Workforce Cybersecurity Development
An Enterprise Approach to Improving Privacy and Security in Healthcare
Workforce Cyber Behavior Programs
Awareness, Skills Development, Coaching, and Executive Briefings
Information security for healthcare systems involves a coordination of product, process, and personnel. Most healthcare organizations are making considerable investments in cybersecurity hardware and software. To improve resilience, those investments in physical assets must be matched by a consistent effort to develop the workforce. Few organizations are leveraging an iterative approach to personnel education across the enterprise. Every member of the workforce has accountability for security risks; however, the lack of monitoring and measurement of employee behavior makes it difficult to understand the current posture, much less to define a desired future state.
First’s Workforce Development experts are able to identify, assess and help manage cybersecurity risk. Through more formal evaluation models, iterative approaches to education and dynamic courses, we can help your program fit into a larger framework while helping to determine the cause and effect relation between workforce education and business outcomes.
Each successive section of the course builds upon lessons from earlier sections in order to comprehensively strengthen your ability to help your healthcare facility cope with illegal hackers, botnets, malware, ransomware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with IT security. Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis of and response to the risks and opportunities surrounding open-source intelligence gathering.
Workforce Education & Awareness Services
- On-Site Privacy and Security Classes (below)
- Program Assessment, Development and Implementation
- Training, Coaching, Briefings and On-site Classroom Curriculum
- LMS System Selection and Optimization
- UBA User Behavior Analytics
- Phishing Programs
- Content and Marketing Programs
- Reward Programs
Program Assessment, Development and Implementation
First’s methodology for determining your current workforce education and awareness posture is unique to healthcare. By evaluating specific employee clusters and using a defined maturity model, your assessment can act as a roadmap to making critical security decisions and prioritizing opportunities for improvement towards a target state. First is able to leverage its advisory talent, training and coaching experience, and knowledge of recognized practice to go beyond assessment to implementation and consistent resilience.
First Workforce Education Courses
Cybersecurity Essentials
Cybersecurity Essentials begins the transition from general Security Awareness to an early level of competency with the technical foundations of a security program, supporting an employee’s role with respect to IT systems. This course is designed for IT professionals, software developers, financial professionals, database managers, clinical engineering, and technical clinicians who work closely with, or develop, your healthcare organization’s information systems.
Regardless of your organization’s size and growth rate, there are certain basic concepts that form the foundation of any effective IT security program and environment. This Cybersecurity Essentials course provides employees with a higher level of security material, which allows for the development or evolution of a more robust awareness program. Cybersecurity Essentials gives employees a familiarity with – and the ability to apply – a core knowledge set that is needed to protect electronic information and systems. All individuals who use computer technology or its output products, regardless of their specific job responsibilities, must know these essentials and be able to apply them.
Topics covered in the course include:
- Authentication, Authorization, Accountability
- Cryptography Fundamentals
- Data Protection
- Information Security Principles and Risk Management
- Networking Foundations
- Networking Security
- Security Policy and Procedures
- Defense in Depth Principles for Systems Security
The material contained in this course will help your employees bridge the gap that often exists between business processes and procedures and the technology employed to support them. Employees will learn and be able to demonstrate key concepts of information security, including: understanding the threats and risks to information and information resources, identifying best practices that can be used to protect them, and learning to diversify your protection strategy.
Defending Healthcare Data and Systems
Prepare yourself for the most significant challenge facing healthcare facilities today. Malicious actors first targeted government systems, followed by assaults on the financial and then the retail communities. Today malicious actors are finding that fruitful attacks can be launched on healthcare systems, and malware is preying on the underprepared members of the healthcare industry. The targeting and theft of sensitive health information, along with the ransoming of system data, require today’s health care leader to have a clear understanding of relevant legislation and of how to measurably defend patient data and related systems.
The Defending Healthcare Data and Systems course is designed to provide attendees with an orientation to current and emerging issues in health care information security and regulatory compliance. The class provides a foundational set of skills and knowledge for students through the integration of case studies, hands-on labs, and defensible control considerations for securing and monitoring electronic protected health information (“ePHI”).
Topics covered in the course include:
- Review of actual healthcare attacks and incidents
- Examination of ‘why’ and ‘how’ patient data is being targeted
- Mitigating the damage resulting from an incident
- Review of the critical elements of the HIPAA Security Rule
- How to automate controls in support of the HIPAA Security Rule and other key regulations
- Review of security controls to identify and mitigate both insider and external attacks
- Explanation of security frameworks, controls, and practical
- Sensitive asset identification and hardening
- Introduction to data loss prevention (DLP)
Hands-on exercises covered include log monitoring and analysis techniques, vulnerability assessment, asset encryption, and configuration analysis.
How to Fund and Build a Secure Healthcare Organization
Healthcare organization leaders now realize that cybersecurity breaches can cost their organization plenty in terms of financial liability and patient perception. They know they need to address information security; however, information security has historically been perceived as a cost center and therefore has not been viewed favorably. Your attendance in this class will help you develop the information you need to change your organization’s unfavorable view of security expenditures into a favorable one, in which cybersecurity investments support and extend the business.
The biggest challenge for cybersecurity professionals is simply getting and keeping the funding source necessary to carry out a security program. A large number of tools, techniques and procedures are available for dealing with the never-ending, ever-expanding list of threats, and literature on security best practices is widely available. However, you will find that little information or guidance is available on how to prepare for the critical budget discussion on the funding necessary to gain and maintain a strong cyber security posture.
Most funding requests are supported by an ROI (return-on-investment) analysis. However, information security funding requests are traditionally viewed as expense, not investment. To be presented in ROI language, security investments must be measured against the potential liability caused by security breaches.
Topics covered in the course include:
- Developing your pitch
- Finding a sponsor
- Identifying the right framework
- Developing your risk-reward curve
- Creating examples for reassurance
- Showing the right metrics
- Explaining the business value proposition
- Exploring self-funding to lessen costs
- Using the right buzzwords while avoiding scare tactics
- Bringing in the supporting role of expert opinion
- Creating the final request and presentation
Key Metrics in Healthcare Security - Gaining Visibility & Increasing Communication with the Board
Every healthcare organization and its executives are fully aware of the impact cyber security threats can have on their business. Based on all indications, this is only the beginning: the intensity and frequency of attacks targeting our field are only going to increase over the next several years. Resources are required to address security, but spending them without clear priorities leads to an approach where organizations are broadly doing good things yet are not focused on the activities that have an impact enterprise-wide.
The approach that many healthcare organizations take to address information security risk is: hire people and spend money. Key metrics show progress and bolster the board’s enthusiasm for funding. Built on decades of experience, this half-day course shows how CISOs and CIOs can gain added visibility into their organization, efficiently track key security metrics, and create an executive dashboard to increase board communication and provide greater clarity to executive stakeholders.
Topics covered in the course include:
- Identifying key indicators of compromise in hospitals
- Tracking and monitoring key metrics
- Creating an effective real time security dashboard
- Gaining executive visibility into the overall security
- Communicating key security objectives to the BoD
Having worked with many healthcare organizations, we find that the root cause of this lack of focus is minimal use of metrics-driven, simple-to-absorb information. Dashboards built on proper metrics that accurately show the true state of security across the entire healthcare organization are a critical communication tool. This course not only identifies what the key indicators of compromise are for healthcare organizations and how to address them, but more importantly it provides details on which metrics should be tracked and how to create executive-level real-time monitoring of security issues. By evolving from reactive to proactive security measures, organizations can properly prevent, detect and respond to cyber-attacks.
Healthcare Cybersecurity and the Law: Pre-and Post-Breach Action Planning
In healthcare, it is more important than ever that in-house and outside counsel stay abreast of the most current developments and best practices in cybersecurity.
This course is designed to work with legal teams and senior management to prepare them for data breaches and minimize their potential legal exposure by drafting internal policies and procedures, as well as contractual provisions, regarding the discovery, investigation, remediation, and reporting of breaches. The course examines a number of recent incidents to show the extent to which a breach can reach across a healthcare organization and analyzes what is required under applicable laws. This course also covers the law of business, contracts, fraud, crime, IT security, liability and policy – all with a focus on electronically stored and transmitted records within a healthcare organization. It also teaches how to prepare credible, defensible reports, whether for cyber-crimes, forensics, incident response, human resource issues or other investigations. The course also provides training and continuing education for many compliance programs under information security and privacy mandates such as GLBA, HIPAA, FISMA, and PCI-DSS.
Topics covered in the course include:
- Enforcement of HIPAA and other healthcare data security laws
- Understanding the legal and political adversaries of a health entity’s data security program, including diverse regulators, politicians, news media and class action lawyers
- Confusion over the interpretation of laws and regulations applicable to healthcare data security
- Measures for reducing legal risk in data incidents and breaches, including invocation of attorney privileges of confidentiality
- Procurement and negotiation of cyber insurance by healthcare entities
- Procurement and negotiation of technology products and services, with a view to improving data security and compliance
- Legal responsibilities of executives and boards of directors to address data security
- Smart techniques for executing cyber investigations
Assessment, Compliance and Readiness for Healthcare and Medical Devices
First combines deep healthcare, security and regulatory knowledge to bring covered entities impactful and cost-conscious services that immediately reduce enterprise risk. As healthcare delivery organizations look to bolster their readiness through assessment- and compliance-based needs, First’s approach is designed for project-based engagements that accelerate your internal efforts and provide an outside perspective on your posture as it relates to privacy, security and medical device vulnerabilities.
First’s history in health information technology, EHRs, device integration, regulatory adherence and cybersecurity frameworks creates a unique understanding of how project-based support can expedite the maturity of compliance programs, policy and governance implementation, deep audit and system/device hardening initiatives. The following services and deliverables are designed specifically for healthcare entities and are inherently flexible, recognizing that budgets must be maximized and providers have a variety of operational models.
Cyber Health Assessments
Identify and Manage Cybersecurity Risk
Once a healthcare organization has an understanding of their current standing, actions can be taken to assess the steps and costs associated with reducing risk. Conducting comprehensive assessments to baseline strengths, vulnerabilities and awareness are all components of proactive programs addressing PHI and valued information that may not be defined as PHI, such as educational or research data.
Comprehensive Risk Assessments and Programs
Conducting a Risk Assessment supports awareness and development of data security programs, allowing you to achieve your business goals while maintaining sound threat prevention and vulnerability mitigation in an environment of constant exposure. First leverages a NIST-based methodology when conducting a Risk Assessment, as the Office of Civil Rights (OCR) guidance on requirements for risk analysis points to recommendations and guidelines established by NIST for conducting a risk analysis. First’s healthcare specific assessment combines several security and technical tests into a single engagement aimed specifically at addressing the requirement of a risk assessment and ongoing risk management to “harden” your EHR, source systems, medical devices and associated hardware. Our risk assessments can be conducted as needed or as a part of a more in-depth compliance management program.
Risk Assessment Activities
- External Security Assessment
- Medical Device Inventory and Vulnerability Scans
- Architecture Assessment
- Internal Security Assessment
- Wireless LAN Security Validation
- Information Security Program Assessment
- MACRA EHR Technical Controls Assessment
- Executive Briefing
After data collection, First provides a detailed report of findings, observations, recommendations, and remediation steps. First uses the NIST CSF as a primary model, yet our experience with multiple frameworks allows for refinement and development of policies and procedures that map to HIPAA and work to support your organization’s privacy and security targets.
Expertise in Regulatory, Frameworks and Controls
- ISO 27001 and 27002
- COBIT 5 Control Objectives for Information Related Technologies
- NIST SP 800 Publications
- HITRUST v7
- CIS Critical Security Controls
- NIST CSF
Not all vulnerabilities are created equal. First’s automated testing evaluates EHRs and source systems, testing individual devices for known weaknesses. The First team then manually reviews the results of this testing to eliminate any false positives.
Questions that are answered include:
- What are the most critical vulnerabilities that threaten the security of your healthcare business?
- What is the probability that a hacker could penetrate your perimeter and gain access to your data?
- Does your organization have unauthorized hosts on the network?
- How should the organization prioritize identified vulnerabilities, create a plan for improvement, and get the budget approved?
Pen Testing and Social Engineering Programs:
Penetration, social or behavioral engineering tests are an important element of overall vulnerability analysis. First is well versed in different penetration methodologies for healthcare entities, including internal and external network-based, web applications, mobile, wireless and physical, including social engineering. To maintain consistent quality results, each penetration test is led by an experienced information security consultant and conducted using our well-proven testing methodology, specific for healthcare clients.
First approaches each pen testing and social engineering engagement with an understanding that your organization is unique and will ultimately react differently to a standard process. Every healthcare client has variations in business processes, cultural characteristics, network topography, web and EHR applications and data requirements. First works diligently to ensure each client’s specific needs are accounted for throughout the process. No matter what type of test is conducted, the primary goals are to identify and prioritize security risks and to provide serviceable remediation recommendations.
Compliance and Readiness
Privacy and Security Rules and Policies – getting beyond compliance
Healthcare organizations are overwhelmed with regulations and requirements while protecting their critical assets. Understanding, updating and creating awareness of how to efficiently manage all this in today’s business environment is essential, yet may not warrant full-time, in-house expertise. First’s healthcare compliance and readiness services provide your organization immediate access to subject matter experts versed in recognized practice and approaches to go beyond compliance, creating a culture of proactive conduct. First takes that approach several steps further by leveraging our board- and executive-level experience to inform and educate leadership without technical rhetoric or complex decision paths.
HIPAA Security Assessment:
HIPAA compliance is an ever-growing responsibility and, for good reason, an ongoing effort in attentive organizations. The rules are broad, and risk assessments are essential to safeguarding ePHI in accordance with 45 CFR § 164.308(a)(1). First evaluates all aspects of HIPAA, including the Security, Privacy, Data Breach Notification, and Omnibus Rules. The Risk Analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI) held by your organization. If gaps are identified, a First security advisor can assist you in developing a roadmap to achieve HIPAA compliance and OCR audit readiness, adapted from guidance by OCR and NIST.
First’s Security Risk Analysis Approach includes:
- e-PHI Scope Identification
- Documentation Gathering
- Threat and Vulnerability Identification
- Control Analysis
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
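The eight steps above follow the qualitative risk analysis pattern that OCR guidance and NIST SP 800-30 describe: scope the ePHI-bearing assets, pair threats with vulnerabilities, credit the controls that already exist, rate impact, and combine likelihood and impact into a risk level that drives prioritized recommendations. The following Python is an added illustration of that calculation, not First’s own tooling or deliverable; the risk matrix, the recommended-action wording and the sample register entries are all constructed for the example and should be replaced by your organization’s own scale and findings.

```python
"""Qualitative ePHI risk determination (likelihood x impact), in the style of
NIST SP 800-30 Rev. 1. Added example; matrix, actions and entries are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Risk matrix indexed [likelihood][impact] -> risk level. Modelled on the shape of
# the 800-30 qualitative table but constructed here; tune it to your own scale.
RISK_MATRIX = (
    ("Very Low", "Very Low", "Very Low", "Low",      "Low"),        # likelihood: Very Low
    ("Very Low", "Low",      "Low",      "Low",      "Moderate"),   # Low
    ("Very Low", "Low",      "Moderate", "Moderate", "High"),       # Moderate
    ("Very Low", "Low",      "Moderate", "High",     "Very High"),  # High
    ("Very Low", "Low",      "Moderate", "High",     "Very High"),  # Very High
)

# Constructed recommendation text keyed by risk level (step 7, control recommendations).
RECOMMENDED_ACTION = {
    "Very High": "remediate immediately and escalate to the executive sponsor",
    "High": "remediate within the current planning cycle",
    "Moderate": "schedule remediation and track in the risk register",
    "Low": "accept and monitor at the next periodic review",
    "Very Low": "accept",
}


@dataclass
class RiskEntry:
    asset: str                     # ePHI-bearing system found during scope identification
    threat: str                    # threat source or event
    vulnerability: str             # weakness the threat could exercise
    inherent_likelihood: int       # index into LEVELS, before existing controls
    impact: int                    # index into LEVELS
    controls: List[str] = field(default_factory=list)   # safeguards already in place
    likelihood_reduction: int = 0  # levels the existing controls lower likelihood by


def residual_likelihood(entry: RiskEntry) -> int:
    """Control analysis: credit existing controls, never going below Very Low."""
    return max(0, entry.inherent_likelihood - entry.likelihood_reduction)


def risk_level(likelihood: int, impact: int) -> str:
    """Risk determination: look up the combined qualitative level."""
    if not (0 <= likelihood < len(LEVELS) and 0 <= impact < len(LEVELS)):
        raise ValueError("likelihood and impact must be indices into LEVELS")
    return RISK_MATRIX[likelihood][impact]


def determine_risks(entries: List[RiskEntry]) -> List[Dict[str, str]]:
    """Rate every entry and return them highest risk first (ties broken on impact,
    so a catastrophic outcome with moderate likelihood is not buried)."""
    rated = []
    for e in entries:
        lk = residual_likelihood(e)
        level = risk_level(lk, e.impact)
        rated.append({
            "asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
            "residual_likelihood": LEVELS[lk], "impact": LEVELS[e.impact],
            "risk": level, "action": RECOMMENDED_ACTION[level],
        })
    rated.sort(key=lambda r: (LEVELS.index(r["risk"]), LEVELS.index(r["impact"])),
               reverse=True)
    return rated


# Constructed sample register (not findings from any real assessment).
SAMPLE_ENTRIES = [
    RiskEntry("EHR database server", "external attacker exploiting an unpatched service",
              "patch cycle exceeds 90 days on an internet-reachable host", 4, 4,
              ["perimeter firewall", "monthly vulnerability scan"], likelihood_reduction=1),
    RiskEntry("Clinician laptops", "loss or theft of a device holding cached ePHI",
              "full-disk encryption not enforced on every device", 3, 3, ["MDM enrolment"]),
    RiskEntry("Infusion pump VLAN", "malware spreading from the corporate network",
              "flat network with no segmentation from user workstations", 2, 4),
    RiskEntry("Research data share", "insider over-sharing of de-identified data",
              "broad group permissions on the share", 2, 1,
              ["quarterly access review"], likelihood_reduction=1),
]


def render_register(entries: List[RiskEntry]) -> str:
    """Results documentation: a plain-text ranked register for the report."""
    lines = [f"{'RISK':<10}{'LIKELIHOOD':<12}{'IMPACT':<11}ASSET / ACTION"]
    for r in determine_risks(entries):
        lines.append(f"{r['risk']:<10}{r['residual_likelihood']:<12}{r['impact']:<11}"
                     f"{r['asset']}: {r['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_register(SAMPLE_ENTRIES))
```

The `likelihood_reduction` field is where the control analysis step lands: a control that is documented but not actually enforced should be given a reduction of zero, which is exactly the kind of gap the physical walk-through and configuration review are meant to surface.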
Physical Security Evaluation:
The best way to identify whether or not your employees are following your organization’s security policies is to watch their behavior in action. Walking through your organization’s facilities and measuring compliance with the HIPAA Security Rule requirements against actual employee practices can quickly and efficiently document physical security problems that require immediate correction.
First has experience in conducting physical security walk-throughs of pre-selected facilities to observe what your employees do or do not do in line with HIPAA’s security and privacy expectations.
Web Application Security Assessment
First’s web application security testing will help your entity fully understand potential vulnerabilities in the organization’s online applications, clearly evaluating whether a public website serving your customers or a third-party supplier interface into your EHR has weaknesses that could lead to an unintended business exposure. Our web application assessment goes beyond a collection of automated tests and utilizes manual analysis to delve more deeply into application logic and security controls, giving you peace of mind and not simply a HIPAA compliance check mark.
Our assessment activities identify vulnerabilities and their potential impact at the infrastructure, application, and operational levels, using OWASP’s Application Security Verification Standard as a recognized testing benchmark. This provides you with an accurate view of the organization’s website security posture as presented to potential attackers.
PCI Compliance and Diagnostic:
First can help you plan, analyze, track and monitor your PCI compliance program. Our assessments address level 1 & 2 merchant status, providing an independent validation to customers, card brands, and acquiring banks. First accounts for healthcare specific processing models while helping you to understand compliance risk, control options and control strategies as you achieve and maintain PCI compliance. Our service can be customized to assist with data flow analysis, network architecture review, preliminary gap analysis and vulnerability scanning.
Policy and Governance Implementation and Refresh:
Covered entities and business associates spend exorbitant amounts of time authoring policies and procedures, leveraging internet templates or documents that are quickly out of date. First’s security and privacy experts can rescue your team by drafting and developing healthcare policies and governance approaches that meet regulatory requirements and are specific to your organization. Our knowledge of healthcare, information security and regulatory compliance requirements sets First apart. Our experience includes HIPAA, FISMA, PCI, and more.
Combining our experience reviewing healthcare specific policies and procedures, and our deep knowledge of the regulatory requirements, First will review, revise, modify and document existing privacy and security policies and procedures for your organization, or develop new ones as required.
Many hospitals are solely leveraging the NIST CSF, yet others adopt recognized practices from a variety of frameworks when developing a program. First’s experience with ISO, HITRUST and CSF enables us to help our clients accelerate governance maturity and meet future-state goals more quickly. In addition, our supplemental education and staffing expertise serves your organization through a full suite of workforce privacy and security solutions, bolstering enterprise resilience.
Workforce Staffing for Health Cybersecurity
First’s Cyber Health team is focused on presenting you with hard-to-find privacy and security experts to fill specialist positions through a variety of engagement approaches. Our FirstFLEX program allows you to take advantage of consultative, temp-to-perm or permanent placements depending on your needs, timing and budget. All of First’s resources are vetted by our internal team of healthcare cybersecurity experts, coming to you with practical cyber knowledge, regulatory awareness and healthcare experience.
Providing a deep understanding of HIPAA Privacy and Security, CIS Critical Security Controls, CSF approaches and recognized defense in depth practices, First personnel underscore our commitment to staying current with the many drivers and vectors that influence cybersecurity strategy in healthcare.
Augmenting your team with the skills to limit disclosures of PHI and ePHI – while guarding against threats or hazards to the privacy and security that would compromise such information – defines our holistic approach. Remaining vigilant in the pursuit of protecting patients and your valued data is further bolstered through our integrated advisory and education solutions.
FirstFLEX On-Site or Remote Staffing Solutions
First offers our clients the flexibility to access our cybersecurity experts through on-site or remote engagements, depending on the needs and sensitivities of the initiative. FirstADVISE, FirstTEMP and FirstEMPLOY provide our clients the ultimate ability to leverage their workforce with experienced healthcare privacy and security resources.
FirstADVISE is our premium staffing solution, providing your organization immediate benefit by engaging highly experienced security resources that add value from day one. First experts assist your project-based or strategic needs, with the ability to leverage our advisory solutions in situations where an outside perspective is beneficial. The ability to manage your budget and eliminate the responsibilities and conditions associated with an employee are key drivers of FirstADVISE.
FirstTEMP is a highly flexible solution, allowing you to immediately fill your vacancy with an exceptional security resource who is well versed in the specific security disciplines your organization needs, bolstering your team without delay. The FirstTEMP “try and buy” approach allows you to assess the positive impact of the individual, assuring a cultural and long-term fit before offering employment.
FirstEMPLOY is the solution that will solve your security employee vacancy challenges. With one of the most extensive and targeted talent networks in security and healthcare IT, First will help you fill open security vacancies quickly. Over a decade of experience in finding top talent, from the analyst level to the executive suite, gives you the assurance that the individuals we present have been vetted with vigor by our own healthcare security experts and by objective third-party evaluation tools.
Offering a flexible contracting approach that specifically addresses your resource needs, FirstFLEX affords you the option to match the specific solution with your specific resource need, today and in the future. To the benefit of our clients, First leverages its security, healthcare and professional recruiting expertise, including:
Top Talent, Vetted for Assurance
First’s executive team and security leadership are committed to constantly updating our knowledge of the industry and of how the risks you are facing relate to the talent you are looking to engage. Our VP of Cybersecurity, Dr. Eric Cole, is a well-known industry expert who sat on the Commission on Cyber Security for the 44th President and was inducted into the InfoSecurity Hall of Fame in 2014. First also leverages the SANS Technology Institute for training and evaluation of our security talent.
Recognized Recruiting Expertise
First’s well-versed security recruiting team and industry-recognized leadership all take part in ensuring that our personnel are thoroughly vetted and objectively tested via a process that gives you assurance in engaging our services. Objective skill testing is provided by the SANS Technology Institute, adding an extra layer of protection to your FirstFLEX investment.
First has been recognized by Modern Healthcare as one of the industry’s Best Places to Work. Our talent acquisition team combines health technology and security recruiting experience in understanding your security position requirements.