Posted on 14-Feb-2017

Healthcare Information Security: What Healthcare Executives Need to Know

Russell Branzell, CHCIO, FCHIME, FACHE

President and CEO

College of Healthcare Information Management Executives

AHA/Health Forum Leadership Summit, July 18, 2016

AEHIA, AEHIS and AEHIT were formed in 2014 with the goal of spreading professional development and best practices across the health IT landscape. Each association focuses on the unique needs of these roles while emphasizing the common skill of leadership that unites them.

• AEHIA: senior leaders in healthcare IT applications

• AEHIS: senior leaders in healthcare IT security

• AEHIT: senior leaders in healthcare IT technology

threatmap.fortiguard.com

More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of patient information is digitized, and accountable care and patient engagement rely on it.

Any outage, corruption of data or loss of information risks patient safety and care.

Slide graphic: BYOD, physician alignment, ACOs, patient engagement, ICD-10, telemedicine, MU, FISMA, BAs, HIEs, HIPAA/HITECH, research.

Black markets will help attackers outpace defenders (RAND Corporation 2014):

• Darknets will be more active, participants will be vetted, cryptocurrencies will be used, and there will be greater anonymity in malware and more encryption in communications and transactions

• Hyperconnectivity will create greater opportunity for incidents

• Exploitation of social networks and mobile devices will grow

• More hacking for hire, as-a-service, and brokering

• 12 year old learning computers in middle school

• 14 year old home schooled girl tired of social events

• 15 year old in New Zealand just joined a defacement group

• 16 year old in Tokyo learning programming in high school

• 19 year old in college putting course work to work

• 20 year old fast food employee that is bored

• 22 year old in Mali working in a carding ring

• 24 year old black hat trying to hack whoever he can

• 25 year old soldier in an Eastern European country

• 26 year old contractor deployed overseas

• 28 year old in Oregon who believes in hacktivism

• 30 year old white hat who has a black hat background

• 32 year old researcher who finds vulnerabilities in systems

• 35 year old employee who sees a target of opportunity

• 37 year old rogue intelligence officer

• 39 year old disgruntled admin passed over

• 41 year old private investigator

• 44 year old malware author paid per compromised host

• 49 year old pharmacist in midlife crisis

• 55 year old nurse with a drug problem

• Theft, fraud and loss: nearly half of all breaches involve some form of theft or loss of a device that was not properly protected

• Insider abuse: nearly 15% of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud

• Unintentional action: almost 12% of breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or facsimiles

• Cyber attacks: there was almost a doubling of these types of attacks in 2014

• And there are many, many others

Verizon 2014 Data Breach Investigations Report


• Medical identity theft and fraud costs billions each year, affecting everyone

• Healthcare-directed attacks have increased more than 20% per year for the last three years

• Identity theft comes in all forms and is costly:

– Insiders selling information to others

– Hackers exploiting systems

– Malware with directed payloads

– Phishing for the "big" ones

• 68% of healthcare data breaches are due to loss or theft of assets

• 1 in 4 houses is burglarized, a B&E (breaking and entering) happens every 9 minutes, and more than 20,000 laptops are left in airports each year

• First rule of security: no one is immune

• 138%: The % increase in records exposed in 2013

• 6 – 10%: The average shrinkage rate for mobile devices

• Typical assets inventories are off by 60%

"Unencrypted laptops and mobile devices pose significant risk to the security of patient information." (Sue McAndrew, OCR)

• It is estimated that more than half of all security incidents involve staff

• 51% of respondents in a SANS study believe the negligent insider is the chief threat

• 37% believe that security awareness training is ineffective

• Traditional audit methods and manual auditing are completely inadequate

• Behavior modeling, pattern analysis and anomaly detection are what is needed
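The kind of insider detection the deck calls for, as an added example that is not part of the original presentation: two simple detectors run over EHR access audit events. The first models each user's own baseline of distinct patient records touched per day and flags days far above it (behavior modeling); the second flags record access with no apparent treatment relationship (pattern analysis). The pipe-delimited export format, the field names, the use of department mismatch as a proxy for "no care relationship", the thresholds and every sample event are constructed assumptions for illustration.

```python
# Access-pattern anomaly detection over EHR audit events. Added example; the
# export format, field names, department-based relationship check and all
# sample events below are constructed assumptions, not real data.
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: timestamp|user|user_dept|patient_id|patient_dept|action
SAMPLE_LOG = """\
2016-07-11T08:02|nurse01|CARD|P1001|CARD|view
2016-07-11T08:40|nurse01|CARD|P1002|CARD|view
2016-07-11T13:15|nurse01|CARD|P1003|CARD|view
2016-07-11T09:00|dr02|ONC|P2001|ONC|view
2016-07-11T09:30|dr02|ONC|P2002|ONC|update
2016-07-12T08:05|nurse01|CARD|P1001|CARD|view
2016-07-12T10:20|nurse01|CARD|P1004|CARD|update
2016-07-12T15:00|nurse01|CARD|P1002|CARD|view
2016-07-12T11:00|dr02|ONC|P2003|ONC|view
2016-07-13T08:10|nurse01|CARD|P1003|CARD|view
2016-07-13T09:30|nurse01|CARD|P1005|CARD|view
2016-07-14T08:00|nurse01|CARD|P1001|CARD|view
2016-07-14T08:30|nurse01|CARD|P1002|CARD|view
2016-07-14T11:00|nurse01|CARD|P1004|CARD|view
2016-07-15T08:00|nurse01|CARD|P1001|CARD|view
2016-07-15T08:20|nurse01|CARD|P1002|CARD|view
2016-07-15T22:50|nurse01|CARD|P2001|ONC|view
2016-07-15T22:53|nurse01|CARD|P2002|ONC|view
2016-07-15T22:57|nurse01|CARD|P2003|ONC|view
2016-07-15T23:01|nurse01|CARD|P2004|ONC|view
2016-07-15T23:04|nurse01|CARD|P2005|ONC|view
2016-07-15T23:08|nurse01|CARD|P2006|ONC|view
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    user_dept: str
    patient: str
    patient_dept: str
    action: str

    @property
    def day(self) -> str:
        return self.ts[:10]  # ISO date prefix of the timestamp


def parse_log(text: str) -> list[Event]:
    """Parse the export; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) == 6:
            events.append(Event(*fields))
    return events


def distinct_patients_per_day(events: list[Event]) -> dict[str, dict[str, int]]:
    """user -> day -> number of distinct patient records touched."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e.user][e.day].add(e.patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def volume_anomalies(events, k=3.0, min_floor=5, min_baseline_days=3) -> list[dict]:
    """Behavior modeling: judge each user-day against that user's own other days
    (leave-one-out mean + k standard deviations), so a busy clinician is not
    compared to a low-volume colleague. min_floor stops a jump from 1 to 3
    records being reported as an outlier."""
    flagged = []
    for user, counts in distinct_patients_per_day(events).items():
        for day, count in counts.items():
            baseline = [c for d, c in counts.items() if d != day]
            if len(baseline) < min_baseline_days or count < min_floor:
                continue
            threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
            if count > threshold:
                flagged.append({"user": user, "day": day, "count": count,
                                "threshold": round(threshold, 2)})
    return flagged


def relationship_anomalies(events: list[Event]) -> list[Event]:
    """Pattern analysis: access with no apparent treatment relationship. Department
    mismatch is a crude proxy; a real rule would consult care-team, admission and
    scheduling data."""
    return [e for e in events if e.patient_dept != e.user_dept]


def analyze(text: str) -> dict:
    events = parse_log(text)
    return {"volume": volume_anomalies(events), "relationship": relationship_anomalies(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report["volume"])
    print([(e.ts, e.user, e.patient) for e in report["relationship"]])
```

On the constructed data, nurse01's four baseline days of 2 to 3 records give a threshold just above 4, so the 8 distinct records touched on 2016-07-15 are flagged, and the six late-evening ONC record views by a CARD user are reported separately; both rules fire on the same night, which is the kind of corroboration a reviewer wants before contacting HR. Neither check requires sampling charts by hand, which is the point of the slide: the baseline is the user's own history, recomputed as the log grows.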


• Most cybersecurity insurance only covers a fraction of large breach costs

• Insurance providers are looking to increase premiums and enhance underwriting provisions to avoid losses associated with large incidents

• Additional exclusionary language

• Right to investigate independently

• Columbia Casualty vs. Cottage Health System

Consequences of a breach (slide graphic):

• Discovery, notification and response

• Business disruption

• ID theft monitoring

• Investigation/review

• Civil penalties

• Federal CAP/RA

• State actions

• Lawsuit defense

• Criminal penalties

• Insurance

• Degradation of brand/image

• Distraction of staff

• VBP payment impacts

• HCAHPS score impacts

• Patient confidence/loyalty

• Physician alignment, nurse and staff agreement

• Lack of qualified personnel

• Lack of financial resources

• Volume and expanding types of threats

• Not enough cyber threat intelligence

• Too many software applications, devices,

network touch points

• Lack of effective tools

• Healthcare CISOs gave themselves an average maturity rating of 4.35 on a scale of 1 to 7

• Missing critical technologies to fight today's threats

• More than half spend less than 3% of their IT budget on protecting data

• Almost half have a full-time CISO or information security manager

• Implement continuous program of risk assessment and management

• Increase knowledge of threat actors

• Maintain current environment

• Improve detection and reaction capabilities

• Implement data exfiltration controls

• Enhance user education and accountability

• Implement active vendor security management

• Address long term challenges around medical devices

• Plan for incidents

• 70% of Board Members feel they understand cyber risks

• 43% of CIO/CISOs think Boards are informed about threats to IT

• Board members do admit limited knowledge about cybersecurity

• Board members and IT security need to communicate more often

• It took major breaches like Target, Anthem and Community Health to get the Board's attention

• Boards are still in the dark concerning security risks and incidents

• Be a leader

• Possess business acumen

• Be comfortable managing risk

• Be a team player

• Plan ahead

• Be an effective communicator

• Understand and apply psychology/sociology

• Be politically savvy

Know privacy and security: it's everyone's job.

• Actively participate in the industry

• Open and maintain a useful dialogue

• Work on expanding awareness and education

• Change perception


Sources:

• Forrester Research

• Fortinet

• IBM

• Ponemon Institute

• RAND Corporation 2014

• Solutionary Annual Threat Reports

• Symantec

• Verizon 2014 Data Breach Investigations Report

• Mac McMillan, CISM, CEO, CynergisTek, Inc.
