TRANSCRIPT
Health Sector Cybersecurity Strategic Plan
RUI GOMES
Head of Information Systems, SPMS
30.11.2016
Portuguese Ministry of Health, Shared Services
LNEC Congress Center, Av. Brasil, 101, Lisbon
Introduction
Cybersecurity Challenges at National Level
Who am I?
My name is Rui Gomes and I’m the IT Director at SPMS.
About SPMS
Our mission is to supply shared services to entities operating in the Health area in Portugal ...
About SPMS
...and in this way
Centralize + Optimize + Rationalize
the provision of services for the National Health Service
About SPMS
10 Million People
50 Public Hospitals
356 Primary Care Centers
90% Running SPMS ICT solutions
60 ICT solutions
Portuguese Health Sector
The Challenge
(Application landscape diagram; labels in the order they appear on the slide)
NATIONAL CONTEXT
FINANCE, ELECTRONIC CERTIFICATES, ELECTRONIC PRESCRIPTIONS, NATIONAL PROGRAMS, PRODUCTION AND PLANNING, NATIONAL REGISTRATIONS
LOCAL | REGIONAL CONTEXT
PRIMARY HEALTH CARE
ADMINISTRATIVE
HEALTH DATA PLATFORM, RNU, RNP, SGES, MPI, SIGLIC, RHV
HOSPITALS / ULS, ARS
CLINICAL
SINUS, SONHO CSP, SCLÍNICO, SAM + SAPE
ADMINISTRATIVE, CLINICAL
SONHO V1, SONHO V2, SCLÍNICO, SAM + SAPE, BAS, PRVR, RENTEV, RENNDA
FINANCIAL
PORTAL PROFISSIONAIS, PORTAL UTENTE, PORTAL INSTITUIÇÕES, CTH, SIGPS, RNCCI, SIM@SNS, GID, SISO, SIVIDA, SINAVE, MIM@UF, SIDC / SICC, RHV, FHS, WEBGDH, SIARS, FAMIG, SGTD, SIDC / SICC, RHV, SICO, CIT, ATESTADOS, PEM, PEM - CRD, PEM - H, SIGAI, SCDGF, SICA, BI GDH, SAGMD, SICC, SITAM, SIGEF, BI RH
EUROPEAN PROJECTS
Presentation Goals
Share the Plan and the challenges we face in raising the Cybersecurity levels of the entities we serve, and the strategy deployed to overcome them in order to comply with the best practices in the sector
The Challenge
Cybersecurity Challenges at National Level
Half experienced 1 to 5 attacks in 2015
The Challenge
In 2013 and 2014 healthcare companies saw a 70% increase in Cyber-attacks
A third of which succeeded
Entities are autonomous and implement Cybersecurity separately
The Challenge
A common strategy is challenging to implement since it can’t be imposed
Institutions rarely think of Cybersecurity controls as part of a management security system
The Challenge
Cybersecurity controls
Management Security System
Only a few implement a fully secure managed automated system from management to operations
Management + Operations
FULLY SECURE MANAGED AUTOMATED SYSTEM
The initiatives aren’t sustainable over time
The Challenge
…and have doubtful value
Solution
Cybersecurity Challenges at National Level
Example
Solution
Make sure everyone acknowledges the situation and
understands the risks and impact
Trojans are used by criminals and encrypt some or all hard drives
Ransomware types: encryption, lock screen, Master Boot Record
Acknowledge
Solution
Keep systems and programs updated
Daily Backups
Awareness and Training for Users
Using Network Protections
Good Endpoint Protection Solutions
Strategy success factors
Solution
Acknowledging the problem
Involving the proper stakeholders
Changing mindsets
Promoting each party's involvement in the program
Providing a centralized common framework
Assessing each entity’s Cybersecurity level
Involving suppliers and providers
Supporting the implementation
Measuring the results
Building upon the improvements
Solution
Chart: Risk vs. Investment (LOW, MEDIUM, HIGH), showing the remaining risk at each level
Investment in security will bring down risk, but some risk will always exist
Solution
Look at security in a different way
Recognize its ability to generate value
Obtain benefits, optimize resources and risk to create value
Solution – Industry Leads
Suppliers and providers have the best knowledge of systems, trends and capabilities
SPMS is committed to adopting an innovative cybersecurity programme to preserve health information, protecting citizens while at the same time promoting the industry in the Portuguese market
Solution – Industry Leads
Effective Collaboration
Special Partners
Proposing Collaboration - examples
Solution – Program Management
Risk & Security Best Practices
eSIS Risk & Security Continuous Improvement Dashboard
SPMS and eSIS Risk & Security Best Practices Program
Local Risk & Security Improvement Initiatives
SPMS Risk & Security Improvement Initiatives
Continuous Improvement Follow Up
Control Guidelines · Share Best Practices · Implementation · Definition · Contributions to Best Practices · Control Guidelines
Track 00: Program Coordination
Track 01: SPMS Continuous Improvement
Track 02: eSIS Continuous Improvement
Out of Scope
Roadmap: quarters of 2015, 2016 and 2017, one row per track
Pilot Projects
Programs/Projects at SNS Local Entities
Solution – Program
Following the eSIS Risk & Security Continuous Improvement Program
Defining the Information Security Initiative’s Protection Scope
Identifying Security commitments and activities assumed by PE
Labels: Coordination/Following; Manage/Organise; Architecture, Operations & Resources; Audit, Risk & Control; Cybersecurity; Ongoing Quick Fix
Adopting Information Security Management, Policies and Procedures
Implementing Information Security System Requirements
Adopting an Information Security Incident Registration System
Disaster Recovery Implementation
Adopting Procedures for Business Continuity
Implementing a Risk & Security Management System
Ongoing Quick-Fix
Adapting the existing Information Security Policy
Adopting the Information Security Management’s Communication Model
Identifying Applicable Legal Compliance with International Norms
Adopting the Information Security Management’s Organic Unit
Creating a Dynamic Resources Inventory in the Scope of Protection - Architecture
Elaborating a Risk and Critical Services Analysis Prototype
Adopting an Identity Management System at SPMS
Identifying vulnerabilities, threats and risks associated with assets
Solution
Organization Goals
Information System Related Goals
Risks Associated with the Information Systems
Information System Management Enablers: Processes; Organizational Structures; Principles, Policies and Culture
Resources: Information; Services, Infrastructure & Applications; People and Competences
Information System Operation: Processes/Procedures, Information Technology, People
Operational Best Practices: Data/Information Architecture; Technologic Architecture; Infrastructure & Networks (Internal / External Devices); Applications/Solution Architecture
Facts & Figures
• The framework represents the information security and risk vision for the SPMS Information System: alignment of objectives and related risks;
• The different framework components symbolize the fundamental elements of the as-is and to-be states: objectives; risks; management enablers; operational tools;
• The framework covers a holistic vision for information security, integrating the organization’s elements: People, Processes and Technology;
• The framework allows better knowledge of the gaps and of the specific action plans to address them;
• It works as a guide to the governance, management and operation of risk and security, promoting better coordination of different initiatives and the sharing of good practices between parties;
• The framework is aligned with internationally referenced good practices for risk, security management and cybersecurity in healthcare.
Solution
(The framework diagram above, repeated, with the following documents mapped onto its layers)
1. Information Security & Risk Framework
2. Information Security & Risk Documentation
3. Information Security Policies, Standards and Procedures
4. Information Security Principles
5. Information Security Objectives
6. Information Security Policy
7. Acceptable Use Policy
8. Cybersecurity Controls – Account Monitoring and Control
Layers referenced: Information System Related Goals; Principles, Policies and Culture; Information; Operational Best Practices
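The last document in that list is the one cybersecurity control document the slide singles out, Account Monitoring and Control. The Python script below is an added example, not code from the presentation or from SPMS, of the periodic review such a document prescribes: it reads a constructed account export and reports enabled accounts that are dormant or were never used, marking those that also hold administrative rights. The usernames, dates and the 90-day dormancy threshold are assumptions made for this example.

```python
"""Added example (not from the presentation): a periodic account review of
the kind an "Account Monitoring and Control" document prescribes, run over a
constructed account export. Usernames, dates and the 90-day threshold are
assumptions made for this example."""
from __future__ import annotations

import csv
import io
from datetime import date

DORMANT_AFTER_DAYS = 90            # assumed policy threshold
REVIEW_DATE = date(2016, 11, 30)   # fixed "today" so the run is reproducible

# Constructed export: one row per account, as a directory tool might dump it.
# An empty last_logon means the account has never been used.
ACCOUNT_EXPORT_CSV = """\
username,enabled,privileged,last_logon
a.nurse,true,false,2016-11-28
j.clerk,true,false,2016-07-01
temp.vendor,true,true,2016-03-15
m.former,false,false,2015-12-01
svc-backup,true,true,
"""


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into plain dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip()
        accounts.append({
            "username": row["username"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "privileged": row["privileged"].strip().lower() == "true",
            "last_logon": date.fromisoformat(last) if last else None,
        })
    return accounts


def review_accounts(accounts: list[dict], today: date = REVIEW_DATE,
                    dormant_after: int = DORMANT_AFTER_DAYS) -> dict[str, list[str]]:
    """Return {username: [reasons]} for every enabled account needing attention.

    Reasons: 'dormant' (no logon within the threshold), 'never-logged-on'
    (enabled but unused, typically a provisioning leftover), plus 'privileged'
    when the flagged account also holds administrative rights, so the report
    can be ordered by the exposure each stale account represents."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: the desired end state, nothing to flag
        reasons: list[str] = []
        if acct["last_logon"] is None:
            reasons.append("never-logged-on")
        elif (today - acct["last_logon"]).days > dormant_after:
            reasons.append("dormant")
        if reasons and acct["privileged"]:
            reasons.append("privileged")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


def main() -> None:
    findings = review_accounts(parse_export(ACCOUNT_EXPORT_CSV))
    for user, reasons in sorted(findings.items()):
        print(f"{user}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Disabled accounts are deliberately skipped: disabling is the action the review should lead to, so they are the end state rather than a finding. In a real run the CSV would come from the directory or identity management system, and the review date would be the current date.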
Solution
Using Cybersecurity Controls in the Activation Program
Based on “The Center for Internet Security Critical Security Controls for Effective Cyber Defense, Version 6.0” (SANS)
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Critical Security Control #3: Secure Configurations for Hardware and Software
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Critical Security Control #5: Controlled Use of Administrative Privileges
Critical Security Control #6: Maintenance, Monitoring and Analysis of Audit Logs
Critical Security Control #7: Email and Web Browser Protection
Critical Security Control #8: Malware Defenses
Critical Security Control #9: Limitation and Control of Network Ports
Critical Security Control #10: Data Recovery Capability
Critical Security Control #11: Secure Configurations for Network Devices
Critical Security Control #12: Boundary Defense
Critical Security Control #13: Data Protection
Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #15: Wireless Access Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Security Control #18: Application Software Security
Critical Security Control #19: Incident Response and Management
Critical Security Control #20: Penetration Tests and Red Team Exercises
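The twenty controls above are listed by name only. As an added example, not code from the presentation or from SPMS, the Python script below implements the reconciliation that the first two controls require: devices observed on the network (in the mixed MAC address formats different tools emit) are checked against an authorized inventory, and the software installed on each authorized host is checked against an allowlist. All hostnames, MAC addresses, IP addresses and package names are constructed sample data.

```python
"""Added example (not from the presentation): reconciling observed devices
and installed software against an authorized inventory, the checks that
CIS Critical Security Controls #1 and #2 ask an entity to be able to run.
All hostnames, MAC addresses, IPs and package names below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Authorized device inventory, keyed by MAC address (constructed sample).
AUTHORIZED_DEVICES: dict[str, str] = {
    "00:1a:2b:3c:4d:01": "ward-pc-01",
    "00:1a:2b:3c:4d:02": "ward-pc-02",
    "00:1a:2b:3c:4d:03": "pharmacy-printer",
    "00:1a:2b:3c:4d:04": "imaging-ws-01",
}

# Software allowlist per authorized host (constructed sample). Everything a
# host must carry, including the endpoint protection agent, is listed.
AUTHORIZED_SOFTWARE: dict[str, set[str]] = {
    "ward-pc-01": {"ehr-client", "pdf-reader", "endpoint-agent"},
    "ward-pc-02": {"ehr-client", "pdf-reader", "endpoint-agent"},
}

# Constructed network observation, one "ip  mac  hostname" line per device,
# in the mixed MAC formats different tools emit.
OBSERVED_DEVICES_TEXT = """\
# ip          mac                 hostname
10.20.1.11    00-1A-2B-3C-4D-01   ward-pc-01
10.20.1.12    00:1a:2b:3c:4d:02   ward-pc-02
10.20.1.40    001A2B3C4D04        imaging-ws-01
10.20.1.77    d4:5e:6f:00:00:99   unknown-laptop
"""

# Constructed per-host package sets, as an endpoint agent might report them.
INSTALLED_SOFTWARE: dict[str, set[str]] = {
    "ward-pc-01": {"ehr-client", "pdf-reader", "endpoint-agent", "torrent-client"},
    "ward-pc-02": {"ehr-client", "pdf-reader"},
}


def normalize_mac(raw: str) -> str:
    """Canonical lower-case colon form so 00-1A-... and 001A... compare equal."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hex_only) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2))


def parse_observations(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'ip mac hostname' lines into {mac: (ip, hostname)}; '#' lines are skipped."""
    observed: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, hostname = line.split()
        observed[normalize_mac(mac)] = (ip, hostname)
    return observed


@dataclass
class DeviceReport:
    unauthorized: dict[str, tuple[str, str]]  # seen on the network, not in inventory
    missing: dict[str, str]                    # in inventory, not seen on the network
    confirmed: dict[str, str]                  # in inventory and seen


def reconcile_devices(authorized: dict[str, str],
                      observed: dict[str, tuple[str, str]]) -> DeviceReport:
    """CSC #1: every observed MAC is either authorized or flagged; every
    authorized MAC is either confirmed or reported missing."""
    unauthorized = {m: o for m, o in observed.items() if m not in authorized}
    missing = {m: h for m, h in authorized.items() if m not in observed}
    confirmed = {m: h for m, h in authorized.items() if m in observed}
    return DeviceReport(unauthorized, missing, confirmed)


def reconcile_software(allowlist: dict[str, set[str]],
                       installed: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """CSC #2: per host, packages outside the allowlist and required packages
    that are absent (a missing endpoint agent is as much a finding as extra software)."""
    report: dict[str, dict[str, set[str]]] = {}
    for host, allowed in allowlist.items():
        present = installed.get(host, set())
        report[host] = {"unauthorized": present - allowed, "missing": allowed - present}
    return report


def main() -> None:
    devices = reconcile_devices(AUTHORIZED_DEVICES, parse_observations(OBSERVED_DEVICES_TEXT))
    for mac, (ip, host) in devices.unauthorized.items():
        print(f"UNAUTHORIZED DEVICE {host} {ip} {mac}")
    for mac, host in devices.missing.items():
        print(f"MISSING DEVICE {host} {mac}")
    for host, findings in reconcile_software(AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE).items():
        for pkg in sorted(findings["unauthorized"]):
            print(f"UNAUTHORIZED SOFTWARE {host}: {pkg}")
        for pkg in sorted(findings["missing"]):
            print(f"MISSING SOFTWARE {host}: {pkg}")


if __name__ == "__main__":
    main()
```

Both directions of each comparison are reported on purpose: a device in the inventory that is no longer seen, or a required package (such as the endpoint agent) that is absent, is a control gap just as much as an unknown laptop or an unapproved package. In practice the observation text would come from the network's own ARP or DHCP data and the package sets from the endpoint management tool.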
Solution
Chart: Health Sector Global Maturity, eSIS vs. SPMS; values shown on the chart: 17%, 28%, 39%, 46%, 83%, 94% (other chart labels: ?, !, 13, 01, 01, 34, 32, 2)
Solution – Risk and Security Dashboards
Rows: Security Related Goals; Governance and Management Enablers; Operational Resources & Practices; Guidelines
Columns: SPMS, Local Inst. (seven institutions), TOTAL
Good Practices and Guidelines
Continuous Improvement Overview
92% 88% 66% 79% 98% 87% 94% 91%
42% 5% 17% 3% 27% 9% 21% 9%
69% 52% 60% 41% 89% 51% 48% 59%
71% 48% 47% 41% 71% 49% 54% 53% 57%
58%
19%
86%