TRANSCRIPT
Securing Your Agile, Mobile Clinicians — Breach Case Study
Phil Alexander, Information Security Officer, UMC Health System
Ellen M. Derrico, Sr. Director Healthcare, RES Software
Conflict of Interest
Phil Alexander, B.S., Security +, CEH, C|CISO
Has no real or apparent conflicts of interest to report.
Conflict of Interest
Ellen Derrico, B.Sc., MBA
Salary: RES Software
Royalty: N/A
Receipt of Intellectual Property Rights/Patent Holder: N/A
Consulting Fees (e.g., advisory boards): N/A
Fees for Non-CME Services Received Directly from a Commercial Interest or their Agents (e.g., speakers’ bureau): N/A
Contracted Research: N/A
Ownership Interest (stocks, stock options or other ownership interest excluding diversified mutual funds): N/A
Other: N/A
Agenda
• Introduction
• Set up of the security problem
• UMC Health System – a case study of security best practices
• Wrap up and Q&A
Learning Objectives
• Learning Objective 1: Diagram factors that affect quality of care delivery and cost, highlighting where security factors into both areas
• Learning Objective 2: Show the relationship between the clinical workforce’s need for agility, mobility and engagement and IT’s challenge to manage risk, security and compliance
• Learning Objective 3: Recognize best practices implementing successful security programs, education, training and technology at UMC Texas
• Learning Objective 4: Define cost justification in spending for security education, training and technology
STEPS — Satisfaction
Security technology, education, and breach plan: patients express more satisfaction knowing their records are safe and their private information is better protected.
Security education programs: engaging programs help clinicians be more security conscious, less stressed, and more focused on patients.
• Reduction of executed phishing emails by 70%
• Auditing issues down 80%
• Clinician satisfaction up 88%
Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above
Poll — Security Question #2
The responsibility of preventing security breaches falls to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology, programs, education and training on security.
The Healthcare Landscape & Role of Security
How do we balance quality of care and sustainability in an increasingly risky environment, and how risky is it?
Overall Healthcare Landscape (diagram): Care Delivery and Sustainability, driven by Patient Engagement, Cost Reduction, Organizational Agility, and Managing Risk, Compliance & Security.
Can you afford to have your name in the press for the next big data breach?
An alarming 91 percent of healthcare organizations reported a data breach in the past two years. Some 45 percent of them were the victims of deliberate attacks by cybercriminals seeking to steal the medical and financial information of their patients – a figure that has risen 125 percent since 2010: https://www.yahoo.com/tech/report-nearly-half-of-us-healthcare-organizations-118323228724.html.
Breach Data
Breach by Incident Type and Counter Measures (chart)
Counter Measures: immediate offboarding and computer lock down; white & black listing; profile management; all of the above.
Why is Security So Important?
• According to the Spotlight Report: Insider Threat, conducted by the Crowd Research Partners, the biggest risk for a data breach is with privileged users like clinicians (59% of the threat).
• Clinicians are busy and should be focused on patients, so sometimes they might not be concentrating on whether or not to click on an email or a link.
• Clinicians roam – they are mobile and use multiple devices. Devices can be lost or stolen. More devices and more movement = more risk.
• On May 27th, NBC Nightly News aired another report by Stephanie Gosk on how these data are being used to steal identities and medical services, sell them on the open market, and defraud insurance providers: http://www.nbcnews.com/news/us-news/electronic-medical-records-latest-target-identity-thieves-n365591.
UMC Health System, Texas
A case study on how best to approach security — the 3-prong approach for mitigating risk of breach.
3 Pronged Approach to Security & Compliance
Education
Technology
Response
Education & Awareness
• Myth or Reality
– Users are the weakest link
– Users hate security training
• My PHILosophy
– Educate without users knowing
– Less “HIPAA” – Rules & Regulations w/o Relationships Result in Rebellion
– It’s not business, it’s personal
– Start with Why
Education & Awareness Outcomes
Phishing incidents down 70%
Email & File Encryption up 50%
Technology
• Provisioning & De-Provisioning
– Role based access
– Quickly and accurately provision/de-provision
– Variety of users — staff/students/vendors/etc.
• Delivery of Services
– Printing – quickly print to the right device in the right location, without human intervention (printer mapping)
– Faster VDI loading due to not loading unneeded drivers
• Security
– AV and Firewalls are 8th grade level
– White Listing applications and file types (exe, zip, etc.)
Technology Outcomes
Printer-related incidents down from 65% to 5%
Onboarding went from 3-4 months to less than 10 minutes
Off-boarding dropped from 6 months to instantaneous
Response
• Assume you are already breached
– Where’s Waldo / Capture the Flag
• Monitoring and detection
– CSIRT team
– “Grow a Geek”
• Planning
– Written and tested plan
• Cat 1-7
• Go-Dark
Response Outcomes
CSIRT incidents from ~5mo Cat4 to ~20 Cat1-6
Risks identified = 25 HIGH
Security breaches take time to clean up: we found that it took one of our customers 3-4 days to clean up an executed malware virus that came in through email.
Security breaches are expensive: a Ponemon Institute survey* found the average cost of a healthcare security breach is $3.8 million.
STEPS — Savings
• Est. savings for cleanup of basic infections: $28k per year
• Est. savings from onboarding and off-boarding users: $187k per year
*http://www.nbcnews.com/tech/security/ponemon-institute-n364871
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology, programs, education and training on security.
• Correct answer is: False.
While we would love to say this is true, given the rate at which viruses and malware are being created (in the last 2 years it has doubled!), it is not a matter of “if” but “when”. You can significantly reduce the possibility of a breach by adding extra layers of security and by training and educating your staff, and you can prepare and reduce impact by having a plan for when it happens.
Thank You & Questions
Ellen M. Derrico
+1 484 787 8370
Twitter handle: @ellenmd1
linkedin.com/in/ellenderrico
Phil Alexander
+1 806 775 9099
twitter.com/PhilDAlexander
linkedin.com/in/philalexander1