CHIME LEAD DC 2014 “Key Attributes for Success, Challenges and Critical Success Factors” with Skip Hubbard, MBA, FCHIME, LCHIME, CHCIO, SVP, Business Intelligence & Performance Improvement, Bon Secours Health Systems
Creating an Effective Cyber Security Strategy
Key Attributes for Success, Challenges and Critical Success Factors
Skip Hubbard, MBA, FCHIME, LCHIME, CHCIO
SVP, Business Intelligence & Performance Improvement
Bon Secours Health System
#LEAD14
A CHIME Leadership Education and Development Forum in collaboration with iHT2
A $3.4 billion not-for-profit Catholic health system, Bon Secours Health System, Inc. (BSHSI) owns, manages or joint ventures:
• 19 Acute Care Hospitals
  – 14 Owned
  – 5 Joint Ventures
• 15 Post-acute Centers
• 14 Home Care/Hospice Providers
• 2.3 Million Patient Care Encounters
• 9 Communities in 6 states
• Over 23,000 caregivers
• 850 Physicians
• 60,000 System users
• 136,000 Clinical Portal users
What is Needed
• Build Relationships
• Establish the Culture
• Education
• Risk Analysis
• Build a Core Security Team
• Build Infrastructure
Build Relationships
• Board (Governance & Relationship)
• Executive Awareness & Support
• Internal, Teams Across Disciplines
  – IA, Privacy, CRO
  – HR, Legal, Technology …
• External Relationships
  – Law Enforcement
  – Media Firm
  – Cyber liability Insurer
• Education
Establish the Culture
• Leaders are aware and talk about security
• Education of everyone (staff, faculty, physicians, …)
• Framework – Detailed Plan – Testing
  – Are you using NIST or ISO …
  – Issues and Investigations protocols
  – Incident Reporting: (PHI, PII, PCI, Hacks)
• Do Audits of:
  – Easy-to-guess password on system audits
  – Vendor management – SSAE16, SOC2 Type2 Reports
  – Access modes & points - Cloud computing
• In healthcare, security involves Privacy & Cyber Security
Risk Analysis
• Risk Assessment:
  – Part of the company's ‘ERM’?
  – What is your risk tolerance, for each class of data
    • Level of user access to data & systems
    • Leakage through employee – (error, misuse)
  – "Lifecycle" approach to Policy and Procedures
  – Technology portfolio
    • Spending/Budget for Security
    • Up-to-date?
      – System Patch Levels
      – Virus Protection Levels
Build a Core Security Team
• Determine Core Security Team
  – Knowledge of Regulation (Federal & State)
    • what states people live in, if data accessed
  – Turnover & Retention
  – Tools & Training
• Incident Response Team Needs
  – Plans & Escalation plan
  – Breach reporting
  – How & Where to document
  – Where are the logs? Do you have the right logs?
Great Workplace
Build Infrastructure
• Understand your environment
  – DLP, IDS, Firewalls
  – Segmentation
  – Strong passwords
• Physical Security (& Education)
• Encryption - ‘everything’
• Change Management (e.g., iOS 8.0.1)
• Disaster Recovery
• Team training
Basics must be in place
Understanding your Environment
• Users
  – Login patterns (service accounts during night time, login after terms)
  – Account Volumes
  – Last used and time since password change
  – Failed Login Attempts
  – Internal and External access
• Usage
  – Understand Both Systems & Network Configurations
  – Identity of New Network Segments
  – Bandwidth usage of network
  – FTP (22) and Secure (443) site statistics and destinations
  – Website attempts; Blacklisted sites (i.e. outbound blocked sites) or do Whitelisting
Metrics: there is a strong relationship between metrics and problems
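The user login metrics on this slide, as an added example that is not part of the original presentation: Python that runs those checks over an account inventory and authentication events. The account names, record layout, night window and thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the presentation).
ACCOUNTS = {
    "svc_backup": {"service": True, "terminated": None, "pw_changed": "2013-01-10"},
    "jdoe": {"service": False, "terminated": "2014-09-01", "pw_changed": "2014-08-01"},
    "asmith": {"service": False, "terminated": None, "pw_changed": "2014-09-20"},
}
EVENTS = [  # (timestamp, account, result, source)
    ("2014-10-02T02:14:00", "svc_backup", "success", "internal"),
    ("2014-10-02T09:05:00", "jdoe", "success", "external"),
    ("2014-10-02T09:30:00", "asmith", "failure", "external"),
    ("2014-10-02T09:31:00", "asmith", "failure", "external"),
    ("2014-10-02T09:32:00", "asmith", "failure", "external"),
    ("2014-10-02T09:40:00", "asmith", "success", "internal"),
]
AS_OF = datetime(2014, 10, 3)  # assumed review date

def review_logins(events, accounts, as_of, night=(22, 6),
                  max_failures=3, max_pw_age_days=180):
    """Return sorted (account, finding) pairs for the slide's login metrics."""
    findings, failures = set(), Counter()
    for ts, user, result, source in events:
        when = datetime.fromisoformat(ts)
        acct = accounts.get(user)
        if acct is None:  # event for an account missing from the inventory
            findings.add((user, "login attempt by unknown account"))
            continue
        if result == "failure":
            failures[user] += 1
            continue
        # Night window wraps midnight: 22:00 up to (not including) 06:00.
        if acct["service"] and (when.hour >= night[0] or when.hour < night[1]):
            findings.add((user, "service account login at night"))
        term = acct["terminated"]
        if term and when >= datetime.fromisoformat(term):
            findings.add((user, f"{source} login after termination"))
    for user, count in failures.items():
        if count >= max_failures:
            findings.add((user, f"{count} failed logins"))
    for user, acct in accounts.items():
        age = as_of - datetime.fromisoformat(acct["pw_changed"])
        if age > timedelta(days=max_pw_age_days):
            findings.add((user, f"password unchanged for {age.days} days"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in review_logins(EVENTS, ACCOUNTS, AS_OF):
        print(f"{account}: {finding}")
```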
Be Prepared
• The Board wants answers
• HHS-CMS-OCR demands quick answers
• Staff wants full access
• Your community – Public wants assurances
• You want to sleep at night
Q & A
Skip Hubbard