"Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote,...


"Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems

Transcript of "Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote,...

Page 1: "Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems

A CHIME Leadership Education and Development Forum in collaboration with iHT2

Case Studies: Putting Cyber Security Strategies into Action

Key Attributes for Success, Challenges and Critical Success Factors

Miroslav Belote, Director IT – Infrastructure, JFK Health

#LEAD14

Page 2

JFK Health Overview

498 Bed Acute Care Medical Center

98 Bed Johnson Rehabilitation Institute

500 Long Term Care Beds (4 facilities)

Neuroscience Institute of New Jersey

Multi-specialty Physician Group

Assisted Living, EMS, Homecare & Hospice

Accountable Care Organization (MSSP & Comm)

Regional Health Information Exchange

Family Medicine, Rehab & Neuro Residency Programs

Page 3

JFK Health Overview

Inpatient Admissions: 22,000

ED Visits: >80,000

Live Births: 2,392

Outpatient Visits: 210,000

Affiliated Physicians: 800

Employed Physicians: 150

ACO Covered Lives: 50,000

Page 4

Cyber Security – Drivers

HIPAA compliance / Meaningful Use attestation

Increased risk of attacks

• Value of health records

• Cyber terrorism / Malicious hacker activities

Public awareness/concerns over breaches & identity theft

Reputation of the institution at stake

Increasing demand for data on mobile platforms

Highly publicized and sensationalized breach cases

Growth of data exchanges/HIEs

Page 5

Cyber Security – Framework

Governance (Leadership, Board)

Awareness

Education

Identification (Risks, Tools, Skills)

Mitigation (Policies, Controls)

Validation (Audit)

Page 6

Cyber Security – Challenges

Financial

• Automated tools

• Technical expertise

Behavioral

• Culture change – training & awareness

• Responsibility and accountability

• System’s ‘Ease of Use’ vs ‘Best Practices’

Leadership

• Acceptance, adoption & enforcement

• Cost justification

Page 7

Cyber Security – Challenges

“Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of The Advisory Board Company. - David Pittman, Politico, July 2014

“The (healthcare) industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated. - David Pittman, Politico, July 2014

"One of the more serious aspects of medical identity theft, unlike traditional financial identity theft crime, is that in the extreme, this could lead to your death," said Ponemon Chairman and Founder Larry Ponemon, in an interview with Healthcare IT News. "Because your medical file could change on blood type, on allergy, on previous procedures." - Erin McCann, Healthcare IT News

Page 8

Cyber Security

More than Just a ‘Check Mark’

It’s the Right Thing to Do

• For the Patient

• For the Providers

• For the Organization

ALWAYS Work In Progress

Page 9

Cyber Security @ JFK Health

Technology

People

Process

Best Practices

Page 10

Cyber Security @ JFK – Technology

IMPLEMENTED or IN-PROGRESS

Intrusion detection / protection systems

Remote monitoring services

End user device encryption

Remote access

Patient data / systems audits

Secure web gateway and web filtering – additional layer of malware protection

Page 11

Cyber Security @ JFK – Technology

IMPLEMENTED or IN-PROGRESS

Endpoint patch management

• Configuration management

• Virus and malware protection

• Windows system update services

• Leverage for identifying and addressing ADOBE and JAVA vulnerabilities

Email services

• SPAM/Virus protection services

• Secure/Encrypted email

Mobile Device Management

Secure Messaging / Texting

Page 12

Cyber Security @ JFK – Technology

FUTURE PLANS

Adaptive authentication

Encryption of enterprise data

• In transit

• At rest

• Corporate ‘Drop Box’

Patient data

• Improved and expanded application audit logs

• Minimize and secure printing of patient data

SIEM - Security Information & Event Management

• System log analytics

• Predictive analysis

• Anomaly identification and notification

Page 13

Cyber Security @ JFK – Technology

SECURE MESSAGING/TEXTING – USE CASE

New Emergency Department facility

• 60,000 Sq. feet (3X original space)

• 70+ private rooms

• Dedicated triage, EMS and ancillary space

• 4 distinct ‘pods’ - multiple levels of acuity, pediatrics and fast-track

• Physical changes to space pose communication challenges

Page 14

Cyber Security @ JFK – Technology

SECURE MESSAGING/TEXTING – USE CASE

Technology Implemented

• VoIP Technology
    ◦ Hospital provided 4G phones secured with locked down image
    ◦ Personal 4G phones when compatible with private WiFi requirements
    ◦ WiFi-VoIP phones
    ◦ MDM tools

• Private/Secure Wi-Fi based calling
    ◦ In-House extensions
    ◦ Outside numbers

• Secure Mobile Communications/Texting
    ◦ Consults
    ◦ Secure texts (including pictures)
    ◦ Activity/usage reports available
    ◦ ASP Model – secured and redundant data storage
    ◦ Physician and hospital directories
    ◦ Active Directory integration (coming soon)

Page 15

Cyber Security @ JFK – Technology

LESSONS LEARNED

BYOD vs Corporate Devices

• Staff reluctant to use personal devices

• Physicians prefer to use personal devices

• Infection control issues

• Specific device configurations for performance

• Device support and maintenance

• Costs associated with providing corporate devices

Page 16

Cyber Security @ JFK – Technology

LESSONS LEARNED

Data Governance / Security

• Hosted vs On-Premise solutions

• Access to data for auditing purposes

• Device authentication/PIN policy compliance

• Physician orders via mobile apps

Technology

• Ability to set up and support VoIP for best performance

• Performance monitoring tools

• MDM product selection

• ‘Medical grade’ network requirements

Page 17

Cyber Security @ JFK – People

Identify your champions

• Medical staff leadership

• Nursing leadership

• CXO Suite

• Compliance committee of the board

Educate

• Champions have to understand not only the costs, but the risks associated with a poor security program

• Develop an education module for all new employees

• Semi-annual staff wide education around privacy and security
    ◦ Regulatory updates
    ◦ Changes in technology tools
    ◦ Policy changes
    ◦ RECENT CASES ‘IN THE NEWS’

• Reinforce proper behaviors

• Publicize ‘consequences’ of non-compliance

Develop strong partnership between Privacy & Security Officers

Page 18

Cyber Security @ JFK – Process

Audit

• Quarterly internal audit of user/system access

• Annual validation/review of appropriate user/system access

• On-going patient information (EPHI) access audit/security
    ◦ Real-time application level
    ◦ Enterprise application logs capture/reporting tools
    ◦ Secure / encrypted email
    ◦ Secure texting and messaging

• HIPAA compliance and Meaningful Use attestation
    ◦ Conduct risk assessment analysis at least annually
    ◦ Obtain or develop risk assessment tools
    ◦ Maintain issues & issue remediation logs
    ◦ Engage external subject matter experts to perform audits
    ◦ Obtain & review SAS70/SOC compliance reports from hosting providers

Policy and Procedures

• Organize to make search simple and accurate

• Review key security policies annually

• Adjust/modify policy with technology changes, if appropriate

Page 19

Q & A

Miroslav Belote - [email protected]

A CHIME Leadership Education and Development Forum in collaboration with iHT2