A presentation from Dr. Andrew Litt on the challenge of securing patient data in a healthcare setting. Healthcare is one of the most vulnerable and most breached industries; here are simple steps to help improve your hospital's security position.
Healthcare Data Security: Surviving The Perfect Storm
Andrew W. Litt, MD, Chief Medical Officer
Health Informatics Scotland, 20 September 2012
Healthcare
Dell Healthcare and Life Sciences by the numbers
• Serving more than 50% of U.S. hospitals, providing care to 90 million Americans
• Leading IT provider for 1st, 2nd and 3rd generation gene sequencing
• 13,000 employees worldwide
• 300+ MDs, RNs and PhDs
• Support for over 500 software, medical device and scientific instrument providers
• #1 Worldwide Healthcare IT Services Vendor (Gartner)
• Serving 7 of the top 10 pharmaceutical companies
• Managing over 5 billion medical images in a cloud-based archive
• Serving 100 insurance organizations supporting 65 million policy holders
• Managing 14 billion security events a day
• Provide OEM services to 70+ Healthcare and Life Sciences software, medical device and scientific instrument providers
• Managed 400 revenue cycle engagements, recovering $15 billion for customers over 7 years
Patient perspectives on sharing information
• 54% of patients would withhold information
• 38% would postpone seeking care
• 37% would travel substantial distances to avoid a hospital they don't trust with their privacy
• 73% said serious breaches of PHI would reduce confidence in the quality of healthcare provided
• 97% said healthcare executives have a legal and ethical responsibility to protect their privacy
• 87% think health executives should lose their jobs over failure to act
Source: Fairwarning Report: Industry Best Practices for Patient Privacy in Electronic Health Records, April 2011
The evolving threat: A Perfect Storm
Advanced Threats
• Highly coordinated & motivated
• Well funded
• Enabled by unwitting users and malicious insiders
Embracing Technology and BYOD
• Mobile device breaches are very costly
• Difficult to track devices
• Cause majority of reported breaches
Data Explosion
• HIEs, EHRs, ACOs
• Complications for authenticating, encrypting, and protecting ePHI
Compliance
• Increased enforcement and penalties
• Complex compliance requirements
Confidential 10/9/2012
Analysis of the threat environment
• 96%: percentage of all healthcare providers that had at least one data breach in the past two years
• $27 billion: amount earmarked between 2011 and 2015 for attesting to meaningful use of EHR
• 65%: proportion of breaches reported involving mobile devices
• 60%: proportion of healthcare providers that have had 2 or more breaches in the past 2 years
• $50: black market value of a health record
• 18+ million: number of patients whose protected health information was breached between 2009 and 2011
Healthcare is under attack
[Chart: attacks by industry (Healthcare, Retail, Financial, Utilities, Business). Bubble size = % of customers affected within industry.]
Source: SecureWorks CTU attack data from May 2012.
Threats affecting healthcare and life sciences
• Phishing & Spear Phishing
• Downloaders
• Advanced Persistent Threats
• Distributed Denial of Service Attacks (DDoS)
• Exploit Kits
• Trojans
• Web Application Exploits
• Wireless Network Hacking
• Mobile Application and Other Exploits
Typical process of a breach
1. Unencrypted devices are used to access PHI
2. Theft or loss of devices / drives (often not targeting PHI specifically)
3. Realization and remediation
• Was this truly a breach?
• Begin investigation
• Insider threats
• Third-party data loss
After the breach
• Credit monitoring services for affected patients
• Opportunity cost in staff time
• Notification to gov't authorities
• Legal fees?
• Analysis of affected records
• Private investigators
• Soft costs: impact to reputation
Mobile computing security
The mobile device market is thriving
• 2011 to 2014: market for mobile devices in healthcare grows from $100 million to $1.7 billion; U.S. hospital spending on IT grows from $4.7 billion to $6.8 billion
• 2 out of 5 physicians go online during patient consultations, mostly on handheld devices
• 63% of physicians are using personal devices for mobile health solutions not connected to their practice
• 86% of physicians are interested in accessing Electronic Medical Records from mobile devices
• Mobile device usage compared to overall IT: 2% vs. 25%
Source: TechTarget news
Benefits to mobile device usage for healthcare
• Increased efficiency of the healthcare provider when with the patient
• Real-time visibility into the patient's condition
• Increased patient participation
• Integration with electronic medical records
• Reduced capital cost
• Reduced maintenance cost
• More free space
Mobile device challenges
• Bring your own device: how to manage and maintain control and visibility in a disparate / heterogeneous environment
• Encryption / authorization oversight: how to make sure the right people are accessing the right records
• End point encryption: how to ensure the data is not locally stored vs. level of risk
• Loss of devices: loss / theft management
Mobile device risks originate from many areas
[Diagram: risks flowing between Hospital, Clinics or Business Associates, and Data Center over Internet, 3G and WiFi.]
• Smartphone viruses
• Unmanaged devices
• Man-in-the-Middle attacks
• Compromised devices and open gateways
• Lack of awareness and standard policies
• Social media vulnerabilities
• Unprotected corporate data
• IT compliance failures
• SMS attacks
Mobile device breach costs
Per record costs:
• Involving mobile devices: $258
• Caused by system failures: $210
• Attributed to negligence: $196
$6.76 million average cost per organization. 58% of patients experience distrust of a provider following a breach.
Sources: HITRUST Alliance: "An Analysis of Breaches Affecting 500 or More Individuals in Healthcare", May 2010; Advisory Board Company.
Three Key Components of Risk Assessment
1. Conduct a Risk Analysis
2. Implement Security Measures as Appropriate
3. Correct Identified Security Deficiencies as Part of an Overall Risk Management Process
Elements of a Risk Analysis
• Identify where your patient data is.
• How are you protecting patient data?
Anatomy of a Breach: Massachusetts eHealth Collaborative
5 stages of response
1. Denial: Noooooooooooooooooooo!!! This is surely a nightmare and I'm going to wake up any minute.
2. Anger: How dare someone steal our property??!! Who the heck would leave a company laptop unattended in a parked car??!!
3. Bargaining: Are you sure it was OUR laptop?? Maybe it didn't have any patient data on it?
4. Depression: We're doomed. Patients' privacy may be exposed. Some may suffer real harm or embarrassment. They're going to hate their providers, and their providers are going to hate us. Word will spread, trust in us will erode, we'll struggle to get new business, we may get fined or sanctioned by state and/or federal authorities, we may get sued by providers or patients or both. My kids won't go to college, I'll lose my house, my parents will be disgraced.
5. Acceptance: OK, let's get to work. We have an obligation to our customers, our board, and ourselves to affirmatively take responsibility for our errors, be transparent with all stakeholders, manage the process with operational excellence, and share our lessons learned so that others can hopefully learn from our blunders.
Source: http://www.histalkpractice.com/2011/12/03/first-hand-experience-with-a-patient-data-security-breach-12311/ by Micky Tripathi, President and CEO, Mass. eHealth Collaborative
Improving security posture
Be Aware of ePHI (including 3rd Parties)
• Staff education
• Understanding of compliance requirements
• Assume that all portable devices contain PHI
Mobile Device Security
• Policies and procedures: properly manage BYOD policies
• Full disk encryption
Compliance
• Security Risk Analysis
• Clear documentation of risk points
• Incident response plan
• Enable the organization to minimize future critical threats
Credentialing and Authorization
• Automating lockdown of passwords and entitlements
• Full disk encryption
Building a comprehensive security program
Continuous cycle: Build, Monitor, Test, Remediate
1. Initial Assessments
• Security Architecture Assessment
• Security Program Review
• HIPAA Gap Analysis
• Meaningful Use Risk Analysis
2. Security Infrastructure
• Perimeter: Firewall, IDS / IPS, Malware Detection
• Application: Web Application Firewall, Identity Management, Access Management
• Endpoint: Anti Virus, DLP (email, data), Encryption + External
3. Monitoring Program
• 24x7 Monitoring: Security Devices, Log Monitoring, Threat Protection
• Management: NOT "set it and forget it", Ongoing tuning, Software upgrade & patches
• Other Components: Threat Intelligence, Incident Management
4. Testing Program
• Scanning Platform: Network Scanning, Web App Scanning, Compliance Scanning
• Testing Services: Vulnerability Assessment, Penetration Testing
Security solution architecture
Dell Security Services & Solutions enable organizations of all sizes to protect their IT assets, comply with regulations and reduce security costs.
• Security Services: Dell SecureWorks services let you focus on your core business so you can offload your resource-intensive security operations to certified experts with deep security & compliance knowledge
• Network Security: Dell Gateways and SonicWALL TZ/NSA firewalls secure your network against threats including intrusion, viruses and spam
• Endpoint Security: Dell KACE protects end points by identifying & remediating vulnerabilities across end nodes; Trend Micro protects mobile users by blocking malware on PCs and laptops
• Data Security: Dell Data Protection controls unauthorized access with hardware encryption and user authentication
[Diagram: Internet, VPN, Dell SecureWorks, SonicWALL TZ/NSA, Dell KACE, Trend Micro Worry Free, Dell Data Protection (Authentication, Encryption), Dell 3rd Party Security Partners.]
Innovation and Security enabled by Cloud platform
[Diagram: Cloud Archiving/Hosting Services connected, with encryption on each path, to Community, PHR, Individuals and Providers.]
Security strategy should support 4 critical areas
• Data visibility
• Endpoint access and encryption
• Mobile device strategy
• Security and risk monitoring
Dell Healthcare: Information-driven Healthcare