Transcript
Page 1: What’s up with all the security breaches in the news?Denver, CO Speaking Today Drew Labbo MBA, CISSP Children’s Hospital Colorado ... Web software security (OWASP) Software security

10/17/2014


What’s up with all the security breaches in the news?
(and what should we be doing about it!!??)

October 24, 2014
HCCA Mountain Regional Conference
Denver, CO

Speaking Today

- Drew Labbo
- MBA, CISSP
- Children’s Hospital Colorado
  - Information Security Officer & Director Information Security
- RMHG LLC – Rocky Mountain HIPAA Guru
  - Principal


Sample Information Security Requirements for new Software Acquisition and Implementation

- Secure Data Center (SSAE 16 Type 2, SOC2 Audit)
- Server operating system hardening security review
- NIST 800-53A application controls assessment
- Web Application penetration testing
- Recording of vendor remote access sessions
- Anti-virus software and patching plan on servers that run the application
- Minimum necessary ports and services enabled on site-to-site VPN connection for data transfer

Does this sound overly vigilant and risk averse?

Breaches on the rise


Ineffective to blame Third Party


Why All the Hacking and Breaches These Days!!??

- IT started as a house in the middle of nowhere
- Isolated, undetected, and away from crime
- Securing the house was not a priority

Urban Sprawl Surrounded The House

- Internet access, hackers, criminals

Evolution of the Hacking World

- Hacking for Sport
- Criminals
- Hacktivism
- Hacker for Hire
- Government Cyberwarfare


IT Developers Usually Don’t Inherently Understand Security Risks


Securing the House

- Locks on Doors
- Locks on Windows
- Locks on sky lights
- Locks on Garage
- Burglar Alarm Security System

Securing IT Systems

- Data Center Security (SSAE 16 Type 2, SOC2)
- Server OS security (hardening)
- Web software security (OWASP)
- Software security (NIST 800-53A)
- Security intrusion detection/prevention (Anti-virus, encryption, IDS/IPS, log monitoring, secure remote connections)



Does this sound overly vigilant and risk averse?



What Are Other Healthcare Orgs Doing?

- Lack of sophistication and understanding
- Vendors: “Well [insert hospital name here] didn’t request all this extra security stuff”
- [insert hospital name here]: “Oh my, we didn’t consider this when we evaluated security of this vendor’s software!”

Government Audits (KPMG Contracted)

KPMG Findings


Would you buy a house without locks on the doors and windows?


- Data Center Security (SSAE 16 Type 2/SOC2)
- Server OS security (hardening)
- Web application security (OWASP)
- Application security (NIST 800-53A)
- Security intrusion detection/prevention (Anti-virus, encryption, IDS/IPS, log monitoring, secure remote connections)

Questions?

- [email protected]
- www.rmhguru.com