Securing Your Agile, Mobile Clinicians — Breach Case Study
Phil Alexander, Information Security Officer, UMC Health System
Ellen M. Derrico, Sr. Director Healthcare, RES Software
Conflict of Interest
Phil Alexander, B.S., Security+, CEH, C|CISO
Has no real or apparent conflicts of interest to report.
Conflict of Interest
Ellen Derrico, B.Sc., MBA
Salary: RES Software
Royalty: N/A
Receipt of Intellectual Property Rights/Patent Holder: N/A
Consulting Fees (e.g., advisory boards): N/A
Fees for Non-CME Services Received Directly from a Commercial Interest or their Agents (e.g., speakers’ bureau): N/A
Contracted Research: N/A
Ownership Interest (stocks, stock options or other ownership interest excluding diversified mutual funds): N/A
Other: N/A
Agenda
• Introduction
• Set up of the security problem
• UMC Health System – a case study of security best practices
• Wrap up and Q&A
Learning Objectives
• Learning Objective 1: Diagram factors that affect quality of care delivery and cost, highlighting where security factors into both areas
• Learning Objective 2: Show the relationship between the clinical workforce’s need for agility, mobility and engagement and IT’s challenge to manage risk, security and compliance
• Learning Objective 3: Recognize best practices for implementing successful security programs, education, training and technology at UMC Texas
• Learning Objective 4: Define cost justification in spending for security education, training and technology
STEPS — Satisfaction
Security technology, education, and breach plan: patients express more satisfaction knowing their records are safe and their private information is better protected.
Security education programs: engaging programs help clinicians be more security conscious, less stressed, and more focused on patients.
• Reduction of executed phishing emails by 70%
• Auditing issues down 80%
• Clinician satisfaction up 88%
Poll — Security Question #1
Security breaches can occur through:
A. Viral attacks
B. Malware attacks
C. Phishing
D. All of the above
Poll — Security Question #2
The responsibility for preventing security breaches falls to:
A. Chief Security Officer
B. IT Staff
C. End Users
D. All of the above
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology, programs, education and training on security.
The Healthcare Landscape & Role of Security
How do we balance quality of care and sustainability in an increasingly risky environment, and how risky is it?
Overall Healthcare Landscape
(Diagram labels: CARE DELIVERY; SUSTAINABILITY; Patient Engagement; Cost Reduction; Organizational Agility; Manage Risk: Compliance & Security)
Can you afford to have your name in the press for the next big data breach?
Breach Data
An alarming 91 percent of healthcare organizations reported a data breach in the past two years. Some 45 percent of them were the victims of deliberate attacks by cybercriminals seeking to steal the medical and financial information of their patients – a figure that has risen 125 percent since 2010:
https://www.yahoo.com/tech/report-nearly-half-of-us-healthcare-organizations-118323228724.html.
Breach by Incident Type and Counter Measures
(Incident-type chart not reproduced.)
Counter Measures:
• Immediate offboarding and computer lock down
• White & black listing
• Profile management
• Immediate offboarding and computer lock down
• All of the above
Why is Security So Important?
• According to the Spotlight Report: Insider Threat, conducted by the Crowd Research Partners, the biggest risk for a data breach is with privileged users like clinicians (59% of the threat).
• Clinicians are busy and should be focused on patients, so sometimes they might not be concentrating on whether or not to click on an email or a link.
• Clinicians roam – they are mobile and use multiple devices. Devices can be lost or stolen. More devices and more movement = more risk.
• On May 27th, NBC Nightly News aired another report by Stephanie Gosk on how this data is being used to steal identities and medical services, sell them on the open market, and defraud insurance providers: http://www.nbcnews.com/news/us-news/electronic-medical-records-latest-target-identity-thieves-n365591.
UMC Health System, Texas
A case study on how best to approach security — the 3-prong approach for mitigating risk of breach.
3 Pronged Approach to Security & Compliance
Education
Technology
Response
Education & Awareness
• Myth or Reality
– Users are the weakest link
– Users hate security training
• My PHILosophy
– Educate without users knowing
– Less “HIPAA” – Rules & Regulations w/o Relationships Result in Rebellion
– It’s not business, it’s personal
– Start with Why
Education & Awareness Outcomes
Phishing incidents down 70%
Email & File Encryption up 50%
Technology
• Provisioning & De-Provisioning
– Role based access
– Quickly and accurately provision/de-provision
– Variety of users — staff/students/vendors/etc.
• Delivery of Services
– Printing – quickly print to the right device in the right location, without human intervention (printer mapping)
– Faster VDI loading due to not loading unneeded drivers
• Security
– AV and Firewalls are 8th grade level
– White listing applications and file types (exe, zip, etc.)
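The counter measures slide (immediate offboarding and computer lock down, white listing) and the Technology slide (role-based access, fast provision/de-provision, white-listed file types) describe a policy rather than an implementation. The following is an added example, not code from the deck, from UMC Health System or from RES Software: a small role-based directory in which entitlements are derived from roles rather than stored per user, de-provisioning disables the account and kills every live session in one step, and a deny-by-default allow list refuses file types that are not explicitly permitted. The role names, entitlements, sample user and session ids are constructed for illustration.

```python
"""Added example (not from the deck, UMC Health System or RES Software):
role-based provisioning with immediate de-provisioning and a
deny-by-default allow list for file types. Roles, entitlements and the
sample user below are constructed, not UMC's real configuration."""
import os
from dataclasses import dataclass, field

# Constructed role-to-entitlement map (hypothetical roles).
ROLE_ENTITLEMENTS = {
    "clinician": {"ehr.read", "ehr.write", "print.ward"},
    "student": {"ehr.read"},
    "vendor": {"vpn.remote", "app.maintenance"},
}

# Deny-by-default allow list: anything not listed (exe, zip, ...) is refused.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".dcm"}


@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    active: bool = True
    sessions: set = field(default_factory=set)  # ids of live sessions

    def entitlements(self) -> set:
        """Entitlements are derived from roles and never stored per user,
        so dropping a role or disabling the account revokes them at once."""
        if not self.active:
            return set()
        ents = set()
        for role in self.roles:
            ents |= ROLE_ENTITLEMENTS[role]
        return ents


class Directory:
    def __init__(self):
        self.accounts = {}

    def provision(self, user, roles):
        """Onboard a user with a set of known roles (staff/student/vendor)."""
        unknown = set(roles) - set(ROLE_ENTITLEMENTS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        acct = Account(user=user, roles=set(roles))
        self.accounts[user] = acct
        return acct

    def open_session(self, user, session_id):
        acct = self.accounts[user]
        if not acct.active:
            raise PermissionError(f"{user}: account disabled")
        acct.sessions.add(session_id)

    def deprovision(self, user):
        """Immediate offboarding: disable the account, strip its roles and
        terminate every live session in one step. Returns the killed sessions."""
        acct = self.accounts[user]
        acct.active = False
        acct.roles.clear()
        killed = set(acct.sessions)
        acct.sessions.clear()
        return killed

    def authorize(self, user, session_id, entitlement):
        """A request passes only with a known, active account, a live
        session and a role that grants the entitlement."""
        acct = self.accounts.get(user)
        if acct is None or not acct.active or session_id not in acct.sessions:
            return False
        return entitlement in acct.entitlements()


def file_allowed(filename):
    """Deny-by-default check on the final extension, so 'report.pdf.exe'
    is judged as .exe and refused."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    d = Directory()
    d.provision("clinician01", ["clinician"])  # constructed sample user
    d.open_session("clinician01", "sess-1")
    print(d.authorize("clinician01", "sess-1", "ehr.write"))  # True
    print(d.deprovision("clinician01"))                       # {'sess-1'}
    print(d.authorize("clinician01", "sess-1", "ehr.read"))   # False
    print(file_allowed("report.pdf.exe"))                     # False
```

The design point is that `authorize` checks account state and session liveness on every request, so off-boarding takes effect instantly rather than at the next login, and `file_allowed` starts from an empty permission set instead of a list of banned types.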
Technology Outcomes
Printer related incidents down from 65% to 5%
Onboarding went from 3-4 months to less than 10 minutes
Off-boarding dropped from 6 months to instantaneous
Response
• Assume you are already breached
– Where’s Waldo / Capture the Flag
• Monitoring and detection
– CSIRT team
– “Grow a Geek”
• Planning
– Written and tested plan
• Cat 1-7
• Go-Dark
Response Outcomes
CSIRT incidents from ~5mo Cat4 to ~20 Cat1-6
Risks identified = 25 HIGH
STEPS — Savings
Security breaches take time to clean up: we found that it took one of our customers 3-4 days to clean up an executed malware virus that came in through email.
Security breaches are expensive: a Ponemon Institute survey* found the average cost of a healthcare security breach is $3.8 million.
• Est. savings for cleanup of basic infections: $28k per year
• Est. savings on onboarding and off-boarding users: $187k per year
*http://www.nbcnews.com/tech/security/ponemon-institute-n364871
Poll — Security Question #3
True/False:
• You can fully prevent a security breach with the right technology, programs, education and training on security.
• Correct answer is: False.
While we would love to say this is true, the rate at which viruses and malware are being created (it has doubled in the last 2 years!) means it is not a matter of “if” but “when”. You can significantly reduce the possibility of a breach by adding extra layers of security and by training and educating your staff, and you can prepare for and reduce the impact by having a plan for when it happens.
Thank You & Questions
Ellen M. Derrico
+1 484 787 8370
Twitter handle: @ellenmd1
linkedin.com/in/ellenderrico
Phil Alexander
+1 806 775 9099
twitter.com/PhilDAlexander
linkedin.com/in/philalexander1