Data Breaches and Securing Healthcare Humans James Tarala, The SANS Institute

Transcription

1 Data Breaches and Securing Healthcare Humans James Tarala, The SANS Institute

2 Problem Statement Data breaches & disclosures are becoming more common PrivacyRights.org (updated weekly) Just a small sample (organization/records breached): JP Morgan Chase Dairy Queen US Investigation Services The UPS Store Community Health Systems Albertsons Grocery Stores SuperValue Stores University of California Santa Barbara Vibram USA

3 FBI Annual Internet Crime Complaints

4 Ponemon Statistics (2013) The average cost of a data breach is over $5 million per breach Healthcare breaches cost 71% more to address than the national average

5 /wepdwu Types of Healthcare Breaches (2013)

6 Top Causes of Breaches (2013) Becker's Hospital Review reported the following as the top 5 causes of data breaches for healthcare organizations in 2013: 1. Stolen laptops 2. Information inappropriately accessed by employees 3. Unsecured transmissions or employee mistakes 4. Misplaced files or electronic storage 5. Scams or online hacking

7 Comprehensive Assurance We have already discussed technical methods of preventing and detecting data breaches But are technical solutions enough? Comprehensive assurance programs include: Technical solutions Physical protections Governance controls

8 Whose job is it to protect data? Some say the responsibility is IT s alone Some say it is the responsibility of management / leadership Some say it is the responsibility of end users The answer is yes this is a partnership we all share together Defense in depth principles suggest that if one set of controls fails, that others will be there to fill the gap

9 Understanding the Why Therefore if we hope to protect our organization s valued information, we need to engage the help of the workforce Education is a crucial piece of this effort Healthcare workers need to understand: How data breaches effect the patients they care for The effects of breaches on their employer What they can do to help protect this information Assurance is more than simply a burden, it supports the mission

10 Educational Opportunities There are numerous opportunities every year to educate data owners & workforce members to their responsibilities Partnering with workforce members through education must be more than an annual check box Certainly take advantage of traditional opportunities Awareness videos / presentations Newsletters / campaigns Phishing / experiential learning But focus on embedding security into the organization s DNA

11 Resources for Healthcare Remember, you don t need to re-invent the wheel This is an issue most organizations are working through A few resources to consider: The SANS Institute Secure the Human Program The National Initiative for Cybersecurity Education (NICE) The Council on CyberSecurity And remember, this is more than teaching people to use good passwords everyone needs to understand their role

12 In Summary Technical controls are simply once piece to an overall information assurance program Securing information assets is a partnership between business / data owners and technology professionals Data owners need to understand their responsibilities to govern the protection of their information End users need to understand their responsibilities to partner with technology & business owners to protect data Education & awareness is a key component to this process

13 Further Questions James Tarala Blog: Blog: Resources for further study: The SANS Institute Secure the Human Program The National Initiative for Cybersecurity Education (NICE) The Council on CyberSecurity