HIPAA Data Security Best Practices

In a healthcare environment increasingly dependent on the sharing of electronic protected health information (ePHI), covered entities (CEs) must adopt best practices for safeguarding against unauthorized access to sensitive patient data. As a baseline, healthcare organizations need to address the HIPAA technical safeguards governing access to ePHI, audit controls for logging data access, maintenance of data integrity, end-user authentication, and methods for securing transmitted data. While these technical requirements of HIPAA help inform data security best practices, they do not provide detailed prescriptions for CEs and their business associates (BAs), which remain a pressing need across the industry.

In this presentation, Sentara Healthcare Vice President and Chief Information Security Officer Dan Bowden will share the integrated health system’s efforts to comply with HIPAA and protect sensitive files and patient information wherever and whenever accessed.

Learning objectives:

  • Assess current threats to the security of ePHI
  • Implement methods for managing access control
  • Enable audit controls to gain visibility into ePHI use
  • Safeguard against unauthorized change to sensitive patient data
  • Verify appropriate access to ePHI for individuals and organizations
  • Prevent modifications to transmitted data using integrity controls and encryption

Transcript

Kyle: Hello, and welcome to today's healthitsecurity.com webcast, sponsored by HelpSystems: HIPAA Data Security Best Practices. I'm Kyle Murphy, senior director of editorial at Xtelligent Media and moderator of today's presentation. Before moving on, I would like to take a moment to thank today's sponsor. HelpSystems aligns IT and business to help organizations build a competitive edge. More than 13,000 organizations around the world rely on HelpSystems to solve their most pressing challenges and keep business running smoothly every day. GoAnywhere MFT is HelpSystems' file transfer solution that uses Open PGP or AES encryption and industry-standard protocols to comply with HIPAA and HITECH regulations. The software exchanges files via batch, collaboration and ad hoc methods, uses workflows to execute tasks before and/or after transfers, and offers healthcare teams multiple options for secure data exchange.

We will begin with a presentation by our speaker, followed by question and answer segment. Audience members can submit questions at any time during the webcast using the question tool to the left of their screens. For all technical matters or difficulties, click the help icon at the top right-hand corner of the screen. A copy of the presentation slides is available under event resources to the left of your screen. And a recording of the webcast will be made available following this presentation.

Dan Bowden is currently Vice President and Chief Information Security Officer at Sentara Healthcare, an integrated health system plus health plan, the largest in Virginia. Dan has been at Sentara since 2016. He was previously CISO at University of Utah Healthcare and the University of Utah for over three years, leading several highly visible projects for a total of 10 years. In 2017, Dan was named one of the top 100 CISOs globally by F5 Networks and Hot Topics. Dan's leadership brought University of Utah Health and Sentara Healthcare into membership with four other large systems in one of the first formal healthcare information sharing and analysis organizations. With that, I would like to hand the floor over to Dan to begin today's presentation.

Dan: Thanks very much, Kyle, and it's very nice to be with everyone today. It's a great opportunity to cover a lot of information with you today. And it's unfortunate we don't have more time, but you know how these go. We all live on meeting schedules and we do one-hour blocks. So the first thing I want to say is I will provide contact information at the end on my last slide, and I'm happy to follow up on any of the topics that any of you would like to talk with me some more about. Because I know, inevitably, some of you will be happy that we hit some things at the level of depth you were hoping for, and others will wish we had talked a lot more about some other things. So, please feel free to follow up with me afterwards if you'd like to.

The objectives that were published for this webcast today are basically about the best practices around protecting ePHI. Since I was the one making the presentation, I got to pick and respond to the learning objectives. But we want to talk about assessing threats, implementing methods for managing access control, and audit controls for visibility into the use of ePHI. And then safeguarding against changes to patient data, verifying appropriate access, and preventing modifications to ePHI when it's being transmitted and used in your systems.

So the thing I want to talk about is, I sort of think of who my audience is, and we may have some people who are working on becoming official or who are building a security program. The first best practice I would note is to make sure your organization is a subscriber to NH-ISAC. It's a very affordable subscription. And when you look at the data, the threat intel that you receive, and the opportunities for collaboration, not just within the ISAC but the other collaboration opportunities they refer you to, it is well worth the money and then some. If you're not familiar with what an ISAC is, back when President Obama aligned the responsibility for cyber security over the nation's critical infrastructure sectors, they worked on either finding existing ISACs to align to those sectors, or they went to those critical infrastructure sectors and said, "Let's form an information sharing and analysis center." And NH-ISAC is an invaluable tool to my organization.

When I got to Sentara, this was one of the first things we did early on: we got that membership established. And we basically have it built into our process that our team grabs the notices that come out and then we document what we did with them; we treat those as threat intel. And you have a lot of really smart people on those threads who are willing to collaborate and share great information. And so I would say, if you haven't done this or looked into it, it's one of the very first things I would do early on in order to build a good foundation of what you want your security program to be and to evolve into.

The top threats I'm going to focus on today, I put those most likely to get you on TV. I think we're well aware of these. We all see and hear about phishing every day. Malware, ransomware: some well-documented bad incidents have happened in the past couple of years, especially regarding medical devices and clinical disruption for some large organizations, as well as some large businesses. Insider threat: I think sometimes we assume it's an internal bad actor, and sometimes that happens. We also have what I call the non... or what we put on our threat template as a non-malicious insider, which could be just somebody who makes a mistake. We have lost and stolen devices or data with ePHI on board. This one is still happening; it's still prevalent in spite of all of the examples that we've seen organizations having, going back seven, eight years now. And then unmanaged vulnerabilities. And I didn't say unpatched vulnerabilities, because one reality that we all deal with in healthcare is there are some things that we, for different reasons, can't patch or make the determination that we won't patch.

I want to dig into an anti-phishing program. As I thought about this, what I wanted to relay is, there's a lot that you can do on your own with things you have in your own environment. I won't name the vendors with the solutions, but they have some good solutions out there. And if you're in a situation where maybe you don't have contacts internally in your IT shop, or the skill sets to work on some of these things, then maybe it's a good idea to try to find funding for one of those tools.

DMARC, for those of you who have played with that in the past, it's the Domain Message... Let's see. I'm trying to remember the whole phrase myself. I'll get it here in a second. Sorry about that. Domain Message Authentication, Reporting and Conformance. Basically what this does, and Sentara's was listed, for those on NH-ISAC, they track who is doing DMARC. And we worked very hard on this the past year, and I believe there was a note that went out that rated how we're all doing, and Sentara's in the top 5% of health systems in adopting DMARC. In effect, what it does is help you combat spear phishing. It makes it much more difficult, if not impossible, for someone to send email into your system that looks like it came from you. So for example, the domain that we use for email, and we have a few that we use, but the predominant one is sentara.com. We've made it so that a malicious actor can't spoof our CEO from an @sentara.com email and send it to us. We will reject that email. And so that is a huge value-add for us.

Tagging external inbound email and phishing campaigns, I'll talk about these things together. I think you all know what phishing campaigns and training are. And tagging external inbound email, a whole bunch of you see these now, where an organization either prepends something on the subject line or at the top of the message body, so when their internal people receive it, it says this came from the outside, be careful. One thing we trended was that we were doing phishing campaigns before we turned on the external inbound email tagging and we were averaging around, I think, a 13, 14% click rate. One month we would do a really mean campaign, another month, not so mean. We were averaging that 12 to 14% click rate. Once we implemented the tag on top of the emails, the click rate dropped to 2% on the following campaigns that we did.

Two-factor authentication, I listed with phishing just because a lot of phishing attacks are meant to capture the credentials of the victim. And if you're using two-factor authentication and enforcing it so that someone logging in from outside your network is prompted for that additional factor, even if those credentials are stolen, it prevents the bad actor from being able to authenticate. And so there's a lot of usefulness to two-factor authentication; I just chose to list it in the anti-phishing category for this presentation.

Focus on detection and reporting; you'll see I reference a lot of the NIST CSF domain language here. But there are analytic measures you can get for phishing attacks. If you're using one of the tools I mentioned, they create analytics for you to tell you how many came in, how many were clicked on, what the disposition of those was. And you can also set up manual detection reporting, where a lot of organizations have the "click the spam button" or "forward suspicious emails here" option. And you can create that, but I think it's a great idea to help the organization understand, when you're quantifying the threat, so that you're able to explain when you want to activate more controls depending on how aggressive the attacks become.

And then automate; I put "automate or quickly perform response and recovery." These are the basics of removing the email from the environment, possibly blocking URLs so people can't successfully click out, triaging file attachments, things like that. But these are things that you can do without spending a great deal on some of the technology solutions. And I would always talk to your peers in the IT organization, the CTO, et cetera, to find out what we can do with the tools that we have.

Malware/Ransomware. So I always look at the Verizon Data Breach Investigations Report when it comes out, and it's just a good, general indicator of what happened in the previous year. So in 2017, ransomware accounted for 72% of malware incidents in healthcare. And we saw a lot of the well-documented carnage from those in 2017. And so I'm hopeful that 2017 was one of those anomalous years and we don't have the same rate or severity of ransomware incidents. But I basically list the kind of pillars of NIST in how to tackle this, because it's a lot of basics and a lot of hygiene. But identification of assets, threats and vulnerabilities; protection, anti-malware, segmentation. Making sure that those endpoints are... you're able to do some of the basic detection of malware, but they're also only communicating with what they need to communicate with. Detection: functionality with intrusion prevention systems, being able to pick up command and control events, doing SOC monitoring, and then the response and containment.

One important thing I list here on response and containment is tabletop exercises. When you sit down and think about a major outbreak of ransomware, it's possible your containment activities could cause availability issues or clinical disruption just while you're trying to contain the incident itself. So you could very well end up in a situation where you know you're going to have to take down particular parts of your infrastructure that weren't necessarily hit with the ransomware, but you would do that in order to contain the ransomware. That's why I would say, when you're modeling out your malware and ransomware outbreaks, sit down with your security team and the technology team and have a tabletop and talk about that. Talk about different variants of the ransomware, the malware, how does it behave, what are our capabilities, what if that fails? And then recovery: can you get back to a normal state, or does your organization have appropriate business continuity plans in place? It's important to understand that as well, as a follow-on and part of that tabletop exercise.

Insider threats; again, I talked about malicious and non-malicious, and again, from the Verizon DBIR: privileged misuse and/or errors and lost and stolen devices accounted for 80% of the breaches, and 68% of threat actors are internal. And the threat actor, again, could be a non-malicious person who made a mistake. One thing that we're working very hard on this year is implementing privileged access management. In my opinion, doing this well is possibly, or I would say probably, more challenging than two-factor authentication. You really have to get to know who does what on servers in your IT organization. Besides that, you're probably going to make a list of who has access to do what and have a lot of conversations about restarting who is even allowed, because there may be a lot of people for whom you haven't kept track of what role they're in, and then kind of pulling back access when they don't need it anymore.

And then your electronic health record patient record monitoring, for those who maybe aren't triggering on what I'm talking about here, these are tools like FairWarning, Protenus, et cetera, where you can basically provide an accounting of disclosures to a patient about anyone who has touched their record. And at the same time, track internally that all of your providers and staff are not looking at patient records that they don't need to look at to facilitate either patient care or billing. And I think this is one that's going... There have been a couple of well-documented OCR settlements in this realm as well. It's a very challenging tool to implement and to do well. But I would say it's definitely worth taking a hard look at how we're really doing this, what the process is for training the staff on what you are doing, and then doing the follow-up remediation when someone's violating your established policy or procedure for that. But these are the two key things when it comes back to those access control capabilities for auditing and accounting for how access privileges are being used.

Lost and stolen devices. I keep thinking one day something will happen and we won't talk about this anymore. But it's still very prevalent, as you can see from the Verizon report from 2017. It's something that sounds very simple, but it's obviously not. There are still a lot of systems that are struggling with this. But basically, any devices that aren't locked in your data center, and I would even still prescribe and recommend encrypting data at rest in your data center. But for anything where the threat vector of being lost or stolen is likely, you'd better make sure that you encrypt those things. And so laptops, phones, tablets, USB drives, absolutely. If your organization isn't on board with a zero-tolerance policy on that, I think sooner or later there could be a problem for you.

Acquire a sanctioned BAA-backed cloud storage solution. I refer to this as the only practical way to kill the use of USB drives. You can give out encrypted USB drives, you can install technology on your endpoints that will build an access list of acceptable USB drives by manufacturer to make sure they're encrypted. But ideally, I would still recommend doing whatever you can to get rid of USB drives as much as possible and kind of isolate the use cases down to a well-known number that they're being used for. But really, the only way to facilitate that is to have an option for folks to use, because if you don't provide a good option, and I regularly refer to some of the SaaS cloud storage solutions, I think they're always going to be trying to find a way around what you're trying to accomplish. And the good SaaS storage solutions today, if you're using one of the mainstream providers and you've got a DLP tool, which is also one of those things now in health systems: you really have got to know where your ePHI is and how your ePHI is leaving. I would put DLP in line to make sure that you know what's going in and out of your SaaS environment.

All right, so who has access? And I've talked about identify, protect, detect and respond. And so I'm going to admit, I'm probably doing this topic a disservice by trying to squeeze all of it onto one slide. I'll talk to it for a few minutes, and then we can maybe try to tackle some questions. I'm more than happy to take opportunities to engage with any of you later on.

The things that come to mind, having been through a couple of health systems now, working on how you do identity and access management and provisioning well: I would say, if you're going to do it well, including governance and everything, start with good HR processes. If you're well engaged with HR, they are very helpful in helping you manage the workforce. And by workforce, I'm not just talking about your own employees, but all of those affiliates, the contractors, the students, et cetera. And I really like the organizations who get involved and try to track the entire workforce in the ERP or in some way centrally, because it makes it much easier to facilitate a lot of the key workflows for both security and compliance on access control.

Some of the key aspects are having authorized requesters and sponsors. If, in your organization, it's the security team who approves someone having access to things, you may want to think about that again. The EHR, maybe it's owned by the CIO and the CIO calls the shots on who gets access, but maybe there's someone in the business who should be owning that system. And the same thing goes with several other key business-facilitating systems, where you want to know who is the authorized requester or sponsor for anyone's access. And when you're managing access, figuring out what the appropriately strong authentication methods are; we talked about if we're doing remote access, 2FA, et cetera. Single sign-on is one of those topics that comes up a lot. I won't get into it, because there are a lot of pros and cons to discuss with single sign-on about how you manage that.

Strong access auditing methods are crucial. I mentioned the patient record functionality in your EHR, but you may have other finance systems, et cetera. If you're in a publicly traded company, you're going to have Sarbanes-Oxley. The realm of possibilities where you may have to do access auditing well, I'm not going to say it's endless, but it can get very tedious. And I think this is another area that most of us struggle to do very, very well. And I think that if you look at the security aspect, maybe we look at the most critical risk and do auditing to manage that, but sometimes that's not going to be good enough for a compliance audit. And so you want to make sure that you know the difference.

Re-accrediting the authorizations and accesses is important. How many of us know somebody who has done five different jobs in an organization and no one actually reviewed changes to their access as they evolved through the five different jobs? So all of their access accumulated from job one to five, and maybe in that evolution they should have lost access to some things along the way. I think this is another area that a lot of systems struggle with. And this is one of those key areas that can be a security concern and most definitely a compliance concern if you undergo an audit.

And then robust access termination processes. This is one where there are a lot of ways this goes wrong. I know in a lot of organizations, there's a request for termination, it comes into the security team, they do their steps, they take away access to the EHR, access to Active Directory, a couple of other things they manage. They blast out an email to 15 people, but there's often no closed loop on that email. So one, they may be just, "Oh, we sent it to the same 15 people," whether they know the person had access to that system or not. And they may or may not actually follow up for the answer and the resolution to that. And then also the ability to handle those urgent, non-routine access terminations, knowing what the process is for that to facilitate it well, is important too.

And as I mentioned, if you were to deploy a technology platform for this, I distilled two or three years and two or $3 million worth of work into this one slide, so I didn't do it justice, but I'm happy to talk about it some more. I've done a couple of IAM platform rodeos and have good peer references who have as well.

Data in motion. This is really a large topic. I purposely just kept it to a set number of bullets to manage this discussion, and I'm happy to follow up after. But when I think of data in motion, I think there are protective, detective, response and recovery aspects of this when I look at it. And the obvious protective measure is encryption. We talk about the varying levels of TLS and SSL. And those of you who have used the Qualys SSL Labs tool on your website, you'll say, "Hey, our patient portal, we're still allowing TLS 1.0, 1.1." Then you go do some homework and find out it's because out of a three-quarters of a million patient population, there are 20 people who are still using old browsers or something, and they just happened to come in that way.

And so it's a good conversation to have internally about what level of encryption we are doing, how we are managing certificates. It's one of those topics that I think we take for granted sometimes, until it becomes a problem. And then often, the internal organization that's necessary to quickly address the problem is lacking. And so I think it's one where, if you do it well, you don't have to hover over it every single day. But it is something I would recommend using a tool that's good at staying on top of your encryption posture and certificate posture, and probably having, as part of your assurance tasks, monthly and quarterly checks on that.

For data in motion, I put DLP technology. This is crucial. I think this is another one of those things where, if you're not using it, you really can't say you have any idea how PHI is leaving your organization, unless you just don't let people send email outside or you don't let them upload anything to the internet and you've found a way to block every other avenue that they could try to haul it out through. I like the DLP platforms; there are a couple that are very mature today and give you great analysis of what was sent and where it came from. And that's the detection aspect. The response and recovery aspects of it: maybe you have your email DLP tool set up to, by default, encrypt PHI when it sees it on the way out. And then you send the sender a note saying, "Hey, you're welcome, we encrypted your email." But maybe you should do some follow-up on that to say, "Why are we emailing this?" And that's where these business processes come into play, just understanding how did this leave, why did it leave? Is this an email that you're just sending every day, are you sure you need to send it every day? What's the relationship with the recipient?

And any file transfers you're doing, that's another thing you want to look at, even your SFTP processes. Is somebody looking at all of those situations where you're sharing data and re-accrediting that it still needs to happen? And I think I left that one off; I thought about it a little while ago on data in motion. SFTP: re-accrediting those automated transactions you're cranking out every day. Is somebody coming in on some frequency and looking at all of those, saying, "Yes, that still needs to happen," or, "No, that relationship changed, it doesn't need to happen anymore"? And so that was one I thought about later and wanted to add to the slide: vetting your file transfer processes as well.

Vulnerabilities. I think we all spend a lot of time talking about this, and this ties back to a lot of the concern with how we manage and secure medical devices. I'm not going to hit medical devices head-on in this discussion, but you all know a lot of protecting medical devices comes down to knowing where they are: inventorying that asset, knowing what the threats and vulnerabilities are, and then deciding how you're going to either patch the vulnerability or block the exploit path from the threat to the vulnerability. I would say external vulnerabilities, you should be checking for these every day.

One thing, if you're subscribing to threat intel, a lot of good resources will say... If you remember the Equifax breach on the Apache Struts vulnerability, well, people who pay attention to stuff like that, like I do and my team does, will say, "Hey, did you know there's another Apache Struts vulnerability that just came out?" And so as soon as that came out, we went out and looked at all of our external systems. And I'll show you a tool we use: we look at our external posture, we benchmark ourselves against a peer group that we admire, and we also use it to track the vendors we believe have an internet presence that could cause a risk concern to our data or our service.

Policies and procedures are crucial. You can't or won't patch everything. You need to document compensating actions if you find you can't or you won't. Do you have some form of segmentation, locking down TCP/IP ports, application whitelisting, et cetera? You all know a lot of the options there. And then if you're going to have an exception, document the exception and how long the exception is in place. Or if there's an item where you just decided this is going to be ongoing accepted risk, that's another thing you'll want to document. But you want your organization to know that you have a disposition process for vulnerabilities. And that's what vulnerability management is. And so I would never say an organization is failing at vulnerability management because of the existence of vulnerabilities. What I say is, "Are you tracking them and trying to stay on top of them as well as you can?"

These are some informational slides. I won't spend too much time, but on two-factor authentication, some success criteria: I would say you've got to apply it to all of the workforce members you're going to allow remote access to. And really, you've got to enforce it for all remote access points. And anywhere you can't do this, document that as an exception. So your HIPAA security access control policy says we believe in doing access control, and your standard says we will do two-factor authentication for all remote access. If there's an exception to that standard, you'll want to track those exceptions so people know for whom and for which remote access point the exception was granted and how you're going to manage that.

Detection. I don't know how many... I know in healthcare, a lot of us now are traveling down the path of having a SIEM or a managed service provider provide SOC services for us. I think this is crucial. You can do a lot of work getting analytics and feeding other feeds to your SIEM to understand user behavior, high-risk behavior, anomalous behavior of devices. And it gives you a great dashboard of visibility and the ability to detect and then respond. And it sets up great conversations internally. This is what I would tell someone if you're a new CISO or security leader: you want to have this incident response strategy discussion with your organization to say, "Okay, how do we do this?" A small thing might be a phishing attack that we decided wasn't really a big deal and we just took care of it internally and documented it. Or it could be a phishing attack where there was a major event and we believe a breach happened. And you want to learn to walk the organization through these steps. And there's a lot of highly disciplined guidance on this.

At Sentara, we boiled it down to this. And this is something that resonates well with our organization, and we get great engagement from them whenever we want to update what we're doing with incident response, or talk about it with them, or do a tabletop exercise. But you want to have the discovery, the triage, the management of the short term, and then what do we do long term and who all the players are. And you'll find out, as the security leader, when you've got other key leaders in the organization who are participating in this and supportive of what you're doing, it increases your success in managing the incident and definitely lowers your stress.

This is something that we talk about internally. These two slides I just showed you, the last one and this one, are actually boiled out of a really detailed presentation of about 120 slides that we have for our organization, where we break things down in some pretty excruciating detail. And some of you who work in a small, maybe one-hospital system, I know that the CIO and the CTO and the HR person might be the same person. Those things happen, but I think it's important just to know, for each role in your organization, what kind of boxes you determine that they need to check, and who you should bring in when appropriate.

External vulnerabilities. So we decided in early 2017 that a driver was third-party risk. And so we said, "Well, what can we do to track all of our third parties?" But we also flipped this tool on ourselves and said, "Well, what's our score on this?" And then, "Hey, who are four systems that are like us or even a little bigger, what's their score, how are we trending against them, and what do we do?" And so we acquired this tool, and we got it set up to where we have an internal look at ourselves. To tell you what a big deal this is: our COO, when he meets with me, there are two things we have to talk about, and this is one of them. If I want to talk with him about 10 things, I have to talk about this one first. And in that monthly meeting we have with him, he wants to look at this and say, "Okay, what challenges are you having? What are we doing? Hey, I see that we're in the green, but I want that to be a 10 out of 10, and how do we do that?" And I say, "Well, there's going to be an Apache Struts vulnerability tomorrow and that'll ding our score." And his question is, "Okay, well, how quickly can we fix that and get back to a 10?" And so the organization takes it as a big deal.

If your organization has a big number of servers like we do that are available to the internet to be scanned by these tools, it's harder to maintain your score. The organizations that usually have a nine plus, 9.5, 9.8, they usually have five servers facing the internet and a pretty manageable footprint. Whereas if you're like us with 250, 300 or more servers and you're moving into the cloud, you've got a lot more work to do managing your score. But our CIO refers to this as our online cyber security credit score. And as I mentioned, we use this tool for... this is just a side thing, it wasn't necessarily the best practices, but there's a lot of stuff we use it for in managing partners.

For our COO, I said there were two things he wants to see, and this is the other thing. Managing the risk around medical devices is something that we track at our enterprise risk board level. So the enterprise risk management committee, it's on that list. And he knows that it revolves around what we're sucking up and managing on vulnerabilities. And so he wants to talk about this, how are things going, what's left? What don't we patch, why don't we patch that? What would it cost to get into a state of patching it? And then what are we spending, Dan, to mitigate or block the exploit path between the threat and the vulnerability?

And so this has been a great discussion with our COO where he knows, hey, it's expensive. Or he's telling me, and I know. I think that he appreciates that I know we can't go buy new MRI machines for every facility, we're not going to replace all the other imaging or cardiac or lab systems just to make it so Dan can patch everything. But he knows we're working really hard on that mitigation and working to report it. And so this is a key thing that we talk about.

So I'm kind of wrapping up towards the question phase here. I think when I talk to somebody, if I was to try to make a list of things to not be a sitting duck, things to work on continuously and work on evolving, this is the list. Like I said, a lot of the anti-phishing are things you can do with the existing tools. Working on DMARC, you can go to your email gateway, there are configurations that you can do homework on, talk to people on NH-ISAC about, to manage risk there. 2FA, if you can't buy a tool right away, maybe talk about should we block or manage just remote access better? If people don't need to have it, then they don't have it. But there are a lot of things you can do there to log who's using it, and why they're using it.

Talked about privileged access management. But all of these others, I won't break them back down in all the painstaking detail again, but I would say these are key things that if you're working and constantly maturing these quarter after quarter, you won't be an easy target like a sitting duck. I tell my team the goal is to be a high, fast-flying duck and a little more challenging to hit. And kind of big picture of program management, and I'm not saying you should go make this, but this is just something that we talk to as a team where we just map out, well, what's our strategy? If we were going to say, what's a one-page strategy map of what we're about, this is what we make. And at the bottom we start with resources, and then we talk about, well, what are we doing for talent and technology on top of the resources? And then what capabilities do we want to drive into our program as we move up that stack? And then you also see sort of a left-to-right theme going on where governance, risk and compliance is a driver, protection, detection, response, recovery.

If you do manage something like this, the reason we do it is we talk about it every six, nine months because as you mature or your priorities change, you'll say, "This particular capability is a little bit different now. Maybe we can focus it in this one area, or maybe we should expand it across other areas. Or maybe we need to develop a new capability." Right now, Sentara, our IT shop is basically becoming a software development company. We're building native mobile apps in Microsoft Azure, Enterprise Data Platform in Azure.

And so we have another look in our strategy maps saying, "Do we have two strategy maps or do we merge onto this?" And so there's a lot of work to do because not all the tools are the same, not all the skills are the same. And sometimes you need to look at that recruiting of talent for how you manage that as well. And so we just use this to kind of step back from the program. I kind of took you through the slide running 100 feet off the ground, kind of looking at a program. This is where we kind of step back to 1000 feet and look at ourselves and ask what are we doing here?

Just kind of recapping the learning objectives there. As I mentioned, definitely a whole bunch of stuff we covered today. If for one of these you're saying, "Hey, you know what? There was one of those there, Dan, I really want to learn more about and you just didn't quite hit what I was after. There's something else I'd like to talk about." I'm always happy to do follow-up discussions on that. So Kyle, I turn it back to you now.

Kyle: Awesome. Awesome, I hope everyone has enjoyed Dan's insights. I can attest to his preparation and insight here. We're going to move onto questions, we've got a lot. Let's see how many we can get through. Dan, first one, this is actually something that's come across my desk a few times recently. What's your stance on cyber insurance and how that integrates with security risk management?

Dan: It's a great thing. I'll tell you kind of my first-hand experience with it. I haven't been in a situation where we've ever had to have a claim paid out, yet, knocking on wood. But it's important to get with your enterprise risk manager and be part of the vetting and negotiation. And inevitably, the underwriter's going to want to sit down with you and drag you through a pretty onerous question and answer period documenting things. But I would say, if you get a chance to do it, do it because it's going to be very enlightening for you and others that you include in the interview. A good cyber insurance company will provide you a benchmark of where you were, your responses scored, relative to the other healthcare systems that they're going to insure.

So that's the administrative side. On the actual using it side, already at Sentara, I've exercised the ability to do full-on compromise assessments twice. There was one right when I got here. And for those of you who go Google it, you'll see in 2017, we had a third-party incident. And so we actually weren't the source of the breach, but having a full-on compromise assessment was covered. Our OGC having access to outside legal counsel who are experts in HIPAA and dealing with OCR was covered. And so we went ahead and exercised that. And as a CISO, if I can get a $200,000 compromise assessment for $20,000, kind of paying the deductible so to speak, I'm going to do that. And so we had another incident that turned out to be completely unrelated to cyber, but because of the way the reporting went through, I asked the question, "Hey, well, by chance, can I squeeze in another compromise assessment?" So I went ahead and did that, but I liked doing it because it gives me a chance to say, "Is all this stuff I just told you guys true?" Okay?

And so I'm happy to say that, according to, I'm knocking on wood again, the last compromise assessment, yes, that stuff's working for us. It's keeping us where we want to be. But I think that you definitely need to do that. It's pretty close to table stakes now, I think, for your organization. I don't know if the disposition that OCR has had for settlement activity is going to continue at the pace it has in the past. There's a lot of dynamics in play here. But I think just the utility as a CISO you can get out of it at reduced rates on services, because your organization pays the premiums, is well worth it.

Kyle: Okay, we've got a couple questions here, Dan, about HITRUST. So the first one is, what's your position on HITRUST, whether Sentara's using it? The second is related to HITRUST, so how do you make sure third-party vendors are protecting ePHI, and what are your minimum requirements you ask them to provide, is HITRUST one of them or are there others that you use?

Dan: Great, those are great questions and they are tied together. So I'm feeling there's someone who knows me personally out there who has a HITRUST connection. I think HITRUST, all of the frameworks are great, and I think HITRUST, there's an important business value point to it, and I'll talk to that in a minute. But any control, like the certification for HITRUST, I have no problem with someone getting the certification if they need it for a business advantage. With any kind of certification process, sometimes to earn the badge, you spend a lot of money checking boxes that maybe didn't make you better. And so that's my caution, but HITRUST overall, especially like us, we run a health plan, I think in the future, if you're a health plan, we're in the smaller category of health plans, but we know that HITRUST certification is a trajectory we need to pursue, especially if we end up wanting to compete against some of the very large insurance companies.

And so we did consider that something that internally we're on a trajectory for and have a roadmap for. In terms of third parties, HITRUST is a great question to ask in terms of saving you time on diligence and then not asking a whole bunch of questions, if you're into that. Like I said, I think of PCI, I think there has been a... The PCI compliance organizations have breaches. They went through a whole bunch of work to sign off on a bunch of controls and get the badge. And so just because an organization has a certification doesn't mean they won't have a breach. But if you don't have the bandwidth to do a lot of follow-ups, and someone tells you they have HITRUST, that's a good thing, I definitely will not argue that point at all.

But in terms of our questionnaires, we do use another tool in concert with the tool I showed you on third-party risk, and it's a managed service tool. And so what we do is if it's what we consider a high-risk vendor, we have a set of control questions that we kind of have crosswalked between the NIST CSF and HITRUST CSF to kind of appropriately manage the risk. So if you're a really high-risk vendor, you maybe get the 200-question questionnaire. If it's something that you're maybe not really high risk, but we want to keep an eye on you, you get the 25- to 50-question questionnaire. But it's definitely something you have to do for due diligence and then find a way to manage and report.

And it is helpful to do that when contract negotiations come up. A couple of high-profile service providers that you're all aware of who do a lot of business with health systems had ransomware events, and in the wake of those, we had contract negotiations come up. And guess what? I showed them their score from the RiskRecon tool, and I showed them the questionnaire that we wanted filled out and said, "Hey, this is something our business unit's going to take into account when they negotiate."

Kyle: How impressed are you, Dan, that phishing attacks have evolved to the point where they're becoming increasingly difficult to detect?

Dan: They are, and it's really interesting because, and this is another... I sound like an NH-ISAC marketing guide here, right? But even some of the advanced tools you can buy, there's some great resources on NH-ISAC. I won't say their name because they didn't tell me it was okay to call them out right after the presentation. But they use these tools and they'll throw one out there and say, "Hey, this phishing email beat the tool," and they'll name which tool it beat. And what happens is the attackers, they're smart, they know what our countermeasures are, they know what the tools are, and they're trying to slip under the radar. And so I think I'm seeing the trend of the phishing attacks now, they're taking on much more of a social engineering spin. They're trying to do more impersonation, either of your people, or they're impersonating a vendor your physicians paid money to, and trying to get you to change the routing information on the next payment, et cetera.

And so they're doing homework on the vendors, they're calling in, impersonating those vendors. And so I think that's what feels like it's heated up to me a lot, from where I'm sitting and watching, is the social engineering aspect that's been really refined by the attackers.

Kyle: Okay, I think we've got time for maybe another question here, so I'm actually going to combine a couple. So Dan, your guidance regarding communicating, coordinating with the C-suite, your ERM, legal compliance team in terms of convincing them that security matters. In your case at Sentara, how has that led to the amount of resources in terms of personnel that are dedicated to security?

Dan: It's really been the driver for building the program. I was hired specifically to build the security program at Sentara. And when I got here, there was an interim CISO, he had another job he was doing. It was very challenging, and the team kind of got split up into different organizations so that we could manage HR and process. But the raw direct reports I had when I started out of the gate was in the single digits. What I did that earned a lot of credibility in the first year, 18 months, I looked at the security budget that was there and I actually was able to reallocate almost a third of it. So I onboarded probably a couple million dollars of new things, but I offboarded an equivalent amount. So I got some things done, so to speak.

People saw the 2FA tool get implemented, they saw other things happen where I told them, "Hey, here's the risk." I backed it up by saying, "Hey, compromised credentials lead to x percentage of breaches. You do this every day in other parts of your life. Here's a great tool that works this way, it's highly functional." And then I delivered. I got the money for it, but then I got it delivered and installed quickly. And so that's the key thing: map the risk, show you're trying to pay for things yourself whenever possible. And then once you get the thing, get it implemented, because all of us, I think, from our history in IT or security, any of us can think of 5 or 10 things that turned into shelfware. We got money for it and we ran out of appetite to get it implemented. But I think those are the quick wins I got.

So the board was brought in, I was invited out to quarterly meetings with a board cyber security oversight committee, and very quickly, within the first year, we made enough progress, they said, "Hey, we only need to see you at the audit compliance committee meeting now." But that's the key thing is if the board is not tuned in at all, what I would do is work with your boss and his boss. So if you work for the CIO who reports to the COO or someone else, get some kind of a monthly cadence where you're talking to them and show them real data. So hey, medical devices, I believe it's a patient safety concern. We've got all of these devices we can't patch, this is how... You guys know the path. This is how bad things happen, and show the map to that and explain what you're trying to do.

And so that's the key thing is doing a lot of homework mapping those things together. But now, I have a lot more budget than I had, triple the people I had, et cetera, because the organization knew if they gave me extra resources, I was going to do my best to make the most of it.

Kyle: Excellent. Well, that concludes our question and answer segment, and it also concludes today's healthitsecurity.com presentation. A special thanks to Dan Bowden for his excellent presentation today. Thanks to our audience, and of course our thanks to our sponsor Health Systems as well. For all of those that have questions that we couldn't get to, our apologies, but we've been trying to share Dan's contact information if you want to follow up there. Otherwise, just thank you for attending today and have a good day.

