"Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems
TRANSCRIPT
A CHIME Leadership Education and Development Forum in collaboration with iHT2
Case Studies: Putting Cyber Security Strategies into Action
Key Attributes for Success, Challenges and Critical Success Factors
Miroslav Belote, Director IT – Infrastructure, JFK Health
#LEAD14
498 Bed Acute Care Medical Center
98 Bed Johnson Rehabilitation Institute
500 Long Term Care Beds (4 facilities)
Neuroscience Institute of New Jersey
Multi-specialty Physician Group
Assisted Living, EMS, Homecare & Hospice
Accountable Care Organization (MSSP & Comm)
Regional Health Information Exchange
Family Medicine, Rehab & Neuro Residency Programs
JFK Health Overview
JFK Health Overview
Inpatient Admissions: 22,000
ED Visits: >80,000
Live Births: 2,392
Outpatient Visits: 210,000
Affiliated Physicians: 800
Employed Physicians: 150
ACO Covered Lives: 50,000
HIPAA compliance / Meaningful Use attestation
Increased risk of attacks
• Value of health records
• Cyber terrorism / Malicious hacker activities
Public awareness/concerns over breaches & identity theft
Reputation of the institution at stake
Increasing demand for data on mobile platforms
Highly publicized and sensationalized breach cases
Growth of data exchanges/HIEs
Cyber Security – Drivers
Cyber Security – Framework
Governance (Leadership, Board)
Awareness
Education
Identification (Risks, Tools, Skills)
Mitigation (Policies, Controls)
Validation (Audit)
Financial
• Automated tools
• Technical expertise
Behavioral
• Culture change – training & awareness
• Responsibility and accountability
• System’s ‘Ease of Use’ vs ‘Best Practices’
Leadership
• Acceptance, adoption & enforcement
• Cost justification
Cyber Security – Challenges
“Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of The Advisory Board Company. - David Pittman, Politico, July 2014
“The (healthcare) industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.- David Pittman, Politico, July 2014
"One of the more serious aspects of medical identity theft, unlike traditional financial identity theft crime, is that in the extreme, this could lead to your death," said Ponemon Chairman and Founder Larry Ponemon, in an interview with Healthcare IT News. "Because your medical file could change on blood type, on allergy, on previous procedures." - Erin McCann, Healthcare IT News
Cyber Security – Challenges
More than Just a ‘Check Mark’
It’s the Right Thing to Do
• For the Patient
• For the Providers
• For the Organization
ALWAYS Work In Progress
Cyber Security
Technology, People, Process, Best Practices
Cyber Security @ JFK Health
IMPLEMENTED or IN-PROGRESS
Intrusion detection / protection systems
Remote monitoring services
End user device encryption
Remote access
Patient data / systems audits
Secure web gateway and web filtering – additional layer of malware protection
Cyber Security @ JFK – Technology
IMPLEMENTED or IN-PROGRESS
Endpoint patch management
• Configuration management
• Virus and malware protection
• Windows system update services
• Leverage for identifying and addressing ADOBE and JAVA vulnerabilities
Email services
• SPAM/Virus protection services
• Secure/Encrypted email
Mobile Device Management
Secure Messaging / Texting
Cyber Security @ JFK – Technology
FUTURE PLANS
Adaptive authentication
Encryption of enterprise data
• In transit
• At rest
• Corporate ‘Drop Box’
Patient data
• Improved and expanded application audit logs
• Minimize and secure printing of patient data
SIEM - Security Information & Event Management
• System log analytics
• Predictive analysis
• Anomaly identification and notification
Cyber Security @ JFK – Technology
SECURE MESSAGING/TEXTING – USE CASE
New Emergency Department facility
• 60,000 Sq. feet (3X original space)
• 70+ private rooms
• Dedicated triage, EMS and ancillary space
• 4 distinct ‘pods’ - multiple levels of acuity, pediatrics and fast-track
• Physical changes to space pose communication challenges
Cyber Security @ JFK – Technology
SECURE MESSAGING/TEXTING – USE CASE
Technology Implemented
• VoIP Technology
  – Hospital-provided 4G phones secured with a locked-down image
  – Personal 4G phones when compatible with private WiFi requirements
  – WiFi-VoIP phones
  – MDM tools
• Private/Secure Wi-Fi based calling
  – In-house extensions
  – Outside numbers
• Secure Mobile Communications/Texting
  – Consults
  – Secure texts (including pictures)
  – Activity/usage reports available
  – ASP Model – secured and redundant data storage
  – Physician and hospital directories
  – Active Directory integration (coming soon)
Cyber Security @ JFK – Technology
LESSONS LEARNED
BYOD vs Corporate Devices
• Staff reluctant to use personal devices
• Physicians prefer to use personal devices
• Infection control issues
• Specific device configurations for performance
• Device support and maintenance
• Costs associated with providing corporate devices
Cyber Security @ JFK – Technology
LESSONS LEARNED
Data Governance / Security
• Hosted vs On-Premise solutions
• Access to data for auditing purposes
• Device authentication/PIN policy compliance
• Physician orders via mobile apps
Technology
• Ability to setup and support VoIP for best performance
• Performance monitoring tools
• MDM product selection
• ‘Medical grade’ network requirements
Cyber Security @ JFK – Technology
Identify your champions
• Medical staff leadership
• Nursing leadership
• CXO Suite
• Compliance committee of the board
Educate
• Champions have to understand not only the costs, but the risks associated with a poor security program
• Develop an education module for all new employees
• Semi-annual staff-wide education around privacy and security
  – Regulatory updates
  – Changes in technology tools
  – Policy changes
RECENT CASES ‘IN THE NEWS’
• Reinforce proper behaviors
• Publicize ‘consequences’ of non-compliance
Develop strong partnership between Privacy & Security Officers
Cyber Security @ JFK – People
Audit
• Quarterly internal audit of user/system access
• Annual validation/review of appropriate user/system access
• On-going patient information (EPHI) access audit/security
  – Real-time application level
  – Enterprise application logs capture/reporting tools
  – Secure / encrypted email
  – Secure texting and messaging
• HIPAA compliance and Meaningful Use attestation
  – Conduct risk assessment analysis at least annually
  – Obtain or develop risk assessment tools
  – Maintain issues & issue remediation logs
  – Engage external subject matter experts to perform audits
  – Obtain & review SAS70/SOC compliance reports from hosting providers
Policy and Procedures
• Organize to make search simple and accurate
• Review key security policies annually
• Adjust/modify policy with technology changes, if appropriate
Cyber Security @ JFK – Process
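The SIEM slide above lists system log analytics and anomaly identification, and the Process slide lists an on-going EPHI access audit run over enterprise application logs. The following is an added example of what those checks look like when run over chart-access records; it is not JFK Health's tooling and not code from the presentation. The log format, the unit names (MED, ONC, ED, ICU), the user and patient ids, the baseline days and the thresholds are all constructed assumptions for the example. It flags three things an EPHI access audit typically looks for: a chart opened for a patient who is not on the user's own unit, access outside business hours from a unit that does not run around the clock, and a day on which a user opens far more distinct charts than that user's own baseline.

```python
"""EPHI chart-access anomaly checks over a constructed sample log.
Added illustration only; log format, units, ids and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one chart access per line:
#   timestamp  user  user_unit  patient  patient_unit
SAMPLE_LOG = """
2014-09-01T08:05 u101 MED p5001 MED
2014-09-01T09:10 u101 MED p5002 MED
2014-09-01T14:30 u101 MED p5003 MED
2014-09-02T08:15 u101 MED p5001 MED
2014-09-02T10:40 u101 MED p5004 MED
2014-09-02T15:05 u101 MED p5002 MED
2014-09-01T08:20 u202 MED p5005 MED
2014-09-01T11:00 u202 MED p5006 MED
2014-09-01T16:45 u202 MED p5007 MED
2014-09-02T08:30 u202 MED p5005 MED
2014-09-02T12:10 u202 MED p5008 MED
2014-09-02T17:25 u202 MED p5006 MED
2014-09-04T08:00 u101 MED p5001 MED
2014-09-04T09:45 u101 MED p5002 MED
2014-09-04T13:20 u101 MED p5009 MED
2014-09-04T08:05 u202 MED p5005 MED
2014-09-04T08:20 u202 MED p5006 MED
2014-09-04T08:35 u202 MED p5007 MED
2014-09-04T08:50 u202 MED p6001 ONC
2014-09-04T09:05 u202 MED p6002 ONC
2014-09-04T09:20 u202 MED p6003 ED
2014-09-04T09:35 u202 MED p7001 ICU
2014-09-04T02:15 u303 ICU p7001 ICU
2014-09-04T23:30 u404 ONC p6001 ONC
"""

BASELINE_DAYS = {"2014-09-01", "2014-09-02"}  # assumed: days used to learn each user's normal volume
ROUND_THE_CLOCK = {"ED", "ICU"}                # assumed: units where night-time access is expected


def parse_log(text):
    """Parse the whitespace-separated sample format; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, user_unit, patient, patient_unit = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                        "user": user, "user_unit": user_unit,
                        "patient": patient, "patient_unit": patient_unit})
    return records


def cross_unit_accesses(records):
    """Chart opened for a patient who is not on the user's own unit (possible snooping)."""
    return [r for r in records if r["user_unit"] != r["patient_unit"]]


def off_hours_accesses(records, start_hour=7, end_hour=19):
    """Access outside business hours by staff of a unit that does not run 24x7."""
    return [r for r in records
            if r["user_unit"] not in ROUND_THE_CLOCK
            and not (start_hour <= r["ts"].hour < end_hour)]


def daily_distinct_patients(records):
    """{user: {'YYYY-MM-DD': number of distinct charts opened that day}}"""
    per_user = defaultdict(lambda: defaultdict(set))
    for r in records:
        per_user[r["user"]][r["ts"].strftime("%Y-%m-%d")].add(r["patient"])
    return {u: {d: len(s) for d, s in days.items()} for u, days in per_user.items()}


def volume_anomalies(records, baseline_days=BASELINE_DAYS, z=3.0, min_count=5):
    """Flag (user, day, count, threshold) where a non-baseline day's distinct-chart count
    exceeds mean + z*stdev of that user's own baseline days. min_count is a floor so a
    flat baseline (stdev 0) does not flag every +1 day; users with fewer than two
    baseline days have no usable baseline and are skipped rather than guessed at."""
    flagged = []
    for user, days in daily_distinct_patients(records).items():
        base = [c for d, c in days.items() if d in baseline_days]
        if len(base) < 2:
            continue
        threshold = max(mean(base) + z * pstdev(base), min_count)
        for day, count in sorted(days.items()):
            if day not in baseline_days and count > threshold:
                flagged.append((user, day, count, threshold))
    return flagged


def run_checks(log_text=SAMPLE_LOG):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_log(log_text)
    return {"cross_unit": cross_unit_accesses(records),
            "off_hours": off_hours_accesses(records),
            "volume": volume_anomalies(records)}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h if isinstance(h, tuple) else
                  f'{h["ts"]:%Y-%m-%d %H:%M} {h["user"]} ({h["user_unit"]}) -> {h["patient"]} ({h["patient_unit"]})')
```

The volume check learns each user's normal from that user's own history rather than from a fleet-wide number, which is the per-entity baselining a SIEM's anomaly rules do; the min_count floor matters because a baseline with no variation has a standard deviation of zero and would otherwise flag any increase at all. In a real deployment the cross-unit rule needs a treatment-relationship lookup (consults, transfers, float staff, the ED) to keep false positives down; the example uses the patient's unit as a stand-in for that lookup.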
Q & A
Miroslav Belote - [email protected]