Tuesday, March 2, 2010

The BIDMC IS Security Team

I've just arrived at HIMSS and will begin my day with a breakfast meeting, the Standards Town Hall keynote in Building C Georgia Ballroom 3 from 8:30-9:30am, and numerous chats with colleagues, vendors, and media. I hope to see you at the Convention Center or at the Meet the Bloggers event from 3:30pm-4:30pm at the Social Media Center. I'll be wearing a coal (slightly gray) Kevlar suit.

Yesterday, the new Massachusetts data protection regulations (201 CMR 17.00) went into effect. Given the increased compliance demands in our state and nationally, I'm often asked to describe the structure and staffing of the BIDMC IS Security Team.

BIDMC spends over $1 million per year on people and infrastructure to protect the confidentiality and integrity of healthcare data.

The Chief Information Security Officer (CISO) reports to my second in command, the Chief Administrative Information Officer (essentially the COO of IT).

The Security Team includes the CISO and two other technical staff, both of whom are CISSP certified and SANS audit certified.

At a high level, the IS Security Team is responsible for the overall information security program throughout the hospital. To deliver on such a charge they create security policy and controls in collaboration with business owners. They also perform audits and control all of our specialized security equipment.

The Security Team is a close partner with other aspects of the IT organization. For example, the desktop organization deploys, operates, and manages the antivirus solution. They are responsible for ensuring the antivirus signature (.DAT) files are current and that managed systems have the antivirus loaded and operational. The Security Team has built a scripted audit that runs on a daily basis. The audit verifies that systems are still properly communicating with the centralized antivirus management service. If not, email alerts are issued and the appropriate IS teams can follow up. The point of the split is that the team operating a control is not the team verifying it.
Similar audits are in place for firewall rules (the firewalls are operated by the network team using rules developed by the security team), user access to clinical content, and remote vendor access to systems.
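The two audits described above, as an added example that is not BIDMC's own script (theirs are Perl; this is Python). It assumes two inputs: a CSV export from the antivirus management console with hostname, last check-in time and DAT version, and a text dump of the rules loaded on a firewall, compared against the rule set the security team approved. Both inputs are constructed samples embedded in the block; the field names, the 24-hour check-in window, the minimum DAT version and the mailbox addresses are all assumptions. Findings are returned as data and formatted as an e-mail message; handing the message to `smtplib` (or whatever notifier the site uses) is left to the caller so the script runs offline.

```python
"""Daily control-drift audit: antivirus check-in freshness and firewall rule drift.

Added example, not BIDMC's own script. Inputs are constructed samples standing in
for an antivirus console export and a running firewall policy dump; the field
names, thresholds and addresses are assumptions.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

MAX_CHECKIN_AGE = timedelta(hours=24)   # assumption: a managed host must report at least daily
MIN_DAT_VERSION = 5910                  # assumption: the DAT release the desktop team has pushed
NOW = datetime(2010, 3, 2, 6, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Constructed sample of a console export: hostname, last check-in (UTC), DAT version.
AV_EXPORT = """\
hostname,last_checkin,dat_version
ws-cardio-01,2010-03-02T04:10:00Z,5910
ws-cardio-02,2010-02-27T22:05:00Z,5905
srv-lab-03,2010-03-02T05:30:00Z,5908
ws-ed-11,,
"""

# Constructed sample of the rule set the security team approved (source of truth).
APPROVED_RULES = {
    "permit tcp any 10.1.20.0/24 443",
    "permit tcp 10.1.5.0/24 10.1.20.10 1433",
    "deny ip any any",
}

# Constructed sample of what is actually loaded on the device, as dumped by the network team.
RUNNING_RULES = [
    "permit tcp any 10.1.20.0/24 443",
    "permit tcp 10.1.5.0/24 10.1.20.10 1433",
    "permit tcp any 10.1.20.10 3389",   # added out of band; never went through the security team
    "deny ip any any",
]


def parse_av_export(text):
    """Turn the CSV export into a list of dicts keyed by the header row."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def av_findings(rows, now=NOW, max_age=MAX_CHECKIN_AGE, min_dat=MIN_DAT_VERSION):
    """Hosts that never reported, reported too long ago, or run an outdated DAT."""
    findings = []
    for row in rows:
        host, ts, dat = row["hostname"], row["last_checkin"], row["dat_version"]
        if not ts:
            # Agent installed in inventory but the console has never heard from it.
            findings.append((host, "never checked in"))
            continue
        last = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - last
        if age > max_age:
            findings.append((host, f"last check-in {age.days}d {age.seconds // 3600}h ago"))
        if int(dat) < min_dat:
            findings.append((host, f"DAT {dat} older than required {min_dat}"))
    return findings


def firewall_drift(running, approved):
    """Rules on the device that were never approved, and approved rules that are missing."""
    running_set = {r.strip() for r in running}
    unapproved = sorted(running_set - approved)
    missing = sorted(approved - running_set)
    return unapproved, missing


def build_alert(av, unapproved, missing, sender="is-security@example.org", to="is-oncall@example.org"):
    """Format the findings as an e-mail; the caller passes it to smtplib or another notifier."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = f"Daily control audit: {len(av)} AV, {len(unapproved) + len(missing)} firewall findings"
    body = ["Antivirus hosts needing follow-up:"]
    body += [f"  {host}: {reason}" for host, reason in av] or ["  none"]
    body += ["", "Firewall rules present but not approved:"]
    body += [f"  {r}" for r in unapproved] or ["  none"]
    body += ["", "Approved firewall rules missing from the device:"]
    body += [f"  {r}" for r in missing] or ["  none"]
    msg.set_content("\n".join(body))
    return msg


def run_audit():
    """One daily run over the constructed inputs; returns the raw findings."""
    av = av_findings(parse_av_export(AV_EXPORT))
    unapproved, missing = firewall_drift(RUNNING_RULES, APPROVED_RULES)
    return av, unapproved, missing


if __name__ == "__main__":
    print(build_alert(*run_audit()))
```

The firewall comparison is deliberately exact-match on normalized rule text; if the device reorders or rewrites rules on load, normalize both sides to the same canonical form before diffing, or the audit will page someone every morning for nothing.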

The team has operational responsibilities for 12 intrusion detection sensors located throughout the core network, 8 intrusion prevention devices, 2 SSL VPN appliances, a secure file transfer service, and 2 web content filtering systems. These systems all report back to a centralized syslog service that all IS teams can access as needed to ensure the reliability and integrity of the systems they maintain.

The Security Team has just celebrated its 4 year anniversary. Along the way they have written many Perl scripts and numerous workflow applications in .NET that use SQL Server repositories. Automated forms and workflow management help drive our audits.

If you are starting your own IS security team, you may find the job descriptions we use to be helpful.


Security is a journey and we must innovate constantly. The IS Security Team keeps us on the right path.

1 comment:

Mary Schmidt said...

John,

I'm attending the blog meeting (I'll be the weary-looking blonde in leopard print jacket - non-kevlar ;-))

Quick question re security: How is cloud computing being addressed, or how will it be? I know some are very leery of such due to security concerns (yet some of the most leery think nothing of posting all their personal credit info on Amazon or PayPal.)

And - how is the healthcare industry dealing with security and info social media - or are they?