Securing Your Agile, Mobile Clinicians — Breach Case Study

Securing Your Agile, Mobile
Clinicians — Breach Case Study
Phil Alexander, Information Security Officer, UMC Health System
Ellen M. Derrico, Sr. Director Healthcare, RES Software
Conflict of Interest
Phil Alexander, B.S., Security +, CEH, C|CISO
Has no real or apparent conflicts of interest to report.
Conflict of Interest
Ellen Derrico, B.Sc., MBA
Salary: RES Software
Royalty: N/A
Receipt of Intellectual Property Rights/Patent Holder: N/A
Consulting Fees (e.g., advisory boards): N/A
Fees for Non-CME Services Received Directly from a Commercial Interest or
their Agents (e.g., speakers’ bureau): N/A
Contracted Research: N/A
Ownership Interest (stocks, stock options or other ownership interest excluding
diversified mutual funds): N/A
Other: N/A
Agenda
• Introduction
• Set up of the security problem
• UMC Health System – a case study of security best
practices
• Wrap up and Q&A
Learning Objectives
• Learning Objective 1: Diagram factors that affect quality of care delivery
and cost highlighting where security factors into both areas
• Learning Objective 2: Show relationship between the clinical workforce’s
need for agility, mobility and engagement and IT’s challenge to manage
risk, security and compliance
• Learning Objective 3: Recognize best practices implementing successful
security programs, education, training and technology at UMC Texas
• Learning Objective 4: Define cost justification in spending for security
education, training and technology
STEPS — Satisfaction
Security
Security
education
technology,
programs
education, and
Engaging programs help
breach plan
clinicians be more
Patients express more
security conscious, less
satisfaction knowing their
stressed, and more
records are safe & their
focused on patients
private information is
better protected
•
•
•
Reduction of executed phishing emails by 70%
Auditing issues down 80%
Clinician satisfaction up 88%
Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above
Poll — Security Question #2
The responsibility of preventing security breaches fall to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology,
programs, education and training on security.
The Healthcare Landscape
& Role of Security
How do we balance quality of care and sustainability in an increasingly
risky environment and how risky is it?
Overall Healthcare Landscape
CARE DELIVERY
Organizational
Agility
Patient
Engagement
Cost
Reduction
SUSTAINABILITY
Manage Risk
Compliance &
Security
Can you afford to have your name in the press
for the next big data breach?
Breach Data
An alarming 91 percent of healthcare organizations reported a data breach in the past two years. Some
45 percent of them were the victims of deliberate attacks by cybercriminals seeking to steal the medical
and financial information of their patients – a figure that has risen 125 percent since 2010:
https://www.yahoo.com/tech/report-nearly-half-of-us-healthcare-organizations-118323228724.html.
Breach by Incident Type and Counter Measures
Counter Measures:
Immediate offboarding
and computer lock down
White & black listing
Profile management
Immediate offboarding
and computer lock down
All of the above
Why is Security So Important?
• According to the Spotlight Report: Insider Threat, conducted by the
Crowd Research Partners, the biggest risk for a data breach is with
privileged users like clinicians (59% of the threat).
• Clinicians are busy and should be focused on patients, so sometimes
they might not be concentrating on whether or not to click on an
email or a link.
• Clinicians roam – they are mobile and use multiple devices. Devices
can be lost or stolen. More devices and more movement = more
risk.
• On May 27th, NBC Nightly News aired another report by Stephanie
Gosk on how these data are being used to steal and sell on the open
market identities, medical services and to fraud insurance providers:
http://www.nbcnews.com/news/us-news/electronic-medical-recordslatest-target-identity-thieves-n365591.
UMC Health System, Texas
A case study on how best to approach security — the 3-prong approach
for mitigating risk of breach.
3 Pronged Approach to
Security & Compliance
Technology
Education
Response
Education & Awareness
• Myth or Reality
– User are the weakest link
– Users hate security training
• My PHILosophy
– Educate without users knowing
– Less “HIPAA” – Rules & Regulations w/o Relationships Result in Rebellion
– It’s not business it’s personal
– Start with Why
Education & Awareness Outcomes
Phishing incidents down 70%
Email & File Encryption up 50%
Technology
• Provisioning & De-Provisioning
– Role based access
– Quickly and accurately provision/de-provision,
– Variety of users — staff/students/vendors/etc.
• Delivery of Services
– Printing – quickly print to the right device in the right location,
without human intervention (printer mapping)
– Faster VDI loading due to not loading unneeded drivers
• Security
– AV and Firewalls are 8th grade level
– White Listing applications and files types (exe, zip, etc.)
Technology Outcomes
Printer related incidents down from 65% to 5%
Onboarding went from 3-4 months to less than 10 minutes
Off-Boarding dropped 6month to instantaneous
Response
• Assume you are already breached
– Where’s Waldo / Capture the Flag
• Monitoring and detection
– CSIRT team
– “Grow a Geek”
• Planning
– Written and tested plan
• Cat 1-7
• Go-Dark
Response Outcomes
CSIRT incidents from ~5mo Cat4 to ~20 Cat1-6
Risks identified = 25 HIGH
STEPS — Savings
Security breaches
Security Breaches take
are expensive
time to clean up
Ponemon Institute
We found that it took one of
survey* found average
our customers 3-4 days to
cost of a healthcare
clean up an executed
security breach is $3.8
malware virus that came in
million
through email
•
•
Est. savings for cleanup of basic infections $28k per year
Est. saving of onboarding and off boarding users was $187k per year
*http://www.nbcnews.com/tech/security/ponemon-institute-n364871
Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above
Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above
Poll — Security Question #2
The responsibility of preventing security breaches fall to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above
Poll — Security Question #2
The responsibility of preventing security breaches fall to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology,
programs, education and training on security.
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology,
programs, education and training on security.
• Correct answer is: False.
While we would love to say this is true, the rate at which virus and
malware are being created (in the last 2 years it has doubled!), it is not a
matter of “if” but “when”. You can significantly reduce the possibility of a
breach by adding extra layers of security and by training and educating
your staff, and you can prepare and reduce impact by having a plan for
when it happens.
Thank You & Questions
Ellen M. Derrico
Phil Alexander
[email protected]
[email protected]
+1 484 787 8370
+1 806 775 9099
Twitter handle: @ellenmd1
twitter.com/PhilDAlexander
linkedin.com/in/ellenderrico
linkedin.com/in/philalexander1