The CyberPHIx | A Meditology Services Podcast
The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
Got a topic that you want to hear about? We are all ears!
Submit your idea for Podcast topics to: firstname.lastname@example.org
Healthcare 2020 | A Vision for Securing Medical Devices and IoT Technologies
Run time (49:18)
The digitization of healthcare delivery is upon us. One estimate of medical IoT adoption, estimates that 87% of healthcare organizations will have adopted IoT by the end of 2019. (Forbes, March 2019).
Information security management strategies to cope with the widespread use of medical devices and medical Internet of Things (IoT) technologies are the focus of this CyberPHIx podcast. Mike Wilson, SVP and Global CISO of Molina Healthcare and Brian Selfridge, Partner of Meditology Services, discuss medical devices, IoT and the evolving information security management role. Highlighted topics include:
Medical Device Risk Management and IoT:
- Inventory management
- IoT Tools landscape (existing and emerging tools)
- Prioritizing security among devices; determining which type of devices to address first
- Skill sets needed to effectively manage medical devices and IoT technology
- The role of the medial device manufacturers and the FDA in security leadership
The future of the healthcare CISO role in a digital age:
- What does the healthcare look like in 2020-2030 and how is the CISO role evolving?
- Why is healthcare so challenging from a security perspective relative to other industries?
- What trends do we see emerging in healthcare security regulations at the federal, state, and international levels?
Teaching an Organization to Phish: Email Security Tactics
Run time (38:31)
Email is the most frequently reported initial point of compromise. In a recent HIMSS study, 59 percent reported that Email Phishing was the initial point of data compromise for all organizations surveyed, and 69 percent of incidents at hospitals.
Dan Reither, a 25-year data security veteran, leads our Podcast exploring email security strategies ranging from technical solutions, data loss prevention, and widespread education of your workforce to social engineering threats. As a strong believer in “deputizing” the workforce and vendor network on email security threats, notification and handling; Dan provides valuable insight to healthcare security managers. Dan is the Manager of Information Security for Health Partners Plans and Vice President of the ISC2 Philadelphia chapter.
Dan and Brian Selfridge, Partner with Meditology Services discuss email security trends and best practices including:
- A look at the evolution of email-attacks from basic phishing to more sophisticated social engineering campaigns. As email security has gotten stronger, there is a shift from taking advantage of technical inefficiencies to more targeted, social engineering.
- A discussion of best practices for securing email platforms and incident response approaches to reduce damage email attacks.
- An evaluation of security protections and technical solutions to handle spam, AV, DLP, and phishing and their effectiveness in different scenarios. A primary technical email security foundation is a gateway and a phishing solution.
- Acknowledgement of the success that malicious actors are having with email-based attacks. Be sure you talk to your vendors and employees underscoring the importance of identifying and properly handling suspicious email activity. All employees across the organization should be “deputized” as security team members and viewed as the front line in detecting and handling email attacks.
An Inside Look at Health Information Exchange Security & Privacy
Run time (45:43)
Health Information Exchanges (HIEs) play a critical role in improving the continuity of patient care across healthcare entities and geographies. HIEs often operate behind the scenes to coordinate the secure sharing of information across healthcare entities.
Organizations considering using or interfacing with a Health Information Exchange (HIE) will benefit by listening to this podcast discussion about security and privacy trends with Nick VanDuyne, Executive Director at NY Care Information Gateway and Meditology’s Brian Selfridge.
As the manager of a regional health information gateway partnered with the state of New York, Nick gives us an insider view of risk management security issues and approaches including:
- Key questions to ask in evaluating HIE or Regional Health Information Organizations (RHIOs). Specifically, how to evaluate the security and privacy controls of the entity.
- Challenges faced by the “big data” aspect of an HIE or RHIO and security approaches to address them. As well as methods for reconciling the security and privacy expectations of a wide range of disparate stakeholders that share and use health data (hospitals, state agencies, and others).
- The use of security certifications in providing demonstrable assurance of security controls to your members and business partners.
- An insider view of the inherent security strengths or vulnerabilities of healthcare data communication protocols like HL7, DICOM and newer HIE-specific protocols such as DIRECT.
- Opinions about emerging technologies and security considerations for the next wave of innovations poised to hit the healthcare market.
Making the Cyber-Band: How to Assemble a Team of Security Rock Stars
Run time (46:34)
Join us for this very special CyberPHIx podcast panel of elite healthcare leaders sharing insights on how to build a team of security rock stars. These seasoned CISOs share their approaches to address two major issues facing healthcare risk management programs: 1) Dealing with a severe worker shortage and 2) Defining the role of automation in their long-term management plans.
Panelists: John Abella, IT Security and Enterprise Architecture at Main Line Health, Chuck Goff, Cyber Security Program Manager at Dartmouth Hitchcock Medical Center and Andrew Seward, CISO at Elliot Health Systems
Our CISO panel discussion explores the following strategies for building the best InfoSec programs:
- The use of job design and workplace policies to attract and retain valuable talent to work in Information Security functions. Many healthcare organizations often must attract talent away from big cities to smaller communities and smaller organizations. Designing jobs that provide intellectual challenge and personal growth opportunities can help. Also, establishing policies and programs that promote teleworking, flex time and other quality of life benefits helps in competing for workers in a limited labor pool; and don’t forget to add some humor into the mix!
- The view that automation is very helpful and not a displacement of InfoSec jobs. There are already too few workers to fill the demand for information security positions. Rather than replacing jobs, automation helps organizations reduce repetitive, labor-intensive tasks and frees employees to spend their work time on the most valuable and impactful projects. The ROI for automation can usually be found within a few years.
- The downsides to implementing security automation are often in the long-range timeline expectations in healthcare settings. Implementation of security automation in healthcare can be affected by other organizational priorities, buy-in required from other stakeholder departments and developing the internal knowledge to best manage the automation tool.
- It is imperative to understand the key characteristics of successful Security personnel to make the best hiring decisions. Look for people not just with super-specialized areas of technical expertise. Instead recruit on the core job skills of communication, ability to learn new tools, desire to take pride in their work, good coaching and teaching skills, passion for the mission and the ability to have fun in the process.
Clinical Perspectives on Security: A Balancing Act
Run time (34:31)
Hear directly from a forward-thinking physician on how information security and compliance impacts the patient care setting. We sat down with Dr. Geoffrey Mills for a conversation on the intersection of security policies and controls with patient care. Dr. Mills is a Family Medicine physician at Jefferson Health, a large integrated academic medical center in Philadelphia. He is also an Associate Professor at Jefferson and serves as the assistant residency program director in addition to engaging in primary care research.
In this episode, Dr. Mills and CyperPHIx host Brian Selfridge explore data security within the clinical setting including these issues:
- Striking a balance between optimizing information systems, security data and patient care
- Exploring the challenge of providing patient privacy while supporting continuity of care
- Capabilities and perspectives of the next generation of physicians on the role of data security, compliance in clinical service delivery
Learn what physicians and other clinicians think about data security and compliance in this in this informative discussion.
View from the C-Suite: Trends in IT Security Risk Management
Run time (38:34)
Leadership can be a lonely role. It helps to hear from others in the C-Security suite to share perspectives and validate information security trends in healthcare settings.
This podcast features, Doug Copley, a 25-year veteran in healthcare security, having served as the Chief Information Security Officer for several healthcare entities including large academic medical centers, health information exchanges, and other healthcare entities. As thought leader on cybersecurity and healthcare IT security, Doug’s leadership includes notable roles such as founding the Michigan Healthcare Cybersecurity Council.
In this CyberPHIx episode, Doug shares insights on a range of senior-level topics related to building and managing successful information security programs including the following:
Doug and host Brian Selfridge (Meditology Services) have a candid conversation about emerging trends in data security. This Podcast features discussions about the following topics:
- Building a healthcare security program from the ground up
- The role and key skills of a C-level security executive in 2019 and beyond
- Emerging technologies including blockchain, AI and other emerging technologies
Passion for Security: The Future of Healthcare’s Workforce, Technologies, and Regulations
Run time (48:19)
Passion for security, getting to the heart of an issue and cutting through the “IT fluff” are the topics of our latest podcast with Joey Johnson, CISO of Premise Health. Premise Health is a leading provider of direct 24/7 healthcare access services; offering more than 600 health and wellness centers in 44 states to many employers including many Fortune 1000 companies.
Joey and host Brian Selfridge (Meditology Services) have a candid conversation about emerging trends in data security. This Podcast features discussions about the following topics:
- Passion on the job as the most important job skill for data security
- Strategies for dealing with IT staffing shortages
- How to call B.S. on the latest, greatest trending technology requisition
- Methods for effectively evaluating and prioritizing new security technologies, applications and services being introduced into the healthcare market
- Navigating emerging data Privacy requirements both at the state and International levels.
Re-Engineering Vendor Security Risk Management
Run time (37:12)
You can outsource your systems and services, but you cannot outsource your risk.
In 2008, the FDIC set a benchmark for vendor data risk by stating that a financial institution’s BOD and officers are responsible for third-party actions as it affects data security. In healthcare, these same standards are starting to be applied, leading to increased oversight of vendor relationships.
In this CyberPHIx podcast, Kelly White, Founder and CEO of Risk Recon, outlines some key concepts for effective vendor risk management drawing on experience in healthcare as well as other industries very vulnerable to third-party data security breaches.
Kelly’s position in the security automation market, provides us with insight into emerging trends of innovation and technology to better assess risk and potential impact of vendor data sharing.
Our discussion with Kelly touches on some of the following trends:
- Understanding vendor risk management in peer industries, such as financial services, reveals opportunities for innovation and more effective oversight over vendor relationships in the healthcare sector.
- The Value of Risk is a key risk management concept that supersedes the rating of risk by the size of vendors. In risk management activities with small or medium-sized vendors, focusing the lens on the Value of the Risk will help set priorities that are most effective in leading to remediation.
- Healthcare is an industry primed to adopt and lead innovation and automation in risk management. The next wave of rapid security automation/innovation is likely to come out of the healthcare industry.
Detecting and Responding to Cyber Attacks
Run time (16:23)
The FBI reported last year that the average dwell time for hackers in the healthcare environment is 270 days before they are detected. Identifying and dealing with potential security gaps is especially important during security due diligence of new entities.
Learn ways that security time gap can be closed in our recent CyberPHIx podcast episode with Peter Merrill, Director of Information Security at Dartmouth/Hitchcock Health Care System and Meditology’s Brian Selfridge.
Our discussion with Peter touches on the following topics regarding security due diligence of merged and affiliated entities:
- Maintaining good security measures is a good business practice whether or not your organization is acquiring or integrating a new entity.
- Learn which security projects to prioritize when affiliating and integrating a new entity.
- Create a security program that balances the organization’s culture and preference for techniques used in ethical hacking and other security due diligence methods.
- How to deal with different security approaches within affiliated entities.
Hanging a Lantern on Data Security: Senior-Level Exposure
Run time (18:04)
Our second CyberPHIx podcast interview with Mark Eggleston, CISO of Health Partner Plans centers on communicating strategically with board-level and senior management executives. Mark and Meditology Services partner, Brian Selfridge discuss how to present data security initiatives and issues to senior management including some of these topics:
- Providing a concise, risk management strategy overview on key security issues will bolster the security function’s role within the organization.
- Build relationships with senior management. Learn how they like information delivered and what key interests they have.
- The most effective communication tools are one-page summaries containing best practices and an illustration of risk reduction levels. In general, stay away from slide decks and too much technical detail for board level briefings.
- Create a 360-view of data security by engaging other members of the IT organization, compliance and legal in risk management conversations in a regular and organized setting.
Clearing the Fog of Data Security within the Cloud
Run time (23:27)
Cloud-based services offer new functionality and efficiency for healthcare organizations, but also bring with them new security considerations for protecting PHI. In this CyberPHIx podcast, Mark Eggleston, VP and Chief Information Security and Privacy Officer of Health Partner Plans discusses implementation strategies for cloud-based applications. Mark and Meditology Services partner, Brian Selfridge discuss the following approaches for managing data security risk within cloud-based applications:
- Identify a business case for securing data in the cloud-environment. Determine if your organization has the experience to implement the cloud-solution internally or might benefit from a third-party with experience in implementing a specific cloud-solution.
- Ensure that Service Level Agreements (SLAs) and Managed Service Agreements (MSAs) with Cloud-Provider include specific security requirements that include scenarios for end-of-service, ongoing risk assessment and downstream data sharing with 4th-party vendors.
- Clearly define user access roles to ensure cloud providers are aligning with the minimum necessary requirements.
- Prepare to educate board-level and senior management about the gaps in security controls with the cloud-providers. Providing a concise, risk management strategy will bolster the security function’s role within the organization.
Security Audit Fatigue: How Efficient Audits Can Drive Business Value
Run time (43:12)
Handling thousands of security audit questions per month while also conducting routine internal audits is a daunting and tiring task. Audit fatigue is real! However, meeting security audit requests has become a standard for doing business in the healthcare industry. This CyberPHIx episode examines successful approaches to handling security audits from a vendor’s perspective. Hear from Chris Risley, Executive Director Enterprise Risk Management of NASCO, an exclusive provider of claims processing and other services to Blue Cross / Blue Shield Plans across the country. This discussion addresses some of the following questions:
- How do you help your organization to combat audit fatigue?
- What standards do you have in place to improve responsiveness and drive efficiencies in the audit process?
- How do you handle capacity constraints in managing a portfolio of audits with limited bandwidth and staff?
- How does effective security risk management correlate to business value and how is that value communicated to leadership and the marketplace?
Security Certifications: Lessons from the Trenches
Run time (38:42)
Security framework certifications such as HITRUST and SOC 2 take center stage in this episode of CyberPHIx. Hear from Derek Vorphal, VP and CISO at Davis Vision, a provider of managed vision care plans nationally. Derek and Meditology Services partner, Brian Selfridge have a candid conversation about where certifications really fit into the overall spectrum of information security risk management tools for healthcare organizations. Our discussion with Derek addresses some of the following issues:
How well do security certifications reduce the number of security audit inquiries?
Can security certification requirements be useful in managing day-to-day information security risk management?
Derek offers advice for people in the early stages of the certification process.
A broad range of staffing skills are needed to complete the certification process.
Seeing the Forest for the Trees: Effective Governance for Risk & Compliance
Run time (17:07)
Developing a cohesive system for meeting HIPAA compliance standards and the never-ending emergence of new security threats can be overwhelming. Approaches to effective compliance management are addressed in this short interview with Bob Quandt, owner of Bullseye Compliance, an experienced healthcare information security officer and leader that has held roles with ShareCare, HCA and several other health entities. The discussion focuses on common challenges faced to by Chief Information Security and Compliance Officers including the security frameworks that work best in healthcare; risk registers and risk tracking approaches; and the importance of obtaining buy-in across departments and varying management levels for new solutions and processes.
Respond, Control and Track: CISO Speaks to Key Data Security Approaches
In this podcast, healthcare system CISO, Keith Henkell, shares his approach to key data security activities including Privileged Access Management, OCR Audit Reponse and Security Metrics Tracking techniques. Specific discussions center on strategies to reduce privilege-related breaches from occurring such as the use of multifactor authentication and reduction of local admin accounts. Also, Keith provides tips for using security metrics to craft a story for upper management including maturity score of your overall program, coverage indicators from existing security tools and a risk register.
Staying in the Swing of Things: Data Security during a Merger, Acquisition or Divestiture (Time: 24:38)
Mergers and acquistions have a major impact on day-to-day privacy and data security programs. In this podcast, two veteran data security and privacy experts from Tivity Health (formerly Healthways), help security teams prepare for these events by sharing first-hand experiences on maintaining and migrating data privacy and data security programs following a divestiture and reorganization. Listen now to hear as Tivity Health’s Jana Courmier, VP of Privacy, Compliance & Accreditation and Paul Wolf, Information Security Officer outline topics such as: maintaining security controls and processes, managing personnel and reduction in staff and communicating effectively with clients.
CISO Sales Pitch: Information Security Strategy (Time: 24:06)
A key component of a successful data security strategy is centered on people; specifically navigating and managing cultural expectations and the organization’s philosophy on data management. Expert health system CISO, Nick Falcone, shares first-hand experiences in establishing a formal risk management program with anecdotes and strategies on working within the organization’s culture.
For detailed show notes, please visit our Podcast page.