Csa presentation november 2016 sloane ghx

Post on 21-Jan-2017


Fixing the breakdown between securing your Business, your Customers and your Data

SLOANE STRICKER, CSO, GLOBAL HEALTHCARE EXCHANGE

Yeah, that’s right. I’m going to talk about security.

Well… data security, that is.

Intro

Hospitals and healthcare systems are under increasing regulatory demands to protect patient data, while at the same time sharing data to improve coordination of patient care. How do we really ensure our data security and help our customers meet these stringent regulatory requirements? How does technology help, hinder or even obfuscate this? How can companies – not just in healthcare – implement and maintain a real-world, proactive security framework that ensures compliance, customer obligations and true data protection?

COMPLIANCE AGREEMENTS PROTECTION

Topics

• Real world security & compliance
  1. To be compliant (i.e. pass the audit)
  2. To get customers (i.e. trust and competency)
  3. To protect assets (i.e. really protect your data)

• But…, there are continuous changes and shifts in the security landscape
  • Compliance and Consequences
  • Technology
  • Attackers
  • Customer Expectations

• How?
  • The right Controls, the right Compliance and the right Commitment

Real Security?

VS

AN ERA OF CHANGE IN SECURITY

Compliance and Consequences

Technology

Attackers

Customer Expectations

SHIFT: COMPLIANCE AND CONSEQUENCES

• The business has to adhere to regulations, guidelines, standards, etc.
  • HIPAA, HITECH, PCI DSS, GLBA, BASEL II, SOX, etc.
  • EU Privacy laws, …, and many more state or international standards

• Internal and external Audits (like OCR’s new HIPAA Audit Program) are changing the economics of risk and creating “impending events”
  • Possible OCR HIPAA audits according to the new HIPAA Privacy, Security, & Breach Notification Audit Program
  • St Joseph’s Health System hit with $2.14 penalty last month

Hackers may attack you but auditors will show up

SHIFT: TECHNOLOGY

• Shifts in worker mobility and devices are redefining the IT landscape

• Shifts from on-premise to SaaS, PaaS and IaaS (e.g. cloud)
  • Cloud is changing our notion of a perimeter
  • System communication is fundamentally changing
  • Many transactions occur over HTTP/HTTPS
  • The security model is shifting from good people vs. bad people to enabling partial trust

• Can’t mitigate every possible risk

You may get hacked but you will get impacted

SHIFT: ATTACKERS

• Cyber criminals are becoming organized and motive-driven
  • An entire underground economy exists to support cybercrime
  • Ransomware and blackmail
  • Disruption, exposure and embarrassment

• Attackers are shifting their methods to exploit both technical and human weaknesses

• Attackers are after much more than monetizable data
  • Hacktivism
  • State-sponsored attacks
  • IP attacks / breaches

If you do get hacked, how much will it actually cost you?

SHIFT: CUSTOMER EXPECTATIONS

• Customers are starting to use security as a discriminator

• In many ways security has become a non-negotiable expectation

• Security being woven into Service Level Agreements (SLAs)

  • As well as HA, DR and BCP availability levels and assurance

• Price, process maturity and scale can only go so far
  • “Assurance” is also key
  • Customer requested questionnaires and on-site visits

If you don’t get the upper hand of trust fast, someone else will

So how do we cover all this so we can do business?

• Enterprise Security Architecture
  • Encryption at-rest/in-flight
  • Fine grain role based access/permissions
  • Every access/every action captured for audit, control, security

• Audit ready reporting
  • Audits, Certs and Assessments
  • SOC-1, SOC-2, PCI
  • HIPAA - HITECH
  • Global Privacy Regulatory

THE MINIMUM SECURITY AND AUDIT

1. How do you or your service provider(s) ensure that sensitive data is protected?

2. Can you or they provide a SOC1 (SSAE16) Report, a SOC2 Report, and/or a Business Associate Agreement (and the BAA must be updated for the new OCR rules)?

3. What Security and Controls framework/guidelines do you or they follow?

4. Do you or they maintain a dedicated security team and proactively assess risk and vulnerabilities?

5. Do you or they provide incident response or service availability SLAs, targets and/or historical baselines?

6. Are you or they prepared for possible audits like the new OCR HIPAA audit or customer inquiry?


Are you and/or your partners, providers and customers secure?

Working with Customers or Providers

• Integrating Security Controls & Ecosystem
  – Develop a coordinated information security and business relationship
  – Ensure a complete understanding of the GHX platform & processing
  – GHX and client-side due diligence and scoping of sensitive data
  – Understand applicable U.S. federal, state, and international compliance requirements
  – Providing Documentation such as SOC 1 Report and PCI Compliance Attestation
  – Sign Business Associate Agreements (BAA) to help customers meet HIPAA / HITECH obligations
  – Conduct security reviews for customers if applicable
  – Ensure all needs, requests and agreements are in place to begin business and realize value

Securing with Customers or Providers

Trust & Advantage
  1. Security Position(s)
  2. Customer’s Security Needs
  3. Provide Answers Quickly

Assurance & Evidence
  1. Provide SOC Report & BAA
  2. Security Team Meetings and Additional Questions

Value & Engagement
  1. Implement Quickly with Security Aspects in Place
  2. Realize value on both sides

So how do we handle all these new vulnerabilities?

FORCES IMPACTING SECURITY POSTURE

Security Posture
  • Evolving Endpoints
  • Dissolving Perimeters
  • Encrypted Traffic Visibility
  • New Security Control Adaptation
  • Complexity of Privacy
  • Incident Response

Other Key Best-Practices

• Understanding Vulnerabilities
• SDLC Security integrated
• Product Security Requirements
• Awareness of ops, support
• Deployment & Updates
• Market Requirements
• Threat Modeling
• Gather Customer Requirements

SecOps and a Security mindset to think and test like a hacker…

• Security Team
• Security Council
• Security Leadership
• Security as a Service
• Security Value Proposition

MODERN ENTERPRISE DEFENSE IN DEPTH

• Foundational Defense in Depth
  • Multiple layers of defense
  • Consistency of application
  • Diversity of layers

• New Requirements
  • Deployment Agnostic
  • Competency in Failure
  • Take Action on Noisy Threat Intelligence

• Extended Enterprise Security
  • Advanced Malware Scanning
  • “Hunting” Capabilities
  • BYOD/CYOD defenses
  • Cloud Application Security
  • Mobility Defense in Depth

• Coverage & Adjustability
  • New requirements
  • New Threats
  • New Technologies

Get Proactive!

• SSO / Access Control
• Authentication
• Authorization
• Encryption in Flight
• Encryption at Rest
• Certificate Management
• Complete Audit History
• User and System Logs

ADVANCED SECURITY

Must move from reactive security to proactive security

So how do we stay compliant?

Key Compliance Aspects

• Guidelines and Requirements
• Monitoring and Alerting
• Audit trails and logging
• Documentation and Reports

Must move from knock-on-wood to safe harbor position

• Functional Controls
  • Assess, identify, treat and reduce security vulnerabilities & risk to meet HIPAA / HITECH compliance and SSAE16 / SOC 1 reporting obligations

• Administrative Controls
  • Policies, procedures, training and agreements protecting confidential and competitively sensitive data and intellectual property

• Process Controls
  • Regular reviews, maintenance and external audits of security policies, procedures, and controls including incident response

• Physical Controls
  • Access restrictions, identification requirements, monitoring and alarms

• Technical Controls
  • Access management, vulnerability management, intrusion detection and prevention, logging and monitoring, malicious code protective measures, encryption, configuration management, penetration testing, network access control, high availability and business continuity

• External Audit
  • SOC 1, SOC 2, AT-101 annual audits and reports regulated and set by the AICPA’s Statement on Standards for Attestation Engagements No. 16 (SSAE16)

THE RIGHT CONTROLS AND AUDITS

Provide this documentation up front and build customer confidence early!

“If we have data, let’s look at data. If all we have are opinions, let’s go with mine.”

― Jim Barksdale

Questions

or

“Stump the Presenter”