The NCTRC Webinar Series
Presented by The National Consortium of Telehealth Resource Centers
July 18th, 2019
Cybersecurity and Telehealth
Jordan Berg, Telehealth Technology Assessment Specialist, National Telehealth Technology Assessment Center, Alaska Native Tribal Health Consortium (ANTHC)
Julie Chua, Risk Management Branch Chief, HHS Office of Information Security
Our Mandate
- Provide FREE RESOURCES for Telehealth program development and sustainability
- Qualitative research with medical professionals, HPH, CIOs/CISOs, etc.

Our Future
- Become the leading collaboration center for developing healthcare cybersecurity focused resources
- Continue to build upon the HICP publication
- Develop new cybersecurity resources
What is the 405(d) Initiative?
To strengthen the cybersecurity posture of the HPH Sector, Congress mandated the effort in the Cybersecurity Act of 2015 (CSA), Section 405(d). It is an industry-led process to develop consensus-based guidelines, practices, and methodologies to strengthen the HPH sector’s cybersecurity posture against cyber threats.
In 2017 HHS convened the 405(d) Task Group, leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The 405(d) Task Group is convened by HHS and comprised of over 150 information security officers, medical professionals, privacy experts, and industry leaders.

405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)
HICP aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid Healthcare and Public Health organizations to develop meaningful cybersecurity objectives and outcomes. The four-volume publication includes a main document, two technical volumes, and resources and templates.
Medical Community Baseline
Qualitative research to establish the level of the health sector’s awareness and prioritization of cybersecurity.

Who is Participating
National pretesting sessions were both in-person and virtual, and feedback was gathered with focus groups of 9-15 participants via roundtable discussion. A total of 123 took part in the pretesting efforts.
7 focus groups: 4 in-person, 3 virtual.
[Map: U.S. states and territories covered by the pretesting sessions]
Series of one-on-
practitioners and practice administrators from the Northwest, Northeast, and Southeast
Threat: E-mail Phishing
E-mail phishing is an attempt to trick you into giving out information using e-mail. An inbound phishing e-mail includes an active link or file (often a picture or graphic). The e-mail appears to come from a legitimate source. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer.

Vulnerabilities:
- Lack of awareness training
- Lack of IT resources for managing suspicious e-mails
- Lack of software scanning e-mails for malicious content/bad links
- Lack of e-mail detection software testing for malicious content
- Lack of e-mail sender and domain validation tools

Practices to Consider:
- Be suspicious of e-mails from unknown senders, e-mails that request sensitive information such as PHI or personal information, or e-mails that include a call to action that stresses urgency or importance
- Train staff to recognize suspicious e-mails and to know where to forward them
- Never open e-mail attachments from unknown senders
- Tag external e-mails to make them recognizable to staff
- Implement advanced technologies for detecting and testing e-mail for malicious content or links
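Two of the practices above, tagging external e-mail and validating the sender's domain, can be implemented as a small inbound-mail filter. The following is an added illustration written for this page, not code from the webinar or from HICP; the organisation domain, the [EXTERNAL] tag and the sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"clinic.example"}   # assumed organisation domain (hypothetical)
EXTERNAL_TAG = "[EXTERNAL] "

def auth_results(msg) -> dict:
    """Parse Authentication-Results (RFC 8601) into e.g. {'spf': 'fail', 'dkim': 'none'}.
    Only the copy stamped by the organisation's own mail server should be trusted."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        method, _, rest = clause.strip().partition("=")
        if method:
            results[method.lower()] = rest.split()[0].lower() if rest else ""
    return results

def classify(raw: str) -> dict:
    """Tag external mail and flag internal-looking senders that failed validation."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    auth = auth_results(msg)
    # A From: in our own domain that passed neither SPF nor DKIM is the classic
    # spoofed "help desk" phish and must not be presented to staff as internal.
    spoof_suspect = not external and auth.get("spf") != "pass" and auth.get("dkim") != "pass"
    subject = str(msg.get("Subject", ""))
    if (external or spoof_suspect) and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject
    return {"from_domain": domain, "external": external,
            "spoof_suspect": spoof_suspect, "subject": subject, "auth": auth}

# Constructed sample messages (not real mail).
SPOOFED = """From: IT Help Desk <helpdesk@clinic.example>
To: nurse@clinic.example
Subject: Urgent: password reset required today
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=bad.example; dkim=none

Click the link within 24 hours or your account will be locked.
"""
LEGIT_EXTERNAL = """From: Records <records@partner-hospital.example>
To: nurse@clinic.example
Subject: Referral paperwork
Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=partner-hospital.example; dkim=pass

Attached as discussed.
"""
```

The spoofed message keeps an internal From: address but fails both SPF and DKIM, so it is tagged and flagged; the partner's message is simply tagged as external.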
Threat: Ransomware
Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker, until a ransom is paid.

Vulnerabilities:
- Lack of system backup
- Lack of anti-phishing capabilities
- Unpatched software
- Lack of anti-malware detection and remediation tools
- Lack of testing and proven data backup and restoration
- Lack of network security controls such as segmentation and access control

Practices to Consider:
- Patch software according to authorized procedures
- Use strong/unique usernames and passwords with multi-factor authentication
- Limit users who can log in from remote desktops
- Separate critical or vulnerable systems from threats
- Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up
- Establish cyber threat information sharing with other health care organizations
Threat: Loss of Mobile Devices
Loss of mobile devices such as laptops, tablets, smartphones, and USB/thumb drives has costs far greater than the value of the equipment.

Vulnerabilities:
- Lack of asset inventory and control
- Lack of encryption
- Lack of physical security practices and safeguards
- Lack of effective vendor security management
- Lack of “End-of-Service” process to clear sensitive data before assets are discarded

Practices to Consider:
- Maintain a complete, accurate, and current asset inventory
- Encrypt sensitive data, especially when transmitting to
- Implement proven and tested data backups, with proven and tested restoration of data
- Implement a safeguards policy for mobile devices supplemented with user awareness training on securing devices
- Promptly report loss/theft to designated individuals to terminate access to the device and/or network
- Define a process for cleaning sensitive data from every device before it is retired, refurbished or resold
Threat: Insider Threats
Insider threats exist within every organization where employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. Threats can be accidental and intentional.

Vulnerabilities:
- Files with sensitive data accidentally e-mailed to incorrect or unauthorized addresses
- Lack of monitoring, tracking, and auditing of access to patient information in EHR and other critical assets (e-mail, file storage)
- Lack of technical controls to monitor the e-mailing of sensitive data outside the organization’s network
- Lack of training about social engineering and phishing attacks

Practices to Consider:
- Train staff and IT users on data access and financial control procedures to mitigate social engineering and procedural errors
- Implement and use workforce access auditing of health record systems and sensitive data
- Implement and use privileged access management tools to report access to critical technology infrastructure and systems
- Implement and use data loss prevention tools to detect and block leakage of PHI and PII via e-mail and web upload
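The first vulnerability above (sensitive files mis-addressed by e-mail) and the last practice (data loss prevention on outbound e-mail) meet in a simple outbound check: identifiers in the body plus an external recipient means the message is held. This is an added example for this page, not code from the webinar or HICP; the organisation domain, the identifier patterns and the sample message are constructed assumptions.

```python
import re
import email
from email import policy
from email.utils import getaddresses

INTERNAL_DOMAINS = {"clinic.example"}   # assumed organisation domain (hypothetical)

# Identifier patterns a DLP rule would match; constructed for this example, real
# deployments tune them to their own record-number formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}

def external_recipients(msg) -> list:
    """Recipient addresses (To/Cc/Bcc) outside the organisation's domains."""
    fields = [str(v) for k in ("To", "Cc", "Bcc") for v in msg.get_all(k, [])]
    return [addr for _, addr in getaddresses(fields)
            if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]

def find_phi(text: str) -> dict:
    """Number of matches per identifier type; empty dict when the text is clean."""
    return {name: len(p.findall(text)) for name, p in PATTERNS.items() if p.search(text)}

def check_outbound(raw: str) -> dict:
    """Block a message that carries identifiers AND has an external recipient.
    Internal-only traffic is allowed; the hits are still returned for auditing."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = find_phi(text)
    ext = external_recipients(msg)
    action = "block" if hits and ext else "allow"
    return {"action": action, "hits": hits, "external_recipients": ext}

# Constructed sample: a clerk mis-addresses patient details to a personal mailbox.
LEAK = """From: billing@clinic.example
To: Jane <jane.doe@webmail.example>, colleague@clinic.example
Subject: Patient details

Patient MRN: 00123456, SSN 123-45-6789, discharge summary to follow.
"""
# Same content sent only inside the organisation.
INTERNAL_ONLY = LEAK.replace("Jane <jane.doe@webmail.example>, ", "")
```

A real deployment would also scan attachments and web uploads; the decision logic stays the same.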
Threat: Attacks Against Connected Medical Devices That May Affect Patient Safety
Impact: unavailable medical devices and systems for patient treatment and recovery

Vulnerabilities:
- Devices not patched promptly
- Equipment not current, or legacy equipment that is outdated and lacks current functionality
- Devices cannot be monitored by
  systems
- Heterogeneity of medical devices means that identifying vulnerabilities and remediation processes is complex and resource intensive

Practices to Consider:
- Establish and maintain contact with medical device manufacturer’s product security teams
- Implement pre-procurement security requirements for vendors
- Patch devices after patches have been validated, distributed, and properly tested
- Assess inventory traits for devices that may include MAC, IP,
  security risks
- Engage information security as a stakeholder for clinical device procurement
www.telehealthtechnology.org
1-844-242-0075
The NCTRC Webinar Series occurs on the 3rd Thursday of every month.
Telehealth Topic: Finding and Vetting the Perfect Specialty Service Provider
Date: Thursday, January 17th 2019
Times: 9:00AM HST, 10:00AM AKST, 11:00AM PST, 12:00PM MST, 1:00PM CST, 2:00PM EST