Escalated Threats to PHI Require a New Approach to Privacy and Security
Wednesday, March 2, 2016
Kurt J. Long, CEO & Founder, FairWarning, Inc.
Robert Rost, IT Operations Director of Defensive Services, IT Security, Banner Health
Dave Summitt, Director of Cyber Security Operations, H. Lee Moffitt Cancer Center and Research Institute
Conflict of Interest
Kurt J. Long: Has no real or apparent conflicts of interest to report.
Robert Rost: Has no real or apparent conflicts of interest to report.
Dave Summitt: Has no real or apparent conflicts of interest to report.
Agenda
  Profile escalating internal and external threats in healthcare
  Feature privacy and security program challenges
  Review how to create a multi-layered privacy and security program
  Customer perspectives
Learning Objectives
  Highlight the escalating threats to healthcare
  Illustrate how these new threats are changing the way care providers need to approach privacy and security
  Explain how to develop a coordinated threat detection and threat response program
  Spotlight how new tools like data visualization, trending and analytics identify data breaches
How Benefits Were Realized for the Value of Health IT
The risks to healthcare are escalating at a time when the industry is consolidating with the intent of reducing expenses in areas that are not directly related to patient care, like information security and privacy. Today's escalated information security threats, including compromised user credentials, advanced persistent threats and nation-state espionage, leave the entire healthcare industry vulnerable, including patients, care institutions, physicians, clinicians and the vendors that serve the industry. Tomorrow's threats are still unknown. By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money.
http://www.himss.org/valuesuite
Escalating Advanced Threats
Rise of Cyber Threats to Healthcare Industry
[Timeline chart, axis Pre-2010, 2011, 2012, 2013, 2014, 2015, of threat categories: Foreign National Espionage; IRS Tax Fraud; Sale of Patient Data to Crime Rings; Sale of Employee Data to Crime Rings; Sale of Physician Data to Crime Rings; Medical & Financial ID Theft; Lost laptops, media, paper records; Snooping; Patient Complaints]
What would happen if your EHR was taken hostage?
Real and growing threat to healthcare in 2016
  Attacks grew 113% in 2014, according to the 2015 Symantec Internet Threat Report
Why EHR? High value to the data, you need it, and you're likely to pay to get it back
  Doctors wouldn't have the vital information needed to treat patients.
  Records of patient and insurance payments would be lost; patient personal and credit card information would be compromised.
  HIPAA breach/OCR fines
  And so on
We are all patients
And the long-term effects of a PHI breach have yet to be realized
  91% of healthcare organizations have had at least one data breach involving the loss or theft of patient data in the last two years. Source: Forbes, May 2015
  As of November 2015, breaches impacted 119,959,229 patients. That's well over one-third of all United States citizens who have suffered an information breach through the healthcare industry. Source: Identity Theft Resource Center
How long does it take to discover a breach?
On average, hackers had access to victims' environments for 205 days before they were discovered, and 69% of victims learn from a third party that they are compromised.*
* Source: Mandiant M:Trends 2015, View From the Front Lines Report
Insider threats are still very real
Malicious
  Co-worker, patient, neighbor & VIP snooping
  Fraud / medical ID theft / ID theft
  Inappropriate physician access
  Disgruntled employee
Compromised
  Compromised user credentials from an outside source
Negligent/Accidental
  Lost device
  Misuse of systems
  Log-in/log-out failures
External attacks are getting more sophisticated. Old tactics will no longer work.
  Advanced persistent threats (APTs)
  Spear phishing
  Malware
  Nation state attacks
  Organized crime
How can you get ahead of a breach?
  Information security
  Data visualization
  Trending
  Analytics
  Finding the right talent, or using managed privacy & security services
Creating a multi-layered privacy and security program
Critical elements:
  Qualified and expertly trained privacy and security staff
  Proper, multi-layered, multi-vendor IT infrastructure leveraging best-of-breed security solutions
  Patient privacy monitoring using advanced technology
  Coordinated threat prevention/response framework
  Education programs that create a culture of privacy, security and compliance
Creating a modern threat prevention and response framework
Source: FireEye Solution Brief
Managed Privacy & Security Services
A picture is worth a thousand rows of data
Data visualization & trending depicts graphically what is happening to your data
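The slides above name the insider patterns a privacy monitor has to catch (self-access, co-worker and VIP snooping) and the trending that surfaces them; what they do not show is what the monitoring logic looks like once it is run over an EHR access-audit trail. The script below is an added example written for this page, not code from the presentation, FairWarning or either hospital. It applies three relationship rules and a per-user daily-volume trend check to a constructed audit log. The audit-line layout, the field names, the VIP and employee-patient lookup tables, the 3x volume factor and every log line are assumptions made for the illustration.

```python
"""Rule-based patient privacy monitoring over EHR access-audit events.

Added illustration, not code from the presentation or any vendor product.
The audit-line layout, field names, lookup tables, the volume threshold and
every sample line below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed audit trail: ISO timestamp, viewing user, patient id, care team
# (logins with a documented treatment relationship, ';'-separated).
SAMPLE_AUDIT = """\
2016-02-29T09:10:00,drsmith,P-1001,drsmith;nurse3
2016-02-29T09:12:00,jdoe,P-1002,drsmith
2016-02-29T11:40:00,jdoe,P-1003,drsmith
2016-03-01T08:05:00,jdoe,P-1002,drsmith
2016-03-01T08:06:00,jdoe,P-1003,drsmith
2016-03-01T13:15:00,rrost,P-1004,drsmith
2016-03-02T07:55:00,nurse3,P-1007,drsmith
2016-03-02T08:00:00,jdoe,P-1004,drsmith
2016-03-02T08:01:00,jdoe,P-9001,drsmith
2016-03-02T08:02:00,jdoe,P-1005,drsmith
2016-03-02T08:03:00,jdoe,P-1006,drsmith
2016-03-02T08:04:00,jdoe,P-1008,drsmith
2016-03-02T08:05:00,jdoe,P-1009,drsmith
2016-03-02T08:06:00,jdoe,P-1010,drsmith
"""

# Reference data the monitor needs beside the audit trail (constructed).
VIP_PATIENTS = {"P-9001"}                                    # flagged high-profile records
EMPLOYEE_PATIENTS = {"P-1004": "rrost", "P-1007": "nurse3"}  # patient id -> staff login


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    care_team: frozenset


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed audit line into an AccessEvent."""
    ts, user, patient, team = line.strip().split(",")
    return AccessEvent(datetime.fromisoformat(ts), user, patient,
                       frozenset(t for t in team.split(";") if t))


def load_events(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def relationship_alerts(events):
    """Flag chart views with no treatment relationship that match a known
    snooping pattern: self-access, co-worker (staff-as-patient) and VIP."""
    alerts = []
    for e in events:
        if e.user in e.care_team:
            continue  # treating clinician: expected access, no alert
        owner = EMPLOYEE_PATIENTS.get(e.patient)
        if owner == e.user:
            alerts.append((e.ts.isoformat(), e.user, e.patient, "self_access"))
        elif owner is not None:
            alerts.append((e.ts.isoformat(), e.user, e.patient, "coworker_snooping"))
        elif e.patient in VIP_PATIENTS:
            alerts.append((e.ts.isoformat(), e.user, e.patient, "vip_access"))
    return alerts


def volume_alerts(events, factor=3.0):
    """Trending: flag a user whose latest daily view count exceeds `factor`
    times the mean of that user's earlier days (a simple per-user baseline)."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> views
    for e in events:
        daily[e.user][e.ts.date()] += 1
    alerts = []
    for user, per_day in daily.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no history to trend against
        baseline = mean(per_day[d] for d in days[:-1])
        latest = per_day[days[-1]]
        if latest > factor * baseline:
            alerts.append((user, days[-1].isoformat(), latest, baseline))
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUDIT)
    for a in relationship_alerts(evs):
        print("RELATIONSHIP", *a)
    for a in volume_alerts(evs):
        print("VOLUME", *a)
```

On the constructed log, the relationship rules raise two self-access alerts (rrost and nurse3 opening their own charts), one co-worker alert (jdoe opening rrost's chart) and one VIP alert, while the volume check flags jdoe's seven views on 2016-03-02 against a two-per-day baseline. The care-team exclusion is what keeps legitimate clinical access quiet, and the per-user baseline avoids a single fixed threshold that would either miss low-volume snoopers or drown busy clinicians in alerts; in production the baseline would come from the full history and the VIP and employee lookups from the HR and registration systems.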
Get your house in order
HIPAA Audits: Phase 2 in Early 2016
The HHS Office for Civil Rights has announced that it will begin Phase 2 of its long-awaited audit program in early 2016.
"McGraw Discusses HIPAA Audits Slated for Early 2016." Source: HealthData Management, October 2015
Banner Health
  One of the largest nonprofit hospital systems in the country
  Twenty-nine acute-care hospitals and health care facilities
  With more than 47,000 employees, Banner Health is the largest private employer in Arizona and third largest employer in the Northern Colorado front range area
Mission: As the leading nonprofit provider of health care in every community we serve, Banner Health is deeply committed to our mission: To make a difference in people's lives through excellent patient care.
Robert Rost, IT Operations Director of Defensive Services, IT Security
Robert has over 10 years' experience in Information Security and Risk. As the IT Operations Director over Defensive Services, he is responsible for detecting, managing & responding to IT Security incidents, including managing vulnerability management & data protection programs.
Customer Perspective: Robert Rost, Banner Health
A new approach is needed... because a lot of our security wheels will continue to give our companies & patients the same results.
Source - http://www.socialmediatoday.com/
but
Source - http://www.evilenglish.net
The Baby: What works
  Leverage intelligence
  Do the basics
  Partnerships
  Plan the work. Work the plan.
  Mature Governance, Risk & Compliance
  Understand the business
  Embrace encryption
  Adapt to the threat & legislative landscapes
Source - http://ladynicci.com
The Bath Water: What doesn't work
  Eat the entire elephant in one bite
  Supporting vendors that don't play nice or automate (enough)
  Building unconnected product sprawl
  Develop meaningless metrics
  Overemphasizing protect controls
  Isolating information security risk from enterprise risk management
  Ignoring the OCR Audit Protocol
Source - http://2.bp.blogspot.com
H. Lee Moffitt Cancer Center and Research Institute
  Founded in Tampa, FL in 1986
  Third largest cancer center in the U.S. based on patient volume
MISSION: To contribute to the prevention and cure of cancer
VISION: To transform cancer care through service, science and partnership
Dave Summitt, Director of Cyber Security Operations
With over 25 years of experience in information technology, his experience spans the federal and private sectors, concentrating on information systems, network and engineering operations and, over the last 10 years, focusing on cyber-security initiatives.
Initiatives: H. Lee Moffitt Cancer Center and Research Institute
Standing up a Security Operations Center
  Proactive monitoring (stopping problems before they become major)
  Incident response & management
  Combines traditional NOC
Provide organization-wide awareness training
  Tailored to the audience
  Annual cyber security incident response table-top exercises
Participate in threat sharing groups
  InfraGard
  HITRUST CyberExchange
  CERT notifications
  Local security organizations
Why does it take so long to discover a breach?
  Because organizations do not understand their network
  Active monitoring doesn't exist
  Security staff doesn't have the correct or enough resources
THIS NEEDS TO CHANGE
Source: Mandiant M:Trends 2015, View From the Front Lines Report
How can you get ahead of a breach? (Expanded)
  Information security
  Data visualization
  Trending
  Analytics
  Finding the right talent, or using managed privacy & security services
  Training: users & leaders must know and understand what they are up against
  Visibility: security personnel need to add championing the need to their responsibilities
Questions
Kurt J. Long, CEO & Founder, FairWarning, Inc. Kurt@FairWarning.com
Robert Rost, IT Operations Director of Defensive Services, IT Security, Banner Health Robert.Rost@bannerhealth.com
Dave Summitt, Director of Cyber Security Operations, H. Lee Moffitt Cancer Center and Research Institute Dave.Summitt@moffitt.org