Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits

  2. Agenda
     • Introduction
     • Mercy Health (Who we are)
     • Organizational/Operational Challenges
     • Business Case and Implementation Methodology
     • Present and Future
     • Questions
     9/6/2018
  3. Introduction
     • Dieu Tran – Executive Director, IT Business Risk Services and Analytics (Mercy Health)
       ◦ Designations – CISA, CISSP, GSNA, CRISC, CRMA, GISF, PCI-ISA
     • Jody Howard – Manager PCI Compliance (Mercy Health)
       ◦ Senior IT Architect
  4. Mercy Health (Who we are)
     • 5th Largest Catholic Healthcare System in the US
     • ~$5.5 Billion in Annual Revenue
     • 30 acute care hospitals
     • 11 Specialty Hospitals (Heart, Children's, Rehab and Ortho)
     • Virtual Care center
     • Over 800 Clinics, Physician Practices and Outpatient Facilities
     • Operates in a seven-state area encompassing Missouri, Arkansas, Oklahoma, Kansas, Louisiana, Mississippi and Texas
     • ~44,000 co-workers and over 2,100 physicians
  5. Challenges
     • Organizational
       ◦ Establishing compliance culture – history of audit findings
       ◦ Leadership (External Audit)
       ◦ Security Concerns
       ◦ Complex and Challenging Technical Environment
       ◦ Staffing
     • Operational Challenges
       ◦ IT burdened with ad hoc data requests
       ◦ Data Integrity, Incomplete data, duplicate requests
       ◦ Difficult to review results and ensure consistency
       ◦ Unclear process
       ◦ Unclear accountability
     • Change
       ◦ New/changing regulatory and compliance requirements (External Auditors, PCI, and HIPAA Security/Privacy)
       ◦ Governance
  6. Business Case and Implementation Approach
     • Business Case
       ◦ Savings (time and money)
       ◦ Successful audit and compliance efforts
       ◦ Reporting to support controls in place
       ◦ Governance of controls
     • Implementation Approach
       ◦ Prioritize
       ◦ Engage owners early
       ◦ Define reporting needs
       ◦ Training
  7. IT Service Management – ITIL Components
     • People
     • Process
     • Technology
  8. Process
     • Change Management Process
       ◦ Reinvigorated need for approvals prior to modifications
       ◦ Clarified definition of a “change”
     • Governance
       ◦ Senior Management review and approval for each change to the monitoring profile once in production
       ◦ Clear communication on the additional volume of work created
       ◦ Opportunity to focus on groups that were less compliant
     • Monitoring rules
       ◦ Accepted Tripwire as a recognized expert and used the published rules as often as possible (OS, database …)
       ◦ Avoided the historic pitfall of internal debates on the merits of monitoring critical items
  9. People
     • Policy created to support the effort
       ◦ Initially Change Management
       ◦ Added PCI compliance as Tripwire became viewed as a critical success factor
     • Meetings with technical teams
       ◦ Often “selling” the effort one person at a time
       ◦ Open and honest discussions
       ◦ Focus on the real purpose of monitoring
     • Auditing
       ◦ Remediation notes
       ◦ Change orders
       ◦ Matching criteria
  10. Technology
     • Integration into ITSM Tool
       ◦ Used to validate approved change orders
       ◦ Remediation becomes a component of daily routine obligations
       ◦ Change detection, File Integrity Monitoring and Vulnerability Notifications
     • Rule Tuning
       ◦ Focus on the most critical elements, leveraging data analytics
       ◦ Often used features to identify “normal” activity limited to a specific account, to reduce the volume of alerts
     • Reporting
       ◦ Reporting to application owners during the rule development phase
       ◦ Reporting attached to each incident showing the details of modifications
       ◦ Reporting to the Governance group on volume of activity
       ◦ Reporting to internal auditors to demonstrate good faith effort and help focus auditing efforts
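The ITSM integration and account-scoped rule tuning described on this slide, as an added Python example (not Tripwire's or Mercy Health's code): monitored files are hashed against a baseline, and each detected change is reconciled against approved change orders by asset, path scope, expected account and approved window, so only changes outside a ticket surface as alerts. All hosts, paths, accounts, timestamps and ticket ids are constructed sample data.

```python
import hashlib
from datetime import datetime

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: approved content hashes of monitored files per asset.
BASELINE = {
    ("pos-01", "/etc/ssh/sshd_config"): sha256(b"PermitRootLogin no\n"),
    ("pos-01", "/opt/pay/app.jar"): sha256(b"jar-v1"),
    ("db-01", "/etc/my.cnf"): sha256(b"bind-address=127.0.0.1\n"),
}

# Constructed scan snapshot: current content plus who wrote it and when.
SNAPSHOT = {
    ("pos-01", "/etc/ssh/sshd_config"): (b"PermitRootLogin yes\n", "root", datetime(2018, 9, 6, 2, 15)),
    ("pos-01", "/opt/pay/app.jar"): (b"jar-v2", "deploy", datetime(2018, 9, 6, 1, 30)),
    ("db-01", "/etc/my.cnf"): (b"bind-address=127.0.0.1\n", "mysql", datetime(2018, 9, 5, 23, 0)),
}

# Constructed approved change orders exported from the ITSM tool: asset and
# path scope, the account expected to make the change, and the approved window.
CHANGE_ORDERS = [
    {"id": "CHG-0001", "asset": "pos-01", "path_prefix": "/opt/pay/", "account": "deploy",
     "start": datetime(2018, 9, 6, 1, 0), "end": datetime(2018, 9, 6, 3, 0)},
]

def detect_changes(baseline, snapshot):
    """Return (asset, path, who, when) for every file whose hash left the baseline."""
    return [(asset, path, who, when)
            for (asset, path), (content, who, when) in snapshot.items()
            if sha256(content) != baseline.get((asset, path))]

def matching_order(change, orders):
    """Return the id of the first change order covering asset, path, account and time."""
    asset, path, who, when = change
    for o in orders:
        if (o["asset"] == asset and path.startswith(o["path_prefix"])
                and o["account"] == who and o["start"] <= when <= o["end"]):
            return o["id"]
    return None

def reconcile(baseline, snapshot, orders):
    """Map each changed file to its authorizing ticket, or flag it for review."""
    return {(a, p): matching_order((a, p, who, when), orders) or "UNAUTHORIZED"
            for a, p, who, when in detect_changes(baseline, snapshot)}

if __name__ == "__main__":
    for (asset, path), status in sorted(reconcile(BASELINE, SNAPSHOT, CHANGE_ORDERS).items()):
        print(f"{asset}:{path} -> {status}")
```

The unchanged my.cnf never appears, the deploy account's jar update is closed against CHG-0001, and the sshd_config edit by root outside any ticket is the one item left for the daily remediation routine.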
  11. Present and Future
     • Present
       ◦ Tripwire Enterprise change detection viewed as a key strategy for SOC, PCI and commercialization efforts
       ◦ Expansion from Change Detection to also include File Integrity Monitoring and Threat Detection
       ◦ Visibility and monitoring for Epic Financial data
       ◦ Better visibility and governance around change management
       ◦ Reliable IT Environment around financial reporting
       ◦ Reporting to support controls in place
     • Future
       ◦ Using for other regulatory compliance needs
       ◦ Security Configuration Management
  12. Tripwire Solutions For Healthcare Challenges
     Onyeka Jones, Product Manager, Healthcare Solutions
  13. #1: Secure PHI
     • Detect unauthorized changes on critical assets and EHR systems
       ◦ Detection and alerts on all changes to the established baseline: what, who, and business context
     • Assess configurations against security policies
       ◦ Extensive library of security configuration best-practices to establish and monitor configurations
     • Identify risk on critical assets and EHR systems
       ◦ Discover assets, vulnerabilities and malicious changes, and help automate the workflow and process of remediation
     • Know what’s happening in your environment
       ◦ End-to-end visibility: discovery, inventory, and change data for all your critical assets and EHR systems
  14. #2: Achieve Compliance
     • Reduce the time spent on compliance
       ◦ Out-of-the-box audit report templates, and automated compliance reporting
     • Maintain compliance over time
       ◦ Continuous monitoring and reporting identifies remediation to stay compliant
     • Demonstrate compliance with standards: HIPAA, PCI, NIST and many more
       ◦ Industry’s most comprehensive library of policy tests for all major standards
     • Produce data for audits and for forensics
       ◦ Logging of changes to in-scope assets with details on who and when
  15. #3: Address the Skills Gap
     • Ensure system availability and speed up investigation
       ◦ Integrity monitoring and change audit to find root cause
     • Validate changes and reduce unplanned work
       ◦ Integration with ITSM to tell authorized from unauthorized changes
     • Control changes that compromise systems
       ◦ Real-time change detection: what, who, when and what it means
     • Deal with security data overload
       ◦ Automate manual processes associated with dealing with change: isolate and escalate changes and events of interest
  16. Tripwire Capabilities
  17. Capabilities
     • Log Management
     • Configuration Assessment
     • Change Detection
     • Policy Management
     • Vulnerability Assessment
     • Asset Discovery
     • Centralized Operations
     • Reporting & Analytics
     Coverage spans IT and OT: factory automation systems, network devices & SCADA systems.
  18. Healthcare challenges
     • Challenges
       ◦ Lack of Visibility to Security Posture of Critical Assets, including EHR Systems
       ◦ Lack of Resources to Combat Growing Cyberattacks against Healthcare
       ◦ Maintaining and achieving compliance with HIPAA/HITRUST/NIST is time consuming
     • How Tripwire helps
       ◦ Tripwire Enterprise EHR monitoring solution provides a detailed understanding of good vs. bad changes on all critical assets and EHR systems
       ◦ Tripwire Enterprise helps you achieve and maintain compliance with HIPAA, NIST, PCI and other security controls, with audit-ready evidence
       ◦ Assess on-premise, virtual and cloud assets in a single product. Integrate with CMDB tools.
       ◦ Managed services to supplement your team
  19. Vulnerability challenges
     • Challenges
       ◦ Limited Resources, Infinite Vulnerabilities
       ◦ False Positives Waste Everyone’s Time
       ◦ Lack of visibility to devices on my network
     • How Tripwire helps
       ◦ Advanced vulnerability risk scoring and prioritization helps you focus on the most critical vulnerabilities
       ◦ Prioritize changes in Tripwire Enterprise based on risk
       ◦ Industry’s most robust risk scoring algorithm helps you accurately assess vulnerabilities in your environment
       ◦ Comprehensive discovery and profiling of all assets on your network to help you quickly identify vulnerabilities
  20. Benefits: Stronger Security Posture, Faster Incident Investigation and Proof of Compliance
     • Integrity monitoring
     • Secure configuration management
     • Unauthorized changes
     • Ensure compliance