Duo Security is a cloud-based trusted access provider protecting the world’s fastest-growing companies and thousands of organizations worldwide, including Denver Health and Hospital Authority, Dresser-Rand Group, Etsy, NASA, Facebook, K-Swiss, The Men’s Wearhouse, Paramount Pictures, Random House, SuddenLink, Toyota, Twitter, Yelp, Zillow, and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data, and applications from breaches, credential theft and account takeover. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at Duo.com.
The ISSA Healthcare Special Interest Group Half Day Knowledge Session will include:
- Office for Civil Rights Health Care Privacy & Security Update
- Creating Hunt Teams: Avoiding the Pitfalls
- Exposing the Exposures in Health Care Web Applications
If you work at a healthcare organization or are interested in learning more about healthcare information security, please register to join us!
Please note that event registration is open to a maximum of 65 registrants. The event is $50 for non-members and free to ISSA members. The event also offers 3 CPEs and will include a complimentary appetizer-style buffet for lunch and snacks throughout the day; water/coffee/soft drinks; a happy hour and a $10 Dave and Buster's game card.
Dave & Busters
2000 S. Colorado Blvd.
Denver, CO 80222
Please Note: Guests of the ISSA Healthcare Special Interest Group Meeting will park in the parking garages located off of Colorado Blvd. and Colorado Center Drive. This is complimentary parking as the front parking lot is under construction.
• 12:00 pm – 1:00 pm: Lunch/Arrival
• 1:00 pm – 2:00 pm: Office for Civil Rights Health Care Privacy & Security Update
• 2:00 pm – 2:55 pm: Creating Hunt Teams: Avoiding the Pitfalls
• 2:55 pm – 3:05 pm: Break
• 3:05 pm – 4:00 pm: Exposing the Exposures in Health Care Web Applications
• 4:00 pm – 5:00 pm: Happy hour, networking, and gaming time!
Drew Labbo, CISO Denver Health, Moderator
Drew Labbo is currently the CISO of Denver Health and Hospital Authority. Drew has over 18 years’ experience with information security and technology and over 12 years’ experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Security Rule regulations as well as HITECH and Omnibus regulatory updates. Drew holds an MBA in Health Administration from the University of Colorado, and he has been a CISSP for 12 years. Drew has been a speaker and information security expert panel participant at numerous conferences and professional events.
Hyla Schreurs joined the U.S. Department of Health and Human Services, Office for Civil Rights, Rocky Mountain Region, as an Equal Opportunity Specialist in 2004, and has served as a Supervisory Equal Opportunity Specialist since 2009. Hyla has undergraduate degrees from the University of California at Davis, and Colorado State University. She graduated with a Juris Doctor in 2003 from the University of Colorado at Boulder, School of Law, and is licensed to practice law in Colorado.
Session 1: Hyla Schreurs: "Office for Civil Rights Health Care Privacy & Security Update": Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. Putting patients "in the driver's seat" with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system. As electronic medical records (EMRs) are more widely adopted, patient information is potentially more readily available than ever. However, health data in electronic format also creates challenges and complexities to understanding and controlling appropriate access and releases of protected health information while also protecting patients' security and privacy. Hyla Schreurs will discuss the Office for Civil Rights' new health information access guidance, will provide insight into regulatory information security guidance around ransomware, and will share an update on the latest HIPAA breach enforcement trends.
Alan Orlikoski is a Principal Incident Responder for Oracle’s Incident Management team. As part of the Incident Management team, he provides emergency services when a security incident occurs. He also provides guidance to improve security operation centers and incident response management programs, analyzes and tests existing incident response plans, conducts forensic investigations, and provides incident response and forensics training. Mr. Orlikoski has an extensive computer forensics background and has been a leader in some of the largest incident response and security operations center development programs in the history of the company. With over 16 years of experience in both private and public sectors of the IT industry, Mr. Orlikoski is professionally certified in IT Security (Cyber Forensics, Penetration Testing, Protection, and Vulnerability Analysis & Defense) and Project/Program Management. Mr. Orlikoski entered the security field as a US Air Force officer, and later specialized in computer forensics and architecting cyber defense solutions outside of the military.
Session 2: Alan Orlikoski: "Creating Hunt Teams: Avoiding the Pitfalls": Attacker Tools, Techniques and Procedures (TTP) have evolved and automated alerts are no longer enough to protect health care organizations from advanced, targeted and persistent threats. Attackers associated with these threats are able to avoid detection from automated alerting tools and move throughout your environment. The number and breadth of these types of attacks have reached a level where every company/organization must address this threat. To combat these attackers, defenders in health care must advance their security program to incorporate Hunting. Hunting is the process of looking for interesting events that are not defined as malicious by existing automated tools. Hunting uses the knowledge, tools and experience that already exist within an organization to identify malicious activities that cannot be detected with automated alerts. This presentation covers the essentials for creating a Hunt Team: hunting best practices (tools and methodologies), and required skillsets for hunting personnel. It offers a framework to develop and mature hunting activities by providing real world examples of effective hunts.
Aaron Cure is a senior security consultant at Cypress Data Defense and an instructor and contributing author for the SANS DEV544 Secure Coding in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant. He also has experience developing security tools, performing secure code reviews, vulnerability assessments, and penetration testing, as well as risk assessments, static source code analysis, and security research. Aaron holds the GIAC GSSP-.NET, GWAPT, GPEN, GMOB, and CISSP certifications and is located in Arvada, CO. Outside the office Aaron enjoys boating, travel, and playing hockey.
Session 3: Aaron Cure: "Exposing the Exposures in Health Care Web Applications": Exposing healthcare data over the web continues to allow attackers to compromise an organization's clients, customers and employees. These applications are often deployed with compressed development timelines, and as a result often contain several common security vulnerabilities. This presentation will discuss and demonstrate exploitations of the most common vulnerabilities identified during security reviews using tools such as Burp Suite, BeEF, and sqlmap. We will also discuss ways to mitigate these vulnerabilities.
Thursday, 27 October 2016, 12:00 to 17:00