
Changing Your Corporate Information Security Culture: The Battle For Hearts And Minds




  1. Changing Your Corporate Information Security Culture: The Battle For Hearts And Minds
     AMC Security & Privacy: Progress & Prospects
     Research Triangle Park, NC

  2. Panelists
     • James McNamee, PhD, Associate Dean of Information Services and CIO, University of Maryland School of Medicine
     • Matt Kramer, GSEC, Technical Security Manager, University Physicians, Inc.
     • Kathy Maddock, MSA, FACMPE, Senior Administrator, Dept. of Family Medicine, University of Maryland School of Medicine

  3. Changing AHC Security Culture
     James McNamee, PhD, Associate Dean of Information Services and CIO, University of Maryland School of Medicine

  4. What Is Culture?
     • Shared attitudes, values, goals, and practices that characterize a company or corporation
     • Organizations have a culture whether they admit it or not
     • Often undocumented
     • Sometimes readily apparent

  5. Elements of Culture
     • Attitudes
       • Having significant feelings or emotions
     • Values
       • Relative worth or importance of people and things
     • Goals
       • Ends toward which effort is directed
     • Practices
       • The usual ways of doing things

  6. Shadow Culture (diagram: Attitudes, Values, Goals, Practices, Norms, Assumptions)

  7. Example of AHC Culture
     • Attitudes
       • “Change means more work for me”
       • “I know best what the patient needs”
     • Values
       • “We deliver high-quality health care”
       • “My role is patient care. The rest is someone else’s responsibility”
     • Goals
       • “Reducing medical errors is a high priority”
       • “I won’t become a member of the thought police!”
     • Practices
       • “I don’t need to lock my PDA. It’s always in my possession”
       • “I know everyone in Billing and I trust they won’t misuse PHI”

  8. Culture Change
     • Change in attitude
       • “Change means more work for me”
       • “Change makes work interesting, a sense of accomplishment”
     • Broadening a value
       • “My role is patient care. The rest is someone else’s responsibility”
       • “Patient privacy is more than closing the exam room door”
     • Re-interpreting a goal
       • “Reducing medical errors is a high priority”
       • “Our patients should feel safe in every possible way”
     • Simple new practices
       • “I don’t need to lock my PDA. It’s always in my possession”
       • “Click, click, click. My PDA is unlocked and ready to use”

  9. Making a Culture Change
     • Fundamentally different way to think about security
     • Motivating people to think, act or feel differently
     • Steps along the way
       • Identify shared problems
       • Establish new behaviors to solve them
       • Reinforce those behaviors
       • Repeat until new behaviors eventually stick

  10. Instant Motivation
     “The critical task of a leader is to create a sense of crisis. No organization is going to change in a fundamental way unless it believes there’s real pain staying the way [it is].” (Louis Gerstner, former CEO of IBM)

  11. “Sense of Crisis”
     • When your neighbor is unemployed, it’s a Recession.
     • When your spouse is unemployed, it’s a Depression.
     • When you’re unemployed, it’s a CRISIS!

  12. Opportunities From Crisis
     • What a sense of crisis does
       • Bring immediate attention
       • Heighten emotion
       • Motivate in proportion to the threat of survival
     • Emotional energy lowers resistance to change
     • Emotions can be channeled to reshape culture
     • Jawboning is good but…
       • Leaders must “walk the talk”

  13. Security Crisis
     • Multiple worms and viruses hit a partner hospital’s data network
     • Stopped nearly all data traffic for 36 hrs
     • Crippled workflow for weeks
     • Impacted medical school, faculty practice and others on campus

  14. Leaders Walk the Talk
     • At the urging of their CIOs, senior leaders jointly issued a very strong statement:
       • “[W]e experienced a wake-up call.”
       • “[W]e need to take a new approach to securing the computers and networks...”
       • “There will be no tolerance for risking our organization’s network and computing infrastructure.”

  15. Walk the Talk
     • “We are directing our respective IT leaders and support teams to take any and all appropriate action to defend our network and computing infrastructure.”
     • Importance of emotional communication
       • “wake-up call”, “new approach”, “defend”, “no tolerance”, “any and all appropriate measures”
     • CIOs responded

  16. Guiding Principles
     • Weakest Link
       • Everyone is at risk when a few use weak security practices
     • Mutual Good
       • Everyone benefits from better security
     • One for All and All for One
       • Everyone must follow IT security “best practices”
       • HIPAA Security policies are IT security best practices
       • HIPAA Security policies apply to everyone

  17. Impact of Security Controls On Culture
     • LOW - Physical
       • Locked rooms, restricted access
     • MEDIUM - Technical
       • Unique logons, complex passwords
     • HIGH - Administrative
       • New practices, more responsibilities, very different behaviors

  18. Make Security Painless
     • Use non-intrusive measures
       • Don’t inspect network traffic or PC files
     • Automate routine security procedures
       • Remotely install SAV and manage files
     • Offer enticements, not just threats
       • Free PC upgrades to run W2K
     • Avoid extremes
       • Don’t quarantine computers for minor misbehavior
       • Don’t try to make the network safe… Make it safer!

  19. Results

  20. Conclusion
     • Culture change is hard work, takes time
       “People do what you inspect, not what you expect.” (Louis Gerstner, former CEO of IBM)
     • Assess, inform, change, educate, inspect. Repeat.
       “You get what you measure. Measure the wrong thing and you get the wrong behaviors.” (John H. Lingle, PhD)

  21. Changing Security Culture
     Matt Kramer, GSEC, Enterprise Security Manager, University Physicians, Inc.

  22. University Physicians, Inc.
     University Physicians, Inc. (UPI) coordinates and supports the clinical activities of the University of Maryland School of Medicine. We employ over 1,000 non-physician staff who support the clinical practices of our faculty. Our staff provides administrative support functions such as business development, finance, human resources, information technology, compliance, legal affairs, practice operations support, and reimbursement management. The University of Maryland School of Medicine has approximately 1,000 full-time faculty members involved in teaching, research, and clinical practice. UPI has 22 professional associations that represent distinguished physicians in over 40 specialties and subspecialties.

  23. Why Change the Security Culture?
     • Your security program is only as strong as your weakest link…
     • The weakest link will usually be your staff.

  24. Keep it simple
     • Policies should be short and specific so the underlying reasons are easily understood.
       • (e.g. Workforce Authorization and Termination Policy)
     • Minimize impact to operations as much as possible
     • Use technology to streamline processes
       • Certain strong authentication can provide greater security while reducing staff involvement

  25. Make it Personal
     • Employees are patients also
       • Hopefully will improve the confidentiality of information among co-workers
     • Recent identity theft hype helps increase people’s sensitivity to the security of their personal information.
       • Leads to staff support for anti-virus, anti-spyware, URL filters, etc.

  26. Use Real Life Examples and Consequences
     • News stories relating to information disclosure or other information security events at other institutions
       • Still somewhat intangible
     • Internal examples are best
       • What happened to those found in violation of policy?

  27. Top Down Approach
     • If senior management doesn’t follow the rules, there’s little chance the general staff will.
     • Keep management involved
       • Have some form of dedicated training sessions for management.
       • Provide a support structure

  28. Peer Pressure
     • Individually
       • Use physician sponsors…
     • Organizationally
       • Participate in regional/national workgroups
       • What are other institutions doing?
       • Get help defining what’s “Reasonable”

  29. Continued Communication and Awareness
     • “Campaign” posters in both administrative areas as well as clinical areas
     • Monthly newsletters and/or emails
       • Policy reminders
       • Privacy and Security News
       • US-CERT’s Security Tips
     • Annual Training for all staff
     • Specialized training for IT staff and managers

  30. TIPS for Protecting Patient Information (poster)
     PDAs
     • Never leave your mobile device unattended
     • Turn on the password lock feature
     • Enable the auto-lock and/or the auto-shutdown feature when not in use
     Incident Reporting
     • When you see suspicious or inappropriate behavior by a system or a person, you must inform your supervisor and report it to your Security Liaison
     Workstations & Laptops
     • Get permission before you install software, games, screen savers or other programs
     • Verify the sender before opening emails
     Confidentiality
     • Respect the privacy of our patients; only share PHI with persons authorized to receive it
     Internet Usage
     • Be careful when using the Internet
     • Do not use your work email address when registering with a non-work related company
     • Do not accept any downloads from websites unless you are reasonably sure they are safe
     • Be cautious when giving out personal information over the internet, especially when you did not initiate the process
     Passwords
     • Do not leave passwords in obvious or easily accessible locations; do not share your password with anyone, including your co-workers and supervisor

  31. Performance Review
     • Hold staff accountable
     • Do spot checks
     • Reward good performance
     • Penalize poor performance

  32. Be Patient
     • Change takes time and commitment.
     • Start with baby steps...
       • Training
       • Campaign posters
       • Newsletters

  33. Getting The Administrator’s Attention
     Kathy Maddock, MSA, FACMPE, Senior Administrator, Department of Family Medicine, University of Maryland School of Medicine

  34. Why Is It So Hard To Get The Administrator’s Attention?
     • Most administrators have a full plate.
     • Getting on their radar screen.
     • Some administrators of larger depts. employ their own IT person; it is easier to have their techies handle all the HIPAA stuff, or they will find someone else to do it.
     • Too many rules, and HIPAA security is too difficult to implement; it just isn’t natural for the administrator.

  35. Obstacles For The Administrator In The Academic Setting
     • In the academic setting, there are just too many IT departments; this decentralized infrastructure makes training confusing.
     • Some HIPAA tasks and training depend on other entities being ready before they can be implemented; this builds in frustration.

  36. Helping The Administrator To Help The Physician
     • Physicians do not want to make the changes necessary to be HIPAA-compliant.
     • Administrators feel that they do not have authority over their docs and need the Dean to back them.
     • The job still has to get done. Administration should not become an obstacle.

  37. Getting Everyone On Board
     • Review the top five list every month; keep it simple. Break down the HIPAA action items into small tasks over several months.
     • Teach the “reality tips”: what they really need to do and what they do not need to do.
     • Administrators do not do well hearing IT speak. Recruit another administrator to talk to them in their language.

  38. More Tips
     • Send out reminder emails during the month to keep everyone on track.
     • Encourage the administrators to stay involved in the process. It takes a team to get HIPAA implemented.
     • Meet one-on-one with staff and physicians.

  39. This is the Peer Engagement Part of this Session
     This part is designed to engage you (the audience) in exploring this topic. It is your opportunity to:
     • hear how your AMC peers see the topic and how their AMCs are handling it, and
     • provide information about how your AMC is handling the topic.

  40. Engagement Process
     • Facilitators:
       • Stimulate audience discussion with:
         • requests for questions and comments,
         • pre-designed questions and “instant polls” that are designed to assess how the audience of AMC peers sees the topic and to start further questions and comments from the audience.
       • Collect the results for reporting in the “track reporting” part of each plenary session and a planned GASP (Guidelines for AMCs on Security and Privacy) update.
     • Audience (and panelists): Respond to the questions and comments, and provide your own.

  41. Instant Poll Rules
     • Facilitators’ role:
       • Require audience members and panelists to shut their eyes (to promote more honest voting)
       • Ask for a show of hands for each item to be voted on.
     • Audience role:
       • Vote as you see fit.
       • Voting is anonymous.
       • Follow-up questions may ask voters to describe why they voted as they did, if they are comfortable doing so.
     • Anonymity:
       • For some issues, you may wish to keep your vote private; the “eyes-shut” voting rule is the main rule that assures this.
       • Also, the facilitators will take only the notes that you see on the screen and will not identify you by name or institution unless you explicitly say that you are willing to be so identified.

  42. Changing Your AMC’s Information Security Culture
     • The weakest link is medical staff!
       • Strongly disagree ____
       • Disagree ___
       • Neither agree nor disagree ___
       • Agree ___
       • Strongly agree ___
     • What practices? ___

  43. Changing Your AMC’s Information Security Culture
     • Business associates and non-employee treatment providers are of equal concern as employees.
       • Strongly disagree ____
       • Disagree ___
       • Neither agree nor disagree ___
       • Agree ___
       • Strongly agree ___

  44. Changing Your AMC’s Information Security Culture
     • The critical task of a security leader is to create a sense of crisis!
       • Strongly disagree ____
       • Disagree ___
       • Neither agree nor disagree ___
       • Agree ___
       • Strongly agree ___

  45. Changing Your AMC’s Information Security Culture
     • What culture change motivators have worked for you?
     • Is security effective if some groups play by different rules?
     • Can better technology make culture change less painful? Or even unnecessary?
     • Culture change happens eventually. How long is “eventually”?
     • Will local sanctions thrive as national sanctions wane?

  46. What follow-up activities would be helpful to AMCs in dealing with this topic?
     • {Audience/panelists responses}

  47. Engagement Quality Instant Poll
     • This session did a good job of engaging the panelists and the audience on the topic.
       1 - Strongly disagree ___
       2 - Disagree ___
       3 - Neither agree nor disagree ___
       4 - Agree ____
       5 - Strongly agree ____
