#518 - CSB IT Security: A Practical and Modular Approach to Information Security
Chris Baldwin | Bruce Hall | Tyler Wrightson
Anthem Breach
Office for Civil Rights Fines
HITECH Breach Enforcement
Meaningful Use Audits
Phishing Exploits | Internet Links | Downloads | Mobility
HIPAA | HITECH | Omnibus Rule
Personal Information Security Concerns
Policy Development
Contingency Plans
CSB IT Security
Administrative Safeguards
Technical Safeguards
Physical Safeguards
Solving “The Hacker Problem”
Effective Security Management
Goals for Today – Building an Effective Security Program
About CSB IT Security
Compliance vs. Security
Maturity Level Continuum – Where are you?
A Modular Approach to Information Security
CSB Security Solutions -- Offerings
Questions
About: CSB IT Security
Established in 2012
Chris Baldwin, Bruce Hall, Tyler Wrightson
Experience: HIPAA Risk Assessments, OCR Breach Investigation, CMS Meaningful Use Audits, Program Development, Technical Assessments, Awareness and Training, Social Engineering/Testing
Clients: Hospitals, Physician Practices, IPAs, Managed Care Entities, Business Associates
Healthcare Experience | Compliance Experience | Security Experience
Compliance vs. Security
Compliance
HIPAA Security Rule
HITECH Breach Notification and Enforcement
OCR Investigations and penalties
OCR Pilot Audits
HIPAA Final Omnibus Rule
OCR Audit Program – 2015….
State Specific laws – Protected Health Information | Personal Information
Don’t forget Payment Card Information (PCI 3.0)
Compliance : OCR FINDINGS: TOP ISSUES
Compliance: RESOLUTIONS BY YEAR AND TYPE
Compliance: Standards
NIST 800-66 Introductory Resource Guide to the HIPAA Security Rule
NIST 800-30 Guide for Conducting Risk Assessments
NIST 800-34 Contingency Planning – Federal Information Systems
CMS Guide On Conducting a Risk Analysis
ONC Guide to Privacy and Security of Electronic Health Information
NIST 800-111 Guide to Storage Encryption
Office for Civil Rights Audit Protocols
Compliance: Gotchas….
Breach | OCR | Self-Reporting | Patient Complaint | Business Associate
Physical, Technical and Administrative Safeguards
Comprehensive Risk Assessment
Policies and Procedures
Laptop Encryption
Contingency Plans
Access Control Auditing
Storage and Transmission – Data Loss Prevention
Privacy! No longer 2% of separation
Beyond Compliance to Security
Home Security: Your neighborhood….
“Threats” and “vulnerabilities”
“Likelihood” and “impact”
Setting priority based upon risk….
If a burglar were standing in your living room in the middle of the night, would you know it?
Focusing on Security
CEOs are asking: Could the Anthem breach or the Target breach or the Partners breach happen to us?
Compliant and Secure!
CSB IT Security
Building Block Approach to Information Security
CSB IT Security – Maturity Model
Governance
Risk Assessment and ongoing security roadmap
Comprehensive approach to physical, technical and administrative safeguards
Policies and procedures that are practical, effective and compliant
Workforce security – awareness and training – social engineering and testing with real-time feedback
Integrated contingency planning and incident response
Real-time vulnerability management and threat detection
A Modular Approach to Information Security
CSB Security Offerings
Security Management | “The Hacker Threat”
Security Management
Risk Assessment – Measurable Results
Security Management
Building Effective Governance – Managing the Security Agenda
Information Privacy and Security Committee Charter
Purpose | Committee Authority | Membership | Objectives | Meeting Frequency | Documentation
Security Management
Policies and Procedures
Security Management
Awareness and Training
Using metrics to change behavior
Periodic phishing tests (Social Engineering)
Pass / Fail metrics
Willingness to provide credentials
Use of tests that seem real – “trickery”
Scoring by individual
Immediate feedback and training loop
Quote: “I was one of those who entered my UserID and password – I won’t do that again”
Security Management
CSB approach – we understand healthcare….
“Partners Healthcare Data Breach Affects 3,300 Patients”
Phishing test:
“Now that we are nearing the end of Flu season, we need your help in responding to a Joint Commission Survey” – Please enter your network credentials….
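The slides above describe scoring phishing tests per individual (pass/fail, willingness to provide credentials, an immediate feedback loop) and using the numbers to change behavior. The following is an added example, not code from the CSB deck, showing one way to turn raw campaign results into those metrics: a per-person grade for each round, an organization-wide click and credential-entry rate, a trend between rounds, and the list of people who failed every round and need targeted follow-up. All names, departments and results are constructed.

```python
# Added example (not from the CSB deck): scoring periodic phishing tests by
# individual, with an org-wide trend and a list of people who need the
# immediate feedback-and-training loop. All names and results are constructed.
from collections import defaultdict

# Constructed results of two test rounds:
# (round, user, department, clicked_link, entered_credentials)
RESULTS = [
    (1, "alice", "Nursing", False, False),
    (1, "bob",   "Nursing", True,  True),
    (1, "carol", "Billing", True,  False),
    (1, "dave",  "Billing", True,  True),
    (1, "erin",  "IT",      False, False),
    (2, "alice", "Nursing", False, False),
    (2, "bob",   "Nursing", True,  False),
    (2, "carol", "Billing", False, False),
    (2, "dave",  "Billing", True,  True),
    (2, "erin",  "IT",      False, False),
]


def grade(clicked: bool, entered_credentials: bool) -> str:
    """Pass/fail for one person in one round; handing over credentials is the worst outcome."""
    if entered_credentials:
        return "FAIL-credentials"
    if clicked:
        return "FAIL-click"
    return "PASS"


def round_metrics(results, rnd):
    """Click rate and credential-entry rate for one round (the 'willingness to provide credentials')."""
    rows = [r for r in results if r[0] == rnd]
    if not rows:
        raise ValueError(f"no results for round {rnd}")
    tested = len(rows)
    return {
        "tested": tested,
        "click_rate": sum(1 for r in rows if r[3]) / tested,
        "credential_rate": sum(1 for r in rows if r[4]) / tested,
    }


def scores_by_individual(results):
    """{user: {round: grade}} so each person can be shown their own history."""
    scores = defaultdict(dict)
    for rnd, user, _dept, clicked, creds in results:
        scores[user][rnd] = grade(clicked, creds)
    return dict(scores)


def needs_followup(results):
    """Users who failed every round they were tested in: targeted training, not just the generic reminder."""
    return sorted(user for user, history in scores_by_individual(results).items()
                  if all(g != "PASS" for g in history.values()))


def trend(results, earlier, later):
    """Change in credential-entry rate between two rounds; negative means behavior improved."""
    return (round_metrics(results, later)["credential_rate"]
            - round_metrics(results, earlier)["credential_rate"])


def department_credential_rate(results, rnd):
    """Credential-entry rate per department, to aim awareness sessions where they are needed."""
    totals, fails = defaultdict(int), defaultdict(int)
    for r, _user, dept, _clicked, creds in results:
        if r == rnd:
            totals[dept] += 1
            fails[dept] += int(creds)
    return {dept: fails[dept] / totals[dept] for dept in totals}


if __name__ == "__main__":
    for rnd in (1, 2):
        print(f"round {rnd}:", round_metrics(RESULTS, rnd))
    print("credential-rate change round 1 -> 2:", trend(RESULTS, 1, 2))
    print("needs targeted follow-up:", needs_followup(RESULTS))
    print("round 2 by department:", department_credential_rate(RESULTS, 2))
```

Clicking and entering credentials are tracked as separate events on purpose: the credential-entry rate is the number that maps most directly to account compromise, and it is the one worth reporting to the committee round over round.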
Security Management
Social Engineering Testing
Category | Definition
Low
Loss of confidentiality, integrity, or availability would have a limited adverse impact and might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with noticeably reduced effectiveness; (2) result in minor damage to organizational assets; (3) result in minor financial loss; or (4) result in minor harm to individuals.
Moderate
Loss of confidentiality, integrity, or availability would have a serious adverse impact and might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with significantly reduced effectiveness; (2) result in significant damage to organizational assets; (3) result in significant financial loss; or (4) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
High
Loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse impact and might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
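The "Beyond Compliance to Security" slides frame risk as threats and vulnerabilities rated by likelihood and impact, with priority set by the resulting risk; the table above supplies the impact categories. The following is an added example, not code from the CSB deck, that carries that reasoning through in code: each finding gets a likelihood and an impact rating, the two are combined into a risk level, and the findings are ordered into a roadmap. The three-level likelihood scale and the combination matrix are assumptions, simplified in the spirit of NIST SP 800-30 rather than taken from the slides, and the sample findings are constructed.

```python
# Added example (not from the CSB deck): turning likelihood and impact ratings
# into a prioritized risk list. The impact levels (Low / Moderate / High) follow
# the categories on this page; the likelihood scale and the combination matrix
# are assumptions, simplified in the spirit of NIST SP 800-30, not CSB's method.
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # ordered lowest to highest

# Row = likelihood, column = impact -> resulting risk level (assumed matrix).
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str         # who or what could cause harm
    vulnerability: str  # the weakness the threat would take advantage of
    likelihood: str     # Low / Moderate / High
    impact: str         # Low / Moderate / High, per the category table above


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact rating into a single risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def prioritize(findings):
    """Order findings highest risk first; ties broken by impact, then likelihood,
    so the items that could hurt patients most surface first."""
    def sort_key(f: Finding):
        return (LEVELS.index(risk_level(f.likelihood, f.impact)),
                LEVELS.index(f.impact),
                LEVELS.index(f.likelihood))
    return sorted(findings, key=sort_key, reverse=True)


def roadmap(findings):
    """Group the prioritized findings by risk level: the skeleton of a security roadmap."""
    grouped = {level: [] for level in reversed(LEVELS)}
    for f in prioritize(findings):
        grouped[risk_level(f.likelihood, f.impact)].append(
            f"{f.asset}: {f.threat} / {f.vulnerability}")
    return grouped


# Constructed sample findings for a small healthcare practice (illustrative only).
SAMPLE_FINDINGS = [
    Finding("Clinician laptops", "laptop stolen from a car",
            "full-disk encryption not enforced", "High", "High"),
    Finding("EHR server", "ransomware delivered by phishing",
            "backups online only; contingency plan untested", "Moderate", "High"),
    Finding("Server room", "tailgating into the server room",
            "door propped open during deliveries", "Moderate", "Moderate"),
    Finding("Lobby kiosk", "vandalism of the check-in kiosk",
            "kiosk unattended in a public lobby", "High", "Low"),
    Finding("Guest Wi-Fi", "eavesdropping on guest traffic",
            "guest network already isolated from the clinical VLAN", "Low", "Low"),
]

if __name__ == "__main__":
    for level, items in roadmap(SAMPLE_FINDINGS).items():
        print(level)
        for item in items:
            print("  -", item)
```

The point of the tie-break is that two findings with the same risk level are not interchangeable: an unencrypted laptop (High impact, High likelihood) lands above a kiosk in the lobby (Low impact, High likelihood) even though both are worth fixing, which is the "measurable results" a risk assessment should hand to the committee.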
Security Management
Contingency Planning
“The Hacker Problem”
Penetration Testing – Mimicking the methods used by hackers and criminals to break into organizations to identify whether meaningful vulnerabilities exist
“The Hacker Problem”
Vulnerability Assessments – Assessments designed to identify all vulnerabilities present in key systems which are likely to be targeted by hackers
“The Hacker Problem”
Threat Detection – Real-time monitoring of key workstation, server and network systems which are likely to be targeted by hackers
Questions?
For assistance:
Text “HM” or “HT” to 508-817-7692
SM – Security Management / Administrative Assistance
HT – Hacker Threat Assistance
Call 508-213-4020, enter 1 for inquiries, or
email: [email protected], or
Join our email list: http://eepurl.com/bg0yY9, or
Browse to: www.csbitsolutions.com