Presentation is loading. Please wait.

Presentation is loading. Please wait.

Healthcare Cybersecurity: State of Industry

Published byAnna Dennis Modified over 6 years ago

Similar presentations

Presentation on theme: "Healthcare Cybersecurity: State of Industry"— Presentation transcript:

1 Healthcare Cybersecurity: State of Industry
Addressing Our ever changing Cybersecurity Risks Sean K. Lowder CISSP/CISA/CISM/CRISC © Sean K. Lowder 2016

2 Why are we under attack? Information we have is much more valuable than retailers: Complete profiles of people, and Medical information Uses of information: Fraudulent lines of credit Medical insurance fraud Order and resell medical equipment, False claims Health care fraud Blackmail and extortion Aftermath: Very difficult to remediate once compromised © Sean K. Lowder 2016

3 Healthcare Threat landscape increased
Personally Identifiable Information (PII) is still the number one target Costs on black market makes it the most attractive target State-sponsored actors China Dossiers Medical Insurance is now in 5 year plan Russia Criminal activity Symbiotic relationship with Government Mules in US for Fraud "We are facing an arms race in terms of security. Every minute, we are seeing about half a million attack attempts that are happening in cyber space." -Derek Manky, Fortinet global security strategist © Sean K. Lowder 2016

4 Cost of the Attacks* $6.5 million is the average cost of data breach
$355 is the cost per capita in healthcare *2016 Cost of Data Breach Study: Global Analysis Ponemon Institute LLC, June 2016 © Sean K. Lowder 2016

5 Our Data is everywhere Castle and Moat approach is no longer viable to protect our data Cloud Microsoft Google Amazon Hosting Data analytics Claims systems Etc. All else What don’t you know about??? (Dropbox, etc.) How confident are you of Data Loss Prevention implementation? © Sean K. Lowder 2016

6 So, what are we going to do?
What are your Threats? Who wants your stuff? How do you know where you are? Evaluate your program What are you vulnerable to? What is your focus? Highest risk gaps first, prioritize your $ © Sean K. Lowder 2016

7 Frameworks are a START Security Frameworks
ISO 27000 NIST HiTrust Frameworks provide a BASE level of security Where you have control gaps Maturity gaps for your program CAUTION!!! Don’t fall for the “but the control says…” Don’t “Lawyer up” when implementing controls Check-box Security isn’t security! © Sean K. Lowder 2016

8 Assumption of Breach Focus on Detection of events
Keep your focus on “Detection / Response” technologies Assume you are breached Go find ‘em with “hunt” teams Test your Incident response plan Table tops Full exercises Use Penetration assessments to test your SOC/SIRT © Sean K. Lowder 2016

9 Identity is the last boundary
Where are your ID’s? Cloud Applications SSO/Federation partners Who holds the Keys??? Who are your “privileged” users? How do they use their privileges (MFA)? OK to trust the person, don’t trust the ID! Are you monitoring activities? What’s normal vs. what’s not How are you managing those ID’s? Password Vaulting © Sean K. Lowder 2016

10 Vendor Risk Management
If your vendor’s security is breached, who gets the bad press? Lifecycle of a vendor for Security Oversight Birth Contracting Vendor Risk assessment Operational Monitoring Annual (or more) Vendor Risk assessments Site visits SLA Attestations (SOC2, CEO attestation) Death Where is the data??? © Sean K. Lowder 2016

11 Are you covered? Cyber Insurance What’s covered? How much do you need?
Response assistance Forensic assistance Communications Brand Damage How much do you need? Based upon Ponemon numbers…how many records could you lose? Business Value – What’s catastrophic? Incident responders on retainer Have the “paperwork” all done © Sean K. Lowder 2016

12 Questions? © Sean K. Lowder 2016

Download ppt "Healthcare Cybersecurity: State of Industry"

Similar presentations

11 THE SCIENCE OF RISK SM About Verisk Analytics.

11 THE SCIENCE OF RISK SM About Verisk Analytics.
Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.
Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.

Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.
Oklahoma Chapter Information Systems Security Association Oklahoma Chapter, Tulsa Oklahoma City Chapter, OKC Student Chapter, Okmulgee Oklahoma Chapter,

Oklahoma Chapter Information Systems Security Association Oklahoma Chapter, Tulsa Oklahoma City Chapter, OKC Student Chapter, Okmulgee Oklahoma Chapter,
External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.

External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.
1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB

1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
2012 CWAG Annual Meeting State Agency Data Breaches Loss prevention, response and remediation strategies.

2012 CWAG Annual Meeting State Agency Data Breaches Loss prevention, response and remediation strategies.
Data Risk and Security Andrew Roderick Campus Technology Committee – January 21, 2015.

Data Risk and Security Andrew Roderick Campus Technology Committee – January 21, 2015.
AUGUST 25, 2015 Cyber Insurance:

AUGUST 25, 2015 Cyber Insurance:
GSHRM Conference Cyber Security Education Shri Cockroft, CISO Piedmont Healthcare, Inc. September 21, 2015.

GSHRM Conference Cyber Security Education Shri Cockroft, CISO Piedmont Healthcare, Inc. September 21, 2015.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.

Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
Cyber Security in HealthIT Mark Longworth Independent Security Consultant

Cyber Security in HealthIT Mark Longworth Independent Security Consultant
A PM’s Guide to Surviving A Data Breach. Compliance: PCI QSA and PCI Gap Analysis FISMA HIPAA SSAE 16 GLBA, Red Flags Response Incident Response and Disaster.

A PM’s Guide to Surviving A Data Breach. Compliance: PCI QSA and PCI Gap Analysis FISMA HIPAA SSAE 16 GLBA, Red Flags Response Incident Response and Disaster.
FFIEC Cyber Security Assessment Tool

FFIEC Cyber Security Assessment Tool
Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,

Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,
Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH.

Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH.
Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.

Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.
15 years of Web Security © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. The Rebellious Teenage Years.

15 years of Web Security © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. The Rebellious Teenage Years.
Albany Bank Corporation Security Incident Management Program.

Albany Bank Corporation Security Incident Management Program.

Similar presentations

Ads by Google