TRANSCRIPT
Cybersecurity:
Are You Prepared for Tomorrow?
July 8, 2015 © 2015 The Kiran Consortium Group, LLC
Page 2: Table of Contents
Reproduction of this presentation in part or in its entirety is prohibited without express written consent from The Kiran Consortium Group, LLC. Copyright 2015. All rights reserved.
• Introduction
• What We Know
• A Path Forward
• Bibliography
• Contact
Page 3: Introduction
Page 4: Introduction
Over the last two years, an increasing number of instances of hacking into organizations across industries has become our modern, digital reality.
Now, more than ever, healthcare executives must elevate cybersecurity to an enterprise-level, strategic initiative. It will require a relentless commitment to on-going governance, vigilance and proactive approaches.
Page 5: Introduction
Let’s begin with a definition.
Gartner, Inc., the world's leading information technology research and advisory company, developed this definition in 2013:
“Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.” [1]
One element not mentioned in the Gartner definition, but found in another definition, is the “user’s assets” in the context of cybersecurity. [2]
Page 6: Introduction
The definition is further clarified as follows. Gartner, Inc. further advises:
“Security leaders should use the term ‘cybersecurity’ to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems.” [3]
We believe the relationship between cybersecurity and the assets of every healthcare organization is critical to the current executive conversation and will inform Board-level communication, the enterprise-wide strategic plan and the implementation of appropriate tactical measures to safeguard organizational data.
Page 7: Introduction
Why discuss cybersecurity now?
Presentation Goals:
• What We Have Learned to Date Across Industries and In Healthcare
• Increase Healthcare Executive Engagement on Cybersecurity
• Executive Approach to Integrate Cybersecurity Into Strategic, Management Goals and Mitigate Potential Risk
What is not included in this presentation:
1) a technical view and solutions for cybersecurity,
2) a technical view of privacy and security, and/or
3) reference or endorsement of any specific solution(s) and/or service(s) to anticipate or remediate breaches.
Page 8: What We Know
Page 9: What We Know
Data breaches are a global phenomenon increasing in number and magnitude over time.
• From 2005 through 2011, the Business Sector was listed in first place with 34.4 % of breaches. [4]
• In 2012, the Medical and Healthcare Sectors replaced Business as the industry with the greatest number of breaches at 26.4 %. [4]
• In 2014, the Medical and Healthcare Sectors breaches rose to 42.5 % when compared to all industries. [4]
[Bubble diagram of breaches by year, 2011 through 2015.] Note: Bubble diagram only includes those breaches that impacted greater than 30,000 records. [5]
Page 10: What We Know
Concern for medical and healthcare cybersecurity is widespread.
• “Experts warn 2015 could be 'Year of the Healthcare Hack'”, February 11, 2015 [6]
• “Epidemic of Healthcare Cyberattacks Requires Action, Says WEDI”, June 25, 2015 [7]
• “Healthcare Sector Security Efforts Needs a Shot in the Arm”, May 12, 2015 [8]
• “Lesson From the Anthem Hack: Cybersecurity Must Extend Beyond Encryption”, February 11, 2015 [9]
• “Hospitals Battle Data Breaches With a Cybersecurity SOS”, February 10, 2015 [10]
• “GAO To Release HealthCare.Gov Cybersecurity Report in 2015”, April 24, 2015 [11]
• “Pharma and Biotech Firms Hacked”, December 2, 2014 [12]
• “Implantable Devices: Medical Devices Open to Cyber Threats”, April 8, 2015 [13]
• “Anthem Hacking Points to Security Vulnerability of Health Care Industry”, February 5, 2015 [14]
Cyber attacks and breaches, 2014-2015: [X]
• Airlines
• Communications Firms
• Entertainment Industry
• Financial Services (includes Banks)
• Hotels
• Insurance Companies
• Internet Service Providers
• Mobile Applications Firms
• Oil
• Restaurants
• Retailers
• Social Media
• Technology Firms / Contractors
• U.S. Government
Page 11: What We Know
The magnitude of select healthcare data breaches (Part I):
• 78.8 / 80 M [15, 14]
• 1.1 M [16, 17]
• 11.0 M [16]
• 0.250 M [16]
• 0.150 M [16]
2015: The Office of Civil Rights requires breaches of 500 or more records to be reported. Approximately 137 data breaches have been reported from January 1 through June 15, 2015.
Page 12: What We Know
The magnitude of select healthcare data breaches (Part II), timeline 2010 through 2014:
• 2014: 4.5 M [18, 10]. Source of Breach: Heartbleed software bug
• 4.9 M [20]. Source of Breach: Lost back-up tapes
• 4 M [20]. Source of Breach: Theft of 4 computers containing unencrypted medical records
• 1.9 M [20]. Source of Breach: Vendor lost drives
• 1.1 M [20]. Source of Breach: Malware attack
• 1.1 M [20]. Source of Breach: Unencrypted back-up tapes stored in a cabinet lost during remodeling
• 1 M [20]. Source of Breach: 57 hard drives removed from servers in Chattanooga office
Page 13: What We Know
Varied types of healthcare data breaches:
Researchers conducted a review of data from the HHS breaches database, 2010-2013: [21, 22]
• Nearly 1,000 larger breaches occurred
• More than 29 M individual health records breached
• More than 50 % of breaches resulted from loss or theft of laptops, thumb drives, and paper records
• Hacking accounted for 27 % of 2013 breaches
The largest breaches reported to HHS, 2010-2013: [23]
• Range of top 50 breaches equals 48,752 to 78.8 M records
• Sources of breaches (as specified by organization):
  Hacked Network Server = 12
  Unauthorized Access = 8
  Theft of Server = 1
  Theft of Desktop = 5
  Theft of Laptop = 5
  Theft of Hard Drives = 4
  Theft of Back-Up Tapes = 1
  Stolen Hardware = 1
  Stolen Records & Hardware = 1
  Missing Hard Drive = 1
  Missing Storage Disks = 1
  Missing Server = 1
  Malware Attack = 1
  Record Theft = 1
  Information Theft = 1
  Hacked Computer = 1
  E-Mail Hacked = 2
  Improper Disposal = 1
  Exposed Information = 1
  Other = 1
Page 14: What We Know
Financial impact of data breaches: [24]
• 2013: Total Average Cost of Data Breach = $ 3.5 M
• 2014: Total Average Cost of Data Breach = $ 3.8 M
The study “…found that healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $ 363, more than twice the average for all sectors of $154.” [24]
Page 15: What We Know
Survey: Assessing potential risk for breaches: [25]
Risk Ranking for Information Assets in Health Care Systems (Top 5 Risks)
• Electronic Health Record (61%)
• Infrastructure (middleware, network) (45%)
• Personal Health Records (42%)
• Patient Portals (36%)
• Corporate Assets / Intellectual Property (33%)
Risk for Mobile Devices in Health Care Systems (Top 5 Risks)
• Lack of Awareness of Security Policies (73.9%)
• Insecure or Unprotected Endpoints (73.3%)
• Lost or Stolen Device (70.3%)
• Corrupt, Hacked or Malicious Applications (58.2%)
• Insecure Wireless Use (49.7%)
Per Cent of Budget Allocated for Security
• IT Budget is 4-6%: 13%
• IT Budget is 1-3%: 14%
• Unsure of IT Budget Allocation To Security: 47%
Note: There are numerous surveys in the industry that can be reviewed as background information.
Page 16: What We Know
Survey: Cybercrime by Industry: [25]
[Graph: cybercrime by industry, from the survey cited in [25].]
Page 17: What We Know
Report: Cybersecurity Impacts on Healthcare Enterprises:
McKinsey and the World Economic Forum published a 2014 report, “Risk and Responsibility in a Hyperconnected World”. Their 3 healthcare cybersecurity findings are as follows: [26]
“1. Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks, and the risk is getting worse. The potential impact is enormous: cyberattacks could materially slow the pace of technology and business innovation, with as much as $3 trillion in aggregate impact.”
• “Healthcare systems are rapidly digitizing their operations and services to meet patient needs, reduce costs, and increase competitiveness. A rise in cyberattacks could slow adoption of newer technologies ranging from electronic health records to more sophisticated medical devices and solutions (e.g., telemedicine, connected infusion pumps, and robotic surgery).”
• “…high proportion of the healthcare executives … interviewed believe… sophistication or pace of cyberattacks will increase quickly, and all … agreed attackers’ capabilities will likely outpace the capabilities of their organization.”
“2. CIOs and other enterprise technology executives agreed on seven practices they should put in place to improve their organization’s resilience …”
• “…. most underdeveloped…56% healthcare respondents believe… their company spends insufficiently on cybersecurity.”
“3. Given its cross-functional, high-stakes nature, cybersecurity is an issue requiring leadership at the CEO level; progress toward cyber resiliency can only be achieved with active engagement from the senior members of the management team.”
• “… impact of data loss or compromised quality could be massive. Not only could it result in reputational damage and high costs (including HIPAA fines), but it could also effectively shut down the organization.”
• “Healthcare executives are more worried about insider/employee threats than are leaders in any other industry – 41% of the healthcare executives rating those threats as one of the top two risks likely to have a strategic and negative impact on their bottom line.”
• “… effort should be a company-wide initiative, not just a set of technical solutions. (e.g., frontline personnel should be educated about the value of information assets).”
Page 18: What We Know
Professional Societies: Cybersecurity and Risk [10]
“We are focused on raising awareness to make sure folks are incorporating cybersecurity into their risk management programs.”
Chantal Worzala, Director of Policy, American Hospital Association
“…the association believes everyone should take cybersecurity seriously and incorporate it into a larger risk management program. ‘Every organization, no matter what size, can do a great deal to reduce their risk and prevent attacks from happening,’ …while cautioning hospitals not to focus exclusively on patient information protection. …Thinking about the HIPAA privacy and security rules is important, but not the whole picture. Any of your systems that are connected to the Internet can potentially allow a source of invasion into your organization.”
Lawrence Holmes, Assistant General Counsel, American Hospital Association
Page 19: What We Know
Healthcare Providers: Cybersecurity and Risk
How might your organization be impacted by risks associated with cybersecurity?
o Interruption of Business Operations
o Remediation Costs
o Community Good Will [10]
o Trust, Consumer and Clinician
o Potential Lawsuits
o Financial Fines (Breach notification to Department of Justice)
o Professional Reputation, Corporate or Individual Provider
o Assets (e.g. Medical Devices, Hardware, Mobile Devices, etc.)
o Intellectual Property
Page 20: What We Know
2015: Cybersecurity predictions across industries [27]
[Graph of 130 predictions grouped by category.] Note: “…forward-looking articles from 17 organisations and assigned the resulting 130 predictions to a number of emergent categories to produce the graph:”
“One thing about cybersecurity is certain: it's no longer sufficient for organi[z]ations simply to guard the network perimeter with a firewall and install antivirus software on endpoints. CSOs and CISOs need to continually monitor the evolving threat landscape, and to replace an ‘if we get hacked’ mindset with a ‘when we get hacked’ one.” [27]
Page 21: What We Know
Government Guidance to the Healthcare Industry (Part I):
April 8, 2014: The Federal Bureau of Investigation issues a “private industry notification” (PIN) specifically to the healthcare industry.
“The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” [28]
Page 22: What We Know
Government Guidance to the Healthcare Industry (Part II):
October 23, 2014: The Food and Drug Administration issues a position to the healthcare industry regarding medical devices and the threat of cyber attacks.
“…To mitigate and manage cybersecurity threats, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, which could be caused by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. …” [29]
Page 23: A Path Forward
Page 24: A Path Forward
Refresh your cybersecurity efforts
Healthcare executives and their organizations have been focused on privacy and security for many years. Given the growing number and frequency of cyber attacks, refreshing your enterprise cybersecurity efforts is timely. Here are a few recommendations for this effort:
o Board of Directors Education and Governance
o Executive Team Engagement and Oversight
o Enterprise-wide Culture of Awareness
o Investment, and
o Cyber Insurance
Page 25: A Path Forward
The Anthem breach, due to its magnitude, started all industries talking about cybersecurity at the Board of Directors level: [31]
1. Strategic Planning Challenges
2. Cybersecurity
3. Assess the Impact of Advances in Technology and Big Data
4. Shareholder Activism
5. The Return of M&A
6. Risk Management
7. Ensure Appropriate Board Composition
8. Explore New Trends in Reducing Corporate Health Care Costs
9. Executive Compensation
10. Maintain Robust Compliance Programs
“Cybersecurity is not an IT issue. It’s a business issue.” [30]
Cybersecurity is “the foremost issue on directors’ minds right now because it is tied into the risk structure of the organization.” [30]
Page 26: A Path Forward
Solution: “What we see works most effectively as boards are pushing into this area [cybersecurity] is working collaboratively with executives in the organization to work through what’s important and settle on a series of communications and metrics on governance for cybersecurity.” [30]
Additional information: “Educating the Board”, eight specific tips on how best to address cybersecurity. See citation [30].
Solution: Identify Board members that will participate on two committees: Cybersecurity and Audit.
Page 27: A Path Forward
Solution: “Given its cross-functional, high-stakes nature, cybersecurity is an issue requiring leadership at the CEO level…” [26]
Solution: The Chief Information Officer and Chief Information Security Officer should work with the Executive team to determine the information that will be regularly reported to this group. Given the business risks posed by cyber attacks, this information is critical to all executives across the enterprise.
Page 28: A Path Forward
Solution:
o All Executives have a stake in working toward the prevention of cyber attacks, whether from within the organization or from external sources.
o Risk mitigation will require executives from all service lines to be active participants and advocates of cyber crime prevention.
o Data is a corporate asset and any threat is a strategic as well as tactical imperative.
McKinsey Report: 41 % of healthcare executives indicated that they are most concerned about insider or employee cyber threats. [26]
Page 29: A Path Forward
Solution:
o Education for the entire healthcare organization will stress the importance of security and the impact of potential cyber attacks (e.g. password protection, unauthorized access to information, theft, impacts on organization from cyber attacks, etc.).
Solution:
o Healthcare organizations can find various types of cybersecurity materials on the HHS website, www.healthit.gov (e.g. “Top 10 Tips for Cybersecurity in Health Care”). [32]
Page 30: A Path Forward
Benchmark: Regardless of industry, the level of cybersecurity investment within an Information Technology budget ranges from 1-3 %. [25]
Note: Cybersecurity is not just a technical solution. Investment towards related cybersecurity efforts may be allocated across the enterprise based on the executive team’s assessment as to those areas that will be underwritten in the budget.
Point of Reference: Over the last 3 years, 76 % of healthcare breaches resulted from loss or theft while hacking accounted for 23 % of breaches. [33]
Solution:
o Assess current requirements to support enterprise-wide cybersecurity efforts. Determine budget levels accordingly.
Page 31: A Path Forward
For your reference: Insurance Benchmarks [34]
• Annual Revenue: $ 100 M. Aggregate Limit: Between $ 1 M and $ 4 M. Retention: $ 25,000 to $ 100,000
• Annual Revenue: $ 500 M to $ 600 M. Aggregate Limit: Between $ 5 M and $ 10 M. Retention: $ 50,000 to $ 250,000
• Annual Revenue: $ 1 B. Aggregate Limit: Between $ 10 M and $ 15 M. Retention: $ 100,000 to $ 1 M
Example [34]: Health System with 7 hospitals, 8 long-term care facilities and 6 assisted living sites. Cyber Policy Coverage: $ 8 M - $ 10 M. Policy Cost: $ 100,000
Example [35]: Anthem. Cyber Policy Coverage: $ 150 M - $ 200 M. Policy Cost: $ 10 M (primary) and $ 10 M (self-retention)
Solution:
o Review existing insurance coverage. Update policy coverage, as necessary.
Page 32: A Path Forward
Cyber insurance can provide basic coverage for liability, regulatory fines or penalties as well as business disruption coverage. In addition, other related expenses can be available under expanded coverage:
• “Legal costs,
• Costs related to a class action lawsuit,
• Costs related to forensics and investigation,
• Public relations costs,
• System monitoring costs,
• Credit monitoring,
• Identity theft repair for victims of the breach,
• Staffing budget for the hospital call center to handle increased inquiries in the aftermath of the breach,” [34]
• Computer forensics, etc.
“[Adam Greene] recommends that hospitals look into purchasing cyber insurance policies to protect themselves from the potential damage of attacks, which, according to one industry survey, cost an average of $2.4 million to address. ‘Cyberattacks are often excluded from general insurance policies, but can be ruinous to large organizations if there are breaches.’” [10]
Adam Greene, Health Care Attorney, Davis Wright Tremaine
Page 33: A Path Forward
In summary….
Cybersecurity has been elevated to the status of national importance. On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”. [36]
As a result, the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, is tasked with working “with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure”. [37]
Page 34: A Path Forward
In summary….
Page 35: Bibliography
Presentation: Cover Page
Graphic found on cover page is found on Bing.
https://www.bing.com/images/search?q=Glass+breaking&view=detailv2&&&id=DBAFEE1F65397FE5A123E7A52513714C3D20DC70&selectedIndex=26&ccid=Zv42OKj3&simid=608020834029275732&thid=JN.rPvNENhW6H3Suq5pV%2blShw&ajaxhist=0
Table of Contents
Graphic found on table of contents page is found on Bing.
https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=C6B1B522DD2188294DDACC8878E8E479DC7A7807&selectedIndex=3&ccid=Qdwh7gau&simid=608011612734295082&thid=JN.eHWRwslnXbm2xQfOX0960A&ajaxhist=0
Introduction
Page 3 Graphic is found on Bing: http://farm8.staticflickr.com/7445/11076044155_ff4b859b92_z.jpg
Page 4 Graphic is found on Bing:
https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=334BAF7B27A696389C51F7E1FBEDA132F75D8B3E&selectedIndex=32&ccid=t6LH2bgi&simid=608020357293868390&thid=JN.uPRVrt9M277hEtZKnK5NmA&ajaxhist=0
Page 5 Graphic is found on Bing:
https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=DE81F539D27E1A2F70C7A26BA07E6EE2D8173C73&selectedIndex=935&ccid=2XfZkeeA&simid=607989377695549723&thid=JN.7jGsCLT0mYnxiMTfDOzvFw&ajaxhist=0
[1] Andrew Walls, Earl Perkins and Juergen Weiss, authors of the definition Gartner, Inc. has established for Cybersecurity in a report issued on June 7, 2013. https://www.gartner.com/doc/2510116/definition-cybersecurity
[2] The ITU is the United Nations specialized agency for information and communication technologies (ICTs). While this is not common reference material, they have uniquely identified the relationship between Cybersecurity and a “user’s assets”. http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx
The entire definition is found on the following page.
Page 36: Bibliography
Introduction (continued)
Page 6 [2] Continued
Their definition is as follows (Overview of cybersecurity):
“Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:
- Availability,
- Integrity, which may include authenticity and non-repudiation, [and]
- Confidentiality”
[3] Franscella, Joe. “Cybersecurity vs. Cyber Security: When, Why and How to Use the Term”, Infosec Island, July 17, 2013.
http://www.infosecisland.com/blogview/23287-Cybersecurity-vs-Cyber-Security-When-Why-and-How-to-Use-the-Term.html
“First, let’s tackle the when and why; we’ll move onto the how later…
In June, Gartner (@Gartner_inc) acknowledged that there is confusion in the market over how the term should be used, prompting the firm to publish “Definition: Cybersecurity” (note, Gartner uses the single-word form). In it, analysts Andrew Walls, Earl Perkins and Juergen Weiss wrote that “Use of the term ‘cybersecurity’ as a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines.” To help set the record straight, the team defined the term:
"Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries."
Additionally, Gartner advised:
"Security leaders should use the term "cybersecurity" to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems."
Page 37: Bibliography
What We Know
Page 8: Graphic is found on Bing:
https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=008EB29055FD82E20A43504673746150287D7BB1&selectedIndex=11&ccid=csPUwyrR&simid=608013519700100824&thid=JN.OZEhTe5yVao%2fEDwtds5FdA&ajaxhist=0
Page 9: [4] “Identity Theft Resource Center Breach Report Hits Record High in 2014”, Identity Theft Resource Center, January 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
[5] “World's Biggest Data Breaches (Selected losses greater than 30,000 records)”, updated June 13, 2015. Source: DataBreaches.net, IdTheftCentre, press reports / Research: Miriam Quick, Ella Hollowood, Christian Miles, Dan Hampson. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Page 10: [6] Humer, Caroline and Finkle, Jim. “Experts warn 2015 could be 'Year of the Healthcare Hack'”, Reuters, February 11, 2015 at 1:29 pm EST. http://www.reuters.com/article/2015/02/11/us-usa-healthcare-cybersecurity-analysis-idUSKBN0LF22H20150211
[7] Slabodkin, Greg. “Epidemic of Healthcare Cyberattacks Requires Action, Says WEDI”, Health Data Management, June 25, 2015 at 7:54 am ET. http://www.healthdatamanagement.com/news/Epidemic-of-Healthcare-Cyberattacks-Requires-Action-Says-WEDI-50770-1.html?utm_campaign=daily-jun%2025%202015&utm_medium=email&utm_source=newsletter&ET=healthdatamanagement%3Ae4631750%3A4223235a%3A&st
[8] Iasiello, Emilio. “Healthcare Sector Security Efforts Needs a Shot in the Arm”, Dark Matters, May 12, 2015. http://darkmatters.norsecorp.com/2015/05/12/healthcare-sector-security-efforts-needs-a-shot-in-the-arm/
[9] Conn, Joseph. “Lesson from the Anthem hack: Cybersecurity must extend beyond encryption”, Modern Healthcare, February 11, 2015. http://www.modernhealthcare.com/article/20150211/NEWS/302119936
Page 38: Bibliography
What We Know (continued)
Page 10: (continued)
[10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health Networks, February 10, 2015. http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity
[11] “GAO To Release HealthCare.gov Cybersecurity Report in 2015”, iHealthbeat, April 24, 2015. http://www.ihealthbeat.org/articles/2015/4/24/gao-to-release-healthcaregov-cybersecurity-report-in-2015
[12] Grens, Kerry. “Pharma and Biotech Firms Hacked”, The Scientist, December 2, 2014. http://www.the-scientist.com/?articles.view/articleNo/41566/title/Pharma-and-Biotech-Firms-Hacked/
[13] Freedman, Anne. “Implantable Devices: Medical Devices Open to Cyber Threats”, Risk&Insurance, April 8, 2015. http://www.riskandinsurance.com/implantable-devices-medical-devices-open-to-cyber-threats/
[14] Abelson, Reed and Goldstein, Matthew. “Anthem Hacking Points to Security Vulnerability of Health Care Industry”, The New York Times, February 5, 2015. http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html
Page 11: Graphic is found on Bing:
https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=C287BF2A2DE8F26794B2CF8DB9214BA5A40E01E4&selectedIndex=8&ccid=o1oqu2QA&simid=608003155949128516&thid=JN.Yvp4OjhtfSZNGuSd8TUxFQ&ajaxhist=0
[14] Abelson, Reed and Goldstein, Matthew. “Anthem Hacking Points to Security Vulnerability of Health Care Industry”, The New York Times, February 5, 2015. http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html
[15] Wilde Mathews, Anna and Yadron, Danny. “Health Insurer Anthem Hit by Hackers”, The Wall Street Journal, updated Feb. 4, 2015 at 9:39 p.m. ET. http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720
Page 39: Bibliography
What We Know (continued)
Page 11: (continued)
[16] Peters, Sara and Chickowski, Ericka. “Healthcare Breaches Like Premera First Stage Of Bigger Attacks?”, InformationWeek Dark Reading, 3/18/2015 at 02:40 PM. http://www.darkreading.com/healthcare-breaches-like-premera-first-stage-of-bigger-attacks/d/d-id/1319520
[17] Goedert, Joseph. “Cyber Attack Hits CareFirst BCBS”, Health Data Management, May 20, 2015 at 6:45 pm ET. http://www.healthdatamanagement.com/news/cyber-attack-hits-care-first-bcbs-50543-1.html?utm_campaign=daily-may%2021%202015&utm_medium=email&utm_source=newsletter&ET=healthdatamanagement%3Ae4416363%3A4223235a%3A&st=email
Note: If you are interested in researching healthcare breaches, visit the Office of Civil Rights web site at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf .
“Breaches Affecting 500 or More Individuals
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary. The following breaches have been reported to the Secretary…”
Page 12: [18] Huddleston, Jr., Tom. “Premera Blue Cross reveals cyberattack that affected 11 million customers”, Fortune, March 17, 2015 at 7:18 PM EDT. http://fortune.com/2015/03/17/premera-blue-cross-hacking-breach/
[10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health Networks, February 10, 2015. http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity
[20] Williams, Nia. “Big healthcare breaches affected millions before Anthem's hack”, Modern Healthcare, February 10, 2015. http://www.modernhealthcare.com/article/20150210/BLOG/302109995
Bibliography
40
© 2015 The Kiran Consortium Group, LLC
What We Know (continued)
Page 13: [21] “Researchers Find Health Data Breaches Are Steadily Increasing”, iHealthbeat, April 15, 2015.
http://www.ihealthbeat.org/articles/2015/4/15/researchers-find-health-data-breaches-are-steadily-increasing
[22] Vincent Liu, MD, MS; Mark A. Musen, MD, PhD and Timothy Chou, PhD. “Data Breaches of Protected
Health Information in the United States” , The Journal of the American Medical Association, April 14, 2015,
JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.
http://jama.jamanetwork.com/article.aspx?articleid=2247135
[23] Jayanthi, Akanksha. “50 biggest data breaches in healthcare”, Becker’s Hospital Review, June 25,
2015. http://www.beckershospitalreview.com/healthcare-information-technology/50-biggest-data-breaches-in-healthcare.html
Page 14: [24] “Cost of data breaches increasing to average of $3.8 million, study says”,
Reuters, May 27, 2015 at 6:03am EDT.
http://www.reuters.com/article/2015/05/27/us-cybersecurity-ibm-idUSKBN0OC0ZE20150527
If you would like a copy of the report cited, it can be downloaded at
http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
“2014 Cost of Data Breach Study: Global Analysis”, benchmark research sponsored by IBM and
independently conducted by Ponemon Institute LLC. Report released in May 2014.
Page 15: [25] Filkins, Barbara. “New Threats Drive Improved Practices: State of Cybersecurity in Health Care
Organizations”, SANS, December 2014. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
Graphic is found on Bing: https://www.bing.com/images/search?q=Business+Risk&view=detailv2&&&id=A153C313CBC274E67687C4DAFDC8E54ACC74AF34&selectedIndex=30&ccid=yzbS4UEO&simid=608027976578566801&thid=JN.lmNCwprrGbvPVWOQjDsKHA&ajaxhist=0
What We Know (continued)
Page 16: [25] Filkins, Barbara. “New Threats Drive Improved Practices: State of Cybersecurity in Health Care
Organizations”, SANS, December 2014, graph from page 27. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
Page 17: [26] Kayyali, Basel. “Risk and responsibility in a hyperconnected world”, McKinsey Healthcare,
July, 2014. http://healthcare.mckinsey.com/risk-and-responsibility-hyperconnected-world
Page 18: [10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health
Networks, February 10, 2015. http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity
Page 19: Graphic is found on Bing: https://www.bing.com/images/search?q=Business+Risk&view=detailv2&&&id=1480943C7595C8B67AD1AAF759839E706F1C1BFA&selectedIndex=28&ccid=ebptr96c&simid=608002524597125757&thid=JN.NPGcOkxHQbHTgxQm87eefg&ajaxhist=0
[10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health
Networks, February 10, 2015. http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity
Page 20: [27] McLellan, Charles. “Cybersecurity in 2015: What to expect”, ZDNet, February 2, 2015 at 16:34
GMT. http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/
Note: “…forward-looking articles from 17 organisations and assigned the resulting 130 predictions to a
number of emergent categories to produce the graph below:”
2015 Security predictions from: Blue Coat, Damballa, FireEye, Fortinet, Forrester, Gartner, IDC, ImmuniWeb,
Kaspersky Lab, Lancope, McAfee, Neohapsis, Sophos, Symantec, Trend Micro, Varonis Systems, Websense.
Image: Charles McLellan/ZDNet
Page 21: [28] Finkle, Jim. “Exclusive: FBI warns healthcare sector vulnerable to cyber attacks”, Reuters, April 23,
2014 at 3:15pm EDT.
http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423
What We Know (continued)
Page 21: Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=929734216DCF1611B798AA73F7EE00EBF1D87C18&selectedIndex=87&ccid=4PBUCVT7&simid=608034178493711929&thid=JN.1732Xo0Gz8sSmo3iIanniA&ajaxhist=0
Page 22: Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=135B5DDD3EAF9AC6318DABF108EBBC6FA5DCDA43&selectedIndex=212&ccid=qK%2bHYNVP&simid=608052406336030125&thid=JN.GccHoyuyfgECQad1D9GT1w&ajaxhist=0
[29] FDA. “Cybersecurity”, October 23, 2014
http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/ucm373213.htm
A Path Forward
Page 23: Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=325803234F8EF2F203FD6C6F3FD98DDBC3D1910C&selectedIndex=10&ccid=YsoxOrSF&simid=608034419014896124&thid=JN.U8GGS1y4wekie2iD3lPUHw&ajaxhist=0
Page 24: Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=325803234F8EF2F203FD6C6F3FD98DDBC3D1910C&selectedIndex=10&ccid=YsoxOrSF&simid=608034419014896124&thid=JN.U8GGS1y4wekie2iD3lPUHw&ajaxhist=0
Page 25: [30] Overby, Stephanie. “Boards on Cyber Alert”, CIO, May 1, 2015, pp. 20-25 and quotes are found on
page 23.
[31] Akin Gump Strauss Hauer & Feld LLP. “Top 10 Topics for Directors in 2015”. To access this report:
http://cdn.akingump.com/images/content/3/4/v2/34387/CORPORATE-ALERT-121214-v6.pdf
A Path Forward (continued)
Page 26: [30] Overby, Stephanie. “Boards on Cyber Alert”, CIO, May 1, 2015, pp. 20-25 and quote is found on
page 25.
If you are interested in additional information about “Educating your Board – Tips”, refer to page 22 of this
reference.
Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=DDC055C59068A698C97E82AF39D7638E8C7DA8D2&selectedIndex=14&ccid=rOmAljjn&simid=608010994260574356&thid=JN.d2yB3NtelkX8KrttKylChg&ajaxhist=0
Page 27: [26] Kayyali, Basel. “Risk and responsibility in a hyperconnected world”, McKinsey Healthcare,
July, 2014. http://healthcare.mckinsey.com/risk-and-responsibility-hyperconnected-world
Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=9D5A11F64213F1DCB1533C7E4D1AAFC792BA332E&selectedIndex=211&ccid=9g9w0ftn&simid=608000033509476020&thid=JN.9sxcQJ7ukkuvFa7CjPxgOQ&ajaxhist=0
Page 28: [26] Kayyali, Basel. “Risk and responsibility in a hyperconnected world”, McKinsey Healthcare,
July, 2014. http://healthcare.mckinsey.com/risk-and-responsibility-hyperconnected-world
Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=43811957DE47026CA22C53750FF8EF371A31F5F0&selectedIndex=93&ccid=Qj5lxKLB&simid=608030450461967113&thid=JN.k4ceOkD6p9ujriUWE2k63Q&ajaxhist=0
Page 29: [32] Department of Health and Human Services (HHS) web site www.healthit.gov
The document, “Top 10 Tips for Cybersecurity in Health Care”, is found at
http://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf
Privacy and Security games are also found through HHS:
http://www.healthit.gov/providers-professionals/privacy-security-training-games
A Path Forward (continued)
Page 29: (continued)
[32] “…the Office of the National Coordinator for Health Information Technology (ONC) continues to develop
educational resources around health care cybersecurity and risk management. A few examples include:
• “Cybersecure” Training Games (see boxes at right)
• A website on Mobile Device Privacy and Security, loaded with videos, tips, and other educational
materials
• The Security Risk Assessment (SRA) Tool, which helps guide small health care practices through the
process of conducting a risk analysis as required by the HIPAA Security Rule
• Videos on Contingency Planning and Emergency Preparedness
• Top 10 Tips for Cybersecurity in Health Care
Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=1D91785E2D06539C0BE609E5C1A04567C747F370&selectedIndex=79&ccid=GIzxYaNX&simid=608009396540083981&thid=JN.OFXJTBSBDPUNn8P2MNQoCg&ajaxhist=0
Page 30: [25] Filkins, Barbara. “New Threats Drive Improved Practices: State of Cybersecurity in Health Care
Organizations”, SANS, December 2014, page 23. https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
[33] “68% of Healthcare Data Breaches Due to Device Loss”, Security Magazine, December 1, 2014.
http://www.securitymagazine.com/articles/85960-of-healthcare-data-breaches-due-to-device-loss
Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=3162112BDDF8F88EA6B276065BC07730AA5AB49E&selectedIndex=92&ccid=F0o3lcTy&simid=608013824649400283&thid=JN.ppVJBCRG2lL0k85Z60Ax9w&ajaxhist=0
A Path Forward (continued)
Page 31: [34] Weiner, Lena J. “Cybersecurity Insurance Basics for Healthcare Organizations”, HealthLeaders Media, June 8, 2015.
http://www.healthleadersmedia.com/print/TEC-317181/Cybersecurity-Insurance-Basics-for-Healthcare-Organizations
[35] Greenwald, Judy. “AIG unit leads Anthem's cyber coverage”, Business Insurance, February 6, 2015.
http://www.businessinsurance.com/article/20150206/NEWS06/150209857
Graphic is found on Bing: https://www.bing.com/images/search?q=Business-Insurance&view=detailv2&&&id=7422002F621E8DEF8CF8E152739E9F5002F0E55B&selectedIndex=97&ccid=I9EwwYUK&simid=608027572855181100&thid=JN.sV2O6bm5mAW4d0k%2bDV13Pg&ajaxhist=0
Page 32: [34] Weiner, Lena J. “Cybersecurity Insurance Basics for Healthcare Organizations”, HealthLeaders Media, June 8, 2015.
http://www.healthleadersmedia.com/print/TEC-317181/Cybersecurity-Insurance-Basics-for-Healthcare-Organizations
[10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health
Networks, February 10, 2015. http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity
Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=15866417AD1FD5EC4564B53436245A7BDEA7C613&selectedIndex=1&ccid=f7RPWMH0&simid=608029136209185191&thid=JN.d3QOep%2bkkcwlTOkrUPIZ8g&ajaxhist=0
Page 33: [36] Press release for Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”, issued by President Obama on February 12, 2013. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
A Path Forward (continued)
Page 33: (continued)
[37] Web site of the National Institute of Standards and Technology (NIST). Specific information regarding
the framework developed by NIST. http://www.nist.gov/cyberframework/
Page 34: Graphic is found on Bing: https://www.bing.com/images/search?q=Business+Risk&view=detailv2&&&id=17D67E920347208BB7CAD47F184D8B5B73F3FB07&selectedIndex=4&ccid=X%2bXM7Bhc&simid=608043623136955140&thid=JN.RUfTLRwid%2bQbimjmrBcl%2bw&ajaxhist=0
Contact Information
Lucy Mancini Newell, MBA, FHIMSS
Managing Partner
Cell Phone: 224.388.6376
Corporate Phone No: 1.800.678.8524
Web Site: www.Kiran-Consortium.com
E-Mail Address:
Other Thought Leadership Materials Are Found On Our Web Site.