Session Descriptions

Monday, June 11

9:00-10:15 am Plenary Session

NIST Cybersecurity Framework

The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. Matt Barrett, Program Manager for the NIST Cybersecurity Framework, will discuss the latest update to the Framework and how it can help your organization.

10:45 am – 12:00 pm Concurrent Sessions

Human vs. Machine: Embracing the Old or Exploring New Frontiers

This session will focus on the relative merits of using technology versus human behavior to address diverse data risks for your privacy program. The discussion will address the pros and cons of:

  • Tighter role-based access to systems versus training and awareness of what is allowed
  • Privacy monitoring by human beings using experience and expertise versus behavioral analytics anomaly detection
  • Offering encrypted devices versus data loss protection settings to prevent storage on unencrypted devices
  • Implications of all of the above in the unique environment of an AMC

This panel of compliance and privacy professionals will draw on their experience of working in AMCs and understanding the complex environment. Panel: Marti Arvin (CynergisTek), Holly Benton (Duke University) & Lauren Steinfeld (Penn Medicine)

Building Health Information Company Security from Scratch

DevOps and “Cloud” are contemporaneous and complementary movements. We will present the case for embracing the DevOps revolution, independently of when, or whether, you move to the cloud. Bringing versioned, automated, trackable, and repeatable processes to security and operations is in itself a major improvement to any system. Felipe Polo-Wood will use the first half of this session to go through the specific disciplines that make up DevOps and shed light on their benefits, based on experience from the current implementation efforts at Duke Health.

In the second half, Shay Hassidim of Sema4, a recent spin-out from Mount Sinai Health System, will present on a current migration to the cloud of the storage, network, data, AI services and advanced workloads that previously operated within the Mount Sinai Data Center. This process involves multi-terabyte databases, multi-petabyte raw sequencing data, thousands of compute nodes, and a non-stop lab operation that delivers precision medicine using advanced genomic tests and data pipelines. Migrating from a classic HPC supercomputing environment into a modern, cost-effective, cloud-based environment demands an agile, flexible and dynamic governance and compliance methodology that handles all security aspects primarily via automation: endpoint security, cyber-security threats, network architecture, data organization, migration, annotation, backup, archiving, modeling and transformation, and workload and pipeline deployment. The approach leverages NIST Cybersecurity Framework and ITSM concepts and serverless architecture, relies mostly on native cloud services and Kubernetes-based clusters, and allows for multi-geo coverage and a high degree of availability. Panel: Shay Hassidim (Sema4) & Felipe Polo-Wood (Duke Health)

NIST 800-63: Real World vs. Government Guidelines

The speakers will present an overview of the realities of implementing NIST Special Publication 800-63 (Digital Identity Guidelines). They will provide a concise overview of what this guidance means to the modern healthcare organization, strategies for implementing these standards in a large teaching hospital, and how the standard has been used across numerous healthcare organizations. Panel: Sara Schweitzer (Mayo Clinic) & John Nye (CynergisTek)

1:00-2:15 pm Concurrent Sessions

50 Shades of Guest & IoT

It’s not just BYOD. Our real challenge is managing the 50 shades of guests now entering enterprise networks: classifying and controlling every combination of managed and unmanaged users and devices, while also taking into consideration dynamic factors such as security posture, geographic location and more. Join our panel for a technical exploration of defining, identifying, posturing, monitoring and controlling access for the 50 shades of guests. Session content is audience-driven as we discuss applications of real-world tools and technologies such as MDM, NAC, client agents, guest onboarding products, wireless, network monitoring and access control in healthcare environments. Panel: Tara Cho (Wyrick Robbins), Jennifer Minella (Carolina Advanced Digital) & Dominic Messer (WakeMed)

Compliance vs. Evidence-Based Cybersecurity

Compliance regimes such as HIPAA have a tendency to morph into a checklist exercise that does not necessarily equal cybersecurity. The same goes for standards such as NIST’s, which are expensive to align with and have been shown to be ineffective when applied incorrectly, especially within government agencies that are required to follow them. With this in mind, we have started to explore and formulate evidence-based cybersecurity, built on practices that have been shown to be effective with either real data or empirical evidence. Our ultimate goal is to help organizations improve real security, with compliance resulting as a natural by-product, not vice versa. This talk will provide a summary of our work so far. Panel: Randy Regimbal (Mayo Clinic) & Anurag Shankar (Indiana University)

Privileged Account Management

Privileged accounts, those with security-relevant functionality beyond regular user accounts, are exploited in about 80 percent of computer hacks. And as if the bad guys aren’t challenging enough, privileged accounts are the objects of desire for red team testers and IT auditors who always seem to be looking for chinks in the armor. This prompts organizations to proactively apply security controls leveraging people, process and technology through well-thought-out strategies to manage risk while enabling business. Accounts used by system, application and database administrators, as well as accounts used to configure and maintain network infrastructure or to control the functioning of medical devices, workstations and mobile devices, are all part of the management strategy. Hear how two large organizations are prioritizing and dealing with these challenges, and glean a few golden nuggets from their lessons learned. Panel: Lee Olson (Mayo Clinic) & Mike Dockery (Cincinnati Insurance Company)

2:45-4:00 pm Concurrent Sessions

New Frontiers in Privacy & Security

In this roundtable discussion, presenters will analyze the latest trends and technologies transforming healthcare privacy and security. They will dive into especially hot topics including artificial intelligence in healthcare compliance, social media monitoring for privacy violations, new collaboration models for healthcare privacy and security teams, and how to get ahead of what’s coming from OCR. The presenters each bring a unique perspective on patient privacy to the table. Healthcare organizations increasingly find their names in the headlines, not celebrating their research or medical breakthroughs, but reporting costly and reputation-damaging data breaches that expose the sensitive information of thousands of patients. Hear from healthcare compliance and IT security experts about their latest efforts to prevent this from happening to their organizations. Presenters will emphasize their experiences evaluating, implementing, and using privacy monitoring technologies that rely on proactive detection models, and how these tools have transformed their program operations and outcomes. Panel: Carlos Cruz (Tri-City Medical Center), Michael Gregory (Community Healthcare System) & Robert Lord (Protenus)

Meeting Workforce Needs in Healthcare Cybersecurity & Privacy: Development of an Innovative Curriculum at the University of Texas at Austin

Increasing numbers of threats, crypto-ransomware attacks, and visible data breaches in healthcare settings underscore that workforce needs in healthcare cybersecurity and privacy are acute. The development of new curricula to meet this talent gap, that will successfully equip individuals with the skills and competencies they need to be job-ready, is paramount.

This session will describe new cybersecurity and privacy modules developed by educators in the Health Informatics and Health IT (HIHIT) Program at The University of Texas at Austin (UT Austin) to rapidly make individuals job-ready to meet workforce needs. UT Austin has been nationally recognized for creating innovative programs in Health IT to meet workforce demands. In 2010, the program was launched with a University-Based Training Grant from the Office of the National Coordinator for Health IT (ONC). Using the ONC funding, faculty in the program partnered with large healthcare organizations and members of the Health IT industry to develop a unique learning center and a curriculum that includes both didactic education and hands-on learning with current technologies. To date, the program has educated more than 1,200 individuals, and 96% of those seeking Health IT positions have found jobs with 143 employers nationwide. Graduates of the nine-week program receive a certificate in HIHIT from UT Austin’s McCombs School of Business, and are eligible to sit for exams offered by four external credentialing organizations, including the Certified Associate in Project Management from the Project Management Institute. Most recently, the HIHIT Program has partnered with the Army Garrison at Ft. Hood to become a Ft. Hood Army Career Skills Program, delivering health informatics and health IT education to college-educated, transitioning soldiers via distance education, with the goal of equipping them for civilian careers in Health IT.

The same approach utilized to develop the very successful HIHIT certificate program was used to create new modules in cybersecurity and privacy for integration into the existing curriculum, or for delivery as stand-alone educational units, keeping in mind the keen interest expressed by transitioning soldiers to enter this field. The panel members will begin with a summary of the program, followed by comments about the curriculum development process, and how the curriculum modules meet the needs of industry and healthcare organizations. Panel: Sri Bharadwaj (UC Irvine Health) & Leanne Field (University of Texas at Austin)

Case Studies: Next-Gen Endpoint Security Solutions

In this roundtable, three AMC CISOs will discuss the results that they have seen from deploying next-generation endpoint detection and response (EDR) products in their organizations. You will learn how EDR solutions differ from traditional anti-virus and endpoint protection products, how they approached deploying EDR solutions across tens of thousands of systems in their organizations, the results that they have seen from using EDR, critical success factors to consider when implementing an EDR solution, vendors that provide EDR solutions, and how EDR solutions fit in with a broader set of cybersecurity controls. Panel: Chris Beal (MCNC), Jennings Aske (NewYork-Presbyterian) and Chuck Kesler & Tom Maniaci (Duke Health)

Tuesday, June 12

9:00-10:15 am Plenary Session

Quiz the Regulator

In this popular session, Suzanne Schwartz, MD, MBA, Associate Director for Science and Strategic Partnerships, Center for Devices and Radiological Health, U.S. Food and Drug Administration, will discuss the FDA’s medical device cybersecurity policies and initiatives. The session also features a Q&A period.

10:45 am – 12:00 pm Concurrent Sessions

Traps, Tricks & Trepidation in HIPAA & Hybrid Entity Designations at Universities & AMCs

This session will focus on HIPAA and complexities of the hybrid entity designation issues particular to universities and AMCs. Topics include:

  • Determining whether a university is a hybrid entity and what the “covered components” are that must comply with HIPAA
  • Establishing correct HIPAA “relationships” between the university’s covered components, the affiliated AMC, and the affiliated faculty practice plan or physician groups, including when an affiliated covered entity (ACE) or an organized health care arrangement (OHCA) is appropriate
  • Addressing areas of vulnerability in HIPAA compliance resulting from the university-AMC-faculty practice plan relationships, including: when business associate agreements are needed between the entities; “co-employment arrangements” when physicians are employees of the university when performing research and employees of the AMC/faculty practice plan when performing clinical care; and controlling faculty and student access to health information for research

Panel: Marti Arvin (CynergisTek), Holly Benton (Duke University) & Lauren Steinfeld (Penn Medicine)

Building & Improving a Collaborative Privacy & Information Security Program

This presentation will focus on the development of a fully integrated proactive privacy and information security program in the healthcare environment. The components of an effective integrated program will be highlighted as will the benefits of an integrated approach. In addition, the presentation will focus on the elements of a proactive privacy and information security program. The principles of privacy and information security by design will be explained and methods for implementing a privacy and information security strategy throughout an organization including practical tips for implementing privacy and information security by design will be presented. Kiren Gurai (Sutter Health)

Unpacking the Health Care Industry Cybersecurity Task Force 2017 Report

The Health Care Industry Cybersecurity Task Force’s report published in 2017 identified six high level imperatives with recommendations and action items for each to increase awareness, improve security, and reduce risks. This presentation will dissect and analyze the various recommendations and action items in the report, including the risk management approaches and best practices, while also taking into consideration the unique aspects and technological and regulatory challenges faced by the healthcare industry and its inherent and imposed limitations. Other topics include: how EHR manufacturers and providers can address the confluence of many technologies, including traditional EHRs, wearables and biomedical devices; how to address the patient’s right of limiting access; Privacy By Design, and the implications it has on the design and implementation of secure systems; how threat actors can leverage this network of shared information; future threat vectors and possible defensive mechanisms, both technical and governance; as well as some of the legal barriers and opportunities to build common defenses. Panel: Gary Warner (University of Alabama at Birmingham), Steve Snyder (Smith Moore Leatherwood) and Sayee Balaji Chandrasekaran & Monty LaRue (Allscripts)

1:00-2:15 pm Concurrent Sessions

AMCs & the General Data Protection Regulation (GDPR): Does the New Law Apply to My Organization?

Panel experts will review the basic provisions of the new law (effective May 25, 2018), discuss its relevancy to the healthcare sector and how it might apply to AMCs based in the US, and offer pragmatic approaches to address critical “must-have” components for GDPR compliance – inclusive of an AMC use case as an illustrative example. Session Objectives:

  • Review the regulatory requirements for GDPR
  • Evaluate how GDPR may apply to AMCs
  • Identify actionable steps to achieve compliance and mitigate risks

Panel: David Holtzman (CynergisTek), Karen Pagliaro-Meyer (Columbia University Medical Center), Lynn Rohland (RGP) & Robert Webster (LabCorp)

AMCs & Vendor Security: Most Comprehensive Study to Date

Academic Medical Centers (AMCs) are a hub of research and clinical trial activity. The number of outside parties involved in collaborative studies creates unique challenges in securing protected patient data. The core element of research studies is sensitive health data. So how can it be secured from unintended release? Knowing that data is the diamond mine of academic research, how well do outside clinical trial and research partners fare in securing and protecting sensitive data records from malicious intent or data misuse? This session will cover:

  • Unique challenges to AMCs (research studies, clinical trials)
  • Profiles of typical AMC vendor population and associated risk factors
  • Top three vendor security risk factors for AMCs

Panel: Michelle Allar (Wake Forest Baptist Health) & Jay Stewart (CORL Technologies)

Hollywood’s Hype & the Harsh Reality of a Ransomware Attack

No amount of advance planning can totally prepare an organization for a large-scale ransomware attack. From the moment of discovery, IT departments are aggressively fighting the clock to stop the spread to not only the EHR, biomedical, laboratory, and pharma systems, but also to the revenue cycle management, facilities, cafeteria, and supply-chain management systems. No endpoint is safe, including servers, workstations, printers, environmental control systems, or physical security controls. Healthcare executives are inclined to turn to the CIO to lead the initial recovery efforts but the recovery challenge transcends many different business units, including legal, finance, human resources, public relations, audit, and the entire compliance team (compliance, privacy and security). This presentation will provide lessons learned from actual ransomware attacks drawing on firsthand experience of working with multiple organizations that experienced a significant event in 2017. It will include the timeline from initial discovery through technical recovery and will also focus on the non-technical actions needed to meet the legal, regulatory, and contractual requirements. It will also address the human impacts of ransomware and strategies to help mitigate the negative effects. Attendees will gain a focused perspective on the human impact to the organization, explore the responsibilities of various departments following a serious security event, and review considerations that would help determine if the event is a reportable breach. Panel: Dave Dillehunt (FirstHealth of the Carolinas) & Clyde Hewitt (CynergisTek)

2:45-4:00 pm Concurrent Sessions

Emerging Security & Privacy Issues Arising from the Proliferation of Devices in the Health Care Workplace

This roundtable discussion will examine key security and privacy issues arising from the use of electronic devices in and with health care organizations. In part, panelists and the audience will discuss security and privacy issues related to electronic health care data stored on and transmitted from wearable and implantable devices. How do device companies protect the security and privacy of health care data – including data generated in research studies – during its creation, storage and transmission? Additionally, panelists and the audience will examine the security risks posed by the use of employee and/or employer electronic devices in the workplace. As one example, there are newly emerging physical security risks for health care providers and research facility sites posed by bad actors gaining access to (proliferating) employee devices. Moderator: Robert Van Arnam (Williams Mullen); Panel: David Kuraguntla (GraftWorx), Dominic Madigan (Williams Mullen) & Karen Pagliaro-Meyer (Columbia University Medical Center)

Case Study: Creating an OCR-Quality Risk Management Plan

Encompass Health will share how they established risk management processes that correlate directly with OCR guidance. Among the challenges they faced were the vast scope and complexity of the organization and its regular expansion via strategic acquisitions, which meant the set of information assets, threats, vulnerabilities and security controls was continuously evolving. Another challenge was that while the HIPAA Security Rule and OCR guidance explicitly state that organizations must conduct a risk assessment, the exact form that assessment should take is open to interpretation. Hear how they completed a comprehensive, OCR-quality risk analysis that aligns with the NIST framework. The risk analysis is granular, down to the individual media and medical devices where ePHI resides. The software they use supports ongoing risk analysis and risk management, consistent with a constantly evolving asset, threat and vulnerability environment. This has resulted in increased confidence in the accuracy, detail, timeliness and scope of risk analysis, as well as anticipated savings in the resources needed to generate the Board-required risk assessment. Panel: Rich Curtiss (Clearwater Compliance) & Shane Eaker (Encompass Health)

Incident Response for Executives

The surge in malicious attacks on healthcare organizations has certainly raised executives’ and boards’ awareness of the need for a coordinated response process. It also shows that the incident response process should not be assigned solely to the CIO. Given how quickly litigation has been filed following recent ransomware attacks, it is critical to have the ability to continue operations in parallel with the technical recovery. Historically, business continuity has focused on clinical operations, but recent events stress the importance of having downtime procedures for non-clinical processes as well, including financial, HR and supply chain management. This presentation will explore the managerial priorities and operational impacts associated with incident response. Panel: Sri Bharadwaj (UC Irvine Health), Mike Caudill (Duke Health) & Kiren Gurai (Sutter Health)

This continues to be an excellent conference, well planned and implemented. Great value, great information, and great networking.
—2014 Conference Attendee