DD
Uploaded byDan L. Dodson
221 views

Fortified Health Security - Horizon Report 2016

The document summarizes key cybersecurity issues facing the healthcare industry in 2016, as outlined in the Fortified Health Security Horizon Report. Three main points: 1) Ransomware attacks increased significantly in 2016, disrupting hospital operations and patient care. High-profile attacks on Hollywood Presbyterian Medical Center and MedStar Health highlighted the risks. 2) The Office for Civil Rights (OCR) increased its focus on HIPAA compliance in 2016 through expanded audits including business associates, investigations of smaller breaches, and unprecedented financial penalties totaling over $22.8 million, double the number of 2015 settlements. 3) Effective prevention of threats like ransomware requires a comprehensive "defense in depth"

Embed presentation

Download to read offline
Horizon Report THE STATE OF CYBERSECURITY IN HEALTHCARE fortifiedhealthsecurity.com | 615-600-4002 | 2555 Meridian Blvd Suite 250, Franklin, TN 37067
FROM COMPLIANCE TO CONFIDENCE II FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 President’s Message So far, 2016 has proved to be a very challenging environment for healthcare leaders when it comes to safeguarding sensitive patient data. Cybersecurity threats and malicious actors continued to wreak havoc across the spectrum of healthcare organizations. The number of hacking incidents in healthcare has trended upward over the last few years as adversaries have followed opportunity. It has become blatantly obvious that malicious actors have turned their focus away from the historically lucrative arenas like the financial industry and have been aggressively targeting healthcare data. But why? There are three main drivers: 1. First, healthcare providers are now digitized. The 2009 HITECH Act successfully spurred a tidal wave of electronic health record (EHR) implementations which significantly increased the amount of personal health information that is now digital. The speed to implement EHRs nationwide consumed most IT departments’ capital budgets and made it almost impossible for healthcare organizations to adequately protect electronic patient data at the same speed as the advancement in their environments. Many organizations now find themselves playing catch-up as it pertains to implementing a security program that addresses the technical and human aspects of protecting patient data. 2. Second,adversariesnowrealizethathealthcarenetworksareexploitablebecausetheytendtobelesssophisticated and are easier to compromise. 3. Third, medical records are reportedly defined as the most rewarding source of personal information because the information tends to be more complete, encompassing everything from medical insurance numbers to credit card numbers. The market value of medical information is worth 10 times more than credit card data on the black market (1). Due to the comprehensive nature of these records, they can be wielded in many forms from false tax returns to Medicare claims to patient misrepresentations. The bottom line is that bad actors are more focused on exploiting sensitive healthcare data than ever before. In turn, organizations need to take a depth and breadth approach to managing their cybersecurity posture. This year, the healthcare industry experienced an increase in the number of successful cyber-attacks on providers and a heightened focus on compliance from OCR. Couple this with the prevalence of ransomware, as well as tackling Business Associate risk, many leaders find themselves looking for a silver bullet. With no simple fix to this complex problem, it will take collaboration, investment and a comprehensive, ongoing approach to managing cybersecurity risk organization-wide in order to meet the rising challenge. Managing cyber risk is complicated, but it is most effective when led from the top, well-planned, and supported by data. Be the champion within your own organization and push to elevate the discussion of managing cybersecurity risk. My hope is that the Horizon Report builds awareness about threats and provides you valuable insight. We welcome your feedback and perspectives at horizonreport@fortifiedhealthsecurity.com. Enjoy. Regards, Dan L. Dodson (1) Source: Reuters — http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 “It’s no secret that healthcare is slow to embrace change. That slow pace of innovation means the industry is dangerously behind on understanding and mitigating risk.”
FROM COMPLIANCE TO CONFIDENCE III FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 2016 Year in Review While the industry has taken some positive steps as it pertains to safeguarding electronic Personal Health Information (ePHI), our adversaries have matured their tactics, held some of us ransom, and continued to exploit our environments throughout the past year. In just the first 10 months of 2016, the number of entities reporting major breaches caused by hacking has already increased 51% over the full year 2015. This has been a trend since 2012 and will likely continue. This is according to the “wall of shame” breach data kept by the Office of Civil Rights (OCR) which requires covered entities and business associates to report breaches containing unsecured protected health information affecting 500 or more individuals. On a positive note, the implementation of cybersecurity educational programs over the past few years by healthcare organizations has increased awareness and led to the reduction in the number of breaches caused by theft. For the third year in a row, the number of entities compromised due to theft has decreased. This year, only 18% of major breaches were caused by theft — down from an all-time high of 83% in 2009. 0 20 40 60 80 20162015201420132012201120102009 297K 900K 238K 1.7M 111.8M INDIVIDUALS AFFECTED 11.4M 92K “In just the first 10 months of 2016, the number of major breaches caused by hacking has already increased 51% over the full year 2015. This has been a trend since 2012 and will likely continue.” “For the third year in a row, the number of entities compromised due to theft has decreased.” PERCENTOFMAJORBREACHES THEFTASPERCENTOFINCIDENCES OF TOTAL INCIDENCES WERE THEFT 18%30% 38% 47% 57% 60% 66% 83% 0 20 40 60 80 100 20162015201420132012201120102009
FROM COMPLIANCE TO CONFIDENCE IV FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 While this is a step in the right direction, educational efforts for healthcare personnel must be enhanced as ransomware attacks increased in size and scope in 2016. These attacks provide external avenues for hackers to penetrate the network and perimeter defenses of healthcare organizations. In many cases, through phishing, hackers gain credentialed access to the organization’s sensitive patient data assets and subsequently encrypt and ransom data for money. Additionally, hackers have access to sophisticated scanning software that allows them to uncover vulnerabilities that may exist in an organization’s externally-facing web services. As an example, a simple SQL injection vulnerability found on an organization’s website may provide entry — and ultimately access — to the organization’s enterprise and patient data assets. Many organizations are identifying these potential vulnerabilities and evaluating their exploitability through advanced penetration testing in an effort to enhance their security posture. Beyond the increased threat of attacks, there were a number of relevant security issues that manifested themselves in 2016, including: The increased threat of ransomware More significant financial settlements with OCR than ever before A heightened focus on managing third-party risk Simple vulnerabilities may provide entry — and ultimately access — to the organization’s enterprise and patient data assets. Many organizations are identifying the exploitability of potential vulnerabilities through advanced penetration testing. “Many organizations are identifying these potential vulnerabilities and evaluating their exploitability through advanced penetration testing in an effort to enhance their security posture.”
FROM COMPLIANCE TO CONFIDENCE V FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 The Evolution of Ransomware The calendar pages of 2016 had just started to turn when ransomware made headlines across the country as hackers held hospital patient information hostage in hopes of big payments. This doesn’t represent a new approach to hacking, but the volume and severity of ransomware attacks in healthcare led us to label 2016 “The Year of the Ransom.”
FROM COMPLIANCE TO CONFIDENCE VI FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 THE ORIGINS OF RANSOMWARE But where did ransomware come from? Most believe that it is a new attack method, but ransomware has a long and storied past. The first known ransomware was the 1989 “AIDS” Trojan (also known as “PC Cyborg”) written by Joseph Popp. Basically, victims would receive a floppy disk (remember those?) labeled “AIDS Information Introductory Diskette” and, while booting, the malicious software would hide directories and encrypt the files on the C-drive. There was a pretty significant lull in activity until 2005 when a new type of ransomware was utilized: Misleading Apps. This malware exaggerated the impact of issues on the computer and required payment to “fix” the issues within the infected system. The evolution continued in 2008 when “Fake Anti-Virus” software was introduced; it would run fake scans claiming to find large numbers of threats and security issues on the computer. In 2011, we began to see “Locker” ransomware which would disable access and control of the computer, effectively locking up the computer from use. Today, we are seeing what most people recognize as ransomware: Crypto-ransomware. This is what we’ve seen in the news when the malware encrypts local and network file shares and databases. METHODS OF RESPONDING The total number of ransomware attacks is largely unknown because many go unreported or only interrupt the functionality of a few devices. However, the potential implication of these attacks are very severe and, in some instances, take heath systems offline for extended periods of time. Without effective controls and a sufficient backup program, you may be forced to pay. That was the case in February for Hollywood Presbyterian Medical Center when it was forced to pay $17,000 after a ransomware attack took the hospital offline for 10 days. The most unique part of this event was that they went public with the news. This immediately struck fear in the minds of healthcare executives, board members and patients across the country. It was less than a month later when MedStar, a health network of 10 Maryland hospitals, was struck by ransomware and required to move to downtime procedures consisting of paper orders and such while their IT environment was cleansed and restored. This incident reportedly forced MedStar to turn away patients and send them to neighboring facilities. The difference here is that MedStar did not pay the ransom but leveraged backups to restore their systems. “Without effective controls and a sufficient backup program, you may be forced to pay.” 1989 2005 2008 2011 TODAY Floppy Disk Trojan Misleading Apps Fake Anti-Virus Locker Ransomware Crypto-Ransomware
FROM COMPLIANCE TO CONFIDENCE VII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 These two events played out in the public media but there are many other examples that didn’t hit headlines. Ransomware represents enormous risk to healthcare organizations because operations and patient care can be greatly impacted. This led the HHS Office for Civil Rights (OCR) to provide additional guidance in July of 2016. Specifically, OCR brought clarity to the question often asked by many Covered Entities and Business Associates: “If our organization is hit with ransomware, is the event considered a breach under HIPAA Rules?” (2) (3) OCR’s guidance is that a fact-specific determination must be made but, unless the CE or BA can demonstrate there is a “low probability that PHI has been compromised,” a breach of PHI is presumed to have occurred. In this event, the entity must comply with current breach notification protocols. This clarification by OCR was significant as it will likely prove to be difficult for most healthcare organizations to demonstrate “low probability” in the event they are breached via ransomware. BEST PRACTICES There are number of best practices that your organization should consider as it pertains to ransomware. The first step is for your entire organization to understand that this is more than an IT problem, so your plan must encompass every employee at your organization. The bottom line is Defense in Depth. The best prevention is taking proactive security measures around people, process and technology. As the greatest risk to an organization, the people aspect must be strictly focused on through an engaging and continuous security and awareness training program. The program should be metrics- based to ensure the program’s effectiveness can be measured and managed to drive results. Conducting regular phishing exercises is a cost effective way to measure the success of your program. As for process, every organization should create and test an effective disaster recovery, business continuity, incident response and breach notification program. Remember: Backups, Backups, Backups! The key here is to test these programs and plans proactively. The first time cross-functional teams meet should not be directly after the attack when it is time to act quickly. We have found that tabletop exercises are an effective method for testing the completeness of RANSOMWARE BEST PRACTICES: • Address ransomware across the entire organization • Implement proactive security measures around People, Process and Technology • Develop a metrics-based awareness training program • Create and test a disaster recovery, business continuity, incident response and breach notification program • Backups, backups, backups! • Don’t under-invest in managing technical point solutions Sources (1) http://www.hhs.gov/blog/2016/07/11/ your-money-or-your-phi.html (2) http://www.hhs.gov/sites/default/files/ RansomwareFactSheet.pdf “The best prevention is taking proactive security measures around people, process and technology.”
FROM COMPLIANCE TO CONFIDENCE VIII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 these programs. Additionally, organizations should perform regular penetration testing, vulnerability assessments and maintain a comprehensive patch management program. To complete the depth and breadth approach, multiple technologies should be considered including Security Information & Event Monitoring (SIEM), Intrusion Prevention System/Intrusion Detection System, SPAM/Email Filters, Web Content Filters, Anti-Virus/Anti-Malware, NextGen Firewalls, Data Loss Prevention (DLP) and Vulnerability Scanning. Remember that many of these advanced technical solutions will require a level of expertise within your IT department, as many require configurations, monitoring, and ongoing management. You may end up disappointed if you don’t adequately support these technical solutions because your perceived value will end up much higher than the actual value to your security posture post-implementation. Simply put: buying technology is half the journey; don’t under-invest in managing your technical point solutions over time. OCR Update TheOfficeforCivilRights(OCR)madethreemajormovesin2016thataffectedhealthcareorganizations significantly, which included launching new audit protocol, levying the most settlements ever, and increasing focus on Business Associates. 1. Launched New Audit Protocol First, OCR began round two of their audit protocol in 2016 which expands their scope to include Business Associates (BAs) along with Covered Entities (CEs). As part of the program, OCR announced that it would dedicate more resources to investigate breaches of 500 records or fewer. Although in steep contrast to their previous work plan, OCR has, at times, investigated these types of breaches but only in unique cases and as resources permitted. This new direction is to encourage covered entities to take action addressing non-compliance with the HIPAA Security and Privacy Rules regardless of the size of the breach. OCR has already levied fines against organizations with a breach of fewer than 500 records. In June of 2016, the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 in fines after a CHCS portable device with 412 patient records was stolen. A more sizable settlement was levied against the Triple-S Management Corporation in November of 2015. Triple-S has agreed to settle potential violations of the HIPAA Privacy and Security Rules in the sum of $3.5 million. OCR initiated investigations after receiving multiple breach notifications from Triple-S involving unsecured protected health information (PHI). “Simply put: buying technology is half the journey; don’t under- invest in managing your technical point solutions over time.”
FROM COMPLIANCE TO CONFIDENCE IX FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 2. Levied Unprecedented Number of Settlements Second, OCR has made more HIPAA violation settlements thus far in 2016 than any other year since 2009, totaling more financial penalties than the last four years combined. So far in 2016, 12 organizations have been penalized over $22.8 million dollars for HIPAA violations by the Office of Civil Rights (OCR). This is double the number of settlements reached in 2015 and a 268% increase in financial penalties over last year. This includes the largest settlement ever of $5.5 million whereby Advocate Health System agreed to a settle HIPAA violation claims related to three data breaches that occurred in 2013. We expect the level of oversight and severity of penalties to continue to rise over the next few years. Confirming this notion, OCR has stepped up their audit program and levied fines for smaller breaches. 3. Increased Focus on Business Associates Third, the lines of responsibility between Covered Entities (CE) and Business Associates (BA) continue to blur in the eyes of OCR. Or, at a minimum, if CEs don’t manage BA risk appropriately, they may face financial penalties in the event that their data is breached at one of their BAs. In March of 2016, there was a major settlement between OCR and North Memorial Health Care because they failed to implement a Business Associate Agreement with a major contractor. Furthermore, they failed to institute an organization-wide risk analysis program to address risks and vulnerabilities to protect patient information. This marked the first major incident whereby a covered entity faced significant financial penalties along with significant remediation requirements because of the actions of a business associate. A laptop was stolen from the car of a North Memorial Health Care BA employee’s car which contained 289,904 patient records and, due to their current business associate management process, they were forced to settle with OCR. This underscores the importance of business associate management. This risk is intensifying as Business Associates were responsible for 25% of the total number of individuals impacted by a reported breach year to date. Financial penalties coupled with the increase in attacks on BAs is a compelling reason for healthcare organizations to formally assess, audit and manage them more comprehensively. Business associate management is a critical element of any robust cybersecurity management program and will likely garner more attention in the coming years. It will come as no surprise to you that 2016 marked another year of vicious attacks. As healthcare leaders, we must balance fighting these adversaries through advanced technical solutions with educating our employee populations about cyber responsibility — all while maintaining an already strapped IT budget. The first step in building a successful cybersecurity risk management program is to elevate the discussion beyond IT to include every facet of the organization including the hospital board. The most successful organizations leverage data to drive these discussions, build the right case and demonstrate the importance of cyber risk. This often starts with an understanding of the overall significance of the threats facing your organization and analyzing the breach data which we will break down in the next section. “As healthcare leaders, we must balance fighting these adversaries through advanced technical solutions with educating our employee populations about cyber responsibility — all while maintaining an already strapped IT budget.”
FROM COMPLIANCE TO CONFIDENCE X FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 2016 Breach Data Review The state of cybersecurity and the anatomy of a breach in the healthcare industry has changed. Long gone are days when the primary driver of breaches was an employee mistakenly sending a file with hundreds or thousands of patient records to their personal email, or a laptop being stolen out of the back of a car. The landscape has changed. The industry has changed. The disclosure vectors have changed and the outlook is much more direct and detrimental. Breaches are deliberate and calculated. As of October 2016, a total of 256 entities had experienced a large breach this year, which is on pace to surpass the 270 breaches experienced in 2015. So far, a total of 14,401,029 patient health records have been compromised.
FROM COMPLIANCE TO CONFIDENCE XI FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 According to the OCR breach data, the number of entities that experienced a Hacking or Unauthorized Disclosure incident has trended upwards 406% and 304% respectively since 2011. Theft or loss as the cause of breach has trended downwards significantly with a decrease of 57% during the same time period. This data validates that, although awareness has risen, which has reduced theft or loss, the overall industry still has significant exposure to potential breaches. Healthcare has been targeted and breached more in the last two years than it is has since OCR began reporting data in 2009. This is alarming because our industry has been slow to implement industry-leading security technologies and effectively engage staff as well as senior management. We are now seeing the fallout of years of neglect — but there is light at the end of the tunnel. Historically, the majority of breaches were the result of inadvertent user error, whereas today we see the opposite. Loss, Theft or Improper Disposal represents 11% of all impacted individuals in 2016, down from an all-time high of 84% in 2010. 14.4M INDIVIDUALS AFFECTED 113.2M 12.7M 6.9M 2.8M 13.1M5.5M 134K 0 50 100 150 200 250 300 350 Other Improper Disposal Loss or Theft Unauthorized Access/Disclosure Hacking 20162015201420132012201120102009 2009 2010 2011 2012 2013 2014 2015 2016 62% 38% 11% 1% 6% 1% 10% 16% 3% 3% 3% 1% 11% 15% 15% 2% 3% 2% 32%84% 88% 14% 98% 79% 24% 59% 82% 37% Other Unauthorized Access/Disclosure Loss, Theft, Improper Disposal Hacking PERCENTOFINDIVIDUALSIMPACTED BYTYPEOFBREACHTOTALENTITIESINVOLVED INABREACH
FROM COMPLIANCE TO CONFIDENCE XII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 The healthcare industry has done an impressive job improving its employee training to address the controllable human element of employees not understanding the impacts of mishandling or negligent handling of ePHI. The problem has now become a matter of lack of security tools, technologies and technical controls to combat the constant barrage of attacks and social engineering attempts. Healthcare organizations need to augment their normal security training that covers proper handling of ePHI to also address the nuisances of phishing, vishing and ransomware. Employees need to understand that their actions — even when not handling sensitive information — can result in a breach. Healthcare organizations need to deploy a constant and engaging cybersecurity educational process in order to keep security and proper computing hygiene at the forefront of each employee’s mind. Healthcare providers are by far the most targeted and attacked type of healthcare entity. This is not new. Healthcare providers have experienced the highest number of breaches every year since 2009. Furthermore, we have seen increases in the number of provider organizations compromised year-over-year since 2014. In 2016, healthcare providers represented the vast majority of entities involved in a breach and affected more individuals than health plans, clearing houses and business associates combined. Almost three-fourths (73%) of individuals affected this year were exposed by a provider organization breach. Providers have experienced 205 breaches to date, representing an increase of 6% over the full year 2015. This percentage increase will likely grow by year end. “Employees need to understand that their actions — even when not handling sensitive information — can result in a breach.” “Healthcare providers have experienced the highest number of breaches every year since 2009.” PERCENT OF INDIVIDUALS AFFECTED IN 2016 NUMBER OF ENTITIES AFFECTED IN 2016 73% 2% 25% Not Reported Business Associates Heathcare Provider Heathcare Clearing House Health Plan 205 16 2 33
FROM COMPLIANCE TO CONFIDENCE XIII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 Business Associates breaches impacted 25% of the total number of individuals affected by a major breach. This is an increase from 3% in 2015 and represents a total of 16 business associates breached thus far this year. Health Plans experienced a decrease in the number of entities involved in 2016 from 62 in 2015 to 33. Given the size of the 2015 Anthem, Premera Blue Cross and Excellus breaches, with 99,800,000 patients impacted in total, Health Plans have impacted a significantly smaller number of people thus far in 2016 as compared to 2015. One trend that continued in 2016 is that a few incidences impacted the majority of individuals affected this year. For instance, 75% of records breached YTD (10,834,278) came as a result of the Top 5 breaches. CYBERSECURITY INSURANCE CLAIMS DENIED Last year, the first major breach occurred where a cybersecurity insurance company required a health system — which had an in force insurance policy at the time of an attack — to payback their insurance claim after it was determined that their underwriting application did not accurately represent their security controls. Although these events unfolded very publicly in 2015, this is a very important lesson and relevant for all healthcare organizations, as many organizations took steps in 2016 to incorporate cybersecurity insurance as part of their overall cybersecurity program. Purchasing cybersecurity insurance requires expert scrutiny as contracts are not standardized. Organizations should be careful when evaluating and selecting cyber insurance. This is certainly an area where seeking the advice of a professional insurance broker or security expert may prove to be useful. Furthermore, the criteria that your organization commits to as part of the application process must be embedded into your ongoing security management program to help ensure compliance with the policy. NAME OF COVERED ENTITY ENTITY TYPE INDIVIDUALS AFFECTED Banner Health Healthcare Provider 3,620,000 Newkirk Products, Inc. Healthcare Provider 3,466,120 21st Century Oncology Healthcare Provider 2,213,597 Valley Anesthesiology and Pain Consultants Healthcare Provider 882,590 Bon Secours Health System Incorporated Healthcare Provider 651,971
FROM COMPLIANCE TO CONFIDENCE XIV FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 Cybersecurity 2017 Outlook Many entities will evolve next year while others will continue to deprioritize cybersecurity. This is a mistake, given what is on the horizon for next year. We predict healthcare organizations can expect the following next year: • Double-Digit Increase in Breaches: As hackers become more advanced and better equipped, healthcare organizations will experience a 10-15% increase in the number of cybersecurity breaches in 2017. Ransomware attacks will increase. • Boards Will Keep Their Heads in the Sand and Hope for the Best: Some healthcare organization boards have already begun managing cybersecurity risk in the same manner as other business risks. Unfortunately, they often become engaged in cybersecurity risk management after a significant event. With that said, we predict that many Boards will be content to retain a reactive posture in dealing with cybersecurity concerns. The results will be costly. • Increase in Civil Litigation: Significant pressure from civil litigation, due to the breach of ePHI, using federal regulations, HIPAA/HITECH, as a standard of due care will be seen in 2017. Healthcare and cybersecurity are massive economic growth sectors, drawing the attention of both consumers and attorneys as litigation targets. As consumers have become more regulation-savvy and the legal lay of the land is better understood by attorneys, opportunities to file complaints will be seen exponentially increased over past years. • Budgets Won’t Be Big Enough: Given the threat landscape, we believe that most healthcare organizations will outspend their 2017 cybersecurity budgets by over 50%. Most organizations budget too little on cybersecurity and then experience overruns in an attempt to respond to emerging threats. • OCR Moves Towards a National Framework for Healthcare: The Office for Civil Rights will take steps to develop a national framework specific to the healthcare industry that is prescriptive in its requirements in order to guide CE and BA to the desired end result with regards to protecting sensitive data and ePHI. We feel that the OCR will finally adopt the HITRUST Alliance’s Common Security Framework (CSF) as the national standard or work directly the National Institute of Standards and Technology (NIST) in developing a new framework that meets the unique needs of the healthcare industry. It is time for healthcare to work to outpace cybersecurity threats. A proactive posture is a critical strategic investment. It is imperative that healthcare leaders realize that solving these problems will take the focus and strength of their entire organization. Much like long-term business goals and objectives, healthcare leaders need to develop strategic security roadmaps that will improve their posture over time. “It is imperative that healthcare leaders realize that solving these problems will take the focus and strength of their entire organization.”
FROM COMPLIANCE TO CONFIDENCE XV FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 Moving Forward So where do we go from here? Here is a list of six things you can do to increase your cybersecurity profile starting now: • EDUCATE THE BOARD Security begins and ends with executive buy-in. Invest time in making sure Boards are informed and involved in order to ensure that the appropriate resources are allocated to cybersecurity. • ENGAGE THE WHOLE ORGANIZATION Security is NOT an IT problem; it takes a village. Risk decreases as more people throughout the organization are empowered to identify and respond to threats. • CORRECTIVE ACTION PLANNING Develop and execute corrective action planning in order to remove vulnerabilities and improve overall cybersecurity posture. • MAKE SURE YOUR TECHNOLOGIES ARE WORKING IN CONCERT Be sure to leverage your investments in a comprehensive and collaborative manner that improves your efficiency and effectiveness. Make them work for you. • BE COMPLIANT WITH CYBER INSURANCE REQUIREMENTS Do not think of cyber insurance as a safety blanket. Active compliance with contractual requirements is key to a strong cybersecurity posture. • SEEK OBJECTIVE OUTSIDE PERSPECTIVES While a strong cybersecurity posture takes a village, consider input from experts outside your organization in order to contribute new perspectives on your efforts. We hope this Horizon Report starts you on your path “from compliance to confidence” as we say at Fortified Health Security. Developing a strong cybersecurity posture does take time, energy and teamwork, and we welcome your feedback and perspectives at horizonreport@fortifiedhealthsecurity.com.
FROM COMPLIANCE TO CONFIDENCE XVI FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 ABOUT FORTIFIED HEALTH SECURITY Fortified Health Security is a leader in information security, compliance and managed services, focused exclusively on helping healthcare professionals overcome operational and regulatory challenges everyday in regards to HIPAA, HITECH, and Meaningful Use. Founded in 2009, Fortified has established a heritage of excellence, compliance and innovation. Today, Fortified partners with healthcare organizations across the continuum, serving health systems, single hospital entities, physician practices, post acute providers, payors and business associates. www.fortifiedhealthsecurity.com. Ryan Patrick is a Vice President of Fortified Health Security where he focuses on increasing client security posture through driving collaboration between sales and operations teams. Prior to joining Fortified, he served as the Deputy Chief Information Officer for the New York State Division of Military and Naval Affairs and as a Director of a Security & Privacy healthcare IT consulting practice, in addition to working in the information security office for organizations such as MetLife and Memorial Sloan-Kettering Cancer Center. He currently holds an M.B.A. from Norwich University, the Certified Information Systems Security Professional (CISSP) certification and is a HITRUST Common Security Framework (CSF) certified practitioner. Dan L. Dodson is President of Fortified Health Security where he brings over 10 years’ experience in the healthcare and insurance industries — serving as both an operational leader and sales leader. Dan’s specific focus has been in aligning organizational strengths with client needs through the execution of relevant go-to-market strategies and solution development. Dan also serves as an Executive Vice President for Santa Rosa Consulting. Prior to joining Fortified, Dan was Senior Vice President at Hooper Holmes, Inc. (AMEX: HH), a company serving the health and wellness and life insurance industry. Prior to joining HH, Dan served as Global Healthcare Strategy Lead for Dell Services (formally Perot Systems) and has held numerous positions within various healthcare organizations including Covenant Health System and The Parker Group. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University. ABOUT THE AUTHORSCONTACT US TO START ON THE PATH FROM COMPLIANCE TO CONFIDENCE. For more information, visit our website at: fortifiedhealthsecurity.com INQUIRIES 1 (615) 600-4002 sales@fortifiedhealthsecurity.com OFFICE 2555 Meridian, Suite 250 Franklin, TN 37067

More Related Content

PDF
Whitepaper | Cyber resilience in the age of digital transformation
byNexon Asia Pacific
 
PDF
Websense 2013 Threat Report
byKim Jensen
 
PDF
ISTR Internet Security Threat Report 2019
by- Mark - Fullbright
 
PDF
Threatsploit Adversary Report January 2019
byBriskinfosec Technology and Consulting Pvt Ltd
 
PDF
Adjusting Your Security Controls: It’s the New Normal
byPriyanka Aash
 
PDF
2013 Threat Report
byEnvision Technology Advisors
 
PDF
Istr number 23 internet security threat repor 2018 symantec
bySoluciona Facil
 
PDF
Breach level index_report_2017_gemalto
byJonas Mercier
 
Whitepaper | Cyber resilience in the age of digital transformation
byNexon Asia Pacific
 
Websense 2013 Threat Report
byKim Jensen
 
ISTR Internet Security Threat Report 2019
by- Mark - Fullbright
 
Threatsploit Adversary Report January 2019
byBriskinfosec Technology and Consulting Pvt Ltd
 
Adjusting Your Security Controls: It’s the New Normal
byPriyanka Aash
 
2013 Threat Report
byEnvision Technology Advisors
 
Istr number 23 internet security threat repor 2018 symantec
bySoluciona Facil
 
Breach level index_report_2017_gemalto
byJonas Mercier
 

What's hot

PDF
UW - IMT 552-JPMorgan Chase & Co. Risk Assessment
byAkshay Ajgaonkar
 
PDF
Istr19 en
byAnjoum .
 
PDF
2020 Data Breach Investigations Report (DBIR)
by- Mark - Fullbright
 
PPTX
Social Media & Cybersecurity
byYuda Saydun
 
PDF
IC3 2019 Internet Crime Report
by- Mark - Fullbright
 
PDF
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
bySymantec
 
PDF
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
byOilPriceInformationService
 
PDF
proofpoint-blindspots-visibility-white-paper
byKen Spencer Brown
 
PDF
Data Breach Insurance - Optometric Protector Plan
bysarahb171
 
PDF
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
byPwC France
 
PDF
Estado del ransomware en 2020
byiDric Soluciones de TI y Seguridad Informática
 
PDF
B istr main-report_v18_2012_21291018.en-us
byКомсс Файквэе
 
PDF
Symantec Intelligence Report
bySymantec
 
PDF
BLURRING BOUNDARIES
by- Mark - Fullbright
 
PDF
W verb68
byJames1280
 
PDF
CYREN_Q1_2015_Trend_Report
byChris Taylor
 
PDF
IRJET- Phishing and Anti-Phishing Techniques
byIRJET Journal
 
PDF
State of Internet 1H 2008
byKim Jensen
 
PPTX
Protecting Your Business, Cybersecurity, and working remotely during COVID-19
byArielMcCurdy
 
PDF
Proofpoint Q3 - 2017 Email Fraud Threat Report
byProofpoint
 
UW - IMT 552-JPMorgan Chase & Co. Risk Assessment
byAkshay Ajgaonkar
 
Istr19 en
byAnjoum .
 
2020 Data Breach Investigations Report (DBIR)
by- Mark - Fullbright
 
Social Media & Cybersecurity
byYuda Saydun
 
IC3 2019 Internet Crime Report
by- Mark - Fullbright
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
bySymantec
 
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
byOilPriceInformationService
 
proofpoint-blindspots-visibility-white-paper
byKen Spencer Brown
 
Data Breach Insurance - Optometric Protector Plan
bysarahb171
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
byPwC France
 
Estado del ransomware en 2020
byiDric Soluciones de TI y Seguridad Informática
 
B istr main-report_v18_2012_21291018.en-us
byКомсс Файквэе
 
Symantec Intelligence Report
bySymantec
 
BLURRING BOUNDARIES
by- Mark - Fullbright
 
W verb68
byJames1280
 
CYREN_Q1_2015_Trend_Report
byChris Taylor
 
IRJET- Phishing and Anti-Phishing Techniques
byIRJET Journal
 
State of Internet 1H 2008
byKim Jensen
 
Protecting Your Business, Cybersecurity, and working remotely during COVID-19
byArielMcCurdy
 
Proofpoint Q3 - 2017 Email Fraud Threat Report
byProofpoint
 

Viewers also liked

PDF
Article
byTheodora Cudritescu, BComm, MTax
 
PDF
FELIZ CUMPLEAÑOS, TOMMY
byAnnie NaRuz
 
PPTX
Non-cognitive Skills_CES_FF_161203_Final
byMichael M. Brownstein, M.B.A., Ed.M.
 
PPTX
Big data y Open Data -Linea de tiempo
byAllan Blanco
 
DOCX
Informe ejecitivo fase 2
byEdwin Alexander Paspuel Diaz
 
PDF
Sismicidad y vulcanismo en méxico
byDulce Alva
 
DOCX
Rodrigo prêmio phoenix de qualidade
byRodrigo Gonçalves Pereira
 
PDF
Molengeek : build up and empower Molenbeek
bySocialWorkplacesCom
 
PPTX
Ada #1 b3
byPedro Jimenez
 
PPTX
Personality and its traits
byAnsar Gill
 
PPTX
Di no a la violencia machista
byMarta Nieto
 
Article
byTheodora Cudritescu, BComm, MTax
 
FELIZ CUMPLEAÑOS, TOMMY
byAnnie NaRuz
 
Non-cognitive Skills_CES_FF_161203_Final
byMichael M. Brownstein, M.B.A., Ed.M.
 
Big data y Open Data -Linea de tiempo
byAllan Blanco
 
Informe ejecitivo fase 2
byEdwin Alexander Paspuel Diaz
 
Sismicidad y vulcanismo en méxico
byDulce Alva
 
Rodrigo prêmio phoenix de qualidade
byRodrigo Gonçalves Pereira
 
Molengeek : build up and empower Molenbeek
bySocialWorkplacesCom
 
Ada #1 b3
byPedro Jimenez
 
Personality and its traits
byAnsar Gill
 
Di no a la violencia machista
byMarta Nieto
 

Similar to Fortified Health Security - Horizon Report 2016

PDF
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
bySteve Fantauzzo
 
PPTX
Cyberattacks on Healthcare Systemss.pptx
byJoeOrlando16
 
PDF
2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
byMOHAMMED YASER HUSSAIN
 
PDF
Cybersecurity Challenges in the Healthcare Industry.pdf
byMobibiz India
 
PDF
Infographic Protecting Patient Data
byFortinet
 
PDF
Infographic Protecting Patient Data
byMichael Chalmandrier-Perna
 
PDF
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
bysara182573
 
PDF
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
bysara182573
 
PDF
Cybersecurity Risks of 3rd Party Cloud-Apps in 2022 Whitepaper by Protected H...
byProtected Harbor
 
PDF
We Need to Prioritize Cybersecurity in 2020
byMatthew Doyle
 
PDF
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
byThe Lifesciences Magazine
 
PDF
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
bymosmedicalreview
 
PDF
Protected Harbor Data Breach Trend Report
byProtected Harbor
 
DOCX
Running head Information security threats 1Information secur.docx
bywlynn1
 
PDF
Why healthcare is the biggest target for cyberattacks-converted.pdf
byJohn David
 
PDF
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
PDF
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
byHybrid Cloud
 
DOCX
Peer Review FormComplete the form by inserting your answer.docx
bytemplestewart19
 
PPTX
HHS Ransomware and Breach Guidance - Brad Nigh
byFRSecure
 
DOCX
1DSRT 736Healthcares Vulnerability to Ransomware Attack
byEttaBenton28
 
Ransomware and Emerging Cyber Threats: Why It's More Than Just An IT Problem ...
bySteve Fantauzzo
 
Cyberattacks on Healthcare Systemss.pptx
byJoeOrlando16
 
2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
byMOHAMMED YASER HUSSAIN
 
Cybersecurity Challenges in the Healthcare Industry.pdf
byMobibiz India
 
Infographic Protecting Patient Data
byFortinet
 
Infographic Protecting Patient Data
byMichael Chalmandrier-Perna
 
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
bysara182573
 
Cybersecurity in Healthcare - Looking at the security issues that impact the ...
bysara182573
 
Cybersecurity Risks of 3rd Party Cloud-Apps in 2022 Whitepaper by Protected H...
byProtected Harbor
 
We Need to Prioritize Cybersecurity in 2020
byMatthew Doyle
 
Best 3 Cyber Threats in Healthcare Organizations Today | The Lifesciences Mag...
byThe Lifesciences Magazine
 
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
bymosmedicalreview
 
Protected Harbor Data Breach Trend Report
byProtected Harbor
 
Running head Information security threats 1Information secur.docx
bywlynn1
 
Why healthcare is the biggest target for cyberattacks-converted.pdf
byJohn David
 
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
byHybrid Cloud
 
Peer Review FormComplete the form by inserting your answer.docx
bytemplestewart19
 
HHS Ransomware and Breach Guidance - Brad Nigh
byFRSecure
 
1DSRT 736Healthcares Vulnerability to Ransomware Attack
byEttaBenton28
 

Fortified Health Security - Horizon Report 2016

  • 1.
    Horizon Report THE STATEOF CYBERSECURITY IN HEALTHCARE fortifiedhealthsecurity.com | 615-600-4002 | 2555 Meridian Blvd Suite 250, Franklin, TN 37067
  • 2.
    FROM COMPLIANCE TOCONFIDENCE II FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 President’s Message So far, 2016 has proved to be a very challenging environment for healthcare leaders when it comes to safeguarding sensitive patient data. Cybersecurity threats and malicious actors continued to wreak havoc across the spectrum of healthcare organizations. The number of hacking incidents in healthcare has trended upward over the last few years as adversaries have followed opportunity. It has become blatantly obvious that malicious actors have turned their focus away from the historically lucrative arenas like the financial industry and have been aggressively targeting healthcare data. But why? There are three main drivers: 1. First, healthcare providers are now digitized. The 2009 HITECH Act successfully spurred a tidal wave of electronic health record (EHR) implementations which significantly increased the amount of personal health information that is now digital. The speed to implement EHRs nationwide consumed most IT departments’ capital budgets and made it almost impossible for healthcare organizations to adequately protect electronic patient data at the same speed as the advancement in their environments. Many organizations now find themselves playing catch-up as it pertains to implementing a security program that addresses the technical and human aspects of protecting patient data. 2. Second,adversariesnowrealizethathealthcarenetworksareexploitablebecausetheytendtobelesssophisticated and are easier to compromise. 3. Third, medical records are reportedly defined as the most rewarding source of personal information because the information tends to be more complete, encompassing everything from medical insurance numbers to credit card numbers. The market value of medical information is worth 10 times more than credit card data on the black market (1). Due to the comprehensive nature of these records, they can be wielded in many forms from false tax returns to Medicare claims to patient misrepresentations. The bottom line is that bad actors are more focused on exploiting sensitive healthcare data than ever before. In turn, organizations need to take a depth and breadth approach to managing their cybersecurity posture. This year, the healthcare industry experienced an increase in the number of successful cyber-attacks on providers and a heightened focus on compliance from OCR. Couple this with the prevalence of ransomware, as well as tackling Business Associate risk, many leaders find themselves looking for a silver bullet. With no simple fix to this complex problem, it will take collaboration, investment and a comprehensive, ongoing approach to managing cybersecurity risk organization-wide in order to meet the rising challenge. Managing cyber risk is complicated, but it is most effective when led from the top, well-planned, and supported by data. Be the champion within your own organization and push to elevate the discussion of managing cybersecurity risk. My hope is that the Horizon Report builds awareness about threats and provides you valuable insight. We welcome your feedback and perspectives at horizonreport@fortifiedhealthsecurity.com. Enjoy. Regards, Dan L. Dodson (1) Source: Reuters — http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 “It’s no secret that healthcare is slow to embrace change. That slow pace of innovation means the industry is dangerously behind on understanding and mitigating risk.”
  • 3.
    FROM COMPLIANCE TOCONFIDENCE III FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 2016 Year in Review While the industry has taken some positive steps as it pertains to safeguarding electronic Personal Health Information (ePHI), our adversaries have matured their tactics, held some of us ransom, and continued to exploit our environments throughout the past year. In just the first 10 months of 2016, the number of entities reporting major breaches caused by hacking has already increased 51% over the full year 2015. This has been a trend since 2012 and will likely continue. This is according to the “wall of shame” breach data kept by the Office of Civil Rights (OCR) which requires covered entities and business associates to report breaches containing unsecured protected health information affecting 500 or more individuals. On a positive note, the implementation of cybersecurity educational programs over the past few years by healthcare organizations has increased awareness and led to the reduction in the number of breaches caused by theft. For the third year in a row, the number of entities compromised due to theft has decreased. This year, only 18% of major breaches were caused by theft — down from an all-time high of 83% in 2009. 0 20 40 60 80 20162015201420132012201120102009 297K 900K 238K 1.7M 111.8M INDIVIDUALS AFFECTED 11.4M 92K “In just the first 10 months of 2016, the number of major breaches caused by hacking has already increased 51% over the full year 2015. This has been a trend since 2012 and will likely continue.” “For the third year in a row, the number of entities compromised due to theft has decreased.” PERCENTOFMAJORBREACHES THEFTASPERCENTOFINCIDENCES OF TOTAL INCIDENCES WERE THEFT 18%30% 38% 47% 57% 60% 66% 83% 0 20 40 60 80 100 20162015201420132012201120102009
  • 4.
    FROM COMPLIANCE TOCONFIDENCE IV FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 While this is a step in the right direction, educational efforts for healthcare personnel must be enhanced as ransomware attacks increased in size and scope in 2016. These attacks provide external avenues for hackers to penetrate the network and perimeter defenses of healthcare organizations. In many cases, through phishing, hackers gain credentialed access to the organization’s sensitive patient data assets and subsequently encrypt and ransom data for money. Additionally, hackers have access to sophisticated scanning software that allows them to uncover vulnerabilities that may exist in an organization’s externally-facing web services. As an example, a simple SQL injection vulnerability found on an organization’s website may provide entry — and ultimately access — to the organization’s enterprise and patient data assets. Many organizations are identifying these potential vulnerabilities and evaluating their exploitability through advanced penetration testing in an effort to enhance their security posture. Beyond the increased threat of attacks, there were a number of relevant security issues that manifested themselves in 2016, including: The increased threat of ransomware More significant financial settlements with OCR than ever before A heightened focus on managing third-party risk Simple vulnerabilities may provide entry — and ultimately access — to the organization’s enterprise and patient data assets. Many organizations are identifying the exploitability of potential vulnerabilities through advanced penetration testing. “Many organizations are identifying these potential vulnerabilities and evaluating their exploitability through advanced penetration testing in an effort to enhance their security posture.”
  • 5.
    FROM COMPLIANCE TOCONFIDENCE V FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 The Evolution of Ransomware The calendar pages of 2016 had just started to turn when ransomware made headlines across the country as hackers held hospital patient information hostage in hopes of big payments. This doesn’t represent a new approach to hacking, but the volume and severity of ransomware attacks in healthcare led us to label 2016 “The Year of the Ransom.”
  • 6.
    FROM COMPLIANCE TOCONFIDENCE VI FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 THE ORIGINS OF RANSOMWARE But where did ransomware come from? Most believe that it is a new attack method, but ransomware has a long and storied past. The first known ransomware was the 1989 “AIDS” Trojan (also known as “PC Cyborg”) written by Joseph Popp. Basically, victims would receive a floppy disk (remember those?) labeled “AIDS Information Introductory Diskette” and, while booting, the malicious software would hide directories and encrypt the files on the C-drive. There was a pretty significant lull in activity until 2005 when a new type of ransomware was utilized: Misleading Apps. This malware exaggerated the impact of issues on the computer and required payment to “fix” the issues within the infected system. The evolution continued in 2008 when “Fake Anti-Virus” software was introduced; it would run fake scans claiming to find large numbers of threats and security issues on the computer. In 2011, we began to see “Locker” ransomware which would disable access and control of the computer, effectively locking up the computer from use. Today, we are seeing what most people recognize as ransomware: Crypto-ransomware. This is what we’ve seen in the news when the malware encrypts local and network file shares and databases. METHODS OF RESPONDING The total number of ransomware attacks is largely unknown because many go unreported or only interrupt the functionality of a few devices. However, the potential implication of these attacks are very severe and, in some instances, take heath systems offline for extended periods of time. Without effective controls and a sufficient backup program, you may be forced to pay. That was the case in February for Hollywood Presbyterian Medical Center when it was forced to pay $17,000 after a ransomware attack took the hospital offline for 10 days. The most unique part of this event was that they went public with the news. This immediately struck fear in the minds of healthcare executives, board members and patients across the country. It was less than a month later when MedStar, a health network of 10 Maryland hospitals, was struck by ransomware and required to move to downtime procedures consisting of paper orders and such while their IT environment was cleansed and restored. This incident reportedly forced MedStar to turn away patients and send them to neighboring facilities. The difference here is that MedStar did not pay the ransom but leveraged backups to restore their systems. “Without effective controls and a sufficient backup program, you may be forced to pay.” 1989 2005 2008 2011 TODAY Floppy Disk Trojan Misleading Apps Fake Anti-Virus Locker Ransomware Crypto-Ransomware
  • 7.
    FROM COMPLIANCE TOCONFIDENCE VII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 These two events played out in the public media but there are many other examples that didn’t hit headlines. Ransomware represents enormous risk to healthcare organizations because operations and patient care can be greatly impacted. This led the HHS Office for Civil Rights (OCR) to provide additional guidance in July of 2016. Specifically, OCR brought clarity to the question often asked by many Covered Entities and Business Associates: “If our organization is hit with ransomware, is the event considered a breach under HIPAA Rules?” (2) (3) OCR’s guidance is that a fact-specific determination must be made but, unless the CE or BA can demonstrate there is a “low probability that PHI has been compromised,” a breach of PHI is presumed to have occurred. In this event, the entity must comply with current breach notification protocols. This clarification by OCR was significant as it will likely prove to be difficult for most healthcare organizations to demonstrate “low probability” in the event they are breached via ransomware. BEST PRACTICES There are number of best practices that your organization should consider as it pertains to ransomware. The first step is for your entire organization to understand that this is more than an IT problem, so your plan must encompass every employee at your organization. The bottom line is Defense in Depth. The best prevention is taking proactive security measures around people, process and technology. As the greatest risk to an organization, the people aspect must be strictly focused on through an engaging and continuous security and awareness training program. The program should be metrics- based to ensure the program’s effectiveness can be measured and managed to drive results. Conducting regular phishing exercises is a cost effective way to measure the success of your program. As for process, every organization should create and test an effective disaster recovery, business continuity, incident response and breach notification program. Remember: Backups, Backups, Backups! The key here is to test these programs and plans proactively. The first time cross-functional teams meet should not be directly after the attack when it is time to act quickly. We have found that tabletop exercises are an effective method for testing the completeness of RANSOMWARE BEST PRACTICES: • Address ransomware across the entire organization • Implement proactive security measures around People, Process and Technology • Develop a metrics-based awareness training program • Create and test a disaster recovery, business continuity, incident response and breach notification program • Backups, backups, backups! • Don’t under-invest in managing technical point solutions Sources (1) http://www.hhs.gov/blog/2016/07/11/ your-money-or-your-phi.html (2) http://www.hhs.gov/sites/default/files/ RansomwareFactSheet.pdf “The best prevention is taking proactive security measures around people, process and technology.”
  • 8.
    FROM COMPLIANCE TOCONFIDENCE VIII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 these programs. Additionally, organizations should perform regular penetration testing, vulnerability assessments and maintain a comprehensive patch management program. To complete the depth and breadth approach, multiple technologies should be considered including Security Information & Event Monitoring (SIEM), Intrusion Prevention System/Intrusion Detection System, SPAM/Email Filters, Web Content Filters, Anti-Virus/Anti-Malware, NextGen Firewalls, Data Loss Prevention (DLP) and Vulnerability Scanning. Remember that many of these advanced technical solutions will require a level of expertise within your IT department, as many require configurations, monitoring, and ongoing management. You may end up disappointed if you don’t adequately support these technical solutions because your perceived value will end up much higher than the actual value to your security posture post-implementation. Simply put: buying technology is half the journey; don’t under-invest in managing your technical point solutions over time. OCR Update TheOfficeforCivilRights(OCR)madethreemajormovesin2016thataffectedhealthcareorganizations significantly, which included launching new audit protocol, levying the most settlements ever, and increasing focus on Business Associates. 1. Launched New Audit Protocol First, OCR began round two of their audit protocol in 2016 which expands their scope to include Business Associates (BAs) along with Covered Entities (CEs). As part of the program, OCR announced that it would dedicate more resources to investigate breaches of 500 records or fewer. Although in steep contrast to their previous work plan, OCR has, at times, investigated these types of breaches but only in unique cases and as resources permitted. This new direction is to encourage covered entities to take action addressing non-compliance with the HIPAA Security and Privacy Rules regardless of the size of the breach. OCR has already levied fines against organizations with a breach of fewer than 500 records. In June of 2016, the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 in fines after a CHCS portable device with 412 patient records was stolen. A more sizable settlement was levied against the Triple-S Management Corporation in November of 2015. Triple-S has agreed to settle potential violations of the HIPAA Privacy and Security Rules in the sum of $3.5 million. OCR initiated investigations after receiving multiple breach notifications from Triple-S involving unsecured protected health information (PHI). “Simply put: buying technology is half the journey; don’t under- invest in managing your technical point solutions over time.”
  • 9.
    FROM COMPLIANCE TOCONFIDENCE IX FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 2. Levied Unprecedented Number of Settlements Second, OCR has made more HIPAA violation settlements thus far in 2016 than any other year since 2009, totaling more financial penalties than the last four years combined. So far in 2016, 12 organizations have been penalized over $22.8 million dollars for HIPAA violations by the Office of Civil Rights (OCR). This is double the number of settlements reached in 2015 and a 268% increase in financial penalties over last year. This includes the largest settlement ever of $5.5 million whereby Advocate Health System agreed to a settle HIPAA violation claims related to three data breaches that occurred in 2013. We expect the level of oversight and severity of penalties to continue to rise over the next few years. Confirming this notion, OCR has stepped up their audit program and levied fines for smaller breaches. 3. Increased Focus on Business Associates Third, the lines of responsibility between Covered Entities (CE) and Business Associates (BA) continue to blur in the eyes of OCR. Or, at a minimum, if CEs don’t manage BA risk appropriately, they may face financial penalties in the event that their data is breached at one of their BAs. In March of 2016, there was a major settlement between OCR and North Memorial Health Care because they failed to implement a Business Associate Agreement with a major contractor. Furthermore, they failed to institute an organization-wide risk analysis program to address risks and vulnerabilities to protect patient information. This marked the first major incident whereby a covered entity faced significant financial penalties along with significant remediation requirements because of the actions of a business associate. A laptop was stolen from the car of a North Memorial Health Care BA employee’s car which contained 289,904 patient records and, due to their current business associate management process, they were forced to settle with OCR. This underscores the importance of business associate management. This risk is intensifying as Business Associates were responsible for 25% of the total number of individuals impacted by a reported breach year to date. Financial penalties coupled with the increase in attacks on BAs is a compelling reason for healthcare organizations to formally assess, audit and manage them more comprehensively. Business associate management is a critical element of any robust cybersecurity management program and will likely garner more attention in the coming years. It will come as no surprise to you that 2016 marked another year of vicious attacks. As healthcare leaders, we must balance fighting these adversaries through advanced technical solutions with educating our employee populations about cyber responsibility — all while maintaining an already strapped IT budget. The first step in building a successful cybersecurity risk management program is to elevate the discussion beyond IT to include every facet of the organization including the hospital board. The most successful organizations leverage data to drive these discussions, build the right case and demonstrate the importance of cyber risk. This often starts with an understanding of the overall significance of the threats facing your organization and analyzing the breach data which we will break down in the next section. “As healthcare leaders, we must balance fighting these adversaries through advanced technical solutions with educating our employee populations about cyber responsibility — all while maintaining an already strapped IT budget.”
  • 10.
    FROM COMPLIANCE TOCONFIDENCE X FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 2016 Breach Data Review The state of cybersecurity and the anatomy of a breach in the healthcare industry has changed. Long gone are days when the primary driver of breaches was an employee mistakenly sending a file with hundreds or thousands of patient records to their personal email, or a laptop being stolen out of the back of a car. The landscape has changed. The industry has changed. The disclosure vectors have changed and the outlook is much more direct and detrimental. Breaches are deliberate and calculated. As of October 2016, a total of 256 entities had experienced a large breach this year, which is on pace to surpass the 270 breaches experienced in 2015. So far, a total of 14,401,029 patient health records have been compromised.
  • 11.
    FROM COMPLIANCE TOCONFIDENCE XI FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 According to the OCR breach data, the number of entities that experienced a Hacking or Unauthorized Disclosure incident has trended upwards 406% and 304% respectively since 2011. Theft or loss as the cause of breach has trended downwards significantly with a decrease of 57% during the same time period. This data validates that, although awareness has risen, which has reduced theft or loss, the overall industry still has significant exposure to potential breaches. Healthcare has been targeted and breached more in the last two years than it is has since OCR began reporting data in 2009. This is alarming because our industry has been slow to implement industry-leading security technologies and effectively engage staff as well as senior management. We are now seeing the fallout of years of neglect — but there is light at the end of the tunnel. Historically, the majority of breaches were the result of inadvertent user error, whereas today we see the opposite. Loss, Theft or Improper Disposal represents 11% of all impacted individuals in 2016, down from an all-time high of 84% in 2010. 14.4M INDIVIDUALS AFFECTED 113.2M 12.7M 6.9M 2.8M 13.1M5.5M 134K 0 50 100 150 200 250 300 350 Other Improper Disposal Loss or Theft Unauthorized Access/Disclosure Hacking 20162015201420132012201120102009 2009 2010 2011 2012 2013 2014 2015 2016 62% 38% 11% 1% 6% 1% 10% 16% 3% 3% 3% 1% 11% 15% 15% 2% 3% 2% 32%84% 88% 14% 98% 79% 24% 59% 82% 37% Other Unauthorized Access/Disclosure Loss, Theft, Improper Disposal Hacking PERCENTOFINDIVIDUALSIMPACTED BYTYPEOFBREACHTOTALENTITIESINVOLVED INABREACH
  • 12.
    FROM COMPLIANCE TOCONFIDENCE XII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 The healthcare industry has done an impressive job improving its employee training to address the controllable human element of employees not understanding the impacts of mishandling or negligent handling of ePHI. The problem has now become a matter of lack of security tools, technologies and technical controls to combat the constant barrage of attacks and social engineering attempts. Healthcare organizations need to augment their normal security training that covers proper handling of ePHI to also address the nuisances of phishing, vishing and ransomware. Employees need to understand that their actions — even when not handling sensitive information — can result in a breach. Healthcare organizations need to deploy a constant and engaging cybersecurity educational process in order to keep security and proper computing hygiene at the forefront of each employee’s mind. Healthcare providers are by far the most targeted and attacked type of healthcare entity. This is not new. Healthcare providers have experienced the highest number of breaches every year since 2009. Furthermore, we have seen increases in the number of provider organizations compromised year-over-year since 2014. In 2016, healthcare providers represented the vast majority of entities involved in a breach and affected more individuals than health plans, clearing houses and business associates combined. Almost three-fourths (73%) of individuals affected this year were exposed by a provider organization breach. Providers have experienced 205 breaches to date, representing an increase of 6% over the full year 2015. This percentage increase will likely grow by year end. “Employees need to understand that their actions — even when not handling sensitive information — can result in a breach.” “Healthcare providers have experienced the highest number of breaches every year since 2009.” PERCENT OF INDIVIDUALS AFFECTED IN 2016 NUMBER OF ENTITIES AFFECTED IN 2016 73% 2% 25% Not Reported Business Associates Heathcare Provider Heathcare Clearing House Health Plan 205 16 2 33
  • 13.
    FROM COMPLIANCE TOCONFIDENCE XIII FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 Business Associates breaches impacted 25% of the total number of individuals affected by a major breach. This is an increase from 3% in 2015 and represents a total of 16 business associates breached thus far this year. Health Plans experienced a decrease in the number of entities involved in 2016 from 62 in 2015 to 33. Given the size of the 2015 Anthem, Premera Blue Cross and Excellus breaches, with 99,800,000 patients impacted in total, Health Plans have impacted a significantly smaller number of people thus far in 2016 as compared to 2015. One trend that continued in 2016 is that a few incidences impacted the majority of individuals affected this year. For instance, 75% of records breached YTD (10,834,278) came as a result of the Top 5 breaches. CYBERSECURITY INSURANCE CLAIMS DENIED Last year, the first major breach occurred where a cybersecurity insurance company required a health system — which had an in force insurance policy at the time of an attack — to payback their insurance claim after it was determined that their underwriting application did not accurately represent their security controls. Although these events unfolded very publicly in 2015, this is a very important lesson and relevant for all healthcare organizations, as many organizations took steps in 2016 to incorporate cybersecurity insurance as part of their overall cybersecurity program. Purchasing cybersecurity insurance requires expert scrutiny as contracts are not standardized. Organizations should be careful when evaluating and selecting cyber insurance. This is certainly an area where seeking the advice of a professional insurance broker or security expert may prove to be useful. Furthermore, the criteria that your organization commits to as part of the application process must be embedded into your ongoing security management program to help ensure compliance with the policy. NAME OF COVERED ENTITY ENTITY TYPE INDIVIDUALS AFFECTED Banner Health Healthcare Provider 3,620,000 Newkirk Products, Inc. Healthcare Provider 3,466,120 21st Century Oncology Healthcare Provider 2,213,597 Valley Anesthesiology and Pain Consultants Healthcare Provider 882,590 Bon Secours Health System Incorporated Healthcare Provider 651,971
  • 14.
    FROM COMPLIANCE TOCONFIDENCE XIV FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 Cybersecurity 2017 Outlook Many entities will evolve next year while others will continue to deprioritize cybersecurity. This is a mistake, given what is on the horizon for next year. We predict healthcare organizations can expect the following next year: • Double-Digit Increase in Breaches: As hackers become more advanced and better equipped, healthcare organizations will experience a 10-15% increase in the number of cybersecurity breaches in 2017. Ransomware attacks will increase. • Boards Will Keep Their Heads in the Sand and Hope for the Best: Some healthcare organization boards have already begun managing cybersecurity risk in the same manner as other business risks. Unfortunately, they often become engaged in cybersecurity risk management after a significant event. With that said, we predict that many Boards will be content to retain a reactive posture in dealing with cybersecurity concerns. The results will be costly. • Increase in Civil Litigation: Significant pressure from civil litigation, due to the breach of ePHI, using federal regulations, HIPAA/HITECH, as a standard of due care will be seen in 2017. Healthcare and cybersecurity are massive economic growth sectors, drawing the attention of both consumers and attorneys as litigation targets. As consumers have become more regulation-savvy and the legal lay of the land is better understood by attorneys, opportunities to file complaints will be seen exponentially increased over past years. • Budgets Won’t Be Big Enough: Given the threat landscape, we believe that most healthcare organizations will outspend their 2017 cybersecurity budgets by over 50%. Most organizations budget too little on cybersecurity and then experience overruns in an attempt to respond to emerging threats. • OCR Moves Towards a National Framework for Healthcare: The Office for Civil Rights will take steps to develop a national framework specific to the healthcare industry that is prescriptive in its requirements in order to guide CE and BA to the desired end result with regards to protecting sensitive data and ePHI. We feel that the OCR will finally adopt the HITRUST Alliance’s Common Security Framework (CSF) as the national standard or work directly the National Institute of Standards and Technology (NIST) in developing a new framework that meets the unique needs of the healthcare industry. It is time for healthcare to work to outpace cybersecurity threats. A proactive posture is a critical strategic investment. It is imperative that healthcare leaders realize that solving these problems will take the focus and strength of their entire organization. Much like long-term business goals and objectives, healthcare leaders need to develop strategic security roadmaps that will improve their posture over time. “It is imperative that healthcare leaders realize that solving these problems will take the focus and strength of their entire organization.”
  • 15.
    FROM COMPLIANCE TOCONFIDENCE XV FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 Moving Forward So where do we go from here? Here is a list of six things you can do to increase your cybersecurity profile starting now: • EDUCATE THE BOARD Security begins and ends with executive buy-in. Invest time in making sure Boards are informed and involved in order to ensure that the appropriate resources are allocated to cybersecurity. • ENGAGE THE WHOLE ORGANIZATION Security is NOT an IT problem; it takes a village. Risk decreases as more people throughout the organization are empowered to identify and respond to threats. • CORRECTIVE ACTION PLANNING Develop and execute corrective action planning in order to remove vulnerabilities and improve overall cybersecurity posture. • MAKE SURE YOUR TECHNOLOGIES ARE WORKING IN CONCERT Be sure to leverage your investments in a comprehensive and collaborative manner that improves your efficiency and effectiveness. Make them work for you. • BE COMPLIANT WITH CYBER INSURANCE REQUIREMENTS Do not think of cyber insurance as a safety blanket. Active compliance with contractual requirements is key to a strong cybersecurity posture. • SEEK OBJECTIVE OUTSIDE PERSPECTIVES While a strong cybersecurity posture takes a village, consider input from experts outside your organization in order to contribute new perspectives on your efforts. We hope this Horizon Report starts you on your path “from compliance to confidence” as we say at Fortified Health Security. Developing a strong cybersecurity posture does take time, energy and teamwork, and we welcome your feedback and perspectives at horizonreport@fortifiedhealthsecurity.com.
  • 16.
    FROM COMPLIANCE TOCONFIDENCE XVI FORTIFIED HEALTH SECURIT Y HORIZON REPORT: 2016 ABOUT FORTIFIED HEALTH SECURITY Fortified Health Security is a leader in information security, compliance and managed services, focused exclusively on helping healthcare professionals overcome operational and regulatory challenges everyday in regards to HIPAA, HITECH, and Meaningful Use. Founded in 2009, Fortified has established a heritage of excellence, compliance and innovation. Today, Fortified partners with healthcare organizations across the continuum, serving health systems, single hospital entities, physician practices, post acute providers, payors and business associates. www.fortifiedhealthsecurity.com. Ryan Patrick is a Vice President of Fortified Health Security where he focuses on increasing client security posture through driving collaboration between sales and operations teams. Prior to joining Fortified, he served as the Deputy Chief Information Officer for the New York State Division of Military and Naval Affairs and as a Director of a Security & Privacy healthcare IT consulting practice, in addition to working in the information security office for organizations such as MetLife and Memorial Sloan-Kettering Cancer Center. He currently holds an M.B.A. from Norwich University, the Certified Information Systems Security Professional (CISSP) certification and is a HITRUST Common Security Framework (CSF) certified practitioner. Dan L. Dodson is President of Fortified Health Security where he brings over 10 years’ experience in the healthcare and insurance industries — serving as both an operational leader and sales leader. Dan’s specific focus has been in aligning organizational strengths with client needs through the execution of relevant go-to-market strategies and solution development. Dan also serves as an Executive Vice President for Santa Rosa Consulting. Prior to joining Fortified, Dan was Senior Vice President at Hooper Holmes, Inc. (AMEX: HH), a company serving the health and wellness and life insurance industry. Prior to joining HH, Dan served as Global Healthcare Strategy Lead for Dell Services (formally Perot Systems) and has held numerous positions within various healthcare organizations including Covenant Health System and The Parker Group. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University. ABOUT THE AUTHORSCONTACT US TO START ON THE PATH FROM COMPLIANCE TO CONFIDENCE. For more information, visit our website at: fortifiedhealthsecurity.com INQUIRIES 1 (615) 600-4002 sales@fortifiedhealthsecurity.com OFFICE 2555 Meridian, Suite 250 Franklin, TN 37067