Healthcare Privacy and Security Sessions at the 2018 HIMSS Global Conference & Exhibition

By Ram Ramadoss, HIMSS Privacy and Security Committee member

Privacy and cybersecurity have become significant areas of focus for the entire cross-section of healthcare providers, health plans and medical device vendors in light of massive ransomware attacks across the industry. In 2017, the healthcare industry witnessed major cybersecurity attacks, including exploitation of medical devices.

Digital connectivity without security cannot deliver effective patient care and could cause patient safety issues. If you are a healthcare provider and you plan to maintain a sustainable role in the industry, a focus on cybersecurity is no longer optional. You should develop and implement a sound, risk-based information security program regardless of your size.

With so many cybersecurity educational offerings at HIMSS18, you can gain significant knowledge, talk with several cybersecurity technology vendors and walk away with a solid understanding of risks and cybersecurity best practices. Healthcare cybersecurity knowledge, combined with its application, can help your organization build a robust security program.

HIMSS18 provides you with the following major privacy and cybersecurity tracks:

There are several privacy and cybersecurity sessions scheduled on Tuesday, Wednesday, Thursday and Friday of the conference.

This is part 1 of a 2-part series.

Tuesday, March 6

HIPAA and a Cloud Computing Shared Security Model, Session 59

At 1:00 pm, Adam Greene, partner, Davis Wright Tremaine, LLP, will present how the shared security model works in a cloud computing environment. Healthcare providers and cloud service providers each have specific responsibilities from a compliance and security point of view. This session will focus on how the HIPAA Security Rule and other security laws apply to a cloud computing shared security model.

The Five Pillars of a Best-in-Class Cybersecurity Program, Session 90

At 4:00 pm, Kevin Charest, divisional senior vice president and chief information security officer, Health Care Service Corporation, will share his experience in building and maintaining a cost-effective, adaptable and comprehensive security program. Charest’s session will detail the five vital pillars of building and running an effective cybersecurity program, touching on key best practices for undertaking this implementation, barriers you may encounter and how to overcome them, and expected successes.

Wednesday, March 7

Attacking Your Own Network: A Lesson on Penetration Testing

At 8:30 am, Chuck Kesler, chief information security officer, Duke Medicine, and John Nye, vice president, Cybersecurity Strategy, will explore the key benefits of offensive security and the common reasons why healthcare organizations are resistant to penetration testing. Kesler and Nye also plan to discuss the key components and benefits of offensive assessments such as social engineering, phishing and penetration testing, and the risks of not conducting them. Join this session to learn the terms and techniques used by ethical hackers and gain a stronger understanding of offensive assessments.

Detecting Cyberthreats with ATT&CK™-Based Analytics

At 10:00 am, Denise Anderson, president, National Health Information Sharing and Analysis Center (NH-ISAC), and Julie L. Connolly, principal cybersecurity engineer, the MITRE Corporation, will explain detection techniques and advanced analytics capabilities for detecting ongoing attacks and breaches. The Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK) family of models, developed for public use by the MITRE Corporation, provides a methodology for characterizing and describing the actions an adversary may take while operating on specific platforms within an enterprise network. HHS and NH-ISAC have embraced the ATT&CK methodology.

Risk Management Framework for DoD Medical Devices

At 11:30 am, the U.S. Department of Defense (DoD) will describe the DoD Risk Management Framework (RMF) requirements and workflows, and the Defense Health Agency’s role in RMF for medical devices. They will also describe the Defense Health Agency Cybersecurity’s role in the risk management framework.

10 Challenges in Managing Medical Device Cybersecurity

At 11:30 am, Juuso Leinonen, project engineer, ECRI Institute, will outline how their member hospitals procure and secure their networked medical devices and address the top 10 issues and risks. Leinonen will also present how IT and clinical engineering can work together to spot these issues and tackle them in a practical manner. The ECRI Institute, a non-profit organization, has been dedicated to bringing the discipline of applied scientific research to discover which medical procedures, devices, drugs, and processes are best, all to enable you to improve patient care.

Securing Medication Use Analytics and Surveillance in the Cloud

At 2:30 pm, Richard S. Schaefer, manager of other clinical department/lab services/pharmacy, and Shauna R. Leonard, chief, pharmacy service, Kansas City VA Medical Center, will present their implementation of the analytic and surveillance system in the cloud using an Infrastructure as a Service model. Richard and Shauna will discuss how the Veterans Health Administration benefited from state-of-the-art cybersecurity measures implemented by the cloud provider, enhancing patient data security while complying with industry standards in data protection. They will also share the results of their comparison of the benefits of cloud computing for enterprise clinical practice governance and standardization versus standard site implementation.

Cybersecurity, HIMSS and You: What’s Happening Now and In The Future

At 3:00 pm, core members of the HIMSS Privacy and Security Committee will highlight the committee's work over the past fiscal year, provide resources and tools you can use, describe the cyber threat landscape and inform you on what you need to know today and tomorrow about cybersecurity.

Exploring the Darknets

At 4:00 pm, Stephen Heath, vice president, security for Intrinium, will explain the terms "darknets" and "darkweb" that frequently make headlines and how these work. Attendees will recognize how cyber-criminals operate within the marketplaces of the darknet. Heath’s presentation will contrast the reality of the darknet versus the urban legend created by sensationalized headlines and help you to evaluate the risk of darknet usage within your organization. He will also illustrate how stolen prescription drugs, protected health information, credit cards and even organs are rumored to be bought and sold.

Enjoy your time at #HIMSS18! I hope these highlights assist you to plan your cybersecurity agenda and get the most out of your time in Las Vegas.