Healthcare security teams are in a tough spot. While the provider industry is taking security seriously, they are at the mercy of the software vendors who provide the healthcare organizations with the data delivery, processing and storage solutions that are critical to delivering patient care and keeping patient data secure. Given the reliance on these systems, it begs the question – how secure are these solutions?
Seth Fogie has spent the last 10+ years in the trenches of the healthcare industry and has seen the good, bad and ugly of what is being provided to your providers. As an insider, Seth has experienced the unique tension healthcare security teams face as they work to securely implement these solutions and will share some of what has been found.
The core of this presentation will focus on vulnerabilities and design issues within healthcare solutions. As we will illustrate through the dissection of numerous clinical focused systems, including radiology reading, EMR downtime, patient entertainment, pharmacy distribution, nurse communication, M&A EMR, clinical documentation and temperature monitoring systems, the prognosis doesn't look good. Unfortunately, it is our experience that there are few solutions within the hospital enterprise that do not have issues.
The goal for this public 'biopsy'? The healthcare security community needs help increasing the pressure to ensure all of our data is safe from poorly designed and developed vendor solutions. While we can't play the name and shame game for a number of reasons, we want to increase awareness through numerous technical illustrations and ask for your help in increasing scrutiny on all healthcare solutions. This isn't just an application security problem – it is all our healthcare data at risk and this audience is positioned in a unique spot to help.
Seth Fogie serves as the Information Security Director at Penn Medicine where he is a member of the leadership team helping to build and maintain a world class security program for the enterprise. In Seth's 20 + years of experience in the field of security, he has also led a security software development company, served as CTO for a development firm focused on the creation of educational environments for hands-on security exercises, and has authored numerous books/articles on information security related subjects. In addition to Seth's current role at Penn Medicine, he also enjoys opportunities to perform security research and testing, helping numerous healthcare vendors remediate and correct security deficiencies, making the healthcare industry safer for all!
Guy Raz is a Sr. Systems Engineer at ExtraHop with previous experience as a Network Engineer and Solution Architect. As a Systems Engineer, Guy is one of the SMEs leading the unique ExtraHop approach to cloud-native NDR for the hybrid multi-cloud enterprise. Before joining the Systems Engineer team, Guy was one of the ExtraHop Solution Architects, responsible for conducting deep technical and business discovery sessions, assisting in troubleshooting and problem resolution during war-room and security/network investigations, and developing strategies for acquiring high-value data from the wire; requiring in-depth technical understanding of L2-L7 networking principles.
Before ExtraHop, Guy was a Network Engineer at Cox Communications, where he helped architect the next generation DOCSIS infrastructure to provide gig-speed internet to customers through automation in provisioning and quality assurance of end user experience