Discussing Information Security with Your C-Suite and Board of Directors
How to Have Productive Discussions on Security and Risk
Health Care IT Advisor

Paul Tiao, Partner, Hunton and Williams
Ernie Hood, Senior Director, Research and Insights, The Advisory Board Company
Eric Banks, Chief Information Security Officer, The Advisory Board Company
Road Map
©2016 The Advisory Board Company • advisory.com
1. Why Are the Board and C-Suite More Interested in Information Security Now?
2. Preparation: Scouting the Risk Landscape
3. Understanding the Different Perspectives of the C-Suite
4. Crafting and Delivering the Message
Why Is the Board Interested in Information Security?
In a Word: Breaches

Health Care
• 91% of health care organizations have experienced a breach involving the loss or theft of patient data in the past 24 months.1
• In a recent survey, of those reporting a breach, 40% reported having had more than 5 incidents in the past two years.1

Some Health Care Breaches Reported in 2013-2015
• Hollywood Presbyterian (2016)
• Anthem & Premera (2015)
• Partners Healthcare (2015)
• Healthcare.gov (2014)
• Community Health Systems (2014)
• Boston Children’s Hospital (2014)
• Oregon Health & Science University (2013)
• Crescent Healthcare (Walgreen’s) (2013)
• Advocate Health Care (2013)

“The Wall of Shame”: health care breaches reported involving 500 or more patients:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Other Industries
• RSA
• NSA
• Apple
• NASDAQ
• Sony
• Lockheed
• Target
• JP Morgan Chase
• Sands Casino
• Home Depot

Source: Health Care IT Advisor research and analysis.
1) Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.
Breaches are Expensive

Economic Impacts Specific to Health Care Industry1
• 85% of 2012 breaches cost more than $200,000
• Detection & escalation - $30,000 to $1.6 million
• Notification - $4,000 to $1.7 million
• Follow up response - $60,000 to $5.8 million
• Lost business estimates - $11,000 to $9.5 million
• Total estimated economic impact on a provider organization: $2.1 million

Across All Industries2
Category            Range                    Average
Forensics           $1,250 - $4.9 million    $262,000
Notification        $14 to $15 million       $568,000
Public Relations    $4,000 - $240,000        $46,000
Credit Monitoring   $65 to $1.3 million      $80,000
Legal Counsel       $540 to $1 million       $59,000

Costs Don’t Correlate to the Number of Records Lost
“…our policyholders have been surprised to find that the actual response costs generally will be unique to the specifics of the breach. For example, we have breach incidents involving less than 5,000 records, with remediation costs in six figures because of the policyholders’ industry and the complexity of the breach.”
Thomas Kang, Senior Claims Specialist at ACE USA

Non-Economic Impacts Like a Loss of Trust Can Be Significant Too!

Source: Health Care IT Advisor research and analysis.
1) Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015. 2012 Cost of Cyber Crime Study: US, October 2012. Ponemon Institute.
2) NetDiligence 2015 Cyber Claims Study: http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
Preparation Efforts Not Keeping Pace
Attacks Are Expected …But Prevention and Funding Efforts Lag

52% of health care organizations expect to be compromised by a successful cyber attack in 20151
33% agree they have sufficient resources to prevent or quickly detect a data breach3

“The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.”
Michael Ebert, Partner, KPMG, Cyber Security

Source: Health Care IT Advisor research and analysis.
1) Citrix 2015 Cyberthreat Defense Report: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/2015-cyberthreat-defense-report-north-america-and-europe.pdf
2) 2015 HIMSS Cybersecurity Survey
3) Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.
Threats Come From Internal and External Players
2015 HIMSS Survey Shows Negligent Employees Pose Significant Risks

Identifying and Detecting Security Incidents
• Half of surveyed organizations with an incident of internal origin say these incidents were identified by their own internal security team.
• Heavy reliance on three main incident detection techniques: network monitoring, monitoring of system activity logs, and monitoring user access logs.

External Threats | Insider Threats
64% of hospital respondents report a security incident of external origin

Source: Health Care IT Advisor research and analysis.
1) 2015 HIMSS Cybersecurity Survey
Increasingly Serious Threat Actors
Deep Pockets and Powerful Motivations
Major Information Security Risks
• Poor Incident Response Preparedness
• Weak Technical Disaster Recovery and Corporate Business Continuity
• Fragmented Identity Management and Access Control
• Lack of Data Encryption
• Growth in the Internet of Things and the Consumerization of IT

Source: Health Care IT Advisor research and analysis.
Reduce the Likelihood of a Breach
• Systematically identify and catalogue sensitive data
• Maintain an up-to-date cybersecurity incident response plan
• Develop written information security policies and procedures relating to administrative, technical and physical safeguards for sensitive data
• Develop a plan for managing risks associated with employee relationships
• Develop a plan for controlling service provider relationships
• Work with information technology vendors to deploy hardware and software tools that strengthen information security
• Develop training programs on cybersecurity for both IT and non-IT staff

Source: Health Care IT Advisor research and analysis.
Listen to the Data
You Can’t Afford Not to Prepare

It Can Happen and Probably Has Happened to You
• 91% of health care organizations have experienced a data breach per Ponemon survey
• Even high security and high tech firms like RSA, Lockheed and Google have been breached

If It Happens It’ll Cost You
• Estimates range from $200,000 - $9 million with the average total economic impact being $2.1 million

HIMSS Recommendation for Security Budgeting1
• Percent of IT budget that HCOs should spend on security: 10%
• Percent of IT budget that HCOs actually spend on security: 3%

Source: Health Care IT Advisor research and analysis.
1) http://www.politico.com/story/2015/06/health-care-spending-billions-to-protect-the-records-it-spent-billions-to-install-118432
Preparation: Scouting the Risk Landscape
Assessing Risk

Risk Assessment is *the* most important method for understanding the information security risks within your environment.

Assessment Targets
• Physical Office Assessment (shredding, clean desk, access)
• Security Governance Assessment
• Data Center Assessments (SSAE 16¹ SOC² II Type 2)
• Vendor/Partner Assessments
• Infrastructure Assessment (vulnerability detection/management)
• Product Risk Assessments

Source: Health Care IT Advisor research and analysis.
1) Statement on Standards for Attestation Engagements 16 - an Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) auditing standard for service organizations, superseding SAS 70
2) Service Organization Controls - accounting standards from AICPA
Preparation: Scouting the Risk Landscape
Other Key Channels for Risk Discovery

• Employees: Provide valuable information during product team meetings, during architecture reviews, and in the hallway.
• Industry: Vendor notifications, group memberships, and social media surface risks.
• Your Clients: Clients’ assessments of products or services can surface problem areas previously unknown or not yet addressed.
• Technology: Intrusion prevention alerts, perimeter security, log review, and scanners help to surface risks.
• Threat Modeling: Helps predict types of risks or attacks based on your specific company profile.

Source: Health Care IT Advisor research and analysis.
Preparation: Scouting the Risk Landscape
What Types of Risk Are You Looking For?

Physical/Office Risks
• Multiple office locations
• Theft
• Location access
• Employee mistakes
• “Bad Leavers”

Data/Privacy Risks
• PHI1, PII2, PCI3, student records, Intellectual Property
• Big Data
• Data sharing
• Federal/state/local regulations

Process Risks
• Decentralized data access control
• Backup and recovery
• Duplicated teams/efforts

External Risks
• Hackers
• Natural disasters
• Terrorism
• Partner/Vendor mistakes and threats

Technology Risks
• Cloud storage
• Multiple data centers
• Multiple technology platforms
• (Lack of) encryption
• Endpoints/BYOD4
• The Internet of Things

Source: Health Care IT Advisor research and analysis.
1) Personal Health Information
2) Personally Identifiable Information
3) Payment Card Information
4) Bring Your Own Device
Explore On An Individual Basis:
Knowledge and Interest of Key Leaders Vary
Create a Foundation for Future Discussion Through Private Meetings

Key Leaders: Board, Chief Executive Officer, Chief Financial Officer, Chief Medical Officer, General Counsel, Chief Information Officer

For each key leader, note:
• General attitude about risk and security
• Level of knowledge
• Concerns around risk and security

Understand the Different Perspectives of Your Leadership Before You Present to the Board or C-Suite
One-on-one closed door meetings with key executives will provide a critical understanding of how each views Information Security and risks to the organization.

Source: Health Care IT Advisor research and analysis.
The View From the Boardroom
Common Board Members’ Perspectives on Security and Risk

Potential Perspectives of the Board
Board members mostly experience security through the audit committee.
• Uninformed or misinformed about cybersecurity threats, vulnerabilities, and consequences
• Uninformed or misinformed about cybersecurity preparedness
• Focused on compliance instead of security
• Fearful of liability, focused on unproductive questions, and uncertain about proper role

But the norm is shifting and concerns are growing.
Board awareness of cybersecurity risk and exposure is rapidly increasing. As a result, Boards are more receptive to increasing their focus on cybersecurity.

Source: Health Care IT Advisor research and analysis.
The View From the CEO’s Chair
Common CEO Perspectives of Security and Risk

Potential Perspectives of the Chief Executive Officer
Often organizationally distant from cybersecurity and focused on other priorities but wants it handled without his/her involvement.
• Uninformed or misinformed about the organization’s state of cybersecurity risk and preparedness
• Insufficiently focused on ensuring or investing in appropriate organizational reforms on cybersecurity
• Unaware of the importance of their leadership role in effecting changes and monitoring progress in cybersecurity
• Insufficiently engaged with Board to manage risk and cybersecurity

But the rapidly growing number of cyber events has CEOs concerned about security.
CEOs can become a vital ally in driving cultural change and ensuring leadership engagement.

Source: Health Care IT Advisor research and analysis.
The View From Finance
Common CFO Perspectives of Security and Risk

Potential Perspectives of the Chief Financial Officer
May see security as an expense to be minimized as long as the financial auditors are satisfied.
• Uninformed or misinformed about cybersecurity investments
• Insufficiently focused on cybersecurity resource needs
• Focused on compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Misinformed about the extent of insurance coverage for cyber events

But recent publicity about the cost of cyber events has led to increasing interest levels among CFOs.
The CFO is well positioned to provide needed resources for a security program.

Source: Health Care IT Advisor research and analysis.
The View From Clinicians
Common CMO Perspectives of Security and Risk

Potential Perspectives of the Chief Medical Officer
Often perceives security measures simply as a source of complaints from physicians.
• Unaware or confused about cybersecurity risk
• More concerned with improving efficiency and protecting relationships with physicians than strengthening security

But growing awareness of clinician liability has started to change attitudes toward security measures.
CMO1s, CNO2s, CMIO3s, and CNIO4s can serve as valuable intermediaries explaining the need for security measures to clinicians.

Source: Health Care IT Advisor research and analysis.
1) Chief Medical Officer
2) Chief Nursing Officer
3) Chief Medical Information Officer
4) Chief Nursing Information Officer
The View From Legal
Common General Counsel Perspectives of Security and Risk

Potential Perspectives of General Counsel
May expect the information security team to eliminate all risk.
• Uninformed or misinformed about cybersecurity risk
• Focused on regulatory or contractual compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Sometimes not included in cybersecurity initiatives

But regulatory changes and new case law are increasing awareness among General Counsels about cyber risk and responsibilities.
The General Counsel is important for establishing the right security governance structure and policies, and providing legal support on regulatory, contractual, and incident response matters.

Source: Health Care IT Advisor research and analysis.
The View From Information Technology
Common CIO Perspectives of Security and Risk

Potential Perspectives of the Chief Information Officer
Can see security measures as a barrier and a burden, slowing or even preventing progress and a potential source of trouble.
• Aware of the risk, but often more supportive of security in theory than in practice
• Often more focused on installing updated technology and reducing cost than improving security

But changing awareness among C-suite members is leading to a heightened level of attention to security by CIO1s.
The CIO is a key partner for defining and implementing cybersecurity measures.

Source: Health Care IT Advisor research and analysis.
1) Chief Information Officer
Marshal Your C-Suite Allies
Build a Foundation with Private Meetings Before Presenting

Understand the different perspectives of your leadership before presenting to the Board
One-on-one, closed door meetings with key executives will provide a critical understanding of how each views information security and risks to the organization.
Key leaders: Board, CEO, CFO, CMO, General Counsel, CIO

Leadership is Often Poorly Informed
• C-suite and Board member attitudes vary but they are often uninformed or misinformed about cybersecurity risk and preparedness
• Frequently unclear about what their role is or should be in managing the cyber risk of the organization

Awareness is Changing
• C-suite and Board member awareness of cyber risk is growing
• Can be incredibly valuable allies to your efforts if approached thoughtfully

Source: Health Care IT Advisor research and analysis.
A Framework for a Successful Discussion
Four Keys to Holding an Effective Discussion on Security

Prepare in Advance
• Make sure you understand the organization’s current state
• Hold private meetings with key leaders to understand their concerns and perspectives

Keep it Simple
• Talk in business terms and leverage scenarios to illustrate the organization’s risk profile from various threats
• Discuss improvements made to lower risk

Be Clear About Alternatives
• Provide alternatives for changing the organization's risk posture
• Acknowledge trade-offs for each alternative

Discuss Roles
• Provide examples of various roles they can play in managing cyber risk
• Ask for their guidance and assistance

Be Ready to Listen!

Source: Health Care IT Advisor research and analysis.
Be Prepared: Make Sure You Are Well Informed
Gather All the Information You Can About the Current State in Advance
Prepare in Advance

• Evaluate standard security frameworks like HITRUST1, NIST2 and ISO3.
• Leverage what makes the most sense for your organization.

Controls
Administrative Controls
• Acceptable Use and Application Security policies
• Training and awareness
• Endpoint security guidelines
Physical Controls
• Heavily-secured data centers
• Proximity cards
• Hard drive and paper shredding
Technical Controls
• Intrusion Prevention Systems
• Consolidated logging
• Phishing email detection
• Mobile device management
• Full environment scanning

Services
• Policy and Procedure Development and Management
• Privacy and Information Security Awareness and Training
• Comprehensive Risk Assessment and Evaluation
• Application Security Evaluation
• Acquisition and Partnership Assessment
• Vendor Assessment
• Data Classification and Destruction
• Compliance Management (PCI, HIPAA, FERPA, internal policies and procedures)
• Intrusion Detection and Prevention
• Network/Application Penetration Testing
• Vulnerability Assessment and Remediation
• Digital Forensic Investigation
• Incident Triage, Evaluation and Management
• Physical Security Consulting and Design
• Industry Outreach and Partnerships

Source: Health Care IT Advisor research and analysis.
1) Health Information Trust Alliance
2) National Institute of Standards and Technology
3) International Organization for Standardization
Example Scenarios
Leverage Threat Scenarios To Illustrate Risk
Talk in Business Terms
Keep It Simple

Example scenarios:
• Stolen device
• Insider abuse
• Phishing
• Ransomware

For Each Scenario Discuss
• Situation: How might it happen?
• Vulnerability: What weakness is exploited?
• Awareness: How would the organization become aware of the situation?
• Response: What would the incident response look like?
• Implications: What is the potential impact on strategic plans and operations?
• Mitigations: What mitigations could be used to reduce the risk? What are the financial and operational impacts of those mitigations?
• Improvements: What recent improvements have already been made that may lower the risk?

Source: Health Care IT Advisor research and analysis.
Provide Choices
Let Them Lead by Outlining Alternatives Rather Than Mandates
Be Clear About Alternatives

Example Alternatives
• Alternative A: Maintain current risk level
• Alternative B: Moderate reduction in cyber risk by addressing only major weaknesses or largest threats
• Alternative C: Focus on a specific area of improvement such as education or incident response

Risk Reduction vs. Cost and Frustration
For each alternative provide estimates of:
• Risk reduction
• Cost
• Operational impact

Source: Health Care IT Advisor research and analysis.
Ask For Support and Guidance
Discuss Possible Roles for C-Suite and Board
Discuss Roles

• Board: Define acceptable levels of risk, establish urgency
• CEO: Lead organizational reforms and cultural changes, oversee strategy development
• CFO: Ensure appropriate funding
• CMO: Act as liaison to medical staff and arbiter of tradeoffs between risk reduction and operational impact
• General Counsel: Ensure appropriate governance and compliance with laws and regulation
• CIO: Enable technical countermeasures and enforce policies

Metrics
What information and metrics would the Board and C-Suite like to see on a recurring basis?

Source: Health Care IT Advisor research and analysis.
Key Takeaways
Modern Cyber Risk Requires Engaged Leadership

Imperatives for an Effective C-Suite or Board Discussion About Security
Preparation is key to effective discussions.
1. Start by understanding the current level of the organization’s cyber risk.
2. Hold private meetings with key leaders to explore their general attitude, level of understanding and interest in cyber security.
3. Leverage scenarios to explain potential risks and consequences using business terms over technical jargon.
4. Provide alternatives rather than mandates.
5. Ask for guidance on such issues as risk mitigation, roles and responsibilities and metrics.
6. Recognize that attitudes among board and C-suite members are changing and creating an opportunity for new discussions on cyber risk.

Source: Health Care IT Advisor research and analysis.
We Can Help
Hunton & Williams
• Advice on new requirements, compliance, and rules in cybersecurity legislation and updating Info Sec Policy
• Advice on participation in information sharing arrangements with private entities and government agencies
• Assistance with changing or creating governance structures to address cybersecurity
• Negotiating for the inclusion of appropriate security provisions in contracts with third party vendors
• Handling dispute resolution with respect to private legal actions and enforcement actions by regulators, the FTC and State Attorneys General
• Leading table top exercises for data breaches
• Playing a central role in breach response so as to protect legal posture
• Updating the incident response plan and ensuring proper protection of legal posture during incident response
We Can Help

Publications and Analytics
• Best Practice Studies: Major best practice strategy reports and briefings based on member-driven program agenda
• Whitepapers and Expert Perspectives: Briefings and Insights for executives centered around the most pressing issues facing health care leaders today
• Benchmarking and Tools: Web-based surveys, interactive tools – including calculators and forecasters – and benchmarking enabling members to compare performance against peers

Presentations and Interactions
• National Meetings and Live Webconferences: Educational intensives on most urgent health care topics available to your team on an unlimited basis
• On-Demand Webconferences: Unlimited access to all online archived Program Webconferences
• Private Label Webcasts: Web-enabled sessions to present research to individual members paired with discussion

Web-Based Services
• Advisory.com: Secured member website providing online access to research, services, announcements
• The Daily Briefing: Daily e-mail newsletter summarizing breaking national health care news
• Program Insights: Regular program updates, alerts, and expert perspectives on events affecting hospital strategy and operations

Expert Support
• The Expert Center: Dedicated team to triage member requests and questions to ensure A+ member satisfaction
• Facilitated Networking: Experts connect peers across the membership for high-value interactions upon request
• Customized Service Plans: Senior leaders craft action-oriented service plans to map program resources to top member priorities

The Advisory Board Company
Health Care IT Advisor
2445 M Street NW | Washington DC 20037
P 202.266.5600 | F 202.266.5700 | advisory.com