Wednesday, October 21
2:05-2:50 pm Plenary Session
Benefits & Value of Information Sharing for Organizations
Greg Singleton & William Welch (HHS) & Bill Hagestad (Medtronic)
The goal of information sharing is to create a collaborative, cooperative, and consistent community of information sharing and mutual trust. This panel discussion will address the benefits and challenges to information sharing, including laws, regulations, corporate policies and management. It will also address strategic, operational, tactical and practical perspectives appropriate to healthcare audiences. Panelists will give a unique perspective on industry guidelines, what organizations need to do to prepare for information sharing initiatives, what to share, how to share it, and how to protect any sensitive information they receive.
The panel discussion will focus on the five pillars of information sharing:
- Shared Situational Awareness
- Improved Security Posture
- Increased Competency Levels
- Improved Cyber Security Innovation
- Promote Collaboration, Community Trust and Sharing
3:00-3:50 pm Concurrent Sessions
How Information Blocking Changes Everything
Adam Greene (Davis Wright Tremaine LLP)
While health care providers were focused on fighting the pandemic, HHS finalized regulations implementing the 21st Century Cures Act’s information blocking prohibition. These regulations represent a fundamental shift in how we govern health information, creating compliance risks for hundreds of practices within our organizations that could now constitute “information blocking.” This session will provide an overview of how we got here, the elements of information blocking, the eight exceptions, and practical tips for implementing an information blocking compliance program.
Grade Inflation: Understanding the Impacts a Potential Cyberwar has on the Risk Management Matrix
Sri Bharadwaj (UCI Healthcare) & Clyde Hewitt
Cyber security leaders rely on a risk matrix to make investment decisions, then quantify that data when they present their budget request to the CFO. Historically, we see organizations attempting to qualify risk in terms of likelihood and impact, following the NIST 800-30 framework. The results typically follow a bell-curve, with some risks ranked as High, but a majority designated as Moderate (or Medium), and the remaining as Low. Serious events — like hackers, malware, ransomware and theft of patient data — are traditionally ranked as High risks, given that the impacts involve a measurable financial loss and some risk to patient care.
Unfortunately, we have seen significant grade inflation over time, leaving little room for the catastrophic impacts that could result from a cyber war. For example, organizations have serious concerns about their backup strategy for recovering from a ransomware attack. The thought of not having recoverable hardware on which to restore data at all is an impact outside the typical risk impact axis. During this session, learn how we can alter the current risk matrix to effectively introduce tertiary/ancillary risks that may be overlooked in the current model. I think we have to take a “whole picture” look and not get pigeonholed into risks that can be truly quantifiable from a CISO perspective.
For this reason, we need to reset the risk matrix, then explore options based on a more realistic impact continuum. This analysis would drive a deeper conversation around cyber resiliency, specifically focusing on incident response and what happens “after the boom.” The potential for cyber war is higher than ever given the current political environment.
At the end of the session, attendees will be able to:
• Identify how a potential cyberwar would impact an organization’s current risk assessment framework
• Justify an increased emphasis on cyber resiliency planning
• Apply a new rubric for measuring adverse impacts to a healthcare organization
• Defend the need for additional preparation across multiple workflows supporting an academic medical center
All Aboard! A ‘How to’ On Engagement & Impact Across the AMC Enterprise
Gerald Auger & Matt Jones (MUSC)
There are many disparate factions at an Academic Medical Center, each trying to accomplish its own focused goals. Cybersecurity, as an enterprise function, horizontally crosses and impacts all of these factions, but isn’t always positioned to understand the constraints that controls may introduce. This can result in control circumvention, animosity toward the information security office, and barriers to successful roll-outs of new controls.
Over the last 2 years MUSC has implemented the “Information Security Forum” (ISF). This monthly, enterprise-wide, inter-discipline forum provides a collaborative environment to engage the entire community and understand multiple perspectives. It has resulted in higher alignment of enterprise controls, tailored controls that properly reduce risk, and ‘ownership of information security’ by individuals in the enterprise who are not on the information security team. It has delivered major value and impact, and costs the organization $100 a month. This talk will share the approach to successfully launching your own ISF, lessons learned from MUSC’s 2 years of experience, and how you can leverage your ISF to reduce cyber risk at your AMC.
4:00-4:50 pm Concurrent Sessions
The Transformation of Telehealth & the Rise of Virtual Care
Karen Pagliaro-Meyer (Columbia University Medical Center) & Tanisha Raiford (Weill Cornell Medicine)
What are some of the Privacy, Security & Compliance issues associated with the rapid increased use of Telehealth?
Privacy and Security Issues
The expanded use of telehealth and other virtual care services during the COVID-19 pandemic protected both patients and providers. However, the rapidly increased reliance on telehealth is not without data privacy and security considerations. This session will highlight the areas that organizations should evaluate, including:
- Business Associate Agreements/Data Use Agreements
- Security Assessments/Technology Waivers
- Telehealth policies and training materials for faculty and staff
The COVID-19 pandemic has created new and emerging telehealth compliance issues: relaxing standards in certain areas while increasing the need for greater compliance planning and implementation in others. During this session we will highlight some of the compliance issues associated with the continued use of telehealth including:
- Practicing telemedicine across state lines
- Documentation in the EMR
- Credentialing and privileging
- Informed consent
Medical Device Security Best Practices & Lessons Learned
Kurt Griggs (Mayo Clinic) & Ty Greenhalgh (Cyber Tygr)
As health industry ransomware attacks and endpoint detections increase, so does the need for protecting medical devices through applied Health Technology Management (HTM). Mayo Clinic is once again on the leading edge in this effort. This presentation will provide the audience with an update on the latest medical device ecosystem cybersecurity developments, and will describe Mayo Clinic’s HTM program, strategy, and the actionable recommendations used to decrease cybersecurity risk and increase patient safety.
Within the last year, organizations such as the FDA, DHS, HHS, HSCC, Congress, CHIME and AEHIS have been proactive in their efforts to align the health industry’s cybersecurity efforts to include medical device security. This presentation sets the stage with a high-level overview of critical topics such as the FDA Safety Communication on third-party software components, specific FDA recalls, the Health Sector Coordinating Council’s Supply Chain Risk Management publication, the latest version of the MDS2, the Software Bill of Materials (SBOM), and proposed legislation to reduce breach penalties for hospitals employing specific cybersecurity practices.
The presentation continues with actionable examples of how Mayo Clinic’s program evaluated and operationalized medical device security technology. The audience will learn the limitations of traditional cybersecurity solutions, why a more targeted technology is needed, and the best practices Mayo found for implementing a comprehensive medical device security solution. The areas Mayo found most successful, which will be shared, include defining mission, goals and objectives; determining needs; aligning to a framework; and Mayo’s security solutions. Attendees will leave with a clear understanding of the complex ecosystem, the rising threats to patient safety and data breaches, the growing challenges in securing networks, and the best practices Mayo Clinic used in addressing security, privacy, architecture and data protection.
Video Remote Interpretation for On-Demand Healthcare Delivery: Privacy & Data Security Challenges for Language Access
Nancia Odom & Michael Hancock (Duke Health Technology Solutions)
Federal and state laws require that healthcare organizations that receive Medicare, Medicaid or reimbursement from federal health programs provide language access services to limited English proficient (LEP) and Deaf and hard of hearing (HOH) patients. One goal of Duke Health is to have a standardized, health system-wide software solution in place for these patients’ needs and to provide medical interpretation to patients in a language they can understand. Duke Health has implemented a mobile Video Remote Interpretation (VRI) application. The software presented privacy, data security, and on-demand healthcare delivery operational challenges that, once addressed, allowed Duke to meet patient language access needs in over 250 languages and to satisfy the compliance requirements for providing service across the continuum of care.
Thursday, October 22
9:05-9:50 am Plenary Session
Quiz the Regulator
Verne Rinker, JD, MPH, MBA (HHS Office for Civil Rights)
Each year the AMC conference is pleased to host a key staff member from HHS engaged in HIPAA support, enforcement, and related duties. This year we have Verne Rinker, Health Information Privacy Specialist with the HHS Office for Civil Rights. A key facet of this session is a Q&A period. This is a good time to get your questions answered and to understand OCR’s announced plans for regulation development, enforcement, auditing, guidance development, etc.
10:00-10:50 am Concurrent Sessions
NIST Privacy Framework: A Healthcare Guide
Nakia Grayson (NIST) & Karen Greenhalgh (Cyber Tygr)
The NIST Privacy Framework is designed to help organizations:
- Identify, assess, manage, and communicate privacy risks
- Develop innovative approaches to protect individuals’ privacy
- Increase trust in products and services
- Have a tool that would assist with enterprise privacy risk management
Process-oriented privacy principles (such as the Fair Information Practice Principles (FIPPs)) are an important component of an overall privacy strategy, but on their own have not achieved consistent and measurable results in privacy protection. In the security field, risk management models, along with technical standards and best practices, are key components of improving security. The NIST Privacy Framework applies successful security methodology, with clearly stated objectives and measurable outcomes, to the protection of privacy.
The Privacy Framework incorporates standards, frameworks, models, methodologies, tools, guidelines, and principles utilized by organizations to identify, assess, manage, and communicate privacy risk at the management, operational, and technical levels. Because it is compatible with existing legal and regulatory regimes, the healthcare industry will find the Framework useful in meeting the compliance requirements of the HIPAA Privacy Rule. Since it is designed to integrate with the NIST Cybersecurity Framework (CSF), healthcare organizations may combine the NIST CSF and NIST Privacy Framework to incorporate compliance with HIPAA’s Security and Privacy Rules into the Enterprise Risk Management program.
Participants will be able to:
- Recognize the primary sources for current privacy management practices
- Discuss the relationship between privacy and security risks
- Compare and contrast NIST’s Cybersecurity and Privacy Frameworks
- Describe the structure and purpose of the NIST Privacy Framework
- Understand how to use the NIST Privacy Framework in their organizations
Email Threats & Defenses
Alex Everett & Brian Penders (UNC Health)
Over the past few years there has been a marked increase in the number of breaches or incidents involving email. Email continues to be critical to the operations of healthcare organizations, whether for communications between staff, communications to employees, or communications with vendors. An incident can stem from a business email compromise (BEC) campaign, a phish, or a malicious attachment. If one of these attacks is successful, it can have a noticeable impact on the organization and its business operations. Unfortunately, these types of incidents are increasing. According to the Department of Health and Human Services, the number of breaches affecting healthcare entities and involving email has risen in each of the last four years.
In this presentation we will examine these three attacks and the people, processes, and technologies that can reduce harm and inform leadership if an incident occurs. We will draw from actual attacks at our institution, the literature, and the controls that we evaluated. As an example, we will describe the Emotet malware and how it can trick trained and savvy users into opening an attachment. Another attack we will cover is similar-name attacks and their role in business email compromise. As part of this we will discuss security awareness, similar-name detection in Office 365 and Gmail, and spoofing detection. Lastly, we will discuss the role of cyber insurance and digital forensics.
SecureMyResearch: Securing Clinical Research on Campus
Anurag Shankar (Indiana University)
While HIPAA has spurred substantial progress in securing healthcare operations, clinical research data cybersecurity remains a challenge. ePHI has slowly proliferated beyond AMC boundaries in recent years, making it difficult to secure. The problem is further exacerbated by a severe lack of cross-discipline expertise in research computing, compliance, and cybersecurity. Campuses are trying a variety of approaches to address the issue, such as secure enclaves and researcher training, but solutions remain elusive. This talk will describe a fresh, alternative approach to research data cybersecurity that Indiana University is pursuing, called SecureMyResearch. Jointly funded by the Office of the Vice Presidents of Research and IT, this new initiative aims to reduce the cybersecurity and compliance burden on the researcher by baking cybersecurity in rather than expecting it from the researchers.
11:00-11:50 am Concurrent Sessions
Data Governance in AMCs: A Winning Strategy for Privacy Boards, IRBs & Patients
Jill McCormack (VCU Health) & Dawn Morgenstern (Clearwater Compliance)
As Academic Medical Centers and Universities move in a direction to reduce costs and redundancies, unique challenges surface relating to the use and disclosure of protected health information for research. The lines become blurred when each is under common control and ownership and a shared services business model exists for certain functions. The key is the separation of responsibilities of the Institutional Review Board (IRB) and the Privacy Board, in relation to the data sets derived from the AMC’s electronic health records. The presentation will discuss the steps that VCU Health System has undertaken to address the challenges, leverage shared services, streamline processes for Principal Investigators, and develop practices to comply with the requirements of the HIPAA Privacy and Security Rules.
A Day in the Life of a Healthcare CISO: Tackling Health IT’s Most Common Challenges with a Proven Risk Management Strategy
Gerry Blass (ComplianceAssistant) & Jason Tahaney (Community Options)
A healthcare Chief Information Security Officer’s everyday job can be overwhelming. Tackling new cyber threats, advocating for budget, resources and staff, and maintaining an enterprise-wide security and compliance strategy are all part of the role. How does a CISO balance it all? The presenters will offer tactical tips on how to:
- Analyze the current landscape of healthcare cybersecurity and identify the main components of a comprehensive risk management strategy to protect your organization from common security and compliance inconsistencies.
- Identify the most threatening roadblocks in healthcare IT, including limited human and financial resources, rising costs and data silos, and apply proven risk management solutions to tackle these ever-evolving challenges.
- Apply real-life strategies – including governance, oversight, data analysis and field observation – to identify and respond to risk, maintain transparency, set budgets and effectively track risk registries, assessments, and the mitigation process.
Securing the Wild West of the Medical IoT & Connected Medical Devices
Tom Mustac (Mount Sinai Health System)
This panel discussion will address the monumental challenges that healthcare organizations face in ensuring the availability of a secure and reliable infrastructure for patients and the medical community. The discussion will address the following areas / questions:
- Overview of the breadth of challenges – What are the attack vectors and inhibitors we face?
- Where are we as an industry vertical in addressing these challenges?
- Prioritization of risks – Where does one start?
- What tools are available?
- Where are we heading / What does the future look like?
The panel will consist of senior cybersecurity leaders from other academic medical institutions / healthcare providers, and practitioners who lead cybersecurity programs at leading healthcare institutions.