play into an ERM Program?
  - Practical challenges and success stories
- Practical Application
  - A time for open discussion
  - Resource sharing
  - Experience in building/participating in ERM Programs

Page 7:

What is Enterprise Risk?

Objective: The objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives.

Definition: Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to manage the effects of risk on an organization's capital and earnings.

Distinguishing from traditional Risk Management:

- Silo/stovepipe issue
- Scope limitations
- Mentality shift: prevent loss rather than manage risk

Page 8:

ERM Program Typical Framework

1. Establish Risk Identification and Inventory
2. Risk Assessment and Measurement
3. Risk Prioritization and Risk Plan Development
4. Work Risk Plans
5. Develop Risk Auditing/Monitoring
6. Risk Reporting and Communication

Page 10:

Common ERM Challenges for Privacy & Security Professionals

- Visibility
- Internal Politics
- Organizational Maturity
- Resources
- Enabling Technology
- Marrying regulatory risk with broader corporate risk

Page 11:

Common Privacy and Security Topics in ERM Programs

Multiple avenues to present at an ERM forum. Broader organizational impact. Discussion will vary at every organization, based on culture, needs, and risk profile.

Privacy
- Internal Controls
- Patient Rights
- Record Set Management
- Third Party Management

Security
- Encryption
- Patching
- Threat Management
- Physical, Technical, Administrative Controls

- System Integration
- Legacy System management
- New technology
- Industry Competition
- Cost planning
- Incident Response
- Reputation
- Regulatory Drivers
- New and evolving risks
- Reporting

Page 12:

Use Case of Ransomware

Blair Kraft, Director of Information Technology

Page 13:

A changing landscape.

Page 14:

The recent past.

Page 15:

Publicized vulnerabilities

Page 16:

Common statistics

- 113 million records were stolen in 2016.
- Kaspersky Labs reported criminals using 6,563,145 unique hosts in 2015. 24% of these were located in the US.
- Criminal attacks are the number 1 cause of data breaches in healthcare.
- Criminal attacks on healthcare have increased 125% in 5 years.
- Healthcare organizations account for 88% of all recent ransomware detections across the US.

Page 17:

Compromising the Environment

What is the most popular way to access a company network?

- Stealing Passwords
- Phishing Email
- Calling an employee

Page 18:

Prevent Phishing Attacks

- Implement and enforce email gateway payload inspection and inbound filtering.
- Sinkhole all new domains for 48 hours.
- Improve employee education/awareness.
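The two technical controls on this slide, payload inspection at the gateway and a 48-hour hold on newly registered domains, as one policy function. This is an added example, not the panel's tooling: the message format is standard RFC 5322/MIME, but the blocked-attachment list, the verdict names and the domain first-seen table (which in practice would be fed by WHOIS/RDAP or passive DNS) are assumptions, and both sample messages are constructed.

```python
"""Inbound mail policy: attachment payload inspection plus a 48-hour
"new domain" sinkhole, as an added example (not the panel's tooling).
Assumptions: the gateway hands us the raw RFC 5322 message; domain
first-seen dates come from a registration or passive-DNS feed, which is
a constructed in-memory table here."""
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

NEW_DOMAIN_WINDOW = timedelta(hours=48)
# Attachment types we refuse to deliver unexamined (assumed policy).
BLOCKED_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".vbs", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed first-seen data standing in for WHOIS/RDAP or passive DNS.
NOW = datetime(2017, 6, 8, 12, 0, tzinfo=timezone.utc)
DOMAIN_FIRST_SEEN = {
    "example.org": NOW - timedelta(days=400),                 # long-established
    "login-portal-update.example": NOW - timedelta(hours=5),  # registered today
}


def domain_age(host, now=NOW):
    """Age of the registrable domain behind host; None if the feed never saw it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):        # walk up: a.b.example -> b.example
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_FIRST_SEEN:
            return now - DOMAIN_FIRST_SEEN[candidate]
    return None


def extract_urls(msg):
    """Every http(s) URL in the text and HTML parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def evaluate(raw_bytes, now=NOW):
    """Return (action, reasons): 'quarantine' beats 'sinkhole' beats 'deliver'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    payload_hits, domain_hits = [], []
    for part in msg.iter_attachments():                  # payload inspection
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            payload_hits.append(f"blocked attachment type: {name}")
    for url in extract_urls(msg):                        # 48-hour new-domain rule
        host = urlparse(url).hostname or ""
        age = domain_age(host, now)
        if age is None or age < NEW_DOMAIN_WINDOW:
            domain_hits.append(f"domain newer than 48h or unknown: {host}")
    if payload_hits:
        return "quarantine", payload_hits + domain_hits
    if domain_hits:
        return "sinkhole", domain_hits   # hold, or rewrite links to the sinkhole
    return "deliver", []


# Constructed messages (not real mail).
PHISH = b"""From: "IT Helpdesk" <helpdesk@example.org>
To: nurse@example.org
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your password expires today. Verify it at
http://sso.login-portal-update.example/reset before 5pm.

--b1
Content-Type: application/octet-stream; name="Invoice.docm"
Content-Disposition: attachment; filename="Invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

CLEAN = b"""From: cafeteria@example.org
To: nurse@example.org
Subject: This week's menu
Content-Type: text/plain; charset="us-ascii"

Menu posted at http://intranet.example.org/menu
"""

if __name__ == "__main__":
    print(evaluate(PHISH))   # quarantine: macro attachment plus a 5-hour-old domain
    print(evaluate(CLEAN))   # deliver
```

The age lookup walks up to the registrable domain so that a fresh subdomain of an old domain is not treated as new, while a never-seen domain is held just like a new one; whether "sinkhole" means holding the message or rewriting its links to a sinkhole host is a deployment choice.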

Page 19:

The list of breaches continues to grow

- Bizmatics, an EMR management company: a malware infection potentially obtained records. Current figures indicate more than 265,000 individuals were impacted.
- Community Health Plan of Washington: hacking incident; 381,504 records breached.

Page 20:

Case Study: Wyoming Medical Center

April 2016 – 3,200 patient health records compromised

1. A criminal attacker launched a phishing campaign against WMC.
2. One user clicked on the email, giving the attacker access to their network credentials.
3. Using that single network credential, the attackers were able to gain access to additional credentials on the network.
4. A new phishing attack was crafted that originated from users within the network.
5. That phishing attack was sent to only 20 employees. 3 minutes and 26 seconds later, they had access.

The entire campaign took 15 minutes from start to finish.
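Detection logic for steps 3 to 5 of this case, run over constructed logs: one credential reaching many hosts in minutes, then a phishing wave sent from inside the network. This is an added example and not WMC's or the panel's tooling; the log schema, the internal mail domain, the thresholds and every log line are assumptions built for illustration.

```python
"""Detection for the Wyoming Medical Center pattern above: one stolen
credential reused across many hosts, then a phishing wave sent from an
internal account. Added example, not the panel's tooling; the log schema,
the internal domain and the thresholds are assumptions, and every log line
below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.org"   # assumed: the organisation's own mail domain
PHISH_URL = "http://sso.login-portal-update.example/reset"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed authentication log: (time, account, target host, result).
AUTH_LOG = [
    ("2017-04-03 09:00:10", "jsmith", "WS-112", "success"),
    ("2017-04-03 09:01:05", "jsmith", "FS-01", "success"),
    ("2017-04-03 09:01:40", "jsmith", "PRINT-02", "success"),
    ("2017-04-03 09:02:15", "jsmith", "HR-DB", "failure"),
    ("2017-04-03 09:02:30", "jsmith", "HR-DB", "success"),
    ("2017-04-03 09:03:00", "jsmith", "MAIL-01", "success"),
    ("2017-04-03 09:30:00", "mlee", "WS-220", "success"),
    ("2017-04-03 10:30:00", "mlee", "FS-01", "success"),
]

# Constructed mail gateway log: (time, sender, recipient, first URL in body).
MAIL_LOG = (
    [("2017-04-03 08:50:00", "mlee@example.org", "a@example.org", "http://intranet.example.org/menu")]
    # 20 near-identical mails from the compromised account within 20 seconds
    + [("2017-04-03 09:05:%02d" % i, "jsmith@example.org", f"user{i}@example.org", PHISH_URL)
       for i in range(20)]
    # An external newsletter to 30 staff: volume alone is not the signal
    + [("2017-04-03 09:10:%02d" % i, "news@vendor.example", f"user{i}@example.org",
        "http://vendor.example/news") for i in range(30)]
)


def sliding_distinct(events, key_fn, value_fn, window, threshold):
    """Per key, flag the first moment the number of distinct values seen
    inside `window` reaches `threshold`. Element 0 of each event is its time."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key_fn(ev)].append(ev)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        for i, ev in enumerate(evs):
            recent = [e for e in evs[: i + 1] if e[0] >= ev[0] - window]
            seen = {value_fn(e) for e in recent}
            if len(seen) >= threshold:
                alerts.append((key, ev[0], len(seen)))
                break                       # one alert per key is enough for triage
    return alerts


def credential_fan_out(auth_log, max_hosts=4, window=timedelta(minutes=10)):
    """Step 3 of the case: a single credential reaching more than max_hosts
    distinct hosts within the window (failed logons are ignored)."""
    events = [(parse_ts(t), user, host) for t, user, host, result in auth_log
              if result == "success"]
    return sliding_distinct(events, lambda e: e[1], lambda e: e[2], window, max_hosts + 1)


def internal_phishing_bursts(mail_log, min_recipients=10, window=timedelta(minutes=5)):
    """Steps 4-5: an internal sender pushing the same link to many recipients
    quickly. External senders are left to the gateway policy."""
    events = [(parse_ts(t), sender, rcpt, url) for t, sender, rcpt, url in mail_log
              if sender.lower().endswith("@" + INTERNAL_DOMAIN) and url]
    return sliding_distinct(events, lambda e: (e[1], e[3]), lambda e: e[2], window, min_recipients)


def correlate(auth_alerts, mail_alerts):
    """Accounts that both fanned out across hosts and then sent a burst:
    the strongest signal that a credential, not a user, is acting."""
    fanned = {account for account, _at, _n in auth_alerts}
    senders = {sender.split("@")[0] for (sender, _url), _at, _n in mail_alerts}
    return sorted(fanned & senders)


if __name__ == "__main__":
    auth = credential_fan_out(AUTH_LOG)
    mail = internal_phishing_bursts(MAIL_LOG)
    print(auth, mail, correlate(auth, mail))
```

On the constructed data the only account flagged by both detectors is the one whose credential was phished; with a 15-minute end-to-end campaign the window sizes matter more than the thresholds, so they should be tuned against the organisation's own logon and mail volumes rather than copied from here.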

Page 21:

Ransomware

Page 22:

Anatomy of a Ransomware Attack

1. Delivery
2. Installation
3. Handshake and Keys
4. Encryption
5. Extortion
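Of the five stages, encryption is the one a defender can still interrupt on the endpoint, and it has a distinctive footprint: one process rewriting many files quickly, with output that looks random. The following detection logic is an added example, not the panel's or any product's code; the event schema is an assumption about what an EDR or file-audit source would emit, the canary path and thresholds are assumed, and every event is constructed. The backup-agent events are included deliberately, because compressed backups are also high-entropy and are the classic false positive.

```python
"""Detection for the encryption stage of the chain on the slide
(delivery, installation, handshake and keys, encryption, extortion).
Added example, not the panel's tooling. The file-write telemetry schema
is an assumption about what an EDR or file-audit source would emit, and
every event below is constructed. Two signals are combined: a burst of
rewrites by one process within a short window, and the written bytes
being high-entropy (ciphertext sits close to 8 bits per byte, documents
well below). A decoy "canary" file is a third, cheap tripwire."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0      # bits per byte; random/encrypted data sits near 8
MIN_FILES = 10               # rewrites inside the window before we care
WINDOW = timedelta(seconds=60)
CANARY_PATHS = {"H:/records/~canary.docx"}   # assumed decoy file nobody edits


def shannon_entropy(data):
    """Empirical entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def event(seconds, pid, process, path, data, ext_changed):
    """One constructed file-write event, `seconds` after a fixed start."""
    return {"time": datetime(2017, 6, 8, 12, 0, 0) + timedelta(seconds=seconds),
            "pid": pid, "process": process, "path": path,
            "data": data, "ext_changed": ext_changed}


CIPHERTEXT = bytes(range(256)) * 4          # uniform bytes: entropy exactly 8.0
PLAINTEXT = b"Patient visit note: follow-up in two weeks. " * 20

EVENTS = (
    # Ransomware: 12 records rewritten and renamed within 24 seconds, plus the canary
    [event(2 * i, 4242, "svchost_update.exe", f"H:/records/chart{i}.docx.locked", CIPHERTEXT, True)
     for i in range(12)]
    + [event(20, 4242, "svchost_update.exe", "H:/records/~canary.docx", CIPHERTEXT, True)]
    # Word: one document saved, low entropy, no rename
    + [event(5, 1010, "WINWORD.EXE", "H:/records/letter.docx", PLAINTEXT, False)]
    # Backup agent: many high-entropy (compressed) writes, but no extension change
    + [event(2 * i, 2020, "backupagent.exe", f"B:/nightly/vol{i}.gz", CIPHERTEXT, False)
       for i in range(12)]
)


def detect_encryption_bursts(events):
    """Flag a process whose recent writes are mostly high-entropy and mostly
    change the file extension, once MIN_FILES of them land inside WINDOW."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["process"], ev["pid"])].append(ev)
    alerts = []
    for (process, pid), evs in by_proc.items():
        evs.sort(key=lambda e: e["time"])
        for i, ev in enumerate(evs):
            recent = [e for e in evs[: i + 1] if e["time"] >= ev["time"] - WINDOW]
            if len(recent) < MIN_FILES:
                continue
            high = sum(shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD for e in recent) / len(recent)
            renamed = sum(e["ext_changed"] for e in recent) / len(recent)
            if high >= 0.8 and renamed >= 0.5:
                alerts.append({"process": process, "pid": pid, "at": ev["time"], "files": len(recent)})
                break                       # first hit is the one to act on
    return alerts


def canary_writers(events, canaries=CANARY_PATHS):
    """Any process writing a decoy file is worth killing and isolating."""
    return {(e["process"], e["pid"]) for e in events if e["path"] in canaries}


if __name__ == "__main__":
    print(detect_encryption_bursts(EVENTS))   # only svchost_update.exe, after 10 files
    print(canary_writers(EVENTS))
```

The burst detector fires after the tenth rewrite, which on the constructed timeline is 18 seconds in; the earlier stages (delivery and installation) are where the mail-gateway and endpoint controls on the other slides apply, and the canary check is the fallback when the entropy heuristic is too slow.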

Page 23:

Best Prevention Methods for Ransomware

- Ensure you are addressing phishing-based attacks, focusing on end users, and that you are securing common devices.
- Move from compliance-based security to risk-based security.
- Consider using advanced endpoint protection.
- You must be prepared to recover from backup; paying the ransom should not be an option.
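"Prepared to recover" means a backup whose integrity can be proven before the ransom note arrives. The restore drill below is an added example, not the panel's procedure: it assumes the backup job writes a manifest of SHA-256 digests alongside the copy, and it builds a small constructed file tree in a temporary directory, simulates the encryption stage on the live copy, shows the damage as manifest mismatches, and only declares the restore good when every restored file matches the manifest again.

```python
"""Recover-from-backup readiness check, as an added example for the slide's
last point (not the panel's procedure). Assumption: the backup job records
a manifest of SHA-256 digests at backup time, so an encrypted, renamed or
deleted file shows up as a mismatch, and a restore is only declared good
when every restored file matches the manifest. The file tree is constructed
in a temporary directory."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 of every file under root, taken at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest):
    """Compare a tree with the manifest; encrypted-in-place files are 'changed',
    renamed or deleted ones are 'missing'."""
    root = Path(root)
    report = {"ok": [], "changed": [], "missing": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore(backup_root, target_root, manifest):
    """Copy every manifest entry from the (offline) backup back into place,
    then prove the restore by re-verifying; True only if the tree is clean.
    Encrypted leftovers with new extensions are left behind for forensics."""
    for rel in manifest:
        src, dst = Path(backup_root) / rel, Path(target_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
    report = verify(target_root, manifest)
    return not report["changed"] and not report["missing"]


def drill():
    """Constructed restore drill: back up, simulate ransomware, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "records").mkdir(parents=True)
        for i in range(3):
            (live / "records" / f"chart{i}.txt").write_text(f"chart {i}: plaintext note\n")
        shutil.copytree(live, backup)            # the offline copy
        manifest = build_manifest(backup)
        # Encryption stage: chart0 overwritten in place, chart1 overwritten and renamed.
        (live / "records" / "chart0.txt").write_bytes(bytes(range(256)))
        victim = live / "records" / "chart1.txt"
        victim.write_bytes(bytes(range(256)))
        victim.rename(victim.with_name(victim.name + ".locked"))
        before = verify(live, manifest)
        restored = restore(backup, live, manifest)
        after = verify(live, manifest)
        return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    print(drill())
```

The same `verify` call run against the backup copy itself, on a schedule, is what tells you the backup was not quietly encrypted along with the live data; a manifest nobody checks is no better than no manifest.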

Page 24:

Thank you!

Questions & Discussion