PRIVACY & SECURITY FORUM: A HIMSS EVENT

Boston, MA
Dec. 5-7, 2016

Schedule

8:30am - 9:00am
Badge Pick-up & Breakfast
Ballroom Foyer

9:00am - 9:05am
Welcome Remarks
General Session

Tom Sullivan
Editor in Chief
Healthcare IT News

9:05am - 9:45am

KEYNOTE

The Fog of More, the Challenge of Simplifying Security
Grand Ballroom

Organizations have invested massive resources to defend their systems, but it seems like it is never enough, especially as the threat landscape continues to evolve. In this extraordinarily insightful talk, cybersecurity expert Tony Sager will provide a roadmap to the future of cybersecurity. Tony retired from the NSA after 34 years in June 2012, and today he’s the senior vice president and Chief Evangelist for the non-profit Center for Internet Security.

At the Center, Tony’s mission is simple but critically important: Identify, develop, validate, and sustain best practices in cybersecurity. The Center combats evolving cybersecurity challenges by helping healthcare and other organizations adopt key best practices to achieve immediate and effective defenses against today’s most pervasive and dangerous cyberattacks.

The controls, which reflect a worldwide consensus, change and evolve with the threat landscape. In this session, Tony will give attendees key insights into some of the most important cyber hygiene actions an organization can take to protect their data and networks – and how to prioritize limited resources.

Tony Sager
Senior Vice President
Center for Internet Security

9:45am - 10:00am
Healthcare Organizations Under Attack: Protecting PHI and PII
Grand Ballroom

Protected health information (PHI) and personally identifiable information (PII) are extremely valuable to cybercriminals, who pay more for health records than for any other personal records. Thus, hackers are increasingly targeting healthcare organizations and their ecosystem. Patients, providers, contract research organizations, academia, and others need to exchange sensitive information, such as when collaborating on clinical trials, delivering care via telemedicine and communicating with patients. Increasingly, mobile devices are being used to capture data from IoT sensors and medical devices. PHI and PII must be safeguarded every step of the way; therefore, identity verification and authentication are essential. But what other security measures need to be taken? This session will highlight major emerging risks to PHI and PII and offer timely insights on mitigating those risks by applying best practices for securing data on mobile devices and patient information from medical devices or other IoT devices.

Jon Cohen
Vice President, Strategy & Corporate Development, Enterprise Business Unit
Synchronoss Technologies

10:00am - 10:30am
Ready or Not: Here Comes the Internet of Things
Grand Ballroom

The potential of the Internet of Things is fueling interest (and hype) all across media and industry. But we aren’t ready. The Internet of Things will change the way markets and businesses work — and it could get messy. This session will report on the findings from a global research study at MIT Sloan Management Review on IoT. The study found that IoT is particularly valuable when combined with strong analytics capabilities; organizations with strong analytical foundations are three times more likely to get value from IoT than those with weaker analytics capabilities.

But because data is valuable, we need to be ready for people to want to take it.

The IoT context intensifies the need for security. For example, physical control of devices makes attacks easier. But beyond these, more insidious attacks might be ones that we don’t notice, as poisoned data streams may be difficult to discern with the volume of data that IoT devices produce. Despite these issues, 76% of the survey’s respondents don’t feel they need to improve their sensor data security and 68% don’t feel they need to improve their overall data security.

In this session, one of the study’s authors and researchers discusses the study’s results, explaining how organizations gain value from IoT, the current global perspective on IoT security, and why protecting your organization against the IoT is a complex endeavor but one that must be undertaken.

Stephanie Jernigan
Assistant Professor, Operations Management Department
Boston College

10:30am - 11:00am
Networking Break
Grand Ballroom Foyer

Take this opportunity to mingle with your peers in a relaxed setting to build relationships and establish future partnerships. Coffee will be served in the exhibit area so make sure to stop by our sponsor tables.

11:00am - 11:45am

Leadership Panel

The Future of Healthcare Security
Grand Ballroom

When it comes to privacy & security, many of the people, processes, and technology that work today likely will not be as effective in a year or two, maybe not even next month. That's the nature of the beast in healthcare's fast-growing threat landscape.

In this session, our panel of experienced healthcare security leaders discuss their organizations’ long-term strategic plan. What do they expect their security teams and programs to look like two to five years from today? What new skills must the CISO possess? How will they address and stay ahead of growing and emerging threats such as malware and the Internet of Things? How will they simultaneously allow access to and secure big data? Will they move to the cloud? Do they expect to outsource more services? What is their approach to consumerism and mobile security?

Wayne Gretzky said, “I skate to where the puck is going to be, not where it has been.”

In this session, attendees will hear the privacy & security equivalent of that quote, and in the process gain insights into how to evolve their own programs.

Brad Miller
Vice President of Clinical Solutions
Caradigm

Paul Martini
Cofounder and Chief Architect
iboss

Chad Wilson
Director of IT Security
Children's National Medical Center

Mark Eggleston
CISO and Privacy Officer
Health Partners

Mansur Hasib
Program Chair, Cybersecurity Technology
University of Maryland University College

11:45am - 12:00pm
Maintaining Privacy While Leveraging Big Data
Grand Ballroom

The secondary use of personal health data can transform healthcare quality and medical innovation, but is only possible with consent or with the data being fully de-identified. The application of new risk-based privacy techniques now makes de-identification possible at a global scale. While privacy is the responsibility of all healthcare organizations, life-science companies and data leaders (real-world evidence) are driving and benefiting from the implementation of new global privacy standards in the health data sharing space. Leading companies are building dedicated data platforms in specific disease areas that extend across multiple countries and encompass sophisticated data collections and technology-enabled analytics. This talk explores the topic of maintaining privacy when leveraging data.

Khaled El Emam
Founder and Director
Privacy Analytics Inc.

12:00pm - 12:35pm

CISO SPOTLIGHT

Security Graveyard: The Death of 10 Outdated Security Tools and How to Replace Them
General Session

Intermountain Healthcare’s Chief Security Officer Karl West examines our shifting security landscape and provides his take on what new practices are worth the investment. He will also provide a post mortem on outdated security practices and practical tips on innovating your organization’s security model to keep your data secure and your patients safe.

Karl West
Chief Information Security Officer, AVP Information Systems
Intermountain Healthcare

12:35pm - 1:30pm
Networking Luncheon
Grand Ballroom Foyer

1:30pm

1:30pm - 2:00pm
Best Practices for Securing Data in the Cloud
Grand C

John Houston is the Vice President of privacy and security and Associate counsel for UPMC, a $12 billion integrated healthcare delivery system headquartered in Pittsburgh, Pa. Among his many duties, John plays a key oversight role in the acquisition, licensing, and use of technology.

UPMC spends millions on technology. These days, most acquisitions are "cloud-based deals", with far fewer being made for on-premise software than in the past. Needless to say, when it comes to securing data in the cloud, UPMC has a lot at stake.

In this session, John will discuss the market forces driving UPMC to the cloud. More importantly, he'll provide an overview of UPMC's cloud acquisition process, which he developed to make sure remote IT services are reliable and effectively delivered and that the data is appropriately safeguarded.

This information will benefit all providers, large and small.

1:30pm - 2:00pm
HIPAA & mHealth: Key Challenges and Solutions
Grand D

More and more, patients expect to be able to use their tablets and smart phones to access their health care treatment and payment information. Health care organizations have rushed to meet this demand, creating a range of applications to assist with patient scheduling, payment for treatment, and sharing of medical records.

Yet, this increased integration has come with questions about the applicability of the privacy and security standards of HIPAA. To address these concerns, the HHS Office for Civil Rights - the office which enforces HIPAA - developed an online campaign to solicit questions regarding HIPAA requirements and the development of mobile technologies.

This presentation will review a sampling of these questions and provide practical guidance on how health care organizations can address the unique challenges posed by the offering of mHealth platforms and services.

Three key takeaways:

  • Gain awareness of the types of product and service offerings likely to trigger HIPAA requirements.
  • Learn to address some key challenges posed during the HHS-OCR online questions campaign.
  • Receive baseline guidance that can be used to guide the development and offering of mHealth solutions (e.g. considering BAA terms).

Jeffrey Dunifon
Associate Attorney
Baker & McKenzie

1:30pm - 2:00pm
Cybersecurity Incident Response: How to Survive an Attack
Grand A/B

Despite good investments in security, cyber events still occur. Are you confident that you and your staff would know how to properly respond to a cybersecurity incident? In this session, Mark Dill, the former director of information security for the Cleveland Clinic, will draw on his years of experience to outline the key components of a cyber security incident response plan.

Among other things, he’ll:

  • Explain key steps in an incident response plan
  • Describe the process for properly investigating, containing, and recovering from an incident
  • Explain the value in having well-defined “playbooks,” particularly for handling evidence procedures
  • Confirm the Incident Response maturity roadmap
  • Provide informational resources

Mark Dill
Principal Consultant
tw-Security

2:10pm

2:10pm - 2:40pm
When Vendors Offshore Your Data: How to Protect Your Organization
Grand C

Even under the best of circumstances, managing vendors presents a host of challenges for covered entities. This task becomes even more difficult - and complicated - when covered entities consider vendors that use offshore resources or are offshore themselves. And such vendors are becoming more and more common.

In this session, healthcare attorney Erin Whaley explains the issues a covered entity must understand and address before entering into an offshore arrangement. These include, among others, issues related to conducting due diligence and negotiating business associate agreements.

In this session, attendees will learn about:

  • Various types of offshoring arrangements that deserve further thought and consideration.
  • Practical tips for managing risk associated with the use of offshore resources.
  • How the laws of foreign countries may impact a covered entity’s data.

Erin Whaley
Partner
Troutman Sanders

2:10pm - 2:40pm
Ghost in the Machine: Ransomware's Impact on HIPAA Compliance
Grand D

Ransomware attacks frequently appear in the news, especially in healthcare where entities suffering an attack are obligated to report it as a likely breach. The looming threat has many entities fearing the consequences, which can be far reaching. However, HIPAA offers some means of addressing concerns associated with ransomware as well as the ability to potentially reduce risks. This session will address recent HIPAA-based guidance regarding ransomware and assess how policies and procedures should be modified to consider the continually evolving threat presented by ransomware.

Matthew Fisher
Associate Attorney
Mirick, O'Connell, DeMallie & Lougee

2:10pm - 2:40pm
Enabling Mobile Healthcare in an Era of Accelerating Change
Grand A/B

Whether it's a new app, smart phone operating system, or medical device, advances in mobile technology seem to be accelerating at warp speed. Without a doubt, mHealth presents unique opportunities for increasing clinician productivity and engaging patients - from devices at the bedside to health data tracking in the home. But it also presents often daunting privacy and security challenges.

Nobody knows that better than Karl West, CISO of Intermountain Healthcare, which operates 22 hospitals in Utah and one in Idaho. Intermountain has a long history of securely adopting, developing, and implementing new technologies, including an aggressive but prudent adoption of mHealth.

In this presentation, West will address the forces fueling the mHealth revolution, discuss Intermountain’s mobile initiatives, and then explain what he considers the best and most practical way to mitigate the related risks.

Only by developing the appropriate security architecture, West says, can a healthcare organization successfully assimilate mHealth technology into the delivery of healthcare AND execute privacy and security strategies for emerging mobile technologies.

In this session, he'll outline the process required to do that.

Karl West
Chief Information Security Officer, AVP Information Systems
Intermountain Healthcare

2:50pm

2:50pm - 3:20pm
Embracing the Cloud and Managing Risk
Grand C

Extending your organization's security perimeter beyond the walls of your data center and into the cloud can be an overwhelming task from a security perspective.

In this talk, you will learn how to use the OWASP Top 10, STRIDE threat modeling and OCTAVE Allegro risk analysis to evaluate and rank cloud service providers against the needs of your business.

Matt Trevors
Senior Cyber Security Engineer
CERT Division of the Software Engineering Institute at Carnegie Mellon University

2:50pm - 3:20pm
Ask a Healthcare Attorney: Cybersecurity Insurance, BAAs, and other Hot Topics
Grand D

In this session, our panel of healthcare attorneys will provide practical advice and insight on key healthcare privacy and security topics. Whether you’ve got a question on cyber security insurance, BAAs, HIPAA audits, or any other topic, this session is designed to deliver the sound guidance you need. So bring your questions, step to the microphone, and ask away!

Mike Miliard
Editor
Healthcare IT News

Matthew Fisher
Associate Attorney
Mirick, O'Connell, DeMallie & Lougee

Erin Whaley
Partner
Troutman Sanders

Jeffrey Dunifon
Associate Attorney
Baker & McKenzie

2:50pm - 3:20pm
Desktop Virtualization: A Vital Tool in the Cyber Security Arsenal
Grand A/B

Virtualization has long performed a vital role in the data center: reducing hardware costs, improving reliability, simplifying housekeeping tasks such as backups and restores. Given the current wave of ransomware, the snapshot and export features of virtualization make it a leading candidate to thwart malware. In this session, cybersecurity expert Edward Sihler will discuss this, along with the other cyber security benefits such as tripping malware’s self-destruct before infection and support for a desktop firewall that is not part of the desktop OS.

Edward Sihler
Technical Director
Maine Cyber Security Cluster

3:20pm - 3:50pm
Networking Break
Grand Ballroom Foyer

Take this opportunity to mingle with your peers in a relaxed setting to build relationships and establish future partnerships. Coffee will be served in the exhibit area so make sure to stop by our sponsor tables.

3:50pm - 4:30pm
Medical Device Security - Taming the Wild West
Grand Ballroom

As more data from medical devices is fed into EHRs on a provider’s network, finding ways to secure and protect the devices from viruses and other cyber threats has become a vital part of any comprehensive security program.

But securing these devices is a tough nut to crack for a number of reasons. Many are not managed by the IT department; clinicians are often resistant to new security safeguards that may impact their workflow; medical device vendors are often unresponsive to requests for security upgrades to existing software; and some of the upgrades can be prohibitively expensive.

In this session, senior security officers at three major healthcare systems share with attendees their approach to securing medical devices.

Among other things, they’ll address:

  • Practices for assessing and mitigating medical device risks
  • Processes for approving requests for new medical devices
  • Responding to infected devices
  • Vendor management
  • Educating clinicians and administrators to the security risks medical devices pose.

Rick Hampton
Wireless Communications Manager
Partners HealthCare

Tom Sullivan
Editor in Chief
Healthcare IT News

4:30pm - 5:00pm

BIG DATA

Everyone Wants Big Data: How Do You Keep it Safe?
Grand Ballroom

Geisinger Health System is an industry leader when it comes to using big data to improve healthcare, patient experience, and drive organizational efficiency. And when it comes to securing all that data, much of the responsibility fell to Bipin Karunakaran, vice president of enterprise data management, who worked with a clinical partner to implement a secure big data platform.

The platform protects PHI and business sensitive information (BSI) by tokenizing, encrypting, and creating zones of data. The solution also includes auditing of user activity, real-time behavioral analysis, and alerts for malicious activity.

In this session, Bipin gives an overview of the Geisinger big data platform and provides insights to attendees looking to better secure their big data without choking off access.

Bipin Karunakaran
Vice President, Enterprise Data Management
Geisinger Health System

5:00pm - 5:30pm
The 2016 Election Results: Exploring the Impact on Healthcare Policy
Grand Ballroom

In this session, Jeff Coughlin, HIMSS’s director of state and federal affairs, examines election results at the presidential, congressional, and state levels, and possible impacts on healthcare and health IT. Attendee questions are encouraged. Jeff will also discuss potential actions HIMSS and its members can take to educate newly elected officials on the importance of health IT.  

Learning Objectives:

  • Describe the key outcomes of the 2016 Presidential, Congressional and State elections.
  • Explain the potential impact of the elections on healthcare and health IT policy.
  • Identify ways HIMSS members can support engagement with the new administration and 115th Congress.

Jeff Coughlin
Senior Director of State and Federal Affairs
HIMSS
