Health sector Cybersecurity Strategic Plan RUI GOMES Head of Information Systems, SPMS 30.11.2016 Portuguese Ministry of Health, Shared Services LNEC Congress Center, Av. Brasil, 101, Lisbon


Page 1: Health sector Cybersecurity Strategic Plan · from different initiatives and good practices sharing between partys. • The framework is aligned within good practices internationally

Health sector Cybersecurity Strategic Plan

Rui Gomes, Head of Information Systems, SPMS

30.11.2016

Portuguese Ministry of Health, Shared Services

LNEC Congress Center, Av. Brasil, 101, Lisbon

Page 2

Introduction: Cybersecurity Challenges at National Level

Page 3

Who am I?

My name is Rui Gomes and I'm the IT Director at SPMS.

Page 4

About SPMS

Our mission is to supply shared services to entities operating in the health area in Portugal ...

Page 5

About SPMS

...and in this way Centralize + Optimize + Rationalize the provision of services for the National Health Service.

Page 6

About SPMS

Portuguese Health Sector

- 10 million people
- 50 public hospitals
- 356 primary care centers
- 90% running SPMS ICT solutions
- 60 ICT solutions

Page 7

The Challenge

[System map of the Portuguese health sector information systems (figure); labels recovered from the slide:]

National context: Finance; Electronic Certificates; Electronic Prescriptions; National Programs, Production and Planning; National Registrations

Local / regional context: Primary Health Care; Hospitals / ULS; ARS

Systems (administrative, clinical and financial): Health Data Platform, RNU, RNP, SGES, MPI, SIGLIC, RHV, SINUS, SONHO CSP, SONHO V1, SONHO V2, SCÍNICO, SAM + SAPE, BAS, PRVR, RENTEV, RENNDA, Professionals Portal, Patient Portal (Portal Utente), Institutions Portal, CTH, SIGPS, RNCCI, SIM@SNS, GID, SISO, SIVIDA, SINAVE, MIM@UF, SIDC / SICC, FHS, WEBGDH, SIARS, FAMIG, SGTD, SICO, CIT, Medical Certificates (Atestados), PEM, PEM - CRD, PEM - H, SIGAI, SCDGF, SICA, BI GDH, SAGMD, SITAM, SIGEF, BI RH

European projects

Page 8

Presentation Goals

Share the Plan and the challenges we face in raising the cybersecurity level of the entities we serve, and the strategy deployed to overcome them in order to comply with the best practices in the sector.

Page 9

The Challenge: Cybersecurity Challenges at National Level

Page 10

The Challenge

Half experienced 1 to 5 attacks in 2015.

In 2013 and 2014 healthcare companies saw a 70% increase in cyber-attacks, a third of which succeeded.

Page 11

The Challenge

Entities are autonomous and implement cybersecurity separately.

A common strategy is challenging to implement since it can't be imposed.

Page 12

The Challenge

Institutions rarely think of cybersecurity controls as part of a security management system.

Cybersecurity controls vs. Security Management System

Only a few implement a fully secure, managed, automated system from management to operations.

Management + Operations = FULLY SECURE MANAGED AUTOMATED SYSTEM

Page 13

The Challenge

The initiatives aren't sustainable over time ... and have doubtful value.

Page 14

Solution: Cybersecurity Challenges at National Level

Page 15

Solution – Acknowledge

Make sure everyone acknowledges the situation and understands the risks and impact.

Example: ransomware. Trojans used by criminals encrypt some or all of the hard drive. The forms shown on the slide:

- Ransomware encryption (the victim's files are encrypted)
- Lock screen (the desktop is blocked until payment)
- Master Boot Record (the machine cannot boot)

Page 16

Solution

Page 17

Solution

- Keep systems and programs updated
- Daily backups
- Awareness and training for users
- Using network protections
- Good endpoint protection solutions

Page 18

Solution – Strategy success factors

- Acknowledging the problem
- Involving the proper stakeholders
- Changing mindsets
- Promoting each party's involvement in the program
- Providing a centralized common framework
- Assessing each entity's cybersecurity level
- Involving suppliers and providers
- Supporting the implementation
- Measuring the results
- Building upon the improvements

Page 19

Solution

[Chart (figure): Remaining Risk versus Investment, with LOW / MEDIUM / HIGH investment on one axis and Risk on the other.]

Investment in security will bring down risk, but some risk will always exist.

Page 20

Solution

Look at security in a different way: recognize its ability to generate value. Obtain benefits, optimize resources and manage risk to create value.

Page 21

Solution – Industry Leads

Suppliers and providers have the best knowledge of system trends and capabilities.

SPMS is committed to adopting an innovative cybersecurity programme to preserve health information, protecting citizens while at the same time promoting the industry in the Portuguese market.

Page 22

Solution – Industry Leads

- Effective collaboration
- Special partners
- Proposing collaboration (examples)

Page 23

Solution – Program Management

[Program structure diagram (figure); labels recovered from the slide:]

- Track 00: Program Coordination
- Track 01: SPMS Continuous Improvement
- Track 02: eSIS Continuous Improvement
- Out of Scope

Components: Risk & Security Best Practices; SPMS and eSIS Risk & Security Best Practices Program; eSIS Risk & Security Continuous Improvement Dashboard; Local Risk & Security Improvement Initiatives; SPMS Risk & Security Improvement Initiatives; Continuous Improvement Follow Up; Control Guidelines; Share Best Practices; Definition; Implementation; Contributions to Best Practices.

Timeline: Q1, Q2, Q3

Page 24

Solution – Program

[Roadmap (figure): 2015 Q4 through 2016 Q1–Q4 to 2017 Q1–Q2, with three tracks: Track 00 Program Coordination; Track 01 SPMS Continuous Improvement; Track 02 eSIS Continuous Improvement (Pilot Projects; Programs/Projects at SNS Local Entities). Labels: Coordination/Following; Manage/Organise; Architecture, Operations & Resources; Audit, Risk & Control; Cybersecurity; Ongoing Quick Fix.]

Activities:

- Following the eSIS Risk & Security Continuous Improvement Program
- Defining the Information Security Initiative's protection scope
- Identifying security commitments and activities assumed by PE
- Adopting Information Security Management, Policies and Procedures
- Implementing Information Security System Requirements
- Adopting an Information Security Incident Registration System
- Disaster Recovery Implementation
- Adopting Procedures for Business Continuity
- Implementing a Risk & Security Management System
- Ongoing Quick-Fix
- Adapting the existing Information Security Policy
- Adopting the Information Security Management's Communication Model
- Identifying applicable legal compliance with international norms
- Adopting the Information Security Management's Organic Unit
- Creating a Dynamic Resources Inventory in the Scope of Protection - Architecture
- Elaborating a Risk and Critical Services Analysis Prototype
- Adopting an Identity Management System at SPMS
- Identifying vulnerabilities, threats and risks associated with assets

Page 25

Solution

[Information Security & Risk Framework diagram (figure); labels recovered from the slide:]

- Organization Goals
- Information System Related Goals
- Risks Associated with the Information Systems
- Information System Management Enablers: Processes; Organizational Structures; Principles, Policies and Culture; Resources (Information; Services, Infrastructure & Applications; People and Competences)
- Information System Operation: Processes/Procedures; Information Technology; People; Operational Best Practices; Data/Information Architecture; Technologic Architecture; Infrastructure & Networks (Internal, External, Devices); Applications/Solution Architecture

Facts & Figures

- The framework represents the information security and risk vision for the SPMS Information System: alignment of objectives and related risks.
- The different framework components symbolize the fundamental elements of the as-is and to-be states: objectives; risks; management enablers; operational tools.
- The framework covers a holistic vision of information security, integrating the organization's elements: People, Processes and Technology.
- The framework gives better knowledge of the gaps and of the specific action plans to address them.
- It works as a guide to the governance, management and operation of risk and security, promoting better coordination between different initiatives and the sharing of good practices between parties.
- The framework is aligned with internationally referenced good practices for risk, security management and cybersecurity in healthcare.

Page 26

Solution

[Same framework diagram as the previous slide, with the documentation set mapped onto its components (figure).]

1. Information Security & Risk Framework
2. Information Security & Risk Documentation
3. Information Security Policies, Standards and Procedures
4. Information Security Principles
5. Information Security Objectives
6. Information Security Policy
7. Acceptable Use Policy
8. Cybersecurity Controls – Account Monitoring and Control

Framework components referenced: Information System Related Goals; Principles, Policies and Culture; Information; Operational Best Practices.

Page 27

Solution

Using Cybersecurity Controls in the Activation Program

Based on "The Center for Internet Security Critical Security Controls for Effective Cyber Defense, Version 6.0" (CIS / SANS):

- Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
- Critical Security Control #2: Inventory of Authorized and Unauthorized Software
- Critical Security Control #3: Secure Configurations for Hardware and Software
- Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
- Critical Security Control #5: Controlled Use of Administrative Privileges
- Critical Security Control #6: Maintenance, Monitoring and Analysis of Audit Logs
- Critical Security Control #7: Email and Web Browser Protections
- Critical Security Control #8: Malware Defenses
- Critical Security Control #9: Limitation and Control of Network Ports, Protocols and Services
- Critical Security Control #10: Data Recovery Capability
- Critical Security Control #11: Secure Configurations for Network Devices
- Critical Security Control #12: Boundary Defense
- Critical Security Control #13: Data Protection
- Critical Security Control #14: Controlled Access Based on the Need to Know
- Critical Security Control #15: Wireless Access Control
- Critical Security Control #16: Account Monitoring and Control
- Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps
- Critical Security Control #18: Application Software Security
- Critical Security Control #19: Incident Response and Management
- Critical Security Control #20: Penetration Tests and Red Team Exercises
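Control #16 (Account Monitoring and Control) is the one control the deck singles out with its own document, and it is also one of the easiest to automate. The script below is an added example, not code from SPMS or from this presentation: it runs the typical Control #16 checks (dormant accounts, accounts that should have been removed when the person left, expired-but-enabled accounts, and administrative accounts with stale passwords) over a directory export. The CSV layout, the HR roster, the `svc-` naming convention for service accounts and the 90-day thresholds are assumptions made for the illustration, and the sample records are constructed.

```python
"""Account monitoring checks in the spirit of CIS Critical Security Control #16.

Added example, not code from SPMS or the presentation. The export format,
the field names, the naming convention and the thresholds are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample: a directory export as CSV (hypothetical format).
# Dates are ISO; an empty date means "never" (last_login) or "no expiry".
ACCOUNT_EXPORT = """\
username,enabled,last_login,password_last_set,expires,groups
a.silva,1,2016-11-28,2016-09-01,,Domain Users
m.costa,1,2016-05-02,2016-01-15,,Domain Users
j.pereira,1,,2015-12-01,,Domain Users
svc-backup,1,2016-11-29,2015-06-01,,Service Accounts
t.ramos,1,2016-11-25,2016-03-10,2016-10-31,Domain Users
admin.lopes,1,2016-11-29,2016-02-01,,Domain Admins;Domain Users
r.gomes,0,2016-11-01,2016-08-01,,Domain Users
ext.contractor,1,2016-11-27,2016-10-01,,Domain Users
"""

# Constructed HR roster of people currently employed (hypothetical).
HR_ROSTER = {"a.silva", "m.costa", "j.pereira", "t.ramos", "admin.lopes", "r.gomes"}

DORMANT_DAYS = 90              # assumed policy: no login in 90 days => dormant
ADMIN_PASSWORD_MAX_DAYS = 90   # assumed policy for privileged accounts
ADMIN_GROUPS = {"Domain Admins"}
SERVICE_PREFIX = "svc-"        # assumed naming convention for service accounts


def _parse_date(value):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def parse_accounts(export_text):
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        rows.append({
            "username": row["username"],
            "enabled": row["enabled"] == "1",
            "last_login": _parse_date(row["last_login"]),
            "password_last_set": _parse_date(row["password_last_set"]),
            "expires": _parse_date(row["expires"]),
            "groups": set(filter(None, row["groups"].split(";"))),
        })
    return rows


def audit_accounts(accounts, roster, today):
    """Return {finding_type: sorted usernames} for enabled accounts.

    dormant          no login within DORMANT_DAYS, or never logged in
    orphaned         not in the HR roster and not a service account
    expired_enabled  expiry date has passed but the account is still enabled
    admin_stale_pw   member of an admin group with a password older than policy
    Disabled accounts are skipped: they are already under control, and spotting
    logins *by* disabled accounts needs authentication logs, not this export.
    """
    findings = {"dormant": [], "orphaned": [], "expired_enabled": [], "admin_stale_pw": []}
    cutoff = today - timedelta(days=DORMANT_DAYS)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["username"]
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            findings["dormant"].append(name)
        if name not in roster and not name.startswith(SERVICE_PREFIX):
            findings["orphaned"].append(name)
        if acct["expires"] is not None and acct["expires"] < today:
            findings["expired_enabled"].append(name)
        if acct["groups"] & ADMIN_GROUPS:
            pw_set = acct["password_last_set"]
            if pw_set is None or (today - pw_set).days > ADMIN_PASSWORD_MAX_DAYS:
                findings["admin_stale_pw"].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}


def run_audit(today=date(2016, 11, 30)):
    """Run the checks over the constructed sample; 'today' defaults to the talk date."""
    return audit_accounts(parse_accounts(ACCOUNT_EXPORT), HR_ROSTER, today)


if __name__ == "__main__":
    for kind, names in run_audit().items():
        print(f"{kind:16s} {', '.join(names) or '-'}")
```

In operation the export would come from the directory itself (an LDAP or Active Directory query) and the roster from HR, and the findings would feed the actions the control asks for: disable or expire dormant and orphaned accounts, and force a password change on the privileged ones. Note what the export cannot tell you: a disabled account that is still being used shows up only in authentication logs, so this check complements, rather than replaces, log monitoring under Control #6.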

Page 28

Solution

[Chart (figure): Health Sector Global Maturity, eSIS vs SPMS. Values recovered from the slide: eSIS 17%, 28%, 39%; SPMS 46%, 83%, 94%; other figures on the chart: 13, 01, 01, 34, 32, 2.]

Page 29

Solution – Risk and Security Dashboards

[Dashboard (figure): "Good Practices and Guidelines" and "Continuous Improvement Overview". Columns: SPMS, seven Local Inst., TOTAL. Rows: Security Related Goals; Governance and Management Enablers; Operational Resources & Practices (each with Guidelines), plus TOTAL. Values recovered from the slide, in the order they appear:]

  92%  88%  66%  79%  98%  87%  94%  91%
  42%   5%  17%   3%  27%   9%  21%   9%
  69%  52%  60%  41%  89%  51%  48%  59%
  71%  48%  47%  41%  71%  49%  54%  53%  57%

Standalone values on the slide: 58%, 19%, 86%

Page 30

Solution

Thank you. [email protected]

Risk and Security Management Strategy (video)