Session Descriptions

Monday, June 11

9:00-10:15 am Plenary Session

NIST Cybersecurity Framework

The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. Matt Barrett, Program Manager for the NIST Cybersecurity Framework, will discuss the latest update to the Framework and how it can help your organization.

10:45 am – 12:00 pm Concurrent Tracks

Human vs. Machine: Embracing the Old or Exploring the New Frontiers

This session will focus on the relative merits of using technology versus human behavior to address diverse data risks for your privacy program. The discussion will address the pros and cons of:

  • Tighter role-based access to systems versus training and awareness of what is allowed
  • Privacy monitoring by human beings using experience and expertise versus behavioral analytics anomaly detection
  • Offering encrypted devices versus data loss protection settings to prevent storage on unencrypted devices
  • Implications of all of the above in the unique environment of an AMC

This panel of compliance and privacy professionals will draw on their experience of working in AMCs and understanding the complex environment. Panel: Marti Arvin (CynergisTek), Holly Benton (Duke University), Lauren Steinfeld (Penn Medicine)

Building a Secure & Compliant Public Cloud Foundation

In this session, AHEAD will demonstrate how it worked with New Hanover Regional Medical Center (NHRMC) to build a highly secure and healthcare standard compliant public cloud foundation on AWS. AHEAD’s AWS foundational approach covers account structure, workload assessment, network design, identity and access management, data center connectivity, firewalls, routing, monitoring, and multiple compliance checks – all deployed and enforced through automation and configuration management. For each layer of the foundational AWS environment, AHEAD worked with NHRMC on a design which aligned with its existing toolset and security standards, including integration with NHRMC’s data center and enterprise security processes. The resulting solution provides NHRMC with the flexibility of using AWS as an alternative to its data centers to take advantage of cloud-only services while ensuring compatibility and alignment with NHRMC’s operational and governance processes. Panel: Brantley Richbourg & Eric Shanks (AHEAD)

NIST 800-63: Real World vs. Government Guidelines

The speakers will present an overview of the realities of implementing NIST SP 800-63. They will provide a concise overview of what this regulation means to the modern healthcare organization, strategies for implementing these standards in a large teaching hospital, and how this standard has been used across numerous healthcare organizations. Panel: Sara Schweitzer (Mayo Clinic), John Nye (CynergisTek)

1:00-2:15 pm Concurrent Tracks

50 Shades of Guest

It’s not just BYOD. Our real challenge is managing the 50 shades of guests now entering enterprise networks: classifying and controlling every combination of managed and unmanaged users and devices, while also taking into consideration dynamic factors of security posture, geographic location and more. Join our panel for a technical exploration of defining, identifying, posturing, monitoring and controlling access of the 50 shades of guests. Session content is audience-driven as we discuss applications of real-world tools or technologies such as MDM, NAC, client agents, guest onboarding products, wireless, network monitoring and access control in healthcare environments. Panel: Jennifer Minella (Carolina Advanced Digital) & Chuck Kesler (Duke Health)

Compliance vs. Evidence-Based Cybersecurity

Compliance regimes such as HIPAA have a tendency to morph into a checklist exercise that does not necessarily equal cybersecurity. The same goes for standards such as those from NIST, which are expensive to align with but have been shown to be ineffective when used incorrectly, especially within government agencies that are required to follow them. With these in mind, we have started to explore and formulate evidence-based cybersecurity based on practices that have been shown to be effective with either real data or empirical evidence. Our ultimate goal is to help organizations improve real security with compliance resulting as a natural by-product, not vice versa. This talk will provide a summary of our work so far. Panel: Anurag Shankar (Indiana University)

Privileged Account Management

Privileged accounts, those with security-relevant functionality beyond regular user accounts, are exploited in about 80 percent of computer hacks. And as if the bad guys aren’t challenging enough, privileged accounts are the objects of desire for red team testers and IT auditors who always seem to be looking for chinks in the armor. This prompts organizations to proactively apply security controls leveraging people, process and technology through well-thought-out strategies to manage risk while enabling business. Accounts used by system, application and database administrators, as well as accounts used to configure and maintain network infrastructure or control the functioning of medical devices, workstations and mobile devices, are all part of the management strategy. Hear how two large organizations are prioritizing and dealing with these challenges, and glean a few golden nuggets from their lessons learned. Panel: Lee Olson (Mayo Clinic), Mike Dockery (Cincinnati Insurance Company)

2:45-4:00 pm Concurrent Tracks

New Frontiers in Risk and Opportunity: A New Hope or A Dark Future?

In this roundtable discussion, presenters will analyze the latest trends and technologies transforming healthcare privacy and security. They will dive into especially hot topics including artificial intelligence in healthcare compliance, social media monitoring for privacy violations, new collaboration models for healthcare privacy and security teams, and how to get ahead of what’s coming from OCR. The presenters each bring a unique perspective on patient privacy to the table. Healthcare organizations increasingly find their names in the headlines, not celebrating their research or medical breakthroughs, but reporting costly and reputation-damaging data breaches that expose the sensitive information of thousands of patients. Hear from healthcare compliance and IT security experts about their latest efforts to prevent this from happening to their organizations. Presenters will emphasize their experiences evaluating, implementing, and using privacy monitoring technologies that rely on proactive detection models, and how these tools have transformed their program operations and outcomes. Panel: Carlos Cruz (Tri-City Medical Center), Michael Gregory (Community Healthcare System), Robert Lord (Protenus)

Meeting Workforce Needs in Healthcare Cybersecurity and Privacy: Development of an Innovative Curriculum at the University of Texas at Austin

Increasing numbers of threats, crypto-ransomware attacks, and visible data breaches in healthcare settings underscore that workforce needs in healthcare cybersecurity and privacy are acute. The development of new curricula to meet this talent gap, which will successfully equip individuals with the skills and competencies they need to be job-ready, is paramount. This session will describe new cybersecurity and privacy modules developed by educators in the Health Informatics and Health IT (HIHIT) Program at The University of Texas at Austin (UT Austin) to rapidly make individuals job-ready to meet workforce needs. UT Austin has been nationally recognized for creating innovative programs in Health IT to meet workforce demands. In 2010, the program was launched with a University-Based Training Grant from the Office of the National Coordinator (ONC) for Health IT. Using the ONC funding, faculty in the program partnered with large healthcare organizations and members of the Health IT industry to develop a unique learning center and a curriculum that includes both didactic education and hands-on learning with current technologies. To date, the program has educated more than 1,200 individuals, and 96% of those seeking Health IT positions have found jobs with 143 employers nationwide. Graduates of the nine-week program receive a certificate in HIHIT from UT Austin’s McCombs School of Business, and are eligible to sit for exams offered by four external credentialing organizations, including the Certified Associate in Project Management from the Project Management Institute.

Most recently, the HIHIT Program has partnered with the Army Garrison at Ft. Hood to become a Ft. Hood Army Career Skills Program to deliver health informatics and health IT education to college-educated, transitioning soldiers via distance education, with the goal of equipping them to be ready for civilian careers in Health IT. The same approach utilized to develop the very successful HIHIT certificate program was used to create new modules in cybersecurity and privacy for integration into the existing curriculum, or for delivery as stand-alone educational units, keeping in mind the keen interest expressed by transitioning soldiers to enter this field. The panel members will begin with a summary of the program, followed by comments about the curriculum development process, and how the curriculum modules meet the needs of industry and healthcare organizations.

Panel: Leanne Field (University of Texas at Austin), Julie Rennecker (Third Rock)

Case Studies: Next-Gen Endpoint Security Solutions

In this roundtable, three AMC CISOs will discuss the results that they have seen from deploying next-generation endpoint detection and response (EDR) products in their organizations. You will learn how EDR solutions differ from traditional anti-virus and endpoint protection products, how they approached deploying EDR solutions across tens of thousands of systems in their organizations, the results that they have seen from using EDR, critical success factors to consider when implementing an EDR solution, vendors that provide EDR solutions, and how EDR solutions fit in with a broader set of cybersecurity controls. Panel: Jennings Aske (New York Presbyterian), Jigar Kadakia (Partners HealthCare), Chuck Kesler (Duke Health)

Tuesday, June 12

9:00-10:15 am Plenary Session

Quiz the Regulator

In this popular session, a key staff member from the U.S. Department of Health and Human Services will discuss plans for HIPAA and HITECH regulation development, enforcement, auditing, guidance, etc. A key facet of this session is a long Q&A period. Invited speaker: Kathryn Marchesini, Chief Privacy Officer, Office of the National Coordinator for Health IT.

10:45 am – 12:00 pm Concurrent Tracks

Traps, Tricks & Trepidation in HIPAA & Hybrid Entity Designations at Universities & AMCs

This session will focus on HIPAA and complexities of the hybrid entity designation issues particular to universities and AMCs. Topics include:

  • Determining whether a university is a hybrid entity and what the “covered components” are that must comply with HIPAA
  • Establishing correct HIPAA “relationships” between the university’s covered components, the affiliated AMC, and the affiliated faculty practice plan or physician groups, including when an affiliated covered entity (ACE) or an organized health care arrangement (OHCA) is appropriate
  • Addressing areas of vulnerability in HIPAA compliance resulting from the university-AMC-faculty practice plan relationships, including: when business associate agreements are needed between the entities; “co-employment arrangements” when physicians are employees of the university when performing research and employees of the AMC/faculty practice plan when performing clinical care; and controlling faculty and student access to health information for research

Panel: Marti Arvin (CynergisTek), Holly Benton (Duke University), Lauren Steinfeld (Penn Medicine)

An Integrated Proactive Privacy & Information Security Program

This presentation will focus on the development of a fully integrated proactive privacy and information security program in the healthcare environment. The components of an effective integrated program will be highlighted as will the benefits of an integrated approach. In addition, the presentation will focus on the elements of a proactive privacy and information security program. The principles of privacy and information security by design will be explained and methods for implementing a privacy and information security strategy throughout an organization including practical tips for implementing privacy and information security by design will be presented. Panel: Jacki Monson & Sarah Kitterman (Sutter Health)

Unpacking the Health Care Industry Cybersecurity Task Force 2017 Report

The Health Care Industry Cybersecurity Task Force’s report published in 2017 identified six high level imperatives with recommendations and action items for each to increase awareness, improve security, and reduce risks. This presentation will dissect and analyze the various recommendations and action items in the report, including the risk management approaches and best practices, while also taking into consideration the unique aspects and technological and regulatory challenges faced by the healthcare industry and its inherent and imposed limitations. Other topics include: how EHR manufacturers and providers can address the confluence of many technologies, including traditional EHRs, wearables and biomedical devices; how to address the patient’s right of limiting access; Privacy By Design, and the implications it has on the design and implementation of secure systems; how threat actors can leverage this network of shared information; future threat vectors and possible defensive mechanisms, both technical and governance; as well as some of the legal barriers and opportunities to build common defenses. Panel: Gary Warner (University of Alabama at Birmingham), Steve Snyder (Smith Moore Leatherwood), and Sayee Balaji Chandrasekaran, Monty LaRue & Luther Stephens (Allscripts)

1:00-2:15 pm Concurrent Sessions

GDPR for AMCs

Description coming soon. Panel: David Holtzman (CynergisTek), Robert Webster (LabCorp) & Lynn Rohland (RGP)

Protecting the Diamond Mine of Data in the AMC

Academic Medical Centers (AMCs) are a hub of research and clinical trial activity. The number of outside parties involved in collaborative studies creates unique challenges in securing protected patient data. The core element of research studies is sensitive health data. So how can it be secured from unintended release? Knowing that data is the diamond mine of academic research, how well do outside clinical trial and research partners fare in securing and protecting sensitive data records from malicious intent or data misuse? This session will cover:

  • Unique challenges to AMCs (research studies, clinical trials)
  • Profiles of typical AMC vendor population and associated risk factors
  • Top three vendor security risk factors for AMCs

Panel: Johannes Boheme (Wake Forest Baptist Health), Cliff Baker (CORL Technologies)

Hollywood’s Hype & the Harsh Reality of a Ransomware Attack

No amount of advance planning can totally prepare an organization for a large-scale ransomware attack. From the moment of discovery, IT departments are aggressively fighting the clock to stop the spread to not only the EHR, biomedical, laboratory, and pharma systems, but also to the revenue cycle management, facilities, cafeteria, and supply-chain management systems. No endpoint is safe, including servers, workstations, printers, environmental control systems, or physical security controls. Healthcare executives are inclined to turn to the CIO to lead the initial recovery efforts but the recovery challenge transcends many different business units, including legal, finance, human resources, public relations, audit, and the entire compliance team (compliance, privacy and security). This presentation will provide lessons learned from actual ransomware attacks drawing on firsthand experience of working with multiple organizations that experienced a significant event in 2017. It will include the timeline from initial discovery through technical recovery and will also focus on the non-technical actions needed to meet the legal, regulatory, and contractual requirements. It will also address the human impacts of ransomware and strategies to help mitigate the negative effects. Attendees will gain a focused perspective on the human impact to the organization, explore the responsibilities of various departments following a serious security event, and review considerations that would help determine if the event is a reportable breach. Panel: Dave Dillehunt (FirstHealth of the Carolinas), Clyde Hewitt (CynergisTek)

2:45-4:00 pm Concurrent Sessions

Emerging Security & Privacy Issues Arising from the Proliferation of Devices in the Health Care Workplace

This roundtable discussion will examine key security and privacy issues arising from the use of electronic devices in and with health care organizations. In part, panelists and the audience will discuss security and privacy issues related to electronic health care data stored on and transmitted from wearable and implantable devices. How do device companies protect the security and privacy of health care data – including data generated in research studies – during its creation, storage and transmission? Additionally, panelists and the audience will examine the security risks posed by the use of employee and/or employer electronic devices in the workplace. As one example, there are newly emerging physical security risks for health care providers and research facility sites posed by bad actors gaining access to (proliferating) employee devices. Panel: Robert Van Arnam & Dominic Madigan (Williams Mullen), David Kuraguntla, DO (GraftWorx, LLC)

Creating an OCR-Quality Risk Management Program

Encompass Health will share how they established risk management processes that correlate directly with OCR guidance. Some of the challenges they faced were the vast scope and complexity of the organization, as well as its regular expansion via strategic acquisitions, which meant the scope of information assets, threats, vulnerabilities and security controls was continuously evolving. Another challenge was that while the HIPAA legislation and OCR guidance explicitly state that organizations must conduct a risk assessment, the exact form that assessment should take is open to interpretation. Hear how they completed a comprehensive, OCR-quality risk analysis that aligns with the NIST framework. The risk analysis is granular, down to the individual media and medical devices where ePHI resides. Their software supports ongoing risk analysis and risk management, consistent with a constantly evolving asset, threat and vulnerability environment. This has resulted in increased confidence in the accuracy, detail, timeliness and scope of risk analysis, as well as anticipated savings in the resources needed to generate Board-required risk assessments. Panel: Rich Curtiss (Clearwater Compliance), Mitch Thomas & Shane Eaker (Encompass Health)

Incident Response for Executives

The surge in malicious attacks on healthcare organizations has certainly raised the awareness of executives and boards to have a coordinated response process. It also proves that the incident response process should not be assigned solely to the CIO. Given the quick litigation filed following recent ransomware attacks, it is critical to have the ability to continue operations parallel to the technical recovery. Historically, the focus on business continuity has been on clinical operations, but recent events stress the importance of having downtime procedures for non-clinical processes as well, including financial, HR and supply chain management. This presentation will explore the managerial priorities and operational impacts associated with incident response. Panel: Sri Bharadwaj (UC-Irvine)

This continues to be an excellent conference, well planned and implemented. Great value, great information, and great networking.
—2014 Conference Attendee
