Monday, June 3
9:00-10:15 am Plenary Session
Deep Dive into Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients
Erik Decker (University of Chicago Hospitals)
Learn more about the voluntary, consensus-based, industry-led and developed cybersecurity practices for the healthcare industry. Learn how a 150 member-driven task force, facilitated by the Department of Health and Human Services, identified five cyber threats to healthcare and the ten practices to help mitigate them.
- Describe the public-private partnership model developed between the Healthcare Sector Coordinating Council and the Government Coordinating Council
- List the five cybersecurity threats the industry feels are most critical to manage
- Identify the ten cybersecurity practices to mitigate these threats, and their sub-practices
- Discuss how to prioritize the threats for your organization, and how to mitigate them
10:45 am – 12:00 pm Concurrent Sessions
Achieving Better Privacy and Cybersecurity Through Data Classification and Rights Management
Stephanie Crabb (Immersive), Alex Nisenbaum (PepperHamilton) & Richard Wyckoff (University of Vermont Health Network)
One of the recurring observations from the HIPAA audits and investigations conducted by the Office for Civil Rights (OCR) is that healthcare organizations do not and cannot account for all of their ePHI, both inside and outside of “the four walls.” Organizations don’t know the ePHI/PHI they have, where it is transmitted or how it is shared. This is often the reason that an organization is cited for an “incomplete or inaccurate” risk analysis. After all, you cannot assess or manage what you don’t know. Data Classification and Rights Management are disciplines that align privacy and security programs with healthcare operations and advance regulatory compliance performance. This session will introduce these disciplines and explore their early impact on privacy, security and operations in various organizations.
- Explain the fundamentals of data classification and rights management
- Describe the regulatory and operational drivers to implement data classification and rights management
- Discuss approaches and methods related to data classification and rights management
- Discuss one organization’s early efforts to implement data classification and rights management
- Explain how privacy and security programs benefit from data classification and rights management
Case Studies: Addressing Identity & Security in Healthcare at the University of Kansas Health System & Integris Health
James Beeson (University of Kansas Health System), Chris Lloyd (Oxford Computer Group), James Landers (Integris Health) & Matthew Radcliffe (SailPoint)
This session will explore the need for security and privacy around the creation, management, and distribution of identities as it pertains to a healthcare organization and why identity is one of, if not the most, important factors in securing your environment. AMC’s challenges with identity management are compounded by the prevalence of multi-role identities. A single person can have identities associated as a student, intern, faculty, patient, employee, etc. Learn how to effectively manage multi-role identities so organizations can ensure they are provisioned and deprovisioned efficiently and securely while creating the correct permissions in all cloud and on-premises systems and applications. Learn how the University of Kansas Health System put this into practice and what they are doing to ensure security and privacy through the management of their identities.
Learn how Integris Health is addressing their business challenges, including the increasing demands of compliance requirements and lack of visibility into clinical applications like Epic and Cerner. They are in the midst of building an integrated identity program with SailPoint. Learn about the successes and lessons learned while constructing a security and compliance strategy and team centered around identity access governance and administration, and what they recommend other healthcare providers consider when building a program that protects and secures access to patients’ private healthcare information.
Exploring Opportunities and Challenges in Creating Learning Health Systems
Holt Anderson (Learning Health Strategies) & Ed Hammond (Duke Center for Health Informatics)
Launched as a concept by the National Academy of Medicine in 2008, the realization of Learning Health Systems (LHSs) is gaining ground around the globe and more organizations are beginning to include the concept in their strategic planning. This session will explore the LHS concept, examples underway elsewhere and how other AMC members might join in a leadership effort to explore this concept and map a strategy for achieving success. Challenges to the realization of this vision include:
- Establishing a trust framework that includes governance and policy agreements and standards to enable the aggregation, analysis, and dissemination of knowledge among LHS participants
- Creation of business cases that outline the reciprocal ROI for providers, payers, and individuals that will create the market demand for LHSs, and
- An understanding among health professionals and individuals of the benefits of LHSs that underscores the need for and provides a demand for their implementation.
1:00-2:15 pm Concurrent Sessions
Implementing an Effective Auditing and Monitoring Program with a New EMR: Two AMCs + One Healthcare System = OHCA
Karen Pagliaro-Meyer (Columbia University) & Tanisha Raiford (Weill Cornell Medicine)
An Organized Health Care Organization (OHCA) implemented a single electronic medical record shared by two separate universities and one large healthcare system. Over 30,000 users who were workforce members of three separate organizations were required to complete training and transition to the new EMR. The three Privacy Officers worked together to develop a governance structure, outline processes to conduct auditing, monitoring and investigations, and align policies as necessary. Policies aligned included: Notice of Privacy Practices, Sanctions, Privacy Complaints, Legal Health Record and Designated Record Set, Managing patients requiring additional privacy protections, and Release of Medical Information. Along the way we shared best practices and established systems to effectively manage potential HIPAA breaches.
Back to Basics: How to Create Effective Security Policies
Chuck Kesler (Pendo.io) & Steve Cardinal (Medical University of South Carolina)
One of the most dreaded tasks in information security has to be developing policies. While we all know that policies are needed to make technical and physical security controls effective, many policies end up being poorly written, misunderstood, and often even ignored by the workforce. In this session, we will review best practices and simple approaches that can be used to create and implement more effective information security policies.
- Describe the foundational steps and principles required to create effective policies.
- Explain how to align policies with the organization’s internal and external environment and requirements.
- Discuss a process for developing and implementing policies to ensure that they are understood and adopted by the organization.
Overcoming Barriers that Keep You from Building a Secure Mobile App that People Actually Use
Jeff Kramer (MD Interconnect), Allie Lindahl (Transitions LifeCare, formerly with WakeMed) & Peter Nelson (Stern Security)
Due to the complexities of care coordination, disconnected systems, speed of technology and innovation, the best ideas in their original form are only partially right. To get from your original idea to a fully fleshed out secure mobile application requires judiciously and quickly overcoming the barriers inherent in today’s medical environment. Participants will walk away with a practical checklist to address each barrier below and real life examples of how each played out in the development of RapidConnect communication application for and with WakeMed clinicians, with key input from Stern Security. The application is cloud-based and is used on WakeMed physician personal devices as well as duty phones/web.
• Barrier 1: The engineers who will build your app lack an in-depth knowledge of the clinical environment;
• Barrier 2: Stakeholders giving you valuable and much needed input will try to steer you off course
• Barrier 3: Legacy systems are there and easy for people to fall back on
• Barrier 4: New and improved infrastructure options come to market everyday leaving yesterday’s choices outdated
2:45-4:00 pm Concurrent Sessions
Roundtable Discussion on First Question – Whose Risk Is It Anyway?
Shelly Epps (Duke Health), Susan Hayden, JD (Duke University School of Medicine) & Dennis Schmidt (UNC Health Care)
In a complex AMC environment, where mobile and web apps, wearables, and other technology could be developed internally, be commercially available, be provided by external partners, etc., the security, privacy, contract and regulatory resources required to evaluate and mitigate risk can be quickly exhausted. Efforts are often duplicated and inefficient as these resources work in isolation without a central communication pathway. We will host a roundtable discussion using specific use cases and audience participation to suggest ways to bucket and scope risk assessments and specifically to use authorization and template contract controls to mitigate risk in scenarios where an AMC cannot (or should not) perform an in-depth risk assessment. We’ll briefly show how a centralized platform might improve assessment efficiency and transparency. Bring opinions/ideas/workarounds from your own institutions and join what we hope will be a lively discussion.
Three Keys to Mature Vendor Security Risk Management Programs
Stephen Dunkle (Geisinger Health System) & Cliff Baker (CORL Technologies)
Learn about key trends and critical elements for maturing a vendor security risk management program. Presenters will offer an overview of these basic steps for Maturing Vendor Risk Management in Healthcare: 1) Determine what the organization needs/desires for a successful VSRM program, 2) Design the program – governance, process, technology, and ability to sustain, and 3) Implement and continue to improve. They will also discuss industry trends, including:
- Third-party data risk is on the rise among U.S. firms, with an estimated 61% experiencing a breach caused by third parties, which is up from the previous year.
- Organizations continue to lack visibility into the number of third parties (Nth parties, etc.) they are sharing sensitive information with. Only 34% have a comprehensive inventory of all third-parties. (Source: Ponemon Institute.)
- In healthcare settings, risk tiering techniques reveal specific ‘vendor types’ that present a greater data security risk than others, which can streamline vendor security risk management. (Source: CORL Technologies data.)
Blockchain and Healthcare: Better Health Information Sharing
Ken Mortenson (InterSystems), Shay Hassidim (SEMA-4) & Ray Shelton (Mount Sinai Health)
Blockchain as a technology is mostly associated with cryptocurrencies, but the underlying technology is a decentralized, distributed, and digital ledger that is open and verifiable, used to record transactions across many systems, and prevents retroactive alteration of a record without altering all subsequent blocks and, as such, is described as a value-exchange protocol. These attributes can be used to address core controls around the collection, use, and disclosure of patient information with the safeguards required under many legal and regulatory regimes, including HIPAA and GDPR. The integrated safeguards for information security, such as access controls, immutable logging, encryption, and data integrity, can be mapped to the legal requirements in order to operate a zero trust model in compliance with the law. Any cloud environment comes with a blend of complex rules the IT organization should implement. Managing these controls via blockchain may provide the eco-system needed. Topics include:
• What controls (and legal requirements) must be considered?
• Why current controls are insufficient.
• Many of the building blocks for leveraging Blockchain based technology are there – these need to be assembled to form your next generation data security fabric.
Tuesday, June 4
9:00-10:15 am Plenary Session
Quiz the Regulator
Emily Crabbe, JD (HHS Office for Civil Rights)
Each year the AMC conference is pleased to host a key staff member from HHS engaged in HIPAA support, enforcement, and related duties. This year we have Emily Crabbe, JD, Investigator with the HHS Office for Civil Rights. A key facet of this session is a long Q&A period. This is a good time to get your questions answered and to understand OCR’s announced plans for regulation development, enforcement, auditing, guidance development, etc.
10:45 am – 12:00 pm Concurrent Sessions
Beyond California: Ascendant State Standards for Data Privacy and Cybersecurity
David Behinfar (UNC Health Care), Katherine Georger (Duke Health) & David Holtzman (CynergisTek)
The attention given to the California Consumer Privacy Act shines a light on the work of states around the country establishing data privacy and cybersecurity standards to safeguard data containing consumers’ personally identifiable information (PII). Every state has its own breach notification laws, with nearly one-half adopting data security and/or data disposal requirements. Others have implemented comprehensive cybersecurity requirements that target the insurance and/or the financial services industries.
State attorneys general (AGs) have been taking innovative approaches to punish entities for failing to safeguard PII, applying a mix of data protection standards and consumer protection laws prohibiting unfair trade practices. A 2018 Pennsylvania Supreme Court ruling finding entities that collect PII have a Common Law legal duty to use reasonable safeguards to prevent its theft or unauthorized access could portend a significant rise in consumers suing for damages from data breaches. State breach notification and data protection laws to safeguard consumer PII have created a patchwork of complex, and potentially conflicting obligations. The penalties and litigation costs for those organizations that do not yet effectively protect their PII could be backbreaking.
- Identify common themes in the development of state data privacy and cybersecurity standards to safeguard PII.
- Discuss enforcement by state attorneys general and how consumer litigation is driving changes in the behavior of organizations that handle PII
- Explain what reasonable safeguards are and how they are evolving
Collaborative Security: How Information Sharing Can Add to Your Team
Denise Anderson (H-ISAC), TJ Bean (HCA) & Taylor Lehmann (Wellforce & Tufts Medical Center)
This session will look at case studies of successful information sharing in incidents such as WannaCry and Petya/Not Petya. Topics include:
- How information is shared
- What information is shared and with whom
- Why information sharing is an important tool in prevention and incident response
- How collaboration can quickly create mitigation strategies
IoT in Healthcare
Rosemary Herhold (Duke Health) & Lee Olson (Mayo Clinic)
The Internet of Things (IoT) is not coming to healthcare organizations; it is already here. IoT devices can be connected to an organization’s network (sometimes without detection), bypassing normal review channels. This presentation answers the questions, ‘What should we do first?’, and ‘What practical, risk-based approaches should a healthcare provider take?’ The presenters will discuss IoT risk assessment techniques, threats, inventory challenges, visibility, and potential loss events from data leakage, insecure communications channels, vulnerable software, etc. They will also discuss countermeasures and lay out a practical plan to address risks associated with IoT.
1:00-2:15 pm Concurrent Sessions
Impact of the European Union’s General Data Protection Regulation on U.S. Academic Medical Centers and Healthcare Facilities
Dina Marty (Wake Forest Baptist Health) & David Peloquin (Ropes & Gray LLP)
The European Union’s landmark privacy legislation, the General Data Protection Regulation (GDPR), took effect on May 25, 2018. The law has a broad extra-territorial reach, but determining its application to the activities of U.S. academic medical centers and other healthcare facilities can be challenging. In this presentation, speakers will address several areas in which the GDPR affects U.S. AMCs and offer practical tips for addressing each area as well as a general framework for analyzing the impact of the GDPR on other AMC activities. Topics reviewed will include the following:
• International patient programs
• Serving as a clinical trial site in a multi-site trial sponsored by an EU-based pharmaceutical or medical device company.
• Conducting research in the EU that is “exempt” under the U.S. Common Rule but that involves the collection of personal data.
• Engaging a vendor located in the EU to perform services for a research study enrolling participants solely in the U.S.
How to Build a Comprehensive & Transparent Risk Management Program
Robert Babin (Saint Peter’s Healthcare System), Gerry Blass (ComplyAssistant) & Anurag Shankar (Indiana University)
IT risk management (RM) has grown to become the de facto approach for securing data, particularly sensitive data such as PHI. RM frameworks such as NIST CSF and ISO use risk analysis to help practitioners identify and mitigate risk in their IT environments.
This session includes:
- A day-in-the-life perspective from the CISO of a large academic medical center about the typical obstacles and challenges of keeping PHI and PII secure.
- An evaluation of risk metrics that must be transparent to executive leadership for proper governance, oversight, trending and funding.
- A glimpse into the future of RM and how it needs to become more nuanced as healthcare faces new threat landscapes and industry changes.
Using real-world case studies, the session will provide strategies and justification for funding a comprehensive, long-term RM program. Learn about the latest industry threats and how to get commitment from the entire senior leadership team to build, resource and enforce an RM program.
Great Efficiencies or More Risk? Changes to the Common Rule Pose Increased Privacy and Data Security Risks
Marti Arvin (CynergisTek) & Holly Benton (Duke Health)
This session will discuss the implications of the revised Common Rule on the process for initiating research studies. The revisions remove the requirement for IRB approval for an increased number of studies. However, the HIPAA regulations have not changed regarding the need for IRB/Privacy Board approval of the waiver of authorization. In addition, IRBs might previously have been the gatekeeper to determine if a study meets exemption criteria and therefore had a role in assuring the researcher understood that, while the Common Rule might not have been applicable, there may still be HIPAA obligations. With more IRBs eliminating submission requirements for human subject oversight, a downstream and challenging result is the removal of HIPAA compliance oversight in equal measure. Without awareness and thoughtful approaches to managing the risks this presents, covered entities may be getting more than they bargained for with increased efficiencies. This session will discuss the potential impact of this change on the risk of information being accessed improperly.
2:45-4:00 pm Concurrent Sessions
Case Studies: Establishing Secure & Compliant Cloud Services
Rob Sarkis (American Hospital Assn.), Bryan McGowan (Burwood Group), Bill Schultz (Vanderbilt University) & David Clevenger (Coalfire)
This session will explore two separate case studies in the use of cloud services at The American Hospital Association (AHA) and Vanderbilt University Medical Center (VUMC). The discussion will cover how these organizations approached security and compliance challenges associated with using cloud services. AHA will share how they evolved their security program policies and processes to achieve minimum required user permissions for their cloud platform users, gain visibility into the application workloads leveraging both infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), and expand the use of cloud services. VUMC will discuss a cloud implementation that involved high complexity and strict compliance requirements. We will look at some of the challenges in defining and understanding security responsibility, and how to leverage security service providers to fill in the gaps and help to demonstrate compliance. Our panel will explore how these organizations have overcome challenges on the journey to cloud security and compliance. They will share relevant challenges and accomplishments for any organization making the move to cloud adoption.
Strategies for Advancing Security Initiatives in Healthcare
Kirk Davis & Jerry Hare (Vidant Health), Jon Sternstein (Stern Security)
Learn about case studies of successful security projects within Vidant Health. The discussion will include strategies that worked and some that did not. The case studies will include management level activities such as security and risk management frameworks and successful ways to share the results. It will also include case studies of large technical projects such as 2-factor authentication and web gateway deployments. Large and small organizations will find the knowledge learned in this presentation valuable to advance the security posture in their organization.
Roundtable Discussion on Medical Device Cyber Security
George Reed & Emily Mengel (WakeMed); LeahAnn Clemens (Mayo Clinic)
This round table discussion will present WakeMed’s efforts to identify and mitigate the cybersecurity risks posed by medical devices and share best practices to improve device management and incident response. Developed as a multi-stakeholder initiative, this effort measured the success of existing processes and security controls, established goals for creating a more effective device management program, and led to organizational change. Learn from this experience as information security and clinical engineering teams offer their strategic goals and the options considered to enhance device security posture; present insights from device inventory, context, and IoMT relationships (topology mapping); openly discuss challenges and lessons learned; and provide recommendations and action steps for others to use to accelerate their own organization’s response.