Wednesday, October 21
9:00-10:15 am Plenary Session
Benefits & Value of Information Sharing for Organizations
Greg Singleton & William Welch (HHS) & Bill Hagestad (Medtronic)
The goal of information sharing is to create a collaborative, cooperative, and consistent community of information sharing and mutual trust. This panel discussion will address the benefits and challenges to information sharing, including laws, regulations, corporate policies and management. It will also address strategic, operational, tactical and practical perspectives appropriate to healthcare audiences. Panelists will give a unique perspective on industry guidelines, what organizations need to do to prepare for information sharing initiatives, what to share, how to share it, and how to protect any sensitive information they receive.
The panel discussion will focus on the five pillars of information sharing:
- Shared Situational Awareness
- Improved Security Posture
- Increased Competency Levels
- Improved Cyber Security Innovation
- Promote Collaboration, Community Trust and Sharing
10:45 am – 12:00 pm Concurrent Sessions
Lessons Learned Implementing an Effective Privacy Program with a New EMR, Part 2
Karen Pagliaro-Meyer (Columbia University Medical Center) & Tanisha Raiford (Weill Cornell Medicine)
Lessons learned when an Organized Healthcare Organization (OHCA) implements a single EMR include:
• Audits, monitoring and investigations
• Policies and Procedures
• Access and Privacy Protections
Implementing a new electronic medical record in a single healthcare organization is challenging. These organizations moved to a single EMR affecting over 30,000 users. The Privacy Officers worked together to learn the new EMR and develop a governance structure, outline a process for auditing, monitoring and investigations, align policies to ensure efficiency, implement policies and procedures, review and ensure privacy protections and access, and identify and mitigate risk across the enterprise.
Grade Inflation: Understanding the Impacts a Potential Cyberwar has on the Risk Management Matrix
Sri Bharadwaj (UCI Healthcare) & Clyde Hewitt (CynergisTek)
Cyber security leaders rely on a risk matrix to make investment decisions, then quantify that data when they present their budget request to the CFO. Historically, we see organizations attempting to qualify risk in terms of likelihood and impact, following the NIST 800-30 framework. The results typically follow a bell-curve, with some risks ranked as High, but a majority designated as Moderate (or Medium), and the remaining as Low. Serious events — like hackers, malware, ransomware and theft of patient data — are traditionally ranked as High risks, given that the impacts involve a measurable financial loss and some risk to patient care.
Unfortunately, we have seen significant grade inflation over time, leaving little room for catastrophic impacts that could result from a cyber war. For example, organizations have serious concerns about their backup strategy to recover from a ransomware attack. The thought of not having recoverable hardware on which to even restore data is an impact outside the typical risk impact axis. During this session, learn how we can alter the current risk matrix to effectively introduce tertiary/ancillary risks that may be overlooked in the current model. I think we have to take a “whole picture” look and not get pigeonholed into risks that can be truly quantifiable from a CISO perspective.
For this reason, we need to reset the risk matrix, then explore options based on a more realistic impact continuum. This analysis would drive a deeper conversation around cyber resiliency, specifically focusing on incident response and what happens “after the boom.” The potential for cyber war is higher than ever given the current political environment.
At the end of the session, the attendees will be qualified to:
• Identify how a potential cyberwar would impact an organization’s current risk assessment framework
• Justify an increased emphasis on cyber resiliency planning
• Apply a new rubric for measuring adverse impacts to a healthcare organization
• Defend the need for additional preparation across multiple workflows supporting an academic medical center
All Aboard! A ‘How to’ On Engagement & Impact Across the AMC Enterprise
Gerald Auger & Matt Jones (MUSC)
There are many disparate factions at an Academic Medical Center trying to accomplish their own focused goals. Cybersecurity as an enterprise function horizontally crosses and impacts all of them, but isn’t always positioned to understand the constraints that controls may introduce. This can result in control circumvention, animosity toward the information security office, and barriers to successful rollouts of new controls.
Over the last 2 years MUSC has implemented the “Information Security Forum” (ISF). This monthly enterprise-wide, interdisciplinary forum provides a collaborative environment to engage the entire community and understand multiple perspectives. This has resulted in higher alignment of enterprise controls, tailored controls that properly reduce risk, and ‘ownership of information security’ by individuals in the enterprise who are not on the information security team. This has had major value and impact, and costs the organization $100 a month. This talk will share the approach to successfully launching your own ISF, lessons learned from MUSC’s 2 years of experience, and how you can leverage your ISF to reduce cyber risk at your AMC.
1:00-2:15 pm Concurrent Sessions
A Deep Look at Breaches: Managing Vulnerability in the Next Decade
Angel Hoffman (APHC Compliance) & Jon Sternstein (Stern Security)
This session will identify cybersecurity efforts in relation to current breaches. Information from both field experience and a literature review will be included to help unearth some of the reasons for recent breaches at various health care organizations. The goals of this session are to reveal recent causes, summarize organizational rationales for current conditions, and identify mitigation strategies related to future breaches and anticipated risk. The panel will discuss current trends related to health care breaches moving into the new decade. Phishing and ransomware will also be addressed in the discussion, as the panel looks at types of risk, volume and frequency of breaches, and defense strategies.
Email Threats & Defenses
Alex Everett & Peter Voland (UNC Health)
Over the past few years there has been a marked increase in the number of breaches or incidents involving email. Email continues to be critical to the operations of healthcare organizations, whether that is communications between staff, communications to employees, or communications with vendors. An incident can stem from a business email compromise (BEC) campaign, a phish, or a malicious attachment. If one of these attacks is successful, it can have a noticeable impact on the organization and on business operations. Unfortunately, these types of incidents are increasing. According to the Department of Health and Human Services, the number of breaches affecting healthcare entities and involving email has risen in each of the last four years.
In this presentation we will examine these three attacks and the people, processes, and technologies that can reduce harm and inform leadership if an incident occurs. We will draw from actual attacks at our institution, the literature, and the controls that we evaluated. As an example, we will describe the Emotet malware and how it can trick trained and savvy users into opening an attachment. Another attack that we will cover is similar-name attacks and their role in business email compromise. As part of this we will discuss security awareness, similar-name detection in Office 365 and Gmail, and spoofing detection. Lastly, we will discuss the role of cyber insurance and digital forensics.
Dammit Jim, I’m a Doctor, Not a Security Analyst!
Jeffrey Volkheimer (Duke Health) & Nathalie Collins (Edith Cowan University, tentative)
Haven’t we all felt like McCoy at some point in our careers (or perhaps this week)? Getting other people to care about things is a *marketing* job. Can any organization really expect security professionals to be marketing experts too? Luckily, marketing tactics work no matter who executes them. If you needed, let’s say, a large hospital system to develop a security-conscious culture – fast – how would you do it? One proven tactic is to recruit, and embed, security champions across the organisation from all professional walks of life. This presentation will model a recruitment and execution campaign based on a behavioural segmentation strategy commonly used by marketers. The different segments of champions – and how to nurture them and make them effective – will be discussed. The end game: maybe McCoy can’t be a security analyst, but he can be a security champion.
2:45-4:00 pm Concurrent Sessions
World Cafe on Privacy & Compliance
Medical Device Security Best Practices & Lessons Learned
Kurt Griggs (Mayo Clinic) & Ty Greenhalgh (Cyber Tygr)
As health industry ransomware attacks and endpoint detections increase, so does the need for protecting medical devices through applied Health Technology Management (HTM). Mayo Clinic is once again on the leading edge in this effort. This presentation will provide the audience with an update on the latest medical device ecosystem cybersecurity developments as well as describe Mayo Clinic’s HTM program, strategy and actionable recommendations used to decrease cybersecurity risk and increase patient safety.
Within the last year, organizations like the FDA, DHS, HHS, HSCC, Congress, CHIME and AEHIS have been proactive in their efforts to align the health industry’s cybersecurity efforts to include medical device security. This presentation sets the stage with a high-level overview of critical topics such as the FDA Safety Communication for Third Party Software Components, specific FDA Recalls, the Health Sector Coordinating Council’s Supply Chain Risk Management publication, the latest version of the MDS2, the Software Bill of Materials (SBOM) and proposed legislation to reduce breach penalties for hospitals employing specific cybersecurity practices.
The presentation continues by providing actionable examples of how Mayo Clinic’s program evaluated and operationalized medical device security technology. The audience will learn the limitations of traditional cybersecurity solutions, why there is a need for a more targeted technology, and the best practices Mayo found for implementing a comprehensive medical device security solution. Areas Mayo found most successful include defining Mission, Goals & Objectives, Determining Needs, Aligning to a Framework, and Mayo’s Security Solutions, which will be shared. Attendees will leave with a clear understanding of the complex ecosystem, the rising threats to patient safety and data breaches, the growing challenges in securing networks, and the best practices Mayo Clinic used in addressing Security, Privacy, Architecture & Data protection.
How to Make Incident Response Testing Faster & More Frequent
Jamie Nelson & Tremayne Smith (OSU Wexner Medical Center)
Sports teams know that practice is essential to create the muscle memory necessary to respond during a game. As with sports, teams within an organization need to practice responding to various incidents so they will know, without too much delay, how to respond. But practicing incident response and training the whole team can be a challenge. Incident Response vendors have cropped up to assist with running tests, and while these are valuable exercises, they are generally very high level, time consuming, and focused on the security team. It’s true that your security team may have a starring role in most security incident response, but every workforce member has a role to play in responding to potential security incidents, and they need training too. How can Incident Response testing be made more efficient through streamlining and customization to effectively prepare the whole team for incident response?
As part of the Security Education and Awareness Program, OSU’s Wexner Medical Center has developed a tiered IR Testing approach that allows the security team to run IR Tests at both the organizational and staff meeting level. The tests are fun and engage the audience in order to teach teams and individuals how to respond to any incident they may encounter. In this presentation, the speakers will conduct a brief IR Test with the group to demonstrate the process. They will also share with the audience their approach to scaling and running tests for a variety of scenarios and group sizes to ensure all workforce members have experience with IR Testing throughout the year.
Thursday, October 22
9:00-10:15 am Plenary Session
Quiz the Regulator
Devi Mehta, JD, MPH (HHS Office for Civil Rights)
10:45 am – 12:00 pm Concurrent Sessions
The OCR HIPAA Audit Protocol: What’s in There?
Chuck Kesler (Pendo.io)
In July 2018, the OCR published an updated version of their audit protocol for the Privacy, Security, and Breach Notification Rules as part of their Phase 2 HIPAA Audit Program (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html). In this session, we will break down the key audit requirements for different parties (Providers, Payers, Business Associates), and discuss how you can use other audits, like a SOC2 audit, to ensure you have the right controls in place and monitor compliance.
Trust but Verify: How to Protect Your Organization from Third-Party Security Breaches
Robert Babin (Saint Peter’s Healthcare) & Gerry Blass (ComplyAssistant) TENTATIVE
In today’s global economy and highly connected system of networks, we are susceptible to any attacker from any country who has a digital path right to our doorstep. We need to work even harder to protect information that could be exposed online. That includes how we interact with third-party vendors and business associates who are obligated to safeguard our data. Before the digital evolution of healthcare, partnerships with vendors were based on a handshake. In 2018, an astounding 20% of healthcare data breaches occurred through third-party vendors. Though we have complicated business associate agreements (BAAs), which are in part meant to hold third parties accountable for how they use, store and share protected information, even BAAs are simply a piece of paper. This presentation will offer new insights on how to think more broadly about vendor risk management, what types of data need to be protected, the types of business partners you should have agreements with, and how to build a resourced governance process that could save your organization from disastrous consequences if and when a breach does occur.
SecureMyResearch: Securing Clinical Research on Campus
Anurag Shankar (Indiana University)
While HIPAA has spurred substantial progress in securing healthcare operations, clinical research data cybersecurity remains a challenge. ePHI has slowly proliferated beyond AMC boundaries in recent years, making it difficult to secure. The problem is further exacerbated by a severe lack of cross-discipline expertise in research computing, compliance, and cybersecurity. Campuses are trying a variety of approaches to address the issue, such as secure enclaves and researcher training, but solutions remain elusive. This talk will describe a fresh, alternative approach to research data cybersecurity that Indiana University is pursuing, called SecureMyResearch. Jointly funded by the Offices of the Vice Presidents of Research and IT, this new initiative aims to reduce the cybersecurity and compliance burden on the researcher by baking cybersecurity in rather than expecting it from the researchers.
1:00-2:15 pm Concurrent Sessions
NIST Privacy Framework: A Healthcare Guide
Kaitlin Boeckl (NIST) & Karen Greenhalgh (Cyber Tygr)
Building an Enterprise Disaster Recovery Plan on a Shoestring Budget
Dennis Schmidt & John Mack (UNC-Chapel Hill)
Having a good disaster recovery plan is not only good practice, but it is also required by most government contracts and federal regulators. However, building a disaster recovery plan for enterprise environments is hard! Commercial solutions can be cost prohibitive and open source templates are hard to find. Cataloging necessary documentation and information on dozens of central systems can be a huge drain on personnel resources. In this session, we will discuss how a large university pulled together a team to create a comprehensive disaster recovery plan from scratch, using only internal resources. We will talk about:
- Getting buy-in from leadership and stakeholders
- Assembling the team
- Building the document framework
- Defining a disaster
- Determining what systems should be included
- Gathering data
- Writing the document
- Vetting the draft
- Publishing the living document
- Sharing the document – Who should be allowed to see it?
- Exercising the plan
Video Remote Interpretation for On-Demand Healthcare Delivery: Privacy & Data Security Challenges for Language Access
Nancia Odom & Michael Hancock (Duke Health Technology Solutions)
Federal and state laws require that healthcare organizations that receive Medicare, Medicaid or reimbursement from federal health programs provide language access services to limited English proficient (LEP) and Deaf and hard of hearing (HOH) patients. One goal of Duke Health is to have a standardized, health system-wide software solution in place for these patients’ needs and to provide medical interpretation to patients in a language they can understand. Duke Health has implemented a mobile Video Remote Interpretation (VRI) application. The software presented privacy, data security, and on-demand healthcare delivery operational challenges that, once addressed, allowed Duke to meet patient language access needs in over 250 languages, in addition to compliance requirements, in order to provide service across the continuum of care.
2:45-4:00 pm Concurrent Sessions
Data Governance in AMCs: A Winning Strategy for Privacy Boards, IRBs & Patients
Jill McCormack (VCU Health) & Dawn Morgenstern (Clearwater Compliance)
As Academic Medical Centers and Universities move in a direction to reduce costs and redundancies, unique challenges surface relating to the use and disclosure of protected health information for research. The lines become blurred when each is under common control and ownership and a shared services business model exists for certain functions. The key is the separation of responsibilities of the Institutional Review Board (IRB) and the Privacy Board, in relation to the data sets derived from the AMC’s electronic health records. The presentation will discuss the steps that VCU Health System has undertaken to address the challenges, leverage shared services, streamline processes for Principal Investigators, and develop practices to comply with the requirements of the HIPAA Privacy and Security Rules.
Application Testing through the Development Life Cycle
Bill Schultz (Vanderbilt University Medical Center) & Mike Weber (Coalfire)
While the need for vigilant application security is becoming more and more important, the means and methods for testing applications and system environments for security flaws are constantly adapting. In addition to tried-and-true penetration testing, other approaches such as Red Teams, Blue Teams, and Bug Bounty programs have become increasingly popular. Vulnerability assessment approaches like static code analysis and dynamic code scanning are also important pieces of the puzzle. However, it can get overwhelming (and expensive) to navigate the different options and determine what will provide the most value for your security program. In this session we will discuss this topic from the perspective of an active tester as well as from that of the people responsible for securing the application. We will look at the different types of testing programs, discuss the strengths and weaknesses of each, give some examples of when and why you might want to use them, and demonstrate how they fit into an overall security testing program and ideally align with your development life cycle. For example, we will discuss how certain testing approaches are better done in different environments (dev, test, prod) and how they can occur in different phases of the development life cycle. This will be an interactive session where we will cover practical tips and share lessons learned that should be relevant to other Academic Medical Centers looking to establish or enhance their own application testing program.
Securing the Wild West of the Medical IoT & Connected Medical Devices
Tom Mustac (Mount Sinai Health System)
This panel discussion will address the monumental challenges that healthcare organizations face in ensuring the availability of a secure and reliable infrastructure for patients and the medical community. The discussion will address the following areas / questions:
- Overview of the breadth of challenges – What are the attack vectors and inhibitors we face?
- Where are we as an industry vertical in addressing these challenges?
- Prioritization of risks – Where does one start?
- What tools are available?
- Where are we heading / What does the future look like?
The panel will consist of senior cybersecurity leaders from other academic medical institutions / healthcare providers and of practitioners who lead cyber security programs at leading healthcare institutions.