This document discusses cybersecurity challenges in healthcare. It begins with an agenda covering healthcare cybersecurity headlines, trends, unique issues, practical remedies, where to begin, and building security collaboratively. It then covers each agenda item in more detail. The document emphasizes that healthcare data is highly valuable to hackers and outlines trends like increasing ransomware attacks and data breaches. It describes unique challenges for healthcare like medical devices and real-time access needs. Practical steps are outlined like risk assessments, policies, access controls, and partnering with groups like state agencies and information sharing organizations.
1. Cybersecurity Challenges in Healthcare
Doug Copley – Beaumont Health & Michigan Healthcare Cybersecurity Council
2. Take-Aways From This Session
1. Insight on specific cybersecurity threats healthcare organizations face on a daily basis
2. Practical advice for reducing the risk of cybersecurity threats
3. A perspective on reaching outside your organizational boundaries to reduce cybersecurity risk & improve preparedness
3. Agenda
1. Healthcare Cybersecurity Headlines
2. Healthcare Industry Cybersecurity Trends
3. Cybersecurity Issues Unique to Healthcare
4. Applying Practical Remedies to Reduce Risk
5. Where to Begin
6. Building Security Without Boundaries
7. Question & Answer
12. Recent Headlines
• Nov. 13, 2015: OH Muhlenberg (Provider-KY) – 84,681 records – Hacking/IT Incident
• Oct. 28, 2015: Children's Medical Clinics of East Texas (Provider-TX) – 16,000 records – Unauthorized Access/Disclosure
• Sep. 9, 2015: Excellus Health Plan (NY) – 10,000,000 records – Hacking/IT Incident
13. Data Breach Visual
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
15. Healthcare Cyber Trends
• Healthcare data most valuable
• Phishing/email is easiest method of attack
• Cyber defense improving, but still lagging
• Medical facilities use credit cards nearly as much as retailers
• More are purchasing cyber insurance
• OCR and CMS doing more audits
• Fines being issued for lack of “basics”
• Likely we will get more regulations
19. Understanding Healthcare Needs
• Patient Care
• Quality & Safety
• Real-time Access to Information, Regardless of Where it is
• Flow of Data Needs to be Seamless, to Providers, Payers and Patients
• iPads, iPhones, Tablets are Required
• Telemedicine
• Accountable Care & Revenue
20. Cyber Challenges
• Cyber education takes time from patients
• Typing passwords slows down patient care
• So much access to patient data, a malicious insider is difficult to detect
• High volume of external data flows
• Networked medical devices
• Remote vendor support common
• EHR access from anywhere (required)
• Lack of maturity & high value of data
21. Connected Medical Devices
2007 – Vice President Dick Cheney feared terrorists had the technology to send a fatal shock to his pacemaker, so he had his doctors disable its wireless capability.
23. Managing Cyber Risk
• Key is appropriately managing the risks
– Policies & procedures (administrative)
– Technology tools (technical)
– Control physical access (physical)
• Risk/Cost decision: Do we need to:
– Prevent it from happening?
– Detect & respond when it happens?
– Would it automatically get corrected?
– Do we get cyber insurance?
24. Practical Steps To Security
1. Have a Plan
– Decide on a framework (HiTrust, NIST, ISO, etc.)
– Build relationships with Compliance, Audit, Risk
– Prioritize efforts based on risk
2. Understand your environment
– Understand your business
– Users and equipment on the network
– Understand data flows, particularly off-network
3. Manage your vendors and business associates
25. Practical Steps To Security
4. Write easy-to-understand policies and EDUCATE
5. Leverage virtualization (Citrix for abstraction)
6. Manage the data on personal phones & tablets
7. Deploy SSO with badge readers
– Simpler & quicker for clinical users
8. Don’t let insecure devices on your corporate network – segment if needed, or leverage VDI (for example XP you can’t eliminate)
26. Practical Steps To Security
9. Medical devices… push vendors and use FDA guidance and partnerships as leverage
10. Blocking & tackling
– Awareness & Education – make it relevant!!
– Strong HW, SW, medical device asset mgmt
– System scanning & PATCHING
– Event monitoring & incident response
• Watch outbound, not just inbound activity
– Data loss prevention
– Restrictions on removable media
28. 6-Step Security Cycle
• Inventory Your PHI
• Perform a Risk Assessment
• Develop a Security Strategy
• Have an Incident Response Plan Ready
• Implement Policies, Processes, and Technologies
• Train Workforce
(Source: Healthcare IT News)
29. Where to Begin
Regulators expect a risk assessment to drive privacy and security safeguards. Key questions from the guidance:
1. Have you identified the e-PHI within your organization? (create, receive, maintain or transmit)
2. What are the external sources of e-PHI? (vendors, consultants)
3. What are the threats to systems that contain e-PHI?
Risk assessment results should help determine:
1. Appropriate personnel screening processes
2. Identify what data to backup and how
3. Decide whether to use encryption
4. Identify what data must be authenticated
5. Determine data transmission safeguards
31. Building Security Without Boundaries
• Resources are ALWAYS constrained
– Reason for risk-based prioritization
– Outsource if necessary, but commodity functions
• Encourage and reward innovation
– May increase productivity
– Can help improve morale
• Look for external funding
– Federal & State grants may be available
– May be able to participate in outside initiatives
32. Leverage Key Partnerships
Build partnerships outside your organization
In healthcare, key resources are:
1. Peer organizations – non-profit and for-profit
2. State - Dept. of Community Health
3. State - Health Information Exchanges
4. State - Health & Hospital Association
5. HiTrust & NH-ISAC
6. Federal – Health & Human Services
7. Federal – FBI & InfraGard
8. Federal – Homeland Security
33. Michigan Healthcare Cybersecurity Council (www.mihcc.org)
Goals of MHCC efforts:
• Bring Michigan healthcare organizations together toward a common purpose
• To protect MI critical healthcare infrastructure
• To leverage public/private partnerships to improve healthcare cybersecurity preparedness
• Apply best practices and consistent protections to common challenges
• Deliver actionable materials all healthcare entities can use