Healthcare Data Security: Surviving The Perfect Storm
Andrew W. Litt, MD, Chief Medical Officer
Health Informatics Scotland, 20 September 2012


DESCRIPTION

A presentation from Dr. Andrew Litt on the challenge of securing patient data in a healthcare setting. Healthcare is one of the most vulnerable and also the most breached industries, here are simple steps to help improve your hospital's security position.


Page 1

Healthcare Data Security: Surviving The Perfect Storm
Andrew W. Litt, MD, Chief Medical Officer
Health Informatics Scotland, 20 September 2012

Page 2

Dell Healthcare and Life Sciences by the numbers

• Serving more than 50% of U.S. hospitals providing care to 90 million Americans
• Leading IT provider for 1st, 2nd and 3rd generation gene sequencing
• 13,000 employees worldwide
• 300+ MDs, RNs and PhDs
• Support for over 500 software, medical device and scientific instrument providers
• #1 Worldwide Healthcare IT Services Vendor - Gartner
• Serving 7 of top 10 pharmaceutical companies
• Managing over 5 billion medical images in a cloud-based archive
• Serving 100 insurance organizations supporting 65 million policy holders
• Managing 14 billion security events a day
• Provide OEM services to 70+ Healthcare and Life Sciences software, medical device and scientific instrument providers
• Managed 400 revenue cycle engagements, recovering $15 billion for customers over 7 years

Page 3

Patient perspectives on sharing information

• 54% of patients would withhold information
• 38% would postpone seeking care
• 37% would travel substantial distances to avoid a hospital they don’t trust with their privacy
• 73% said serious breaches of PHI would reduce confidence in the quality of healthcare provided
• 97% said healthcare executives have a legal and ethical responsibility to protect their privacy
• 87% think health executives should lose their jobs over failure to act

Source: FairWarning Report: Industry Best Practices for Patient Privacy in Electronic Health Records, April 2011

Page 4

The evolving threat: A Perfect Storm

Advanced Threats
• Highly coordinated & motivated
• Well funded
• Enabled by unwitting users and malicious insiders

Embracing Technology and BYOD
• Mobile device breaches are very costly
• Difficult to track devices
• Cause majority of reported breaches

Data Explosion
• HIEs, EHRs, ACOs
• Complications for authenticating, encrypting, and protecting ePHI

Compliance
• Increased enforcement and penalties
• Complex compliance requirements

Page 5

Analysis of the threat environment

Page 6

• 96%: percentage of all healthcare providers that had at least one data breach in the past two years
• $27 billion: amount earmarked between 2011 and 2015 for attesting to meaningful use of EHR
• 65%: proportion of breaches reported involving mobile devices
• 60%: proportion of healthcare providers that have had 2 or more breaches in the past 2 years
• $50: black market value of a health record
• 18+ million: number of patients whose protected health information was breached between 2009 and 2011

Page 7

Healthcare is under attack

[Chart: attack activity by industry (Healthcare, Retail, Financial, Utilities, Bus.)]

Source: SecureWorks CTU attack data from May 2012. Bubble size = % of customers affected within industry.

Page 8

Threats affecting healthcare and life sciences

• Phishing & spear phishing
• Downloaders
• Advanced Persistent Threats
• Distributed Denial of Service attacks (DDoS)
• Exploit kits
• Trojans
• Web application exploits
• Wireless network hacking
• Mobile application and other exploits

Page 9

Typical process of a breach

1. Unencrypted devices are used to access PHI
2. Theft or loss of devices / drives
   • Often not targeting PHI specifically
3. Realization and remediation
   • Was this truly a breach?
   • Begin investigation
   • Insider threats
   • Third-party data loss

Page 10

After the breach

• Credit monitoring services for affected patients
• Opportunity cost in staff time
• Notification to gov’t authorities
• Legal fees?
• Analysis of affected records
• Private investigators
• Soft costs – impact to reputation

Page 11

Mobile computing security

Page 12

The mobile device market is thriving

• Market for mobile devices in healthcare: $100 million (2011) to $1.7 billion (2014)
• U.S. hospital spending on IT: $4.7 billion to $6.8 billion
• 2 out of 5 physicians go online during patient consultations, mostly on handheld devices
• 63% of physicians are using personal devices for mobile health solutions not connected to their practice
• 86% of physicians are interested in accessing Electronic Medical Records from mobile devices
• Mobile device usage compared to overall IT: 2% / 25%

Source: TechTarget news

Page 13

Benefits of mobile device usage for healthcare

• Increased efficiency of the healthcare provider when with the patient
• Real-time visibility into the patient’s condition
• Increased patient participation
• Integration with electronic medical records
• Reduced capital cost
• Reduced maintenance cost
• More free space

Page 14

Mobile device challenges

• Bring your own device – how to manage and maintain control and visibility in a disparate / heterogeneous environment
• Encryption / authorization oversight – how to make sure the right people are accessing the right records
• End point encryption – how to ensure the data is not locally stored vs. level of risk
• Loss of devices – loss / theft management

Page 15

Mobile device risks originate from many areas

• Smartphone viruses
• Unmanaged devices
• Internet, 3G, WiFi
• Man-in-the-Middle attacks
• Compromised devices and open gateways
• Lack of awareness and standard policies
• Social media vulnerabilities
• Unprotected corporate data
• IT compliance failures
• SMS attacks

[Diagram: risk points across the hospital, clinics or business associates, and the data center]

Page 16

Mobile device breach costs

Per record costs:
• Involving mobile devices: $258
• Caused by system failures: $210
• Attributed to negligence: $196

$6.76 million average cost per organization. 58% of patients experience distrust of a provider following a breach.

Sources: HITRUST Alliance: “An Analysis of Breaches Affecting 500 or More Individuals in Healthcare”, May 2010; Advisory Board Company.

Page 17

Three Key Components of Risk Assessment

1. Conduct a risk analysis
2. Implement security measures as appropriate
3. Correct identified security deficiencies as part of an overall risk management process

Page 18

Elements of a Risk Analysis

• Identify where your patient data is.
• How are you protecting patient data?

Page 19

Anatomy of a Breach: Massachusetts eHealth Collaborative

Page 20

5 stages of response

1. Denial: Noooooooooooooooooooo!!! This is surely a nightmare and I’m going to wake up any minute.

2. Anger: How dare someone steal our property??!! Who the heck would leave a company laptop unattended in a parked car??!!

3. Bargaining: Are you sure it was OUR laptop?? Maybe it didn’t have any patient data on it?


Page 21

5 stages of response

4. Depression: We’re doomed. Patients’ privacy may be exposed. Some may suffer real harm or embarrassment. They’re going to hate their providers, and their providers are going to hate us. Word will spread, trust in us will erode, we’ll struggle to get new business, we may get fined or sanctioned by state and/or federal authorities, we may get sued by providers or patients or both. My kids won’t go to college, I’ll lose my house, my parents will be disgraced.

5. Acceptance: OK, let’s get to work. We have an obligation to our customers, our board, and ourselves to affirmatively take responsibility for our errors, be transparent with all stakeholders, manage the process with operational excellence, and share our lessons learned so that others can hopefully learn from our blunders.

Source: http://www.histalkpractice.com/2011/12/03/first-hand-experience-with-a-patient-data-security-breach-12311/ by Micky Tripathi, President and CEO, Mass. eHealth Collaborative


Page 22

Improving security posture

Be aware of ePHI (including 3rd parties)
• Staff education
• Understanding of compliance requirements
• Assume that all portable devices contain PHI

Mobile device security
• Policies and procedures – properly manage BYOD policies
• Full disk encryption

Compliance
• Security risk analysis
• Clear documentation of risk points
• Incident response plan
• Enable the organization to minimize future critical threats

Credentialing and authorization
• Automating lockdown of passwords and entitlements
• Full disk encryption

Page 23

Building a comprehensive security program

Continuous cycle: Build → Monitor → Test → Remediate

1. Initial Assessments
• Security Architecture Assessment
• Security Program Review
• HIPAA Gap Analysis
• Meaningful Use Risk Analysis

2. Security Infrastructure
• Perimeter: Firewall, IDS / IPS, Malware Detection
• Application: Web Application Firewall, Identity Management, Access Management
• Endpoint: Anti Virus, DLP (email, data), Encryption + External

3. Monitoring Program
• 24x7 Monitoring: Security Devices, Log Monitoring, Threat Protection
• Management: NOT “set it and forget it”, Ongoing tuning, Software upgrades & patches
• Other Components: Threat Intelligence, Incident Management

4. Testing Program
• Scanning Platform: Network Scanning, Web App Scanning, Compliance Scanning
• Testing Services: Vulnerability Assessment, Penetration Testing

Page 24

Security solution architecture

Security Services: Dell SecureWorks services let you focus on your core business so you can offload your resource-intensive security operations to certified experts with deep security & compliance knowledge.

Network Security: Dell Gateways and SonicWALL TZ/NSA firewalls secure your network against threats including intrusion, viruses and spam.

Endpoint Security: Dell KACE protects end points by identifying & remediating vulnerabilities across end nodes. Trend Micro protects mobile users by blocking malware on PCs and laptops.

Data Security: Dell Data Protection controls unauthorized access with hardware encryption and user authentication.

[Diagram components: Internet, VPN, Dell SecureWorks, SonicWALL TZ/NSA, Dell KACE, Trend Micro Worry Free, Dell Data Protection – Authentication, Encryption, Dell 3rd Party Security Partners]

Dell Security Services & Solutions enable organizations of all sizes to protect their IT assets, comply with regulations and reduce security costs.

Page 25

Innovation and Security enabled by Cloud platform

[Diagram: Cloud Archiving/Hosting Services, with Encryption between the platform and the Community, PHR, Individuals and Providers]

Page 26

Security strategy should support 4 critical areas

• Data visibility
• Endpoint access and encryption
• Mobile device strategy
• Security and risk monitoring

Page 27

Dell Healthcare

Information-driven Healthcare