
Health sector Cybersecurity Strategic Plan

RUI GOMES
Head of Information Systems, SPMS
30.11.2016

Portuguese Ministry of Health, Shared Services

LNEC Congress Center, Av. Brasil, 101, Lisbon


Introduction
Cybersecurity Challenges at National Level
Who am I?

My name is Rui Gomes and I’m the IT Director at SPMS
About SPMS

Our mission is to supply shared services to entities operating in the Health area in Portugal ...

About SPMS

...and in this way Centralize + Optimize + Rationalize the provision of services for the National Health Service
About SPMS

Portuguese Health Sector

10 Million People

50 Public Hospitals

356 Primary Care Centers

90% Running SPMS ICT solutions

60 ICT solutions
The Challenge

NATIONAL CONTEXT

System families on the slide: Health Data Platform; National Registrations; Production and Planning; National Programs; Electronic Certificates; Finance; European Projects.

Systems shown: Portal Utente, Portal Profissionais, Portal Instituições, RNU, MPI, RNP, CTH, CIT, SISO, SCDGF, SICC, SIGLIC, GID, SGES, SIGPS, SIVIDA, SICA, SITAM, SICO, RHV, RNCCI, SINAVE, BI GDH, SIGEF, SIGAI, Portal Atestados, PRVR, SIM@SNS, BI RH, SAGMD, RENTEV, RENNDA, and the Electronic Prescriptions family (PEM, PEM - CRD, PEM - H).

LOCAL | REGIONAL CONTEXT

• Primary Health Care – administrative: SINUS, SONHO CSP, BAS; clinical: SClínico, SAM + SAPE
• Hospitals / ULS – administrative: SONHO V1, SONHO V2, FHS; clinical: SClínico, SAM + SAPE; financial: SIDC / SICC, RHV
• ARS – SIARS, SIDC / SICC, FAMIG, RHV
• Also shown on the slide (column not recoverable from the layout): SGTD, MIM@UF, WEBGDH
Presentation Goals

Share the Plan and the challenges we face in raising the Cybersecurity levels of the entities we serve, and the strategy deployed to overcome them in order to comply with best practices in the sector
The Challenge
Cybersecurity Challenges at National Level
The Challenge

In 2013 and 2014 healthcare companies saw a 70% increase in Cyber-attacks

Half experienced 1 to 5 attacks in 2015, a third of which succeeded
The Challenge

Entities are autonomous and implement Cybersecurity separately

A common strategy is challenging to implement since it can’t be imposed
The Challenge

Institutions rarely think of Cybersecurity controls as part of a management security system

Only a few implement a fully secure managed automated system, from management to the operations

[Diagram: Fully Secure Managed Automated System = Management + Operations, with Cybersecurity Security Controls System spanning both]
The Challenge

The initiatives aren’t sustainable over time

…and have doubtful value


Solution
Cybersecurity Challenges at National Level
Solution

Acknowledge: make sure everyone acknowledges the situation and understands the risks and impact

Example: Trojans are used by criminals and encrypt some or all hard drives
• Ransomware encryption
• Master Boot Record
• Lock Screen
Solution

• Awareness and Training for Users
• Daily Backups
• Keep systems and programs updated
• Good Endpoint Protection Solutions
• Using Network Protections
Solution

Strategy success factors
• Acknowledging the problem
• Involving the proper stakeholders
• Promoting each party's involvement in the program
• Changing mindsets
• Providing a centralized common framework
• Supporting the implementation
• Assessing each entity’s Cybersecurity level
• Involving suppliers and providers
• Measuring the results
• Building upon the improvements
Solution

Investment in security will bring down risk... but some risk will always exist

[Chart: Remaining Risk versus Investment, with Investment on a LOW / MEDIUM / HIGH scale]
Solution

Look at security in a different way

Recognize its ability to generate value

Obtain benefits, optimize resources and risk to create value
Solution – Industry Leads

Suppliers and providers have the best knowledge of systems, trends and capabilities

SPMS is committed to adopting an innovative cybersecurity programme to preserve health information, protecting citizens while at the same time promoting the industry in the Portuguese market
Solution – Industry Leads

Effective Collaboration

Proposing Collaboration - examples

Special Partners
Solution – Program Management

[Diagram: eSIS Risk & Security Continuous Improvement Dashboard and Continuous Improvement Follow Up feed the SPMS and eSIS Risk & Security Best Practices Program, which shares Risk & Security Best Practices, Guidelines and Control with the SPMS Risk & Security Improvement Initiatives and the Local Risk & Security Improvement Initiatives; those initiatives go through Definition and Implementation across Q1, Q2 and Q3 and return Contributions to Best Practices]

• Track 00 Program Coordination
• Track 01 SPMS Continuous Improvement
• Track 02 eSIS Continuous Improvement
• Out of Scope
Solution – Program

Timeline: 2015 Q4 to 2017 Q2 (Q4, Q1, Q2, Q3, Q4, Q1, Q2)

TRACK 00 – Program Coordination
• Following eSIS Risk & Security Continuous Improvement Program
• Identifying Security commitments and activities assumed by PE
• Defining the Information Security Initiative Protection’s Scope
• Adapting the existing Information Security Policy
• Adopting the Information Security Management’s Organic Unit
• Adopting the Information Security Management’s Communication Model
• Identifying Applicable Legal Compliance to International Norms
• Adopting Information Security Management, Policies and Procedures

TRACK 01 – SPMS Continuous Improvement
• Implementing Information Security System Requirements
• Creating a Dynamic Resources Inventory in the Scope of Protection – Architecture
• Identifying vulnerabilities, threats and risks associated with assets
• Elaborating a Risk and Critical Services Analysis Prototype
• Adopting an Identity Management System at SPMS
• Adopting an Information Security Incident Registration System
• Disaster Recovery Implementation
• Adopting Procedures for Business Continuity
• Implementing Risk & Security Management System
• Ongoing Quick-Fix

TRACK 02 – eSIS Continuous Improvement
• Pilot Projects
• Programs/Projects at SNS Local Entities

LABELS: Coordination/Following; Manage/Organise; Audit, Risk & Control; Architecture, Operations & Resources; Cybersecurity Ongoing Quick Fix
Solution

[Diagram: Information Security & Risk Framework]
• Organization Goals
• Information System Related Goals
• Information System Management Enablers: Processes; Principles, Policies and Culture; Organizational Structures; Resources (Services, Infrastructure & Applications; People and Competences; Information)
• Risks Associated with the Information Systems
• Information System Operation: Processes/Procedures; Information Technology (Data/Information Architecture; Applications/Solution Architecture; Technologic Architecture; Infrastructure & Networks; Devices); People (Internal; External); Operational Best Practices

Facts & Figures
• The framework represents the information security and risk vision for the SPMS Information System: alignment of objectives and related risks;
• The different framework components symbolize the fundamental elements for the (as-is) and (to-be) state: Objectives; Risks; Management enablers; Operational tools.
• The framework covers a holistic vision for information security, integrating the organization elements: People, Processes and Technology.
• The framework allows better knowledge of the gaps and of the specific action plans to address them;
• Works as a guide to governance, management and operation of risk and security, promoting better coordination between different initiatives and good-practice sharing between parties.
• The framework is aligned with internationally referenced good practices for risk, security management and cybersecurity for healthcare.
Solution

[Diagram: the same framework as on the previous slide – Organization Goals; Information System Related Goals; Information System Management Facilitators (Processes; Principles, Policies and Culture; Organizational Structures; Resources: Services, Infrastructure & Applications, People and Competences, Information); Risks Associated with the Information Systems; Information System Operation (Processes/Procedures; Information Technology: Data/Information Architecture, Applications/Solution Architecture, Technologic Architecture, Infrastructure & Networks, Devices; People: Internal, External; Operational Best Practices)]

1. Information Security & Risk Framework
2. Information Security & Risk Documentation
3. Information Security Policies, standards and Procedures
4. Information Security Principles
5. Information Security Objectives
6. Information Security Policy
7. Acceptable Use Policy
8. Cybersecurity Controls – Account Monitoring and Control
Solution

Using Cybersecurity Controls on Activation Program

• Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
• Critical Security Control #2: Inventory of Authorized and Unauthorized Software
• Critical Security Control #3: Secure Configurations for Hardware and Software
• Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
• Critical Security Control #5: Controlled Use of Administrative Privileges
• Critical Security Control #6: Maintenance, Monitoring and Analysis of Audit Logs
• Critical Security Control #7: Email and Web Browser Protection
• Critical Security Control #8: Malware Defenses
• Critical Security Control #9: Limitation and Control of Network Ports
• Critical Security Control #10: Data Recovery Capability
• Critical Security Control #11: Secure Configurations for Network Devices
• Critical Security Control #12: Boundary Defense
• Critical Security Control #13: Data Protection
• Critical Security Control #14: Controlled Access Based on the Minimum Need to Know
• Critical Security Control #15: Wireless Access Control
• Critical Security Control #16: Account Monitoring and Control
• Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Security Control #18: Application Software Security
• Critical Security Control #19: Incident Response and Management
• Critical Security Control #20: Penetration Tests and Red Team Exercises

Based on “The Center for Internet Security Critical Security Controls for Effective Cyber Defense Version 6.0. SANS”
Solution

[Graphic: Health Sector Global Maturity for eSIS and SPMS; values shown on the slide: 83%, 94%, 39%, 28%, 46%, 17%, with the counts 21, 3, 34, 2, 3 and the scale 01 to 10; labels are not recoverable]
Solution – Risk and Security Dashboards

Continuous Improvement Overview (maturity by entity; the seven Local Inst. columns are the local institutions that were assessed)

Good Practices and Guidelines                        SPMS  Local  Local  Local  Local  Local  Local  Local  TOTAL
                                                           Inst.  Inst.  Inst.  Inst.  Inst.  Inst.  Inst.
Goals – Security Related Guidelines                  92%   88%    66%    79%    98%    87%    94%    91%    86%
Enablers – Governance and Management Guidelines      42%   5%     17%    3%     27%    9%     21%    9%     19%
Practices – Operational Resources & Guidelines       69%   52%    60%    41%    89%    51%    48%    59%    58%
TOTAL                                                71%   48%    47%    41%    71%    49%    54%    53%    57%
Solution

Thank You
rui.gomes@spms.min-saude.pt

[Video: Risk and Security Management Strategy]