Data Security: A Growing Risk and How to Mitigate

This article discusses the evolving landscape of data security and provides strategies to mitigate risks. It covers HSX privacy and security activities in 2018, the security maturity curve, key security questions for boards in 2019, and vendor risk management.



Presentation Transcript


  1. Data Security: A Growing Risk and How to Mitigate
  HSX Board of Trustees
  November 14, 2018

  2. Introductions and Agenda
  • HSX Privacy and Security Activities 2018
  • Discussion Panel
    • Brian Selfridge, Meditology
    • Lena Licata, EisnerAmper
    • John Abella, Main Line Health
    • Brian Wells, Merlin International
  • Agenda
    • Panel Perspectives
    • Discussion Questions
    • Open Questions

  3. HSX Privacy and Security Activities 2018

  4. Security Maturity Curve
  [Figure: a maturity curve plotting Resilience against Agility / Speed of Action. Threat levels shown: Conventional Threat, Advanced Persistent Threat, Nation State. Maturity stages A to E: (A) Reactive & Manual, (B) Tools-Based, (C) Integrated Picture, (D) Dynamic Defense, (E) Resilient Enterprise. Markers indicate where Most Organizations sit, where HSX is Currently, and the HSX Target.]

  5. Privacy and Security Activities 2018
  • Accomplishments
    • Vulnerability Testing
      • Q1 Internally, Q2 3rd Party, Q3 Internally, Q4 3rd Party
    • Onpoint CPC+ Services April 2018
    • Provider API Services April 2018
    • HSX MarketStreet APIs
    • Selected 2nd 3rd Party Security Consulting Firm: BTB and Meditology
    • Table Top Exercises Held May 4, 2018 and October 16, 2018
    • Cyber Liability Insurance Coverage Increased from $5M to $15M
    • Reduced Number of HSX Administrators to NextGen Environments
    • Enabled 2 Factor Authentication for NextGen Connect
    • Enabled DNSSEC Security on HSX Domain Names

  6. Privacy and Security Activities 2018
  • Accomplishments Continued
    • Attended Protenus PANDAS User Group May 2nd and 3rd
    • Data Loss Prevention (DLP) for Office 365 and Sophos
    • Outside Email Warning On All Incoming Email
    • Filtering Email from Non-US Locations
    • HITRUST 9.1 Certification Requirements Gap Analysis
      • Large Gap from 8.X to 9.1; Almost Like Starting Over
    • Email Phishing Testing
    • Disable All Mailbox Email POP3 and IMAP4 Access
    • Disable Administrative Mailboxes Email Mobile Device and MAPI Access (Only Web Access, and Requires 2 Factor Authentication)
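The two mailbox-hardening items on this slide (POP3/IMAP4 off for every mailbox, administrative mailboxes limited to web access) as an added example; this is not HSX's or the presenter's code. It assumes the mailboxes live in Exchange Online (the deck mentions Office 365 DLP) and uses the ExchangeOnlineManagement module; the UPNs are placeholders. The 2-factor requirement on web access is enforced separately (Conditional Access) and is not part of this script.

```powershell
# Added example, not from the presentation. Assumes Exchange Online and the
# ExchangeOnlineManagement module; all UPNs below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.org'   # placeholder; prompts for MFA

# 1. Disable POP3 and IMAP4 on every existing mailbox.
Get-EXOMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# Also turn the protocols off in the mailbox plans so newly created
# mailboxes inherit the setting instead of reopening the gap.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 2. Administrative mailboxes: Outlook on the web only.
#    No mobile device sync (ActiveSync) and no MAPI (Outlook desktop).
$adminMailboxes = @('admin-alice@example.org', 'admin-bob@example.org')  # placeholders
foreach ($upn in $adminMailboxes) {
    Set-CASMailbox -Identity $upn -ActiveSyncEnabled $false -MAPIEnabled $false -OWAEnabled $true
}

# 3. Verify: any mailbox still exposing POP3 or IMAP4 is listed here.
#    After the change this should return nothing; schedule it as a recurring check.
Get-CASMailbox -ResultSize Unlimited -Filter {PopEnabled -eq $true -or ImapEnabled -eq $true} |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled
```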

  7. Privacy and Security
  • Audit and Monitoring Incidents
    • 10 Violations: Family Members and Self Lookup
    • 34 Non-Violations: Random, Self Lookup, Suspicious Activity
  • Next Priorities
    • DMARC Email Security
    • HITRUST Annual Update
      • Random Controls from 19 Domains
    • HITRUST 2019 Re-Certification
      • CSF v8.1 Measures: 320 Completed
      • CSF v9.1 Measures: 289 Completed, 31 Retired, 379 New

  8. Brian Selfridge, Meditology

  9. On the Radar: Key Security Questions for Boards in 2019
  • 1. Are we complying with HIPAA and other regulations?
    • Scope of annual risk analyses
    • Tracking ongoing risks
    • Review of new regulations like GDPR
  • 2. Are we appropriately managing information risk?
    • Multi-year strategic plan(s)
    • Data aggregation, data governance, & communication
    • Mergers, acquisitions, affiliations
    • Identification and retention of security expertise
    • Measuring the program against security standards
    • Third party vendor security risk
    • Unmanaged devices (e.g. IoT, medical devices)
    • Insider threats

  10. On the Radar: Key Security Questions for Boards in 2019
  • 3. Are we prepared for a cyber attack?
    • Incident response planning
    • Testing the plan and including stakeholders from member organizations and the business
    • Preparation for emerging threats (e.g. ransomware, social engineering, hacking attacks)
    • Analysis of prior security incidents
    • Cyber threat intelligence sharing

  11. Lena Licata, EisnerAmper

  12. A few statistics
  • The 2018 Verizon Data Breach Investigations Report (DBIR) provides visibility into the state of security and why breaches occur.

  13. Migration to the Cloud
  • The trend in today’s environment is to outsource responsibilities to firms that focus on and specialize in various areas, as well as to move data, systems and applications to the cloud.
  • While there are many advantages in this model, one key responsibility of management is to understand the risks at the companies with which they share data.
  • The formal program to do so is called Vendor Risk Management. We all remember the Target data breach, but who can remember the name of the HVAC company that put Target at risk?

  14. Data Mapping
  • Vendor Risk Management starts with data mapping:
    • What systems do I have?
    • What data is in those systems?
    • What classification is that data? Secret? Public?
    • Where does that data transmit to? Within the company or externally?
    • What controls do I have on data transmission?
    • If data transmits externally, what controls exist at the external location? Have I done a vendor review?
  • Once we know what data we have, we can then identify which vendors we share that data with and via what methods.

  15. Vendor Risk Management
  Control vendor access to systems and sensitive information
  • Clients, vendors and business partners have various reasons for access to systems and information.
  • Protect information assets by assigning IT security to specifically monitor activities of vendors accessing any network and hardware (e.g. hard drives).
  • For all vendors receiving PII or PHI, perform IT risk assessments that evaluate the controls and safeguards the vendor has in place to ensure that information assets are protected from unauthorized access.
  • Understand the control environment of external hosting providers.

  16. Regularly Monitor and Assess
  • VRM should be a component of selecting vendors for services, as well as a periodic evaluation of current vendors.
  • Contracts with all vendors should include a clause that gives HSX the “right to audit” where HSX deems necessary, depending on the services.
  • Observations noted during assessments should be tracked to remediation with the vendor.
  • Vendors should be re-assessed according to the risk level determined at the completion of their first assessment.
  • Various industry tools can assist with the assessments: CyberGRX, CENTRL, Shared Assessments, etc.

  17. John Abella, Main Line Health

  18. Proactive Security
  • Healthcare is focused on preventative care.
  • Why shouldn’t Information Security be the same?

  19–25. Proactive Security (one build slide per step)
  • Steps toward achieving zero malware infections in an 18-month period:
    • No web-based email allowed: no exceptions*
    • Aggressive anti-spam, anti-phishing, and anti-malware rules
    • Email-based URL re-writing
    • Cloud-based internet gateway with aggressive configurations
    • Purple team exercises where adversaries try to get malicious email / URLs past our defenses
    • Aggressive internal phishing testing program
    • HR sanction policy that ends in termination for repeat offenders

  26. Proactive Security
  • Everyone wants my data; how do we know who to trust with it?
    • Using a third party security rating agency for a first pass on all new vendors
    • Have a security questionnaire that we designed that helps us understand how each vendor handles security
    • Have a 21-point security rider that goes on all new contracts
    • Need to be willing to terminate agreements or switch vendors when someone doesn’t have appropriate controls
    • Have transitioned to a ‘zero tolerance’ model for sending SSNs out of house (this breaks a lot of things)

  27. Brian Wells, Merlin International

  28. Customers
  Leading cybersecurity solutions provider to healthcare
  • Endpoint discovery and control
  • CASB
  • Identity
  • Security Analytics and Intelligence
  • Managed Security Services (MSSP)
  • Founded 1997
  • Core competency: Cybersecurity
  • 70+ employees
  • Over $2B in technology products sold since company founding

  29. Consumer Data Security Concerns
  • Patient supplied data
    • Secondary use
    • Research
    • Population health
    • Other Market Street partner applications
  • Patient sharing of HSX hosted data
    • Apple Health Records
    • Embleema (patient-owned data on a blockchain for secure sharing and monetization)
    • Patients should be notified that they own the risk of sharing HSX data
  • User access requirements
    • Identity
    • Proxy access
      • Elder children
      • Parents
  • Disposition of deceased patient data
    • Source of mortality data?

  30. Participant Data
  • Data to be stored but not shared via HIE
    • Genetics?
    • Research data?
    • Need to define allowable data categories
  • Third party use of participant data
    • Who vets third party compliance?
    • Nearly all startups will use cloud infrastructure
  • What if a participant’s risk tolerance is lower than HSX’s?
    • HSX’s standards should prevail

  31. Discussion Questions

  32. Discussion Questions
  • From a board perspective, what topic items would you recommend they focus on?
  • What are the biggest risks you see, from your perspective, for privacy and security?
  • Are there any trends you are seeing from a security viewpoint?
  • Without naming names, are there any interesting incidents that you have observed that are relevant?
