
Cyber-Security for Healthcare

Cyber-Security for Healthcare. Jim Rice Director, Security Consulting. Professional Profile: Dr. Jim Rice.


Presentation Transcript


  1. Cyber-Security for Healthcare. Jim Rice, Director, Security Consulting

  2. Professional Profile: Dr. Jim Rice. Jim Rice is a Director of Security Consulting Services for Sirius Computer Solutions. Since joining Sirius in 2000, he has worked with clients in a wide variety of industries, including healthcare, financial services, government, manufacturing, and insurance, addressing a wide variety of IT optimization, availability, recoverability, security, regulatory response, IT service deployment, and IT service governance challenges. He has been responsible for building Consulting, Enterprise Architecture, and Security Consulting capabilities, ensuring client solutions are optimized for business. Jim holds degrees in electrical engineering and business information systems, an MAPM, and an MBA. Jim holds a doctorate in organizational leadership and information systems technologies. His dissertation examined the correlation between IT governance maturity and patient care costs in United States healthcare systems. Jim is ITIL v2 and v3 certified. He holds an IBM healthcare industry masters certification. He was a member of the ISO/IEC JTC 1, WG6 focusing on IT service governance standards. Jim is a Research Fellow for the Center for Global Business Research and mentors doctoral students in the University of Phoenix, School of Advanced Studies. Jim is also on the board of directors for the Minnesota chapter of HIMSS. jim.rice@siriuscom.com, jamescrice@email.phoenix.edu, 612-384-7709 (m), 210-918-9462 (w)

  3. Sirius Healthcare Consulting: Format & Rules of the Road
     • Facilitated Discussion
     • Summary Finding Provided Following Workshop

  4. Healthcare Consulting: Building a Program
     • Activities
     • Current State Analysis
     • Policies, Practice, Controls, Audit
     • Future State Planning
     • Business Alignment, Goals, Priorities
     • GAP Analysis
     • People Skills & Capacity
     • Governance Process
     • Technology
     Rowe, B. R., & Pokryshevskiy, I. D. (2013, February). Economic analysis of an inadequate cyber-security technical infrastructure. National Institute of Standards and Technology. Retrieved from https://www.nist.gov/sites/default/files/documents/director/planning/report13-1.pdf

  5. Healthcare Consulting: 2017 Outlook. Security in Healthcare equals Reputation
     • Rapidly evolving regulatory environment creates business risk
     • Significant M&A results in inconsistent security controls
     • Nature of information increases its value to identity thieves
     • Malicious modification of medical data results in patient risk – health & safety
     Safety, Privacy, Reputation, Compliance

  6. Healthcare Security: Security Architecture Review (SAR). A Security Architecture Review is a client collaboration to learn about and prioritize gaps and value opportunities in the security environment.
     • Healthcare Client Security Posture
     • Reviews the depth and breadth of the client security capabilities with the client security team
     • Delivers a color-coded gap analysis of the client capability
     • Executives prioritize gaps in the security framework and identify industry best practices for remediation

  7. Sirius Security Consulting: Services Framework
     • Technical Architecture Review, Remediation, and Oversight Consulting
     • Security Architecture Review Consulting (SAR – Identify and Prioritize Client Security Gaps)
     • External Vulnerability Assessment Service (External Scan, Report, Recommendation)
     • Internal Vulnerability Assessment Service (Internal Scan, Report, Recommendation)
     • IT Service Security Roadmap Consulting (Data Classification, Review Application Configuration, & Perform Code Review)
     • Security Risk Remediation Services (Security Technologies, Products, & Product Affinity Services)
     • Penetration Testing Services
     • Security & Risk Governance Consulting (Policies, Roles and Decision Making Processes)
     • Regulatory Compliance Assessment & Audit Services (Assessment & Audit Services for Compliance with Industry Controls)
     • Managed Security Services (Monitor Network Devices and Network Traffic, Identify Events, & Escalate Incidents)
     • Security Incident Response, Forensics and Remediation Services (Respond to Exploitation, Root Cause Analysis, & Legal Expert Services)
     • Security and Policy Awareness Consulting (Educate stakeholders about business protection policies and processes)
     • Vendor & Partner Risk Assessment Service (Vendor Management and Due Diligence)
     (ISO27001, ISO38550, NIST, FISMA, ITIL, Calder-Moir, COBIT) (HIPAA/HITECH, SOX, HITRUST, PCI, TAC202) (Sirius Managed Services) (Sirius Security Services)

  8. Sirius Healthcare Consulting: 2017 Outlook. It's All About the Data
     • Medical Data Analytics is Driving Aggregation (MDM)
     • Significant Biometric Data Collection is Increasing the Volume of Information and Opportunity for Corruption (IoT)
     • Data Privacy Stewardship is the focus of legislation and regulation

  9. Sirius Healthcare Consulting: 2017 Outlook. 2017 Threats are evolving
     • Social Hacking is resulting in more focus on identity and authorization management and security awareness programs
     • Data Theft by Professional Hackers is driving a focus on end-point protection and encryption
     • Malicious Data Modification threat is increasing because of biometric data collection (IoT) and is driving a focus on network security and threat analytics
     • Data Ransom as a Service is returning data protection to its roots and increasing the use of "air-gap" backup methods

  10. Sirius Security Consulting: Security Roadmap Consulting
     • Extended Analysis & Planning
     • Collects internal and external security posture details through interviews and automated tools.
     • Evaluates security and compliance of the environment against established security controls, such as HIPAA/HITECH, MU, PCI, NIST, FISMA, and ISO.
     • Produces a specific and actionable roadmap to remediate identified compliance gaps and security vulnerabilities
     Designed for clients who need to address audit findings, support executive initiatives, support M&A activity, plan for post-incident remediation, enable contractual commitments, and support brand reputation efforts.

  11. Sirius Security Consulting: Security Consulting Resources. More Information: Sirius Security & Compliance, http://www.siriuscom.com/solutions/security-compliance/
