csa presentation november 2016 sloane ghx
![Page 1: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/1.jpg)
Fixing the breakdown between securing your Business, your Customers and your Data
SLOANE STRICKER, CSO, GLOBAL HEALTHCARE EXCHANGE
![Page 2: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/2.jpg)
Yeah that’s right. I’m going to talk about security
Well,…, data security that is
![Page 3: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/3.jpg)
Intro
Hospitals and healthcare systems are under increasing regulatory demands to protect patient data, while at the same time sharing data to improve coordination of patient care. How do we really ensure our data security and help our customers meet these stringent regulatory requirements? How does technology help, hinder or even obfuscate this? How can companies – not just in healthcare – implement and maintain a real-world, proactive security framework that ensures compliance, customer obligations and true data protection?
COMPLIANCE AGREEMENTS PROTECTION
![Page 4: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/4.jpg)
Topics
• Real world security & compliance
  1. To be compliant (i.e. pass the audit)
  2. To get customers (i.e. trust and competency)
  3. To protect assets (i.e. really protect your data)
• But…, there are continuous changes and shifts in the security landscape
  • Compliance and Consequences
  • Technology
  • Attackers
  • Customer Expectations
• How?
  • The right Controls, the right Compliance and the right Commitment
![Page 9: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/9.jpg)
Real Security?
VS
![Page 10: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/10.jpg)
AN ERA OF CHANGE IN SECURITY
Compliance and Consequences
Technology
Attackers
Customer Expectations
![Page 11: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/11.jpg)
SHIFT: COMPLIANCE AND CONSEQUENCES
• The business has to adhere to regulations, guidelines, standards, etc.
  • HIPAA, HITECH, PCI DSS, GLBA, BASEL II, SOX, etc.
  • EU Privacy laws, …, and many more state or international standards
• Internal and external Audits (like OCR’s new HIPAA Audit Program) are changing the economics of risk and creating “impending events”
  • Possible OCR HIPAA audits according to the new HIPAA Privacy, Security, & Breach Notification Audit Program
  • St Joseph’s Health System hit with $2.14 penalty last month
Hackers may attack you but auditors will show up
![Page 12: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/12.jpg)
SHIFT: TECHNOLOGY
• Shifts in worker mobility and devices are redefining the IT landscape
• Shifts from on-premise to SaaS, PaaS and IaaS (e.g. cloud)
  • Cloud is changing our notion of a perimeter
• System communication is fundamentally changing
  • Many transactions occur over HTTP/HTTPS
  • The security model is shifting from good people vs. bad people to enabling partial trust
• Can’t mitigate every possible risk
You may get hacked but you will get impacted
![Page 13: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/13.jpg)
SHIFT: ATTACKERS
• Cyber criminals are becoming organized and motive-driven
  • An entire underground economy exists to support cybercrime
  • Ransomware and blackmail
  • Disruption, exposure and embarrassment
• Attackers are shifting their methods to exploit both technical and human weaknesses
• Attackers are after much more than monetizable data
  • Hacktivism
  • State-sponsored attacks
  • IP attacks / breaches
If you do get hacked, how much will it actually cost you?
![Page 14: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/14.jpg)
SHIFT: CUSTOMER EXPECTATIONS
• Customers are starting to use security as a discriminator
  • In many ways security has become a non-negotiable expectation
• Security being woven into Service Level Agreements (SLAs)
  • As well as HA, DR and BCP availability levels and assurance
• Price, process maturity and scale can only go so far
  • “Assurance” is also key
  • Customer requested questionnaires and on-site visits
If you don’t get the upper hand of trust fast, someone else will
![Page 15: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/15.jpg)
So how do we cover all this so we can do business?
![Page 16: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/16.jpg)
THE MINIMUM SECURITY AND AUDIT
• Enterprise Security Architecture
  • Encryption at-rest/in-flight
  • Fine grain role based access/permissions
  • Every access/every action captured for audit, control, security
• Audit ready reporting
  • Audits, Certs and Assessments
  • SOC-1, SOC-2, PCI
  • HIPAA - HITECH
  • Global Privacy Regulatory
![Page 17: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/17.jpg)
1. How do you or your service provider(s) ensure that sensitive data is protected?
2. Can you or they provide a SOC1 (SSAE16) Report, a SOC2 Report, and/or a Business Associate Agreement (and the BAA must be updated for the new OCR rules)?
3. What Security and Controls framework/guidelines do you or they follow?
4. Do you or they maintain a dedicated security team and proactively assess risk and vulnerabilities?
5. Do you or they provide incident response or service availability SLAs, targets and/or historical baselines?
6. Are you or they prepared for possible audits like the new OCR HIPAA audit or a customer inquiry?
Are you and/or your partners, providers and customers secure?
![Page 18: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/18.jpg)
Working with Customers or Providers
• Integrating Security Controls & Ecosystem
  – Develop a coordinated information security and business relationship
  – Ensure a complete understanding of the GHX platform & processing
  – GHX and client-side due diligence and scoping of sensitive data
  – Understand applicable U.S. federal, state, and international compliance requirements
  – Providing Documentation such as SOC 1 Report and PCI Compliance Attestation
  – Sign Business Associate Agreements (BAA) to help customers meet HIPAA / HITECH obligations
  – Conduct security reviews for customers if applicable
  – Ensure all needs, requests and agreements are in place to begin business and realize value
![Page 19: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/19.jpg)
Securing with Customers or Providers
Trust & Advantage
1. Security Position(s)
2. Customer’s Security Needs
3. Provide Answers Quickly
Assurance & Evidence
1. Provide SOC Report & BAA
2. Security Team Meetings and Additional Questions
Value & Engagement
1. Implement Quickly with Security Aspects in Place
2. Realize value on both sides
![Page 20: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/20.jpg)
So how do we handle all these new vulnerabilities?
![Page 21: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/21.jpg)
FORCES IMPACTING SECURITY POSTURE
Security Posture
• Evolving Endpoints
• Dissolving Perimeters
• Encrypted Traffic Visibility
• New Security Control Adaptation
• Complexity of Privacy
• Incident Response
![Page 22: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/22.jpg)
Other Key Best-Practices
• Understanding Vulnerabilities
• SDLC Security integrated
• Product Security Requirements
• Awareness of ops, support
• Deployment & Updates
• Market Requirements
• Threat Modeling
• Gather Customer Requirements
SecOps and a Security mindset to think and test like a hacker…
• Security Team
• Security Council
• Security Leadership
• Security as a Service
• Security Value Proposition
![Page 23: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/23.jpg)
MODERN ENTERPRISE DEFENSE IN DEPTH
• Foundational Defense in Depth
  • Multiple layers of defense
  • Consistency of application
  • Diversity of layers
• New Requirements
  • Deployment Agnostic
  • Competency in Failure
  • Take Action on Noisy Threat Intelligence
• Extended Enterprise Security
  • Advanced Malware Scanning
  • “Hunting” Capabilities
  • BYOD/CYOD defenses
  • Cloud Application Security
  • Mobility Defense in Depth
• Coverage & Adjustability
  • New requirements
  • New Threats
  • New Technologies
Get Proactive!
![Page 24: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/24.jpg)
ADVANCED SECURITY
• SSO / Access Control
• Authentication
• Authorization
• Encryption in Flight
• Encryption at Rest
• Certificate Management
• Complete Audit History
• User and System Logs
![Page 25: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/25.jpg)
Must move from reactive security to proactive security
![Page 26: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/26.jpg)
So how do we stay compliant?
![Page 27: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/27.jpg)
Key Compliance Aspects
• Guidelines and Requirements
• Monitoring and Alerting
• Audit trails and logging
• Documentation and Reports
Must move from knock-on-wood to safe harbor position
![Page 28: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/28.jpg)
THE RIGHT CONTROLS AND AUDITS
• Functional Controls
  • Assess, identify, treat and reduce security vulnerabilities & risk to meet HIPAA / HITECH compliance and SSAE16 / SOC 1 reporting obligations
• Administrative Controls
  • Policies, procedures, training and agreements protecting confidential and competitively sensitive data and intellectual property
• Process Controls
  • Regular reviews, maintenance and external audits of security policies, procedures, and controls including incident response
• Physical Controls
  • Access restrictions, identification requirements, monitoring and alarms
• Technical Controls
  • Access management, vulnerability management, intrusion detection and prevention, logging and monitoring, malicious code protective measures, encryption, configuration management, penetration testing, network access control, high availability and business continuity
• External Audit
  • SOC 1, SOC 2, AT-101 annual audits and reports regulated and set by the AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE16)
![Page 29: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/29.jpg)
Provide this documentation up front and build customer confidence early!
![Page 31: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/31.jpg)
“If we have data, let’s look at data. If all we have are opinions, let’s go with mine.”
― Jim Barksdale
![Page 32: Csa presentation november 2016 sloane ghx](https://reader036.vdocuments.us/reader036/viewer/2022070513/58836cd61a28ab536b8b6775/html5/thumbnails/32.jpg)
Questions
or
“Stump the Presenter”