"Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems
This document discusses cyber security strategies at JFK Health, a 498-bed acute care medical center. It outlines JFK Health's implementation of various cyber security technologies and processes to protect patient data, including intrusion detection systems, encryption of devices and data, secure messaging/texting, and endpoint patch management. It also discusses the challenges of balancing security, costs, and user experience. Regular audits, education of staff, and executive support are emphasized as important factors for success.
Cybersecurity Trends and CyberVision : 2015 - 2025
Similar to "Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems
Similar to "Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems (20)
Salient Features of India constitution especially power and functions
"Case Studies from the Field: Putting Cyber Security Strategies into Action" with Miroslav Belote, Director of Systems & Privacy Officer, JFK Health Systems
1. A CHIME Leadership Education and Development Forum in collaboration with iHT2
Case Studies :Putting Cyber Security Strategies into Action
________
Key Attributes for Success, Challenges and Critical Success Factors
Miroslav Belote, Director IT – Infrastructure, JFK Health
#LEAD14
2. 498 Bed Acute Care Medical Center
98 Bed Johnson Rehabilitation Institute
500 Long Term Care Beds (4 facilities)
Neuroscience Institute of New Jersey
Multi-specialty Physician Group
Assisted Living, EMS, Homecare & Hospice
Accountable Care Organization (MSSP & Comm)
Regional Health Information Exchange
Family Medicine, Rehab & Neuro Residency Programs
JFK Health Overview
3. JFK Health Overview
Inpatient Admissions: 22,000
ED Visits: >80,000
Live Births: 2,392
Outpatient Visits: 210,000
Affiliated Physicians: 800
Employed Physicians: 150
ACO Covered Lives: 50,000
4. HIPAA compliance / Meaningful Use attestation
Increased risk of attacks
•Value of health records
•Cyber terrorism / Malicious hacker activities
Public awareness/concerns over breaches & identify theft
Reputation of the institution at stake
Increasing demand for data on mobile platforms
Highly publicized and sensationalized breach cases
Growth of data exchanges/HIEs
Cyber Security – Drivers
6. Financial
•Automated tools
•Technical expertise
Behavioral
•Culture change – training & awareness
•Responsibility and accountability
•System’s ‘Ease of Use’ vs ‘Best Practices’
Leadership
•Acceptance, adoption & enforcement
•Cost justification
Cyber Security – Challenges
7. “Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of The Advisory Board Company. - David Pittman, Politico, July 2014
“The (healthcare) industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.- David Pittman, Politico, July 2014
"One of the more serious aspects of medical identity theft, unlike traditional financial identity theft crime, is that in the extreme, this could lead to your death," said Ponemon Chairman and Founder Larry Ponemon, in an interview with Healthcare IT News. "Because your medical file could change on blood type, on allergy, on previous procedures.“ - Erin McCann, Healthcare IT News
Cyber Security – Challenges
8. More than Just a ‘Check Mark’
It’s the Right Thing to Do
•For the Patient
•For the Providers
•For the Organization
ALWAYS Work In Progress
Cyber Security
10. IMPLEMETED or IN-PROGRESS
Intrusion detection / protection systems
Remote monitoring services
End user device encryption
Remote access
Patient data / systems audits
Secure web gateway and web filtering – additional layer of malware protection
Cyber Security @ JFK – Technology
11. IMPLEMETED or IN-PROGRESS
Endpoint patch management
•Configuration management
•Virus and malware protection
•Windows system update services
•Leverage for identifying and addressing ADOBE and JAVA vulnerabilities
Email services
•SPAM/Virus protection services
•Secure/Encrypted email
Mobile Device Management
Secure Messaging / Texting
Cyber Security @ JFK – Technology
12. FUTURE PLANS Adaptive authentication Encryption of enterprise data
• In transit
• At rest
• Corporate ‘Drop Box’ Patient data
• Improved and expanded application audit logs
• Minimize and secure printing of patient data SIEM - Security Information & Event Management
• System log analytics
• Predictive analysis
• Anomaly identification and notification
Cyber Security @ JFK – Technology
13. SECURE MESSAGING/TEXTING – USE CASE
New Emergency Department facility
•60,000 Sq. feet (3X original space)
•70+ private rooms
•Dedicated triage, EMS and ancillary space
•4 distinct ‘pods’ - multiple levels of acuity, pediatrics and fast-track
•Physical changes to space pose communication challenges
Cyber Security @ JFK – Technology
14. SECURE MESSAGING/TEXTING – USE CASE
Technology Implemented
•VoIP Technology
Hospital provided 4G phones secured with locked down image
Personal 4G phones when compatible with private WiFi requirements
WiFi-VoIP phones
MDM tools
•Private/Secure Wi-Fi based calling
In-House extensions
Outside numbers
•Secure Mobile Communications/Texting
Consults
Secure texts (including pictures)
Activity/usage reports available
ASP Model – secured and redundant data storage
Physician and hospital directories
Active Directory integration (coming soon)
Cyber Security @ JFK – Technology
15. LESSONS LEARNED
BYOD vs Corporate Devices
•Staff reluctant to use personal devices
•Physicians prefer to use personal devices
•Infection control issues
•Specific device configurations for performance
•Device support and maintenance
•Costs associated with providing corporate devices
Cyber Security @ JFK – Technology
16. LESSONS LEARNED
Data Governance / Security
•Hosted vs On-Premise solutions
•Access to data for auditing purposes
•Device authentication/PIN policy compliance
•Physician orders via mobile apps
Technology
•Ability to setup and support VoIP for best performance
•Performance monitoring tools
•MDM product selection
•‘Medical grade’ network requirements
Cyber Security @ JFK – Technology
17. Identify your champions
•Medical staff leadership
•Nursing leadership
•CXO Suite
•Compliance committee of the board
Educate
•Champions have to understand not only the costs, but the risks associated with a poor security program
•Develop an education module for all new employees
•Semi-annual staff wide education around privacy and security
Regulatory updates
Changes in technology tools
Policy changes
RECENT CASES ‘IN THE NEWS’
•Reinforce proper behaviors
•Publicize ‘consequences’ of non-compliance
Develop strong partnership between Privacy & Security Officers
Cyber Security @ JFK – People
18. Audit
•Quarterly internal audit of user/system access
•Annual validation/review of appropriate user/system access
•On-going patient information (EPHI) access audit/security
Real-time application level
Enterprise application logs capture/reporting tools
Secure / encrypted email
Secure texting and messaging
•HIPAA compliance and Meaningful Use attestation
Conduct risk assessment analysis at least annually
Obtain or develop risk assessment tools
Maintain issues & issue remediation logs
Engage external subject matter experts to perform audits
Obtain & review SAS70/SOC compliance reports from hosting providers
Policy and Procedures
•Organize to make search simple and accurate
•Review key security policies annually
•Adjust/modify policy with technology changes, if appropriate
Cyber Security @ JFK – Process
19. Q & A
Miroslav Belote - MBelote@jfkhealth.org
A CHIME Leadership Education and Development Forum in collaboration with iHT2