Protect, Protect, Protect… Now SHARE

1. Protect, Protect, Protect… Now SHARE • John D. Halamka MD • Chief Information Officer

2. The State of the Internet • Studies indicate 48% of internet systems are infected now (worldwide) • Escalation of malware quality and quantity, began in March-April of 2011 (organized crime now uses internet identity theft as a business) • A new virus is released every 30 seconds, there is a 400% increase in Android device hacking, and150000 malware variants are found on the internet at any moment (80% are on legitimate websites) • Risk exists on all Windows, Mac OS X, and Linux platforms (alas, there is no silver bullet)

3. The State of the Internet • Commercialization of root kits • Fast flux re-packaging • Signature solutions becoming less effective • Angry Birds • Steganography on the rise • Content cloaking on Google and Facebook • Adobe and Java vulnerabilities

4. The State of BIDMC • 14501 total devices on network • 3353 research, departmental and personal devices are not managed by IT (these are the most often infected) • 11566 BIDMC user accounts • 589 Needham user accounts • 212 Websites or applications with remote access

5. The Risk • Every day users download malware and we eliminate it via early detection, remote access to the device or a visit to the device • We have much more sophisticated monitoring systems than most hospitals so we can see what is happening • We have hired numerous industry specialists from McAfee, RSA and Verizon to study our environment. • Although they have made a few technology suggestions, the major need is policy improvement

6. The Risk - Home Computers

7. Mitigation • Surveillance and Detection • Scheduled vulnerability scans of managed devices using Nexpose • Augment internal capability with Dell SecureWorks hosting services • More extensive use of logs to identify and correlate suspicious behavior • Containment and Cleaning • Locking down outbound connection from servers, i.e. “white listing” • More aggressive anti-virus update cycle as released rather than time of day • More frequent full scans 3x daily rather than 2x weekly • Higher sensitivity settings on scans

8. Mitigation • Prevention • Increase Internet content filtering restrictions • Reduce/eliminate local administrative rights on workstations and laptops • Introduce McAfee Site Advisor to alert users of web site reputation • Stepped up use of Intrusion Protection blocks on web activity • More aggressive updates of Java, Adobe and other high risk apps • Two-factor identification for remote users • Isolate FDA regulated devices

9. Mitigation • Metrics and Controls • Baseline “risk” level of each subnet • Past incidence of malware • Extent of local administrative rights • Content filtering rules • Average Nexpose score • Incidence of devices with out-of-date anti-virus files

10. Digital Loss Prevention Pilot • Determine impact of controls • Tune as needed • Apply across the enterprise only after Ops review of data and additional policymaking • Observe and adjust on continuing basis

11. My Breaches in 2012 • The Stolen Laptop • The Infected Radiology Workstation

12. A 20 Step Program • 1. Inventory of Authorized and Unauthorized Devices • 2. Inventory of Authorized and Unauthorized Software • 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers • 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches • 5. Boundary Defense • 6. Maintenance, Monitoring, and Analysis of Security Audit Logs • 7. Application Software Security • 8. Controlled Use of Administrative Privileges • 9. Controlled Access Based on Need to Know • 10. Continuous Vulnerability Assessment and Remediation

13. A 20 Step Program • 11. Account Monitoring and Control • 12. Malware Defenses • 13. Limitation and Control of Network Ports, Protocols, and Services • 14. Wireless Device Control • 15. Data Loss Prevention • 16. Secure Network Engineering • 17. Penetration Tests • 18. Incident Response Capability • 19. Data Recovery Capability • 20. Security Skills Assessment and Appropriate Training to Fill Gaps

14. Creating a Secure Regional HIE HIE Services Repository of physician names, entities, affiliations, and security credentials Provider directory “Lookup” services Repository of security certificates for authorized users of HIE services Certificate repository Adaptor that transforms messages from one standard to another without decrypting the message DIRECT gateway “Message-handling” services Secure, encrypted mailbox for users without standards-compliant EHR Web portal mailbox

15. 3 ways to connect to MA HIway User types HIE Services 3 methods of accessing HIE services Physician practice Provider directory EHR connects directly Hospital Certificate repository EHR connects through LAND Long-term care Other providers Public health Health plans DIRECT gateway Browser access to webmail inbox Web portal mailbox Labs and imaging centers

16. Golden Spike Transactions MA HIway production exchanges transacted on October 16, 2012 Participating vendors: Orion Health, Meditech, Cerner, eClinicalWorks, LMR (Partners), webOMR (BID), Epic, Siemens

17. Phase 1 infrastructure • Release 1 (October 16, 2012) • Direct Gateway with 4 integration options: SMTP/SMIME, XDR/SOAP, LAND appliance • Provider directory v1 • AIMS/Public key infrastructure v1 • Release 2 (December 17, 2012) • Participant enrollment portal (November, 2012) • Webmail (November, 2012) • HL7 Gateway (syndromic surveillance, ELR, CBHI) • IMPACT (SEE, web-based CDA-editor for long-term care facilities) • Provider directory v2 • AIMS/Public key infrastructure v2 • Vendor-hosted cloud supports both HIE and HIX/IES • Orion Health prime contractor • Unlimited license for Oracle Software for all 3 Phases of HIE and HIX/IES • Enterprise license for Orion Rhapsody Integration Engine • Leveraging existing IBM Initiate licenses

18. Updated plan Original high-level plan from 12/11/2011 Updated plan as of 10/23/2012    

19. Questions? • http://geekdoctor.blogspot.com