Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015

Transcription

1 Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Healthcare payers Technology is not the only agent of change. Innovations in business models and partnerships with a broadening range of care collaborators are generating new services and promoting growth. At the same time, mergers and acquisitions are creating synergies while compacting the industry through consolidation. Both will yield new opportunities and redefine the industry. Nowhere is the force of change more evident than in the US, where organizations are implementing electronic health records (EHRs) as a means to lower healthcare costs, modernize back-office systems, and speed payments. The real challenge, however, will be integrating disparate systems to seamlessly share EHR information with providers, payers, and patients. Doing so will help providers monitor and improve patient care, predict development of illnesses, boost patient engagement in their care, and enhance workflows among providers, care collaborators, and payers. With change comes challenge, however. More than ever, healthcare payers face a raft of issues that could impact the security of patient health data, sensitive corporate information, and regulatory compliance mandates. Most are boosting their investments in information security to address these evolutions, according to The Global State of Information Security Survey (GSISS) // 1

2 Technology advances like telemedicine, information sharing via mobile devices and social media, analytics are transforming how healthcare payers and providers interact with their patients, business partners, and regulators. The confluence of these technologies is also changing how organizations provide care and is helping create a marketplace in which consumers pay for healthcare by value rather than volume. GSISS 2015: Healthcare payers and providers results at a glance Click or tap each title to view data 5K 4,470 Incidents Sources of incidents Security spending 4K It will also expose more sensitive patient data to the Internet, which will increase information security risks. In part, that s because electronic data is inherently more vulnerable to large-scale compromise than paper-based information. Another factor is that troves of patient data contained in EHRs and healthcare information exchanges (HIEs) are increasingly tempting to cyber criminals. 3K 2,786 $ 0.8M $ 2.9M 3M 2M 1M A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000 on the black market, and even partial health insurance credentials can fetch $20; stolen payment cards, by comparison, typically are sold for $1 each. 1 Average number of detected incidents Estimated total financial losses Medical records are more valuable because cybercriminals can use them to create an identity, as well as carry out sophisticated insurance fraud schemes. 1 Dell SecureWorks, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier, July 15, // 2

3 Technology advances like telemedicine, information sharing via mobile devices and social media, analytics are transforming how healthcare payers and providers interact with their patients, business partners, and regulators. The confluence of these technologies is also changing how organizations provide care and is helping create a marketplace in which consumers pay for healthcare by value rather than volume. It will also expose more sensitive patient data to the Internet, which will increase information security risks. In part, that s because electronic data is inherently more vulnerable to large-scale compromise than paper-based information. Another factor is that troves of patient data contained in EHRs and healthcare information exchanges (HIEs) are increasingly tempting to cyber criminals. GSISS 2015: Healthcare payers and providers results at a glance Click or tap each title to view data 50% 40% 30% 43% 39% 26% 24% Incidents 23% 24% Sources of incidents Security spending 5% A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000 on the black market, and even partial health insurance credentials can fetch $20; stolen payment cards, by comparison, typically are sold for $1 each. 1 Current employees Former employees Hackers 2% Foreign nation-states Medical records are more valuable because cybercriminals can use them to create an identity, as well as carry out sophisticated insurance fraud schemes. 1 Dell SecureWorks, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier, July 15, // 3

4 Technology advances like telemedicine, information sharing via mobile devices and social media, analytics are transforming how healthcare payers and providers interact with their patients, business partners, and regulators. The confluence of these technologies is also changing how organizations provide care and is helping create a marketplace in which consumers pay for healthcare by value rather than volume. GSISS 2015: Healthcare payers and providers results at a glance Click or tap each title to view data 4M $ 4.0M Incidents 3.4% Sources of incidents 3.7% Security spending It will also expose more sensitive patient data to the Internet, which will increase information security risks. In part, that s because electronic data is inherently more vulnerable to large-scale compromise than paper-based information. Another factor is that troves of patient data contained in EHRs and healthcare information exchanges (HIEs) are increasingly tempting to cyber criminals. 3M 2M $ 2.4M 3% 2% 1% A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000 on the black market, and even partial health insurance credentials can fetch $20; stolen payment cards, by comparison, typically are sold for $1 each. 1 Average annual IS budget IS spend as percentage of IT budget Medical records are more valuable because cybercriminals can use them to create an identity, as well as carry out sophisticated insurance fraud schemes. 1 Dell SecureWorks, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier, July 15, // 4

5 The increased volume and value of healthcare data comes at a time when governments have warned healthcare providers that their security lacks the maturity of industries like financial services and retail. Officials have also warned that malicious actors are more actively targeting patient data. The fastest-growing sources of security incidents Increase over 206% Our security survey results bear that out: Incidents among healthcare payers soared 60% over, an increase that was almost double that reported by all industries. (We define a security incident as any adverse incident that threatens some aspect of computer security.) These compromises come at a great cost: The estimated average financial losses as a result of security incidents ed to $2.9 million in, a head-turning 282% increase over the year before. 41% 68% 120% 126% While retailers are grappling with a rash of payment-card heists, healthcare payers report increases in theft of more valuable data. Activists/activist organizations/hacktivists Organized crime Information brokers Competitors This year, survey respondents say identity theft jumped 32%, and 20% say personally identifiable information (PII) was compromised. 32% 20% Foreign nation-states // 5

6 60% EHRs continue to drive security investment What trends drive security spending? 60% 53% 50% 44% 40% 40% 30% 31% 33% 27% 29% 27% 23% 25% 24% 17% Implementation of electronic health records (EHRs)/ public health records (PHRs) Data sharing via Health Information Exchanges Increased drive for outcomebased research and health analytics Data sharing via medical devices Data sharing via mobile devices Data sharing via social media Data sharing via telemedicine Recently, a major US hospital chain reported that personal records of several million patients were stolen. 2 While the total number of survey respondents who attribute security incidents to foreign nation-states is comparatively low, they are the fastest-growing source, increasing 206% over. This rise in incidents perpetrated by highly organized threat actors is part of a larger pattern we have seen: Data losses are shifting from accidental compromises (such as the use of an incorrect address for distribution of sensitive data) to more targeted and broader attacks by nation-states, organized crime, and activists/hacktivists. It s a troubling trend, but the good news is that many healthcare payers seem to be taking these threats seriously. Investment in information security increased 66% over, and spending on information technology is up 53%. While implementation of electronic records remains the primary driver for security spending, its influence is beginning to wane. 2 PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015, September 30, // 6

7 Companies are forming new business relationships to meet heightened consumer expectations. The need to invest in security will only increase as today s connected consumers expect access to complete medical records via health portals set up by hospitals, individual physicians, and payers. Consider the following: Consumer demand for electronic access to health records and changes in the traditional fee-for-service based payment model will demand that organizations forge new business associations between a range of healthcare payers, as well as invest in identity management technologies. Just as consumer healthcare behavior is evolving, so too are relationships among health companies. Increasingly, healthcare companies are forming new affiliations with a range of partners to meet changing customer demands. Payers are investing in analytics companies, physician group practices, and healthy food programs. These acquisitions are driving consolidation and convergence in the health industries. Drugstores are providing more care through in-store clinics that offer immunizations, wellness screening, and routine lab work like blood tests. As the industry focuses on population health management, which seeks to reduce medical interventions through entive care and targets hospitals traditional fee-forservice payment system, providers are altering business models to address increasing financial risks. And as health information exchanges and EHRs go online, even more third parties are involved in the digital flow of healthcare information. // 7

8 These shifts in relationships may increase compliance risks as new partners take on unfamiliar roles that are subject to increasingly stringent privacy regulations. Top 5 security challenges in 35% The Final Health Insurance Portability and Accountability Act (HIPAA) Rule, for instance, expands accountability to subcontractors of business associates, who are now required to comply with the HIPAA Privacy Rule and Security Rule, including the same provisions related to physical, administrative, and technical safeguards applicable to business associates. This creates additional burdens for business associates, but it also produces new cybersecurity risks by expanding the attack surface through sharing of more data. The risks are compounded when healthcare organizations execute business-associate agreements without adequate due diligence and monitoring of these third parties. Other organizations may more thoroughly evaluate business associates while ignoring other vendors that may also have trusted information to sensitive information. As one highprofile retailer breach last year so conclusively demonstrated, cyber adversaries can and will access sensitive data and networks via third-party vendors. For many healthcare payers, the HIPAA Final Rule may represent a challenge. We found, for instance, that only 54% of respondents conduct risk assessments on thirdparty vendors, and just 60% conduct compliance audits of third parties that handle personal data of customers and employees to ensure they can protect this information. Access control and identity management for end users Data leakage ention 30% Landmark privacy regulation will impact organizations operating in Europe. Cloud computing The European Union (EU) is on course in the coming months to adopt its biggest privacy-regulation overhaul in a generation. The new reform rules are expected to introduce extensive breach-notification requirements, give regulators the power to perform compulsory audits, and impose fines as high as 30% Encryption in storage and in transit 27% Regulatory requirements 5% of annual worldwide turnover. As a result, multimillion-euro penalties for non-compliance could become commonplace in the EU. 23% What s more, under the new regulation, the EU s classification of personal health information as sensitive could result in heightened obligations and scrutiny for organizations in the healthcare, pharmaceutical, and life sciences industries. // 8

9 The use of smartphones and tablets, both by employees and customers, to access protected healthcare data is likely to further elevate risks of compromise. Security strategies are often lacking Have a strategy for: 62% 58% 57% 55% 56% 47% N/A 53% N/A 44% Employee use of personal devices on the enterprise Social media Cloud computing Big Data The Internet Privacy rules, after all, apply when any protected health data is accessed and transmitted, whether from a centralized customer relationship management system or an individual physician s smartphone. Already, almost one in five (19%) respondents report compromise of mobile devices in the past year. Among healthcare providers, physicians who bring their own smartphones and tablets to the workplace are a particular concern. These devices may not be integrated with the workplace IT system, and that makes it difficult for the security function to monitor transmission of patient data. Given the risks, it seems surprising that 38% of respondents have no security strategy governing employee use of personal devices on the enterprise. Also consider that healthcare payers, thanks in large part to the implementation of EHRs and sensor-based health-monitoring devices, are swimming in a rapidly rising sea of data. Data analytics is likely to transform healthcare by helping predict and diagnose illness, monitor patient wellness, better understand customer preferences, and increase operational efficiencies. Big Data analytics also can help organizations model for and predict security incidents. Among healthcare payers and providers, 44% say they have Big Data analytics in place, and an additional 15% outsource analytics. The majority (58%) of those who have harnessed data analytics say it has enabled them to detect more incidents. To protect this trove of data, it s essential that organizations implement the proper security safeguards. Yet 47% of respondents do not have a security strategy for Big Data, and others lack important security tools and policies such data loss ention (40%) and an inventory of where personal data is collected, stored, and transmitted (36%). Implementation of security controls may be particularly challenging when the analytics is outsourced to a cloud services provider. // 9

10 The convergence of information, operational, and consumer technologies will bring great benefits and new risks. The Internet will introduce tremendous benefits for healthcare organizations and life-changing conveniences and wellness opportunities for consumers. It also will create a new world of security risks, a fact that many respondents seem to realize. In fact, 44% of healthcare payers say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 24% say they are working on a strategy. Nonetheless, many seem to be implementing these new technologies before they can be secured. The security implications are potentially colossal. Exponentially more personal information will be traversing more connected corporate ecosystems and personal networks of consumers, increasing risks to sensitive patient information. An effective security strategy should identify protected data, determine ownership, and define accountability before consumer and operational technologies are connected to the IT system. This is key because, unlike a stolen payment card number, consumers cannot simply request a new identity or health history once the information has been breached. Health information is also much more personal than a credit card number: Consumers may not be concerned in the long run if payment card data is leaked, but health conditions such as infectious diseases or the use of certain medications can be deeply personal. To determine what assets are high priority, healthcare payers should identify their most valuable assets and determine who owns responsibility for them. Assigning ownership and accountability will become increasingly challenging as more electronic data is shared among a new constellation of partners. Almost half (47%) of respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational systems like automated pharmacy systems with their IT ecosystem. Yet most have not taken precautions to help ensure the security of these IT-connected devices. Just more than one-third (34%) say they have contacted device manufacturers to understand security capabilities and risks, and 58% have performed a risk assessment of the technologies. Only 53% have implemented security controls. 62% 60% It s also an area in which there is great room for improvement: We found that just 62% of respondents have a program to identify sensitive assets, and fewer (60%) have an inventory of all third parties that handle personal data. // 10

11 Cybersecurity and privacy should be embedded in the organization s DNA, with a topdown commitment to security and ongoing employee training programs. This year s survey finds cause for some optimism. The number of healthcare organizations that have employee training programs (62%) and those that require employees to complete training on privacy practices and policies (73%) both increased over last year. Nonetheless, training should be universal, and accountability should cascade from the C-suite to every employee and third-party vendor and supplier. Top-down commitment and participation is essential. This year, 65% of healthcare payers say a senior executive communicates the importance of information security to the entire organization. That s a healthy gain from last year (58%) and demonstrates that the executive team is taking ownership of cyber risk. But ownership of risk also demands that senior executives proactively ensure that the Board of Directors understands how the organization will defend against and respond to cyber threats. We have heard much discussion about Board concern after the recent rash of retailer breaches, but our survey demonstrates that organizations clearly have not elevated security to a Board-level discussion. Consider, for instance, that only 25% of respondents say their Board of Directors participates in reviewing current security and privacy risks a crucial component of any effective security program. Just 24% are involved in security technologies and 32% participate in security policies. Slightly more, 36%, take a role in setting the security budget. How Boards participate in security Security in the new health economy A sweeping transformation of the health economy is well under way. Connected technologies, Big Data analytics, and electronic health records are combining to redefine consumer demands and business models. At the same time, sophisticated threat actors are devising new ways to compromise and steal digitized medical data. 40% 36% 32% 25% 24% 18% 15% Taken together, this inexorable shift will demand a rethink of information security. At the heart of this initiative should be a risk-based cybersecurity program to identify, manage, and respond to privacy and security threats. Overall security strategy Security budget Security policies Review of security and privacy risks Security technologies Review roles and responsibilities of security organization Review of security and privacy testing // 11

12 To have a deeper conversation about cybersecurity, please contact: Healthcare payers United States Jay Cline Principal, Risk Assurance jay.cline@us.pwc.com Mick Coady Principal, Health Industries mick.coady@us.pwc.com Joe Greene Principal, Health Industries joe.greene@us.pwc.com Peter Harries Principal, Health Industries peter.harries@us.pwc.com // PwC helps organisations and individuals create the value they re looking for. We re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc. // 12