4T Ways to Better Protect Patient Data

1. 4T Ways to Better Protect Patient Data Ryan Witt @WittRZ +1.650.492.3480 rzwitt@gmail.com

2. Healthcare Growth Acceleration • Value Proposition Development • Healthcare Cybersecurity Strategy • Healthcare Industry Marketing • Go to Market Strategy • Business Development • Product Alignment • Thought Leadership & Evangelism About The Speaker Board Member Security & Privacy Workgroup Leader Ryan Witt @WittRZ +1.650.492.3480 rzwitt@gmail.com Member www.losaltosconsulting.com Member

3. The 4Ts… Training Timely Updates Testing Technology

4. State of Healthcare – 20162016 Healthcare Cybersecurity Reports – HIMSS / Ponemon

5. Healthcare’s Evolving Threat Landscape 2016 Ransomware 2015 Phishing 2017 Medical Devices FBI – Healthcare is the country’s most vulnerable industry to cyber threats.

6. Well, how did we get here… EMR Focus Pace of Change Well… Check the Box

7. Transforming Healthcare Retail Clinics Wellness Programs Hospitals at Home HOSPITAL Home Monitoring Health Kiosks TeleHealth Services Mobile Care Services Wearable Med Devices

8. Healthcare Industry Vulnerability 89% 45% 69% Healthcare had at least one breach in last 2 years Healthcare had at least two breaches in last 2 years Healthcare believe that they are more vulnerable

9. Training 69% HC says employee negligence is of great concern 44% say Healthcare lacks key security skills Training • “Human-ware” still biggest challenge • Phishing attacks very successful • Over-focus on compliancy • “Something for nothing” gullibility persists • Don’t click the link!!!!! • Many free resources available 52% have made security training investments 48% of ID theft occurs through unintended employee action

10. Number of US Acute Care Hospital Without Deployed Security Technology Technology Technology Responders believe that security technology is adequate 54% 2016 HIMSS Cybersecurity Survey

11. Recent Guidance • 63% of the 27 biggest U.S. hospitals have a grade of C or lower in patching cadence– Ponemon Report 2016 Timely Updates • Use of unpatched or unsupported software on systems which access ePHI could introduce additional risk into an environment. • Continued use of such systems must be included within an organization’s risk analysis and mitigation strategies • EMR systems and office productivity software, software which should be monitored for patches and vendor end-of-life for support include: • Router and firewall firmware • Anti-virus / anti-malware software • Multimedia and runtime environments (e.g., Adobe Flash, Java, etc. Timely Updates

12. 43% of responders have no set testing schedule • 41% of responders perform vulnerability tests annually Proactive Vs. Reactive Cybersecurity Motivation (% of respondees) Testing Testing

13. Get proactive on network security • Have a Security Risk Assessment • Develop a Cybersecurity Strategic Plan • Secure Hospital Board Buy in • Focus on the 4T’s!!! Recommendations

14. Cloud Usage NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems NIST Special Publication 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule NIST Special Publication 800-77: Guide to IPsec VPNs NIST Special Publication 800-88: Computer Security NIST Special Publication 800-111: Guide to Storage Encryption Technologies for End User Devices NIST Special Publication 800-113: Guide to SSL VPNs Federal Information Processing Standards Publication 140-2  NIST HIPAA Security Toolkit Application NIST Cyber Security Framework to HIPAA Security Rule Crosswalk Resources…information is readily available http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

15. Q&A www.losaltosconsulting.com Ryan Witt @WittRZ +1.650.492.3480 rzwitt@gmail.com