Panel: Cyber Security and Privacy (without Carrie Waggoner)
Description: http://mihin.org/
Transcript
Security & Privacy Panel
Moderator: Jeff Livesay, MiHIN Associate Director
Security – by the numbers – redux
• Same as last year: I say a number and the person who guesses what the number refers to receives a door prize….
This year’s numbers are: 43, 39, 33, 18
43: The percentage of ALL 2011 security breaches in ALL industries globally that began in healthcare
Source: Symantec 2012
39: The percentage of healthcare security breaches that begin in practices of 1-10 providers
Source: HITRUST U.S. Healthcare Data Breach Trends, Dec 2012
33: The black market value ratio of Personal Health Information (PHI) to Personal Credit Information (PCI)
• $1.50 per CC# (PCI)
• $3 per SS# (PII)
• $50 per medical record (PHI)
Source: Digital Health Conference Panel, NYC 2012
18: The number of prioritized recommendations made in the MiHIN Cyber-Security White Paper to:
• Michigan’s Health Information Technology Commission in February 2013
• Governor Snyder’s Cyber Initiative Task Force in March 2013
Half of these recommendations already have efforts underway in Michigan
Why are Security and Privacy so important in healthcare?
Ensuring the Security of Electronic Health Records:
http://www.youtube.com/watch?feature=player_embedded&v=BxSFS9faxI4#
Introducing today’s panelists
• Dan Lohrmann, Michigan Chief Security Officer; Deputy Director, Michigan Dept. of Technology, Management & Budget, Cybersecurity & Infrastructure Protection
• Brian Seggie, Chief Security Officer, MiHIN
• Carrie Waggoner, Privacy Specialist, Office of Legal Affairs, Michigan Dept. of Community Health
• Allan Foster, President, Kantara Initiative; Community VP, ForgeRock
• Jeremy Rowley, Associate General Counsel, DigiCert
Use of material by permission only.
Michigan Department of Technology, Management & Budget
Protecting Your Data: Healthcare Information
Dan Lohrmann, Michigan Chief Security Officer
June 6, 2013
Global Cyber Threats . . .
DHS Open Source Report (www.dhs.gov/national-infrastructure-protection-plan)
For Example . . .
New Targets
Healthcare Information – Insider Threat
Louisiana . . . 7 Arrested for creating fake IDs using patient information
Florida . . . ER Clerk accessed records to sell for profit
Texas . . . State employee used immunization information to apply for credit cards
Source: Health Info Security January 2013
4 Critical Errors
#1 – Presuming that HIPAA Compliance is Security
#2 – Basing Security on Systems Rather than the Critical Data
#3 – Ineffective Awareness Program
#4 – Failure to Control Access to Information
Source: IT World, June 2009
Top 3 Threats to Healthcare Security
#1 – Malware: Computers need to be hardened with appropriate security configurations. Anti-virus and anti-spyware are not enough!
#2 – Automatic Log-off: Workers leave workstations without logging off, often in public areas. Automated log-off procedure a must!
#3 – Removable Media: USB devices enable removal of sensitive information with the click of a mouse. Know what’s on your network!
Source: Information Management Magazine Feb 2006
Trust Frameworks: Our communities shape the future of Digital Identity
Allan Foster (ForgeRock), Board of Trustees President
MiHIN 2013
Kantara Initiative Overview: Values
Kantara Initiative - Trust Frameworks: A Global Context
Organizations, Industry and Governments join Kantara because we value:
• Trust: Operating Accreditation, Approval and Certification programs
• Privacy: Developing privacy-respecting solutions
• Security: Developing high-security solutions and practices
• Community: Bridging technology and policy requirements
Trustees:
Trustees At Large:
• Government of Canada
• Terena
Kantara Initiative Overview: Federation, Compliance, and Interoperability
Members join Kantara because we build trust and harmonization by developing compliance criteria based on the requirements of end-users, relying parties and identity providers.
Organizations become APPROVED because we operate compliance programs for multiple solutions that fit a variety of requirements and jurisdictions.
Kantara Builds Bridges
*Non-profit 501(c)(6)
Kantara Initiative Review: Landscape
Healthcare organizations join Kantara to leverage our community and Approval services (NIST, ICAM, etc.) to advance their organizational goals.
• A healthcare provider’s identity is tied to each clinical and administrative system they use.
• Single sign-on solutions exist for some large organizations. These solutions do not necessarily scale beyond the walls of the organization.
• In an ‘extended’ environment, point-to-point integration and agreements must exist between organizations in order to provide system access to individuals.
• Traditional fee-for-service healthcare delivery had little or no need for a nationwide interoperable, federated identity ecosystem.
• Incentive models are changing with the advent of Accountable Care Organizations and community-based healthcare delivery.
Kantara Initiative Overview: What does a Trust Framework look like?
(Diagram, reconstructed as a flow:)
• Relying Parties & End-Users input requirements into Kantara
• Kantara and end-user stakeholders develop criteria for IdP / CSP assessment
• Kantara Accredited Assessors perform assessments to verify Trust
Trust Framework Model
(Diagram, reconstructed as a flow:)
Registration → Verification → Assessment → Certification Process → Trust Status Listing Service (Registry, White List) → Interested Parties
Kantara Trust Framework: Component Services
Credential Service Provider = Identity Proofing / Verification + Organizational Trust + Credential Issuance / Management
Responding to industry experts, Kantara members create a path to component service recognition.
Component Services:
• Identity Proofing / Verification
• Credential Issuance and Management
Kantara Trust Framework: Accredited Assessors and Approved CSPs
Kantara Accredited to LoA 1-4
Kantara Approved to LoA 3 non-crypto:
• Verizon Universal Identity Service (VUIS) ** ICAM Trust Framework Approval
IDPV Component Recognition:
• Norton Credential Service Provider * ICAM Trust Framework Approval (Conditional)
Shaping the Future of Digital Identity
Thanks!!
• @kantaranews
• kantarainitiative.org
• kantarainitiative.org/membership/
• kantarainitiative.org/listinfo/community
• bit.ly/Kantara_Assurance
• [email protected]
The Other Side of Security
Brian Seggie MiHIN Chief Security Officer
With all of the investments in Security…
• Technical solutions have been deployed: Firewalls, Intrusion Prevention Systems, Data Loss Prevention
• Standards have been developed: FIPS 140, NIST 800, ISO 27001/2
• Compliance structures have been built: ISC, SANS, COBIT
• Regulations have been passed: HIPAA/HITECH, PCI-DSS, SOX, GLBA
why are we still insecure?
The Other Side of Security
• Attitude
• Confusion
• Important data not identified
• Complexity
• Understaffing
Attitude – Denial of the Threat
“There are only two types of companies: those that have been hacked, and those that will be.” - FBI Director Robert Mueller, 2012
“There are only two categories of companies … those that know they’ve been compromised and those that don’t know it yet.” - US Attorney General, 2013
and more recently…
Confusion
IT staff and other users do not know what is expected of them
Identify what is important
Where should you focus your limited resources?
Complexity
Too many dissimilar systems and security policies
• 95% of organizations use network security devices from multiple vendors
• 50% reported a security breach, system outage, or both, due to complex policies
Source: AlgoSec 2012 survey
Understaffed IT Departments
• Shortcuts taken to just “keep the lights on”
• Hit-and-miss management of infrastructure
“More than two-thirds of the world's CSOs report that their current information security operations are understaffed, and that it's compromising their company's security.”
Source: Frost & Sullivan for (ISC)² 2012
Thank you
Everyone here has been or will be compromised; how will you respond when it happens?
Direct, Privacy, and Interstate Communication
Presented by Jeremy Rowley, DigiCert, Inc.
Report to Congress on Foreign Economic Collection and Industrial Espionage from the Office of the National Counterintelligence Executive Office: “The massive R&D costs for new [Healthcare] products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information.”
The HIMSS Privacy and Security Committee goal: "By 2014, all entities who use, send, or store health information meet requirements for confidentiality, integrity, availability and accountability based on sound risk management practices, using recognized standards and protocols."
NHIN Project Statement: “A project to create the set of standards and services that, with a policy framework, enable simple, directed, routed, scalable transport over the Internet to be used for secure and meaningful exchange between known participants in support of meaningful use”
DirectTrust Project
DirectTrust Communication
• Single solution that secures communication to patients, public health, and other providers
• Built on existing PKI and uses existing systems: Identity, Digital Signatures, Encryption
• Widely used, with nationwide adoption by the HISPs: Athena, Cerner, McKesson, Covisint, eClinicalWorks, MiHIN
• ONC endorsed and compliant with guidance released in May 2013
• Meets Direct requirements:
  • Simple – Push-based transport system
  • Secure – Encrypted and verifiable messages
  • Scalable – No need for a central network authority
  • Standards-based – uses established S/MIME protocols
• Uses HISPs to handle infrastructure and provide communication:
  • Arranges identity verification
  • Manages digital certificates
  • Maintains integrity of the trust and security framework
  • Responsible for complying with regulations
DirectTrust Interstate Participants
CA
• Cross-certification with FBCA
• Accredited trust anchor
• Certificate issuance
RA
• Identity verification to NIST LOA3 / Medium
• Accredited practices
HISP
• Gatekeeper for participation
• Certificate management and facilitation of communication between the parties
• Verified individual and organizational identity
HCO
• Transacts health care information
• Verified representative responsible for certificates and communication
Patients
• Provide health care information
• Communication with the HCO
Verification Requirements
NIST LOA3:
• Organization verified using government documents
• In-person or remote proofing using a government ID
• Address verification
• FBCA medium assurance verification
Medium:
• Organization verified using government documents
• In-person proofing using government IDs
• Declaration of Identity
• 30 days of issuance
Interstate Direct Exchange
Tools
Single portals are already available and easy to implement
DigiCert
• Founding member, co-chair of Certificate Policies & Practices Working Group, DirectTrust
• First CA to issue Direct-compliant FBCA certificates
• Direct Med CA included in Transitional Trust Anchor Bundle
• Already supporting HISPs, HIEs and HCOs
Feel free to contact me at [email protected]
Questions?
Contact Us:
Jeff Livesay, Associate Director
Brian Seggie, Security Director and Chief Security Officer
For more information: [email protected]