1) Cybersecurity incidents are common in healthcare, with 82% of hospitals reporting significant security incidents in the past year. Email remains the primary initial point of compromise, often through phishing. Email frequently contains sensitive patient information. 2) Several large healthcare data breaches in 2018 exposed the data of over 2 million patients total. Ransomware attacks were a factor in some of these breaches. 3) Cybersecurity frameworks provide a common language and methodology for managing risks. Frameworks like HITRUST and NIST CSF are complementary and organizations can leverage elements of both. Proper implementation and board involvement are important.

1. 1
Cybersecurity in Healthcare
Steven Goriah, DHA, CHCIO, FACHE, CISM
Vice President Information Technology
CISO
Westchester Medical Center Health Network

2. Cybersecurity in Healthcare

3. • 82 % of hospitals reported a significant security incidents in the
past 12 Months
• E-mail (e.g., phishing email) continues to be the most frequently
reported initial point of compromise (69%) n=166
• E-mail can contain a wealth of information, including sensitive
patient clinical and financial information
3
2019 HIMSS CYBERSECURITY SURVEY

4. LifeBridge Health
• The attack potentially breached the data of around 500,000 patients.
Health Management Concepts
• This ransomware attack fast became a full-blown data breach over
500,000 patients.
UnityPoint Health
• Two security breaches last year. The second compromised the data of
1.4 million patients.
4
Largest Healthcare Data Breaches of 2018

5. It’s all about Risk Management. Which is riskier?
“More people are killed every year by
pigs than by sharks, which shows you
how good we are at evaluating risk.”

6. How do we approach such a complex
situation for Healthcare?
6

7. What is the Role of a Framework?
• Provides a common language and systematic
methodology for managing cybersecurity risk.
• Includes activities to be incorporated in a
cybersecurity program that can be tailored to
meet any organization’s needs.
• Designed to complement, not replace, an
organization's cybersecurity program and risk
management processes.
7

8. • ISO 27000 Series
• CObIT 5
• NIST SP 800 Series
• HITRUST v9
Usable Cybersecurity Frameworks
(most popular of the more than 200 available)
8
HITURST
CSFcontains 149 security and privacy controls parsed
amongst 46 control objectives within 14 broad control
categories

9. 9
Choose a Suitable Framework Wisely

10. Choose a Framework (one or more) –
The Only Bad Choice is No Choice!
10

11. High-level HITRUST and NIST CSF Comparison
HITRUST NIST
Purpose A scalable, prescriptive and certifiable
framework specific created in response to
multiple compliance requirements, many of
which are subject to interpretation
In response to the President’s Executive Order
13636, Improving Critical Infrastructure
Cybersecurity (2013). It’s a framework – based on
existing standards, guidelines, and practices - for
reducing cyber risks to critical infrastructure
Industry Healthcare-specific Applies broadly across multiple industries
Objective A framework that can be leveraged to
communicate, compare and benchmark
cybersecurity AND can be used for
certification
A framework that can be leveraged to
communicate, compare, and benchmark cyber
security
Illustrative
Sources
ISO, HIPAA, NIST, CMS, MARS-E, IRS, PCI,
CSA-CCM, state laws, etc.
COBIT, NIST, ISA, CCS, ISO, HIPAA (new)
11

12. HITRUST CSF and NIST CsF
• HITRUST CSF and NIST CsF
are complementary
frameworks
• While an organization can
leverage either frameworks
on its own, there is value in
• Leveraging HITRUST as the HPH
standard and
• Using the NIST CsF being the
mechanism to communicate
maturity and comparison
between industries
12

13. 13
Comparison of ISO, NIST, and HITRUST
Footnotes on next page (published by HITRUST in 2014)

14. Implementation Advice
• Allow for flexibility in implementation and bring in concepts of
maturity models
• Reflect how your organization will implement core functions and
manage its risk
• Be progressive, building on previous tiers
• Define the characteristics at the organization level and determine
how a category will be implemented
14

15. Get the Board Involved
• Audit and Compliance Committee
• IT Subcommittee of the Board
• Finance Committee
15
but not too involved…

16. Keep the Reporting Simple But Consistent…
• Use terms that Board members can understand
• Should be easy enough to understand without explanations
• Provide the explanations
• Propose a model and get the Chair’s endorsement
• Use terms broad enough to accommodate evolving needs
• Avoid the temptation to change
• Use graphs and iconography that work in color and black & white
16

17. • Communicate, but test for comprehension at every step with every
stakeholder group
• Plan and ADJUST
• Clarify Roles and ADJUST
• Eliminate Ambiguity and ADJUST
• Embrace Accountability
• Execute and ADJUST
• Continue Praying
Be Deliberate
17
and ADJUST

18. Individual/Body CIO CMIO ISGC
Task
Support Implementation of EHR R A I
Engage physicians in information system selection/development A R C
Manage vendors R C I
Negotiate contracts R C I
Design clinical systems/review clinical processes C R I
Build clinical systems/change workflow processes R C I
Test clinical systems/workflow changes R C I
Validate (testing with users) clinical systems/workflow changes C R I
Develop training curriculum (design education tools and content) I R I
Deploy training (deliver education) R C I
Select end-user devices C R I
Govern Information Management activities A C R
Participate in Executive Leadership R I C
Report to the Institutional Board R C I
Participate in HIE activities C C R
Responsible for performance of task
Assists responsible person, may do bulk of work
Consulted - opinions are sought
Informed - kept up-to-date on progress
RACI Matrix for CIO, CMIO, and IS Governance Council (ISGC)
mm/dd/yyyy
Role Clarification and Responsibility is
Essential – RACI Diagram
18

19. • Many positive advances are occurring in healthcare cybersecurity
practices.
• Cybersecurity professionals have more resources and budget
available to help ensure that their organizations stay ahead of the
threats.
• Cybersecurity professionals feel empowered to drive change in
healthcare organizations
19
2019 HIMSS CYBERSECURITY SURVEY

20. 20
It’s critical to create a culture of privacy and security.

21. Thank You!
21