
CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security Strategies into Action"


DESCRIPTION

Learn from those in the trenches who have deployed effective cyber strategies in their organizations, foiled attacks and managed breach situations. Learn approaches for success and pitfalls to avoid by exploring the experience of others with deployment and management of cyber security strategies and plans.

Learning Objectives:
• Identify successes, challenges and lessons learned with implementation of cyber strategies
• Identify success strategies for gaining C-suite support and ways cyber security can be integrated into the organization's culture and work processes
• Identify best practices for anticipating new and emerging threats and ways to maintain a proactive rather than reactive position
• Identify approaches for breach preparation and breach management

Featured Speakers:
• Neal Ganguly, MBA, FCHIME, FHIMSS, CHCIO, VP & CIO, JFK Health System
• Miroslav Belote, Director of IT – Infrastructure and Information Security Officer, JFK Health System
• Nassar Nizami, CISO, Yale-New Haven Health System


Page 1: CHIME LEAD New York 2014 "Case Studies from the Field: Putting Cyber Security Strategies into Action"

A CHIME Leadership Education and Development Forum in collaboration with iHT2

#LEAD14

Case Studies from the Field: Putting Cyber Security Strategies into Action

Neal Ganguly, MBA, FCHIME, FHIMSS, CHCIO, VP & CIO, JFK Health System

Miroslav Belote, Director of IT – Infrastructure and Information Security Officer, JFK Health System

Nassar Nizami, CISO, Yale-New Haven Health System

Moderator: Pam Matthews, RN, MBA, CPHIMS, FHIMSS, Vice President, Education & Business Development, CHIME

Sponsors:

Page 2:

Case Studies from the Field: Putting Cyber Security Strategies into Action

● Speaker: Nassar Nizami, CISO, Yale-New Haven Health System ●

Page 3:

Yale New Haven Health System: Who We Are

• Four-Member Delivery Network
• Multiple Clinical Affiliations
• Affiliated with Yale University
• Destination Hospital for Patients Throughout the United States
• Currently Going Through an Affiliation and Acquisition Period

Page 4:

Enterprise-Wide Clinical Systems

Page 5:

Application Inventory

• Inventory of applications in a spreadsheet with key information
• Information we are interested in
• Information we require

Page 6:

External Data Flow

Page 7:

Data Loss Prevention

• Email
• Desktop/Laptops
• Web
• File shares
• Cloud
• Mobile Devices

Page 8:

Exact Data Match

• Pattern-based matches
  – Common
  – xxx-xx-xxxx
  – Potential SSN
  – False positives
• Exact Data Match
  – Match on known and indexed data
  – First Name, Last Name, MRN from EMR
  – First Name, Last Name, Employee ID from HR system
  – False positives decrease significantly
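The two detection modes this slide contrasts, as an added example that is not code from the presentation or from any DLP product. A regex for the xxx-xx-xxxx shape fires on any dashed nine-digit number, while an EDM index built from an EMR export fires only when several fields of one indexed record occur together. The keyed-hash fingerprinting, the field set, the two-field threshold and every name and MRN below are constructed assumptions.

```python
"""Pattern-based SSN matching versus Exact Data Match (EDM).

Added example, not code from the presentation or from any DLP product. It
contrasts the two detection modes on the slide: a regex for the xxx-xx-xxxx
shape fires on any dashed nine-digit number, whereas an EDM index built from a
constructed EMR export fires only when several fields of one indexed record
appear together. The keyed-hash fingerprinting, the field set, the match
threshold and all names and MRNs below are assumptions for illustration.
"""
import hashlib
import hmac
import re

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pattern_matches(text):
    """Pattern mode: every string shaped like an SSN is a potential hit,
    including order numbers, part numbers and phone fragments."""
    return SSN_PATTERN.findall(text)


def _normalise(value):
    """Case-fold and strip punctuation so 'Doe,' and 'DOE' index identically."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


class ExactDataMatchIndex:
    """EDM index over known records. Only HMAC fingerprints of field values are
    kept (assumed design), so the index can sit on scanning servers without
    itself being a copy of the PHI it looks for."""

    def __init__(self, key, fields, min_fields=2):
        self.key = key
        self.fields = tuple(fields)
        self.min_fields = min_fields          # fields of one record needed for a hit
        self.index = {f: {} for f in fields}  # field -> fingerprint -> {record ids}

    def fingerprint(self, value):
        return hmac.new(self.key, _normalise(value).encode(), hashlib.sha256).hexdigest()

    def add_record(self, record_id, record):
        for f in self.fields:
            self.index[f].setdefault(self.fingerprint(record[f]), set()).add(record_id)

    def scan(self, text):
        """Return the ids of records for which at least min_fields distinct
        indexed fields occur in the text, in any order."""
        fingerprints = {self.fingerprint(t) for t in re.findall(r"[A-Za-z0-9-]+", text)}
        matched = {}  # record id -> set of field names seen
        for f in self.fields:
            for fp in fingerprints:
                for rid in self.index[f].get(fp, ()):
                    matched.setdefault(rid, set()).add(f)
        return {rid for rid, seen in matched.items() if len(seen) >= self.min_fields}


# Constructed EMR export standing in for "First Name, Last Name, MRN from EMR".
EMR_EXPORT = {
    "R1": {"first": "Jane", "last": "Doe", "mrn": "0042817"},
    "R2": {"first": "Raj", "last": "Patel", "mrn": "0051190"},
}


def build_demo_index():
    idx = ExactDataMatchIndex(key=b"rotate-me-in-production", fields=("first", "last", "mrn"))
    for rid, rec in EMR_EXPORT.items():
        idx.add_record(rid, rec)
    return idx


# Constructed messages: one pattern false positive, one true EDM hit, one
# lone-surname mention that EDM correctly ignores.
TEXT_ORDER = "Order 123-45-6789 shipped to the loading dock this morning."
TEXT_PATIENT = "Patient Jane Doe, MRN 0042817, missed the Tuesday appointment."
TEXT_SURNAME = "The Doe family picnic is rescheduled."

if __name__ == "__main__":
    idx = build_demo_index()
    for text in (TEXT_ORDER, TEXT_PATIENT, TEXT_SURNAME):
        print(f"{text[:40]!r:45} pattern={pattern_matches(text)} edm={sorted(idx.scan(text))}")
```

The order-number line is the classic pattern false positive; EDM ignores it because no indexed record contains that value. The lone surname is also ignored because a single field never reaches the threshold, which is the mechanism behind the "false positives decrease significantly" point, and raising min_fields to three (all of first name, last name and MRN) tightens it further at the cost of missing partial records.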

Page 9:

Desktop/Laptop

• Client installed on desktops and laptops
• Scans for:
  – Files copied to removable media
  – Internet traffic
  – Local drive scan
• Pattern-based matching (HIPAA policies)
• Data scanned when copied to removable media

Page 10:

Desktop Challenges

• Computer Slow Down
• Hardware Refresh
• Complete Desktop Scan
• Selective Scan
• Good Support for Windows OS
• Support Lacking for non-Windows OS

Page 11:

Web

• Dedicated servers for HTTP
  – ~80% of our overall traffic
• Dedicated servers to scan select protocols like FTP, IRC, etc.
  – Traditionally not a problem area
  – Ended up blocking many protocols
• Challenges:
  – Encrypted traffic is tough to scan
  – Solution requires robust proxy server infrastructure and proper certificate deployment

Page 12:

Email

[Diagram: EDM and HIPAA lexicons applied to email passing between the internal network and the Internet]

• Challenges:
  – Images, especially screen shots
  – PDF files scanned as images
  – Encrypted attachments
  – False positives
    – Marketing & HR
• Policy requires that emails with PHI or sensitive information must be encrypted manually
  – Keyword in subject line
  – Require prior approval
• All outbound emails are scanned for PHI
  – Encrypted if PHI is found
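The outbound policy on this slide as decision logic, an added example that is not code from the presentation or from any email DLP product. A subject keyword forces encryption, any outbound message in which PHI is found is encrypted, and the blind spots the slide lists (screenshots and other images, PDFs without extractable text, encrypted attachments) are reported as uninspected rather than treated as clean. The keyword "[secure]", the internal domain, the regex PHI check standing in for the EDM/lexicon engine, and the messages are constructed assumptions.

```python
"""Outbound email DLP decision logic.

Added example, not code from the presentation or from any email DLP product.
It models the policy on the slide: a keyword in the subject line forces
encryption, any outbound message in which PHI is found is encrypted, and the
content types the slide lists as blind spots (screenshots and other images,
PDFs that carry no extractable text, encrypted attachments) are reported as
uninspected instead of being treated as clean. The subject keyword "[secure]",
the internal domain, the simple regex PHI check standing in for the EDM/lexicon
engine, and all messages below are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

ENCRYPT_KEYWORD = "[secure]"          # assumed subject-line keyword
INTERNAL_DOMAIN = "hospital.example"  # assumed; mail staying here is not outbound
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s#:-]*\d{6,8}\b", re.IGNORECASE),
}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/tiff", "image/bmp"}


@dataclass
class Attachment:
    name: str
    content_type: str
    text: str = ""            # text the scanner could extract; "" if none
    encrypted: bool = False   # password-protected archive/PDF the scanner cannot open


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Verdict:
    action: str        # "allow" or "encrypt"
    reasons: list      # why encryption was applied
    uninspected: list  # attachment names the scanner could not read


def find_phi(text):
    """Names of PHI patterns present in the text, sorted for stable output."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def is_outbound(msg):
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def evaluate(msg):
    """Apply the outbound policy to one message and return a Verdict."""
    if not is_outbound(msg):
        return Verdict("allow", ["internal recipients only"], [])
    reasons, uninspected = [], []
    if ENCRYPT_KEYWORD in msg.subject.lower():
        reasons.append("subject keyword")           # manual encryption request
    found = find_phi(msg.subject + "\n" + msg.body)
    if found:
        reasons.append("phi in body: " + ", ".join(found))
    for att in msg.attachments:
        unreadable = (att.encrypted
                      or att.content_type in IMAGE_TYPES
                      or (att.content_type == "application/pdf" and not att.text))
        if unreadable:
            uninspected.append(att.name)           # a blind spot, not a clean result
            continue
        found = find_phi(att.text)
        if found:
            reasons.append(f"phi in {att.name}: " + ", ".join(found))
    return Verdict("encrypt" if reasons else "allow", reasons, uninspected)


# Constructed messages exercising each branch.
MSG_PHI_BODY = Message("rn@hospital.example", ["clinic@partner.example"],
                       "Follow up", "Patient MRN 0042817 missed the appointment.")
MSG_INTERNAL = Message("rn@hospital.example", ["md@hospital.example"],
                       "Follow up", "Patient MRN 0042817 missed the appointment.")
MSG_KEYWORD = Message("hr@hospital.example", ["auditor@partner.example"],
                      "[SECURE] payroll extract", "See attached.",
                      [Attachment("payroll.zip", "application/zip", encrypted=True)])
MSG_SCREENSHOT = Message("it@hospital.example", ["vendor@partner.example"],
                         "Error on the scheduling screen", "Screenshot attached.",
                         [Attachment("screen.png", "image/png")])

if __name__ == "__main__":
    for m in (MSG_PHI_BODY, MSG_INTERNAL, MSG_KEYWORD, MSG_SCREENSHOT):
        v = evaluate(m)
        print(f"{m.subject!r:35} -> {v.action:8} {v.reasons} uninspected={v.uninspected}")
```

The screenshot message comes back as "allow" with a non-empty uninspected list: that is exactly the "images, especially screen shots" challenge in operational form. An "allow" verdict that carries uninspected attachments should be logged and routed to OCR or human review, not counted as a scan that found nothing.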

Page 13:

File Shares

• Started with ad-hoc scanning – first 2-3 years
• Periodic since last year
  – Scanning has improved
  – Several terabytes in a couple of days

Page 14:

File Share Management

• File share permission and auditing tool
  – Who has access to what shares?
• Thousands of shares
  – Many more folders and sub-folders
• Integrated with DLP
  – Flags folders with sensitive information
  – Extremely helpful in prioritizing
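One way to turn the two data sources on this slide (the permission audit and the DLP folder flags) into a remediation order, as an added example that is not code from the presentation or from the auditing tool it mentions. Shares are ranked by how broadly they are exposed multiplied by how much flagged content they hold, so a few shares out of thousands surface first. Group names, weights, share paths and hit counts are constructed assumptions.

```python
"""Ranking file shares for remediation by combining ACL breadth with DLP findings.

Added example, not code from the presentation or from the permission-auditing
tool it mentions. The slide pairs a "who has access to what" audit with DLP
flags on folders holding sensitive data; this ranks shares by how widely they
are exposed multiplied by how much flagged content they hold, so that a handful
of shares out of thousands surface first. Group names, weights, share paths and
hit counts are constructed assumptions.
"""

# Principals that effectively mean "the whole organisation" (assumed names).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
ACCESS_WEIGHT = {"read": 1, "modify": 2, "full": 3}


def exposure_score(acl):
    """acl: iterable of (principal, access). Broad principals count ten times
    a named group; write access weighs more than read because it also lets a
    user plant or alter files, not just copy them out."""
    score = 0
    for principal, access in acl:
        breadth = 10 if principal in BROAD_PRINCIPALS else 1
        score += breadth * ACCESS_WEIGHT[access]
    return score


def rank_shares(shares, dlp_hits):
    """shares: {path: acl}; dlp_hits: {path: count of DLP-flagged files}.
    Returns (path, exposure, hits, priority) rows, highest priority first.
    Shares with no findings stay in the list at priority 0 so that an
    unscanned or empty share is never silently dropped from review."""
    rows = []
    for path, acl in shares.items():
        hits = dlp_hits.get(path, 0)
        exposure = exposure_score(acl)
        rows.append((path, exposure, hits, exposure * hits))
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))


# Constructed inventory: output of an ACL audit joined with DLP folder flags.
SHARES = {
    r"\\fs1\public":   [("Everyone", "modify")],
    r"\\fs1\hr":       [("HR-Staff", "modify"), ("HR-Leads", "read")],
    r"\\fs1\scans":    [("Domain Users", "read")],
    r"\\fs1\it-tools": [("IT-Ops", "full")],
}
DLP_HITS = {r"\\fs1\public": 10, r"\\fs1\hr": 40, r"\\fs1\scans": 5}

if __name__ == "__main__":
    for path, exposure, hits, priority in rank_shares(SHARES, DLP_HITS):
        print(f"{priority:5} exposure={exposure:3} hits={hits:3} {path}")
```

With these inputs the public share (ten flagged files, writable by Everyone) outranks the HR share (forty flagged files, two named groups): the ranking deliberately rewards closing broad access first, which is the "who has access to what" question the audit tool is there to answer. The weights are the knob to tune once the real hit counts and group memberships are in hand.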

Page 15:

Governance & Timeline

• Acquired solution
• Implemented Email & Web
  – Email was a quick win
• Desktop – four years for 80% coverage
• Committee to direct implementation

Page 16:

Cloud & Mobile Devices

Cloud:
• Hosted emails, Office 365, Box.net, etc.
• No good solution
  – Some vendors offer basic DLP capabilities
  – Scanning may be possible if data originates from the corporate network

Mobile Devices:
• No good solution
  – Computing capability
  – Different OS
  – Limited access to API
• VPN back to corporate
  – Slow
  – Can be bypassed

Page 17:

Lessons Learned

[Diagram: User Communication, Skilled Team, Multiple Servers, Part of Solution, Slowness]

Page 18:

Lessons Learned

• User communication
• Dedicated & skilled team
  – Takes time to understand false positives
• Scalability
  – Plan for multiple servers with lots of processing power
• DLP alone is not an effective tool against someone who is trying to bypass controls
  – Part of a solution
• Desktop client may cause slowness

Page 19:

Next Steps/Wish List

• Notification to management
• Active blocking of network protocols
• Incorporate SSL
  – Technically challenging
• Apple computers
• Mobile device integration
• Cloud-based storage
• Involve business*

Page 20:

Reference

Page 21:

Facts & Figures

• Medical staff: 5,675
• Employees: 18,345
• Total Licensed Beds: 2,130
• Inpatient Discharges: 93,923
• Outpatient Visits: 1,397,632
• Total Assets: $3.6 billion
• Net Revenue: $2.6 billion

Page 22:

Q & A

Contact Information: Nassar Nizami