Perfect storm healthcare security presentation dr. andrew litt scotland se…
A presentation from Dr. Andrew Litt on the challenge of securing patient data in a healthcare setting. Healthcare is one of the most vulnerable and also the most breached industries, here are simple steps to help improve your hospital's security position.

Published in: Technology

  • 1. Healthcare Data Security: Surviving The Perfect Storm. Andrew W. Litt, MD, Chief Medical Officer. Health Informatics Scotland, 20 September 2012
  • 2. Dell Healthcare and Life Sciences by the numbers
    • #1 Worldwide Healthcare IT Services Vendor (Gartner)
    • 13,000 employees worldwide
    • 300+ MDs, RNs and PhDs
    • Serving more than 50% of U.S. hospitals, providing care to 90 million Americans
    • Serving 7 of top 10 pharmaceutical companies
    • Serving 100 insurance organizations supporting 65 million policy holders
    • Managing over 5 billion medical images in cloud-based archive
    • Support for over 500 software, medical device and scientific instrument providers
    • Leading IT provider for 1st, 2nd and 3rd generation gene sequencing
    • Managing 14 billion security events a day
    • Provide OEM services to 70+ Healthcare and Life Sciences software, medical device and scientific instrument providers
    • Managed 400 revenue cycle engagements, recovering $15 billion for customers over 7 years
  • 3. Patient perspectives on sharing information
    • 54% of patients would withhold information
    • 38% would postpone seeking care
    • 37% would travel substantial distances to avoid a hospital they don’t trust with their privacy
    • 73% said serious breaches of PHI would reduce confidence in the quality of healthcare provided
    • 97% said healthcare executives have a legal and ethical responsibility to protect their privacy
    • 87% think health executives should lose their jobs over failure to act
    Source: FairWarning Report: Industry Best Practices for Patient Privacy in Electronic Health Records, April 2011
  • 4. The evolving threat: A Perfect Storm
    Embracing Technology and BYOD
    • Mobile device breaches are very costly
    • Difficult to track devices
    • Cause majority of reported breaches
    Data Explosion
    • Data explosion: HIEs, EHRs, ACOs
    • Complications for authenticating, encrypting, and protecting ePHI
    Advanced Threats
    • Highly coordinated & motivated
    • Well funded
    • Enabled by unwitting users and malicious insiders
    Compliance
    • Increased enforcement and penalties
    • Complex compliance requirements
  • 5. Analysis of the threat environment
  • 6. Healthcare breaches by the numbers
    • 96%: percentage of all healthcare providers that had at least one data breach in the past two years
    • 18+ million: number of patients whose protected health information was breached between 2009 and 2011
    • $27 billion: amount earmarked between 2011 and 2015 for attesting to meaningful use of EHR
    • 60%: proportion of healthcare providers that have had 2 or more breaches in the past 2 years
    • $50: black market value of a health record
    • 65%: proportion of reported breaches involving mobile devices
  • 7. Healthcare is under attack
    [Bubble chart of attacks by industry: Healthcare, Retail, Financial, Utilities, Business. Bubble size = % of customers affected within industry.]
    Source: SecureWorks CTU attack data from May 2012.
  • 8. Threats affecting healthcare and life sciences
    • Phishing
    • Spear Phishing
    • Downloaders
    • Trojans
    • Exploit Kits
    • Advanced & Persistent Threats
    • Distributed Denial of Service Attacks (DDoS)
    • Web Application Exploits
    • Wireless Network Hacking
    • Mobile Application and Other Exploits
  • 9. Typical process of a breach
    Unencrypted devices are used to access PHI
    • Insider threats
    • Third-party data loss
    Theft or loss of devices / drives
    • Often not targeting PHI specifically
    Realization and remediation
    • Was this truly a breach?
    • Begin investigation
  • 10. After the breach
    • Credit monitoring services for affected patients
    • Opportunity cost in staff time
    • Notification to gov’t authorities
    • Legal fees?
    • Analysis of affected records
    • Private investigators
    • Soft costs – impact to reputation
  • 11. Mobile computing security
  • 12. The mobile device market is thriving
    | | 2011 | 2014 |
    | U.S. hospital spending on IT | $4.7 billion | $6.8 billion |
    | Market for mobile devices in healthcare | $100 million | $1.7 billion |
    | Mobile device usage compared to overall IT | 2% | 25% |
    • 2 out of 5 physicians go online during patient consultations; mostly on handheld devices
    • 63% of physicians are using personal devices for mobile health solutions not connected to their practice
    • 86% of physicians are interested in accessing Electronic Medical Records from mobile devices
    Source: TechTarget news
  • 13. Benefits of mobile device usage for healthcare
    • Increased efficiency of the healthcare provider when with the patient
    • Real-time visibility into the patient’s condition
    • Increased patient participation
    • Integration with electronic medical records
    • Reduced capital cost
    • Reduced maintenance cost
    • More free space
  • 14. Mobile device challenges
    • Bring your own device: how to manage and maintain control and visibility in a disparate / heterogeneous environment
    • Encryption / authorization oversight: how to make sure the right people are accessing the right records
    • End point encryption: how to ensure the data is not locally stored vs. level of risk
    • Loss of devices: loss / theft management
  • 15. Mobile device risks originate from many areas
    [Diagram: Data Center, Hospital, Clinics or Business Associates, connected via Internet, 3G, WiFi, with risk points marked X.]
    • Man-in-the-Middle Attacks
    • Smartphone viruses
    • Social Media Vulnerabilities
    • Unmanaged devices
    • Compromised Devices and Open Gateways
    • IT Compliance Failures
    • Unprotected Corporate Data
    • Lack of Awareness and Standard Policies
    • SMS Attacks
  • 16. Mobile device breach costs
    $6.76 million average cost per organization. 58% of patients experience distrust of a provider following a breach.
    Per record costs:
    • Involving mobile devices: $258
    • Caused by system failures: $210
    • Attributed to negligence: $196
    Sources: HITRUST Alliance: “An Analysis of Breaches Affecting 500 or More Individuals in Healthcare”, May 2010; Advisory Board Company.
  • 17. Three key components of risk assessment
    1. Conduct a risk analysis
    2. Implement security measures as appropriate
    3. Correct identified security deficiencies as part of an overall risk management process
  • 18. Elements of a risk analysis
    • Identify where your patient data is.
    • How are you protecting patient data?
  • 19. Anatomy of a breach: Massachusetts eHealth Collaborative
  • 20. 5 stages of response
    1. Denial: Noooooooooooooooooooo!!! This is surely a nightmare and I’m going to wake up any minute.
    2. Anger: How dare someone steal our property??!! Who the heck would leave a company laptop unattended in a parked car??!!
    3. Bargaining: Are you sure it was OUR laptop?? Maybe it didn’t have any patient data on it?
  • 21. 5 stages of response (continued)
    4. Depression: We’re doomed. Patients’ privacy may be exposed. Some may suffer real harm or embarrassment. They’re going to hate their providers, and their providers are going to hate us. Word will spread, trust in us will erode, we’ll struggle to get new business, we may get fined or sanctioned by state and/or federal authorities, we may get sued by providers or patients or both. My kids won’t go to college, I’ll lose my house, my parents will be disgraced.
    5. Acceptance: OK, let’s get to work. We have an obligation to our customers, our board, and ourselves to affirmatively take responsibility for our errors, be transparent with all stakeholders, manage the process with operational excellence, and share our lessons learned so that others can hopefully learn from our blunders.
    Source: Micky Tripathi, President and CEO, Mass. eHealth Collaborative
  • 22. Improving security posture
    Be aware of ePHI (including 3rd parties)
    • Staff education
    • Understanding of compliance requirements
    • Assume that all portable devices contain PHI
    Mobile device security
    • Policies and procedures – properly manage BYOD policies
    • Full disk encryption
    Compliance
    • Security risk analysis
    • Clear documentation of risk points
    • Incident response plan
    • Enable the organization to minimize future critical threats
    Credentialing and authorization
    • Automating lockdown of passwords and entitlements
    • Full disk encryption
  • 23. Building a comprehensive security program (each phase runs a Build → Test → Remediate → Monitor cycle)
    1. Initial Assessments
    • Security Architecture Assessment
    • Security Program Review
    • HIPAA Gap Analysis
    • Meaningful Use Risk Analysis
    2. Security Infrastructure
    • Perimeter: Firewall; IDS / IPS; Malware Detection
    • Application: Web Application Firewall; Identity Management; Access Management
    • Endpoint: Anti Virus; DLP (email, data); Encryption + External
    3. Monitoring Program
    • 24x7 Monitoring: Security Devices; Log Monitoring; Threat Protection
    • Management: NOT “set it and forget it”; Ongoing tuning; Software upgrade & patches
    • Endpoint: Anti Virus; DLP (email, data); Encryption + External
    • Other Components: Threat Intelligence; Incident Management
    4. Testing Program
    • Scanning Platform: Network Scanning; Web App Scanning; Compliance Scanning
    • Testing Services: Vulnerability Assessment; Penetration Testing
  • 24. Security solution architecture
    Dell Security Services & Solutions enable organizations of all sizes to protect their IT assets, comply with regulations and reduce security costs.
    • Security Services (Dell SecureWorks): Dell SecureWorks services let you focus on your core business so you can offload your resource-intensive security operations to certified experts with deep security & compliance knowledge
    • Network Security (SonicWALL TZ/NSA): Dell Gateways and SonicWALL TZ/NSA firewalls secure your network against threats including intrusion, viruses and spam
    • Endpoint Security (Dell KACE): Dell KACE protects end points by identifying & remediating vulnerabilities across end nodes
    • Dell 3rd Party Security Partners (Trend Micro Worry Free): Trend Micro protects mobile users by blocking malware on PCs and laptops
    • Data Security (Dell Data Protection – Authentication, Encryption): Dell Data Protection controls unauthorized access with hardware encryption and user authentication
    [Diagram labels: Internet, VPN, Dell KACE, Trend Micro Worry Free, Dell Data Protection – Authentication, Encryption]
  • 25. Innovation and security enabled by cloud platform
    [Diagram: Cloud Archiving/Hosting Services with an Encryption layer, connecting Community, Individuals, PHR and Providers.]
  • 26. Security strategy should support 4 critical areas
    • Mobile device strategy
    • Data visibility
    • Endpoint access and encryption
    • Security and risk monitoring
  • 27. Dell Healthcare: Information-driven Healthcare