TRANSCRIPT
Healthcare Information Security: What Healthcare Executives Need to Know
Russell Branzell, CHCIO, FCHIME, FACHE
President and CEO
College of Healthcare Information Management Executives
AHA/Health Forum Leadership Summit, July 18, 2016
AEHIA, AEHIS and AEHIT were formed in 2014 with the goal of spreading professional development and best practices
across the health IT landscape. Each association focuses on the unique needs of these roles while emphasizing the
common skill of leadership that unites them.
Senior leaders in healthcare IT APPLICATIONS
Senior leaders in healthcare IT SECURITY
Senior leaders in healthcare IT TECHNOLOGY
threatmap.fortiguard.com
More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of
patient information is digitized and accountable care/patient engagement rely on it.
Any outage, corruption of data, or loss of information risks patient safety and care.
Drivers of digital dependence (slide word cloud): BYOD, Physician Alignment, ACOs, Patient Engagement, ICD-10, Telemedicine, MU, FISMA, BAs, HIEs, HIPAA/HITECH, Research
Black markets will help attackers outpace defenders
• Darknets will be more active, participants will be vetted,
cryptocurrencies will be used, greater anonymity in
malware, more encryption in communications and
transactions
• Hyperconnectivity will create greater opportunity for
incidents
• Exploitation of social networks and mobile devices will grow
• More hacking for hire, as-a-service, and brokering
RAND Corporation 2014
• 12 year old learning computers in middle school
• 14 year old home schooled girl tired of social events
• 15 year old in New Zealand just joined a defacement group
• 16 year old in Tokyo learning programming in high school
• 19 year old in college putting course work to work
• 20 year old fast food employee that is bored
• 22 year old in Mali working in a carding ring
• 24 year old black hat trying to hack whoever he can
• 25 year old soldier in East European country
• 26 year old contractor deployed overseas
• 28 year old in Oregon who believes in hacktivism
• 30 year old white hat who has a black hat background
• 32 year old researcher who finds vulnerabilities in systems
• 35 year old employee who sees a target of opportunity
• 37 year old rogue intelligence officer
• 39 year old disgruntled admin passed over
• 41 year old private investigator
• 44 year old malware author paid per compromised host
• 49 year old pharmacist in midlife crisis
• 55 year old nurse with a drug problem
• Theft - fraud & loss: nearly half of all breaches involve some form of
theft or loss of a device not properly protected
• Insider abuse: Nearly 15% of breaches in healthcare are carried out
by knowledgeable insiders for identity theft or some form of fraud
• Unintentional action: Almost 12% of breaches are caused by
mistakes or unintentional actions such as improper mailings, errant
emails, or facsimiles
• Cyber attacks: There was almost a doubling of these types of
attacks in 2014
• And, there are many, many others…
Verizon 2014 Data Breach Investigations Report
• Medical identity theft and fraud costs billions each
year, affecting everyone
• Healthcare directed attacks have increased more
than 20% per year for the last three years
• Identity theft comes in all forms and is costly
– Insiders selling information to others
– Hackers exploiting systems
– Malware with directed payloads
– Phishing for the “big” ones
• 68% of healthcare data breaches due to loss or theft of assets
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more
than 20,000 laptops are left in airports each year…
• First rule of security: no one is immune
• 138%: The % increase in records exposed in 2013
• 6 – 10%: The average shrinkage rate for mobile devices
• Typical assets inventories are off by 60%
“Unencrypted laptops and mobile devices pose significant risk to
the security of patient information.” – Sue McAndrew, OCR
• It is estimated that more than half of all security
incidents involve staff
• 51% of respondents in a SANS study believe the
negligent insider is the chief threat
• 37% believe that security awareness training is
ineffective.
• Traditional audit methods and manual auditing are
completely inadequate
• Behavior modeling, pattern analysis and anomaly
detection are what is needed
• Most cybersecurity insurance only covers a fraction of large breach costs
• Insurance providers are looking to increase premiums and enhance
underwriting provisions to avoid losses associated with large incidents
• Additional exclusionary language
• Right to investigate independently
• Columbia Casualty vs. Cottage Health System
Breach cost and impact categories (slide diagram): Discovery, Notification & Response; Business Disruption; ID Theft Monitoring; Investigation/Review; Civil Penalties; Federal CAP/RA; State Actions; Lawsuit Defense; Criminal Penalties; Insurance; Degradation of Brand/Image; Distraction of Staff; VBP Payment Impacts; HCAHPS Score Impacts; Patient Confidence/Loyalty; Physician Alignment/Nurses and Staff Agreement
• Lack of qualified personnel
• Lack of financial resources
• Volume and expanding types of threats
• Not enough cyber threat intelligence
• Too many software applications, devices,
network touch points
• Lack of effective tools
• HC CISOs gave themselves an average maturity rating
of 4.35 on a scale of 1-7
• Missing critical technologies to fight today’s threats
• More than half spend less than 3% of their IT budget on
protecting data
• Almost half have a full time CISO or information security
manager
• Implement continuous program of risk assessment and management
• Increase knowledge of threat actors
• Maintain current environment
• Improve detection and reaction capabilities
• Implement data exfiltration controls
• Enhance user education and accountability
• Implement active vendor security management
• Address long term challenges around medical devices
• Plan for incidents
• 70% of Board Members feel they understand cyber risks
• 43% of CIO/CISOs think Boards are informed about threats to IT
• Board members do admit limited knowledge about cybersecurity
• Board members and IT security need to communicate more often
• It took major breaches like Target, Anthem and Community Health
to get the Board’s attention
• Boards are still in the dark concerning security risks and incidents
• Be a leader
• Possess business acumen
• Be comfortable managing risk
• Be a team player
• Plan ahead
• Be an effective communicator
• Understand and apply
psychology/sociology
• Be politically savvy
Know privacy and security – it’s everyone’s job.
• Actively participate in the industry
• Open and maintain a useful dialogue
• Work on expanding awareness and education
• Change perception
• Forrester Research
• Fortinet
• IBM
• Ponemon Institute
• RAND Corporation 2014
• Solutionary Annual Threat Reports
• Symantec
• Verizon 2014 Data Breach Investigations Report
• Mac McMillan, CISM, CEO, CynergisTek, Inc.