Predictive Analytics to Reduce Data Breach Risk Thursday, March 3, 2016

Transcription

1 Predictive Analytics to Reduce Data Breach Risk Thursday, March 3, 2016 John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC Kurt J. Long, CEO & Founder, FairWarning, Inc.

2 Conflict of Interest John Houston: Has no real or apparent conflicts of interest to report. Kurt J. Long: Has no real or apparent conflicts of interest to report.

3 Agenda Escalating threats and security risks in healthcare Creating a multi-layered privacy and security program Leveraging predictive analytics Creating a modern threat detection/threat response organization Privacy and security program challenges

4 Learning Objectives Explain how to create an innovative and modern security program Illustrate how a predictive analytics approach to security can help to identify anomalies in patterns to help prevent a breach Explain techniques to dramatically reduce the time it takes to identify a breach should it occur, before too much damage has been done Describe a multi-vendor scenario Design very specific steps healthcare organizations can take on how to assess their risk posture using multiple vendors

5 How Benefits Were Realized for the Value of Health IT Patients put their lives in the hands of not only the doctors they select, but in the medical institutions they trust. Do no harm should extend to all aspects of care including electronic health data. By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money. As an industry, we need to do better at preventing breaches and decreasing the time it takes to discover them should they occur. By securing electronic health records and protecting patient privacy, providers can ultimately ensure compliance and gain better patient trust --ultimately leading to better overall patient outcomes.

6 Escalating Advanced Threats Rise of Cyber Threats to Healthcare Industry Foreign National Espionage IRS Tax Fraud Sale of Patient Data to Crime Rings Sale of Employee Data to Crime Rings Sale of Physician Data to Crime Rings Medical & Financial ID Theft Lost laptops, media, paper records Snooping 1 Patient Complaints Pre

7 Overall Risks from a Breach Diminished patient care Financial loss Reputation loss Data integrity loss Fraud: Id theft Medical id theft Tax fraud CMS fraud Money laundering Blackmail/Extortion

8 Now imagine your EHR was held hostage? Real and growing threat to healthcare in 2016 Attacks grew 113% in 2014 according to 2015 Symantec Internet Threat Report Why EHR? High value to the data, you need it, and you re likely to pay to get it back Doctors wouldn t have the vital information needed to treat patients. Records of patient and insurance payments would be lost, patient personal and credit card information would be compromised. HIPAA breach/ocr fines And so on

9 We are all patients And the long-term effects of a PHI breach have yet to be realized 91% of Healthcare organizations have had at least one data breach involving the loss of theft of patient data in the last two years Source: Forbes May 2015 As of November 2015, breaches impacted 119,959,229 patients. That s well over onethird of all United States citizens who have suffered an information breach through the healthcare industry. Source: Identity Theft Resource Center

10 How long does it take to discover a breach? On average hackers had access to victims environments for 205 days before they were discovered and 69% of victims learn from a third party that they are compromised* Source: Mandiant M:Trends 2015, View From the Front Lines Report

11 The lines are blurring between internal and external breaches How do you identify an internal breach vs and external breach? You can t! You need multi-layer threat detection and response Different solutions at different layers

12 What do you even look for? Need to understand how to investigate All comes down to analytics Most organizations aren t doing this AND don t know what to look for

13 Creating a multi-layered privacy and security program Critical elements: Qualified and expertly trained privacy and security staff Proper, multi-layered, multi-vendor, IT infrastructure leveraging bestof-breed security solutions Patient privacy monitoring using advanced technology Coordinated threat prevention/response framework Education programs that create a culture of privacy, security and compliance

14 How can you get ahead of a breach? Managed privacy & security services Information security Data visualization Trending Analytics

15 Managed Privacy & Security Services

16 Information Security Coordinated threat detection and response Internal threat detection needs to coordinate with external SIEMs Faster more coordinated detection Improve patient privacy

17 Creating a modern threat prevention and response framework Source: FireEye Solution Brief

18 A picture is worth a thousand rows of data Data visualization & trending depicts graphically what is happening to your data

19 Visual Analytics for Advanced Threats Imagine a phishing scam where a nation state gets access to credential and downloads thousands of records Access patient demographics after hours Benchmark users activity by self / peers Recognize specific events / actions

20 Statistical Analysis of User Behavior and Trending Statistical analysis of a user s behavior relative to themselves Statistical analysis of user s behavior relative to their peers Trending comparisons over time

21 Leveraging predictive analytics to find a breach Using data to protect data Looking at patterns and statistics Multiple sources of information

22 Creating a modern threat detection/threat response organization How do you leverage multiple technologies to break through the noise to create a modern threat detection/threat response organization? Big data SIEM Identity management Patient privacy monitoring Big data Identity Management Modern threat detection and response program SIEM Patient privacy monitoring

23 A Summary of How Benefits Were Realized for the Value of Health IT Patients put their lives in the hands of not only the doctors they select, but in the medical institutions they trust. Do no harm should extend to all aspects of care including electronic health data. By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money. As an industry, we need to do better at preventing breaches and decreasing the time it takes to discover them should they occur. By securing electronic health records and protecting patient privacy, providers can ultimately ensure compliance and gain better patient trust --ultimately leading to better overall patient outcomes.

24 Questions John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC Kurt J. Long, CEO & Founder, FairWarning, Inc.