White Paper. Data Breach Mitigation in the Healthcare Industry
Thursday, October 08, 2015
Table of contents

1 Executive Summary
2 Personally Identifiable Information & Protected Health Information
  2.1 Medical Identity Theft and the Cost to Remediate
3 The Data Breach Problem
4 The PII, Data Storage, Usage and Access Problem
  4.1 Personally Identifiable Information in BI and Operations
  4.2 How PII Data is Stored
  4.3 Data Usage and Access
5 Clarity's Approach
  5.1 Strategy & In Depth Analysis Methodology
  5.2 Architectural Considerations & Designs
  5.3 Legacy Data Stores
6 Outcomes
7 About the Author
8 About Clarity Solution Group

Proprietary Clarity Solution Group, LLC
1 Executive Summary

For the healthcare industry, the risk of being the target of a malicious data breach is higher than ever before. Since the U.S. Department of Health and Human Services started tracking unauthorized data breaches of Personally Identifiable Information (PII) and Protected Health Information (PHI) in 2009, there have been over 1,200 major data breaches, with over 135,000,000 individual records or health records lost or stolen. [1] In a recent poll, more than 90% of the healthcare organizations responding claimed they had been part of a data breach that exposed patient data within the past two years. [2]

The healthcare industry as a whole lags far behind the retail and financial industries when it comes to cyber security. Even with the industry spending billions of dollars to catch up to the more advanced industries, the approaches and mitigation attempts to secure data from outside intruders may not be enough to avoid loss of these records.

This paper outlines the technical designs that the healthcare industry as a whole, and individual organizations, must accept and drive toward in order to properly and safely secure the data of their patients and to ensure that the medical identity of these patients remains out of the hands of cyber criminals and those who would use this information for nefarious means. Keeping criminals from obtaining the data is the best-case scenario, but securing, masking, normalizing and encrypting the data internally, and keeping it so that all the data does not exist in one place for all users, can ensure that those with malicious intent cannot tell a story with the data they obtain illegally.

[1] Breaches Affecting 500 or More Individuals, HHS.gov.
[2] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.
2 Personally Identifiable Information & Protected Health Information

In U.S. privacy laws and related language, Personally Identifiable Information (PII) is any information that can be used on its own or in combination with other information to identify, contact or locate a single person. Similar to PII, Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to an individual, as defined by the HIPAA Privacy Rule. The major difference between PII and PHI is that PII is a legal definition of any information that can be used to uniquely identify an individual, while PHI identifiers are a subset of PII that can be used to identify an individual in relation to a medical record.

Within the classifications of what is considered PHI/PII, there are certain attributes which, either standing alone or combined with a minimal amount of other identifiers, can be used to identify an individual or give one the means to tell a story about that individual. These are sometimes referred to as Major Identifiers. Some of the major identifiers used in the health care industry with regard to PII/PHI include:

- First Name
- Last Name
- Social Security Number
- Home Address
- Date of Birth

The Value of Health Records and the Cost of Identity Theft

According to a recent study, data breaches in the healthcare industry as a whole are costing healthcare providers and insurers up to 6 billion dollars per year. The average cost of being part of a data breach is over 2.1 million dollars per healthcare organization. [3] The average cost of a healthcare breach worldwide is $363 per exposed record, compared with an average cost of $398 per record in the U.S. alone. For comparison purposes, the average cost per record stolen in other industries comes in at $154. It should come as no surprise that a data breach in the healthcare industry would come in at double the average cost of other industries.

Black market prices for medical records and health history can be ten times the value of PII from data breaches in other verticals. Whereas a stolen credit card number is worth roughly a dollar on the black market, a medical record is worth, on average, between ten and fifty dollars, with some specific records being valued at thousands of dollars. Why would a criminal care about a medical record when they can make actual purchases with a pilfered credit card?

[3] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.
2.1 Medical Identity Theft and the Cost to Remediate

Aside from the first and last name, billing address, and potential billing information that may be obtained within a medical record, the record also contains policy and account numbers, birth date, insurance and policy numbers, Social Security numbers and diagnosis codes related to the patient/member. So while this information can be used for traditional identity theft to make purchases, it is even more valuable when used to conduct medical fraud. This fraud can be extremely profitable and harder to detect: medical identity theft often goes undetected for years by a patient, insurer or provider.

Criminals use these medical records to buy medical equipment or prescription drugs which are then resold, or they utilize insurance information coupled with false or stolen provider numbers to file false claims with healthcare payers. In some cases, fraudsters create fake credentials based on stolen records and obtain expensive healthcare which is then billed to the real member. The financial identity theft can lead to overages in medical expenses and denial of services or claims due to medical procedures that were procured under a false identity.

Not only does this involve the hassle of having to clear up financial obligations and burdens, but there is a life-threatening risk that the member's health record is contaminated with someone else's medical history and diagnoses. If this false data is not properly identified by the patient or medical care professional, there can be life-threatening consequences caused by incorrect biometric data, prescription information or allergies. There is also the looming threat of having one's personal health information available: there can be negative stigmas associated with certain diagnoses or procedures. Unlike financial identity theft, there is no canceling or reissuing of cards that will clear this information from being out there. If the data is breached and the medical history leaked, it is out there forever.

Insurers and providers lag behind other industries in identifying and fixing health records and helping identity theft victims manage the consequences of identity theft. As of 2014, many medical identity theft victims reported that they spent on average $13,500 to restore their credit, reimburse and clear up healthcare claims, and correct inaccuracies in their health care records. [4]

[4] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.
3 The Data Breach Problem

The healthcare industry and its organizations are being targeted by cyber criminals like never before. With the large number of records taken in the Premera Blue Cross and Anthem Health cyberattacks in 2015, cyberattacks and intentional criminal activity have officially surpassed employee or insider negligence as the number one cause of data breach in healthcare organizations. Medical records are often more easily obtained than those of traditional bank, financial services and retail operations, as these entities have been stepping up their online security for many years to stay ahead of hackers.

With all of the major attacks occurring and the healthcare industry being a top target for criminals and internal breachers, half of all healthcare organizations have little to no confidence that they can identify whether or not they have had patient/member data taken. Even with billions spent on preventing cyberattacks and unwanted external exposure, as well as on remedies in the case of a malicious breach, the industry and all the patients it serves are still at risk from exposure and identity theft. Only 50% of organizations have procedures and policies in place to effectively prevent and detect unauthorized access. [5]

Cyberattacks may make up the majority of data breaches, but cybersecurity alone will not fully protect patients and members from identity theft. Lost or stolen computing devices containing identifying information and medical records, and employee mistakes such as lost printouts or PHI being improperly disposed of, make up nearly the same percentage of data breach causes as malicious attacks. In fact, healthcare organizations are almost twice as likely to report concerns about employee negligence as a cause for breach as they are about cyber attackers.

Besides negligence, cyber hacks, and phishing scams to steal employee passwords, healthcare organizations have to deal with malicious insiders who have access to the data (in some cases whether they need access or not). Internal technical security initiatives can help prevent some of these causes of breach and help log who accessed what data, but they cannot 100% safeguard PII/PHI data by themselves. How else can an organization protect its members from identity theft in the inevitable case that someone gets access to personal health records?

[5] Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute.
4 The PII, Data Storage, Usage and Access Problem

4.1 Personally Identifiable Information in BI and Operations

Healthcare payers and providers rely on personally identifiable information not only for reporting, but in order to match customers internally over time and externally, to match up the same patient/member as they relate to third-party services. Most of the current and legacy reporting and operational systems in place in healthcare organizations today were built around personally identifiable information. Major Identifiers such as Social Security numbers, names, and date of birth are used to tie a member's history together. While these identifiers were never intended by the SSA to be used to identify an individual, they change so slowly that they were natural candidates for identifying a person across a multitude of systems within one organization. Unfortunately, the systems that utilized these major identifiers for matching and identification are now the systems that are most at risk and the easiest targets for hackers.

Due to the propagation of these major identifiers throughout host systems, and the fact that these systems were in many cases built around PII, it is extremely hard for the stewards of these systems to reengineer them to remove or replace these identifiers without a major impact on the performance and stability of legacy operating and BI systems.

At this point in time, many healthcare organizations have implemented tokenization by assigning an arbitrary internal identifier to an individual in order to track this person's activity more easily. Tokens such as a patient number and healthcare ID are widely used internally within organizations across systems. While this way of tracking a member over time could be applied to data security, in many instances it is only a supplement to the current structures for ease of use. The underlying major identifiers that are tied to these surrogate numbers are often still exposed in the same structures where the unique identifier resides. Furthermore, many systems are designed so that patients may not have continuity across their tokens if there is ever a break in coverage or a change in information, making BI reporting difficult and therefore forcing identity matching to be performed using the major identifiers noted earlier.

4.2 How PII Data is Stored

Throughout the healthcare industry's landscape, much of this PII and PHI data is located in multiple marts and stored in almost every single operational system, potentially in multiple tables per system, wherever membership or patient data exists. Given the current landscape and the emphasis on protecting sensitive data, many organizations are trying to get away from this propagation of PII. However, after years of this data not being considered a risk, many of these organizations are in no position to identify where all of the data resides, let alone address how the data should be stored to enable both security and performance.

4.3 Data Usage and Access

As stated earlier, employee negligence is the greatest concern for healthcare organizations; however, many organizations have reporting and operational environments where all PII data is exposed to all users of that data. Even without malicious intentions being factored in, allowing all employees to have access to all data, whether they need that data to perform their work tasks or not, allows for more risk of exposure in the event of a data breach. A user having a password stolen via a phishing scam, or simply being negligent of best practices on data security such as leaving a laptop open or downloading data to an unencrypted machine, means that a user who had no need for that data in the first place can be the reason a healthcare organization ends up on the Health & Human Services "Wall of Shame".

The same approach to data access for users can apply to operational applications and BI reporting data stores. In many cases the underlying tables contain all of the data about all of the members/patients, even if that data is not actually necessary to complete the function of the operational system, or if the data mart that feeds a certain user group has no need for member birth date or Social Security number. Once again, in the event of a data breach, having all of these identifying attributes in one place, easily accessible under one login, allows fraudsters to tell a story with someone else's data, leading to identity theft and in some cases irreparable harm.
5 Clarity's Approach

5.1 Strategy & In Depth Analysis Methodology

A full assessment of all pertinent data sources would first be performed across all systems where personal identifiers and PHI information exist. This allows for a high-level overview of the health organization's IT architecture as a whole and serves as the foundation for the strategy to identify and prioritize where the most information lives and to assess which systems are at greatest risk of a data breach. A risk assessment will be performed to determine which identifying attributes pose the greatest risk in the event of a breach. Combinations and locations of these major identifiers will be documented, and a strategic decision will have to be reached on how best to remove or better secure these identifiers.

Once a strategic approach is agreed upon and mapped out, a more tactical method will be applied to each of the IT systems where identifying information exists. Full profiling of each of these sources will be performed in order to better understand and fully document where all PII information exists. Impact analysis will follow to determine all extracts, stored procedures, ETL jobs, reports, etc. and to identify the downstream impacts of modifying the data architecture. A strategy to modify these impacted jobs will then have to be developed. Interviews with the business community and consumers of any and all data affected will have to be performed. A partnership with the teams in charge of data security and access should be forged so that any enterprise-wide initiatives around security or data security are accounted for in any designs and releases.

5.2 Architectural Considerations & Designs

The architectural designs to protect PII and PHI have to take into account the ability to minimize and secure data, while still ensuring that data continues to be readily available for reasonable business needs and analytical purposes.

In the case of highly de-normalized data structures with multiple identifiers available, segmentation of this data may be applied. Certain identifiers can be removed from underlying tables and replaced with a token that allows for the tracking of a member over time to establish continuity, if desired. Where tokenization and unique identification are not established at an organization, a program to implement them should be considered, not only for security purposes but also for accuracy in tracking membership over time and whenever there are changes to customer data. Once this unique identifier is established and validated, the identifying information can be removed as desired and replaced with this meaningless token. Aggregated analytics can be performed as before, but on secured data.

Data that can be used to identify individuals but is also useful for reporting can be altered to still allow analytics, but with better security measures in place. An example of this is birth date. Birth date may be useful to an analytics team trying to group members by age; however, having the birth date readily available can also be a cause for concern, as birth date is commonly used as a validation question to confirm identity. The member Date of Birth could be transformed during ETL to an age band, or to birth year if that is useful for analytics. This is just one example of how attributes can be altered to be secure but still be readily available for business purposes. Where more detailed information containing PII or PHI is necessary, encryption and decryption views can be applied with appropriate security measures taken into account. Examples of this could include extracts that need Social Security numbers, or specific birthdates coupled with first and last name.

5.3 Legacy Data Stores

Another consideration around data security is legacy data stores and IT systems. Identifying information lives throughout many legacy systems, and in some cases these legacy systems are unused or used only for a minor amount of reporting/operations. Patching and security processes are not properly applied in some cases and the data is considered out of sight, out of mind, but the tables in these systems contain the same PII as modern systems and can be used maliciously if they fall into the wrong hands. An approach should be developed at the enterprise level on how to decommission, archive and encrypt legacy data stores so that identifying information is not left openly accessible and is not unencrypted in the instance of a data breach. This data can be secured and removed from data access, but still retained in a secure manner in order to meet legal obligations for data retention. In the special instance where this data needs to be accessed for any purpose, it can be temporarily restored, decrypted and put into a temporary space with special security granted to the users who need to access it. The data should then once again be decommissioned, archived and re-encrypted, and the special security stripped from the users once the special-case analysis has been completed.
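The following is an added worked example of the section 5.2 design (it is not Clarity's code and does not come from the paper): an ETL step that splits a PII-bearing member table into a de-identified reporting mart, where the major identifiers are replaced by a meaningless token and Date of Birth is reduced to an age band and birth year, plus a separate re-identification view that only named roles may query. The sample member rows, the role names, the placeholder key and the use of a keyed HMAC to derive the token are all assumptions made for the example; the paper itself does not specify how the token is generated. SQLite stands in for the data mart so the example runs offline.

```python
"""De-identified reporting mart (added example): tokenize major identifiers,
age-band Date of Birth during ETL, and gate re-identification behind roles."""
import hashlib
import hmac
import sqlite3
from datetime import date

# Constructed sample rows for a PII-bearing operational table (fictional people):
# (ssn, first_name, last_name, dob, address, diagnosis code).
MEMBERS = [
    ("123-45-6789", "Ann", "Lee", "1980-05-14", "12 Oak St", "E11.9"),
    ("987-65-4321", "Bob", "Ray", "1951-11-02", "9 Elm Ave", "I10"),
    ("555-12-3456", "Cara", "Ng", "2004-01-30", "4 Pine Rd", "J45.20"),
]

# Reporting "as of" date used for age banding (the paper's publication date).
AS_OF = date(2015, 10, 8)

# Placeholder tokenization key (assumption): in practice it lives in a secrets
# store owned by the data-security team and is never written into the mart.
TOKEN_KEY = b"placeholder-key-replace-me"

# Hypothetical role names allowed to re-identify a token.
REIDENTIFY_ROLES = {"fraud_investigator", "claims_ops"}


def member_token(ssn: str, dob: str, last_name: str) -> str:
    """Stable surrogate for a member, derived by HMAC-SHA256 over the major
    identifiers. Because it is keyed, a leaked mart cannot be re-identified by
    simply hashing every possible SSN; the key is needed as well."""
    msg = f"{ssn}|{dob}|{last_name.strip().upper()}".encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, as_of: date) -> str:
    """Ten-year age band, computed during ETL so the mart never carries DOB."""
    y, m, d = (int(p) for p in dob.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def build_mart(as_of: date) -> sqlite3.Connection:
    """Load the source, split it into a re-identification table and a
    de-identified reporting mart, and expose PII only through a view."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE member_src (ssn, first_name, last_name, dob, address, dx_code);
        -- Re-identification table: token -> major identifiers. In a real
        -- deployment this sits in a separate, tightly controlled schema.
        CREATE TABLE member_token (token PRIMARY KEY, ssn, first_name, last_name, dob, address);
        -- Reporting mart: surrogate token plus analytics-safe derivatives only.
        CREATE TABLE member_mart (token, birth_year INTEGER, age_band, dx_code);
        CREATE VIEW v_member_reidentify AS
            SELECT m.token, t.first_name, t.last_name, t.ssn, t.dob, m.dx_code
            FROM member_mart m JOIN member_token t ON t.token = m.token;
    """)
    db.executemany("INSERT INTO member_src VALUES (?,?,?,?,?,?)", MEMBERS)
    rows = db.execute(
        "SELECT ssn, first_name, last_name, dob, address, dx_code FROM member_src").fetchall()
    for ssn, first, last, dob, addr, dx in rows:
        tok = member_token(ssn, dob, last)
        db.execute("INSERT OR IGNORE INTO member_token VALUES (?,?,?,?,?,?)",
                   (tok, ssn, first, last, dob, addr))
        db.execute("INSERT INTO member_mart VALUES (?,?,?,?)",
                   (tok, int(dob[:4]), age_band(dob, as_of), dx))
    db.commit()
    return db


def mart_columns(db: sqlite3.Connection) -> list:
    """Column names actually present in the reporting mart (no SSN, no DOB)."""
    return [row[1] for row in db.execute("PRAGMA table_info(member_mart)")]


def members_by_age_band(db: sqlite3.Connection) -> dict:
    """Aggregate analytics still work on the de-identified mart."""
    return dict(db.execute(
        "SELECT age_band, COUNT(*) FROM member_mart GROUP BY age_band ORDER BY age_band"))


def can_reidentify(role: str) -> bool:
    return role in REIDENTIFY_ROLES


def reidentify(db: sqlite3.Connection, token: str, role: str) -> tuple:
    """Gate the PII view behind an explicit role check (application-side stand-in
    for database grants on the view). Analyst roles never reach the identifiers."""
    if not can_reidentify(role):
        raise PermissionError(f"role {role!r} may not query v_member_reidentify")
    row = db.execute(
        "SELECT first_name, last_name, ssn, dob FROM v_member_reidentify WHERE token = ?",
        (token,)).fetchone()
    if row is None:
        raise LookupError("unknown token")
    return row


if __name__ == "__main__":
    db = build_mart(AS_OF)
    print("mart columns:", mart_columns(db))
    print("members per age band:", members_by_age_band(db))
    tok = member_token("123-45-6789", "1980-05-14", "Lee")
    print("fraud investigator sees:", reidentify(db, tok, "fraud_investigator"))
```

The design point is the separation: analysts query `member_mart`, which carries nothing a fraudster could use to tell a story, while `member_token` and the view over it are reachable only by the roles the data-security team approves. In a production database the `can_reidentify` check would be replaced by grants on the view and the token table would live in its own schema.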
6 Outcomes

Clarity's extensive background in the Healthcare & Life Sciences industry, coupled with its exclusive focus on data and analytics, led to the current approach we leverage to assess and mitigate the data storage design and user access faults that can lead to problems in the event of a breach. Healthcare organizations should begin to look at their own internal IT systems and evaluate data risk and how they can better protect their members and patients. Clarity's implementation experience has led us to believe that a clearly defined strategy, approach and implementation allows for performance while leveraging techniques to better secure data. To learn more about Clarity's approach to data breach risk mitigation, please contact us at info@clarity-us.com.
7 About the Author

Kevin Knoll, Senior Consultant at Clarity Solution Group

Kevin Knoll brings years of experience delivering reporting and analytics solutions, with a specialization in Healthcare and Life Sciences. Kevin has been key in delivering data strategies and full lifecycle implementations for healthcare payers and major players within the pharmaceutical industry. Before joining Clarity Solution Group, Kevin worked in finance with a background in healthcare and manufacturing, later becoming a consultant in the financial consolidation space with a heavy background in government, pharmaceuticals, manufacturing and non-profit organizations.
8 About Clarity Solution Group

Clarity Solution Group is the largest on-shore consulting company in the US whose sole focus is data and analytics. Clarity delivers enterprise-scale solutions with boutique focus, helping Fortune 1000 clients leverage data to drive superior business outcomes. For more information, visit
More information2015 VORMETRIC INSIDER THREAT REPORT
Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security HEALTHCARE EDITION #2015InsiderThreat RESEARCH BRIEF U.S. HEALTHCARE SPOTLIGHT ABOUT THIS RESEARCH
More informationTHE COST OF A DATA BREACH FOR HEALTHCARE ORGANIZATIONS
DATA SECURITY: THE COST OF A DATA BREACH FOR HEALTHCARE ORGANIZATIONS THE URGENCY OF IMPROVED SECURITY THE STORY OF A DATA BREACH S IMPACT SECURITY SUPPORT AND SERVICES SHARE THIS THE URGENCY OF IMPROVED
More informationCritical Issues in Fraud Analytics
Critical Issues in Fraud Analytics ISACA - 2015 Presenter: Charles Faircloth, JD, CIG Faircloth Fraud Consulting Critical Issues in Fraud Analytics Introduction 1) Factors that drive fraud 2) Current fraud
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationA BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper
A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationCombating Identity Theft: Tips to Reduce Your Cybersecurity Risks. September 16, 2015
Combating Identity Theft: Tips to Reduce Your Cybersecurity Risks September 16, 2015 Current Cyber Threat Cyber criminals are not only targeting businesses, but individuals Stolen personally identifiable
More information10 Smart Ideas for. Keeping Data Safe. From Hackers
0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000
More informationPrivacy Rights Clearing House
10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights
More informationVerizon 2014 PCI Compliance Report
Executive Summary Verizon 2014 PCI Compliance Report Highlights from our in-depth research into the current state of PCI Security compliance. In 2013, 64.4% of organizations failed to restrict each account
More informationThe High Price of Medical Identity Theft and Fraud. Ann Patterson Medical Identity Fraud Alliance
The High Price of Medical Identity Theft and Fraud The High Price of Medical Identity Theft and Fraud Ann Patterson Medical Identity Fraud Alliance Medical Identity Theft Primer Includes theft of Protected
More informationCybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
More informationThe Importance of Perimeter Security
REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security FEATURE STORY REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach
More informationThe 2014 Bitglass Healthcare Breach Report
The 2014 Bitglass Healthcare Breach Report Is Your Data Security Due For a Physical? BITGLASS REPORT Executive Summary When hackers break into U.S. hospital health records to steal patient data, it s a
More informationCYBERSPACE SECURITY CONTINUUM
CYBERSPACE SECURITY CONTINUUM A People, Processes, and Technology Approach to Meeting Cyber Security Challenges in the 21 st Century 1 InterAgency Board 1550 Crystal Drive Suite 601, Arlington VA 22202
More informationITAR Compliance Best Practices Guide
ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations
More informationAftermath of a Data Breach Study
Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath
More informationWorkspace-as-a-Service Defining Security and Mobility for Healthcare. vertiscale.com
Workspace-as-a-Service Defining Security and Mobility for Healthcare vertiscale.com Workspace-as-a-Service Defining Security and Mobility for Healthcare Introduction The healthcare industry continues to
More informationOverview. Figure 1 - Penetration testing screenshot examples showing (i) PACS image and (ii) breached Electronic Health Record system
Contents Overview... 3 Why Should We Hack Our Own Systems?... 4 Healthcare is a Soft Target... 4 How About Those Compliance Requirements... 5 Breach Avoidance: Compliance Is Not Enough... 6 Supporting
More informationThree Steps to Help Manage Security Alert Overload
BEST PRACTICES GUIDE Patient Privacy Protection Three Steps to Help Manage Security Alert Overload Patient Privacy Protection 2 How many security alerts does your healthcare organization generate every
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationTOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY
TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY An Inside Job Cyberthreats to your business are usually blamed on outsiders nefarious programmers writing malicious code designed to pilfer your
More informationTHE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY
THE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY BY DR. BRIAN MCELYEA AND DR. EMILY DARRAJ Approved for Public Release: Case # 16-0276 NORTHROP GRUMMAN WHITE PAPER 2016 Northrop Grumman
More information90% of health insurers surveyed have had a data breach 3. 72% increase in cyberattacks against healthcare companies occurred between 2013 and 2014 4
Health Savings Account (HSA) Data security and employee benefits providers by Elon Ginzburg, Information Security Officer, Wells Fargo Wholesale Banking Information security is a critical corporate responsibility.
More information2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP
2010 AICPA Top Technology Initiatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter Partner-in-Charge, Habif,
More informationImpact of Data Breaches
Research Note Impact of Data Breaches By: Divya Yadav Copyright 2014, ASA Institute for Risk & Innovation Applicable Sectors: IT, Retail Keywords: Hacking, Cyber security, Data breach, Malware Abstract:
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More information8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
More informationUnderstanding Professional Liability Insurance
Understanding Professional Liability Insurance Definition Professional liability is more commonly known as errors & omissions (E&O) and is a form of liability insurance that helps protect professional
More informationSOLUTION BRIEF. Next Generation APT Defense for Healthcare
SOLUTION BRIEF Next Generation APT Defense for Healthcare Overview Next Generation APT Defense for Healthcare Healthcare records with patients personally identifiable information (PII) combined with their
More informationInformation Security Addressing Your Advanced Threats
Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationMarch 22, 2013. Tennessee State Employees Association 627 Woodland Street Nashville, TN 37206
March 22, 2013 March 22, 2013 Tennessee State Employees Association 627 Woodland Street Nashville, TN 37206 InfoArmor is pleased to present the Tennessee State Employees Association (TSEA) with the following
More informationThe Hidden Dangers of Public WiFi
WHITEPAPER: OCTOBER 2014 The Hidden Dangers of Public WiFi 2 EXECUTIVE SUMMARY 4 MARKET DYNAMICS 4 The Promise of Public WiFi 5 The Problem with Public WiFi 6 MARKET BEHAVIOR 6 Most People Do Not Protect
More informationInformation Security Incident Management Guidelines
Information Security Incident Management Guidelines INFORMATION TECHNOLOGY SECURITY SERVICES http://safecomputing.umich.edu Version #1.0, June 21, 2006 Copyright 2006 by The Regents of The University of
More informationCyber Risk: Global Warning? by Cinzia Altomare, Gen Re
Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in
More informationCollateral Effects of Cyberwar
Your texte here. Collateral Effects of Cyberwar by Ilia Kolochenko for Geneva Information Security Day 9 th of October 2015 Quick Facts and Numbers About Cybersecurity In 2014 the annual cost of global
More informationSMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015
SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory
More informationThe Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015
The Department of Health and Human Services Privacy Awareness Training Fiscal Year 2015 Course Objectives At the end of the course, you will be able to: Define privacy and explain its importance. Identify
More informationProofpoint HIPAA Breach Report:
Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents
More informationData Breaches and Trade Secrets: What to Do When Your Client Gets Hacked
Data Breaches and Trade Secrets: What to Do When Your Client Gets Hacked R. Mark Halligan, FisherBroyles, LLP Andreas Kaltsounis, Stroz Friedberg Amy L. Carlson, Stoel Rives LLP Moderated by David A. Bateman,
More informationData Breach Lessons Learned. June 11, 2015
Data Breach Lessons Learned June 11, 2015 Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin
More informationState of Security Survey GLOBAL FINDINGS
2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding
More informationLIGC-ACC Presentation November 9, 2015
Bryan Frank, DDIS Info Sec Corp, panelist Jennifer M. Mone, Deputy General Counsel, Hofstra University, panelist Keith J. Frank, Partner, Forchelli, Curto, Deegan, Schwartz, Mineo & Terrana,. LLP, moderator
More information2H 2015 SHADOW DATA REPORT
2H 20 SHADOW DATA REPORT Shadow Data Defined: All potentially risky data exposures lurking in cloud apps, due to lack of knowledge of the type of data being uploaded and how it is being shared. Shadow
More informationHow To Protect Your Organization From Insider Threats
Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security FINANCIAL SERVICES EDITION #2015InsiderThreat RESEARCH BRIEF US FINANCIAL SERVICES SPOTLIGHT ABOUT
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationSOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness
SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper Safeguarding data through increased awareness November 2015 1 Contents Executive Summary 3 Introduction 4 Martime Security 5 Perimeters Breached
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Pam Townley, AVP / Eastern Zonal Manager AIG Professional Liability Division Jennifer Bolling, Account Executive Gallagher Management Liability Division
More informationINDUSTRY OVERVIEW: HEALTHCARE
ii IBM MSS INDUSTRY OVERVIEW: HEALTHCARE RESEARCH AND INTELLIGENCE REPORT RELEASE DATE: OCTOBER 7, 2014 BY: JOHN KUHN, SENIOR THREAT RESEARCHER iii TABLE OF CONTENTS EXECUTIVE OVERVIEW/KEY FINDINGS...
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationCards at School. Why Banks View Campuses as High Risk Customers. Payments
Cards at School Why Banks View Campuses as High Risk Customers Dennis W. Reedy, CTP, Managing Director, Treasury Operations, Indiana University Walter Conway, Walter Conway Associates, LLC Accepting credit
More information9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500
INFO 1500 9. Information Assurance and Security, Protecting Information Resources 11. ecommerce and ebusiness Janeela Maraj Tutorial 9 21/11/2014 9. Information Assurance and Security, Protecting Information
More informationHFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY
HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY Illinois Department of Healthcare and Family Services Training Outline: Training Goals What is the HIPAA Security Rule? What is the HFS Identity
More informationSecuring Today s Healthcare Enterprise Systems Time to Rethink Your Cybersecurity Strategy
As seen in Securing Today s Healthcare Enterprise Systems Time to Rethink Your Cybersecurity Strategy Adam Hesse, Inc. Published June 26, 2015 Anyone following today s headlines is aware that cyberattacks
More informationcase study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:
The Computerworld Honors Program Summary developed the first comprehensive penetration testing product for accurately identifying and exploiting specific network vulnerabilities. Until recently, organizations
More information