Cyber Risk in Healthcare Industry- Are you Protected?

MAJOR CYBER ATTACKS IN HEALTHCARE INDUSTRY
Copyright 2017 by EC-Council. All Rights Reserved. Reproduction is Strictly
Prohibited. Compliant Resilient Competitive
AvMed, Inc.
1,2 M victims
2009, U.S.
BlueCross
BlueShield of Tennessee
1 M victims
2009, U.S.
North Bronx
Healthcare Network
1,7 M victims
2010, U.S.
The Nemours
Foundation
1 M victims
2011, U.S.
TRICARE
Management
Activity
4,9 M victims
2011, U.S.
Health Net, Inc.
1,9 M victims
2011, U.S.
Advocate
Medical Group
4 M victims
2013, U.S.
Community Health
Systems
4,5 M victims
2014, U.S.
Anthem, Inc.
80 M victims
2015, U.S.
Banner Health
3,62 M victims
2016, U.S.
Newkirk Products
Inc
3,47 M victims
2016, U.S.
21 Century
Oncology Holdings
2,21 M victims
2016, U.S.
More than 150,000*
victims of cyber
breaches in healthcare
sector in January 2017,
U.S. (*HHS)
25 breaches affecting
500+ individuals were
recorded by HHS in
January 2017 in U.S.

Partnering With
EC-Council
World’s Largest Cyber Security Consulting, Professional Training &
Certification Body

CYBER RISK IN HEALTHCARE INDUSTRY
is an estimated cost for cyberattacks against
hospitals, clinics and doctors in the U.S. healthcare
industry (Ponemon Institute).
$6
billion
$200-400
83%
It has already been two years since hackers shifted their main focus from BFSI
sector to healthcare industry aggressively targeting hospitals all over the world,
while U.S. is experiencing the most severe threat.
The FBI warned
the healthcare industry
that cyber-criminals would be
directing more attention
their way.
News.security-intelligence,
2015
Copyright 2017 by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Compliant Resilient Competitive
of recorded breaches in 2016 were in the medical and
healthcare industries (Identity Theft Resource Center).
6
The healthcare sector
is the most vulnerable
industry to cyber-attacks
and data breaches.
ICO, Data security incident
trends, 2016
of the U.S. population (143+ M people) have become
victims of cyber breaches in healthcare industry in 5 years
(U.S. Department of Health and Human Services, 2015).
45%
per one record (client profile) is an estimates cost to
remediate a healthcare breach (Vasco).

• Inability to operate
• Financial losses
• Damage to reputation
3. SYSTEMS’ BREAKDOWN
• Health risk
• Identity theft
• Financial fraud
2. UNAUTHORISED CHANGES IN DATA BASES
OUTCOME OF CYBER ATTACKS IN HEALTHCARE INDUSTRY
1. LOSS OF CUSTOMERS’ DATA
(Security number, insurance ID, credit card
number, passport, address, biometric data,
medical history, etc.)
FOR HOSPITALS:FOR PATIENTS:
65%
of people would avoid
healthcare provides that
experience a data breach.
Among adults below 35 years
the statistic is 73%.
(TransUnionHealthcare, 2015)
It is a primary responsibility of
the management to prevent
the industry from cyber breaches
and to protect its patients from
physical, financial and mental
damages caused
by cyber attacks.
(Cancelled operations, outpatient appointments
and diagnostic procedures, etc.)
(Prescription of wrong medications and treatments, etc.)

HEALTHCARE DATA BREACHES - IMPACT
~90% of healthcare organizations had a data
breach in the past 2 years according to Ponemon’s
research.
45% of them had more than 5 data breaches.
(Ponemon Institute LLC Ponemon Institute
Research Report. Sixth Annual Benchmark Study
on Privacy & Security of Healthcare Data, 2016).
$3,7M
$1,1M
$0,9M
$0,6M
$0,6M
$0,5M
$0,4M
Lost brand
value
Breach
notification
Forensics
Lawsuits
HIPPA
settlement
fine
Lost revenue
Post-breach
clean-up
AVERAGE COSTS OF A DATA BREACH
IN THE U.S. HEALTHCARE INDUSRTY*
*Protenus ‘Cost of a Breach: A Business Case for Proactive Privacy Analytics”

WHERE CYBER RISKS LIE FOR HEALTHCARE INDUSTRY
9
SaaS
Insider
Threats
Data
Bases
File
Server
Compliance
Patient Data
Applications
Network IntrusionSocial Engineering
Unauthorized Access
Espionage
Malware
Phishing Attacks
Ransomware
Network Attack
Hospital

The healthcare industry is holding
the #1 spot in a lack of qualified
cyber security professionals.
Job Market Intelligence:
Cybersecurity Jobs, 2015
Ensuring that the healthcare C-suites have necessary cybersecurity skills is the
only way to create a strong data security approach. It is vital for a healthcare
provider to maintain cyber security awareness and most up-to-date cyber
security skills among all employees.
Last year the Department of
Health and Human Services
awarded $87 million to 1,310
health centers across the U.S. to
upgrade their IT systems and
cyber security skills.
13
of healthcare providers have no human resources dedicated
to cyber security (Healthcare Information & Management
Systems Society, 2016).
58%
‘’There is a rising demand for
cybersecurity professionals with
skills pertinent to healthcare’’
(Healthcare-informatics.com, 2015).
‘’A cybersecurity skills shortage
may eventually affect the healthcare
industry’’ (McAfee’s Hacking the
Skills Shortage, 2016).
CYBER SECURITY SKILL GAP IN THE HEALTHCARE SECTOR

Cyber Security
Awareness,
Upskilling and
Training
Compliance with
Regulations
(HIPPA and PCI)
Coverage of Cyber
Security Gaps in the
Infrastructure
Cyber Security
Risk Assessment
EC-COUNCIL APPROACH FOR HEALTHCARE INDUSTRIES

WE BUILD CORE HANDS-ON ON INFORMATION SECURITY
SKILLS FOR ALL LEVELS AND DEPARTMENTS
Copyright 2017 by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Compliant Resilient Competitive
CyberSecurityexperience,knowledgeandskills
For Information security Officers,
Information Security Decision Makers
For various specialties, Computer Forensics, Pen
Testing, Mobile Forensics
For Information Security Officers, Pen Testers, Information
System Security Auditors, Information Security Auditors,
Incidents Handlers, Persons responsible for defending
systems, networks and application
For various specialties, Forensics Investigators,
Incident Handlers, Disaster Recovery Professional
For Network Administrator, Network Engineer, CND
Analyst, Network Defense Technician, Network Security
Analyst, Security Operators, anyone who is in network
operations
For end-users: anyone who uses the
Internet extensively to work

EC-Council Global Services (EGS) is the
consultation arm of the EC-Council
Group.
• EGS is an advisory firm that provides
customized and tailored solutions to
complex challenges in Corporate
Information Security.
• EGS is vendor-agnostic and
technology-solutions market
independent entity.
• EGS is based in Malaysia and has
an outstanding local team supported
globally.
IDENTIFY
1.Cyber
Security Posture
Assessment
2.Security
Strategy and
Transformation
3.Vendor Risk
Management
PROTECT
IT Governance
IT Risk
Assessment
ISO 27001
Advisory
PCI-DSS
Advisory
Managed
Security
Services
Identity &
Access
Management
Training
Data Privacy
DETECT
Vulnerability
Assessment &
Penetration
Testing
Secure Code
Review
Secure
Software
Development
Lifecycle
Cloud Security
Software
License
Compliance
Revenue
Assurance
RESPOND
Security
Incident and
Event
Management
(SIEM)
Security
Operations
(SOC)
RECOVER
Business
Continuity
Management
Disaster
Recovery
Planning
Forensics
Services
OUR INFORMATION SECURITY CONSULTING AND
ADVISORY SERVICES

HIPAA SECURITY AND PRIVACY
 HIPAA is the Health Insurance Portability and Accountability
Act, a federal law that…
• Protects the privacy of a patient’s personal and health
information (PII & PHI)
• Provides for electronic and physical security of personal and
health information
• Simplifies billing and other transactions
 Covered entities must protect an individual’s personal and
health information that:
• Is created, kept, filed, used or shared
• Is written, spoken, or electronic
EC-COUNCIL’S DETAILED
HIPAA METHODOLGY AND
OFFERING IS PROVIDED IN
APPENDIX A TOWARDS THE
END OF THE DOCUMENT

ABOUT
EC-COUNCIL
World’s Largest Cyber Security Consulting, Professional Training &
Certification Body

ICECC
International Council of E-Commerce
Consultants
EC-Council Group
ECCU
EC-Council University
Division of Academic Education
ECC
EC-Council Training & Certification
Division of Professional Workforce Development
EGS
EC-Council Global Services
Division of Corporate Consulting & Advisory
Services
EGE
EC-Council Global Events
Division of Conferences, Forums, Summits,
Workshops & Industry Awards
ECF
EC-Council Foundation
Non-Profit Organization for Cyber Security
Awareness Increase.
16+ YEARS EXPERIENCE
40+ TRAINING & CERTIFICATION PROGRAMS
145+ COUNTRIES
350+ SUBJECT MATTER EXPERTS
700+ TRAINING PARTNERS WORLDWIDE
3000 TOOLS & TECHNOLOGIES
150,000 CERTIFIED MEMBERS
EC-Council is known as
worlds’ largest technical
certification body. It is also
famous for being a creator of
Certified Ethical Hacker and
LPT standards.
Some of the finest
organizations around the
world such as the U.S. Army,
U.S. Navy, DoD, the FBI,
Microsoft, IBM, and the United
Nations have trusted ECC to
develop and advance their
security infrastructure.
WE ARE
INFORMATION
SECURITY
EC-COUNCIL AT A GLANCE
WE WROTE
THE STANDARDS
Compliant Resilient CompetitiveCopyright 2017 by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Critical Information Security
Skill Development Solutions

WE BUILD CORE HANDS-ON ON INFORMATION
SECURITY SKILLS FOR ALL LEVELS AND DEPARTMENTS
• Often 70% Of An Organization's InfoSec Challenges Are Addressed By Just Investing In Upskilling
Their Staff With The Information Security Hands-on Skills.

EC-Council HIPAA Offering
Appendix A

HEALTHCARE BUSINESS CONCERNS
1. Protect patient records
2. Maintain compliance with HIPAA standards for retention, recoverability & security
3. Healthcare data is stored in cloud hosted SaaS solutions
4. Secure Communication about patient information
5. Business partner/vendor integration
6. Protect employee healthcare records
7. Provide training to employees
8. Avoid fines from the government
9. Maintain brand and reputation
10. Minimize customer loss

WHY HIPAA STANDARDS?
 Collaboration
Engage with business partners, suppliers, and customers
 Speed
Deploy faster by integrating with existing systems
 Agility
Adapt to changing business needs faster
 Accessibility
Data available and useable today, tomorrow,
years from now
 Cost
Reduce acquisition and operating costs
 Protection
Provide a standard level of protection around
protected health information (PHI)

HEALTHCARE – WHAT DO WE HAVE TO OFFER?
1. Training and development for IT, Risk, Compliance and Security teams.
2. HIPAA Security and Privacy Assessment
3. Hospital Physical Security Assessment
4. IT GAP Analysis
5. Employee Training
6. Data Loss Prevention
7. Policy Development
8. Healthcare Application Security Test
9. HIPAA HHS Audit Readiness Assessment

EXAMPLE USE CASES FOR DATA PROTECTION NEEDS
 Accounting departments needs to:
Share encrypted files with customers
 Legal departments needs to:
Block all staff from saving data to USB flash drives
Share encrypted data on CDs / DVDs
Shared cloud storage
 Retail organizations needs to:
Block unauthorized software from work computers
Prevent all data from being transferred via any port or
connection to customers over insecure channels
 Hospitals needs to:
Allow select usage of doctors’ smartphones
Log all data exchanged between devices and hospital network for compliance

WHERE IS YOUR CORPORATE PROTECTED DATA?
 Convenience and storage
USB flash drives, CDs, DVDs, Bluetooth-enabled devices, etc.
Devices used for transferring and storage of data, music, pictures, etc.
Everything is kept in email
 More mobile data, more data to lose
Users retain everything by default
Users transfer data between endpoint devices and corporate network
Mobility increases risk of theft and accidental loss of data
 Prevent a data breach
Monitor and enforce data loss prevention on removable media, mobile disks
and connections
Control device usage and log activity

COMPLIANCE: HISTORICALLY COSTLY & DIFFICULT
TO IMPLEMENT
 Enforcement
Policy compliance required manual user &
administrator intervention
 User Training
New deployments required additional training due
to significant user impact
 Administrative Burden
Differing management interfaces & demands for
enrollment administration
 Patch Management
Each application creates an additional patch
burden when updated
 Mobile / Online applications
Each application is a point solution without
common administration & policy
 Integration
Lack of common integration & configuration
with existing infrastructure

DATA PROTECTION IMPLEMENTATION CHALLENGES
 Corporate access to data
Employee dismissal cannot result in data loss
 Central deployment, management, & updates
How can thousands of distributed users be tracked and managed?
Software installation can be uncontrolled
 Initial & ongoing management cost
Constrained by existing IT resources
Can compliance grow with the business?
 User experience
What additional user processes are required?
Cannot rely on users to make security decisions
Non-disruptive implementation is essential

HIPAA SECURITY ASSESSMENTS
POLICY AND PROCESS
(Security Posture Creation)
ASSESSMENT
(Security Posture Maintenance)
SECURITY POLICY DEVELOPMENT VULNERABILITY
SECURITY STRATEGY
GAP ANALYSIS
(Where you are vs. Where you need to be)
TEMPORARY CSO
AUDIT & COMPLIANCE
(HIPPA, PCI, SOX, etc.)
ROADMAP STRATEGY WEB APPLICATION
EMPLOYEE AWARENESS TRAINING SUPPLIER SECURITY

QUESTIONS FOR YOUR HOSPITAL OR CLINIC
 Security architecture
Can the compliance framework provide an encryption
platform that can expand to accommodate additional
applications?
 Comprehensive protection
Can the compliance solution comprehensively protect
sensitive data without tremendous administrative overhead
or changes to user behavior?
 Security management
Can the compliance framework be efficiently managed by
using an integrated management processes?
 Application risk
What other applications / products will need to be installed /
deployed as part of the total enterprise framework strategy?

DO YOU NEED TO INVEST IN INFORMATION SECURITY
TRAINING, CONSULTING AND ADVISORY
 Does the organization allow removable devices such as CDs, USB drives, etc.?
 Is there a corporate policy on information security and HIPAA Privacy and Security?
 Do you want to keep track of where and how confidential data is transferred onto portable
media?
 Do you have a lot of users who work offline / are disconnected from the corporate
network?
 How do you protect data within/leaving your enterprise (laptops, email, servers, mobile)?
 What are the consequences if data is stolen or compromised?
Company brand damage?
Lost customers?
Regulatory fines?
 How do you control access to information based on the different roles within the
organization, for example across-departments, with contractors, etc?

CONTACT US
MARK MERRILL
Executive Sales & Business Development
| Global Services
EC-Council Global Services:
An EC-Council Division
markm@altselli.com
Web:
http://www.eccouncil.org
http://www.eccgs.com
US Cell : +1.(817).821.4200

Cyber Risk in Healthcare Industry- Are you Protected?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Cyber Risk in Healthcare Industry- Are you Protected?

Similar to Cyber Risk in Healthcare Industry- Are you Protected? (20)

Recently uploaded

Recently uploaded (20)

Cyber Risk in Healthcare Industry- Are you Protected?