Healthcare Data Security: Surviving The Perfect Storm
Andrew W. Litt, MD, Chief Medical Officer
HIPAA Summit West, October 11, 2012
Dell Healthcare and Life Sciences by the numbers
• 13,000 employees worldwide
• 300+ MDs, RNs and PhDs
• #1 Worldwide Healthcare IT Services Vendor (Gartner)
• Serving more than 50% of U.S. hospitals, providing care to 90 million Americans
• Serving 7 of top 10 pharmaceutical companies
• Serving 100 insurance organizations supporting 65 million policy holders
• Leading IT provider for 1st, 2nd and 3rd generation gene sequencing
• Support for over 500 software, medical device and scientific instrument providers
• Managing over 5 billion medical images in cloud-based archive
• Managing 14 billion security events a day
• Provide OEM services to 70+ Healthcare and Life Sciences software, medical device and scientific instrument providers
• Managed 400 revenue cycle engagements, recovering $15 billion for customers over 7 years
It’s all about Trust
Patient perspectives on sharing information
• 54% of patients would withhold information
• 38% would postpone seeking care
• 37% would travel substantial distances to avoid a hospital they don’t trust with their privacy
• 73% said serious breaches of PHI would reduce confidence in the quality of healthcare provided
• 97% said healthcare executives have a legal and ethical responsibility to protect their privacy
• 87% think health executives should lose their jobs over failure to act
Source: FairWarning Report: Industry Best Practices for Patient Privacy in Electronic Health Records, April 2011
The evolving threat: A Perfect Storm
Advanced Threats
• Highly coordinated & motivated
• Well funded
• Enabled by unwitting users and malicious insiders
Embracing Technology and BYOD
• Mobile device breaches are very costly
• Difficult to track devices
• Cause majority of reported breaches
Data Explosion and Compliance
• Data explosion: HIEs, EHR, ACOs
• Complications for authenticating, encrypting, and protecting ePHI
• Increased enforcement and penalties
• Complex compliance requirements
Analysis of the threat environment
• 96%: Percentage of all healthcare providers that had at least one data breach in the past two years
• 60%: Proportion of healthcare providers that have had 2 or more breaches in the past 2 years
• 18+ million: Number of patients whose protected health information was breached between 2009 and 2011
• $27 billion: Amount earmarked between 2011 and 2015 for attesting to meaningful use of EHR
• 65%: Proportion of breaches reported involving mobile devices
• $50: Black market value of a health record
Healthcare is under attack
(Bubble chart of attacks by industry: Healthcare, Retail, Financial, Utilities, Bus.)
Source: SecureWorks CTU attack data from May 2012. Bubble size = % of customers affected within industry.
Typical process of a breach
Unencrypted devices are used to access PHI → Theft or loss of devices / drives → Realization and remediation
• Often not targeting PHI specifically
• Insider threats
• Third-party data loss
• Was this truly a breach?
• Begin investigation
Anatomy of a Breach: Massachusetts eHealth Collaborative
5 stages of response
1. Denial: Noooooooooooooooooooo!!! This is surely a nightmare and I’m going to wake up any minute.
2. Anger: How dare someone steal our property??!! Who the heck would leave a company laptop unattended in a parked car??!!
3. Bargaining: Are you sure it was OUR laptop?? Maybe it didn’t have any patient data on it?
4. Depression: We’re doomed. Patients’ privacy may be exposed. Some may suffer real harm or embarrassment. They’re going to hate their providers, and their providers are going to hate us. Word will spread, trust in us will erode, we’ll struggle to get new business, we may get fined or sanctioned by state and/or federal authorities, we may get sued by providers or patients or both. My kids won’t go to college, I’ll lose my house, my parents will be disgraced.
5. Acceptance: OK, let’s get to work. We have an obligation to our customers, our board, and ourselves to affirmatively take responsibility for our errors, be transparent with all stakeholders, manage the process with operational excellence, and share our lessons learned so that others can hopefully learn from our blunders.
Source: http://www.histalkpractice.com/2011/12/03/first-hand-experience-with-a-patient-data-security-breach-12311/ by Micky Tripathi, President and CEO, Mass. eHealth Collaborative
After the breach
• Credit monitoring services for affected patients
• Opportunity cost in staff time
• Notification to gov’t authorities
• Legal fees?
• Analysis of affected records
• Private investigators
• Soft costs – impact to reputation
Mobile computing security
The mobile device market is thriving
2011 vs 2014:
• U.S. hospital spending on IT: $4.7 billion (2011), $6.8 billion (2014)
• Market for mobile devices in healthcare: $100 million (2011), $1.7 billion (2014)
• Mobile device usage compared to overall IT: 2% (2011), 25% (2014)
• 2 out of 5 physicians go online during patient consultations; mostly on handheld devices
• 63% of physicians are using personal devices for mobile health solutions not connected to their practice
• 86% of physicians are interested in accessing Electronic Medical Records from mobile devices
Source: TechTarget news
Mobile device challenges
• Bring your own device: How to manage and maintain control and visibility in a disparate / heterogeneous environment
• Encryption / Authorization Oversight: How to make sure the right people are accessing the right records
• End point encryption: How to ensure the data is not locally stored vs level of risk
• Loss of devices: Loss / theft management
Mobile device risks originate from many areas
Locations in the diagram: Data Center; Internet, 3G, WiFi; Hospital; Clinics or Business Associates
Risks shown:
• Man-in-the-Middle Attacks
• Smartphone viruses
• Unmanaged devices
• Compromised Devices and Social Media Vulnerabilities
• IT Compliance Failures
• Open Gateways
• Lack of Awareness and Standard Policies
• Unprotected Corporate Data
• SMS Attacks
Mobile device breach costs
• $6.76 million average cost per organization
• 58% of patients experience distrust of a provider following a breach
• Per record costs (chart): $258, $210, $196
Sources: HITRUST Alliance: “An Analysis of Breaches Affecting 500 or More Individuals in Healthcare”, May 2010; Advisory Board Company.
Healthcare Security Legislation
Three Key Components of Risk Assessment
1. Conduct a Risk Analysis
2. Implement Security Measures as Appropriate
3. Correct Identified Security Deficiencies as Part of an Overall Risk Management Process
Elements of a Risk Analysis
• Identify where your patient data is.
• How are you protecting patient data?
Improving security posture
Be Aware of ePHI (including 3rd Parties)
• Staff education
• Understanding of compliance requirements
• Assume that all portable devices contain PHI
Mobile Device Security
• Policies and procedures: properly manage BYOD policies
• Full disk encryption
Compliance
• Security Risk Analysis
• Clear documentation of risk points
• Incident response plan
• Enable the organization to minimize future critical threats
Credentialing and Authorization
• Automating lockdown of passwords and entitlements
• Full disk encryption
Building a comprehensive security program
Cycle: Build → Monitor → Test → Remediate
1. Initial Assessments
• Security Architecture Assessment
• Security Program Review
• HIPAA Gap Analysis
• Meaningful Use Risk Analysis
2. Security Infrastructure
• Perimeter: Firewall; IDS / IPS; Malware Detection
• Application: Web Application Firewall
• Endpoint: Anti Virus; DLP (email, data); Encryption + External
• Identity Management: Access Management
3. Monitoring Program
• 24x7 Monitoring: Security Devices; Log Monitoring; Threat Protection
• Management: NOT “set it and forget it”; Ongoing tuning; Software upgrade & patches
• Other Components: Threat Intelligence; Incident Management
4. Testing Program
• Scanning Platform: Network Scanning; Web App Scanning; Compliance Scanning
• Testing Services: Vulnerability Assessment; Penetration Testing
Security solution architecture
Dell Security Services & Solutions enable organizations of all sizes to protect their IT assets, comply with regulations and reduce security costs.
• Security Services (Dell SecureWorks): Dell SecureWorks services let you focus on your core business so you can offload your resource-intensive security operations to certified experts with deep security & compliance knowledge
• Network Security (SonicWALL TZ/NSA): Dell Gateways and SonicWALL TZ/NSA firewalls secure your network against threats including intrusion, viruses and spam
• Endpoint Security (Dell KACE, Trend Micro Worry Free): Dell KACE protects end points by identifying & remediating vulnerabilities across end nodes; Trend Micro protects mobile users by blocking malware on PCs and laptops
• Data Security (Dell Data Protection – Authentication, Encryption): Dell Data Protection controls unauthorized access with hardware encryption and user authentication
Other diagram elements: Internet; VPN; Dell and 3rd Party Security Partners
Security strategy should support 4 critical areas
• Mobile device strategy
• Data visibility
• Endpoint access and encryption
• Security and risk monitoring
Innovation and Security enabled by Cloud platform
Cloud Archiving/Hosting Services
Why do you want your data in the Cloud?
• Infrastructure Simplification
• Disaster Recovery and Data Protection
• Data Migration
• Capital cost → Operating cost
• Clinical Workflow & Automation
• Data Sharing and Information Exchange
• Physician Access
• Patient control
Diagram elements: Tier 1 sources (PACS A (i.e. GE), PACS B (i.e. AGFA), Other Clinical Applications); On Premise Clinical Archive; Dell Cloud Clinical Archive (Object Storage, Managed Services); Collaboration Portal; Clinical Data Management; Clinical Collaboration; Encryption; Providers, Community, Individuals, PHR
Security: HIPAA Compliant, Secure, SLA Based
Dell Healthcare:
Better information
Better healthcare