Embed Size (px)
Citation preview
Cyber-Analytics: Creating Security Profiles using Predictive Analytics
Healthcare Data Breaches
2
• Nearly 90 percent of healthcare organizations were
slammed by a breach in the past two years
• 40% increase for 2016 over 2015
• 27 percent hacking and ransomware
• 23,695,069 patient records hacked
• 233 days to discover and344 days to report
• 2016 Dark Web market flooded causing price drop
• 9% healthcare organizations say they were hit with
two or more data breaches in the past two years
• 45% report more than five breaches
Source: Ponemon report, Modern Healthcare, Healthcare Informatics
• Why is this happening?
• Are there similarities between
breached organizations?
• Can we model those
similarities to provide some insight into prevention?
• How might we aggregate breach data to examine
the organizational factors associated with a
breach?
• Data mining and
analytical tools to
discover security,
exposure and
organizational effects
3
Cyber Analytics
4
Research Questions
1. What is the relationship between the level of
security and the likelihood of the occurrence of a
data breach?
2. What is the relationship between the level of
exposure and the likelihood of the occurrence of a
data breach?
3. What is the relationship between specific
organizational factors and the likelihood of the
occurrence of a data breach?
4. What is the relationships between level of
security, level of exposure, organizational factors
and the likelihood of the occurrence of a data
breach?
Developing Models from Standards
5
6
Associating Data
HIMSS Analytics Data
• 6600 Health Organizations
• Annual survey data
• Lots of information
• 65 tables
• 728 fields
DHHS Breach Data
• 500 or more reported
• 1905 data breaches since 2009
• Provider-State-Entity Type-#Affected-Date-BType
7
Work-in-Progress
• HIMSS Access database
• SQL queries to produce tables
• Converted into Excel
• DHHS .CSV spreadsheet
• Matches HAEntity-Provider unique
identifier
• Using R Logistic Regression
• Preliminary analysis shows significant
relationships
• Creating breach model
Impact of Training and Optimism on Personal Computer Security
Barbara Hewitt
Health Information Management
Garry White
Computer Information Systems
Agenda
Introduction
Literature
Research Question
Method
Findings
9
Introduction
Security breaches evolving
– Sophistication
– Costs
– Severity
– Impact
10
Introduction
Security breaches evolving
– Sophistication
– Costs
– Severity
– Impact
Concentrate on technological prevention measures
11
Introduction
Security breaches evolving
– Sophistication
– Costs
– Severity
– Impact
Concentrate on technological prevention measures\
BUT
12
Introduction
You are the weakest link
13
Past Research
14
Students with more education more security
breaches (White 2012, 2015)
Optimism
– Less likely to experience an event
– eliminates security fears (Lungu and Tabusca 2010)
Optimism bias
– More likely to experience negative event
– More likely to experience a positive event
– Prior research is mixed on whether education is a
predictor of optimism bias
– Confidence take more risk control over outcomes (Weinstein, 1980)
– Training may influence this
– Continued training loses its effect (Wolf, Haworth, and Pietron,
2011)
Hypothesis Model
15
Study
16
Demographic N Percent
Age 47.89
Total 875 87.5%
Male 446 51%
Female 429 49%
Education
Some High School 12 1%High school graduate or GED 194 22%Some college 208 24%Associate Degree 124 14%Bachelor Degree 225 26%Graduate Degree 94 11%Doctorate 18 2%
17
Demographic N Percent
Computer
professional/technician 55 6%Computer security professional 14 2%Computer user on the job 334 38%Do not use computer on the
job 106 12%Unemployed 366 42%
Computer and Security Training
18
Demographic N Percent
High School Computer Class 370 42%High School Security Class 461 53%College/University Computer
Class 280 32%College/University Security
Class 470 54%Training 299 34%
Breaches Experienced
19
0
Victim of identity theft 677 198
Computer "performance" problems due to a
virus/malware290 585
Data corruption or loss due to a virus/malware 534 341
PC controlled by hacker 730 145
Number of unauthorized accesses to your data 612 263
Internet became inaccessible due to virus/malware 506 369
Downloaded a virus/malware via an email address 558 317
Downloaded a file off the internet that contained a
virus/malware508 367
Victim of a phishing attack 681 194
Fallen to a hoax email 673 202
Experienced a privacy problem of social networks 643 245
Victim of denial of service attack 742 133
Preliminary Results
20
“positive” relations with education,
prevention/protection, and security incidents at
p <
.001.
H1 – As age increases, security incidents decreases
(less activity/usage as indicated by H 3)
H2 – age with optimism Mixed
H3 – as age increases there is less usage/activity
except for e-mail. As age increases, e-mail usage
increases. There is no relation with amount of time
using the Internet.
H4 – the more educated, the more optimism. However,
there are a few exceptions, mostly with Bias-general not
me.
H5 – generally more education, more activity. However,
amount of time has no relationship with education.
Mixed
Preliminary Results
21
H6 – The more education, the more security incidents
H7 –The more optimistic with technology, the more
security incidents.
Mixed
H8a – The more you do things on the Internet, the more
security incidents you have, especially if you visit an
untrusted site.
H8b The more you do things on the Internet, the more
security incidents you have, especially if you visit an
untrusted site.
H8c Amount of time using the Internet had an influence
security incidents.
Not
Sign
Summary
22
Education and Internet activities are determinants for
security incidents.
Education better recognize and aware of security
incidents.
Activities more opportunities for attack
Subjects are willing to take risks by accessing an
untrusted site.
Other Fun Facts
23
Visit an untrusted web site 50%
References
24
Chapin, J. R. (2001). Self-protective pessimism: Optimistic bias in reverse. North
American Journal of Psychology, 3(2).
Chapin, J. R., & Pierce, M. (2012). Optimistic bias, sexual assault, and fear. The
Journal of general psychology, 139(1), 19-28.
Chenoweth, T., Minch, R., & Gattiker, T. (2009). Application of protection
motivation theory to adoption of protective technologies. Paper presented at the
System Sciences, 2009. HICSS'09. 42nd Hawaii International Conference on..
Lungu, I., & Tabusca, A. (2010). Optimizing anti-phishing solutions based on
user awareness, education and the use of the latest web security solutions.
Informatica Economica, 14(2), 27.
Trumbo, C., Meyer, M. A., Marlatt, H., Peek, L., & Morrissey, B. (2014). An
assessment of change in risk perception and optimistic bias for hurricanes
among Gulf Coast residents. Risk analysis, 34(6), 1013-1024.
Weinstein, N. D. (1980). Unrealistic optimism about future life events. Journal of
personality and social psychology, 39(5), 806.
Weinstein, N. D., & Klein, W. M. (1996). Unrealistic optimism: Present and
future. Journal of Social and Clinical Psychology, 15(1), 1-8.
White, G. L. (2012). Information Security Education Relationships on Incidents
and Preventions: Cyber Assurance Literacy Needs. Paper presented at the
Proceedings of the Information Systems Educators Conference ISSN.
White, G. L. (2015). Education and Prevention Relationships on Security
Incidents for Home Computers. Journal of Computer Information Systems,
55(3), 29-37.
Patient Access to Personal
Health Information: An
Update from the
Consumer’s Perspective
Patient Access to Health
Information
Patient engagement has been described as the “blockbuster drug of the 21st century”
Patient engagement requires information
Increased adoption of health information technology has made greater patient access to their health information possible
But is it working for the consumer?
Laws Impacting Patient Access to PHI
Under HIPAA patients have had the
right to see and obtain a copy of their
medical records
HIPAA has allowed providers to charge
a “reasonable” cost-based fee for
providing paper or electronic copies of
medical records
Effective September 23, 2013 patients
have the right to request their health
information in electronic form
Laws Impacting Patient Access to PHI
(continued)
HIPAA also provides:
Right to amend information in your
health records
Right to know how your personal health
information will be used and shared and
to limit who gets to see it
Right to limit marketing uses of
protected health information
2016 CMS Guidance
“Providing individuals with access to
their health information is a necessary
component of delivering health care
Although HIPAA permits limited fees,
entities should provide individuals with
copies of PHI free of charge
CMS will monitor whether fees are
creating a barrier and will take
enforcement action where necessary”
Research Approach
2016
Survey of healthcare
consumers on their
experience in access
their health information
2013
Survey of HIM
Leaders on
healthcare
organization
practices
involving patient
access
Results
2016
98% EHR
83% Portal
82% Use Portal
10% Charge for copies
2013
87% EHR
38% Portal
< 5% Use Portal
52% Charge for
electronic copies
65% Charge for
paper copies
2016 Results
Most respondents were satisfied (38%)
or very satisfied (53%) with the patient
portal
57% had requested copies of their
records in the past year
– 88% received them in the requested
format
– 54% received them in 1-15 days
– 10% were charged
60% maintain a PHR in paper or
electronic form
In conclusion
Complete results will be published in
Summer 2017 AHIMA Perspectives
Thank you to Drs. Diane Dolezel
and Alex McLeod
