Hundreds of educators and information technology (IT) leaders from the University of Maryland, Baltimore (UMB) and affiliated organizations gathered April 8 in the Southern Management Corporation Campus Center to discuss best cybersecurity practices and share strategies for operating in an increasingly complex and changing information environment.
Opening keynote speaker Joseph St. Sauver of Farsight Security set the tone for the day, comparing the countervailing efforts of IT security teams and hackers to an arms race, where each side must constantly evolve to meet new threats or overcome new defenses.
“The single most important thing you can do … patch your systems,” he said. Patches are software updates designed to fix or improve a system to reduce vulnerability, often in response to newly discovered malware. St. Sauver urged attendees not to wait until new upgrades are tested, but to “set your systems to patch automatically.” The risks of operating a computer network without the very latest security patches, he told the group, are far greater than the risk that a new patch might be ineffective.
Managing data security in UMB’s environment is made even more challenging by the need to maintain interoperability between many different systems – clinical systems, research networks, and business units, as well as affiliated networks like the University of Maryland Medical System (UMMS).
Such interoperability is more than a convenience, said Kathryn Montgomery, PhD, RN, NEA-BC, associate dean at the University of Maryland School of Nursing. “We all know the explosion of the digital age made capacity for data storage and computational capacity way beyond our dreams of even five years ago,” she told an early panel’s audience. “We really can advance the scientific questions and we’re really challenging some of our traditional views about methods and designs.” Montgomery said she was mindful of the risks outlined by earlier speakers, but wouldn’t be dissuaded from her vision of achieving an “agile capacity to study important health care questions, expand discovery, dissemination, translation and knowledge utilization, improve clinical decision-making and achieving better outcomes for patients and population health.”
For the past two years, UMB, UMMS, and Faculty Practice, Inc. (FPI) have worked together to safely realize that vision under a shared security framework, the UMB Security Collaborative. Together, the collaborative shares brainpower and resources to ensure that faculty and medical and administrative staff can share clinical information safely and relatively unhindered.
“Our challenge is that as those users become increasingly mobile with a very diverse complement of tools such as tablets and phones and laptops, how to provide that seamless experience to them whether they are logging on from the School of Medicine building or from one of our hospitals on the other end of the state, and to do so without exposing our network to unnecessary risk,” said Kevin Crain, information security officer with the University of Maryland Medical Center.
“We share a lot of information about best practices and strategies that we all need to be aware of,” explained Frederick Smith, MS, director of the University’s Center for Information Technology Services (CITS) Office of Security. “The biggest challenge I’m facing now is user education and awareness.”
Smith told the audience the University is “bombarded” with “phishing” attacks, email that entices users to provide sensitive information and access to computers. “We just need people to understand that if it’s not a business-related email, delete it,” he said.
When breaches do occur, the challenge is often discovering them quickly so smaller problems don’t escalate, said Matthew Kramer, director of information technology and services for FPI. “The ones that we do detect, we’re 200 days behind the curve on that, so we do need to strengthen our detection capabilities.”
The UMB Security Collaborative’s teamwork was recently tested, and passed with high marks. On March 11, fire severely damaged an FPI data and communications hub. “We lost all capability to communicate both internally and externally,” recalled Kramer. “As soon as Peter [Peter J. Murray, PhD, UMB chief information officer and vice president] became aware of the situation, he activated the security collaborative to assist in three areas, first and foremost to help us to communicate.”
Kramer added, “By pulling together the resources of the security collaborative we had additional expertise available to me and the rest of my team to assist in putting together our IT recovery plan.”
That’s the value in working together, agreed Sharon Bowser, MBA, assistant dean and chief information officer, University of Maryland School of Medicine. “I’m not just in it alone,” she said. “We take the best of what each of us has and build on it.”
Working together, she added, “allows us to implement security practices that look a little less complex to our faculty, staff, and students who have to traverse across these boundaries.”