Day 1
Wednesday, November 16, 2022
08:30 AM
Registration & Networking Continental Breakfast
09:15 AM
Opening Comments from the Co-Chairs
Brendan Kwolek
Chief Information Officer, Halton Healthcare
Kopiha Nathan
Privacy and Compliance Officer, HIROC
09:30 AM
Session 1
Case Study: Humber River Hospital
Implementing an Evidence-Based Strategy to Enhance Cyber Resilience
Last year Humber River Hospital embarked on an organization-wide strategy to bolster its cyber defences. Now, one year later, there is much to report, backed up with real-world data, and some innovative strategies as well.
Cyber-attacks continue to be a source of concern among healthcare organizations, and best practices must be implemented industry-wide. Gain a valuable update on the work Humber River Hospital is doing, and their current successes.
Key Session Takeaways Include:
- Bold strategies to mitigate the human element in cyber resilience, including the elimination of outside email
- What the data shows after outside emails were greatly curtailed, and how there was no negative impact on front-line workers
- Creative solutions to business continuance, such as cold passive business infrastructure
- How and why cold passive systems work, and how to best deploy them effectively
Peter Bak
Chief Information Officer, Humber River Hospital
10:15 AM
Session 2
Collaborative Strategies in Cybersecurity: Why A Collective Approach Affords Us The Best Defence
All healthcare organisations are experiencing cyber attacks in one form or another. Some are more severe ransomware attacks, while some are more traditional phishing attacks.
The current model is to remain insulated and divulge as little as possible in order to contain the fallout. But this limits the ability of the community to improve their cyber defences.
There is a better option if we can work out the logistics.
Key Session Takeaways Include:
- Move toward information sharing models that benefit the entire community
- What a collaborative model in cybersecurity would look like
- How to navigate and hurdle the current barriers to a collaborative model
Kashif Parvaiz
Chief Information Security Officer, University Health Network
11:00 AM
Morning Break & Sponsor Booths
11:30 AM
Session 3
Exploring a Zero Trust Architecture in the Healthcare Industry: How to Get Started and Pitfalls to Avoid
Digital transformation in the Healthcare industry is causing an explosion of hyper-connected IT, IoT (Internet of Things) and IoMT (Internet of Medical Things) devices and, with it, a greatly expanded cyber-attack surface. With constant transformation and the explosion of interconnected devices, how do you even begin to plan for a zero-trust architecture beyond the managed users and workstations?
Key Takeaways and Learning Objectives Include:
- How NIST (National Institute of Standards and Technology) defines Zero Trust and their 7 steps to get there
- Some of the common pitfalls to avoid
- Why Zero Trust doesn’t stop at managed users and workstations – IoMT devices must be included in the architecture planning up-front
Tamer Baker
VP, Global Healthcare, Forescout Technologies
12:15 PM
Lunch & Sponsored Networking
01:15 PM
Session 4
Medium-sized Hospital Case Study: Headwaters Health Care Centre – Lessons Learned From an Incident Response Following a Cyber Attack
Medium-sized hospitals closer to home are an important fabric of the Canadian healthcare landscape. Given the large cost entailed in cyber security, and the volume of IT support required, it becomes a huge challenge for most small to medium-sized hospitals to achieve robust cyber defences. But there are success stories. Headwaters has come back stronger from a cyber attack, with the help of their support team, partnerships, and an all-hands-on-deck approach.
Key Takeaways and Learning Objectives Include:
- What led to the discovery and how the IT team responded
- How partners were integrated into the response
- What were the critical factors that allowed them to come back online so quickly
Cathy van Leipsig
Vice President, Corporate Services and Chief Financial Officer, Headwaters Health Care Centre
Dave Brewin
Regional Chief Information Officer, Royal Victoria Regional Health Centre
02:00 PM
Afternoon Break & Sponsor Booths
02:15 PM
Session 5
Internet of Medical Things: Cyber Risks and Best Practices for Securing Vulnerable IoMT
Hospitals must manage a great number of connected devices, from support devices such as building automation and facility security devices, to diagnostic machines and patient monitoring devices. The hospital of today is much different from even just 5 years ago. And so too are the risks.
In the wake of numerous attacks on vulnerable IoMT devices, there has been a push to understand the risks posed by smart devices. While IoT devices have revolutionized the way the world operates, including how healthcare delivers and manages care, they are often seen as easy conduits for cyber-attacks.
Key Takeaways and Learning Objectives Include:
- Gain insight into how cyber risk and attacks on hospitals have evolved over time and how IoMT devices have played a role in these attacks
- Learn from real-life examples of how attacks, breaches, and vulnerabilities target these devices
- Acquire best practices that security and risk management teams should deploy to mitigate the true risk of their environments
Mohammad Waqas
Principal Solutions Architect, Global Healthcare, Armis
03:00 PM
Session 6
Building Greater Organizational Resilience Through Governance, Strategic Priorities, and Business Continuity Planning in Healthcare
COVID has dramatically shifted the technological landscape of healthcare. From virtual visits to remote patient monitoring, healthcare has clearly demonstrated that this is a digitally focused enterprise. As such, the healthcare business model relies heavily on a robust IT and cyber security posture.
Technical and security staff play a vital role in preventing and managing cyber attacks. However, cyber security is everyone’s responsibility. To build resilience, healthcare organizations must make IT infrastructure and cyber security an organizational priority. CIOs, IT departments, and clinical executives must support the investment in technical safeguards that create redundancy, and the ability to detect, respond, and react to cyber incidents.
In parallel, IT and clinical partnerships, as well as an effective governance model, are required to ensure the successful adoption of cyber security best practices and the creation of sustainable business continuity models.
Key takeaways include:
- “All-for-one and one-for-all” - Cyber security is everyone’s responsibility
- Challenges and opportunities in making IT infrastructure and cyber security an organizational priority
- Role of governance in prioritization and rapid decision-making to support business continuity during cyber incidents
Nimira Dhalwani
Chief Technology Officer, The Hospital for Sick Children
03:45 PM
Closing Remarks From the Co-Chairs
Brendan Kwolek
Chief Information Officer, Halton Healthcare
Kopiha Nathan
Privacy and Compliance Officer, HIROC
04:00 PM
Networking Reception
Day 2
Thursday, November 17, 2022
08:30 AM
Welcome & Networking Continental Breakfast
09:00 AM
Opening Comments from the Co-Chairs
Brendan Kwolek
Chief Information Officer, Halton Healthcare
Kopiha Nathan
Privacy and Compliance Officer, HIROC
09:15 AM
Session 7
Cyber Security in Healthcare at Provincial Scale
Addressing Cyber Security in Ontario is a team sport! Learn about the Ontario Health Provincial Cyber Security Model and how the Ontario healthcare sector is working together to address the shared challenges and risks of cyber security. This session will explore early successes, pragmatic advice for those looking to improve their cyber security, and challenges to come as the model is refreshed and the program enters its next phase of delivery.
Key Session Takeaways Include:
- Understanding of the benefits of the Ontario Health Provincial Cyber Security Model
- Lessons learned, from early successes and challenges
- Pragmatic next steps for your Cyber Security program
Lyndon Dubeau
VP, Innovations, Connected Health, Ontario Health
10:00 AM
Session 8A
Incident Response Protocols and Other Legal Concerns
For anyone tasked with cybersecurity, it is not a question of if an attack or breach will occur, but when. This requires a deliberate, careful and process-driven plan to deflect and recover from an attack.
Key Session Takeaways Include:
- What are the practical realities of handling an incident response
- What are your legal and practical obligations during an incident
- What are the steps you need to take for a data breach, including ransomware
Mary Jane Dykeman
Partner, INQ Law
10:00 AM
Session 8B
CIO Closed Door Networking Round Table
The challenges unique to the CIO role necessitate some information sharing and lessons learned; yet, it is imperative to be vigilant against divulging your strengths, vulnerabilities and areas of focus.
In this closed-door CIOs only session, you will be free to gather with your peers to exchange ideas, strategies, findings, and other areas of concern in private.
11:00 AM
Morning Break & Sponsor Booths
11:00 AM
Session 9
Cybersecurity Insurance: Canadian and Global Trends In Cyber Risk and Their Impact on Canadian Hospitals
Recent trends in cybersecurity insurance indicate a pivot toward pay-outs, with firms such as Lloyd’s of London adding restrictions, especially to nation-state cyberattacks. AXA has stopped paying ransom to cyber attackers. Adding to this, premiums are rising due to the increase in cyber incidents.
With new limits emerging on what healthcare organizations can expect, what can policy owners do to ensure they are covered for all risks?
Key Session Takeaways Include:
- The trends taking hold globally, and in both private and public healthcare settings
- What insurers are doing to protect policy owners and policy design
- Critical strategies policy owners should be doing – and including – in their cyber policies
- Current trends in ransomware pay-outs
Gareth Lewis
VP, Claims, HIROC
Jonathan Bracamonte
Lead, Product Development, HIROC
11:45 AM
Session 10
Fireside chat: Deploying a Regional Identity Governance Platform – Lessons Learned from New York City Health & Hospitals
As we move towards a provincial cybersecurity model, integrated identity security solutions that span both applications and data governance will be essential to protect our newly formed health networks. The health sector is held to a higher standard when it comes to regulatory compliance and making sure access to sensitive applications and data is limited to only those who truly need it and only when they need it. The ability to safely control access to critical systems, onboard new employees and contract clinical staff, pass compliance audits, and facilitate M&A and cloud migration initiatives are all functions of Identity Security. Join us for a discussion with Andrew Greenspan as he shares how New York City Health & Hospitals implemented an integrated identity solution for the largest municipal healthcare delivery system in the United States.
Key Takeaways and Learning Objectives Include:
- Why Identity management has moved beyond human capacity
- How an identity framework facilitated NYCHH’s rapid pandemic response
- How Identity Governance aligns with NIST and other cybersecurity frameworks
- Understanding the challenges of regional governance
- Where to start with an identity governance program
Andrew Greenspan
Senior Director, EITS Infrastructure, Technical Risk Management, New York City Health & Hospitals
Matthew Radcliffe
AVP of Healthcare (US and Canada), SailPoint
12:30 PM
Closing Remarks From the Co-Chairs and Adjournment
Brendan Kwolek
Chief Information Officer, Halton Healthcare
Kopiha Nathan
Privacy and Compliance Officer, HIROC
Ongoing Call for Speakers
This is your opportunity to share your knowledge and experience with other health care professionals.
Please email us at info@sparkconferences.com to receive more information.
We look forward to receiving your submissions!

Secure Your Spot Today
Save big on individual or group registration with Early Registration rates. Space is limited on certain sessions or activities and participation is available on a first-come-first-served basis.