Cybersecurity Blueprint for Healthcare Organizations (Microsoft)



Post on 13-Feb-2017


Page 1: Cybersecurity Blueprint for Healthcare Organizations (Microsoft)

Overcome vulnerability

A proactive approach

Staff knowledge

Foundation building

Necessary investments

Strategic data protection

Optimal security program

Building Rigor into Cybersecurity: A Blueprint for Healthcare Organizations

Published by


Overcome vulnerability

Medical identity information is worth about $50 on the street, while a stolen social security or credit card number only brings in about $1, according to statistics cited by the Federal Bureau of Investigation (FBI).1

Couple the allure of this valuable information with the fact that the healthcare industry has struggled to implement data-protection strategies. Add in the fact that more patient information could be susceptible to exposure – as planned usage of cloud for five key use cases increased 65 percent between 2014 and 2016, according to the 2016 HIMSS Analytics Cloud Survey.2

What do you get? The kind of vulnerability that cybercriminals love to prey on.

Not surprisingly, 66 percent of organizations had experienced a security incident, with 70 percent of these organizations reporting disruption to their IT systems last year, according to the HIMSS 2015 Cybersecurity Survey.3 What’s more, individual cyberattacks have affected as many as 78 million records.4

Overcome vulnerability with vigilance

Perhaps most troubling: there’s not much relief in sight, as the frequency and sophistication of attacks continue to escalate.

“It is not simply the kid next door trying to hack into healthcare systems anymore. It is someone who is highly skilled or it is an organized effort,” said Lee Kim, JD, director of privacy and security at HIMSS. “So, our threats have definitely become more sophisticated and severe.”

In addition, according to an analysis of data from the Microsoft Security Intelligence Report from Tim Rains, director of security at Microsoft, ransomware represents less risk than other types of malware. However, he points out that the rapid evolution of ransomware suggests that the risk could rise in the future.5

Healthcare organizations must up their security game.

“Traditional reactive systems such as anti-virus or anti-spam are no longer enough. Healthcare organizations need to do more,” said Hector Rodriguez, national director and CTO, Microsoft US Health. “With the healthcare industry under attack, leaders are realizing that they need to invest in the technology, resources and people that will enable them to build the level of cyber sophistication required to protect their organizations in today’s world.”

eBOOK: 2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security

References

1. FBI Cyber Division Bulletin: Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. https://publicintelligence.net/fbi-health-care-cyber-intrusions/

2. 2016 HIMSS Cloud Survey. http://www.level3.com/~/media/files/brochures/en_cloud_br_cloudsurvey.pdf

3. 2015 HIMSS Cybersecurity Survey. http://www.himss.org/2015-cybersecurity-survey

4. U.S. Department of Health and Human Services. Breaches Affecting 500 or More. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

5. Microsoft Cyber Trust Blog. Rains, T. Ransomware: Understanding the Risk. https://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/


A proactive approach

Instead of taking a passive approach to data security – assuming an “it will never happen to me” stance – healthcare organizations must instead adopt a “zero trust” strategy.

“We have grown so dependent on doing things electronically, the ability to have our computers up and running is almost akin to breathing or having access to water. So, organizations need to more proactively plan for around-the-clock access to data,” Kim said.

They need to mount a more impenetrable defense against cyberattacks. Healthcare organizations should inspect everything from internal and external networks to people to processes. In addition, it’s important to ensure that business associates, trading partners and other third parties are aligned with organizational security strategies.

Even more important, organizations must mount a zealous offense – stopping cyberattacks before they hit.

A proactive cybersecurity approach

“Healthcare organizations need to start implementing strategic and tactical data protection strategies before an attack has a chance to materialize,” said Leslie Sistla, CISO, Microsoft Worldwide Health. “Usually organizations don’t know if they have an intruder on their network. They need to go on the offensive and understand what normal behavior looks like and start to look for suspicious behavior. They can start to look for anomalies such as suspicious messaging or someone who is logged in from a different mobile device or users accessing servers they don’t normally access.”

To support these aggressive game plans, organizations must rely heavily on:

■■ Data encryption when data is in transit and at rest

■■ Increased user education and awareness

■■ Tools that automate and enforce encryption

■■ Vigilant shutdown of shadow IT throughout the organization

■■ Management of encryption keys

■■ Utilization of advanced analytics and threat protection
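Sistla's point about learning what normal looks like and then flagging deviations, as an added example that is not part of the original eBook or any Microsoft tool: a minimal per-user baseline of devices and servers learned from constructed authentication log lines, then applied to a second batch to surface a login from an unfamiliar device and access to a server the user has never touched (the field layout, user names and host names are all assumptions).

```python
"""Baseline-and-deviation check for the anomalies named above: a user
logging in from a device not seen before, and a user reaching servers
they do not normally access. Log lines are constructed for this example."""
from collections import defaultdict

# Constructed sample "timestamp user device server" authentication events.
BASELINE_LOGS = """\
2016-03-01T08:02 jdoe laptop-17 ehr-app-01
2016-03-01T08:10 jdoe laptop-17 ehr-app-01
2016-03-02T09:14 jdoe laptop-17 ehr-app-02
2016-03-01T07:55 asmith phone-42 billing-01
2016-03-02T07:58 asmith phone-42 billing-01
"""

NEW_LOGS = """\
2016-03-09T08:05 jdoe laptop-17 ehr-app-01
2016-03-09T23:41 jdoe tablet-99 ehr-app-01
2016-03-09T23:45 jdoe tablet-99 fileserver-03
2016-03-09T08:00 asmith phone-42 billing-01
2016-03-09T08:30 contractor7 kiosk-02 ehr-app-01
"""

def parse(text):
    """Split log text into (timestamp, user, device, server) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def build_baseline(events):
    """Per-user sets of devices and servers seen during the learning window."""
    devices, servers = defaultdict(set), defaultdict(set)
    for _, user, device, server in events:
        devices[user].add(device)
        servers[user].add(server)
    return devices, servers

def find_anomalies(baseline, events):
    """Return (timestamp, user, reason) for each event outside the user's baseline.
    An account with no baseline at all is flagged too: a brand-new login
    identity should be confirmed by a person rather than silently learned."""
    devices, servers = baseline
    findings = []
    for ts, user, device, server in events:
        if user not in devices:
            findings.append((ts, user, "no baseline for user"))
            continue
        if device not in devices[user]:
            findings.append((ts, user, f"new device {device}"))
        if server not in servers[user]:
            findings.append((ts, user, f"unusual server {server}"))
    return findings

def run_example():
    """Learn from BASELINE_LOGS, then review NEW_LOGS against that baseline."""
    return find_anomalies(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))

if __name__ == "__main__":
    for ts, user, reason in run_example():
        print(ts, user, reason)
```

In practice the baseline window should be long enough to cover normal shift rotations, and a flagged event is a prompt for review, not proof of intrusion.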

eBOOK: Anatomy of a Breach: How hackers break in – and how you can fight back

ROADMAP: Follow this roadmap to secure privileged access against determined adversaries.

Staff knowledge

The more staff members know, the better

According to the HIMSS 2015 Cybersecurity Survey, 51 percent of security incidents are identified by an organization’s internal security team and 50 percent by an internal staff member who is not part of the security team.1 As the first line of defense against cyberattacks, staff members need to be well informed when it comes to data protection. But that isn’t happening.

In fact, HIMSS survey respondents did not express much confidence in their organization’s abilities to detect security incidents. A small percentage indicated that their organizations were highly prepared to detect zero day attacks (20.2 percent), negligent insider attacks (20.5 percent), malicious insider attacks (21.5 percent) and advanced persistent threat analytics (27.6 percent). That’s why education is so important.

“When it comes to the use of mobile devices and data, staff members need to understand what is appropriate and not appropriate,” said Craig Eidelman, mobility specialist, Microsoft US Health and Life Sciences. “It’s important to ensure that all employees understand just how critical security is but still realize that they can leverage mobile devices when they need to get critical information to take care of patients.”

CASE STUDY: St. Luke’s Health System Uses Cloud-based Tools to Boost Mobility and Improve Quality of Care

To support these efforts, organizations can implement educational programs that provide advice on how to protect computers and data from cybercriminals. Such education could show staff how to fully optimize mobile technology while keeping data safe. For example, if staff members want to communicate with others, they need to understand that instead of sending a text message, using a secure mobile app specifically designed for collaboration is a safer option.

References

1. 2015 HIMSS Cybersecurity Survey. http://www.himss.org/2015-cybersecurity-survey


Foundation building

Developing an effective cybersecurity program cannot be done piecemeal; it requires a holistic approach that includes adopting the right framework, identity model, strategies and actions.

The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity can help healthcare organizations get started by providing a structure to create, guide, assess or improve comprehensive cybersecurity programs. The framework provides a set of standards, guidelines and practices to help organizations manage cyber risks.1

A hybrid identity model can then help healthcare organizations keep tabs on data – and exactly who has access to it. In this model, a single user identity is used for authentication and authorization to all resources, including cloud and on-premises systems and applications.

Building the foundation

With this foundation in place, organizations can launch a pragmatic three-part data-protection strategy that includes blocking attacks at the front line; mounting defenses to contain attackers; and backing up data in case of emergencies.

Healthcare organizations can immediately put these strategies into play by taking actions such as:

■■ Assuming that their organization will be the target of a breach

■■ Securing credentials by reducing administrator IDs

■■ Identifying abnormal behaviors

■■ Providing proactive recommendations for investigation and remediation

■■ Safeguarding email.

It’s especially important for healthcare organizations to properly secure the “privileged access” that administrators have to myriad systems.

“Organizations need to follow protocols and put in multiple layers of protection for accounts that have privileged access,” Eidelman said. “By doing so, organizations can make it more difficult for hackers with malicious intent to break into these accounts.”

References

1. NIST. Framework for Improving Critical Infrastructure Cybersecurity. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

eBOOK: Securing Mobile Devices using NIST Guidelines

Securing Mobile Devices using NIST Guidelines

Mobile technology is an integral part of a patient-centric, successful health system. As healthcare providers and healthcare covered entities continue to use mobile devices to increase levels of patient care, those devices need to be secure. The National Institute of Standards and Technology’s (NIST) Cybersecurity Center of Excellence has begun a journey to create specific technological guidelines and standards focused on securing mobile devices. To do this, they have created guidelines for healthcare providers to help assess risk and then implement architectural strategies that allow healthcare providers to decrease vulnerability and protect health data and information. Microsoft solutions can help you meet and even exceed security-based goals such as these to create an integrated IT and end user experience. Let us tell you more…

CASE STUDY: Grady Health EMR Integration Cures Hospital’s Identity Management Ills


Necessary investments

A comprehensive cybersecurity initiative necessitates investing in the optimal platforms, instrumentation and people that can help get the job done.

“The number one thing organizations can do if they are updating devices or purchasing new systems is some due diligence. You need to determine and understand how security is built into the device or application before you buy it,” Kim said. “It’s always good to not just believe claims at face value and to dig a little deeper to truly assess the security capabilities.”

Invest in platform, people and instrumentation

Organizations then need to focus on the broader picture. “Healthcare leaders have to think about the entire environment, end to end,” Sistla said. “They have to make sure there are good practices and maturity around all of the elements of data security, from people, devices, operating systems, applications and data. The primary focus has been around investing in risk management of clinical systems and there has been less rigor around investing that same level of effort for administrative and financial systems and their security and risk mitigation. So, healthcare organizations now have to fill in some gaps.”

A well-developed platform enables organizations to have a clearly defined security policy that includes a vision as well as standards and guidance. Organizations can then practice good security hygiene and block attacks with patches and identity monitoring.

With the proper investments in instrumentation, organizations can leverage the tools needed to fully monitor networks, hosts and logs. And, by investing in human resources and training, organizations can fully leverage the knowledge of data scientists and analysts to build a foundation of defense – and call upon users to protect organizations at the perimeter.

eBOOK: 7 Ways to Improve Your Security Posture


Strategic data protection

While HIPAA compliance is important, it is far from the be-all and end-all.

“Traditionally, healthcare organizations have looked at security as an afterthought or as part of a HIPAA auditing exercise,” Rodriguez said. “HIPAA compliance, however, is not the same thing as cybersecurity.”

From compliance to strategic data protection

As part of their effort to deploy an end-to-end enterprise cybersecurity plan, healthcare organizations should go beyond checking off HIPAA compliance boxes and instead:

■■ Develop a “where used matrix” – “Do you know where your data is?”

■■ Employ a data backup and recovery plan for all critical information

■■ Perform and test regular backups and isolate critical backups from the network

■■ Include “recovering from a cyberattack” in disaster recovery plans

■■ Use a different communication mode if breached; hackers may be listening on the current system

■■ Employ an end-to-end data encryption strategy, control your encryption keys

■■ Ensure business associates are working with your security and compliance needs

■■ Employ analytics in your security – behavioral, machine learning, partner information, advanced threat analytics

■■ Work to minimize “Shadow IT” – still a major challenge

■■ Whitelist apps to help prevent malicious software and unapproved programs

■■ Keep software up-to-date with the latest patches and support

■■ Keep anti-virus software current

■■ Apply the “least privilege” principle to all systems and services

■■ Educate users, patients, affiliates, and so on, and restrict permissions to install and run unwanted apps

RISK REPORT: Calculate and Assess Your Security Risk

CYBER TRUST BLOG: Understanding the Risk of Ransomware


Optimal security program

Protect and set healthcare organizations free

Healthcare organizations have traditionally viewed clinical systems as mission critical. Developing security programs and investing in data-protection technologies have always been seen as a necessary – but far less strategic – imperative.

An optimal security program, however, can help healthcare organizations transform for the better.

“Cybersecurity initiatives are not just about data protection but about becoming a proactive organization ready to grow,” Rodriguez said. For example, with an optimized cybersecurity program in place, healthcare organizations can more adeptly:

■■ Bring new organizations in and grow through mergers and acquisitions

■■ Quickly launch new service lines

■■ Confidently leverage the cloud and experience related cost savings.

“With a strong data security program, your organization can become more agile. You can move to the cloud to manage your infrastructure more cost effectively and optimally,” Rodriguez said. “It really can be very liberating.”

Microsoft can help create a cybersecurity program that helps defend against the many threats in today’s healthcare environment. It can also help organizations move freely toward their strategic goals in a mobile-first, cloud-first world by leveraging:

■■ Identity management and protection services

■■ App security, visibility and monitoring services

■■ Device management

■■ Rights management, Secure Islands, encryption strategy

■■ Advanced threat analytics.

For more information on the Microsoft Security Programs: http://microsoft.com/security

© 2016 Microsoft. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Case studies results based on use of specific systems customized for a particular organization; other companies’ results may vary. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. The information contained in this document represents the current view of Microsoft Corporation as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.