SUMMARY / Healthcare

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

ISMG’s Global Summit Series will take place across four continents focusing on global security topics such as fraud and breach prevention and on many key industry verticals such as finance, government, retail, energy and healthcare.

All content will be driven by our global editorial team including executive editors from publications like DataBreachtoday, BankInfoSecurity, GovInfoSecurity and HealthcareInfoSecurity. These events will provide the opportunity to learn from industry influencers, earn CPE credits, meet with leading technology providers and be a part of the ISMG community of over 700,000 subscribers.

Details

New York, NY

June 18th & 19th, 2019

$895

View Past Sessions

Registering For a Group?
Call + 1 (609)-356-1499

Event Gallery

Mitch Parker

CISO, Indiana University Health System

Howard Anderson

News Editor, ISMG

Cris Ewell

CISO, Seattle Children's Hospital

Richard Jacobs

Assistant Special Agent in Charge, Cyber Branch, FBI New York Division

Phil Reitinger

President & CEO, Global Cyber Alliance; former Deputy Undersecretary for Cybersecurity, Department of Homeland Security; former CISO, Sony

Jennings Aske

CISO, New York Presbyterian

Jay Kramer

former Supervisory Special Agent, Cyber Division, Federal Bureau of Investigation

Jim Cunha

Senior Vice President of Bank Administration, Federal Reserve Bank of Boston

PAST SPEAKERS / Featured Speakers

Suzanne Schwartz, MD

Associate Director for Science and Strategic Partnerships, FDA Center for Devices and Radiological Health

Heath Renfrow

CISO, LEO Cyber Security; formerly CISO of US Army Medicine and CISO of US Critical Infrastructure at the US Army Corps of Engineers

Vikrant Arora

CISO, Hospital for Special Surgery

Hussein Syed

CISO, RWJBarnabas Health

Anahi Santiago

Chief Information Security Officer, Christiana Care Health System

Stephen R. Katz

Former CISO, Merrill Lynch and Citi

Phil Curran

CISO, Cooper University Health Care

Mark Eggelston

VP, CISO and CPO, Health Partners Plans

Cris Ewell

CISO, Seattle Children's Hospital

Connie Barrera

Director of Information Assurance and CISO, Jackson Health System

Nicholas Heesters

OCR Health Information Privacy & Security Specialist, HHS

David Houlding

Principal Healthcare Program Manager, Microsoft

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Mitch Parker

CISO, Indiana University Health System

Vito Sardanopoli

member of HHS cyber task force, CISO Atlantic Health

Randy Trzeciak

Director, CERT Insider Threat Center, CMU

Brian Lancaster

VP of IT and CIO, University of Nebraska Medical Center

Kevin McDonald

Director, Clinical Information Security, Mayo Clinic

Richard Conti

Information Security Specialist, The Children's Hospital of Philadelphia

Greg Garcia

Executive Director for Cybersecurity Healthcare and Public Health Sector Coordinating Council

Mark Jarrett

SVP & Chief Quality Officer and Associate Chief Medical Officer, Northwell Health

Mary Kavaney

Assistant Deputy Secretary, Global Cyber Alliance

Kirk Nahra

Privacy Attorney, Wiley Rein

Dale Nordenberg, MD

Executive Director, Medical Device Innovation, Safety and Security Consortium

Steven Teppler

Attorney; Bitcoin/Blockchain Expert, Mandelbaum Salsburg P.C.

Sonia Arista

National Healthcare Practice Director, Fortinet

Paul Singleton

Systems Engineer Cloud Security, Cisco

Ryan Witt

Managing Director, Healthcare Industry Practice, Proofpoint

Meet Our Speakers

What’s Wrong With Relying on HIPAA Compliance?

CISO Jennings Aske on the Need to Use a Comprehensive Framework

Asking Cloud Providers the Right Questions

Eric Chiu of HyTrust on Scrutinizing Vendors

Breach Investigations: Switching Sides

Former FBI Agent Jay Kramer on His New Legal Role in the Private Sector

Data Security Lessons Healthcare Can Learn From DoD

Dave Summitt Describes Applying Defense Department Strategies to Health Data Protection

Step One: Admitting We Have a Cybersecurity Problem

Reitinger of Global Cyber Alliance on Tackling Risk Management

How the Dark Web Presents New Insider Threats

Carnegie Mellon's Michael Theis Offers Update on Latest Trends

Past Schedule / Session Date & Times

Tuesday, June 18^th
Wednesday, June 19^th

Hall A
Hall B
Hall C
Hall D

8:00 am - 8:45 am

Registration, Breakfast & Exhibit Browsing

8:45 am - 9:00 am

Opening Remarks

9:00 am - 9:45 am

Keynote: Threat Hunting, From a Model-Driven Cyber Security Approach

Hear from our industry expert, who was hired as a CISO and immediately charged with taking multiple sources of log files from newly deployed controls and determine how best to allocate scarce resources for cyber hunting. Soon, while the project was underway, six other implementations of machine-learning-driven point solutions catapulted his company’s Global Security into a model-driven security deployment using data analytics. In this keynote address, which will set the tone for our cybersecurity discussions at this two-day event, our speaker will discuss what his organization learned from this experience, and the implications for security talent management and information sharing going forward.

9:55 am - 10:25 am Breach Track

DDoS and the Era of Cyber Extortion

Cyber-extortion has reached new proportions, with a wide variety of methods, such as distributed-denial-of-service attacks and ransomware variants being used to extort individuals and organizations. Recently uncovered ransomware-DDoS hybrid attacks, like Cerber, showcased how attackers have added DDoS capabilities to ransomware. Cybersecurity experts predict these attacks will only increase. And as events, such as the takedown of Brian Krebs’ website, prove, DDoS attacks continue grow, posing big concerns for all businesses and organizations. The biggest question now is: Who’s next?

This session presents real cases of cyber-extortion waged against corporate and high net-worth individuals, including hacking techniques for full network compromise and deployment of ransomware kits. Attendees will walk away from this session with knowledge about the tools and strategies needed to elevate cyber-resilience.

9:55 am - 10:25 am Technology Track

Why is the Healthcare Industry So Far Behind on Cyber Security?

The health care industry has a firm responsibility to defend the security of its clients’ data. With most health care data stored online, that means hospitals and other health care facilities need to have top-tier cyber security standards in place. Right now, that’s not happening – and that’s a real problem.

10:25 am - 10:40 am

Exhibit & Networking Break

10:40 am - 11:10 am Breach Track

Credential Theft as a Primary Attack Vector - Detect and Respond to Privileged and Service Account Attacks

Privileged accounts have been at the center of each recent high-profile attack. Moreover, attackers are leveraging Privileged credentials as their entry point to high value systems within the network. This session will explain how hackers that successfully exploit these credentials are able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection. With a solid understanding of this well-used method of attack, attendees will learn how to properly secure and manage these powerful credentials. During this session CyberArk will discuss growing trends in regards to attacks and what Security Leaders are doing to protect their organizations from these advanced attacks. CyberArk will also walk through a typical attack that utilizes privileged accounts and how passwords can be exploited to break down the front door. The session will touch on the growth and prevalence of privileged credentials. We will discuss how to securely store and manage credentials and how to reduces the attack surface, specifically attack surfaces favored by insiders and outsiders with insider credentials. We will also discuss detecting credential harvesting and blocking future attempts. All while maintaining governance and compliance standards.

10:40 am - 11:10 am Technology Track

Automation as a Force Multiplier in Cyber Incident Response

It’s rare to read a headline concerning a data breach and not think about how it relates to the shortage of skilled cyber-incident and fraud responders. Without an adequate workforce, fraud and security teams are overwhelmed by the current volume of alerts they receive on a daily basis. What’s more, the shortage of skilled labor means existing teams are overworked and subject to what the industry calls “Alert Fatigue,” due, in part, to an estimated 52 percent false-positive rate. An automated alert response capability with integrated, trackable workﬂows designed around recognized standards and best practices is now a necessary part of a SOC/CSIRT/fraud department toolbox, and is an integral part of any cyber-response plan. The skilled-labor shortage cannot simply be solved through the use of traditional security-incident-response platforms (SIRP) or security orchestration and automated response (SOAR) solutions; the answer lies in a coalescence of these technologies to provide a synergetic solution that addresses automation, knowledge transfer and intelligent workﬂow.

11:20 am - 11:50 am

Panel: Lack of Cybersecurity at Healthcare Organizations: Personnel, Budgets, Buy-in, Technology - Dare to Name the Culprit?

11:50 am - 12:35 pm

Speed Networking with Presenters and Peers

One of the most valuable ways to learn is through interaction with your peers. Our “Speed Networking” session will provide an opportunity to meet practitioners who have similar challenges in the areas of fraud and breach prevention, and discuss solutions to potential obstacles. Mingle, share and learn in this unique, rapid-fire and interactive environment.

12:35 pm - 1:25 pm

Lunch

1:25 pm - 2:05 pm

We're at War: Cyberattacks a Wake-Up Call for the Healthcare Sector

The hack of health insurer Anthem exposed data on 80 million Americans. A breach of an electronic health records vendor affected dozens of clinics. A California hospital paid a ransom to get data decrypted by hackers. These and other headline-grabbing breaches are getting the attention of CEOs and boards of directors. And these senior leaders are coming to an important conclusion: In the current threat environment, healthcare organizations must adopt a “wartime” mindset against their sophisticated, persistent attackers. An organization with a wartime mindset is focused on just one thing: Stop the enemy.

In this keynote address, a senior federal official at the agency that investigates health data breaches and enforces HIPAA will address these and other critical questions:

Why is healthcare such an attractive target?
What are the main vulnerabilities in today’s environment?
Which important risk mitigation steps are being overlooked?
What are the essential elements of a successful wartime defense strategy?

2:10 pm - 2:45 pm

Ransomware: Healthcare is Fighting Back

Ransomware attacks on healthcare organizations have dominated the headlines lately. But what can organizations do to proactively improve their ransomware defenses? Our speaker will offer proven strategies for building stronger phishing defenses.

2:55 pm - 3:25 pm

Panel: Medical Devices: Worry About Vulnerabilities or Manage Risk?

3:25 pm - 3:40 pm

Exhibit & Networking Break

3:40 pm - 4:20 pm

Security Vulnerabilities in BA's Environments: Low-Hanging Fruits or Your Biggest Challenges

The healthcare industry is at an information security crossroads, ill-prepared for the cyberattacks increasingly targeting healthcare organizations. This session will review how the reliance on third-party vendors have hindered the healthcare industry’s ability to prevent, detect and respond to the current cyberthreat landscape. This session also will review how the healthcare industry must embrace security frameworks, such as the NIST Common Security Framework and ISO 27001, along with practices used by other industry verticals to address cyberthreats, thereby facilitating regulatory compliance.

4:25 pm - 5:00 pm

Panel: We've Been Breached, Now What? How to Effectively Work with Law Enforcement and Regulators

Too many organizations continue to address breach response from a reactive mode – having a crude disaster-recovery plan in place in case something “does” happen, rather than accepting that something “will” happen and proactively preparing for it. In this session, a panel of legal, technical and law-enforcement experts will discuss what well-prepared organizations are doing right when it comes to proactive interaction with law enforcement, information sharing and breach investigation/response.

5:00 pm - 5:15 pm

Closing Remarks

5:15 pm - 6:15 pm

Cocktails & Networking

View Second Day's Schedule

Hall A
Hall B
Hall C
Hall D

8:00 am - 8:45 am

Registration & Breakfast

8:45 am - 9:00 am

Opening Remarks

9:00 am - 9:45 am

Mobile Security - The Challenge for Healthcare

Healthcare in America is changing. New rules, new laws, new technologies and new expectations are driving healthcare providers to adapt to new ways of delivering services. Mobile technologies are a key part of making healthcare portable and personal. Tablets, smartphones and other handheld devices can give practitioners the freedom they need to deliver services with the speed and reliability patients expect. However, this increased focus on mobility carries numerous security risks. Malware, attacks, and theft can jeopardize data confidentiality and damage patient trust. The new HIPAA Omnibus ruling also puts increased focus on the need to secure electronic patient health information (ePHI). In this session we will explore the challenges of mobility in Healthcare including techniques that can help deliver strong security and protect, without sacrificing the freedom and accessibility practitioners require.

9:55 am - 10:25 am Breach Track

Six Steps to Secure Access for Privileged Insiders and Vendors

Many organizations trying to secure privileged access for employees or vendors focus solely on the privileged credentials or identities. But that’s only half the battle. Securing the access pathways is just as critical to protecting your critical systems and data from cyberthreats. This session outlines the six steps companies need to take to secure privileged access, while simultaneously improving business productivity.

9:55 am - 10:25 am Technology Track

Intelligence Sharing Advances: How IOCs Helped Thwart U.S. WannaCry Breaches

Hear from our industry expert about how The HITRUST Cyber Threat XChange (CTX) is sharing bi-directional indicators with the Department of Homeland Security. HITRUST’s Cyber Lab, in partnership with Trend Micro, identified malicious indicators of compromise (IOCs) several weeks in advance of the WannaCry outbreak. CTX members were able to automatically receive indicators, update defenses and stop the WannaCry threats before systems were compromised. To date, this program has helped U.S. healthcare organizations become leaders in sharing threat indicators of malicious threats from many attack vectors. This session explores how sharing IOCs has helped healthcare providers protect the valuable data, PHI and medical systems sought after by cybercriminals and targeted attacks.

10:25 am - 10:40 am

Exhibit & Networking Break

10:40 am - 11:25 am

Responding and (Hopefully) Recovering From a Breach: An Action Plan

In the past, many reported health data breaches involved missteps, such as the theft of laptops or inappropriate access to records by insiders. Today, however, healthcare organizations are also frequent targets for attacks from nation-states looking for intellectual property or patient information as well as hackers interested in making a quick buck.

Our panelists will engage the audience in a lively discussion of critical questions of interest to information security leaders, including:

Why is healthcare increasingly under attack?
What kinds of threats loom on the horizon?
What are the key security shortcomings at hospitals, clinics and insurers?
What are the implications for your information security strategy?
What should healthcare entities know about cyber insurance coverage?

11:35 am - 12:05 pm

How the NIST Framework Can Be Used to Assist, But Not Ensure, Cybersecurity and Compliance

The healthcare industry is at an information security crossroads, ill-prepared for the cyberattacks increasingly targeting healthcare organizations. This session reviews how the focus on security regulatory compliance has hindered the healthcare industry’s ability to prevent, detect and respond to the current cyber threat landscape. This session also reviews how the healthcare industry must embrace security frameworks, such as the NIST Common Security Framework and ISO 27001, along with practices used by other industry verticals to address cyber threats, thereby facilitating regulatory compliance.

12:05 pm - 1:00 pm

Lunch

1:00 pm - 1:40 pm

Panel: Breach Management Challenges - So, What's Not Working?

1:45 pm - 2:30 pm

Multifactor Authentication in Healthcare - Are We Sacrificing Security for Convenience?

When it comes to authentication, user names and passwords still dominate in healthcare, despite experts urging the implementation of multifactor authentication. That’s due, in part, to the pressure of providing busy clinicians quick and easy access to patient information. If authentication is cumbersome, physicians, nurses as even patients often push back. Our panelists will discuss how they’re bolstered authentication at their organizations, the emerging technologies they’re using and how they have built support among clinicians and others.

2:30 pm - 2:40 pm

Exhibit & Networking Break

2:40 pm - 3:15 pm

Panel: The Evolving Regulatory Environment and Its Impact on Privacy and Security of Online Medical Records

Data protection legislation and regulatory enforcement actions are rapidly changing throughout the world and are having an immediate impact on how organizations globally approach cybersecurity, privacy, breach notification and data storage and protection. However, too frequently, U.S. healthcare sector organizations have built their security programs by focusing on the compliance requirements of the HIPAA security, privacy and breach notification rules. But is that preoccupation with HIPAA compliance leaving the healthcare sector even more vulnerable? This panel reviews how online medical records are impacting privacy and regulation and are setting the tone for other emerging data-protection related regulations in the healthcare space.

3:20 pm - 4:00 pm

Panel: Cybersecurity and Patient Privacy in Healthcare: The Balancing Act

How do you balance privacy with data exchange among clinicians, access for patients and medical breakthroughs for researchers? This session examines whether there’s a “right balance” for protecting patients’ confidentiality, bolstering cybersecurity and providing individuals with access to their own health data, while also optimizing the potential for new research discoveries and improved clinical care. Steve Chabinsky, Commissioner of the President’s Commission on Enhancing National Cybersecurity and a former Deputy Assistant Director for cyber at the FBI, kicks off our panel discussion with some examples and key themes related to patient privacy. The healthcare industry is made up of thousands of small clinics and laboratories that hold highly sensitive information yet are potentially the weak links for breaches that can impact larger entities and millions of individuals. How can these organizations protect data from cyberattacks, when many more sophisticated organizations and even government agencies haven’t mastered cybersecurity?

4:00 pm - 4:15 pm