Day Two: Monday, May 20, 2019
7:45 am - 8:25 am Networking Breakfast
8:25 am - 8:30 am Chairperson's Opening Remarks
8:30 am - 9:05 am How to Establish Credibility and Longevity as a CISO
CISO longevity on average is strangely short. Given how long it takes to adopt change in an organization, this situation is unfortunate for both the CISO and her or his organization. In this session, I will talk about methods to balance the competing demands of a CISO and gain credibility with the organization so you can stay long enough to make a profound difference.
9:05 am - 9:35 am Analyze, Inventory and Protect Medical Devices
Security executives realize that many medical devices were not created with security in mind but to monitor, diagnose and treat patients. These devices create an easy entry point for attackers, from which they can hop to servers filled with patient data. Healthcare data is worth far more than a stolen credit card number because it is more accurate and harder to change. Medical devices have long product life cycles, need continuous availability and may run outdated software that was never designed for the open Internet. Business and clinical teams must work closely together to lessen risk and ensure patient safety.
• Establishing and enforcing policies and standards for medical device procurement
• Capturing a complete asset inventory
• Implementing layers of security: advanced micro-segmentation
• Deploying behavior-based solutions
• Balancing security, business and medical priorities
9:35 am - 9:50 am Networking Break
9:50 am - 10:20 am Business Meetings
10:20 am - 10:50 am Business Meetings
10:50 am - 11:20 am Business Meetings
11:20 am - 11:25 am Transition
BrainWeave
11:25 am - 12:10 pm Identifying, Monitoring and Mitigating Healthcare Security Risks in the Cloud
An astonishing 90% of the world’s data was created in the last two years. At the same time, each day hundreds of thousands of patients are treated by health care providers throughout the world. Tech giants have responded with highly scalable clouds offering innovative tools that let health care providers engage their patients and customers in new ways. However, the sensitive and regulated data managed by healthcare services requires heightened security and privacy controls and visibility. Beyond the benefits of scalability, agility, and redundancy, the cloud can be configured to be much more secure than traditional on-premises data processing. In this session, we will discuss the benefits of the cloud for healthcare innovation and ways to prevent, monitor, and address risks to patient data, such as cyber attacks, malicious insiders, misconfigurations, human error, and social engineering, among others.
Placeholder Session by ClearData
MasterClass
11:25 am - 12:10 pm Can Cybersecurity Be Easy?
Back in 2005, Marcus Ranum wrote in his “The Six Dumbest Ideas in Computer Security” article that, “sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness”. So why are we still focused on chasing “badness”? This approach might have been sufficient in the 1990s, when arming ourselves with just an antivirus and a firewall gave us a sense of security, but this is definitely no longer the case.
Take-aways:
• Understand the definition of Negative Security and Positive Security models, with examples, advantages and disadvantages
• Describe the attack kill chain and the intentions behind most attacks
• See demos of advanced attacks that bypass the majority of existing security controls
• Learn how to correctly implement defense-in-depth best practices
12:15 pm - 1:00 pm Enhancing Vendor Risk Management in Healthcare
Security risks related to third-party services are an ongoing healthcare concern. Effective management of these risks is vital as more healthcare data becomes digital, including patient information and proprietary medical research and patents. Attacks grow in complexity and regulations change, which requires a layered defense coupled with the agility to respond to an ever-changing adversary.
In this session explore:
• Assessing and adjusting access for third-party user and system accounts
• Deploying multi-factor authentication and endpoint protection
• Segmenting internal networks to limit third-party access to what is needed
• Monitoring and training third parties
1:00 pm - 2:00 pm Networking Lunch
Roundtable Discussions
Engage in a 45-minute targeted discussion enabling open exchange amongst industry peers.
2:00 pm - 2:50 pm Zero-Trust/Beyond Corp for Healthcare
Healthcare records remain one of the “holy grail” personally identifiable information (PII) data types for criminals. With patient data more valuable to attackers than ever, alongside stricter HIPAA and HITECH compliance requirements and an ever-growing device inventory to manage, IT teams' modernization projects must account for these risks in their strategic planning. To mitigate these risks efficiently, healthcare organizations need to adopt a 'zero-trust' security approach and start treating every threat surface, access point, identity, and login attempt as the new security perimeter. By deploying solutions that can verify users and establish device trust while protecting every application (both cloud and legacy), healthcare organizations can quickly and effectively reduce their threat surface and meet compliance requirements.
2:00 pm - 2:50 pm Increasing Your Cybersecurity Posture: Value of Partnering with a Healthcare Exclusive MSSP
Many healthcare organizations today are hiring managed security service providers (MSSPs) to manage specific security initiatives or, in some cases, to outsource their entire security program. This approach is especially beneficial to those that have limited IT resources, lack internal security expertise, struggle to hire security talent, or simply need to implement a security program faster than they could in-house. But hiring an MSSP without specific healthcare experience can pose just as much risk as cyber threats and attacks. Dan Dodson, President of Fortified Health Security, will discuss best practices for IT leaders to use when evaluating MSSPs and the importance of choosing the right partner. Topics include:
- Understanding the nuances of securing a healthcare environment
- Key skills, certifications, and experience necessary for an effective healthcare MSSP
- Real-life examples of disruption that can be caused by an inexperienced cybersecurity team
2:50 pm - 2:55 pm Transition
MasterClass
2:55 pm - 3:40 pm Vulnerability Assessment, Penetration Testing, Training and Compliance and Their Importance in the Healthcare Space
This session will highlight the importance of training and compliance requirements in reducing risk, while identifying targeted activities such as Vulnerability Assessments and Penetration Testing. Conducted regularly under an appropriate overarching strategy, these activities can reduce risk to organizations in the Healthcare space, as opposed to doing each activity alone with no consideration of the others.
• What is a Vulnerability Assessment and why is it important?
• What is Penetration Testing and why is it important?
• Why audit & compliance alone can't solve all of your problems
Thomas Hernandez
Managing Director, Global Cybersecurity & Risk Advisory Leader
GIBC Digital
BrainWeave
2:55 pm - 3:40 pm Do You Know Your Cyber Health Score?
Are you sure your cyber tools are optimally configured, and do you have a constant pulse on framework control coverage? Do you believe that 80% of your cyber risk can be solved by getting cyber hygiene correct, rather than chasing the latest advanced technology? This session will feature a roundtable discussion on cyber hygiene including:
• Auditing against compliance frameworks
• Optimizing tool configuration
• Locating gaps and overlap in coverage
• Prioritizing risk and determining your own threat tolerance levels
• Other cyber hygiene ideas
3:40 pm - 3:55 pm Networking Break
3:55 pm - 4:25 pm Business Meetings
4:25 pm - 4:55 pm Business Meetings
4:55 pm - 5:25 pm Business Meetings
5:25 pm - 5:30 pm Transition
5:30 pm - 6:15 pm Privacy and Security of Medical Data: When Everyone Wants to Bring Their Own Device
The Health Insurance Portability and Accountability Act (HIPAA) provides data privacy and security provisions for protecting patients’ private medical information from a range of threats. Cybersecurity and privacy experts play a vital role in helping care provider organizations maintain network and data integrity. Join this discussion as privacy and security officers share how they work together as devices and regulations continue to multiply.