
Page 1

Escalated Threats to PHI Require a New Approach to Privacy and Security

Wednesday, March 2, 2016

Kurt J. Long, CEO & Founder, FairWarning, Inc.

Robert Rost, IT Operations Director of Defensive Services, IT Security, Banner Health

Dave Summitt, Director of Cyber Security Operations, H. Lee Moffitt Cancer Center and Research Institute

Page 2

Conflict of Interest

Kurt J. Long:

Has no real or apparent conflicts of interest to report.

Robert Rost:

Has no real or apparent conflicts of interest to report.

Dave Summitt:

Has no real or apparent conflicts of interest to report.

Page 3

Agenda

• Profile escalating internal and external threats in healthcare

• Feature privacy and security program challenges

• Review how to create a multi-layered privacy and security program

• Customer perspectives

Page 4

Learning Objectives

• Highlight the escalating threats to healthcare

• Illustrate how these new threats are changing the way care providers need to approach privacy and security

• Explain how to develop a coordinated threat detection and threat response program

• Spotlight how new tools like data visualization, trending and analytics identify data breaches

Page 5

http://www.himss.org/ValueSuite

How Benefits Were Realized for the Value of Health IT

The risks to healthcare are escalating at a time when the industry is consolidating with the intent of reducing expenses in areas that are not directly related to patient care, like information security and privacy.

Today’s escalated information security threats, including compromised user credentials, advanced persistent threats and nation-state espionage, leave the entire healthcare industry vulnerable, including patients, care institutions, physicians, clinicians and the vendors that serve the industry. Tomorrow’s threats are still unknown.

By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money.

Page 6

Escalating Advanced Threats

[Timeline figure, Pre-2010 through 2015, charting the escalation of threats to healthcare: lost laptops, media and paper records; patient complaints; snooping; medical and financial ID theft; IRS tax fraud; sale of patient data to crime rings; sale of physician data to crime rings; sale of employee data to crime rings; rise of cyber threats to the healthcare industry; foreign national espionage.]

Page 7

What would happen if your EHR was taken hostage?

• Real and growing threat to healthcare in 2016

• Attacks grew 113% in 2014 according to 2015 Symantec Internet Threat Report

• Why the EHR? The data is high value, you need it, and you’re likely to pay to get it back

• Doctors wouldn’t have the vital information needed to treat patients.

• Records of patient and insurance payments would be lost, patient personal and credit card information would be compromised.

• HIPAA breach/OCR fines

• And so on …

Page 8

We are all patients … And the long-term effects of a PHI breach have yet to be realized

91% of healthcare organizations have had at least one data breach involving the loss or theft of patient data in the last two years. Source: Forbes May 2015

As of November 2015, breaches impacted 119,959,229 patients. That’s well over one-third of all United States citizens who have suffered an information breach through the healthcare industry. Source: Identity Theft Resource Center

Page 9

How long does it take to discover a breach?

On average hackers had access to victims’ environments for 205 days before they were discovered and 69% of victims learn from a third party that they are compromised*

Source: Mandiant M:Trends 2015, View From the Front Lines Report

Page 10

Insider threats are still very real

• Malicious

– Co-worker, Patient, Neighbor, & VIP Snooping

– Fraud/Medical ID Theft/ID Theft

– Inappropriate physician access

– Disgruntled employee

• Compromised

– Compromised user credentials from an outside source

• Negligent/Accidental

– Lost device

– Misuse of systems

– Log-in/Log-out failures

Page 11

External attacks are getting more sophisticated. Old tactics will no longer work.

• Advanced persistent threats (APTs)

• Spear phishing

• Malware

• Nation state attacks

• Organized crime

Page 12

How can you get ahead of a breach?

• Information security

• Data visualization

• Trending

• Analytics

• Finding the right talent or using Managed privacy & security services

Page 13

Creating a multi-layered privacy and security program

Critical elements:

• Qualified and expertly trained privacy and security staff

• Proper, multi-layered, multi-vendor IT infrastructure leveraging best-of-breed security solutions

• Patient privacy monitoring – using advanced technology

• Coordinated threat prevention/response framework

• Education programs that create a culture of privacy, security and compliance
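The insider-threat slide (co-worker and VIP snooping, compromised credentials, log-in failures) and the "patient privacy monitoring" element above describe what an access-monitoring layer has to catch, and the later slides on trending say that baselines, not single events, are what reveal it. The following is an added example, not code from the presentation or from any of the presenters' organizations: it parses a constructed EHR access audit log (the tab-separated format, the field names, the `vip`/`employee`/`careteam` flags and every record are assumptions) and runs three defender-side rules over it: sensitive-record access outside the care team, a burst of failed logins followed by a success, and a per-user daily access volume far above that user's own baseline.

```python
"""Patient-privacy monitoring rules over a constructed EHR audit log.

Added example: not the presentation's or any vendor's product logic.
Log format, flag names and all sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample of EHR access audit events, one per line, tab-separated.
# Columns: timestamp, user, patient, action, result, src_ip, flags
# flags: comma-separated subset of vip, employee, careteam ("-" if none);
# "careteam" means the user has a documented treatment relationship.
SAMPLE_LOG = """\
2016-02-01T09:02:11\tjdoe\tP1001\tview\tsuccess\t10.0.5.21\tcareteam
2016-02-01T09:15:40\tjdoe\tP1002\tview\tsuccess\t10.0.5.21\tcareteam
2016-02-01T12:30:05\tjdoe\tP2099\tview\tsuccess\t10.0.5.21\tvip
2016-02-01T13:01:12\tmlee\tP3007\tview\tsuccess\t10.0.7.8\temployee
2016-02-02T08:59:00\tjdoe\tP1003\tview\tsuccess\t10.0.5.21\tcareteam
2016-02-02T22:10:01\tmlee\t-\tlogin\tfailure\t203.0.113.9\t-
2016-02-02T22:10:20\tmlee\t-\tlogin\tfailure\t203.0.113.9\t-
2016-02-02T22:10:41\tmlee\t-\tlogin\tfailure\t203.0.113.9\t-
2016-02-02T22:11:03\tmlee\t-\tlogin\tsuccess\t203.0.113.9\t-
2016-02-02T22:12:00\tmlee\tP4001\tview\tsuccess\t203.0.113.9\tcareteam
2016-02-02T22:12:30\tmlee\tP4002\tview\tsuccess\t203.0.113.9\tcareteam
2016-02-02T22:13:00\tmlee\tP4003\tview\tsuccess\t203.0.113.9\tcareteam
2016-02-02T22:13:30\tmlee\tP4004\tview\tsuccess\t203.0.113.9\tcareteam
2016-02-02T22:14:00\tmlee\tP4005\tview\tsuccess\t203.0.113.9\tcareteam
2016-02-02T22:14:30\tmlee\tP4006\tview\tsuccess\t203.0.113.9\tcareteam
"""


def parse_log(text):
    """Turn the tab-separated audit text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, result, src_ip, flags = line.split("\t")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "patient": patient, "action": action,
            "result": result, "src_ip": src_ip,
            "flags": set() if flags == "-" else set(flags.split(",")),
        })
    return events


# Record categories that need a treatment relationship to justify a view.
SENSITIVE = {
    "vip": "VIP record viewed outside care team",
    "employee": "co-worker record viewed outside care team",
}


def snooping_alerts(events):
    """Views of VIP or employee-patient records by users not on the care team."""
    alerts = []
    for e in events:
        if e["action"] != "view" or "careteam" in e["flags"]:
            continue
        for flag, reason in SENSITIVE.items():
            if flag in e["flags"]:
                alerts.append((e["user"], e["patient"], reason))
    return alerts


def credential_alerts(events, max_failures=3, window=timedelta(minutes=5)):
    """A successful login preceded by >= max_failures failures within `window`
    (a simple credential-compromise / password-guessing indicator)."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent failed logins
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] != "login":
            continue
        fails = [t for t in recent[e["user"]] if e["ts"] - t <= window]
        if e["result"] == "failure":
            fails.append(e["ts"])
        elif len(fails) >= max_failures:
            alerts.append((e["user"], e["ts"], e["src_ip"], len(fails)))
            fails = []
        recent[e["user"]] = fails
    return alerts


def volume_alerts(events, factor=3.0):
    """Days on which a user's record views exceed `factor` times the mean of
    that user's other days (the trending view, rather than a fixed threshold)."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> view count
    for e in events:
        if e["action"] == "view":
            daily[e["user"]][e["ts"].date()] += 1
    alerts = []
    for user, days in daily.items():
        if len(days) < 2:
            continue  # no baseline to compare against yet
        for day, count in days.items():
            baseline = mean([c for d, c in days.items() if d != day])
            if baseline > 0 and count > factor * baseline:
                alerts.append((user, day, count, baseline))
    return alerts


def run_monitoring(text=SAMPLE_LOG):
    """Run all three rules and return the alerts grouped by rule."""
    events = parse_log(text)
    return {
        "snooping": snooping_alerts(events),
        "credentials": credential_alerts(events),
        "volume": volume_alerts(events),
    }


if __name__ == "__main__":
    for kind, alerts in run_monitoring().items():
        print(f"{kind}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a)
```

On the sample data the three rules fire independently: the VIP and co-worker views are flagged because the user has no care-team relationship, the night-time login sequence is flagged as three failures followed by a success from an outside address, and the same user's six views that night are flagged only because they are six times that user's own daily baseline. A real program would feed the care-team relationship from the EHR's scheduling or encounter data rather than from a flag in the log, and would tune `factor` and the failure window per role, since the right threshold for a unit clerk differs from that of an emergency physician.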

Page 14

Creating a modern threat prevention and response framework

Source: FireEye Solution Brief

Page 15

Managed Privacy & Security Services

Page 16

A picture is worth a thousand rows of data

Data visualization & trending depicts graphically what is happening to your data

Page 17

Get your house in order …

HIPAA Audits: Phase 2 in Early 2016

• The HHS Office for Civil Rights has announced that it will begin Phase 2 of its long-awaited audit program in early 2016

• McGraw Discusses HIPAA Audits Slated for Early 2016 Source: HealthData Management October 2015

Page 18

Banner Health

• One of the largest nonprofit hospital systems in the country

• Twenty-nine acute-care hospitals and health care facilities

• With more than 47,000 employees, Banner Health is the largest private employer in Arizona and third largest employer in the Northern Colorado front range area

• Mission: As the leading nonprofit provider of health care in every community we serve, Banner Health is deeply committed to our mission: “To make a difference in people's lives through excellent patient care.”

• Robert Rost, IT Operations Director of Defensive Services, IT Security

– Robert has over 10 years’ experience in Information Security and Risk. As the IT Operations Director over Defensive Services, he is responsible for detecting, managing & responding to IT Security incidents including managing vulnerability management & data protection programs.

Page 19

Customer Perspective: Robert Rost, Banner Health

A new approach is needed… because a lot of our security “wheels” will continue to give our companies & patients the same results.

Source - http://www.socialmediatoday.com/

Page 20

Source - http://www.evilenglish.net

…but

Page 21

“The Baby” – What works

• Do the basics

• “Plan the work. Work the plan.”

• Understand the business

• Mature Governance, Risk & Compliance

• Partnerships

• Embrace encryption

• Leverage intelligence

• Adapt to the threat & legislative landscapes

Source - http://ladynicci.com

Page 22

“The Bath Water” – What Doesn’t work

• “Eat the entire elephant in one bite”

• Building unconnected product sprawl

• Overemphasizing protect controls

• Isolating information security risk from enterprise risk management

• Supporting vendors that don’t “play nice” or automate (enough)

• Develop meaningless metrics

• Ignoring the OCR Audit Protocol

Source - http://2.bp.blogspot.com

Page 23

H. Lee Moffitt Cancer Center and Research Institute

• Founded in Tampa, FL in 1986

• Third largest cancer center in the U.S. based on patient volume.

• MISSION: To contribute to the prevention and cure of cancer

• VISION: To transform cancer care through service, science and partnership

• Dave Summitt, Director of Cyber Security Operations

– With over 25 years of experience in information technology, his experience spans federal and private sectors, concentrating on information systems, network and engineering operations, and over the last 10 years focusing on cyber-security initiatives.

Page 24

Initiatives: H. Lee Moffitt Cancer Center and Research Institute

• Standing up a Security Operations Center

– Proactive monitoring (stopping problems before they become major)

– Incident response & management

– Combines traditional NOC

• Provide Organizational-wide Awareness Training

– Tailored to the audience

• Annual Cyber Security Incident Response table-top exercises

• Participate in threat sharing groups

– InfraGard

– HITRUST CyberExchange

– CERT notifications

– Local security organizations

Page 25

Why does it take so long to discover a breach?

• Because organizations do not understand their network

• Active monitoring doesn’t exist

• Security staff doesn’t have the correct or enough resources

Source: Mandiant M:Trends 2015, View From the Front Lines Report

THIS NEEDS TO CHANGE

Page 26

How can you get ahead of a breach? Expanded

• Information security

• Data visualization

• Trending

• Analytics

• Finding the right talent or using Managed privacy & security services

• Training – users & leaders must know and understand what they are up against

• Visibility – Security personnel need to add championing the need to their responsibilities.

Page 27

Questions

Kurt J. Long, CEO & Founder

FairWarning, Inc.

[email protected]

Robert Rost, IT Operations Director of Defensive Services, IT Security

Banner Health

[email protected]

Dave Summitt, Director of Cyber Security Operations

H. Lee Moffitt Cancer Center and Research Institute

[email protected]