Healthcare Information Security: What Healthcare Executives Need to Know

Russell Branzell, CHCIO, FCHIME, FACHE President and CEO College of Healthcare Information Management Executives AHA/Health Forum Leadership Summit, July 18, 2016

AEHIA, AEHIS and AEHIT were formed in 2014 with the goal of spreading professional development and best practices across the health IT landscape. Each association focuses on the unique needs of these roles while emphasizing the common skill of leadership that unites them.

• Senior leaders in healthcare IT applications
• Senior leaders in healthcare IT security
• Senior leaders in healthcare IT technology

threatmap.fortiguard.com

More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of patient information is digitized and accountable care/patient engagement rely on it.

Any outage, corruption of data, or loss of information risks patient safety and care.

Competing demands on healthcare IT include:
• Physician Alignment
• BYOD
• MU (Meaningful Use)
• Research
• Telemedicine
• BAs (Business Associates)
• Patient Engagement
• HIPAA/HITECH
• HIEs
• ACOs
• ICD-10
• FISMA

Black markets will help attackers outpace defenders
• Darknets will be more active: participants will be vetted, cryptocurrencies will be used, there will be greater anonymity in malware and more encryption in communications and transactions
• Hyperconnectivity will create greater opportunity for incidents
• Exploitation of social networks and mobile devices will grow
• More hacking for hire, as-a-service, and brokering
Source: RAND Corporation 2014

Threat actors come in many forms:
• 12 year old learning computers in middle school
• 14 year old home-schooled girl tired of social events
• 15 year old in New Zealand who just joined a defacement group
• 16 year old in Tokyo learning programming in high school
• 19 year old in college putting course work to work
• 20 year old fast food employee who is bored
• 22 year old in Mali working in a carding ring
• 24 year old black hat trying to hack whoever he can
• 25 year old soldier in an East European country
• 26 year old contractor deployed overseas
• 28 year old in Oregon who believes in hacktivism
• 30 year old white hat who has a black hat background
• 32 year old researcher who finds vulnerabilities in systems
• 35 year old employee who sees a target of opportunity
• 37 year old rogue intelligence officer
• 39 year old disgruntled admin passed over for promotion
• 41 year old private investigator
• 44 year old malware author paid per compromised host
• 49 year old pharmacist in midlife crisis
• 55 year old nurse with a drug problem

• Theft, fraud and loss: nearly half of all breaches involve some form of theft or loss of a device that was not properly protected
• Insider abuse: nearly 15% of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud
• Unintentional action: almost 12% of breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or faxes
• Cyber attacks: these types of attacks almost doubled in 2014
• And there are many, many others
Source: Verizon 2014 Data Breach Investigations Report

• Medical identity theft and fraud costs billions each year, affecting everyone
• Healthcare-directed attacks have increased more than 20% per year for the last three years
• Identity theft comes in all forms and is costly:
  – Insiders selling information to others
  – Hackers exploiting systems
  – Malware with directed payloads
  – Phishing for the "big" ones

• 68% of healthcare data breaches are due to loss or theft of assets
• 1 in 4 houses is burglarized, a breaking and entering happens every 9 minutes, and more than 20,000 laptops are left in airports each year
• First rule of security: no one is immune
• 138%: the percentage increase in records exposed in 2013
• 6–10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%

"Unencrypted laptops and mobile devices pose significant risk to the security of patient information." – Sue McAndrew, OCR

• It is estimated that more than half of all security incidents involve staff
• 51% of respondents in a SANS study believe the negligent insider is the chief threat
• 37% believe that security awareness training is ineffective
• Traditional audit methods and manual auditing are completely inadequate
• Behavior modeling, pattern analysis and anomaly detection are what is needed

• Most cybersecurity insurance only covers a fraction of large breach costs
• Insurance providers are looking to increase premiums and enhance underwriting provisions to avoid losses associated with large incidents:
  – Additional exclusionary language
  – Right to investigate independently
  – Columbia Casualty vs. Cottage Health System

Consequences of a breach include:
• Discovery, Notification and Response
• Civil Penalties
• Criminal Penalties
• VBP Payment Impacts
• Business Disruption
• Federal CAP/RA
• Insurance
• HCAHPS Score Impacts
• ID Theft Monitoring
• State Actions
• Degradation of Brand/Image
• Patient Confidence/Loyalty
• Investigation/Review
• Lawsuit Defense
• Distraction of Staff
• Physician Alignment/Nurses and Staff Agreement

• Lack of qualified personnel
• Lack of financial resources
• Volume and expanding types of threats
• Not enough cyber threat intelligence
• Too many software applications, devices, and network touch points
• Lack of effective tools

• Healthcare CISOs gave themselves an average maturity rating of 4.35 on a scale of 1–7
• Missing critical technologies to fight today's threats
• More than half spend less than 3% of their IT budget on protecting data
• Almost half have a full-time CISO or information security manager

• Implement a continuous program of risk assessment and management
• Increase knowledge of threat actors
• Maintain the current environment
• Improve detection and reaction capabilities
• Implement data exfiltration controls
• Enhance user education and accountability
• Implement active vendor security management
• Address long-term challenges around medical devices
• Plan for incidents

• 70% of Board members feel they understand cyber risks
• 43% of CIOs/CISOs think Boards are informed about threats to IT
• Board members do admit limited knowledge about cybersecurity
• Board members and IT security need to communicate more often
• It took major breaches like Target, Anthem and Community Health to get the Board's attention
• Boards are still in the dark concerning security risks and incidents

• Be a leader
• Possess business acumen
• Be comfortable managing risk
• Be a team player
• Plan ahead
• Be an effective communicator
• Understand and apply psychology/sociology
• Be politically savvy

Know privacy and security – it's everyone's job.

• Actively participate in the industry
• Open and maintain a useful dialogue
• Work on expanding awareness and education
• Change perception

Sources:
• Forrester Research
• Symantec
• Fortinet
• Verizon 2014 Data Breach Investigations Report
• Mac McMillan, CISM, CEO, CynergisTek, Inc.
• IBM
• Ponemon Institute
• RAND Corporation 2014
• Solutionary Annual Threat Reports
