A CHIME Leadership Education and Development Forum in collaboration with iHT2

Creating an Effective Cyber Security Strategy

________ Key Attributes for Success, Challenges and

Critical Success Factors

Gary Barnes, CIO – Medical Center Health Systems, Odessa, Texas Brad Dummer, Security Officer – Medical Center Hospital Systems, Odessa Texas

David Mendenhall, CTO, John Peter Smith Health Network, Fort Worth, Texas

#LEAD14

Medical Center Hospital System Overview

• 403 Bed Hospital

• 21 Outpatient Clinics

• 300 Active and Associate Medical Staff

2014:

• Inpatient Admissions: 13,737

• Emergency Room: 52,389 patient visits

• Labor and Delivery: 1,805 deliveries

Accreditations

• Designated Lead Level II Trauma Center

• Approved Commission on Cancer Program

• Maintained accreditation with The Joint Commission on national

standards for healthcare quality and safety since 1957

• TJC DSC designated for Stroke, Diabetes, and Bariatric

• HIMSS Stage 6

• Meaningful use Stage 2

Reasons to be Concerned • Private or sensitive data exposed • Denial of service attack • Financial losses • Customer records compromised or

stolen • Reputation effected

Motivations for Privacy and Security

• Security risks associated with organized crime's targeting of patient information

• OCR HIPAA Audits

• Avoidance of media attention resulting from a potential breach

• Address privacy and security gaps exploited in an existing breach

• Patient lawsuits related to privacy and security

• Our first detailed security audit was in 2011 & revealed over 186 areas of improvement.

• Security officer at the time was overwhelmed!

• Now that I know about the risk , I was very concerned

Cyber Security Life Cycle

How do you get so

many tasks/risk

addressed timely?

Goals and Process Monitor Tool

186 Areas of Improvement

Manager Daily huddle

Daily Malware Response Report

• IS11776\NRCPC14- In the NRC. Top URL users report for

last week from the firewall report. So why is a machine that is largely not being used have a highest web usage reports? Could not establish communication or management with the PC. Upon looking in Infoblox a static entry was found in DNS pathing IS11776 to the 54 subnet. Deleted out of date entries in Infoblox. Communication/management was established with the PC. Machine was 41 Windows updates out of date. PC was missing chipset drivers. A review of Internet history showed no anomalous activity.

•

Knowledge Sharing

External Access – Organization to Organization and Contractors

Blocking and Thwarting Workstation Infections

Safeguarding External Facing Servers

Safeguarding Internal Servers

Keeping the Workstation Clean

Staying Compliant

External Access – Org to Org

• VPN and NAT Access Validated Yearly

– Good time to Check BAA (Business Associate Agreements). Current and up-to-date.

– Close access to/from outside entities that no longer have an association.

– Catch any NAT'ed resources that are no longer used

External Access – Contractors

• Contractors (Outside Clinic Personnel, Coders, Collections)

– Access expired every 6 months

– Outside users must review and test on HIPAA/Hospital training material

– Once the test is passed, users must contact Call Center to verify employment/relationship

• Catches nurses/practitioners that have bounced from clinic to clinic

* This is done for Students as well*

Blocking and Thwarting Workstation Infections

• Block Dangerous World Region traffic from coming in or going out - Russia, China

– Both on Firewall and Email systems

– Outgoing is important to block - keeps already infected devices from contacting Master Controllers in those regions

• DNS Firewall

– Keeps devices from going to malware websites or clicking on malicious links

– Preventing infections from happening

– Disrupting infected clients ability to communicate with Master Controllers

Safeguarding Externally Facing Servers

• Incorporate regular external vulnerability scans into security routine

• Stay on top of new vulnerabilities - POODLE, ShellShock, CryptoLocker

• Regularly scan for new devices in external ranges

– Teams sometimes implement new devices without following procedures

Safeguarding Internal Devices Why it’s important!

• Reason - Internal cyber-attacks are increasing!

– In a new Harvard Business Review article, Professor David Upton of Saïd Business School, and Professor Sadie Creese of Oxford’s Global Cyber Security Capacity Centre warn that internal cyber attacks against companies, are an increasing threat that costs tens of billions of dollars a year worldwide, can destroy companies, and sink the careers of many senior executives.

Safeguarding Internal Devices

• Run regular internal vulnerability scans

– Should be as robust as external vulnerability scans

• Put procedures in place to build hardened secure servers

• Tune IPS alerts as tightly as possible

– Send real-time alerts

– Feel for what is going on in environment

Keeping Workstations Clean!

• Keeping workstations clean!

– Patch all software (3rd Party) as well as OS

• Cyber-attacks are going after software that usually remains unpatched - Adobe, Java

– Manage and monitor for patch/antivirus compliance.

• Put mechanism in place to push emergency patches/fixes out quickly

Lessons Learned – Staying Compliant

• Once remediated, control must be reevaluated timely

– It is no use to fix something once and never check on it again.

• Develop systems to automatically generate notices/tickets and to keep track of findings.

Medical Center Hospital Systems - Security Management System

• Uses the ticketing system to auto-generate tickets for specified

time periods

• All procedures and results are stored in SharePoint

• Auto generated ticket always contains the location (URL) of the audit procedure

– When loaded, the procedure is editable on the fly so changes to audit can be incorporated as it is being carried out – keeps the procedure fresh!

John Peter Smith (JPS) Health Network

Overview

• 587 Bed Hospital

• 40 Outpatient Clinics

• County hospital serving Tarrant County Texas

• Founded in 1877

John Peter Smith (JPS) Health Network Overview

• HIMSS Stage 6 for In-patient and Ambulatory

• TJC Accredited (next review in Spring 2015)

• Level One Trauma Center

• Teaching Hospital (multi-specialties)

• Over 6,000 babies delivered annually

• 30 Bed NICU that can flex to 45

• Behavioral Health Services

– 4 Partial Hospitalization Programs using Telemedicine

• Voted by our employees as one of best Hospital IT Organizations

to work for in 2013

• 2014 Statistics Annualized:

– 1.1 Million Encounters

– 22,000 Inpatient stays

– 118,000 Emergency room visits (325 per day)

Turmoil in IT

• I Began in June 2011

• CIO was a contractor leading the Epic implementation

• Past CIO was in place for only 7 months

• Two data centers, only one active

• Security policies were in a stack on my desk – never implemented

• Resignation of IT Security Manager was on my desk – Frustrated by lack of management support

– Felt like he was beating his head against a wall

– His ideas were not being taken seriously

• October 2011 – Hit by attack – (DID NOT Lose any data)

Where We Were

• First detailed security review – 2007 – Revealed over 300 vulnerabilities

– As of November 2011 – over 300 remained

• Second detailed security review – 2009 – Revealed over 350 vulnerabilities

– As of November 2011 – over 350 remained

• Third detailed security review – November 2011 – Revealed over 400 vulnerabilities

– As of June 2012 – only 20 remained (95% reduction)

What We Did

• Developed an enterprise security program

Reactive

Education

Technology

Review

Proactive

Education

Technology

Review

Audit Plan

Where Are We Now

• Twice Annual Security Reviews: – HIPAA / HITECH / ISO 27001 (SPRING REVIEW)

– PCI – DSS (FALL REVIEW)

• Spring 2014 Review – 105 Security Vulnerabilities found

– By October 2014, 10 Vulnerabilities remain

– Remediation / Action plans for all Vulnerabilities

• Fall 2014 Review – 5 Vulnerabilities found

– Remediation / Action plans for all Vulnerabilities

• Education of Every New Employee

Perimeter Security • Firewall • IPS • Content Filtering

Monitoring and Audit • SIEM • HIPAA / MU / ISO • PCI - DSS

Internal Security • Access Controls • End Point Protection • Data Loss Prevention

What we have implemented

Where Do We Need To Go

• Alignment with Organizational Pillars and Strategies

• Alignment with Internal Audit

• Implement full Security Education as part of Annual CBLs for every employee

• Role Based Security

• On-boarding and Off-boarding

New Challenges Facing JPS

• Rolling out Epic to Homeless Shelters

• Allowing a “Clinician on the Street” model

• Partnership with local University

• Growing research needs

• Growing medical student population that only wants data / information on smart devices.

Security Strategies

• Create a security program – All the things you are doing

– All the things you want to do

– Assign responsibilities

– Develop policies and procedures

• Don’t do it alone – Align with partners

– Bring in outside auditors • Audit your Auditors

• Ensure that security procedures are not separates from IT procedures – ITIL

– COBIT

Security Strategies

• Never enough money or resources – Start with technologies / processes that can happen quickly

– Start with your outside perimeter defense and work your way in – all the way to protecting data in motion and data at rest

– Don’t be afraid of Proof of Concepts

• Reduce your Attack Surface

• Work toward Best in Class Technologies – SIEM – Security Incident Event Management

– MSSP – Managed Security Service Provider

– DLP – Data Loss Prevention

– Vulnerability scanning

– Threat Analysis

– One at a time

• Ensure that security is top of mind for everyone

• EDUCATE, EDUCATE, EDUCATE

Security Strategies

• Think of Security as a Eco System

• Think of Security as Multiple Trajectories

Reactive

Education

Technology Review

SIEM

DLP

MSSP

ITIL

Proactive Education Technology Review

Q & A

Gary Barnes – gbarnes@echd.org Brad Dummer – bdummer@echd.org

David Mendenhall – dmenden@jpshealth.org

A CHIME Leadership Education and Development Forum in collaboration with iHT2

Insert Twitter handle(s) here