The State of Web and Mobile Application Security in Healthcare
- Anthony Sims
HIMSS Analytics study sheds light on where the industry stands, where it needs to go
Given the widespread adoption of electronic health record (EHR) systems and health IT generally, healthcare organizations now are faced with the daunting challenge of securing these systems to keep patients safe, data secure and systems running efficiently.

The problem: The detailed data in EHRs and other applications is a hot commodity, making organizations particularly vulnerable to cyberattacks. In fact, the number of breaches has grown from 2.7 million in 2012 to more than 94 million through the first half of 2015, according to the U.S. Department of Health and Human Services. Recent mega breaches have resulted in 78.8 million records being exposed at one health organization, 11 million at another and 4.5 million at a third. [1]

This flurry of breaches can be attributed to the poor state of cybersecurity across the healthcare industry brought about by the rapidly expanding IT footprint, a bottoms-up culture where centralized security policies are difficult to enforce and the impact of a significant skills gap.

These problems are compounded by the fact that healthcare data has become highly sought after by cybercriminals. The black-market value of information contained in healthcare records is significant: an individual healthcare record brings up to $50, 10 times as much as a stolen credit-card number. [2] Healthcare data is a lot more valuable than other types of data because it has all the components criminals need, such as the patient's mother's maiden name, date of birth, billing information and diagnosis codes, among other sensitive data. Unlike simple credit-card data, criminals can use stolen healthcare data for a wide variety of activities, including committing insurance fraud, purchasing medical equipment and obtaining controlled substances.
Donald Good, deputy assistant director of the Federal Bureau of Investigation's cyber division, recently told an audience at the HIMSS Connected Health Conference in Washington, D.C., that healthcare data contains a treasure trove of information for cybercriminals. "For a number of years, folks I think realized there was a threat out there, but it wasn't as pervasive as it is today. It's not a question of whether or not you've been compromised. You will be compromised at some point," said Good, who called the current cyberthreat environment "the most dynamic and complex that we have ever seen." [3]

Two-thirds of the provider organizations that participated in the 2015 HIMSS Cybersecurity Survey reported that they have experienced a security incident. What's troubling is the fact that most healthcare leaders seem surprised by how sophisticated and persistent cybercriminals can be. "I don't think anyone was prepared for the level of cyber threats we're seeing," said Lisa Gallagher, vice president of technology solutions for HIMSS. "What we saw in the most recent attacks made a lot of us rethink how secure our systems are." [4]

The impact on healthcare providers is plain as we've seen massive breaches that have led to a drop in provider credit ratings by leading firm Moody's. [5]

What's even more disconcerting is the fact that security matters in healthcare might get worse before they get better, according to Chris Wysopal, CTO and CISO of Veracode. "The value of medical information, ramp-up in nation-state activity and complex bottoms-up culture is creating a perfect storm of cyberthreats targeting healthcare in 2016 and 2017," he said.

With such threats looming, healthcare organizations need to up their security game. A new HIMSS survey, conducted on behalf of Veracode, of more than 200 healthcare IT executives working at provider organizations across the country reveals valuable insight into the state of application security in healthcare today. Results from The State of Web and Mobile Application Security in Healthcare specifically shed light on:

- Where organizations are in relation to application security
- The challenges that they face as they develop and implement application-security strategies
- Their plans regarding investments in application-security technologies and training
- Projected strategies related to the policies and programs needed to enforce web- and mobile-application security

Fear of Application Vulnerabilities being Exploited is #1 Concern

Not surprisingly, one of the top worries of healthcare organizations is how easily cyberattackers can exploit vulnerabilities in web, mobile and cloud-based applications. In fact, this worry ranked highest, over employee negligence/malicious insiders and phishing attacks on employees (see Figure 1).

Data from actual code-level analysis of billions of lines of code conducted by Veracode shows that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning. In addition, healthcare fares worse than the vast majority of other industries when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.
The impact of such breaches weighs heavily on the minds of healthcare leaders as well, as survey respondents cited loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top three security-related fears (see Figure 2).

1. Loss of life due to compromised networks or medical devices (pacemaker, drug pump, etc.)
2. Brand damage due to theft of sensitive patient information
3. Regulatory enforcement (HIPAA, PCI, etc.)
4. Costs of responding to breach (forensics, cleanup, credit reporting, etc.)
5. Class-action lawsuits following a breach
6. Loss of revenue due to downtime following a breach (e.g., Sony)

Understanding the nature of security threats is the first step in creating an effective defense. According to The State of Web and Mobile Application Security in Healthcare, healthcare organizations' most pressing threat motivators lie in identity theft/medical insurance fraud and theft of personal health information by nation states for espionage and/or extortion purposes.
"If you understand how the information can be used, then you quickly can understand how personal health information can be of a higher value than credit-card information to nation-state attackers," Wysopal pointed out. Credit-card information is not worth much on the black market. Criminals can make so much more money through identity theft and by extorting personal health information.

Understanding how hackers gain access to data also is key to developing a solid defense. To start, leaders need to become cognizant of the risks associated with applications, Lee Kim, JD, director of privacy and security at HIMSS, pointed out. "With all applications, there is the worry of the vulnerability being in the application itself," she said. "When the application was built, was it built with security in mind or was it an application that was designed quickly and security concerns were overlooked?" Leaders need to ask and get answers to these types of questions.

Considering most applications are pieced together with open-sourced components and libraries, understanding the risks is essential. The Heartbleed vulnerability, for example, should serve as a wake-up call for the importance of understanding how an application is built. This 2014 vulnerability is still found in the commonly used open-source cryptography library OpenSSL. Any server or web site using a vulnerable version of OpenSSL is at risk of having a variety of data exposed, including private keys, usernames and passwords, session cookies and other sensitive data from users connecting to the service.
Healthcare Providers are Scared of Liability

Liability over a breach is top of mind for healthcare providers and much activity is being planned to address their exposure should a breach occur. To meet liability requirements, 57 percent of survey respondents say they are increasing spending on external security assessments, such as code audits. Another 56 percent are inserting liability clauses into contracts with commercial-software vendors to lessen the risk of exposure from their software supply chain. And more than half are implementing standard frameworks such as SANS Institute Security Controls as a means to create a baseline security posture from which future improvements can be benchmarked (see Figure 3).

"In general, we are seeing an uptick in liability lawsuits where people are harmed from a breach either financially, reputationally or physically," Wysopal said. These suits are popping up in a variety of industries. The most recent example is that of Wyndham Worldwide. For those unfamiliar with the case, the FTC alleged that the global hotel chain had violated Section 5 of the FTC Act by failing to employ reasonable data-security measures, including the use of vulnerable out-of-date software, [6] which in turn led to a breach involving sensitive customer information. According to the complaint, these failures resulted in more than $10 million of fraudulent charges on consumers' credit and debit cards, as well as the transfer of hundreds of thousands of consumers' account information to a website registered in Russia. Wyndham Worldwide contested these claims by challenging the FTC's authority to regulate companies' data security standards. In December 2015, the courts ruled with the FTC, opening the door for further enforcement of such standards in other industries. [7]

While the healthcare space is accustomed to legal action surrounding malpractice, liability tied to poor IT security is new, and the challenge will be implementing systems that allow for due care to be followed in avoiding a breach.

Action Needed Toward Due Care

To ensure security, healthcare organizations need to invest in web- and mobile-application security initiatives. According to the HIMSS/Veracode survey results, 80 percent of the survey respondents do not have policies regarding the use of automated controls for governing open-source components in applications. As healthcare organizations move toward using applications from third-party developers, they need to ensure that these applications properly protect data.

Auditing applications, however, is a labor-intensive endeavor. The commonly used practice of manual penetration testing requires highly skilled professionals to spend days if not weeks looking for code vulnerabilities that could be exploited in the software. That's why 67 percent of organizations are turning to automated assessment of code, which is used to discover potential vulnerabilities, according to the HIMSS/Veracode survey results.

When organizations build software applications, they need to make sure that security is a top concern. The people building the software are typically competent engineers who are building high-quality, high-performance software. However, unless they have received training in web- and mobile-application security, they are probably unaware that applications should be written in a certain way to eliminate vulnerability.
"All developers should receive training in web- and mobile-application security, no matter what language they are developing in," Wysopal said.

What's more, as healthcare professionals now use all kinds of mobile technologies, leaders need to pay close attention to the security of data touched by mobile applications. Encryption is used most frequently to secure data on mobile devices, as it is currently leveraged by 81 percent of organizations. In addition, some trailblazing organizations are taking their precautions a step further by tapping into a variety of best practices such as the use of mobile-device management solutions (69 percent), participation in application blacklisting and/or whitelisting based on security/privacy ratings (39 percent) and the prohibition of personal devices from connecting to hospital networks (29 percent).

Wysopal suggests that organizations also test medical devices and hold vendors accountable for security gaps. Many medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients. In August of 2015, the FDA and Department of Homeland Security issued a statement that strongly encouraged healthcare facilities to discontinue the use of Hospira's Symbiq infusion pump over software vulnerabilities that could potentially put patients' lives at risk. [7]

"You might think, why would someone want to break into grandma's infusion pump?" Wysopal posed. The Internet of Things is particularly an issue in the healthcare space, where so many connected devices exist and offer criminals a pathway to collect data for use as ransom or, more likely, through which they can access the facility's network the device connects to.

Push to Address Bottoms-Up Cultural Constraints

One of the biggest challenges healthcare organizations face is addressing the fact that most of the power is held by the doctors themselves, rather than in a centralized manner.
This bottoms-up culture means that it becomes very difficult for a CISO to implement consistent controls across all business units and departments, resulting in serious vulnerability issues for the organization. Some healthcare organizations have already started to push to address this challenge by making security a top institutional priority, with 65 percent reporting investment in security technologies that enable governance policy enforcement; 51 percent investing in training initiatives to educate department heads about cybersecurity; and 44 percent pushing the CEO to be an advocate for central IT-security policy across all departments (see Figure 4).

N=168; respondents could select more than 1

Despite the progress made, significant hurdles remain. What's most disconcerting, perhaps, is the fact that many organizational leaders have not yet upped their security investments. According to the survey respondents, the lack of budget and attention from senior management is the top challenge that organizations face when addressing web- and mobile-application security.

"Until there are big breaches and something hits close to home, organizations typically stay away from making big investments in security. We have seen that in every industry. Healthcare is no exception. With a number of big breaches being reported in 2015, however, we will probably now start to see some changes," Wysopal said.

As healthcare organizations move in this direction and face web- and mobile-application security risks head on, they will need to make the monetary and time investments required to arrive at an understanding of the risks that cyberattackers pose to their organization.
Then they will need to take action by developing application-security policies, supporting application-security training and implementing application-security technologies that can protect all of the electronic data that they have worked so hard to amass in recent years on behalf of delivering high-quality, more-efficient care.

About Veracode: Veracode is a leader in securing web, mobile and third-party applications for the world's largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market without compromising security. Veracode's powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes' 100 Most Valuable Brands. Learn more at on the Veracode blog and on Twitter.

Copyright Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.
More informationThe Growing Threat of Medical Identity Fraud: A Call to Action. Presented by: Bill Barr, Development Coordinator, MIFA
The Growing Threat of Medical Identity Fraud: A Call to Action Presented by: Bill Barr, Development Coordinator, MIFA Agenda Review the challenge and cost of medical identity theft and resulting fraud
More informationIT Risk Management: Guide to Software Risk Assessments and Audits
IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5
More informationHow To Find Out What People Think About Hipaa Compliance
Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationTHE CHANGING FACE OF IDENTITY THEFT THE CURRENT AND FUTURE LANDSCAPE
THE CHANGING FACE OF IDENTITY THEFT THE CURRENT AND FUTURE LANDSCAPE Identity is the unique set of characteristics that define an entity or individual. Identity theft is the unauthorized use of an individual
More informationA BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper
A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively
More informationWhat is Penetration Testing?
White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking
More informationHow to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors
How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors July 2014 Executive Summary Data breaches cost organizations millions and sometimes even billions of dollars in
More informationAttack Intelligence: Why It Matters
Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,
More informationSMALL BUSINESS PRESENTATION
STOP.THINK.CONNECT NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION ABOUT STOP.THINK.CONNECT. In 2009, President Obama issued the Cyberspace Policy Review, which tasked the Department
More informationVerizon 2014 PCI Compliance Report
Executive Summary Verizon 2014 PCI Compliance Report Highlights from our in-depth research into the current state of PCI Security compliance. In 2013, 64.4% of organizations failed to restrict each account
More informationData Security. So many businesses leave their data exposed, That doesn t mean you have to. 2014 Computerbilities, Inc.
Data Security So many businesses leave their data exposed, That doesn t mean you have to. 2014 Computerbilities, Inc. Table of Contents: 1. Introduction 3 2. Cybersecurity: The loopholes in the system
More informationAnthem Hack, Cracked
Anthem Hack, Cracked Failed SIEM Deployment Jolts Industry Today, with so much finger-pointing and talk about Anthem Blue Cross, security failures, who s doing what and who s getting hacked, one of the
More informationTestimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies
Marsh & McLennan Companies, Inc. 1166 Avenue of the Americas New York, NY 10036 +1 212 345 5000 Fax +1 212 345 4808 Testimony of PETER J. BESHAR Executive Vice President and General Counsel Marsh & McLennan
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationContinuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability
A Custom Technology Adoption Profile Commissioned By BitSight Technologies Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability Introduction As concerns around
More information$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP
David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!
More informationRemaining Secure in an Evolving Industry. White Paper
Remaining Secure in an Evolving Industry White Paper Remaining Secure in an Evolving Industry How Healthcare Organizations Can Manage Risk by Managing Data We live in interesting and exciting times. Our
More informationSymantec Cyber Security Services: A Recipe for Disaster
When On-The-Job Training Is a Recipe for Disaster How security simulation prepares IT staff for APTs, breaches and data leakages Contents Sometimes On-The-Job Training Is a Lousy Idea... 2 On-The-Job Training
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationSecurity Training Why It Benefits Your Organization and How to Make Your Case to Management
Security Training Why It Benefits Your Organization and How to Make Your Case to Management Author: Nick Murison Senior Security Consultant Foundstone Professional Services Introduction A major challenge
More informationBIG SHIFT TO CLOUD-BASED SECURITY
GUIDE THE BIG SHIFT TO CLOUD-BASED SECURITY How mid-sized and smaller organizations can manage their IT risks and meet regulatory compliance with minimal staff and budget. CONTINUOUS SECURITY TABLE OF
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationCombating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center
Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average
More informationFEELING VULNERABLE? YOU SHOULD BE.
VULNERABILITY ASSESSMENT FEELING VULNERABLE? YOU SHOULD BE. CONTENTS Feeling Vulnerable? You should be 3-4 Summary of Research 5 Did you remember to lock the door? 6 Filling the information vacuum 7 Quantifying
More informationCYBERCRIME AND THE HEALTHCARE INDUSTRY
CYBERCRIME AND THE HEALTHCARE INDUSTRY Access to data and information is fast becoming a target of scrutiny and risk. Healthcare professionals are in a tight spot. As administrative technologies like electronic
More informationDiscussion on Network Security & Privacy Liability Exposures and Insurance
Discussion on Network Security & Privacy Liability Exposures and Insurance Presented By: Kevin Violette Errors & Omissions Senior Broker, R.T. Specialty, LLC February, 25 2014 HFMA Washington-Alaska Chapter
More informationA Case for Managed Security
A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction
More informationManaging the Unpredictable Human Element of Cybersecurity
CONTINUOUS MONITORING Managing the Unpredictable Human Element of Cybersecurity A WHITE PAPER PRESENTED BY: May 2014 PREPARED BY MARKET CONNECTIONS, INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA 20151
More informationSecurity strategies to stay off the Børsen front page
Security strategies to stay off the Børsen front page Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company 1 2012 IBM Corporation Given the dynamic nature of the challenge, measuring the
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationRemarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014
Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 It s a pleasure to be with you back home in Boston. I was here just six weeks ago
More informationCombating a new generation of cybercriminal with in-depth security monitoring
Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationNETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES
NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES September, 2015 Derek E. Brink, CISSP, Vice President and Research Fellow IT Security and IT GRC Report Highlights p2 p4 p6 p7 SMBs need to adopt a strategy
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More information