Page 1
Health sector Cybersecurity Strategic Plan
Rui Gomes, Head of Information Systems, SPMS
30.11.2016
Portuguese Ministry of Health, Shared Services
LNEC Congress Center, Av. Brasil, 101, Lisbon
Page 2
Introduction: Cybersecurity Challenges at National Level
Page 3
Who am I?
My name is Rui Gomes and I’m the IT Director at SPMS.
Page 4
About SPMS
Our mission is to supply shared services to entities operating in the Health area in Portugal ...
Page 5
About SPMS
...and in this way Centralize + Optimize + Rationalize the provision of services for the National Health Service
Page 6
About SPMS: Portuguese Health Sector
10 Million People
50 Public Hospitals
356 Primary Care Centers
60 ICT solutions
90% Running SPMS ICT solutions
Page 7
The Challenge
NATIONAL CONTEXT: FINANCE | ELECTRONIC CERTIFICATES | ELECTRONIC PRESCRIPTIONS | NATIONAL PROGRAMS | PRODUCTION AND PLANNING | NATIONAL REGISTRATIONS
LOCAL | REGIONAL CONTEXT: PRIMARY HEALTH CARE | HOSPITALS / ULS | ARS
Systems shown on the slide, in the order they appear:
ADMINISTRATIVE: HEALTH DATA PLATFORM, RNU, RNP, SGES, MPI, SIGLIC, RHV
CLINICAL: SINUS, SONHO CSP, SCÍNICO, SAM + SAPE
ADMINISTRATIVE / CLINICAL: SONHO V1, SONHO V2, SCÍNICO, SAM + SAPE, BAS, PRVR, RENTEV, RENNDA
FINANCIAL: PROFESSIONALS PORTAL, PATIENT PORTAL, INSTITUTIONS PORTAL, CTH, SIGPS, RNCCI, SIM@SNS, GID, SISO, SIVIDA, SINAVE, MIM@UF, SIDC / SICC, RHV, FHS, WEBGDH, SIARS, FAMIG, SGTD, SIDC / SICC, RHV, SICO, CIT, MEDICAL CERTIFICATES, PEM, PEM - CRD, PEM - H, SIGAI, SCDGF, SICA, BI GDH, SAGMD, SICC, SITAM, SIGEF, BI RH
EUROPEAN PROJECTS
Page 8
Presentation Goals
Share the Plan and the challenges we face in raising the Cybersecurity levels of the entities we serve, and the strategy deployed to overcome them in order to comply with the best practices in the sector.
Page 9
The Challenge: Cybersecurity Challenges at National Level
Page 10
The Challenge
In 2013 and 2014 healthcare companies saw a 70% increase in Cyber-attacks, a third of which succeeded.
Half experienced 1 to 5 attacks in 2015.
Page 11
The Challenge
Entities are autonomous and implement Cybersecurity separately.
A common strategy is challenging to implement since it can’t be imposed.
Page 12
The Challenge
Institutions rarely think of Cybersecurity controls as part of a management security system.
Only a few implement a fully secure managed automated system from management to the operations (Management + Operations: FULLY SECURE MANAGED AUTOMATED SYSTEM).
Page 13
The Challenge
The initiatives aren’t sustainable over time ...and have doubtful value.
Page 14
Solution: Cybersecurity Challenges at National Level
Page 15
Solution: Acknowledge
Make sure everyone acknowledges the situation and understands the risks and impact.
Example: Trojans are used by criminals and encrypt some or all hard drives:
Ransomware encryption
Lock Screen
Master Boot Record
Page 16
Solution
Page 17
Solution
Keep systems and programs updated
Daily Backups
Awareness and Training for Users
Using Network Protections
Good Endpoint Protection Solutions
Page 18
Solution: Strategy success factors
Acknowledging the problem
Involving the proper stakeholders
Changing mindsets
Promoting each party’s involvement in the program
Providing a centralized common framework
Assessing each entity’s Cybersecurity level
Involving suppliers and providers
Supporting the implementation
Measuring the results
Building upon the improvements
Page 19
Solution
(Chart: Risk versus Investment, with investment levels LOW, MEDIUM and HIGH, and the Remaining Risk curve)
Investment in security will bring down risk... but some risk will always exist.
Page 20
Solution
Look at security in a different way
Recognize its ability to generate value
Obtain benefits, optimize resources and risk to create value
Page 21
Solution – Industry Leads
Suppliers and providers have the best knowledge of systems trends and capabilities.
SPMS is committed to adopting an innovative cybersecurity programme to preserve health information, protecting citizens while at the same time promoting the industry in the Portuguese market.
Page 22
Solution – Industry Leads
Effective Collaboration
Special Partners
Proposing Collaboration - examples
Page 23
Solution – Program Management
Tracks: Track 00 Program Coordination; Track 01 SPMS Continuous Improvement; Track 02 eSIS Continuous Improvement; Out of Scope (timeline Q1, Q2, Q3)
Risk & Security Best Practices
eSIS Risk & Security Continuous Improvement Dashboard
SPMS and eSIS Risk & Security Best Practices Program
Local Risk & Security Improvement Initiatives
SPMS Risk & Security Improvement Initiatives
Continuous Improvement Follow Up
Control Guidelines
Share Best Practices
Definition / Implementation / Contributions to Best Practices
Page 24
Solution – Program
Timeline: 2015 Q4; 2016 Q1, Q2, Q3, Q4; 2017 Q1, Q2
TRACK 00 Program Coordination
TRACK 01 SPMS Continuous Improvement
TRACK 02 eSIS Continuous Improvement
Pilot Projects
Programs/Projects at SNS Local Entities
Following eSIS Risk & Security Continuous Improvement Program
Defining the Information Security Initiative Protection’s Scope
Identifying Security commitments and activities assumed by PE
LABELS: Coordination/Following; Manage/Organise; Architecture, Operations & Resources; Audit, Risk & Control; Cybersecurity; Ongoing Quick Fix
Adopting Information Security Management, Policies and Procedures
Implementing Information Security System Requirements
Adopting an Information Security Incident Registration System
Disaster Recovery Implementation
Adopting Procedures for Business Continuity
Implementing Risk & Security Management System
Ongoing Quick-Fix
Adapting the existing Information Security Policy
Adopting the Information Security Management’s Communication Model
Identifying Applicable Legal Compliance to International Norms
Adopting the Information Security Management’s Organic Unit
Creating a Dynamic Resources Inventory in the Scope of Protection - Architecture
Elaborating a Risk and Critical Services Analysis Prototype
Adopting an Identity Management System at SPMS
Identifying vulnerabilities, threats and risks associated with assets
Page 25
Solution
Framework components: Organization Goals; Information System Related Goals; Risks Associated with the Information Systems; Information System Management Enablers (Processes; Organizational Structures; Principles, Policies and Culture; Resources: Information Services, Infrastructure & Applications, People and Competences); Information System Operation (Processes/Procedures, Information Technology, People; Operational Best Practices; Data/Information Architecture; Technologic Architecture; Infrastructure & Networks: Internal, External, Devices; Applications/Solution Architecture)
Facts & Figures
• The framework represents the information security and risk vision for the SPMS Information System: alignment of objectives and related risks;
• The different framework components symbolize the fundamental elements for the (as-is) and (to-be) state: Objectives; Risks; Management enablers; Operational tools.
• The framework covers a holistic vision for information security, integrating the organization elements: People, Processes and Technology.
• The framework allows better knowledge of the gaps and of the specific action plans to address them;
• It works as a guide to governance, management and operation of risk and security, promoting better coordination of different initiatives and good practices sharing between parties.
• The framework is aligned with internationally referenced good practices for risk, security management and cybersecurity for healthcare.
Page 26
Solution
Framework components (same diagram as on the previous slide): Organization Goals; Information System Related Goals; Risks Associated with the Information Systems; Information System Management Facilitators (Processes; Organizational Structures; Principles, Policies and Culture; Resources: Information Services, Infrastructure & Applications, People and Competences); Information System Operation (Processes/Procedures, Information Technology, People; Operational Best Practices; Data/Information Architecture; Technologic Architecture; Infrastructure & Networks: Internal, External, Devices; Applications/Solution Architecture)
Deliverables:
1. Information Security & Risk Framework
2. Information Security & Risk Documentation
3. Information Security Policies, standards and Procedures
4. Information Security Principles
5. Information Security Objectives
6. Information Security Policy
7. Acceptable Use Policy
8. Cybersecurity Controls – Account Monitoring and Control
Framework components these deliverables map to: Information System Related Goals; Principles, Policies and Culture; Information; Operational Best Practices
Page 27
Solution
Using Cybersecurity Controls on Activation Program
Based on “The Center for Internet Security Critical Security Controls for Effective Cyber Defense Version 6.0. SANS”
Critical Security Control #1 Inventory of Authorized and Unauthorized Devices
Critical Security Control #2 Inventory of Authorized and Unauthorized Software
Critical Security Control #3 Secure Configurations for Hardware and Software
Critical Security Control #4 Continuous Vulnerability Assessment and Remediation
Critical Security Control #5 Controlled Use of Administrative Privileges
Critical Security Control #6 Maintenance, Monitoring and Analysis of Audit Logs
Critical Security Control #7 Email and Web Browser Protection
Critical Security Control #8 Malware Defenses
Critical Security Control #9 Limitation and Controls of Network Ports
Critical Security Control #10 Data Recovery Capability
Critical Security Control #11 Secure Configurations for Network Devices
Critical Security Control #12 Boundary Defense
Critical Security Control #13 Data Protection
Critical Security Control #14 Controlled Access Based on the Minimum Need to Know
Critical Security Control #15 Wireless Access Control
Critical Security Control #16 Account Monitoring and Control
Critical Security Control #17 Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Security Control #18 Application Software Security
Critical Security Control #19 Incident Response and Management
Critical Security Control #20 Penetration Tests and Red Team Exercises
Page 28
Solution: Health Sector Global Maturity
(Chart comparing eSIS and SPMS maturity; percentage values shown on the slide: 17%, 28%, 39%, 46%, 83%, 94%)
Page 29
Solution – Risk and Security Dashboards
Continuous Improvement Overview (Good Practices and Guidelines): columns SPMS, Local Inst. (seven entities), TOTAL; rows Security Related Goals, Governance and Management Enablers, Operational Resources & Practices, Guidelines.
Values as extracted from the dashboard, row by row:
92% 88% 66% 79% 98% 87% 94% 91%
42% 5% 17% 3% 27% 9% 21% 9%
69% 52% 60% 41% 89% 51% 48% 59%
71% 48% 47% 41% 71% 49% 54% 53% 57%
58% 19% 86%