Securing Your Agile, Mobile Clinicians — Breach Case Study
Phil Alexander, Information Security Officer, UMC Health System
Ellen M. Derrico, Sr. Director Healthcare, RES Software

Conflict of Interest
Phil Alexander, B.S., Security+, CEH, C|CISO
Has no real or apparent conflicts of interest to report.

Conflict of Interest
Ellen Derrico, B.Sc., MBA
Salary: RES Software
Royalty: N/A
Receipt of Intellectual Property Rights/Patent Holder: N/A
Consulting Fees (e.g., advisory boards): N/A
Fees for Non-CME Services Received Directly from a Commercial Interest or their Agents (e.g., speakers' bureau): N/A
Contracted Research: N/A
Ownership Interest (stocks, stock options or other ownership interest excluding diversified mutual funds): N/A
Other: N/A

Agenda
• Introduction
• Set-up of the security problem
• UMC Health System – a case study of security best practices
• Wrap-up and Q&A

Learning Objectives
• Learning Objective 1: Diagram the factors that affect quality of care delivery and cost, highlighting where security factors into both areas
• Learning Objective 2: Show the relationship between the clinical workforce's need for agility, mobility and engagement and IT's challenge to manage risk, security and compliance
• Learning Objective 3: Recognize best practices in implementing successful security programs, education, training and technology at UMC Texas
• Learning Objective 4: Define the cost justification for spending on security education, training and technology

STEPS — Satisfaction
Security education and engaging programs help clinicians be more security conscious, less stressed, and more focused on patients.
Security technology, education, programs and a breach plan: patients express more satisfaction knowing their records are safe and their private information is better protected.
• Reduction of executed phishing emails by 70%
• Auditing issues down 80%
• Clinician satisfaction up 88%

Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above

Poll — Security Question #2
The responsibility of preventing security breaches falls to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above

Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology, programs, education and training on security.

The Healthcare Landscape & Role of Security
How do we balance quality of care and sustainability in an increasingly risky environment, and how risky is it?

Overall Healthcare Landscape
[Diagram] CARE DELIVERY: Organizational Agility, Patient Engagement, Cost Reduction. SUSTAINABILITY: Manage Risk, Compliance & Security.
Can you afford to have your name in the press for the next big data breach?

Breach Data
An alarming 91 percent of healthcare organizations reported a data breach in the past two years. Some 45 percent of them were the victims of deliberate attacks by cybercriminals seeking to steal the medical and financial information of their patients – a figure that has risen 125 percent since 2010: https://www.yahoo.com/tech/report-nearly-half-of-us-healthcare-organizations-118323228724.html

Breach by Incident Type and Counter Measures
Counter Measures:
• Immediate offboarding and computer lock down
• White & black listing
• Profile management
• Immediate offboarding and computer lock down
• All of the above

Why is Security So Important?
• According to the Spotlight Report: Insider Threat, conducted by Crowd Research Partners, the biggest risk for a data breach is with privileged users like clinicians (59% of the threat).
• Clinicians are busy and should be focused on patients, so sometimes they might not be concentrating on whether or not to click on an email or a link.
• Clinicians roam – they are mobile and use multiple devices. Devices can be lost or stolen. More devices and more movement = more risk.
• On May 27th, NBC Nightly News aired another report by Stephanie Gosk on how these data are being used to steal and sell identities and medical services on the open market and to defraud insurance providers: http://www.nbcnews.com/news/us-news/electronic-medical-recordslatest-target-identity-thieves-n365591

UMC Health System, Texas
A case study on how best to approach security — the 3-prong approach for mitigating the risk of a breach.

3-Pronged Approach to Security & Compliance
Technology
Education
Response

Education & Awareness
• Myth or Reality
  – Users are the weakest link
  – Users hate security training
• My PHILosophy
  – Educate without users knowing
  – Less "HIPAA"
  – Rules & Regulations w/o Relationships Result in Rebellion
  – It's not business, it's personal
  – Start with Why

Education & Awareness Outcomes
Phishing incidents down 70%
Email & File Encryption up 50%

Technology
• Provisioning & De-Provisioning
  – Role-based access
  – Quickly and accurately provision/de-provision
  – Variety of users — staff/students/vendors/etc.
• Delivery of Services
  – Printing – quickly print to the right device in the right location, without human intervention (printer mapping)
  – Faster VDI loading due to not loading unneeded drivers
• Security
  – AV and Firewalls are 8th grade level
  – White listing applications and file types (exe, zip, etc.)
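The two controls on the Technology slide, role-based provisioning/de-provisioning and file-type allowlisting, as an added Python illustration (this is not code from the presentation, from UMC Health System or from RES Software). Entitlements hang off role templates rather than individual people, so onboarding is a role assignment and off-boarding is a single disable-and-revoke step instead of a per-application clean-up, and an attachment is denied unless its final extension is on the allowlist. The role names, permission strings, session identifiers and file types are constructed sample values.

```python
"""Role-based provisioning with instantaneous off-boarding, plus a
default-deny file-type allowlist. Added illustration only; the roles,
permissions and extensions below are constructed, not a real deployment."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role templates. Access is granted to a role, never to a person,
# so every entitlement a user holds can be traced to (and removed with) a role.
ROLE_TEMPLATES = {
    "clinician": {"ehr:read", "ehr:write", "print:ward-printers", "vdi:clinical-desktop"},
    "student": {"ehr:read", "vdi:training-desktop"},
    "vendor": {"vdi:vendor-desktop"},
}

# Constructed allowlist of attachment types that may reach a clinician's inbox.
# Anything not listed (exe, zip, js, ...) is denied without needing a blocklist.
ALLOWED_ATTACHMENT_TYPES = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    sessions: list = field(default_factory=list)   # live VDI/app sessions
    audit: list = field(default_factory=list)      # who/what/when trail


class Directory:
    """Minimal identity store: one place where onboarding and off-boarding happen."""

    def __init__(self):
        self.accounts = {}

    def provision(self, username, role):
        """Onboard by attaching a role template; unknown roles are rejected."""
        if role not in ROLE_TEMPLATES:
            raise ValueError(f"no role template named {role!r}")
        acct = self.accounts.setdefault(username, Account(username))
        acct.roles.add(role)
        acct.audit.append((_now(), "provision", role))
        return acct

    def effective_permissions(self, username):
        """Union of the user's role templates; a disabled account has none."""
        acct = self.accounts[username]
        if not acct.enabled:
            return set()
        return set().union(*(ROLE_TEMPLATES[r] for r in acct.roles))

    def deprovision(self, username):
        """Off-board in one step: disable, strip roles, revoke live sessions.
        Returns the number of sessions revoked (the computer lock-down part)."""
        acct = self.accounts[username]
        acct.enabled = False
        acct.roles.clear()
        revoked = len(acct.sessions)
        acct.sessions.clear()
        acct.audit.append((_now(), "deprovision", f"sessions_revoked={revoked}"))
        return revoked


def attachment_allowed(filename):
    """Default-deny check on the *final* extension, case-insensitive.
    'report.pdf.exe' is judged by 'exe'; a name with no extension is denied."""
    name = filename.strip().lower().rstrip(".")
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1]
    return ext in ALLOWED_ATTACHMENT_TYPES


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


if __name__ == "__main__":
    d = Directory()
    d.provision("dr_smith", "clinician")                 # constructed user
    d.accounts["dr_smith"].sessions.append("vdi-session-01")
    print("before:", sorted(d.effective_permissions("dr_smith")))
    print("sessions revoked:", d.deprovision("dr_smith"))
    print("after:", d.effective_permissions("dr_smith"))
    for f in ("notes.PDF", "report.pdf.exe", "archive.zip", "README"):
        print(f, "->", "allow" if attachment_allowed(f) else "deny")
```

The point of routing everything through `Directory` is that de-provisioning never has to know which applications the person used: the roles carried the entitlements, so clearing them and disabling the account closes every door at once.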
Technology Outcomes
Printer-related incidents down from 65% to 5%
Onboarding went from 3-4 months to less than 10 minutes
Off-boarding dropped from 6 months to instantaneous

Response
• Assume you are already breached
  – Where's Waldo / Capture the Flag
• Monitoring and detection
  – CSIRT team
  – "Grow a Geek"
• Planning
  – Written and tested plan
    • Cat 1-7
    • Go-Dark

Response Outcomes
CSIRT incidents from ~5mo Cat4 to ~20 Cat1-6
Risks identified = 25 HIGH

STEPS — Savings
Security breaches are expensive: a Ponemon Institute survey* found the average cost of a healthcare security breach is $3.8 million.
Security breaches take time to clean up: we found that it took one of our customers 3-4 days to clean up an executed malware virus that came in through email.
• Est. savings for cleanup of basic infections: $28k per year
• Est. savings for onboarding and off-boarding users: $187k per year
*http://www.nbcnews.com/tech/security/ponemon-institute-n364871

Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above

Poll — Security Question #2
The responsibility of preventing security breaches falls to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above

Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology, programs, education and training on security.
• Correct answer is: False. While we would love to say this is true, given the rate at which viruses and malware are being created (it has doubled in the last 2 years!), it is not a matter of "if" but "when". You can significantly reduce the possibility of a breach by adding extra layers of security and by training and educating your staff, and you can prepare for and reduce the impact by having a plan for when it happens.

Thank You & Questions
Ellen M. Derrico: E.Derrico@ressoftware.com, +1 484 787 8370, Twitter handle: @ellenmd1, linkedin.com/in/ellenderrico
Phil Alexander: Phillip.Alexander@umchealthsystem.com, +1 806 775 9099, twitter.com/PhilDAlexander, linkedin.com/in/philalexander1