Speaker:
Prashanth Mekala, Supervisory Special Agent, FBI

The U.S. Department of Justice just indicted two alleged hackers in China in the highly sophisticated cyberattack on health insurer Anthem that exposed data on nearly 80 million Americans. Meanwhile, ransomware, business email compromises, intellectual property theft and other headline-grabbing breaches and cybercrimes in the healthcare sector are getting the attention of CEOs and boards of directors. What other difficult cybercrime cases are federal law enforcement agencies trying to crack, and how can your organization avoid becoming the next victim making headlines?

Our presenter - Prashanth Mekala, FBI, Supervisory Special Agent, New York Field Office will address:

• Why healthcare is such an attractive target for cybercriminals, including nation state attacks;
• Latest trends in ransomware, IP theft, and other cybercrimes hitting healthcare;
• The main vulnerabilities in today's environment;
• Essential elements of a successful wartime defense strategy.

Speaker:
Thien La, CISO, Wellmark Blue Cross Blue Shield

What does it take to securely migrate nearly all your systems and data onto the cloud, phase out your own on-premises data center, and build shared cyber risk responsibility with third-parties? That's a journey under way at health insurer Wellmark. The health insurer's vice president and CISO Thien La will describe the company's migration to the cloud, including:

• Risks and reward, pros and cons;
• Getting buy-in from the board;
• Unique challenges of securing PHI on the cloud;
• What happens if there's a breach?

Speaker:
Christopher Bontempo, VP Security Marketing, IBM Security

Health organizations face a wide range of new cyber security threats like crypto-jacking and IoT vulnerabilities while still facing the heavy load of compliance and basic security blocking and tackling. Security requires an end to end framework based approach to manage well against a constantly evolving threat environment - but where should you start to get your biggest immediate reductions in risk? Join us for this session to hear lessons derived from IBM Security clients on where to start and where to go next..

Speaker:
Mike Dodson, Sr. Director Global Solution Engineering, Venafi

With the extensive network systems found in the health care industry, SSH keys are widely used to provide privileged administrative access and to secure machine-to-machine automation for important business functions. However, SSH keys are routinely untracked, unmanaged and unmonitored. This lack of visibility and control can create HIPAA violations by not adequately restricting access to Electronic Protected Health Information (ePHI). If SSH keys are not surely managed, the organization does not know who has access.

Only eight percent of heath care companies have accurate SSH key inventories. In addition, nearly half allow all or most of their administrators to manage SSH keys for the systems they control, resulting in an ad hoc process using inconsistent security practices. With no expiration and a lack of life cycle management, health care organizations can wind up with millions of SSH keys and a broad attack surface for insider threats and cybercriminals.

In this session, we'll examine SSH study results that reveal widespread lack of security controls for SSH keys in the health care industry. We'll discuss the common mistakes that almost all health care organizations make around security, policy, and auditing practices when managing SSH keys. We'll note the SSH key risks that are not addressed by IAM/PAM solutions and why they are probably some of the biggest risks in your network. The session will conclude with a 4-step approach to protecting SSH keys in health care networks.

Speaker:
Amanda Rogerson, Lead Healthcare Product Manager, Duo Security

Healthcare records remain one of the "holy grail" personally identifiable information (PII) data types for criminals. With patient data being more valuable to attackers than ever, alongside stricter HIPAA and HITECH compliance requirements and an ever-growing device inventory to manage, IT teams modernization projects must account for these risks in their strategic planning. To mitigate the risks being faced efficiently, healthcare organizations need to adopt a 'zero-trust' security approach and start viewing every threat surface, access point, identity, and login attempt as the new security perimeter.

By deploying solutions that can verify users and establish device trust while protecting every application (both cloud and legacy), healthcare organizations can quickly and effectively reduce their threat surface and meet compliance requirements.

Speaker:
Mark Bower, General Manager and CRO, Egress Technologies

Insider threat and email attack risks are a major issue in the health industry, 95% of IT executives have identified insider threats as a top concern in last 12 months, 79% think employees have put data at risk accidentally and 61% say employees have done so maliciously.

In this session will look at how organisations can use new analytic-driven machine learning to detect malicious human data handling risks and reduce human-error HIPAA violations. We will examine the types of insider threats leading to data exposure by distinguishing between malicious versus accidental breaches, highlight how adopting a risk-based approach to secure content and data sharing is vital for contemporary data protection. We will show through new techniques, how healthcare entities can protect employees from risky behavior and secure patient data without traditional friction that can impact adoption or interrupt care. Discover how companies like Epiphany Healthcare have streamlined the capture and use of clinical research data from over 900 hospitals, and how Raleigh Neurology ensures children's mental health privacy throughout high touch, high risk data workflows.

Speakers:
Cris Ewell, CSO and CPO, NRC Health
Mitch Parker, CISO, Indiana University Health System

The federal government says it will scrutinize healthcare providers and health IT vendors that participate in so-called "information blocking." But what are the top technical challenges and other barriers in ensuring that health information is being appropriately, legally and securely shared with clinicians, patients and potentially industry competitors?

Our panel, including Cris Ewell, CISO at UW Medicine; Mitch Parker, CISO at Indiana University Health System; Sean Murphy, former CISO Premera Blue Cross Blue Shield and current CISO at Boeing Employees Credit Union - will share their suggestions and experiences, including:

• Most secure ways for sharing patient data;
• Pros and cons for utilizing health information exchange organizations, EHRs and patient portals to exchange data
• Other methods of exchange, including direct secure messaging and blockchain

Speakers:
Chris Frenz, AVP of IT Security, Mount Sinai South Nassau
Nicholas Heesters, Attorney, Senior advisor for Cybersecurity, HHS Office for Civil Rights
Sonia Arista, National Healthcare Practice Director, Fortinet

In this session, HHS OCR provides an update on its latest HIPAA compliance and regulatory efforts - including possible modifications to the HIPAA rules. Then a panel of experts discusses:

• Latest health data breach trends, including soaring hacker incidents;
• The evolving regulatory climate and its impact on health data cyber efforts;
• Does HIPAA need to be modified?

Speakers:
Chris Frenz, AVP of IT Security, Mount Sinai South Nassau
Jennings Aske, CISO, New York-Presbyterian
Michael McNeil, SVP, Global CISO, Mckesson
Suzanne Schwartz, MD, Director, Office of Strategic Partnerships and Technology Innovation (OST), FDA’s Center for Devices & Radiological Health (CDRH)

Suzanne Schwartz, MD, Associate Director for Science and Strategic Partnerships, at the Food and Drug Administration's Center for Devices and Radiological Health, will provide an update on FDA's medical device cyber efforts. That includes the status of a draft update to the cybersecurity guidance for premarket devices. Then, a panel of experts will discuss progress underway, including:

• Jennings Aske, New York Presbyterian CISO, who is on working with others in the industry on an effort around a software bill of materials for medical devices;
• Michael McNeil, global security officer at Philips, who will offer a device maker's cyber perspective;
• Chris Frenz, Interfaith Medical Center CISO who will discuss the zero-trust approach that his organization is taking in securing its medical devices.

Speaker:
Mounil Patel, Field CTO, Mimecast

More cloud? Definitely more goals. Healthcare technology leaders are in a constant struggle to do more with fewer resources. Is the organization's security strategy the root of the problem or an enabling factor to ensure patient safety while improving the quality of healthcare delivery? Come learn how to control the risk of leveraging cloud email platforms while reducing the complexity of infrastructure and management overhead.

Speaker:
Preston Duren, Director, Cybersecurity Operations, Fortified Health Security

Many healthcare organizations today are hiring managed security service providers (MSSP) to manage specific security initiatives, or in some cases, outsourcing their entire security program. This approach is especially beneficial to those that have limited IT resources, lack internal security expertise, struggle to hire security talent, or simply need to implement a security program faster than they could in-house. But hiring an MSSP without the specific healthcare experience can pose just as much risk as cyber threats and attacks. Preston Duren, Director of Cybersecurity Operations at Fortified Health Security will discuss best practices for IT leaders to use when evaluating MSSPs and the importance of choosing the right partner. Topics include:

• Understanding the nuances of securing a healthcare environment;
• Key skills, certifications, and experience necessary for an effective healthcare MSSP;
• Real-life examples of damage and disruption that can be caused by an inexperienced cybersecurity team.

Speakers:
Cris Ewell, CSO and CPO, NRC Health
Jigar Kadakia, CISO & CPO, Partners HealthCare

What approaches are healthcare entities taking with their credentialing and IAM to better verify and manage the identities of patients, clinicians, researchers, vendors and others who want or need access to health and other critical data? Our panelists Cris Ewell, CISO at UW Medicine and Jigar Kadakia, CISO and chief privacy officer at Partners HealthCare discuss:

• Challenges and approaches to IAM;
• Why role-based EHR access is such a thorny issue;
• Privileged access dilemmas

Speakers:
Jennings Aske, CISO, New York-Presbyterian
Mitch Parker, CISO, Indiana University Health System

How do you find a needle in a haystack - whether it's a malicious insider or clues that a massive or devastating cyberattack could be underway? Our panel - including Mitch Parker, CISO at Indiana University Health System; and Jennings Aske, CISO NY Presbyterian - will discuss:

• Challenges and approaches to breach, incident detection;
• Getting the most out of behavioral analytics and other tools;
• Promising developments and technologies in detection.

Speakers:
Chris Frenz, AVP of IT Security, Mount Sinai South Nassau
Jigar Kadakia, CISO & CPO, Partners HealthCare
Michael McNeil, SVP, Global CISO, Mckesson

What are the new data security, patient safety and privacy worries evolving with each new cyberattack on the healthcare sector? Our panel of experts - Jigar Kadakia, CISO of Partners HealthCare; Michael McNeil, global security officer at Philips; and Chris Frenz, CISO Interfaith Medical Center - will discuss what keeps them up at night, including:

• Ransomware and other cyber extortion;
• Threats impacting data integrity of medical devices;
• Careless vendors and immature business associates;
• What healthcare entities can do to stay ahead of these threats?