This document discusses cyber security strategies at JFK Health, a 498-bed acute care medical center. It outlines JFK Health's implementation of various cyber security technologies and processes to protect patient data, including intrusion detection systems, encryption of devices and data, secure messaging/texting, and endpoint patch management. It also discusses the challenges of balancing security, costs, and user experience. Regular audits, education of staff, and executive support are emphasized as important factors for success.

1. A CHIME Leadership Education and Development Forum in collaboration with iHT2
Case Studies :Putting Cyber Security Strategies into Action
________
Key Attributes for Success, Challenges and Critical Success Factors
Miroslav Belote, Director IT – Infrastructure, JFK Health
#LEAD14

2. 498 Bed Acute Care Medical Center
98 Bed Johnson Rehabilitation Institute
500 Long Term Care Beds (4 facilities)
Neuroscience Institute of New Jersey
Multi-specialty Physician Group
Assisted Living, EMS, Homecare & Hospice
Accountable Care Organization (MSSP & Comm)
Regional Health Information Exchange
Family Medicine, Rehab & Neuro Residency Programs
JFK Health Overview

3. JFK Health Overview
Inpatient Admissions: 22,000
ED Visits: >80,000
Live Births: 2,392
Outpatient Visits: 210,000
Affiliated Physicians: 800
Employed Physicians: 150
ACO Covered Lives: 50,000

4. HIPAA compliance / Meaningful Use attestation
Increased risk of attacks
•Value of health records
•Cyber terrorism / Malicious hacker activities
Public awareness/concerns over breaches & identify theft
Reputation of the institution at stake
Increasing demand for data on mobile platforms
Highly publicized and sensationalized breach cases
Growth of data exchanges/HIEs
Cyber Security – Drivers

5. Cyber Security – Framework
Governance (Leadership, Board)
Awareness
Education
Identification (Risks, Tools, Skills)
Mitigation (Policies, Controls)
Validation (Audit)

6. Financial
•Automated tools
•Technical expertise
Behavioral
•Culture change – training & awareness
•Responsibility and accountability
•System’s ‘Ease of Use’ vs ‘Best Practices’
Leadership
•Acceptance, adoption & enforcement
•Cost justification
Cyber Security – Challenges

7. “Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of The Advisory Board Company. - David Pittman, Politico, July 2014
“The (healthcare) industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.- David Pittman, Politico, July 2014
"One of the more serious aspects of medical identity theft, unlike traditional financial identity theft crime, is that in the extreme, this could lead to your death," said Ponemon Chairman and Founder Larry Ponemon, in an interview with Healthcare IT News. "Because your medical file could change on blood type, on allergy, on previous procedures.“ - Erin McCann, Healthcare IT News
Cyber Security – Challenges

8. More than Just a ‘Check Mark’
It’s the Right Thing to Do
•For the Patient
•For the Providers
•For the Organization
ALWAYS Work In Progress
Cyber Security

9. Technology
People
Process
Best Practices
Cyber Security @ JFK Health

10. IMPLEMETED or IN-PROGRESS
Intrusion detection / protection systems
Remote monitoring services
End user device encryption
Remote access
Patient data / systems audits
Secure web gateway and web filtering – additional layer of malware protection
Cyber Security @ JFK – Technology

11. IMPLEMETED or IN-PROGRESS
Endpoint patch management
•Configuration management
•Virus and malware protection
•Windows system update services
•Leverage for identifying and addressing ADOBE and JAVA vulnerabilities
Email services
•SPAM/Virus protection services
•Secure/Encrypted email
Mobile Device Management
Secure Messaging / Texting
Cyber Security @ JFK – Technology

12. FUTURE PLANS Adaptive authentication Encryption of enterprise data
• In transit
• At rest
• Corporate ‘Drop Box’ Patient data
• Improved and expanded application audit logs
• Minimize and secure printing of patient data SIEM - Security Information & Event Management
• System log analytics
• Predictive analysis
• Anomaly identification and notification
Cyber Security @ JFK – Technology

13. SECURE MESSAGING/TEXTING – USE CASE
New Emergency Department facility
•60,000 Sq. feet (3X original space)
•70+ private rooms
•Dedicated triage, EMS and ancillary space
•4 distinct ‘pods’ - multiple levels of acuity, pediatrics and fast-track
•Physical changes to space pose communication challenges
Cyber Security @ JFK – Technology

14. SECURE MESSAGING/TEXTING – USE CASE
Technology Implemented
•VoIP Technology
Hospital provided 4G phones secured with locked down image
Personal 4G phones when compatible with private WiFi requirements
WiFi-VoIP phones
MDM tools
•Private/Secure Wi-Fi based calling
In-House extensions
Outside numbers
•Secure Mobile Communications/Texting
Consults
Secure texts (including pictures)
Activity/usage reports available
ASP Model – secured and redundant data storage
Physician and hospital directories
Active Directory integration (coming soon)
Cyber Security @ JFK – Technology

15. LESSONS LEARNED
BYOD vs Corporate Devices
•Staff reluctant to use personal devices
•Physicians prefer to use personal devices
•Infection control issues
•Specific device configurations for performance
•Device support and maintenance
•Costs associated with providing corporate devices
Cyber Security @ JFK – Technology

16. LESSONS LEARNED
Data Governance / Security
•Hosted vs On-Premise solutions
•Access to data for auditing purposes
•Device authentication/PIN policy compliance
•Physician orders via mobile apps
Technology
•Ability to setup and support VoIP for best performance
•Performance monitoring tools
•MDM product selection
•‘Medical grade’ network requirements
Cyber Security @ JFK – Technology

17. Identify your champions
•Medical staff leadership
•Nursing leadership
•CXO Suite
•Compliance committee of the board
Educate
•Champions have to understand not only the costs, but the risks associated with a poor security program
•Develop an education module for all new employees
•Semi-annual staff wide education around privacy and security
Regulatory updates
Changes in technology tools
Policy changes
RECENT CASES ‘IN THE NEWS’
•Reinforce proper behaviors
•Publicize ‘consequences’ of non-compliance
Develop strong partnership between Privacy & Security Officers
Cyber Security @ JFK – People

18. Audit
•Quarterly internal audit of user/system access
•Annual validation/review of appropriate user/system access
•On-going patient information (EPHI) access audit/security
Real-time application level
Enterprise application logs capture/reporting tools
Secure / encrypted email
Secure texting and messaging
•HIPAA compliance and Meaningful Use attestation
Conduct risk assessment analysis at least annually
Obtain or develop risk assessment tools
Maintain issues & issue remediation logs
Engage external subject matter experts to perform audits
Obtain & review SAS70/SOC compliance reports from hosting providers
Policy and Procedures
•Organize to make search simple and accurate
•Review key security policies annually
•Adjust/modify policy with technology changes, if appropriate
Cyber Security @ JFK – Process

19. Q & A
Miroslav Belote - MBelote@jfkhealth.org
A CHIME Leadership Education and Development Forum in collaboration with iHT2