protect your practice against cyber threats may 12th, …€¦ · hipaa hitech’s main function...

PROTECT YOUR

PRACTICE AGAINST

CYBER THREATS

May 12th, 2020

Let’s introduce

ourselves

Tyler Lewan

Account Executive

Josh Prager

Lead Engineer

Thank You

Today’s plan

Education Prevention ResponseDetection Recover

Education

Why is healthcare such a target?

Stolen medical records worth $$$• MA psychiatrist created false diagnoses to submit

false claims, not a patient

• MO thief used stolen info to get real ID, obtain prescription

• OH dental office employee used PHI to obtain prescription

• PA man’s identity used at 5 hospitals for $100K treatment

• CO man received bill for $44k for surgery that he had not undergone

Trustwave report, 2018

Cybersecurity Challenges

Already spent $$ on firewall, anti-virus, and Backup!Expensive

Believe your IT team has you coveredBlind Trust

Don’t believe it will happen to you - it’s just the big guys that get targetedToo Small

Met HIPAA regulations, isn’t that enough?Inconvenient

What can you

do to protect

your

house against a

break in?

Detection

Alarm

Motion Sensor

Doorbell Camera

Neighborhood

Watch

Response

Dog

Insurance

Police

Baseball Bat

NIST Cybersecurity Framework

Recover

Restoration Services

Red Cross

Insurance

Legal

Prevention

Doors

Windows

Locks

Education

Yard Signs

Guess the Year• Phones first included navigation

• Newest Galaxy phone could scroll the internet!

• 80% of Netflix subscribers received DVDs through the mail

• Windows 7 introduced

• Donald Trump created his Twitter account

• HIPAA HITECH Enacted

HIPAA HITECH’s main function was for data privacy, not data security

2009

Don’t wait for legislation

Didn’t know what today would

look like 10 years ago

Can’t predict what

legislation we will need to protect

us in the future

Telemedicine

Prevention

No single solution is guaranteed to prevent attacks

A multi-layered portfolio is highly recommended

Prevention

Attacks bypassing basic security

measures will happen

Web Gateway Security

Internet security is a race against time

Offers protection against online threats by enforcing company security

policies, filtering malicious traffic in real-time, and blocks them on your network

within seconds – before they reach the user.

the ability for your solution to

dynamically analyze behavior in

order to recognize

malicious software by its actions,

not its appearance

Antivirus Technologies

75%

Sources: microsoft.com/safety; microsoft.com/wdsi; support.microsoft.com/products/security

Key to effective protection:

More than just backup – they will

revive your systems and have

your staff are operating in almost

no time

Includes features like

continuous data protection,

cloud-based replication and

recovery

Business Continuity Solutions

• Wood Ranch Medical (CA)

• Eye Care Associates (OH)

• N.E.O. Urology (OH)

• Know who is accessing your data

• Confirm identities

• Prevent non-compliant devices from

accessing your systems

75%

Verizon 2017 Breach Investigations Report

Password Policies

Multi-Factor Authentication

Additional layer of protection

Protect against phishing and other access

threats

Verifies the identity of all users with strong

two-factor authentication - before

granting access to applications

For better security, the latest security patches and other critical

updates can be automatically installed through patch

management services to protect from latest known attacks

Computer Updates

Encrypt files at rest, in

motion (email) and

especially on laptops

Encryption

Security Awareness

Sources: microsoft.com/safety; microsoft.com/wdsi; support.microsoft.com/products/security

Your staff can be your greatest

weakness. Threats bypasses

defenses when they trick an

employee.

Look for experts with

experience handling

healthcare cybersecurity

The Right Controls

• Web Gateway Security

• Anti-Virus

• Business Continuity Solution

• Multi-Factor Authentication

• Encryption

• Security Training

Overview

Detection

If a breach is not detected

quickly the damage is

already done

The quicker a breach is

detected, the less cost an

organization will incur as a

result of the breach.

Detection

Phishing

Phishing emails hold the

potential to bypass many of

your cybersecurity defenses

31%

PhishMe research

Phishing

Train your team to spot red flags

Think before you click

Hover over

link to revel

where it is

pointing

Generic non-

personalized

greeting

CAN-SPAM

requires

physical

mailing

address

No opt-out

link (has to be

managed

outside

organization)

Shadow IT Detection:

• Conditional access and level

controls

• Save-As, Copy, Paste restrictions

Security Management Tools

Advanced Endpoint Detection

Replaces traditional anti-virus solutions

Stops threat by • swiftly killing malicious processes• quarantining infected files• disconnecting the infected endpoint device from the network

Dark Web Monitoring

Stolen credentials are used to

test for open door

access

Know which passwords and

accounts that have been

posted on the Dark Web

81%

Sources: microsoft.com/safety; microsoft.com/wdsi; support.microsoft.com/products/security

Overview

• HIPAA Standards

• Phishing Emails

• Security Management Tools

• Advanced Endpoint Detection

• Dark Web Monitoring

Response

Being prepared to mitigate

and report damage and notify

and reassure customers

Key Components of Successful Response Planning

Response Team Members - know who is responsible for what and when they are responsible for it

Return Time Objectives (RTO) - dictates the type of preparations and your business continuity budget

Recovery Point Objectives (RPO) - looking at the time between data backups and the amount of data that could be lost in between backups

Steps to take if you’ve been breached

Respond quickly and appropriately in a

compliant manner

1. Get help: legal and technical

2. Assess the damage

3. Address any HIPAA reporting

obligations

4. Depending on the situation, contact

law enforcement

Recovery

Restoring any

capabilities or

servers that were

impaired by the

attack

Recovery Planning

Explore “what if” scenarios

Look at other cyber

events that have impacted

other practices

Help identify gaps before a

cyber security event occurs

Downtime

The biggest expense from an attack

• operational stoppage, idle workers

• productivity loss

• hardware repair/replacement

10X

Sources: Datto

Factor time trying to restore your system from backups

Recovery vs backup

Having copies of data doesn’t mean you can keep your practice running

• Evaluate multiple cloud and on-premises deployment options to find the right

fit for your organization

• Look for solutions that keeps your workloads available and offers redundant

devices

Questions?

16 Ways

To protect your

practice from a

cyber attack!

Thank you• Tyler Lewan

• Account Executive

• Tlewan@verticalsol.com

• Cell : 847-987-9606

• Josh Prager

• Lead Engineer

• Jprager@verticalsol.com

Vertical Solutions