Securing Your Agile, Mobile Clinicians Breach Case Study… · Receipt of Intellectual Property...

Securing Your Agile, Mobile Clinicians — Breach Case Study

Phil Alexander, Information Security Officer, UMC Health System

Ellen M. Derrico, Sr. Director Healthcare, RES Software


Page 1

Securing Your Agile, Mobile Clinicians — Breach Case Study

Phil Alexander, Information Security Officer, UMC Health System

Ellen M. Derrico, Sr. Director Healthcare, RES Software

Page 2

Conflict of Interest

Phil Alexander, B.S., Security+, CEH, C|CISO

Has no real or apparent conflicts of interest to report.

Page 3

Conflict of Interest

Ellen Derrico, B.Sc., MBA

Salary: RES Software

Royalty: N/A

Receipt of Intellectual Property Rights/Patent Holder: N/A

Consulting Fees (e.g., advisory boards): N/A

Fees for Non-CME Services Received Directly from a Commercial Interest or

their Agents (e.g., speakers’ bureau): N/A

Contracted Research: N/A

Ownership Interest (stocks, stock options or other ownership interest excluding

diversified mutual funds): N/A

Other: N/A

Page 4

Agenda

• Introduction

• Set up of the security problem

• UMC Health System – a case study of security best practices

• Wrap up and Q&A

Page 5

Learning Objectives

• Learning Objective 1: Diagram factors that affect quality of care delivery and cost, highlighting where security factors into both areas

• Learning Objective 2: Show the relationship between the clinical workforce’s need for agility, mobility and engagement and IT’s challenge to manage risk, security and compliance

• Learning Objective 3: Recognize best practices implementing successful security programs, education, training and technology at UMC Texas

• Learning Objective 4: Define cost justification in spending for security education, training and technology

Page 6

STEPS — Satisfaction

Security technology, education, and breach plan: Patients express more satisfaction knowing their records are safe & their private information is better protected.

Security education programs: Engaging programs help clinicians be more security conscious, less stressed, and more focused on patients.

• Reduction of executed phishing emails by 70%

• Auditing issues down 80%

• Clinician satisfaction up 88%

Page 7

Poll — Security Question #1

Security breaches can occur through:

A. Viral attacks

B. Malware attacks

C. Phishing

D. All of the above

Page 8

Poll — Security Question #2

The responsibility of preventing security breaches falls to:

A. Chief Security Officer

B. IT Staff

C. End Users

D. All of the above

Page 9

Poll — Security Question #3

True/False:

• You can fully prevent a security breach with the right technology,

programs, education and training on security.

Page 10

The Healthcare Landscape & Role of Security

How do we balance quality of care and sustainability in an increasingly risky environment, and how risky is it?

Page 11

Overall Healthcare Landscape

Diagram labels: Patient Engagement, Cost Reduction, Organizational Agility, SUSTAINABILITY, CARE DELIVERY, Manage Risk, Compliance & Security.

Page 12

Can you afford to have your name in the press for the next big data breach?

Page 13

Breach Data

An alarming 91 percent of healthcare organizations reported a data breach in the past two years. Some 45 percent of them were the victims of deliberate attacks by cybercriminals seeking to steal the medical and financial information of their patients – a figure that has risen 125 percent since 2010: https://www.yahoo.com/tech/report-nearly-half-of-us-healthcare-organizations-118323228724.html.

Page 14

Breach by Incident Type and Counter Measures

Counter Measures (listed per incident type in the original chart):

• Immediate offboarding and computer lock down

• White & black listing

• Profile management

• Immediate offboarding and computer lock down

• All of the above

Page 15

Why is Security So Important?

• According to the Spotlight Report: Insider Threat, conducted by the Crowd Research Partners, the biggest risk for a data breach is with privileged users like clinicians (59% of the threat).

• Clinicians are busy and should be focused on patients, so sometimes they might not be concentrating on whether or not to click on an email or a link.

• Clinicians roam – they are mobile and use multiple devices. Devices can be lost or stolen. More devices and more movement = more risk.

• On May 27th, NBC Nightly News aired another report by Stephanie Gosk on how these data are being used to steal identities and medical services, sell them on the open market, and defraud insurance providers: http://www.nbcnews.com/news/us-news/electronic-medical-records-latest-target-identity-thieves-n365591.

Page 16

UMC Health System, Texas

A case study on how best to approach security — the 3-prong approach for mitigating risk of breach.

Page 17

3 Pronged Approach to Security & Compliance

Education

Technology

Response

Page 18

Education & Awareness

• Myth or Reality

– Users are the weakest link

– Users hate security training

• My PHILosophy

– Educate without users knowing

– Less “HIPAA” – Rules & Regulations w/o Relationships Result in Rebellion

– It’s not business it’s personal

– Start with Why

Page 19

Education & Awareness Outcomes

Phishing incidents down 70%

Email & File Encryption up 50%

Page 20

Technology

• Provisioning & De-Provisioning

– Role based access

– Quickly and accurately provision/de-provision

– Variety of users — staff/students/vendors/etc.

• Delivery of Services

– Printing – quickly print to the right device in the right location, without human intervention (printer mapping)

– Faster VDI loading due to not loading unneeded drivers

• Security

– AV and Firewalls are 8th grade level

– White Listing applications and file types (exe, zip, etc.)

Page 21

Technology Outcomes

Printer related incidents down from 65% to 5%

Onboarding went from 3-4 months to less than 10 minutes

Off-boarding dropped from 6 months to instantaneous

Page 22

Response

• Assume you are already breached

– Where’s Waldo / Capture the Flag

• Monitoring and detection

– CSIRT team

– “Grow a Geek”

• Planning

– Written and tested plan

• Cat 1-7

• Go-Dark

Page 23

Response Outcomes

CSIRT incidents from ~5mo Cat4 to ~20 Cat1-6

Risks identified = 25 HIGH

Page 24

Security breaches take time to clean up: We found that it took one of our customers 3-4 days to clean up an executed malware virus that came in through email.

Security breaches are expensive: A Ponemon Institute survey* found the average cost of a healthcare security breach is $3.8 million.

STEPS — Savings

• Est. savings for cleanup of basic infections $28k per year

• Est. savings from onboarding and off-boarding users was $187k per year

*http://www.nbcnews.com/tech/security/ponemon-institute-n364871

Page 25

Poll — Security Question #1

Security breaches can occur through:

A. Viral attacks

B. Malware attacks

C. Phishing

D. All of the above


Page 27

Poll — Security Question #2

The responsibility of preventing security breaches falls to:

A. Chief Security Officer

B. IT Staff

C. End Users

D. All of the above


Page 30

Poll — Security Question #3

True/False:

• You can fully prevent a security breach with the right technology,

programs, education and training on security.

• Correct answer is: False.

While we would love to say this is true, given the rate at which viruses and malware are being created (it has doubled in the last 2 years!), it is not a matter of “if” but “when”. You can significantly reduce the possibility of a breach by adding extra layers of security and by training and educating your staff, and you can prepare for and reduce the impact by having a plan for when it happens.

Page 31

Thank You & Questions

Ellen M. Derrico

[email protected]

+1 484 787 8370

Twitter handle: @ellenmd1

linkedin.com/in/ellenderrico

Phil Alexander

[email protected]

+1 806 775 9099

twitter.com/PhilDAlexander

linkedin.com/in/philalexander1