Security Workshop

Wednesday, September 16

8:00 am – 1:00 pm

 

Presentations

What is a ‘Culture of Security’ and Where Can I Get One?
Jim Murphy (Consultant)

Mobile Device Management – Not Simply a ‘Nice to Have’
Greg Manson (Carolinas IT)

Building an Offensive Security Process
Elliot Frantz (Virtue Security)

Emerging and Trending Cyber Security Threats in Healthcare
Mac McMillan (CynergisTek)

The Anatomy of a Breach
Greg Sparrow (CompliancePoint)

 

Session Descriptions

What is a ‘Culture of Security’ and Where Can I Get One?

News about information management at any level is replete with articles on problems with data loss, breaches, capture of personal information, and associated consequences, including monetary loss on personal and corporate levels. Technology solutions are vitally necessary, but do not appear to be solving the problems or even slowing the increasing losses. Many experts have become aware that the most complete and successful organizational security – that which begins to reduce the quantity and frequency of data loss – lies within the individuals making up the organizational work force. Most organizations have awareness training, and publish privacy and security documentation in response to regulatory requirements, but to many of us in the business of information security, the results are not as we would hope and expect. The term “Culture of Security” has been bandied about for years, and has been the topic of many articles, as organizations seek to address the human factors in protecting vital data. Organizations large and small are beginning to address this “Culture of Security” as a means of involving all the workforce. I believe that an important incentive towards creating a “Culture of Security” may be in describing and understanding the “Culture of the Attacker” – those who are participating in this massive assault on private information and who benefit monetarily the most in the practice of stealing information. It is truly an underappreciated perspective. Adding this body of information to your own organizational planning for a “Culture of Security” can enhance the awareness of your work force and foster greater understanding of the need and top-to-bottom participation in the responsibility of data protection.

Session Objectives:

  • Describe the characteristics of the “Culture of Security” and how it can benefit your organization
  • Explain the “Culture of the Attacker” and the variety of motives and attitudes that are found in the “attacker” realm
  • Identify how your organization can benefit by building a “Culture of Security” that includes the concept of the “Culture of the Attacker”

Jim Murphy (Consultant)

Mobile Device Management – Not Simply a ‘Nice to Have’

You may be surprised that many organizations have chosen to forego a mobile device management (MDM) solution despite the proliferation of mobile devices in their environment. While performing security risk assessments and consulting for a series of organizations operating under HIPAA and HITECH, an unsettling trend emerged. For one of a few reasons, each organization had chosen to ignore the controls afforded by MDM and instead rely entirely on the controls built into their line-of-business applications to address their security risks. Through use of examples drawn from experience, this presentation will highlight the primary drivers of that trend and propose several reasons everyone should consider implementing an MDM solution. The presentation will also discuss cost-effective solutions to implement MDM in your organization. You will leave the presentation with a palpable appreciation of the risks inherent to mobile devices and a renewed appreciation for MDM as a security solution and asset management tool.

Session Objectives:

  • Discuss trends in HIPAA and HITECH and how these affect the safety and security of electronic patient health record information
  • Describe the risks associated with not implementing a mobile device management solution
  • List steps for selecting and implementing a mobile device management solution

Greg Manson (Carolinas IT)

Building an Offensive Security Process

Offensive security testing is an essential part of any organization’s security process, but the demand to perform more of it effectively and efficiently is always increasing. As healthcare security processes mature, we must bring more of this testing internally and use vendors more effectively. In this talk we will take lessons learned in the financial industry to show how healthcare providers can make the most of internal IT staff and leverage vendors more efficiently. We will also look at a few key concepts in application security and some of the implications they have with HIPAA regulations. As healthcare becomes a larger target, many vulnerabilities that once seemed insignificant will grow substantially in risk. This talk will also cover a changing threat landscape and how this affects the type of assessments that must be performed. BYOD, IoT devices, and increasing interoperability are all leading to a vanishing external perimeter. This must be addressed by going beyond “fear, uncertainty, and doubt” and using quantifiable metrics to conduct meaningful security testing. We will look at a number of processes used at large financial institutions covering vendor management, software assurance, and ethical hacking to take advantage of lessons already learned.

Session Objectives:

  • Prioritize offensive security testing that can be performed internally
  • Describe key concepts of application security and common deficiencies in healthcare applications
  • Discuss emerging threats and how we must adapt security testing processes and standards

Elliot Frantz (Virtue Security)

Emerging and Trending Cyber Security Threats in Healthcare

Cyber criminals are expected to target the healthcare industry more than ever before as recent studies show that they are pursuing protected healthcare information more than they are credit card information. The Anthem breach, which affected 80 million people, is just the first of many large breaches to come. Are you and your organization prepared to fight cyber attacks? Could your organization detect such a breach? The first step toward minimizing the chances that your organization will experience a breach is providing education to foster awareness of potential threats. This presentation will review and examine some of the top security concerns that exist today, drawing from the presenter’s nearly forty years of experience in managing and helping others manage risk. Whether it’s insiders or cyber criminals, this presentation will break down the top concerns in cyber security, leaving participants with the knowledge they need to be prepared for such attacks, and equipped with the right questions to ask their organizations to assess their risk.

Session Objectives:

  • Discuss emerging security trends and concerns for healthcare provider organizations today
  • Describe strategies for mitigating risks associated with the common security issues that exist for healthcare provider organizations today
  • Assess your organization’s risk and determine the appropriate course of action

Mac McMillan (CynergisTek)

The Anatomy of a Breach

This presentation will cover real-world analysis of recent breaches including: lessons learned, do’s and don’ts, and best practices for preventing and responding to a breach. CompliancePoint works directly with organizations involved in incident response, breach investigations and remediation efforts to prevent breaches. The presenter will share his insider view of recent breaches, how attacks occur and how organizations can better respond. This presentation will cover all phases of breach management including: pre-breach best practices, post-breach incident response and remediation efforts for risk mitigation of breaches.

Session Objectives:

  • Explain how to implement pre-breach best practices
  • Discuss how to respond post-breach
  • Describe best practices for breach mitigation and incident response

Greg Sparrow (CompliancePoint)

Registration

The registration fee is $99 NCHICA members/$149 non-members.

There is no other place that you can hear the critical issues happening in the North Carolina healthcare and technology world like NCHICA’s annual conference. The quality of the programming is matched only by the quality of the conversations you can have with other attendees.

— 2013 Conference Attendee

Credit card payment is preferred. Check payments must be received by September 4.
