Midwest HIMSS Fall Tech Conference: Preparing for Cyber Attacks

Online Tech is liveblogging from Milwaukee at Rock IT Around the Clock! That’s the theme for the HIMSS Midwest Area Chapters Fall Technology Conference November 10-12, where we’re exhibiting our HIPAA hosting solutions at booth #501. Here’s our takeaways from a session on cyber security:

Session: Cyber Attacks from Shanghai: Prepared?
Speaker: Ali Pabrai

Firewalls are our first line of defense!

Antivirus control

Many vulnerabilities enter the network via employees’ email activities.

Authentication control

This is a critical area
We struggle with password management and credential information. It can lead to more problems.

Key: Encrypt all passwords during transmission and storage on all system components. There are too many generic accounts (physician accounts, and nurse accounts, etc.)

Implement two-factor authentication for remote access.

We’re going to get more, not less remote access
When OCR does audits, one of the questions they ask is whether or not you have two-factor authentication.
Especially people who have to meet more than just HIPAA requrements (like PCI), it’s a mandate for other compliances

Audit Log consolidation control.

Establish process for linking all access to system components (especially privileged access such as root) to each individual.
Implement automated audit trails for all system components to reconstruct the event.
Secure these audit trails so they cannot be altered.

*****Keys: review logs for all system components at least daily, and retain audit trail history for at least one year, with a minimum of 3 months online availability

1 in 4 breaches lead to identity theft (in 2012)

Encryption: Last line of defense!!

Develop an encryption policy
Establish standards for encryption across data at rest and data in motion
Ensure enforcement of policy and standards across enterprise
Implement additional controls as needed

If there’s one control that should have the floodlights on it, it’s encryption. It’s one of the most important things to implement in 2014 and beyond. And encryption should be looked at from a dozen different places.

THE BOTTOM LINE: What is your enterprise standard for encryption, from mobile devices to cloud computing?

For consistency
During audits, a lot of inconsistency is found
The entire healthcare IT fabric is changing. From mobile, all the way to cloud. Lots of information is moving to the cloud.
It’s hard for information in the cloud to be meeting the requirements of the HIPAA rule.
You have to ensure that your BAAs have been updated to reflect the changes associated with CSPs.

Unsecured PII, Breach notification mandate:

Organizations must provide required breach notification
You have to encrypt or destroy your information.
Huge risks: copier breaches, lost USB devices, stolen laptops.
Cyber attacks are not highly targeted, thoroughly researched, amply funded, designed to evade detection, multi-modal/multi-step and tailored to a particular organization.

Assume that your organization might already have been compromised, and start from there. What have you deployed? You may have a firewall and antivirus, but if you don’t have two factor, or mobile device management or device encryption, there’s still work to be done.

Seven steps to enterprise security:

Security responsibility
Risk analysis
Security strategy and policies
Remediate
Secure third parties
Training (more robust and complete than just 30 minutes once a year)
Evaluate
THEN…REPEAT

This helps availability, integrity, and confidentiality.

“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” –The Art of War

Are you converting those security incidents into security intelligence?
***Get your enterprise security system security plan developed***