Evolving Healthcare Cybersecurity Programs With Lessons Learned

Transcription

Evolving Healthcare Cybersecurity Programs with Lessons Learned
Session CYB5, March 5, 2018
Bayardo Alvarez, Director IT, Boston PainCare Center
Dan Bowden, CISO, Sentara Healthcare

Agenda
– Introductions
– Sentara’s IT Security Journey
– Boston PainCare Center’s IT Security Journey
– Lessons Learned & Best Practices
– Questions

Conflict of Interest
Bayardo Alvarez, Director IT, Boston PainCare Center
Dan Bowden, CISO, Sentara Healthcare
Have no real or apparent conflicts of interest to report.

Learning Objectives
– Explain how to communicate and educate your senior leadership and management about cybersecurity initiatives and events
– Explore the challenges with managing a cybersecurity program, its people, processes, and technology
– Illustrate associated best practices and provide guidance for small and medium providers, based upon experiences and lessons learned

Introductions
Dan Bowden
  – VP & CISO, Sentara Healthcare
  – 25 years in cybersecurity and technology architecture
  – CHIME/AEHIS member, Public Policy and CISA 405(d) Task Group
Bayardo Alvarez
  – Director, Information Technology at Boston PainCare Center
  – 10 years in healthcare industry, 30 years in I.T.
  – Chair, HIMSS Privacy & Security Committee

Sentara Healthcare
Building an Effective IT Security Program

Sentara Healthcare – At A Glance
– 130-Year Not-for-Profit Mission
– 7 Magnet Nursing Hospitals
– Sentara College of Health Sciences
– 300 Sites of Care
– 12 Hospitals
– 2,758 Beds
– 3,800 Physicians
– 4 Medical Groups (1,000 Providers)
– 11 Long-Term / Assisted Living Centers / PACE
– 445,000 Health Plan Members
– 28,000 Members of the Team
– 5.1B Total Operating Revenues
– 6.4B Total Assets
– Aa2/AA Ratings

Educating Leadership & Board
Setting Priorities
– Find out what the Board wants
– Continually work on establishing Risk Tolerance with Executive Leadership
– Based on the two points above, set the agenda and priorities
– How does the program benchmark against premier peers?
– What threats and vulnerabilities are most likely to be exploited? Impact?

Handling Cyber Security Threats
Key Technologies and Processes are a must for all Organizations
– NETWORK SEGMENTATION: Practice of separating networks to protect and limit exposure to threats.
– SECURITY OPERATIONS CENTER (SOC): Utilizing IBM Watson to be smarter at detecting and prioritizing Cyber Threats
– 2 FACTOR AUTHENTICATION: Secure Remote Access for all users. 81% of hacking-related breaches leveraged either stolen and/or weak passwords
– OPERATIONAL LEADERSHIP: Key operational leaders meet monthly to review, discuss and act on Cyber Security Metrics and emerging threats
– 3rd PARTY RISK: Evaluate and manage risk from Business Associates, Subcontractors, Affiliated Providers, Joint Ventures, Strategic Partners
Many of these initiatives are visible to the Board of Directors and are stated annual organizational goals

Who are your partners in developing best practices for Cyber Security?
What is the Information Sharing & Analysis Organization (ISAO)?
Mission: Improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.

How do we respond to a cyber security incident?
Simplified Incident Response Strategy
0. PREVENTION
1. DISCOVERY
  – Incident Response Team
  – Incident Analysis – Assess the Impact
  – MINOR: Detect & Resolve
  – MAJOR: Escalate through Incident Response Plan
  – Report Discovery via proper channels
2. EVALUATION & TRIAGE
  – Forensic Investigation
  – Containment / Mitigation
  – Legal Review
  – Recovery
3. MANAGING THE SHORT TERM CRISIS
  – Immediate Response Planning
  – Communications, PR, Crisis Management
4. LONG TERM RESPONSE MANAGEMENT
  – Long Term Recovery Planning: Legal, Reputational, Media
  – Customer Communications
  – Recommend Improvements

Cyber Security influences on operational and strategic processes
– Proactive Cyber Audits for new partnerships
– Annual Planning for Cyber Investments
– Cyber Security is a Team Sport

Evaluating 3rd parties’ cyber security risk
1. Gain objective insight into 3rd party cyber security
2. Engage partners with accurate, actionable security insights
3. Allocate risk resources to where they are most needed
4. Continuously monitor partner performance
5. Collaborate with partners to reduce risks

Dashboards

Managing Challenges – Getting Things Done
Governance vs. Culture
  – Governance is how the organization says it makes decisions and gets things done
  – Culture is how the organization actually makes decisions and gets things done
  – A large gap between Governance and Culture requires more communication
  – Effective Program Strategy must account for both: “Culture eats Strategy for Breakfast”
– People Strategy
– Process Strategy
– Technology Strategy

Best Practices & Guidance
– Top Threats
– Cybersecurity Hygiene vs. Control Compliance
– Hygiene provides meaningful, tangible Capabilities against Threats
– Capability Functions: Identify, Protect, Detect, Respond, Recover

Best Practices & Guidance
What would “any decent CISO” put on the agenda?
– Identity and Access Management
– Lost/Stolen Devices
– Phishing – Email Protection
– Asset Management
– Malware, Ransomware – Endpoint Protection
– ePHI Inventory – DLP
– Medical Device Security
– Network Management, Segmentation
– Vulnerability Management
– Security Operations Center, Incident Response
– Insider Threat
– Policies and Procedures

Dan – Top 10 Lessons Learned
1. Seek first to understand, and then to be understood – Covey
2. Lead by building trust and influence, not by pointing at the org chart
3. Telegraph your plans, allow others buy-in, create joint ownership
4. Act and speak like the C-Suite and Board to be included
5. Make your boss and their boss look good
6. Create pre-determined outcomes
7. People first, then Process, then Technology
8. Recruit and re-recruit your People, from dedication to commitment
9. Look for “net adds”; there is always a small win available, and they add up
10. Capitalize on crisis

Questions
Dan Bowden, CISO
dsbowden@Sentara.com

Boston PainCare Center
Challenges, Goals, Approach

Boston PainCare Center
– Chronic Pain Management
– Interdisciplinary Practice
– 3 Centers & Billing Office
– Physicians, Staff, Consultants: 100
– On-premise Servers & Endpoints: 250


Challenges
– Limited budget
– Resource constraints
– Cost-competitive technologies
– Cybersecurity knowledge gap
– Keeping management on board
– Staff with multiple roles, many priorities
– Smaller scale, similar threats
– COMPLY WITH THE SAME RULES AND REGULATIONS

Our LIANCE

Risk-based Approach
– Prioritize data, systems and infrastructure
– Understand vulnerabilities and threats
– Choose to mitigate, remediate, transfer, accept
– Identify and implement safeguards
– Review, revise and repeat

Prioritizing Cybersecurity
20 CIS Controls:
  – Prioritized set of actions
  – Highly effective actionable steps
  – Maximize limited resources
  – Maps to compliance frameworks

Communicating Cybersecurity
– Keep cybersecurity on the agenda
– Avoid technical jargon, translate to business
– Be realistic, don’t understate or overstate
– Cybersecurity is not static, it is not binary
– Inform yourself before you inform others

The Human Factor
– Make security a core value
– Increase awareness, educate staff
– Onboard training, updates and bulletins
– Remind people what to do, how to respond, who to report to
– Help people understand risks: Cause & Effect

Leverage Features
Operating System Policies:
  – Password complexity
  – Software restrictions
  – Control removable storage
  – Browser security features
  – Prevent driver execution
  – Centralized updates
Multi-Function Devices:
  – Change default passwords
  – Rename default user accounts
  – Restrict administrative access
  – Disable Universal PnP
  – Disable unused protocols
  – Disable insecure protocols
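A small practice can check several of the Operating System Policies above without buying anything, using what is already on a Windows endpoint. The script below is an added example written for this page, not part of the presentation: a read-only audit that reports pass/fail for password complexity (from a secedit export), software restrictions (an enforced AppLocker rule collection), removable storage denial, the size of the local Administrators group, SMBv1 (an insecure protocol) and centralized updates via WSUS. The registry paths are the standard Group Policy locations; the thresholds MinLength and MaxAdmins are assumptions to adjust to local policy.

```powershell
# Added example (not from the slides): read-only hardening audit of a Windows
# endpoint. Run elevated on Windows 10 / Server 2016 or later.
# MinLength and MaxAdmins are assumed thresholds, not values from the presentation.

function Get-SecPolValue {
    # Reads one setting (e.g. PasswordComplexity) from a secedit export
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*=\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Get-RegValue {
    # Returns a registry value, or $null when the key or value is absent
    param([string]$Path, [string]$Name)
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Test-EndpointHardening {
    param([int]$MinLength = 12, [int]$MaxAdmins = 2)
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Control, $Pass, $Detail)
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail }) }

    # Password complexity: export the effective local security policy with secedit
    $cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $pol = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $complexity = Get-SecPolValue $pol 'PasswordComplexity'
    $length     = Get-SecPolValue $pol 'MinimumPasswordLength'
    & $add 'Password complexity enabled' ($complexity -eq '1') "PasswordComplexity=$complexity"
    & $add "Minimum password length >= $MinLength" ([int]$length -ge $MinLength) "MinimumPasswordLength=$length"

    # Software restrictions: is at least one AppLocker rule collection enforced?
    try {
        [xml]$al = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $enforced = @($al.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' })
        & $add 'Software restrictions (AppLocker enforced)' ($enforced.Count -gt 0) ('Enforced: ' + (($enforced.Type) -join ', '))
    } catch {
        & $add 'Software restrictions (AppLocker enforced)' $false 'AppLocker policy not readable'
    }

    # Control removable storage: "All Removable Storage classes: Deny all access"
    $denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    & $add 'Removable storage denied by policy' ($denyAll -eq 1) "Deny_All=$denyAll"

    # Restrict administrative access: count members of the local Administrators group
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    & $add "Local Administrators has <= $MaxAdmins members" ($admins.Count -le $MaxAdmins) (($admins.Name) -join ', ')

    # Disable insecure protocols: SMBv1 server support should be off
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    & $add 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

    # Centralized updates: client pointed at a WSUS server, automatic updates not disabled
    $wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $srv    = Get-RegValue $wu 'WUServer'
    $use    = Get-RegValue "$wu\AU" 'UseWUServer'
    $noAuto = Get-RegValue "$wu\AU" 'NoAutoUpdate'
    & $add 'Centralized updates (WSUS) configured' (($srv -and $use -eq 1) -and ($noAuto -ne 1)) "WUServer=$srv UseWUServer=$use NoAutoUpdate=$noAuto"

    return $findings
}

Test-EndpointHardening | Format-Table Control, Pass, Detail -AutoSize
```

Each check reads the effective setting rather than the GPO that was intended, so it also catches policies that never applied; run it on a sample of workstations and on the servers, and treat any Pass=False row as an item for the risk register rather than something to fix silently.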

CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/

Layer Security
Security layers drawn around DATA at the center: BIOS, Operating System, Group Policies, Anti-Malware, Intrusion Detection, Awareness & Education, Server Spam Filter, Web Filter, Firewall, Cloud Spam Filter

Open Source & “Free” Solutions
– Consider project’s activity, maturity, downloads, reviews
– Reach out to community for support, insight, feedback
– Understand features and limitations before implementing
Caveats:
  – Often requires advanced technical knowledge to implement
  – Lack of technical support, guarantees, development continuity
  – Some projects eventually become commercial products
  – Some projects become stale, cease to evolve

Account Lockout Examiner
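The slide shows a free tool of the kind the previous slide describes: one that finds which machine is behind repeated Active Directory lockouts, which in practice are usually stale cached credentials in a mapped drive, scheduled task or service rather than an attack. The script below is an added example written for this page, not the presentation's material and not the Account Lockout Examiner's own code. It performs the same core analysis in PowerShell: every lockout in a domain is recorded as event ID 4740 on the PDC emulator, and the "Caller Computer Name" in that event identifies the source. It assumes the ActiveDirectory module (RSAT) and permission to read the domain controller's Security log.

```powershell
# Added example, not from the presentation or the Account Lockout Examiner tool.
# Summarizes event ID 4740 (A user account was locked out) from the PDC emulator
# by locked-out user and the computer that sent the bad credentials.
# Assumes the ActiveDirectory module and read access to the DC's Security log.
Import-Module ActiveDirectory

function Get-LockoutEvents {
    param([int]$Hours = 24)
    # The PDC emulator receives a copy of every lockout in the domain
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read named fields from the event XML rather than relying on property positions
        [xml]$x = $e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $data['TargetUserName']
            # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field
            Source = $data['TargetDomainName']
            DC     = $pdc
        }
    }
}

function Get-LockoutSummary {
    param([int]$Hours = 24)
    Get-LockoutEvents -Hours $Hours |
        Group-Object User, Source |
        ForEach-Object {
            $first = $_.Group | Sort-Object Time | Select-Object -First 1
            [pscustomobject]@{
                User     = $first.User
                Source   = $first.Source
                Lockouts = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } | Sort-Object Lockouts -Descending
}

Get-LockoutSummary -Hours 24 | Format-Table -AutoSize
```

A single source computer locking out one user repeatedly points at a stale credential on that machine; many users locked out from one source in a short window is the pattern to escalate under the incident response plan. When the source is a VPN concentrator or remote access gateway, the 4740 event only shows the gateway, and the gateway's own logs have to be read for the real origin.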

Empower Staff
– Build up your cybersecurity team
– Extend your staff with outside team “champions”
– Team up staff with staff, consultants and vendors
– Review policies and procedures with your team
– Transfer knowledge, delegate tasks, empower

Centralize Compliance Information
Dashboard panels: Web Filter, Backup Jobs, Endpoint Protection, Configuration Changes

An Ever Evolving Program
Cycle: Identify Assets, Assess Security Controls, Protect, Detect, Respond, Recover, Adjust

Bayardo – Lessons Learned
– Start with basic, fundamental controls
– Balance cybersecurity and functionality
– Keep management apprised and on board
– Awareness and education are cost-effective controls
– Approach cybersecurity as a program, not a project
– It’s about the business, not the technology

Questions
Dan Bowden, CISO
dsbowden@Sentara.com
Bayardo Alvarez, Director IT
balvarez@bostonpaincare.com
