Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner

 Mark Gaynor, PhD – Saint Louis University School of Public Health, St. Louis, MO Associate Professor, Department of Health Management and Policy  Feliciano Yu, M.D. – Washington University School of Medicine, St. Louis, MO CMIO of Barnes Children’s Hospital and Assistant Professor at Washington University School of Medicine  Bryan Duepner, MHA – Saint Louis University School of Public Health, St. Louis, MO Graduate Research Assistant

 Security Management Reasons What are management models? ISO Model Maintenance Model  Conclusion Importance of security management

 Avoid overconfidence after implementation of improved information security procedures  Organizational changes: New assets acquired New vulnerabilities emerge Business priorities and strategic goals shift Partnerships change Organizational divestiture and acquisition Employee hire and turnover

 Security is an ongoing task that never finishes  Security must be a way of thinking, not an afterthought  Security management Cycle Testing current security procedures Identifying the weaknesses, Improving the system, Restart the cycle  Security systems must evolve More expensive to reengineer information security profile than evolve it

 Basic question: How can the need for information and the need to protect privacy be balanced?  Strict authorization control Credentials to access information  Audit and accountability Audit all access to all patient information Hold people accountable for unauthorized access

 Management model must be supported by top management to promote adoption and smooth operation of ongoing security program

 Effective security systems are layered  Layered home security system Locked door Alarm system Big dog Safe Only as good as weakest link Firewall to prevent outside access Large Pet Door

 Layered computer security All systems have strong passwords All applications have strong passwords All system are in secure locations Firewall to prevent outside access

 Five areas of ISO model transformed into five areas of security management: Fault management Configuration and change management Accounting and auditing management Performance management Security program management

 Identifying, tracking, diagnosing, and resolving faults in system  Vulnerability assessment with simulation and penetration testing simulated attacks exploiting documented vulnerabilities Real testing for undocumented vulnerabilities  Tracking and resolving user complaints  Train help desk personnel to recognize security problem and how to report them

 Administration of the configuration of security program components  Administration of changes in strategy, operation, or components  Nontechnical changes: Impact procedures and people  Technical changes: Technology implemented to support security efforts in the hardware, software, and data components

 Information system auditing is used to monitor use of particular component of a system  Reviewing use of a system, not to check performance, but to determine misuse or malfeasance; automated tools can assist  Look for abnormal access Sequential access to patient records in a large hospital is one possible abnormal access pattern

 Important to monitor performance of security systems and underlying IT infrastructure to determine if they are working effectively  Common metrics are applicable in security, especially when components being managed are associated with network traffic  Need baselines to establish performance of security system

 Designed to focus organizational effort on maintaining systems  Five areas recommended for maintenance model: External monitoring Internal monitoring Planning and risk assessment Vulnerability assessment and remediation Readiness and review

 University Information Security Office provides the following security services to xyz School of Medicine Will be the central Information Security Office for the School of Medicine Create, maintain, review and communicate information security policies, guidelines and procedures Review, document, approve and track exceptions to those policies, guidelines and procedures Track and communicate legal and regulatory legislation that will impact the University Work with business units to develop Business Continuity plans for the School of Medicine Track compliance efforts

Develop and present training and awareness materials Implement security controls to monitor and protect the network from attacks or disclosures Communicate with departments through security liaisons changes in policy, controls or requirements Track reported incidents and their resolutions Conduct Risk Assessments of new or modified processes or configurations Work with departments to help them develop secure operating procedures Serve as an intermediary to the departments during external audits

 Comprehensive view  Aggregates logs and events from all network devices, security systems, and applications  Events happen and may create an incident

 Importance of Security Management Necessary for protection of assets Models used to provide a framework for security decisions within the organization Different models can be used at different times, or simultaneously, for different purposes  Security is more a management problem than a technical problem