Wednesday, October 21
9:00-10:15 am Plenary Session
Benefits & Value of Information Sharing for Organizations
Greg Singleton & William Welch (HHS) & Bill Hagestad (Medtronic)
The goal of information sharing is to create a collaborative, cooperative, and consistent community of information sharing and mutual trust. This panel discussion will address the benefits and challenges to information sharing, including laws, regulations, corporate policies and management. It will also address strategic, operational, tactical and practical perspectives appropriate to healthcare audiences. Panelists will give a unique perspective on industry guidelines, what organizations need to do to prepare for information sharing initiatives, what to share, how to share it, and how to protect any sensitive information they receive.
The panel discussion will be focused on the five pillars of Information sharing:
- Shared Situational Awareness
- Improved Security Posture
- Increased Competency Levels
- Improved Cyber Security Innovation
- Promote Collaboration, Community Trust and Sharing
10:45 am – 12:00 pm Concurrent Sessions
Lessons Learned Implementing an Effective Privacy Program with a New EMR, Part 2
Karen Pagliaro-Meyer (Columbia University Medical Center) & Tanisha Raiford (Weill Cornell Medicine)
Lessons learned when an Organized Healthcare Organization (OHCA) implements a single EMR include:
• Audits, monitoring and investigations
• Policies and Procedures
• Access and Privacy Protections
Implementing a new electronic medical record in a single healthcare organization is challenging. These organizations moved to a single EMR affecting over 30,000 users. The Privacy Officers worked together to learn the new EMR, develop a governance structure, outline a process for conducting auditing, monitoring and investigations, align policies to ensure efficiency, implement policies and procedures, review and ensure privacy protections and access, and identify and mitigate risk across the enterprise.
Grade Inflation: Understanding the Impacts a Potential Cyberwar has on the Risk Management Matrix
Sri Bharadwaj (UCI Healthcare) & Clyde Hewitt (CynergisTek)
Cyber security leaders rely on a risk matrix to make investment decisions, then quantify that data when they present their budget request to the CFO. Historically, we see organizations attempting to qualify risk in terms of likelihood and impact, following the NIST 800-30 framework. The results typically follow a bell-curve, with some risks ranked as High, but a majority designated as Moderate (or Medium), and the remaining as Low. Serious events — like hackers, malware, ransomware and theft of patient data — are traditionally ranked as High risks, given that the impacts involve a measurable financial loss and some risk to patient care.
Unfortunately, we have seen significant grade inflation over time, leaving little room for catastrophic impacts that could result from a cyber war. For example, organizations have serious concerns about their backup strategy to recover from a ransomware attack. The thought of not having recoverable hardware on which to even restore data is an impact outside the typical risk impact axis. During this session, learn how we can alter the current risk matrix to effectively introduce tertiary/ancillary risks that may be overlooked in the current model. I think we have to take a “whole picture” look and not get pigeonholed into risks that can be truly quantified from a CISO perspective.
For this reason, we need to reset the risk matrix, then explore options based on a more realistic impact continuum. This analysis would drive a deeper conversation around cyber resiliency, specifically focusing on incident response and what happens “after the boom.” The potential for cyber war is higher than ever given the current political environment.
At the end of the session, attendees will be able to:
• Identify how a potential cyberwar would impact an organization’s current risk assessment framework
• Justify an increased emphasis on cyber resiliency planning
• Apply a new rubric for measuring adverse impacts to a healthcare organization
• Defend the need for additional preparation across multiple workflows supporting an academic medical center
All Aboard! A ‘How to’ On Engagement & Impact Across the AMC Enterprise
Gerald Auger & Matt Jones (MUSC)
There are many disparate factions at an Academic Medical Center trying to accomplish their own focused goals. Cybersecurity as an enterprise function horizontally crosses and impacts all factions, but isn’t always positioned to understand the constraints its controls may introduce. This can result in control circumvention, animosity toward the information security office, and barriers to successful rollouts of new controls.
Over the last 2 years MUSC has implemented the “Information Security Forum” (ISF). This monthly enterprise-wide, inter-discipline forum provides a collaborative environment to engage the entire community and understand multiple perspectives. This has resulted in higher alignment of enterprise controls, tailored controls that properly reduce risk, and ‘ownership of information security’ by individuals in the enterprise who are not on the information security team. This has delivered major value and impact, and costs the organization $100 a month. This talk will share the approach to successfully launching your own ISF, lessons learned from MUSC’s 2 years of experience, and how you can leverage your ISF to reduce cyber risk at your AMC.
1:00-2:15 pm Concurrent Sessions
Email Threats & Defenses
Alex Everett & Peter Voland (UNC Health)
Over the past few years there has been a marked increase in the number of breaches or incidents involving email. Email continues to be critical to the operations of healthcare organizations, whether that is communications between staff, communications to employees, or communications with vendors. An incident can stem from a business email compromise (BEC) campaign, a phish, or a malicious attachment. If one of these attacks is successful, it can have a noticeable impact on the organization and disrupt business operations. Unfortunately, these types of incidents are increasing. According to the Department of Health and Human Services, the number of breaches affecting healthcare entities and involving email has risen in each of the last four years.
In this presentation we will examine these three attacks and the people, processes, and technologies that can reduce harm and inform leadership if an incident occurs. We will draw from actual attacks at our institution, the literature, and the controls that we evaluated. As an example, we will describe the Emotet malware and how it can trick trained and savvy users into reading an attachment. Another attack that we will cover is similar-name attacks and their role in business email compromise. As part of this we will discuss security awareness, similar-name detection in Office 365 and Gmail, and spoofing detection. Lastly, we will discuss the role of cyber insurance and digital forensics.
Dammit Jim, I’m a Doctor, Not a Security Analyst!
Jeffrey Volkheimer (Duke Health) & Nathalie Collins (Edith Cowan University, tentative)
Haven’t we all felt like McCoy at some point in our careers (or perhaps this week)? Getting other people to care about things is a *marketing* job. Can any organization really expect security professionals to be marketing experts too? Luckily, marketing tactics work no matter who executes them. If you needed, let’s say, a large hospital system to develop a security-conscious culture – fast – how would you do it? One proven tactic is to recruit, and embed, security champions across the organisation from all professional walks of life. This presentation will model a recruitment and execution campaign based on a behavioural segmentation strategy commonly used by marketers. The different segments of champions – and how to nurture them and make them effective – will be discussed. The end game: maybe McCoy can’t be a security analyst, but he can be a security champion.
2:45-4:00 pm Concurrent Sessions
World Cafe on Privacy & Compliance
Medical Device Security Best Practices & Lessons Learned
Kurt Griggs (Mayo Clinic) & Ty Greenhalgh (Cyber Tygr)
As health industry ransomware attacks and endpoint detections increase, so does the need for protecting medical devices through applied Health Technology Management (HTM). Mayo Clinic is once again on the leading edge in this effort. This presentation will provide the audience with an update on the latest medical device ecosystem cybersecurity developments, as well as describe Mayo Clinic’s HTM program, strategy and actionable recommendations used to decrease cybersecurity risk and increase patient safety.
Within the last year, organizations like the FDA, DHS, HHS, HSCC, Congress, CHIME and AEHIS have been proactive in their efforts to align the health industry’s cybersecurity efforts to include medical device security. This presentation sets the stage with a high-level overview of critical topics such as the FDA Safety Communication for Third Party Software Components, specific FDA Recalls, the Health Sector Coordinating Council’s Supply Chain Risk Management publication, the latest version of the MDS2, the Software Bill of Materials (SBOM) and proposed legislation to reduce breach penalties for hospitals employing specific cybersecurity practices.
The presentation continues by providing actionable examples of how Mayo Clinic’s program evaluated and operationalized medical device security technology. The audience will learn the limitations of traditional cybersecurity solutions, why there is a need for a more targeted technology, and the best practices Mayo found for implementing a comprehensive medical device security solution. The areas Mayo found most successful, which will be shared, include defining Mission, Goals & Objectives, Determining Needs, Aligning to a Framework, and Mayo’s Security Solutions. Attendees will leave with a clear understanding of the complex ecosystem, the rising threats to patient safety and of data breaches, the growing challenges in securing networks, and the best practices Mayo Clinic used in addressing Security, Privacy, Architecture & Data protection.
How to Make Incident Response Testing Faster & More Frequent
Jamie Nelson & Tremayne Smith (OSU Wexner Medical Center)
Sports teams know that practice is essential to create the muscle memory necessary to respond during a game. As with sports, teams within an organization need to practice responding to various incidents so they will know, without too much delay, how to respond. But practicing incident response and training the whole team can be a challenge. Incident Response vendors have cropped up to assist with running tests, and while these are valuable exercises, they are generally very high level, time consuming, and focused on the security team. It’s true that your security team may have a starring role in most security incident response, but every workforce member has a role to play in responding to potential security incidents, and they need training too. How can Incident Response testing be made more efficient through streamlining and customization to effectively prepare the whole team for incident response?
As part of the Security Education and Awareness Program, OSU’s Wexner Medical Center has developed a tiered IR Testing approach that allows the security team to run IR Tests at both the organizational and staff meeting level. The tests are fun and engage the audience in order to teach teams and individuals how to respond to any incident they may encounter. In this presentation, the speakers will conduct a brief IR Test with the group to demonstrate the process. They will also share with the audience their approach to scaling and running tests for a variety of scenarios and group sizes to ensure all workforce members have experience with IR Testing throughout the year.
Thursday, October 22
9:00-10:15 am Plenary Session
Quiz the Regulator
Verne Rinker, JD, MPH, MBA (HHS Office for Civil Rights)
10:45 am – 12:00 pm Concurrent Sessions
A Day in the Life of a Healthcare CISO: Tackling Health IT’s Most Common Challenges with a Proven Risk Management Strategy
Gerry Blass (ComplianceAssistant) & Jason Tahaney (Community Options)
A healthcare Chief Information Security Officer’s everyday job can be overwhelming. Tackling new cyber threats, advocating for budget, resources and staff, and maintaining an enterprise-wide security and compliance strategy are all part of the role. How does a CISO balance it all? The presenters will offer tactical tips on how to:
- Analyze the current landscape of healthcare cybersecurity and identify the main components of a comprehensive risk management strategy to protect your organization from common security and compliance inconsistencies.
- Identify the most threatening roadblocks in healthcare IT, including limited human and financial resources, rising costs and data silos, and apply proven risk management solutions to tackle these ever-evolving challenges.
- Apply real-life strategies – including governance, oversight, data analysis and field observation – to identify and respond to risk, maintain transparency, set budgets and effectively track risk registries, assessments, and the mitigation process.
SecureMyResearch: Securing Clinical Research on Campus
Anurag Shankar (Indiana University)
While HIPAA has spurred substantial progress in securing healthcare operations, clinical research data cybersecurity still remains a challenge. ePHI has slowly proliferated beyond AMC boundaries in recent years, making it difficult to secure. The problem is further exacerbated by a severe lack of cross-discipline expertise in research computing, compliance, and cybersecurity. Campuses are trying a variety of approaches to address the issue such as secure enclaves and researcher training, but solutions remain elusive. This talk will describe a fresh, alternative approach to research data cybersecurity Indiana University is pursuing called SecureMyResearch. Jointly funded by the Office of the Vice Presidents of Research and IT, this new initiative aims to reduce the cybersecurity and compliance burden on the researcher by baking cybersecurity in rather than expecting it from the researchers.
1:00-2:15 pm Concurrent Sessions
NIST Privacy Framework: A Healthcare Guide
Kaitlin Boeckl (NIST) & Karen Greenhalgh (Cyber Tygr)
The NIST Privacy Framework is designed to help organizations:
- Identify, assess, manage, and communicate privacy risks
- Develop innovative approaches to protect individuals’ privacy
- Increase trust in products and services
- Have a tool that would assist with enterprise privacy risk management
Process-oriented privacy principles (such as the Fair Information Practice Principles (FIPPs)) are an important component of an overall privacy strategy, but on their own have not achieved consistent and measurable results in privacy protection. In the security field, risk management models, along with technical standards and best practices, are key components of improving security. The NIST Privacy Framework applies successful security methodology, with clearly stated objectives and measurable outcomes, to the protection of privacy.
The Privacy Framework incorporates standards, frameworks, models, methodologies, tools, guidelines, and principles utilized by organizations to identify, assess, manage, and communicate privacy risk at the management, operational, and technical levels. Because it is compatible with existing legal and regulatory regimes, the healthcare industry will find the Framework useful in meeting the compliance requirements of the HIPAA Privacy Rule. Designed to integrate with the NIST Cybersecurity Framework (CSF), healthcare organizations may combine the NIST CSF and NIST Privacy Framework to incorporate compliance for HIPAA’s Security and Privacy Rules into the Enterprise Risk Management program.
Objectives: Participants will be able to
- Recognize the primary sources for current privacy management practices
- Discuss the relationship between privacy and security risks
- Compare and contrast NIST’s Cybersecurity and Privacy Frameworks
- Describe the structure and purpose of the NIST Privacy Framework
- Understand how to use the NIST Privacy Framework in their organizations
Application Testing through the Development Life Cycle
Bill Schultz (Vanderbilt University Medical Center) & Mike Weber (Coalfire)
While the need for vigilant application security is becoming more and more important, the means and methods for testing applications and system environments for security flaws are constantly adapting. In addition to tried and true penetration testing, other approaches such as Red Teams, Blue Teams, and Bug Bounty programs have become increasingly popular. Vulnerability assessment approaches like static code analysis and dynamic code scanning are also important pieces of the puzzle. However, it can get overwhelming (and expensive) to navigate the different options and determine what will provide the most value for your security program. In this session we will discuss this topic from the perspective of an active tester as well as from that of the people responsible for securing the application. We will look at the different types of testing programs, discuss the strengths and weaknesses of each, give some examples of when and why you might want to use them, and demonstrate how they fit into an overall security testing program and ideally align with your development life cycle. For example, we will discuss how certain testing approaches are better done in different environments (dev, test, prod) and how they can occur in different phases of the development life cycle. This will be an interactive session where we will cover practical tips and share lessons learned that should be relevant to other Academic Medical Centers looking to establish or enhance their own application testing program.
Video Remote Interpretation for On-Demand Healthcare Delivery: Privacy & Data Security Challenges for Language Access
Nancia Odom & Michael Hancock (Duke Health Technology Solutions)
Federal and state laws require that healthcare organizations that receive Medicare, Medicaid or reimbursement from federal health programs provide language access services to limited English proficient (LEP) and Deaf and hard of hearing (HOH) patients. One goal of Duke Health is to have a standardized, health system-wide software solution in place for these patients’ needs and to provide medical interpretation to patients in a language they can understand. Duke Health has implemented a mobile Video Remote Interpretation (VRI) application. The software presented privacy, data security, and on-demand healthcare delivery operational challenges that, once addressed, allowed Duke to meet patient language access needs in over 250 languages, in addition to compliance requirements, in order to provide service across the continuum of care.
2:45-4:00 pm Concurrent Sessions
Data Governance in AMCs: A Winning Strategy for Privacy Boards, IRBs & Patients
Jill McCormack (VCU Health) & Dawn Morgenstern (Clearwater Compliance)
As Academic Medical Centers and Universities move in a direction to reduce costs and redundancies, unique challenges surface relating to the use and disclosure of protected health information for research. The lines become blurred when each is under common control and ownership and a shared services business model exists for certain functions. The key is the separation of responsibilities of the Institutional Review Board (IRB) and the Privacy Board, in relation to the data sets derived from the AMC’s electronic health records. The presentation will discuss the steps that VCU Health System has undertaken to address the challenges, leverage shared services, streamline processes for Principal Investigators, and develop practices to comply with the requirements of the HIPAA Privacy and Security Rules.
Building an Enterprise Disaster Recovery Plan on a Shoestring Budget
Dennis Schmidt & John Mack (UNC-Chapel Hill)
Having a good disaster recovery plan is not only good practice, but it is also required by most government contracts and federal regulators. However, building a disaster recovery plan for enterprise environments is hard! Commercial solutions can be cost prohibitive and open source templates are hard to find. Cataloging necessary documentation and information on dozens of central systems can be a huge drain on personnel resources. In this session, we will discuss how a large university pulled together a team to create a comprehensive disaster recovery plan from scratch, using only internal resources. We will talk about:
- Getting buy-in from leadership and stakeholders
- Assembling the team
- Building the document framework
- Defining a disaster
- Determining what systems should be included
- Gathering data
- Writing the document
- Vetting the draft
- Publishing the living document
- Sharing the document – Who should be allowed to see it?
- Exercising the plan
Securing the Wild West of the Medical IoT & Connected Medical Devices
Tom Mustac (Mount Sinai Health System)
This panel discussion will address the monumental challenges that healthcare organizations face in ensuring the availability of a secure and reliable infrastructure for patients and the medical community. The discussion will address the following areas / questions:
- Overview of the breadth of challenges – What are the attack vectors and inhibitors we face?
- Where are we as an industry vertical in addressing these challenges?
- Prioritization of risks – Where does one start?
- What tools are available?
- Where are we heading / What does the future look like?
The panel will consist of senior cybersecurity leaders from other learning medical institutions / healthcare providers and practitioners who are leading cybersecurity programs at leading healthcare institutions.