Monday, June 3
9:00-10:15 am Plenary Session
Deep Dive into Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients
Erik Decker (University of Chicago Hospitals)
Learn more about the voluntary, consensus-based, industry-led and developed cybersecurity practices for the healthcare industry. Learn how a 150-member task force, facilitated by the Department of Health and Human Services, identified five cyber threats to healthcare and ten practices to help mitigate them.
- Describe the public-private partnership model developed between the Healthcare Sector Coordinating Council and the Government Coordinating Council
- List the five cybersecurity threats the industry feels are most critical to manage
- Identify the ten cybersecurity practices to mitigate these threats, and their sub-practices
- Discuss how to prioritize the threats for your organization, and how to mitigate them
10:45 am – 12:00 pm Concurrent Sessions
Achieving Better Privacy and Cybersecurity Through Data Classification and Rights Management
Stephanie Crabb (Immersive) & Alex Nisenbaum (PepperHamilton)
One of the recurring observations from the HIPAA audits and investigations conducted by the Office for Civil Rights (OCR) is that healthcare organizations do not and cannot account for all of their ePHI, both inside and outside of “the four walls.” Organizations don’t know the ePHI/PHI they have, where it is transmitted or how it is shared. This is often the reason that an organization is cited for an “incomplete or inaccurate” risk analysis. After all, you cannot assess or manage what you don’t know. Data Classification and Rights Management are disciplines that align privacy and security programs with healthcare operations and advance regulatory compliance performance. This session will introduce these disciplines and explore their early impact on privacy, security and operations in various organizations.
- Explain the fundamentals of data classification and rights management
- Describe the regulatory and operational drivers to implement data classification and rights management
- Discuss approaches and methods related to data classification and rights management
- Discuss one organization’s early efforts to implement data classification and rights management
- Explain how privacy and security programs benefit from data classification and rights management
Case Studies: Addressing Identity & Security in Healthcare at the University of Kansas Health System & Integris Health
James Beeson (University of Kansas Health System), Chris Lloyd (Oxford Computer Group), James Landers (Integris Health) & Matthew Radcliffe (SailPoint)
This session will explore the need for security and privacy around the creation, management, and distribution of identities in a healthcare organization, and why identity is one of, if not the most, important factors in securing your environment. AMCs’ challenges with identity management are compounded by the prevalence of multi-role identities: a single person can hold identities as a student, intern, faculty member, patient, employee, etc. Learn how to manage multi-role identities so that they are provisioned and deprovisioned efficiently and securely, with the correct permissions in every cloud and on-premises system and application. Learn how the University of Kansas Health System put this into practice and what they are doing to ensure security and privacy through the management of their identities.
Learn how Integris Health is addressing their business challenges, including the increasing demands of compliance requirements and lack of visibility into clinical applications like Epic and Cerner. They are in the midst of building an integrated identity program with SailPoint. Learn about the successes and lessons learned while constructing a security and compliance strategy and team centered around identity access governance and administration, and what they recommend other healthcare providers consider when building a program that protects and secures access to patients’ private healthcare information.
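The multi-role problem described above comes down to one lifecycle rule: when an affiliation ends, access must be re-derived from the affiliations that remain, not subtracted role by role. The following is an added example written for this page (not code from the University of Kansas Health System, Integris Health or SailPoint); the affiliation-to-entitlement mapping, the entitlement names and the sample person are hypothetical. It contrasts the common "revoke everything that role carried" bug, which strips email from someone who is still a student, with a reconciliation that revokes only role-managed access no remaining affiliation justifies and routes hand-granted access (a break-glass entitlement here) to review instead of silently keeping it.

```python
"""Reconciling entitlements for a multi-role identity (added example).
The birthright mapping and the sample person are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical affiliation -> birthright entitlements; a real program loads
# this from its IGA policy store.
BIRTHRIGHT: dict[str, frozenset[str]] = {
    "employee": frozenset({"ad:staff", "email", "vpn", "epic:clinical-basic"}),
    "faculty":  frozenset({"ad:staff", "email", "vpn", "grants-portal"}),
    "student":  frozenset({"ad:students", "email", "lms"}),
    "patient":  frozenset({"mychart"}),
}
# Everything any role can grant; anything else a person holds was requested by hand.
ROLE_MANAGED: frozenset[str] = frozenset().union(*BIRTHRIGHT.values())


@dataclass
class Identity:
    uid: str
    affiliations: set[str]
    entitlements: set[str] = field(default_factory=set)


def desired_entitlements(affiliations: set[str]) -> set[str]:
    """Union of birthright access for every affiliation the person still holds."""
    return set().union(*(BIRTHRIGHT[a] for a in affiliations))


def reconcile(identity: Identity) -> tuple[set[str], set[str], set[str]]:
    """Diff current access against what the remaining affiliations justify.

    Returns (to_grant, to_revoke, exceptions):
      to_grant   - birthright access the person should have but lacks
      to_revoke  - role-managed access no current affiliation justifies
      exceptions - hand-requested access outside any role; send to certification
    """
    desired = desired_entitlements(identity.affiliations)
    unjustified = identity.entitlements - desired
    return (desired - identity.entitlements,
            unjustified & ROLE_MANAGED,
            unjustified - ROLE_MANAGED)


def naive_revoke_role(identity: Identity, ended: str) -> set[str]:
    """The common bug: revoke everything the ended role carried, ignoring other roles."""
    identity.affiliations.discard(ended)
    revoked = set(BIRTHRIGHT[ended] & identity.entitlements)
    identity.entitlements -= revoked
    return revoked


def end_affiliation(identity: Identity, ended: str) -> tuple[set[str], set[str], set[str]]:
    """Correct lifecycle step: drop the affiliation, then re-derive access from what remains."""
    identity.affiliations.discard(ended)
    to_grant, to_revoke, exceptions = reconcile(identity)
    identity.entitlements |= to_grant
    identity.entitlements -= to_revoke
    return to_grant, to_revoke, exceptions


def demo() -> dict:
    # Constructed sample: a resident who is employee + student and also a patient,
    # with one hand-granted Epic break-glass entitlement outside any role.
    person = Identity("jdoe", {"employee", "student", "patient"})
    to_grant, _, _ = reconcile(person)
    person.entitlements |= to_grant                 # initial provisioning
    person.entitlements.add("epic:break-glass")     # manual request, not birthright

    naive = Identity("jdoe", set(person.affiliations), set(person.entitlements))
    naive_lost = naive_revoke_role(naive, "employee")   # takes email from a current student

    _, revoked, needs_review = end_affiliation(person, "employee")
    return {
        "naive_lost_email": "email" in naive_lost,
        "revoked": revoked,
        "kept": set(person.entitlements),
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the employee's clinical access (ad:staff, vpn, epic:clinical-basic) is revoked while email survives because the student affiliation still justifies it; the break-glass grant is neither kept blindly nor dropped, but returned for a human to certify, which is the visibility gap the Epic and Cerner discussion above is about.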
Exploring Opportunities and Challenges in Creating Learning Health Systems
Holt Anderson (Learning Health Strategies) & Ed Hammond (Duke Center for Health Informatics)
Launched as a concept by the National Academy of Medicine in 2008, the realization of Learning Health Systems (LHSs) is gaining ground around the globe and more organizations are beginning to include the concept in their strategic planning. This session will explore the LHS concept, examples underway elsewhere and how other AMC members might join in a leadership effort to explore this concept and map a strategy for achieving success. Challenges to the realization of this vision include:
- Establishing a trust framework that includes governance and policy agreements and standards to enable the aggregation, analysis, and dissemination of knowledge among LHS participants
- Creation of business cases that outline the reciprocal ROI for providers, payers, and individuals that will create the market demand for LHSs, and
- An understanding among health professionals and individuals of the benefits of LHSs that underscores the need for and provides a demand for their implementation.
1:00-2:15 pm Concurrent Sessions
Implementing an Effective Auditing and Monitoring Program with a New EMR: Two AMCs + One Healthcare System = OHCA
Karen Pagliaro-Meyer (Columbia University) & Tanisha Raiford (Weill Cornell Medicine)
An Organized Health Care Arrangement (OHCA) implemented a single electronic medical record shared by two separate universities and one large healthcare system. Over 30,000 users who were workforce members of three separate organizations were required to complete training and transition to the new EMR. The three Privacy Officers worked together to develop a governance structure, outline processes to conduct auditing, monitoring and investigations, and align policies as necessary. Policies aligned included: Notice of Privacy Practices, Sanctions, Privacy Complaints, Legal Health Record and Designated Record Set, Managing patients requiring additional privacy protections, and Release of Medical Information. Along the way we shared best practices and established systems to effectively manage potential HIPAA breaches.
Back to Basics: How to Create Effective Security Policies
Chuck Kesler (Pendo.io) & Steve Cardinal (Medical University of South Carolina)
One of the most dreaded tasks in information security has to be developing policies. While we all know that policies are needed to make technical and physical security controls effective, many policies end up being poorly written, misunderstood, and often even ignored by the workforce. In this session, we will review best practices and simple approaches that can be used to create and implement more effective information security policies.
- Describe the foundational steps and principles required to create effective policies.
- Explain how to align policies with the organization’s internal and external environment and requirements.
- Discuss a process for developing and implementing policies to ensure that they are understood and adopted by the organization.
Overcoming Barriers that Keep You from Building a Secure Mobile App that People Actually Use
Jeff Kramer (MD Interconnect) & Peter Nelson (Stern Security)
Privileged accounts, those with security-relevant functionality beyond regular user accounts, are exploited in about 80 percent of computer hacks. And as if the bad guys aren’t challenging enough, privileged accounts are the objects of desire for red team testers and IT auditors who always seem to be looking for chinks in the armor. This prompts organizations to proactively apply security controls leveraging people, process and technology through well-thought-out strategies to manage risk while enabling business. Accounts used by system, application and database administrators, as well as accounts used to configure and maintain network infrastructure or control the functioning of medical devices, workstations and mobile devices, are all part of the management strategy. Hear how two large organizations are prioritizing and dealing with these challenges, and glean a few golden nuggets from their lessons learned.
2:45-4:00 pm Concurrent Sessions
Roundtable Discussion on First Question – Whose Risk Is It Anyway?
Shelly Epps (Duke Health), Susan Hayden, JD (Duke University School of Medicine) & Dennis Schmidt (UNC Health Care)
In a complex AMC environment, where mobile and web apps, wearables, and other technology could be developed internally, be commercially available, be provided by external partners, etc., the security, privacy, contract and regulatory resources required to evaluate and mitigate risk can be quickly exhausted. Efforts are often duplicated and inefficient as these resources work in isolation without a central communication pathway. We will host a roundtable discussion using specific use cases and audience participation to suggest ways to bucket and scope risk assessments and specifically to use authorization and template contract controls to mitigate risk in scenarios where an AMC cannot (or should not) perform an in-depth risk assessment. We’ll briefly show how a centralized platform might improve assessment efficiency and transparency. Bring opinions/ideas/workarounds from your own institutions and join what we hope will be a lively discussion.
Three Keys to Mature Vendor Security Risk Management Programs
Stephen Dunkle (Geisinger Health System) & Cliff Baker (CORL Technologies)
Learn about key trends and critical elements for maturing a vendor security risk management program. Presenters will offer an overview of these basic steps for Maturing Vendor Risk Management in Healthcare: 1) Determine what the organization needs/desires for a successful VSRM program, 2) Design the program – governance, process, technology, and ability to sustain, and 3) Implement and continue to improve. They will also discuss industry trends, including:
- Third-party data risk is on the rise among U.S. firms, with an estimated 61% experiencing a breach caused by third parties, up from the previous year.
- Organizations continue to lack visibility into the number of third parties (Nth parties, etc.) they are sharing sensitive information with. Only 34% have a comprehensive inventory of all third-parties. (Source: Ponemon Institute.)
- In healthcare settings, risk tiering techniques reveal specific ‘vendor types’ that present greater data security risk than others, which can streamline vendor security risk management. (Source: CORL Technologies data.)
Blockchain and Healthcare: Better Health Information Sharing
Ken Mortenson (InterSystems), Shay Hassidim (SEMA-4) & Ray Shelton (Mount Sinai Health)
Blockchain as a technology is mostly associated with cryptocurrencies, but the underlying technology is a decentralized, distributed, digital ledger that is open and verifiable, is used to record transactions across many systems, and prevents retroactive alteration of a record without alteration of all subsequent blocks; as such, it is described as a value-exchange protocol. These attributes can be used to address core controls around the collection, use, and disclosure of patient information with the safeguards required under many legal and regulatory regimes, including HIPAA and GDPR. The integrated safeguards for information security, such as access controls, immutable logging, encryption, and data integrity, can be mapped to the legal requirements in order to operate a zero trust model in compliance with the law. Any cloud environment comes with a blend of complex rules the IT organization should implement. Managing these controls via blockchain may provide the eco-system needed. Topics include:
• What controls (and legal requirements) must be considered?
• Why current controls are insufficient.
• Many of the building blocks for leveraging Blockchain based technology are there – these need to be assembled to form your next generation data security fabric.
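The property the abstract relies on, that a record cannot be altered retroactively without recomputing every later block, is just a chain of hashes, and it is worth seeing exactly what it does and does not prevent before mapping it to HIPAA or GDPR controls. The following is an added example written for this page, not code from any of the speakers' products; the disclosure records are constructed and the block format is a hypothetical minimal one (SHA-256 over canonical JSON). It shows an in-place edit being caught at the edited block, an edit-plus-rehash being caught at the next block, and the caveat: a single custodian holding the whole chain can rehash everything downstream and the verifier is none the wiser, so the "immutable logging" claim holds only when copies of the chain are held by parties who would refuse the rewrite.

```python
"""Minimal hash-chained audit ledger (added example, hypothetical format).
Demonstrates why a block cannot be edited without re-hashing every later block,
and why that alone is not tamper-evidence if one party holds the only copy."""
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict
    hash: str


def block_hash(index: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys) so an identical record always hashes identically.
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def build_chain(records: list[dict]) -> list[Block]:
    chain, prev = [], GENESIS_HASH
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        chain.append(Block(i, prev, rec, h))
        prev = h
    return chain


def first_broken_block(chain: list[Block]) -> int:
    """Index of the first block whose stored hash or back-link is inconsistent, or -1 if intact."""
    prev = GENESIS_HASH
    for b in chain:
        if b.prev_hash != prev or b.hash != block_hash(b.index, b.prev_hash, b.payload):
            return b.index
        prev = b.hash
    return -1


def rewrite_from(chain: list[Block], index: int, new_payload: dict) -> list[Block]:
    """What a party controlling the entire chain must do to hide an edit: re-hash from `index` on."""
    out = copy.deepcopy(chain)
    out[index].payload = new_payload
    prev = out[index].prev_hash
    for b in out[index:]:
        b.prev_hash = prev
        b.hash = block_hash(b.index, b.prev_hash, b.payload)
        prev = b.hash
    return out


# Constructed sample disclosure records (hypothetical identifiers).
SAMPLE_RECORDS = [
    {"actor": "dr.smith", "patient": "MRN-1001", "action": "view", "purpose": "treatment"},
    {"actor": "billing.app", "patient": "MRN-1001", "action": "export", "purpose": "payment"},
    {"actor": "dr.jones", "patient": "MRN-2002", "action": "view", "purpose": "treatment"},
]


def demo() -> dict:
    chain = build_chain(SAMPLE_RECORDS)
    intact = first_broken_block(chain)                     # -1: nothing wrong

    # Case 1: edit a payload in place; that block's own hash no longer matches.
    tampered = copy.deepcopy(chain)
    tampered[1].payload["purpose"] = "treatment"
    edit_only = first_broken_block(tampered)               # 1

    # Case 2: edit and re-hash only that block; the next block's back-link now breaks.
    tampered[1].hash = block_hash(1, tampered[1].prev_hash, tampered[1].payload)
    edit_and_rehash = first_broken_block(tampered)         # 2

    # Case 3: re-hash every later block too; a lone custodian can hide the edit entirely.
    rewritten = rewrite_from(chain, 1, dict(SAMPLE_RECORDS[1], purpose="treatment"))
    full_rewrite = first_broken_block(rewritten)           # -1 again

    return {"intact": intact, "edit_only": edit_only,
            "edit_and_rehash": edit_and_rehash, "full_rewrite": full_rewrite}


if __name__ == "__main__":
    print(demo())
```

The third case is the one to keep in mind when the session talks about immutable logging: the hash chain makes an edit expensive and detectable by anyone holding an older copy of the chain, but it proves nothing by itself about who made the edit or when, which is why the session's framing of blockchain as distributed across many systems matters more than the hashing.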
Tuesday, June 4
9:00-10:15 am Plenary Session
Quiz the Regulator
Emily Crabbe, JD (HHS Office for Civil Rights)
Each year the AMC conference is pleased to host a key staff member from HHS engaged in HIPAA support, enforcement, and related duties. This year we have Emily Crabbe, JD, Investigator with the HHS Office for Civil Rights. A key facet of this session is a long Q&A period. This is a good time to get your questions answered and to understand OCR’s announced plans for regulation development, enforcement, auditing, guidance development, etc.
10:45 am -12:00 pm Concurrent Sessions
Beyond California: Ascendant State Standards for Data Privacy and Cybersecurity
David Holtzman (CynergisTek) & David Behinfar (UNC Health Care)
The attention given to the California Consumer Privacy Act shines a light on the work of states around the country establishing data privacy and cybersecurity standards to safeguard data containing consumers’ personally identifiable information (PII). Every state has its own breach notification law, with nearly one-half adopting data security and/or data disposal requirements. Others have implemented comprehensive cybersecurity requirements that target the insurance and/or the financial services industries.
State attorneys general (AGs) have been taking innovative approaches to punish entities for failing to safeguard PII, applying a mix of data protection standards and consumer protection laws prohibiting unfair trade practices. A 2018 Pennsylvania Supreme Court ruling finding entities that collect PII have a Common Law legal duty to use reasonable safeguards to prevent its theft or unauthorized access could portend a significant rise in consumers suing for damages from data breaches. State breach notification and data protection laws to safeguard consumer PII have created a patchwork of complex, and potentially conflicting obligations. The penalties and litigation costs for those organizations that do not yet effectively protect their PII could be backbreaking.
- Identify common themes in the development of state data privacy and cybersecurity standards to safeguard PII.
- Discuss enforcement by state attorneys general and how consumer litigation is driving changes in the behavior of organizations that handle PII
- Explain what are reasonable safeguards and how they are evolving
Collaborative Security: How Information Sharing Can Add to Your Team
Denise Anderson (H-ISAC) & TJ Bean (HCA)
This session will look at case studies of successful information sharing in incidents such as WannaCry and Petya/Not Petya. Topics include:
- How information is shared
- What information is shared and with whom
- Why information sharing is an important tool in prevention and incident response
- How collaboration can quickly create mitigation strategies
IoT in Healthcare
Rosemary Herhold (Duke Health) & Lee Olson (Mayo Clinic)
The Internet of Things (IoT) is not coming to healthcare organizations; it is already here. IoT devices can be connected to an organization’s network (sometimes without detection), bypassing normal review channels. This presentation answers the questions, ‘What should we do first?’, and ‘What practical, risk-based approaches should a healthcare provider take?’ The presenters will discuss IoT risk assessment techniques, threats, inventory challenges, visibility, and potential loss events from data leakage, insecure communications channels, vulnerable software, etc. They will also discuss countermeasures and lay out a practical plan to address risks associated with IoT.
1:00-2:15 pm Concurrent Sessions
Impact of the European Union’s General Data Protection Regulation on U.S. Academic Medical Centers and Healthcare Facilities
Dina Marty (Wake Forest Baptist Health) & David Peloquin (Ropes & Gray LLP)
The European Union’s landmark privacy legislation, the General Data Protection Regulation (GDPR), took effect on May 25, 2018. The law has a broad extra-territorial reach, but determining its application to the activities of U.S. academic medical centers and other healthcare facilities can be challenging. In this presentation, speakers will address several areas in which the GDPR affects U.S. AMCs and offer practical tips for addressing each area as well as a general framework for analyzing the impact of the GDPR on other AMC activities. Topics reviewed will include the following:
• International patient programs
• Serving as a clinical trial site in a multi-site trial sponsored by an EU-based pharmaceutical or medical device company.
• Conducting research in the EU that is “exempt” under the U.S. Common Rule but that involves the collection of personal data.
• Engaging a vendor located in the EU to perform services for a research study enrolling participants solely in the U.S.
Is All Risk Accounted For?
Anurag Shankar (Indiana University)
IT risk management has grown to become the de facto approach for securing data, particularly sensitive data such as PHI. Risk management frameworks such as NIST CSF, NIST RMF, and ISO use risk analysis to help practitioners identify and mitigate risk in their IT environments. Unfortunately, the risk analysis as conducted today focuses solely on risk generating components, for instance the server, desktop, network, people, etc. This linear, one dimensional treatment of risk ignores the highly dynamic nature of the risk equation. The characteristics, location, and timing of vulnerabilities depend not only on components but also on how they intermesh and move. We will show how this oversight generates residual risk and offer strategies to incorporate and mitigate this risk.
Great Efficiencies or More Risk? Changes to the Common Rule Pose Increased Privacy and Data Security Risks
Marti Arvin (CynergisTek) & Holly Benton (Duke Health)
This session will discuss the implications of the revised Common Rule on the process for initiating research studies. The revisions remove the requirement for IRB approval for an increased number of studies. However, the HIPAA regulations have not changed regarding the need for IRB/Privacy Board approval of the waiver of authorization. In addition, IRBs might previously have been the gatekeeper that determined whether a study meets exemption criteria, and therefore had a role in assuring the researcher understood that, while the Common Rule might not be applicable, there may still be HIPAA obligations. With more IRBs eliminating submission requirements for human subject oversight, a downstream and challenging result is the removal of HIPAA compliance oversight in equal measure. Without awareness and thoughtful approaches to managing the risks this presents, covered entities may be getting more than they bargained for with increased efficiencies. This session will discuss the potential impact of this change on the risk of information being accessed improperly.
2:45-4:00 pm Concurrent Sessions
Case Studies: Cloud Security & Compliance at the American Hospital Association & Vanderbilt University
Rob Sarkis (American Hospital Assn.), Bryan McGowan (Burwood Group), Bill Schultz (Vanderbilt University) & David Clevenger (Coalfire)
The American Hospital Association (AHA) made it a primary goal for their Security team to gain visibility and control over its public cloud deployments. Leveraging a proven combination of automation and cloud security governance, AHA embarked on a project to secure its public cloud environments. During this journey, AHA was able to identify, classify and assign minimum required permissions to their population of cloud platform users. AHA was also able to gain visibility into the overall cost of application workloads leveraging both infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), enabling efficient resource management. Finally, AHA was able to validate their cloud environment against best-practice security configuration. Learn about their journey to cloud security and compliance. They will share relevant challenges and accomplishments for any organization making the move to cloud adoption.
When organizations stand up new services or move existing applications to the cloud, IT security efforts need to be coordinated among business units and with third-party partners, such as cloud platform providers. As sensitive information flows back and forth among devices and servers in the cloud, it’s critical to document where the security responsibilities begin and end for your organization and your service providers. You also need to identify gaps and determine who will close those gaps. Learn about a cloud implementation use case at Vanderbilt University where these issues came together and were put under a high level of security and compliance scrutiny. We will look at the successes and lessons learned throughout this engagement. Finally, we will have a group discussion regarding how security professionals can embrace emerging technologies.
Case Studies: How Vidant Health & Cone Health Have Addressed Common Security Threats
Kirk Davis & Jerry Hare (Vidant Health), Jon Sternstein (Stern Security), TBD (Cone Health) & Jeff Comer (Sirius)
Learn about successful security projects at Vidant Health. The discussion will include strategies that worked and some that did not. Projects include: security and risk management frameworks and successful ways to share the results, two-factor authentication and web gateway deployments. Large and small organizations can benefit from the lessons learned.
Healthcare organizations face modern security threats from BYOD, IoT, biomedical devices, SaaS and cloud applications. These issues may require new policies, processes, and next generation security controls, but a large part of the threat can be mitigated with traditional and practical security controls such as network segmentation. While most organizations have long desired to build internal controls inside of mostly “flat” networks, re-architecture and cost have been cited as barriers. Segmented networks protect the organization’s “crown jewels,” including financial, employee and patient data. Learn from Cone Health a practical approach to network segmentation and how this security control can greatly reduce the impact of a compromise in the world of an ever-expanding threat landscape.
Roundtable Discussion on Medical Device Cyber Security
George Reed & Emily Mengel (WakeMed) & LeahAnn Clemens (Mayo Clinic)
This round table discussion will present WakeMed’s efforts to identify and mitigate the cybersecurity risks posed by medical devices and share best practices to improve device management and incident response. Developed as a multi-stakeholder initiative, this effort measured the success of existing processes and security controls, established goals for creating a more effective device management program, and led to organizational change. Learn from this experience as information security and clinical engineering teams offer their strategic goals and the options considered to enhance device security posture; present insights from device inventory, context, and IoMT relationships (topology mapping); openly discuss challenges and lessons learned; and provide recommendations and action steps for others to use to accelerate their own organization’s response.