A presentation from Dr. Andrew Litt on the challenge of securing patient data in a healthcare setting. Healthcare is one of the most vulnerable and also one of the most breached industries; here are simple steps to help improve your hospital's security position.

  1. Healthcare Data Security: Surviving The Perfect Storm. Andrew W. Litt, MD, Chief Medical Officer. Health Informatics Scotland, 20 September 2012
  2. Dell Healthcare and Life Sciences by the numbers
     • #1 Worldwide Healthcare IT Services Vendor - Gartner
     • 13,000 employees worldwide; 300+ MDs, RNs and PhDs
     • Serving more than 50% of U.S. hospitals, providing care to 90 million Americans
     • Serving 7 of top 10 pharmaceutical companies
     • Serving 100 insurance organizations supporting 65 million policy holders
     • Managing over 5 billion medical images in cloud-based archive
     • Support for over 500 software, medical device and scientific instrument providers
     • Leading IT provider for 1st, 2nd and 3rd generation gene sequencing
     • Managing 14 billion security events a day
     • Provide OEM services to 70+ Healthcare and Life Sciences software, medical device and scientific instrument providers
     • Managed 400 revenue cycle engagements, recovering $15 billion for customers over 7 years
  3. Patient perspectives on sharing information
     • 54% of patients would withhold information
     • 38% would postpone seeking care
     • 37% would travel substantial distances to avoid a hospital they don’t trust with their privacy
     • 73% said serious breaches of PHI would reduce confidence in the quality of healthcare provided
     • 97% said healthcare executives have a legal and ethical responsibility to protect their privacy
     • 87% think health executives should lose their jobs over failure to act
     Source: FairWarning Report: Industry Best Practices for Patient Privacy in Electronic Health Records, April 2011
  4. The evolving threat: A Perfect Storm
     Embracing Technology and BYOD
     • Mobile device breaches are very costly
     • Difficult to track devices
     • Cause majority of reported breaches
     Data Explosion
     • Data explosion
     • HIEs, EHRs, ACOs
     • Complications for authenticating, encrypting, and protecting ePHI
     Advanced Threats
     • Highly coordinated and motivated
     • Well funded
     • Enabled by unwitting users and malicious insiders
     Compliance
     • Increased enforcement and penalties
     • Complex compliance requirements
  5. Analysis of the Threat environment (section divider). Confidential, 10/9/2012
  6. Healthcare breach statistics
     • 96%: Percentage of all healthcare providers that had at least one data breach in the past two years
     • 18+ million: Number of patients whose protected health information was breached between 2009 and 2011
     • $27 billion: Amount earmarked between 2011 and 2015 for attesting to meaningful use of EHR
     • 60%: Proportion of healthcare providers that have had 2 or more breaches in the past 2 years
     • $50: Black market value of a health record
     • 65%: Proportion of breaches reported involving mobile devices
  7. Healthcare is under attack
     [Bubble chart comparing industries: Business, Healthcare, Retail, Financial, Utilities. Bubble size = % of customers affected within industry.]
     Source: SecureWorks CTU attack data from May 2012.
  8. Threats affecting healthcare and life sciences
     • Phishing and Spear Phishing
     • Downloaders
     • Advanced Persistent Threats
     • Distributed Denial of Service Attacks (DDoS)
     • Exploit Kits
     • Trojans
     • Web Application Exploits
     • Wireless Network Hacking
     • Mobile Application Exploits and Other
  9. Typical process of a breach
     Unencrypted devices are used to access PHI
     • Insider threats
     • Third-party data loss
     Theft or loss of devices / drives
     • Often not targeting PHI specifically
     Realization and remediation
     • Was this truly a breach?
     • Begin investigation
  10. After the breach
     • Credit monitoring services for affected patients
     • Opportunity cost in staff time
     • Notification to gov’t authorities
     • Legal fees?
     • Analysis of affected records
     • Private investigators
     • Soft costs – impact to reputation
  11. Mobile computing security (section divider)
  12. The mobile device market is thriving (2011 compared with 2014)
     • U.S. hospital spending on IT: $4.7 billion (2011) to $6.8 billion (2014)
     • Market for mobile devices in healthcare: $100 million (2011) to $1.7 billion (2014)
     • Mobile device usage compared to overall IT: 2% (2011) to 25% (2014)
     • 2 out of 5 physicians go online during patient consultations; mostly on handheld devices
     • 63% of physicians are using personal devices for mobile health solutions not connected to their practice
     • 86% of physicians are interested in accessing Electronic Medical Records from mobile devices
     Source: TechTarget news
  13. Benefits to mobile device usage for healthcare
     • Increased efficiency of the healthcare provider when with the patient
     • Real-time visibility into the patient’s condition
     • Increased patient participation
     • Integration with electronic medical records
     • Reduced capital cost
     • Reduced maintenance cost
     • More free space
  14. Mobile device challenges
     • Bring your own device – How to manage and maintain control and visibility in a disparate / heterogeneous environment
     • Encryption / Authorization Oversight – How to make sure the right people are accessing the right records
     • End point encryption – How to ensure the data is not locally stored vs level of risk
     • Loss of devices – Loss / theft management
  15. Mobile device risks originate from many areas
     [Diagram of a Data Center, Hospital, Clinics or Business Associates, connected over Internet, 3G and WiFi, with risk points marked:]
     • Man-in-the-Middle Attacks
     • Smartphone viruses
     • Social Media Vulnerabilities
     • Unmanaged devices
     • Compromised Devices and Open Gateways
     • IT Compliance Failures
     • Unprotected Corporate Data
     • Lack of Awareness and Standard Policies
     • SMS Attacks
  16. Mobile device breach costs
     • $6.76 million average cost per organization
     • 58% of patients experience distrust of a provider following a breach
     Per record costs:
     • Involving mobile devices: $258
     • Caused by system failures: $210
     • Attributed to negligence: $196
     Sources: HITRUST Alliance: “An Analysis of Breaches Affecting 500 or More Individuals in Healthcare”, May 2010; Advisory Board Company.
  17. Three Key Components of Risk Assessment
     1. Conduct a Risk Analysis
     2. Implement Security Measures as Appropriate
     3. Correct Identified Security Deficiencies as Part of an Overall Risk Management Process
  18. Elements of a Risk Analysis
     • Identify where your patient data is.
     • How are you protecting patient data?
  19. Anatomy of a Breach: Massachusetts eHealth Collaborative (section divider)
  20. 5 stages of response
     1. Denial: Noooooooooooooooooooo!!! This is surely a nightmare and I’m going to wake up any minute.
     2. Anger: How dare someone steal our property??!! Who the heck would leave a company laptop unattended in a parked car??!!
     3. Bargaining: Are you sure it was OUR laptop?? Maybe it didn’t have any patient data on it?
  21. 5 stages of response (cont.)
     4. Depression: We’re doomed. Patients’ privacy may be exposed. Some may suffer real harm or embarrassment. They’re going to hate their providers, and their providers are going to hate us. Word will spread, trust in us will erode, we’ll struggle to get new business, we may get fined or sanctioned by state and/or federal authorities, we may get sued by providers or patients or both. My kids won’t go to college, I’ll lose my house, my parents will be disgraced.
     5. Acceptance: OK, let’s get to work. We have an obligation to our customers, our board, and ourselves to affirmatively take responsibility for our errors, be transparent with all stakeholders, manage the process with operational excellence, and share our lessons learned so that others can hopefully learn from our blunders.
     Source: http://www.histalkpractice.com/2011/12/03/first-hand-experience-with-a-patient-data-security-breach-12311/ by Micky Tripathi, President and CEO, Mass. eHealth Collaborative
  22. Improving security posture
     Be Aware of ePHI (including 3rd Parties)
     • Staff education
     • Understanding of compliance requirements
     • Assume that all portable devices contain PHI
     Mobile Device Security
     • Policies and procedures – properly manage BYOD policies
     • Full disk encryption
     Compliance
     • Security Risk Analysis
     • Clear documentation of risk points
     • Incident response plan
     • Enable the organization to minimize future critical threats
     Credentialing and Authorization
     • Automating lockdown of passwords and entitlements
     • Full disk encryption
  23. Building a comprehensive security program (each component runs as a Build, Test, Monitor, Remediate cycle)
     1. Initial Assessments
     • Security Architecture Assessment
     • Security Program Review
     • HIPAA Gap Analysis
     • Meaningful Use Risk Analysis
     2. Security Infrastructure
     • Perimeter: Firewall; IDS / IPS; Malware Detection
     • Application: Web Application Firewall; Identity Management; Access Management
     • Endpoint: Anti Virus; DLP (email, data); Encryption + External
     3. Monitoring Program
     • 24x7 Monitoring: Security Devices; Log Monitoring; Threat Protection
     • Management: NOT “set it and forget it”; Ongoing tuning; Software upgrade & patches
     • Endpoint: Anti Virus; DLP (email, data); Encryption + External
     • Other Components: Threat Intelligence; Incident Management
     4. Testing Program
     • Scanning Platform: Network Scanning; Web App Scanning; Compliance Scanning
     • Testing Services: Vulnerability Assessment; Penetration Testing
  24. Security solution architecture
     Dell Security Services & Solutions enable organizations of all sizes to protect their IT assets, comply with regulations and reduce security costs.
     • Security Services (Dell SecureWorks): Dell SecureWorks services let you focus on your core business so you can offload your resource-intensive security operations to certified experts with deep security & compliance knowledge
     • Network Security (Dell SonicWALL TZ/NSA): Dell Gateways and SonicWALL TZ/NSA firewalls secure your network against threats including intrusion, viruses and spam
     • Endpoint Security (Dell KACE): Dell KACE protects end points by identifying & remediating vulnerabilities across end nodes
     • Dell 3rd Party Security Partners (Trend Micro Worry Free): Trend Micro protects mobile users by blocking malware on PCs and laptops
     • Data Security (Dell Data Protection – Authentication, Encryption): Dell Data Protection controls unauthorized access with hardware encryption and user authentication
     [Diagram also shows Internet and VPN connectivity into the above layers.]
  25. Innovation and Security enabled by Cloud platform
     [Diagram: Cloud Archiving/Hosting Services, with encryption between the Community, Individuals (PHR) and Providers.]
  26. Security strategy should support 4 critical areas
     • Mobile device strategy
     • Data visibility
     • Endpoint access and encryption
     • Security and risk monitoring
  27. Dell Healthcare: Information-driven Healthcare