Page 1: Discussing Information Security with Your C-Suite and ... · Common CFO Perspectives of Security and Risk Source: Health Care IT Advisor research and analysis. Potential Perspectives

Discussing Information Security with Your C-Suite and Board of Directors
How to Have Productive Discussions on Security and Risk

Health Care IT Advisor

Paul Tiao, Partner, Hunton and Williams
Ernie Hood, Senior Director, Research and Insights, The Advisory Board Company
Eric Banks, Chief Information Security Officer, The Advisory Board Company

Page 2

Road Map

1. Why are the Board and C-Suite More Interested in Information Security Now?
2. Preparation: Scouting the Risk Landscape
3. Understanding the Different Perspectives of the C-Suite
4. Crafting and Delivering the Message

©2016 The Advisory Board Company • advisory.com

Page 3

Why Is the Board Interested in Information Security?
In a Word: Breaches

Health Care

• 91% of health care organizations have experienced a breach involving the loss or theft of patient data in the past 24 months.1
• In a recent survey, of those reporting a breach, 40% reported having had more than 5 incidents in the past two years.1

Some Health Care Breaches Reported in 2013-2015

• Hollywood Presbyterian (2016)
• Anthem & Premera (2015)
• Partners Healthcare (2015)
• Healthcare.gov (2014)
• Community Health Systems (2014)
• Boston Children’s Hospital (2014)
• Oregon Health & Science University (2013)
• Crescent Healthcare (Walgreen’s) (2013)
• Advocate Health Care (2013)

“The Wall of Shame”: health care breaches reported involving 500 or more patients:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Other Industries

• RSA
• NSA
• Apple
• NASDAQ
• Google
• Sony
• Lockheed
• Target
• JP Morgan Chase
• Sands Casino
• Home Depot

Source: Health Care IT Advisor research and analysis.
1) Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.

Page 4

Breaches are Expensive

Economic Impacts Specific to Health Care Industry1

• 85% of 2012 breaches cost more than $200,000
• Detection & escalation - $30,000 to $1.6 million
• Notification - $4,000 to $1.7 million
• Follow up response - $60,000 to $5.8 million
• Lost business estimates - $11,000 to $9.5 million
• Total estimated economic impact on a provider organization: $2.1 million

Across All Industries2

Cost category      Range                   Average
Forensics          $1,250 - $4.9 million   $262,000
Notification       $14 to $15 million      $568,000
Public Relations   $4,000 - $240,000       $46,000
Credit Monitoring  $65 to $1.3 million     $80,000
Legal Counsel      $540 to $1 million      $59,000

Costs Don’t Correlate to the Number of Records Lost

“…our policyholders have been surprised to find that the actual response costs generally will be unique to the specifics of the breach. For example, we have breach incidents involving less than 5,000 records, with remediation costs in six figures because of the policyholders’ industry and the complexity of the breach.”

Thomas Kang, Senior Claims Specialist at ACE USA

Non-Economic Impacts Like a Loss of Trust Can Be Significant Too!

Source: Health Care IT Advisor research and analysis.
1) Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015. 2012 Cost of Cyber Crime Study: US, October 2012. Ponemon Institute.
2) NetDiligence 2015 Cyber Claims Study: http://netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf

Page 5

Preparation Efforts Not Keeping Pace

Attacks Are Expected …But Prevention and Funding Efforts Lag

52% of health care organizations expect to be compromised by a successful cyber attack in 20151

33% agree they have sufficient resources to prevent or quickly detect a data breach3

“The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.”
Michael Ebert, Partner, KPMG, Cyber Security

Source: Health Care IT Advisor research and analysis.
1) Citrix 2015 Cyberthreat Defense Report: https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/2015-cyberthreat-defense-report-north-america-and-europe.pdf
2) 2015 HIMSS Cybersecurity Survey
3) Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.

Page 6

Threats Come From Internal and External Players
2015 HIMSS Survey Shows Negligent Employees Pose Significant Risks

External Threats

64% of hospital respondents report a security incident of external origin

Insider Threats

Identifying and Detecting Security Incidents

• Half of surveyed organizations with an incident of internal origin say these incidents were identified by their own internal security team.
• Heavy reliance on three main incident detection techniques: network monitoring, monitoring of system activity logs, and monitoring user access logs.

Source: Health Care IT Advisor research and analysis.
1) 2015 HIMSS Cybersecurity Survey

Page 7

Increasingly Serious Threat Actors
Deep Pockets and Powerful Motivations

Page 8

Major Information Security Risks

• Poor Incident Response Preparedness
• Weak Technical Disaster Recovery and Corporate Business Continuity
• Fragmented Identity Management and Access Control
• Lack of Data Encryption
• Growth in the Internet of Things and the Consumerization of IT

Source: Health Care IT Advisor research and analysis.

Page 9

Reduce the Likelihood of a Breach

• Systematically identify and catalogue sensitive data
• Maintain an up-to-date cybersecurity incident response plan
• Develop written information security policies and procedures relating to administrative, technical and physical safeguards for sensitive data
• Develop a plan for managing risks associated with employee relationships
• Develop a plan for controlling service provider relationships
• Work with information technology vendors to deploy hardware and software tools that strengthen information security
• Develop training programs on cybersecurity for both IT and non-IT staff

Source: Health Care IT Advisor research and analysis.

Page 10

Listen to the Data
You Can’t Afford Not to Prepare

It Can Happen and Probably Has Happened to You

• 91% of health care organizations have experienced a data breach per Ponemon survey
• Even high security and high tech firms like RSA, Lockheed and Google have been breached

If It Happens It’ll Cost You

• Estimates range from $200,000 - $9 million with the average total economic impact being $2.1 million

HIMSS Recommendation for Security Budgeting1

Percent of IT budget that HCOs should spend on security: 10%
Percent of IT budget that HCOs actually spend on security: 3%

Source: Health Care IT Advisor research and analysis.
1) http://www.politico.com/story/2015/06/health-care-spending-billions-to-protect-the-records-it-spent-billions-to-install-118432

Page 11

Road Map

1. Why are the Board and C-Suite More Interested in Information Security Now?
2. Preparation: Scouting the Risk Landscape
3. Understanding the Different Perspectives of the C-Suite
4. Crafting and Delivering the Message

Page 12

Preparation: Scouting the Risk Landscape
Assessing Risk

Risk Assessment is *the* most important method for understanding the information security risks within your environment.

Assessment Targets

• Physical Office Assessment (shredding, clean desk, access)
• Security Governance Assessment
• Data Center Assessments (SSAE 161 SOC2 II Type 2)
• Vendor/Partner Assessments
• Infrastructure Assessment (vulnerability detection/management)
• Product Risk Assessments

Source: Health Care IT Advisor research and analysis.
1) Statement on Standards for Attestation Engagements 16 - an Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) auditing standard for service organizations, superseding SAS 70
2) Service Organization Controls - accounting standards from AICPA

Page 13

Preparation: Scouting the Risk Landscape
Other Key Channels for Risk Discovery

Employees: Provide valuable information during product team meetings, during architecture reviews, and in the hallway.

Industry: Vendor notifications, group memberships, and social media surface risks.

Your Clients: Clients’ assessments of products or services can surface problem areas previously unknown or not yet addressed.

Technology: Intrusion prevention alerts, perimeter security, log review, and scanners help to surface risks.

Threat Modeling: Helps predict types of risks or attacks based on your specific company profile.

Source: Health Care IT Advisor research and analysis.

Page 14

Preparation: Scouting the Risk Landscape
What Types of Risk Are You Looking For?

Physical/Office Risks
• Multiple office locations
• Theft
• Location access
• Employee mistakes
• “Bad Leavers”

Data/Privacy Risks
• PHI1, PII2, PCI3, student records, Intellectual Property
• Big Data
• Data sharing
• Federal/state/local regulations

Process Risk
• Decentralized data access control
• Backup and recovery
• Duplicated teams/efforts

External Risks
• Hackers
• Natural disasters
• Terrorism
• Partner/Vendor mistakes and threats

Technology Risks
• Cloud storage
• Multiple data centers
• Multiple technology platforms
• (Lack of) encryption
• Endpoints/BYOD4
• The Internet of Things

Source: Health Care IT Advisor research and analysis.
1) Personal Health Information
2) Personally Identifiable Information
3) Payment Card Information
4) Bring Your Own Device

Page 15

Road Map

1. Why are the Board and C-Suite More Interested in Information Security Now?
2. Preparation: Scouting the Risk Landscape
3. Understanding the Different Perspectives of the C-Suite
4. Crafting and Delivering the Message

Page 16

Explore On An Individual Basis:
Knowledge and Interest of Key Leaders Vary
Create a Foundation for Future Discussion Through Private Meetings

Understand the Different Perspectives of Your Leadership Before You Present to the Board or C-Suite

One-on-one closed door meetings with key executives will provide a critical understanding of how each views Information Security and risks to the organization.

Key Leaders                 General attitude about risk and security   Level of knowledge   Concerns around risk and security
Board
Chief Executive Officer
Chief Financial Officer
Chief Medical Officer
General Counsel
Chief Information Officer

Source: Health Care IT Advisor research and analysis.

Page 17

The View From the Boardroom
Common Board Members’ Perspectives on Security and Risk

Potential Perspectives of the Board

Board members mostly experience security through the audit committee.

• Uninformed or misinformed about cybersecurity threats, vulnerabilities, and consequences
• Uninformed or misinformed about cybersecurity preparedness
• Focused on compliance instead of security
• Fearful of liability, focused on unproductive questions, and uncertain about proper role

But the norm is shifting and concerns are growing.

Board awareness of cybersecurity risk and exposure is rapidly increasing. As a result, Boards are more receptive to increasing their focus on cybersecurity.

Source: Health Care IT Advisor research and analysis.

Page 18

The View From the CEO’s Chair
Common CEO Perspectives of Security and Risk

Potential Perspectives of the Chief Executive Officer

Often organizationally distant from cybersecurity and focused on other priorities but wants it handled without his/her involvement.

• Uninformed or misinformed about the organization’s state of cybersecurity risk and preparedness
• Insufficiently focused on ensuring or investing in appropriate organizational reforms on cybersecurity
• Unaware of the importance of their leadership role in effecting changes and monitoring progress in cybersecurity
• Insufficiently engaged with Board to manage risk and cybersecurity

But the rapidly growing number of cyber events has CEOs concerned about security.

CEOs can become a vital ally in driving cultural change and ensuring leadership engagement.

Source: Health Care IT Advisor research and analysis.

Page 19

The View From Finance
Common CFO Perspectives of Security and Risk

Potential Perspectives of the Chief Financial Officer

May see security as an expense to be minimized as long as the financial auditors are satisfied.

• Uninformed or misinformed about cybersecurity investments
• Insufficiently focused on cybersecurity resource needs
• Focused on compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Misinformed about the extent of insurance coverage for cyber events

But recent publicity about the cost of cyber events has led to increasing interest levels among CFOs.

The CFO is well positioned to provide needed resources for a security program.

Source: Health Care IT Advisor research and analysis.

Page 20

The View From Clinicians
Common CMO Perspectives of Security and Risk

Potential Perspectives of the Chief Medical Officer

Often perceive security measures simply as a source of complaints from physicians.

• Unaware or confused about cybersecurity risk
• More concerned with improving efficiency and protecting relationships with physicians than strengthening security

But growing awareness of clinician liability has started to change attitudes toward security measures.

CMOs1, CNOs2, CMIOs3, and CNIOs4 can serve as valuable intermediaries explaining the need for security measures to clinicians.

Source: Health Care IT Advisor research and analysis.
1) Chief Medical Officer
2) Chief Nursing Officer
3) Chief Medical Information Officer
4) Chief Nursing Information Officer

Page 21

The View From Legal
Common General Counsel Perspectives of Security and Risk

Potential Perspectives of General Counsel

May expect the information security team to eliminate all risk.

• Uninformed or misinformed about cybersecurity risk
• Focused on regulatory or contractual compliance instead of security
• Perceives cybersecurity to be someone else’s responsibility
• Sometimes not included in cybersecurity initiatives

But regulatory changes and new case law are increasing awareness among General Counsels about cyber risk and responsibilities.

The General Counsel is important for establishing the right security governance structure and policies, and providing legal support on regulatory, contractual, and incident response matters.

Source: Health Care IT Advisor research and analysis.

Page 22

The View From Information Technology
Common CIO Perspectives of Security and Risk

Potential Perspectives of the Chief Information Officer

Can see security measures as a barrier and a burden, slowing or even preventing progress and a potential source of trouble.

• Aware of the risk, but often more supportive of security in theory than in practice
• Often more focused on installing updated technology and reducing cost than improving security

But changing awareness among C-suite members is leading to a heightened level of attention to security by CIOs1.

The CIO is a key partner for defining and implementing cybersecurity measures.

Source: Health Care IT Advisor research and analysis.
1) Chief Information Officer

Page 23

Marshal Your C-Suite Allies
Build a Foundation with Private Meetings Before Presenting

Understand the different perspectives of your leadership before presenting to the Board

One-on-one, closed door meetings with key executives will provide a critical understanding of how each views information security and risks to the organization.

Key leaders: Board, CEO, CFO, CMO, General Counsel, CIO

Leadership is Often Poorly Informed

• C-suite and Board member attitudes vary but they are often uninformed or misinformed about cybersecurity risk and preparedness
• Frequently unclear about what their role is or should be in managing the cyber risk of the organization

Awareness is Changing

• C-suite and Board member awareness of cyber risk is growing
• Can be incredibly valuable allies to your efforts if approached thoughtfully

Source: Health Care IT Advisor research and analysis.

Page 24

Road Map

1. Why are the Board and C-Suite More Interested in Information Security Now?
2. Preparation: Scouting the Risk Landscape
3. Understanding the Different Perspectives of the C-Suite
4. Crafting and Delivering the Message

Page 25

A Framework for a Successful Discussion
Four Keys to Holding an Effective Discussion on Security

Prepare in Advance
• Make sure you understand the organization’s current state
• Hold private meetings with key leaders to understand their concerns and perspectives

Keep it Simple
• Talk in business terms and leverage scenarios to illustrate the organization’s risk profile from various threats
• Discuss improvements made to lower risk

Be Clear About Alternatives
• Provide alternatives for changing the organization's risk posture
• Acknowledge trade-offs for each alternative

Discuss Roles
• Provide examples of various roles they can play in managing cyber risk
• Ask for their guidance and assistance

Be Ready to Listen

Source: Health Care IT Advisor research and analysis.

Page 26

Be Prepared: Make Sure You Are Well Informed
Gather All the Information You Can About the Current State in Advance
Prepare in Advance

• Evaluate standard security frameworks like HITRUST1, NIST2 and ISO3.
• Leverage what makes the most sense for your organization.

Controls

Administrative Controls
• Acceptable Use and Application Security policies
• Training and awareness
• Endpoint security guidelines

Physical Controls
• Heavily-secured data centers
• Proximity cards
• Hard drive and paper shredding

Technical Controls
• Intrusion Prevention Systems
• Consolidated logging
• Phishing email detection
• Mobile device management
• Full environment scanning

Services

Policy and Procedure Development and Management
Privacy and Information Security Awareness and Training
Comprehensive Risk Assessment and Evaluation
Application Security Evaluation
Acquisition and Partnership Assessment
Vendor Assessment
Data Classification and Destruction
Compliance Management (PCI, HIPAA, FERPA, internal policies and procedures)
Intrusion Detection and Prevention
Network/Application Penetration Testing
Vulnerability Assessment and Remediation
Digital Forensic Investigation
Incident Triage, Evaluation and Management
Physical Security Consulting and Design
Industry Outreach and Partnerships

Source: Health Care IT Advisor research and analysis.
1) Health Information Trust Alliance
2) National Institute of Standards and Technology
3) International Organization for Standardization

Page 27

Example Scenarios
Leverage Threat Scenarios To Illustrate Risk
Talk in Business Terms
Keep It Simple

• Stolen device
• Insider abuse
• Phishing
• Ransomware

For Each Scenario Discuss

Situation: How might it happen?
Vulnerability: What weakness is exploited?
Awareness: How would the organization become aware of the situation?
Response: What would the incident response look like?
Implications: What is the potential impact on strategic plans and operations?
Mitigations: What mitigations could be used to reduce the risk? What are the financial and operational impacts of those mitigations?
Improvements: What recent improvements have already been made that may lower the risk?

Source: Health Care IT Advisor research and analysis.

Page 28

Provide Choices
Let Them Lead by Outlining Alternatives Rather Than Mandates
Be Clear About Alternatives

Example Alternatives

Alternative A: Maintain current risk level
Alternative B: Moderate reduction in cyber risk by addressing only major weaknesses or largest threats
Alternative C: Focus on a specific area of improvement such as education or incident response

Risk Reduction vs. Cost and Frustration

For each alternative provide estimates of:
• Risk reduction
• Cost
• Operational impact

Source: Health Care IT Advisor research and analysis.

Page 29

Ask For Support and Guidance
Discuss Possible Roles for C-Suite and Board
Discuss Roles

Board: Define acceptable levels of risk, establish urgency
CEO: Lead organizational reforms and cultural changes, oversee strategy development
CFO: Ensure appropriate funding
CMO: Act as liaison to medical staff and arbiter of tradeoffs between risk reduction and operational impact
General Counsel: Ensure appropriate governance and compliance with laws and regulation
CIO: Enable technical counter measures and enforce policies

Metrics: What information and metrics would the Board and C-Suite like to see on a recurring basis?

Source: Health Care IT Advisor research and analysis.

Page 30

Key Takeaways
Modern Cyber Risk Requires Engaged Leadership

Imperatives for an Effective C-Suite or Board Discussion About Security

Preparation is key to effective discussions

1. Start by understanding the current level of the organization’s cyber risk.
2. Hold private meetings with key leaders to explore their general attitude, level of understanding and interest in cyber security.
3. Leverage scenarios to explain potential risks and consequences using business terms over technical jargon.
4. Provide alternatives rather than mandates.
5. Ask for guidance on such issues as risk mitigation, roles and responsibilities and metrics.
6. Recognize that attitudes among board and C-suite members are changing and creating an opportunity for new discussions on cyber risk.

Source: Health Care IT Advisor research and analysis.

Page 31

We Can Help
Hunton & Williams

• Advice on new requirements, compliance, and rules in cybersecurity legislation and updating Info Sec Policy
• Advice on participation in information sharing arrangements with private entities and government agencies
• Assistance with changing or creating governance structures to address cybersecurity
• Negotiating for the inclusion of appropriate security provisions in contracts with third party vendors
• Handling dispute resolution with respect to private legal actions and enforcement actions by regulators, the FTC and State Attorneys General
• Leading table top exercises for data breaches
• Playing a central role in breach response so as to protect legal posture
• Updating the incident response plan and ensuring proper protection of legal posture during incident response

Page 32

We Can Help
The Advisory Board Company, Health Care IT Advisor

Publications and Analytics

Best Practice Studies: Major best practice strategy reports and briefings based on member-driven program agenda
Whitepapers and Expert Perspectives: Briefings and Insights for executives centered around the most pressing issues facing health care leaders today
Benchmarking and Tools: Web-based surveys, interactive tools – including calculators and forecasters – and benchmarking enabling members to compare performance against peers

Presentations and Interactions

National Meetings and Live Webconferences: Educational intensives on most urgent health care topics available to your team on an unlimited basis
On-Demand Webconferences: Unlimited access to all online archived Program Webconferences
Private Label Webcasts: Web-enabled sessions to present research to individual members paired with discussion

Web-Based Services

Advisory.com: Secured member website providing online access to research, services, announcements
The Daily Briefing: Daily e-mail newsletter summarizing breaking national health care news
Program Insights: Regular program updates, alerts, and expert perspectives on events affecting hospital strategy and operations

Expert Support

The Expert Center: Dedicated team to triage member requests and questions to ensure A+ member satisfaction
Facilitated Networking: Experts connect peers across the membership for high-value interactions upon request
Customized Service Plans: Senior leaders craft action-oriented service plans to map program resources to top member priorities

Page 33

2445 M Street NW | Washington DC 20037
P 202.266.5600 | F 202.266.5700 | advisory.com