chime lead dc 2014 “key attributes for success, challenges and critical success factors” with...

Creating an Effective Cyber Security Strategy

________ Key Attributes for Success, Challenges and

Critical Success Factors

Skip Hubbard, MBA, FCHIME, LCHIME, CHCIO SVP, Business Intelligence & Performance Improvement

Bon Secours Health System

#LEAD14

A CHIME Leadership Education and Development Forum in collaboration with iHT2

2

A $3.4 billion not-for-profit Catholic health system, Bon Secours Health System, Inc. (BSHSI) owns, manages or joint ventures:

• 19 Acute Care Hospitals ‒ 14 Owned ‒ 5 Joint Ventures

• 15 Post-acute Centers • 14 Home Care/Hospice Providers • 2.3 Million Patient Care Encounters • 9 Communities in 6 states • Over 23,000 caregivers • 850 Physicians • 60,000 System users • 136,000 Clinical Portal users


What is Needed

• Build Relationships

• Establish the Culture

• Education

• Risk Analysis

• Build a Core Security Team

• Build Infrastructure


Build Relationships

• Board (Governance & Relationship)

• Executive Awareness & Support

• Internal, Teams Across Disciplines – IA, Privacy, CRO

– HR, Legal, Technology …

• External Relationships – Law Enforcement

– Media Firm

– Cyber liability Insurer

• Education


Establish the Culture

• Leaders are aware and talk about security

• Education of everyone (staff, faculty, physicians, …)

• Framework – Detailed Plan – Testing – Are you using NIST or ISO …

– Issues and Investigations protocols

– Incident Reporting: (PHI, PII, PCI, Hacks)

• Do Audits of: – Easy-to-guess password on system audits

– Vendor management – SSAE16, SOC2 Type2 Reports

– Access modes & points - Cloud computing

• In healthcare security involves Privacy & Cyber Security


Risk Analysis

• Risk Assessment:

– Part of the companies ‘ERM’ ?

– What is your risk tolerance, for each class of data • Level of user access to data & systems

• Leakage thru employee – (error, misuse)

– "Lifecycle" approach to Policy and Procedures

– Technology portfolio • Spending/Budget for Security

• Up-to-date ? – – System Patch Levels - Virus Protection Levels


Build a Core Security Team

• Determine Core Security Team

– Knowledge of Regulation (Federal & State) • what states people live in, if data accessed

– Turnover & Retention

– Tools & Training

• Incident Response Team Needs – Plans & Escalation plan

– Breach reporting

– How & Where to document

– Where are the logs? Do you have the right logs?

Great Workplace


Build Infrastructure

• Understand your environment – DLP, IDS, Firewalls

– Segmentation

– Strong passwords

• Physical Security (& Education)

• Encryption - ‘everything’

• Change Management (i.e iOS 8.0.1)

• Disaster Recovery

• Team training

Basic must be in place


Understanding your Environment

• Users – Login patterns (service accounts during night time, login after terms)

– Account Volumes

– Last used and time since password change

– Failed Login Attempts

– Internal and External access

• Usage – Understand Both Systems & Network Configurations

– Identity of New Network Segments

– Bandwidth usage of network

– FTP (22) and Secure (443) site statistics and destinations

– Website attempts; Blacklisted sites (i.e. outbound blocked sites) or do Whitelisting

Metrics; There is a strong relationship between metrics and problems



Be Prepared

• The Board wants answers

• HHS-CMS-OCR demands quick answers

• Staff wants full access

• Your community – Public wants assurances

• You want to sleep at night

Q & A

Skip Hubbard [email protected]
