Cyber security governance in an academic medical center: Post incident

The University of California’s response to a 2015 cyber breach challenged not only internal structures and priorities but also the wider industry, prompting a more robust discussion on cyber security governance in an academic medical setting.

The challenge facing the University of California is how to secure the shared IT landscape of 10 campuses and 5 medical centers with 250'000 student users and 200'000 employees. The threat includes the component of nation-states that are interested in stealing research.

Following a cyber hack that affected 4.5 million records and resulted in multiple lawsuits that are still pending, a new cyber security plan was implemented covering governance, risk management, modern technologies, security environment, and a system wide culture change.

Governance

In governance terms, a new Cyber Risk Governance Committee was formed to oversee the system spanning all ten campuses and five medical centers, with a Cyber Risk Executive from each campus reporting directly to the respective chancellor. This elevates the profile of cyber security and ensures decisions involve top decision-makers. In addition, a Cyber Risk Advisory Board brought in external partners and industry collaboration.

Enhanced risk management

For the new risk management, the cybersecurity framework of the National Institute of Standards and Technology (NIST) was adopted (to benefit from higher industry standards) and risk assessment was reformed to be system-wide to better determine the state and needs of each campus and medical center.

Modern technology

Use of more modern technology meant greater capabilities to identify, protect, detect, respond and recover from incidents. The challenge of ten campuses was turned into strength in combined purchasing power, and greater collaborative situational awareness.

Security environment

The security environment was enhanced with a Cyber Risk Coordination Center that had the new capacity of monitoring threats 24 hours a day 365 days a year. Information could be shared across the whole system with dashboard overviews for senior management.

System-wide culture change

The system-wide culture change was to ensure the active involvement of people in promoting cyber security. Cyber security training became one of the two system-wide mandatory trainings (the other being sexual harassment). Escalation protocols ensure that flags get raised early and addressed quickly. An annual cyber security summit provides for cyber executives to share their observations and training experiences.

Insuring cyber security

While the risk cannot be controlled, the ability to respond can be controlled. With the new security plan, new comprehensive insurance had to be purchased. The complexity of the systems and the state of the market at the time limited broad options for procuring insurance. But working with industry resulted in the limits increasing over the last few years. It took a loss to get people’s attention, but strengthened the internal working environment and the work with external partners.

Summary of the Centre for Global Dialogue's Transforming Healthcare event in February 2017. Summary by David M. Taylor.