NCHICA Cybersecurity Forum on May 15, 2017
The Dysfunction of Data Security and IT Governance and How to Solve the Problem
Strong IT governance is necessary for today’s healthcare organizations. Without effective governance, the digital healthcare environment will never be secure, endangering patient care delivery and corporate success. While healthcare organizations adopted technology at an incredible pace, they rejected control and structure with the same vigor. IT governance is typically implemented as an afterthought, and then only to ensure minimum compliance levels. These shortcuts have left patients, employees, and healthcare corporations vulnerable to both cyber-crime and self-inflicted wounds that cost millions of dollars, affect patient care, and damage corporate reputation. IT security governance must be a priority at the highest levels of a healthcare corporation. The IT infrastructure and its associated security are the logistical foundation that gives both clinicians and office staff the ability to do their work. Without top-down support, an environment of this complexity will not be efficient or secure. IT governance needs to set specific standards against which security is measured, going far beyond the goal of “minimum necessary” for compliance and the associated POAMs. Three fundamental areas of assessment are Data Inventory and Classification, Infiltration Events, and Exfiltration Events. If a company cannot answer questions such as “Where and what is our data?” and “How many external attacks have been successful?”, then governance has failed. Ryan Dobbins (infoLock Technologies)
Building a Security Program based on the NIST Cybersecurity Framework
As cyberattacks grow more sophisticated and more focused on the healthcare industry, it is paramount that these organizations put in place a dynamic approach to identifying and mitigating the most critical threats on an ongoing basis. To better address these threats, many healthcare organizations are adopting the NIST Cybersecurity Framework (CSF) and its five core functions: identify, protect, detect, respond, and recover. While the framework consists of best practices and industry standards for managing cybersecurity risk, its purpose is to help organizations develop and implement an automated risk management program that provides visibility and insight into systems and networks, from a security and risk management perspective, on a near real-time basis. But while the benefits are clear, planning and implementation are not that easy. Where do you start? What do you monitor? And how do you prioritize systems and problems? This session will discuss the benefits of adopting the NIST CSF, mapping current investments and identifying gaps in your security program against the framework, and taking a practical approach to addressing the core functions to achieve automated risk management. Ken Durbin (Symantec)
Did You Know You are under Attack Right Now?
If you are connected to the internet, you are under attack right now. Are you monitoring or watching your IT ecosystem? If you are not, how would you know? Most small to midsize businesses (SMBs) are not watching their IT ecosystem. They install a firewall, put virus protection on their endpoints, and truly believe they are secure enough. On average, it takes 205 days to discover that a breach has occurred, and normally it is a third party who discovers it. Think of it this way: a burglar breaks into your house, drinks your milk, eats your cookies, sleeps in your bed, watches your TV, and brings his friends over for a wild party at your house…all the while you are unaware they are even there…until your neighbor calls the police to report unusual behavior next door. This talk will cover how healthcare organizations can improve their cybersecurity posture and speed up breach detection by deploying the right tools, training their people to use the tools properly, and developing the processes necessary to incorporate the tools into the overall program. Gary Daemer (InfusionPoints)
- Gary Daemer is CEO of InfusionPoints, which he founded nine years ago to help his clients improve their security posture. He has also led multiple security teams in several government consulting organizations. He worked in industry as a Program Manager, Security Architect, and Security Engineer, and has led many security efforts in the small to midsize business, telecommunications, healthcare, banking, and insurance industries. His teams have built, defended, and tested multiple enterprise business environments over the years. He has an MSEE from Virginia Tech and holds several industry certifications as well.
- Ryan Dobbins is Director of Managed Services for infoLock Technologies. Prior to joining infoLock, he was responsible for the development and everyday management of the information security program at a multi-billion-dollar healthcare enterprise. His areas of expertise include threat protection, data loss prevention, and governance, risk, and compliance. He is active in the GRC community and holds the GSLC from SANS.
- Ken Durbin, CISSP, is a Strategist for Symantec. He has been providing solutions to the public sector for over 25 years with a focus on Compliance and Risk Management (CRM). His focus also includes the standards, mandates, and best practices from NIST, OMB, DHS, SANS, and others, and their application to CRM. Mr. Durbin spends a significant amount of his time tracking the development, application, and implementation of the NIST Cybersecurity Framework as its adoption has grown beyond the Critical Infrastructure Sectors to include all sectors and even other countries.
- MODERATOR: Chuck Kesler is Chief Information Security Officer for Duke Medicine. He leads the organization’s Information Security Office, which provides information security services for all Duke University Health System entities, as well as academic departments, centers, and research institutes in Duke’s Schools of Medicine and Nursing. He is responsible for establishing and managing all aspects of Duke Medicine’s information security program, including security strategy, governance, risk management, security policies, security awareness, vulnerability management, security event monitoring, and incident response.
Workshop on Planning for Digital Transformations & IoT in Healthcare on May 16, 2017
Finding the ‘Right Mix’ of IT in a Hybrid World
To accelerate their businesses, enterprises are seeking to implement the right mix of private cloud, public cloud, managed cloud, and traditional IT infrastructure, thereby speeding innovation and growth. A solution built around a hybrid infrastructure design is the top choice of many mid to large enterprises. While cloud is a business catalyst, there is no one-size-fits-all solution. To stay competitive, you need an optimized internal environment fused with the right mix of private and public cloud. Kevin Shabow, HPE
Digital Transformation of Healthcare
“The Journey to the New Style of Healthcare.” What does digital mean for healthcare? Technology, a new way of engaging with customers, a new way of doing business? It is creating value at the frontiers, The Edge, where the business meets the customer; creating value in the processes of the healthcare value chain; and building the foundational capabilities that support the entire structure. In this discussion we show the global drivers of healthcare, the healthcare value chain, and the new markets and the solutions that address their requirements. How do we bridge the digital divide, given the rate of business change, growing consumerism, ready access to low-cost third-party data and apps, a growing IT skills gap, an outdated IT operating model, inflexible architecture, and old technologies? Tim Study, HPE
Designing Healthcare’s Intelligent Edge
Healthcare environments are unique, with their swirling masses of people, volumes of confidential data, extremely dynamic applications, connected devices that multiply like rabbits, and an ecosystem whose balance means the difference between life and death. The trends in healthcare, driven by a combination of business objectives and compliance requirements, are changing rapidly as the business, technology, and use cases evolve. Secure mobility, resilient networks, architectures that support hybrid infrastructures, and analytics are a few of the dominant needs at today’s healthcare edge, and they lay the groundwork for IoT/IoHT, smart buildings and sensors, BLE and analytics for tracking and wayfinding, secure authentication and visibility (including Network Access Control), and other Intelligent Edge functions. Jennifer Minella, Carolina Advanced Digital
- Jennifer Minella is currently VP of Engineering and Consulting CISO with Carolina Advanced Digital, Inc. In her engineering role, Minella leads strategic research and consulting for government agencies, educational institutions, and Fortune 100 and 500 corporations. In addition to her normal business roles, Minella is a published author, editorial contributor, and trusted adviser to the media on information security topics. No stranger to public speaking, she has presented at RSA Conference, NSA Trusted Computing Conference, Interop, Infosec World, DeepSec, SecTor, CSI, and many others. Jennifer is involved in the research, testing, and design of secure and intelligent edge networks, including wired, wireless, and BLE, to support IoT, IoHT, smart buildings, and trends in network security.
- Kevin Shabow is the VP/GM for Hewlett Packard Enterprise in the Carolinas. His company focuses on solutions for enterprise IT, specifically Hybrid IT, the Internet of Things (IoT), and services. Prior to Hewlett Packard, Kevin held sales management and executive positions with GE, Gateway, Absolute Software, and Lenovo. A seasoned sales executive, Kevin is passionate about the value of sales as agents of change and transformation for customers. He has published articles on the impact of great customer service and its role in developing a competitive advantage. Kevin graduated from Towson University with a BS in Business and Psychology. He resides in Raleigh, NC and is an avid runner.
- Tim Study is currently a Healthcare Practice Manager at HPE. His role at HPE is to help grow HPE’s presence in healthcare and to build and introduce new innovative solutions. HPE works extensively with all the major healthcare ISVs to ensure HPE supports and provides the best end-to-end infrastructure for all mission-critical applications. Tim has over twenty-five years of experience in the healthcare industry. He has worked with IBM as a healthcare executive, with Microsoft as a BDM and Partner Manager for Health and Human Services, with VHA as an IT consultant, and with Digital Equipment Corporation. He has a clinical background in diagnostic radiology and was on the faculty at the University of New Mexico and University of Kansas Medical Centers. He is also the author of a textbook entitled “Essentials of Nuclear Medicine Science” and has authored numerous scientific journal articles.