Small Business Development Opportunity: Healthcare CyberSecurity

Transcription

1 Small Business Development Opportunity: Healthcare CyberSecurity 1

2 TABLE OF CONTENT Sections Pages Healthcare Cybersecurity Background Issues 3 Market Analysis 5 Private Investment Activities 8 Health Technology Startup Development & Growth Process Market Analysis Business Model Business Plan Small Business Development Funding Options Small Business Innovation Research (SBIR) Maine Technology Institute (MTI) 9 10 About HealthTech Maine 13 2

3 Healthcare Cybersecurity Background Issues Healthcare Industry Problem Information security is one the most critical issues facing the healthcare industry. Cybersecurity, in fact, is a significant problem that seriously impacts the industry s patients, reputation and financial bottom line. Here are a few facts that demonstrate the harm: Medical records of more than 40 million Americans were breached in According to the Ponemon Institute, medical identity theft increased by nearly 22 percent, in 2014, which resulted an estimated $12 billion annual, unbudgeted cost to the healthcare industry. Between 2010 and 2014, approximately 37 million healthcare records were compromised in data breaches, but in the first 4 months of 2015 alone, more than 99 million healthcare records have been exposed through 93 separate attacks. For the first time, the majority of breach activity in healthcare has been a direct result of criminal behavior. 2 Data breaches cost the healthcare industry approximately $5.6 billion annually 3 A TransUnion Healthcare survey found that nearly seven out of 10 consumers would avoid a healthcare provider that has experienced a data breach. 4 In 2014, the FBI warned healthcare providers their cybersecurity systems are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans' personal medical records and health insurance data. 5 1 Wedi- Cybersecurity Perspective on Cybersecurity in Healthcare HIMSS Cybersecurity Survey Executive Summary June 30, The Fourth Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute 4 For healthcare companies, data security is a critical test, Gerry McCarthy, President of TransUnion Healthcare, July 17, FBI warns healthcare sector vulnerable to cyberattacks, Modern Healthcare, April 24 th

4 Why The Healthcare Industry Is An Attractive Target HealthTech Maine There are a number of reasons why hackers target healthcare organizations. Many hospitals, physician practices and health plans, for example, lack the security, governance or risk management to effectively detect, mitigate and prevent front-line cyber threats according to the Perspectives on Cybersecurity in Healthcare June 2015 report, produced by the Workgroup for Electronic Data Interchange (WEDI). Another more significant reason has to do with patient medical records: Hackers are able to get $20 per patient medical record, compared to $1 or $2 for an individual s credit card numbers on the black market. Finally, industry critics believe healthcare executives and decision makers have failed to regard cybersecurity as a strategic business priority in terms of spending the necessary money to protect their information systems; as noted in the WEDI report, Many healthcare organizations have not invested sufficiently in robust IT security measures that can protect and encrypt health data in electronic health record (EHR) systems, interfaces, repositories, databases, connected medical devices and personal devices. Healthcare Industry Response In responding to the growing threat of cybersecurity, the 2015 HIMSS Cybersecurity Survey reported, The majority of respondents (87 percent) also indicated that information security had increased as a business priority at their organizations over the past year, resulting in improvements to security posture, such as improvements to network security capabilities, endpoint protection, data loss prevention, disaster recovery and information technology (IT) continuity. The healthcare industry, at the same time, is expected to spend only $10 billion dollars worldwide by 2020, according to ABI Research, which represents less 10 percent of global spending on critical infrastructure security. Industry executives, in other words, recognize the seriousness of their problem, but they are not appropriating the necessary money to effectively combat the problem. The healthcare industry is also trying to recruit experienced cybersecurity professionals as a response. However, this strategy is providing to be a difficult challenge because of the shortage and pay demands of this talented group. Moreover, the healthcare industry must compete directly against other industries, e.g., finance and defense, which have a more successful track record of attracting and hiring cybersecurity professionals. 4

5 Market Analysis Cybersecurity Market Outlook According to market research firm Gartner, global spending on IT security is set to increase 8.2 percent in 2015 to $77 billion, and the world will spend $101 billion on information security in The online industry source, Cybersecurity Market Report, indicates the cyber security market will be worth $75.4 Billion in The cybersecurity market is estimated to grow to $ billion by 2019, at a Compound Annual Growth Rate (CAGR) of 10.3 percent from 2014 to 2019, according to a report from Markets and Markets. Cybersecurity for healthcare is still a small, fragmented market but the potential opportunities for expansion are large and will continue to grow as healthcare organizations increasingly come under cyberfire, says Michela Menting, ABI Research Digital Security Practice Director. Healthcare Industry Security Situation ABI Research s Cybersecurity Strategies for Critical Infrastructure Market Research: Hospitals, clinics, trusts, and insurers are constantly under attack from malicious online agents. And yet the industry spends very little on cybersecurity, comparatively to other regulated critical industries. The New England Journal of Medicine, Perspective, Cybersecurity in Health Care, July 31, 2014: Within the health care industry, 72% of recent malicious traffic, viruses, and similar attacks have been directed against hospitals, clinics, large group practices, and individual providers, with the remaining 28% being spread among provider organizations, health plans, pharmaceutical companies, and other entities. 5

6 A Compilation of Healthcare Industry Executive Survey Findings 2015 KPMG Healthcare Cybersecurity Survey: When asked about readiness in the face of a cyber-attack, 66 percent of execs at health plans said they were prepared, while only 53 percent of providers said they were ready. Malware, software designed to disrupt or gain access to private computer systems, is the most frequently reported line of attack during the past 12 to 24 months, according to 65 percent of survey respondents. Botnet attacks, where computers are hijacked to issue spam or attack other systems, and internal attack vectors, such as employees compromising security, were cited by 26 percent of respondents. The areas with the greatest vulnerabilities within an organization include external attackers (65 percent), sharing data with third parties (48 percent), employee breaches (35 percent), wireless computing (35 percent) and inadequate firewalls (27 percent) PwC Global State of Information SecuritySurvey 2015: When compared with last year, security spending over the next 12 months will? 62.19% Increase 25.61% Stay the same 12.2% Decrease 2015 Healthcare Tech Purchasing: Healthcare providers are on the lookout for better security products: Over 24% of the respondents are planning to make a purchase in Only 22% of hospital leaders are definitely renewing their existing product, which means there is an incredibly large replacement market in the world of data security HIMSS Cybersecurity Survey: 81% of respondents believe more innovative and advanced tools are needed to combat security threats. 6

7 Cybersecurity Market Snapshot Leading Industry Participating Companies IBM Intel Trend Micro Symantec Cisco Sophos Barracuda VMware Computer Sciences Corporation Security Market Segments The market is segmented into solutions such as identity and access management, risk and compliance management, encryption, data loss prevention, unified threat management, firewall, antivirus and antimalware, Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), Security Information and Event Management (SIEM), disaster recovery, Distributed Denial of Service (DDoS) mitigation, and whitelisting. Healthcare Industry Landscape 2015 Healthcare Tech Purchasing report: The data security market currently has a few major power players and a lot of smaller contenders. There doesn t seem to be a vendor that is specifically dedicated to healthcare data security. Cisco is the largest vendor for hospitals with up to 500 beds McAfee leads among hospitals with beds VMware pulls into a tie with Cisco for hospitals with beds Most hospital executives at the largest facilities are unsure who they are currently using for data security 7

8 Private Investment Activity CB Insights reported that in the first half of 2015 investors poured in $1.2 billion into cybersecurity startups. In 2014, security startups brought in $2.3 billion in investor funding for the whole year. PrivCo, a private research firm, noted companies in the cybersecurity sector jumped by nearly 60 percent in early stage funding from 2012 to Cybersecurity Startups Acquiring Private Investment Company Technology Solution Description Bitglass Protenus Bitglass is a cloud security gateway that helps enterprises move to SaaS-based and mobile deployments securely. Their product detects inappropriate EMR access in real-time, with a focus on insider threats. By addressing unauthorized access at the moment of breach, the company s solution seeks to transform employee behavior to better protect patient privacy and minimize the risk of lawsuits, fines, and reputational damage. CloudLock CloudLock is a leading cloud data security company that provides enterprise class solutions designed to give organizations control over their data in the public cloud, without requiring invasive in-band technology, complicated overhead, or unanswered regulatory risk. E8 Security E8 Security helps enterprises analyze and detect advanced attacks and malicious insider activities. The company was founded by security experts (Google, Visa, Loglogic) with complementary skills and experience in threat modeling and big data. 8

9 Health Technology Startup Development & Growth Process A successful health technology startup development and growth process relies on entrepreneurs implementing three things: a thorough market analysis, a comprehensive business model and a practical business plan. These documents, in fact, provide health technology entrepreneurs with key information and data enabling the company to perform the following: (1) Develop a viable cybersecurity technology solution that meets an identified need; (2) Recognize and respond to the needs of potential buyers and users, e.g., hospitals, physician practices, or health plans; (3) Capture and utilize the company s competitive advantages; and (4) Articulate a cost-effective business operational strategy that results in keeping costs down, generating consistent revenues and earning profits. (2) Business Model (1) Market Analysis (3) Business Plan Your Health Technology Startup & Proposed Cybersecurity Solution: Incorporating and implementing a market analysis, a business model and a business plan to develop a novel cybersecurity solution and grow a successful small business. 9

10 Small Business Innovation Research (SBIR) Program Started at the National Science Foundation in 1982 and now includes eleven other participating federal agencies, SBIR is a small business development program. It encourages and enables health technology entrepreneurs to compete for research and development (R&D) non-dilutive seed capital to create market-driven novel medical technologies or healthcare IT solutions. The National Science Foundation (NSF) SBIR program offers small health technology startups the best opportunity to develop innovative cybersecurity technologies. Small health technology startups, through a competitive proposal submission process, can seek two rounds of SBIR R&D funding. The first round funding, $225,000, is used to determine the feasibility of a proposed cybersecurity technology concept; while the second round funding, $750,000, is used to produce a technology prototype. GigaShield USB Security Gigashield Inc., Dallas, TX NSF SBIR Funded Cybersecurity Projects Examples This Small Business Innovation Research (SBIR) project addresses the rapidly growing threats to endpoint security from attacks and data loss over USB. At present, virtually all USB security measures are located as software on the host or as a secured physical device. Neither of these approaches is truly capable of addressing the vulnerability as a whole - software solutions can be bypassed and a physical peripheral device cannot secure the data that is transmitted on the bus. The proposed technology is located next to the host, so it is capable of securing the entire bus. Our specific technical objectives include the construction of a security device capable of stopping representative attacks in the USB Threat Model that are not solved by existing solutions. Such a device would enable a disruptive improvement in the field of USB cybersecurity. The anticipated results for proposed project will be the development of the product for deployment to customers. The broader impact/commercial potential of this project would be a disruptive change to USB security. USB security has become critical for many organizations with secure networks, especially healthcare, financial, and defense institutions. 10

11 Immunizing Software Against Exploits and Malware Immunant, Inc., Irvine, CA HealthTech Maine The broader impact/commercial potential of this Small Business Innovation Research (SBIR) Phase I project will result from a reduced incidence of cyber-enabled crime and cyber-related industrial espionage. The company plans to accomplish this by transforming a unique, academically peer-reviewed idea into a production-grade software defense product. If successful, this project will produce robust and practical methods to automatically mitigate a broad class of software vulnerabilities that currently put millions of users and critical national infrastructure at risk. To accomplish these goals, the company will develop its capability to build state-ofthe-art software diversity solutions that are not only secure, but also practical and efficient. Specifically, the project will study and address challenges related to distribution and patching of diversified software as well as the need to hide the effects of diversity during automatic reporting of residual defects found in software after it has been released into production. The availability of practical software diversity techniques will open the door to industry adoption and offer software developers a cost-effective mechanism to improve product security. Security and Privacy: Passwords for Real People Neurocrypt, Bloomington, IN The broader impact/commercial potential of this Small Business Innovation Research (SBIR) Phase I project is to enable individuals and businesses to create and manage the plethora of passwords required by today's information infrastructure. The National Cyber Leap Year initiative identified the need to change the game in cybersecurity, increasing costs for attackers and easing the burdens of self-defense. A broader impact of the proposal is changing the game in favor of defenders, against password guessing or masquerade attacks. The company's technology builds on the human strengths of linguistic diversity and contextual memory to solve the core challenges of passwords: lack of entropy, reuse, and lack of contextualization. People are asked to create passwords without thinking of the domain name, the purpose, the word "password", or the keyboard in front of them. Thus people cannot secure their accounts. The high potential of commercial payback is the protection of personal and commercial assets. Aligning human behaviors and incentives is a promising approach in designing technologies to address social engineering - a problem that has proven intractable in the face of current education, awareness, and technological efforts. 11

12 Maine Technology Institute Maine health technology entrepreneurs, such as physicians, nurses, researchers, scientists, engineers, inventors and experienced healthcare professionals, are able to acquire Maine Technology Institute (MTI) grants to help grow a health technology startup and develop an innovative cybersecurity solution for the healthcare industry. For example, MTI offers TechStart $5,000 grants for startup and small business development activities. The TechStart grant is designed to help health technology entrepreneurs produce key strategic growth documents like a business plan. Startups can use a TechStart Grant to prepare a business plan The KickStarter $5,000 grant, for example, enables health technology startups to use the funding for the preparation and submission of a NSF Phase I SBIR proposal for the development of cybersecurity solutions. More specifically, the money can be used for hiring grant writers, subject matter experts, other consultants or purchasing market research reports needed to complete the proposal. Startups can use a Phase 0 KickStarter Grant to prepare a NSF SBIR Phase I Proposal 12

13 About HealthTech Maine HealthTech Maine is a private consulting firm providing small business development assistance to Maine's health technology entrepreneurs, such as physicians, nurses, researchers, scientists, inventors, engineers, technologists, and experienced healthcare professionals. In particular, we help health technology entrepreneurs formulate, start and build successful small health technology firms. We also help health technology entrepreneurs and eligible small businesses acquire Maine Technology Institute (MTI) and Small Business Innovation Research (SBIR) grants to produce innovative medical technologies or novel healthcare IT solutions for the U.S. and worldwide healthcare marketplaces. SBIR Proposal Development Service HealthTech Maine provides direct SBIR Phase I proposal development services. We work with clients to collect, analyze and apply the necessary information needed to complete each proposal section. We also work with successful, experienced National Science Foundation (NSF) and National Institutes of Health (NIH) SBIR Phase I proposal writers, editors and reviewers to ensure the proposal meet the standards for approval. Page 14 outlines our service approach and delivery process. Leadership & Experienced Professional HealthTech Maine was founded and developed by Mr. Darrell Williams, a Bates College graduate. Mr. Williams is an experienced small business development consultant and advisor. His professional experience includes providing consulting services to small Medical Technology and Healthcare IT firms. He has been involved in the SBIR program since From 1999 to 2004, Mr. Williams led US Small Business Administration (SBA) grant funded SBIR outreach activities for the Washington, DC metropolitan area. He is an award-winning US Small Business Administration (SBA) volunteer. Business Partners We partner with professionals who provide legal, marketing/public relations and proposal development services to our clients. For example, Dr. Laura Hales, Boston, MA -based Isis Group, provides consulting and communications services to the international scientific community. She is an experienced, successful National Science Foundation and National Institutes of Health SBIR Phase I proposal writer, editor and reviewer. She is also an established scientific and business consultant to start-up biotech companies and entrepreneurs. 13

14 Our Approach HealthTech Maine Business Development Assistance We help our clients with: Defining a technology concept that potentially solves a medical/healthcare problem Conducting market research and analysis for new technology development and small business growth Preparing business models and business plans that serve as small business strategic growth documents Preparing Small Business Innovation Research (SBIR) & Maine Technology Institute (MTI) grant proposals HealthTech Maine s business development services are based on: Maine Health Technology Startup Leadership involvement in SBIR program since 1999 Small business planning & market analysis experience, knowledge and skills Publisher of healthcare market segment briefs that illustrate industry small business development opportunities. Partnership with experienced, successful SBIR Phase I proposal writers, editors and reviewers Access to business, healthcare/medical industry and scientific/technical information databases and research materials used to prepare business growth documents, e.g., business plans, and grant proposals. Contact Person: Mr. Darrell Williams, (207) or Darrell@healthtechmaine.com. Contact Mr. Williams today and learn how HealthTech Maine can help you succeed. 14