The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Adopting a Cybersecurity Framework for Governance and Risk Management Jim Giordano Vice Chairman & Chair of Finance Committee Ascension Health - Michigan Market Board President and CEO CareTech Solutions Jeff Bell CISSP, GSLC, CPHIMS, ACHE Manager, Cybersecurity and Privacy PwC 1
Disclosure Please note that the views expressed by the conference speakers do not necessarily reflect the views of the American Hospital Association, the Center for Healthcare Governance, or PricewaterhouseCoopers LLP. Presentation includes partial content from Cybersecurity: What the Board of Directors Needs to Ask, IIARF Research Report, The Institute of Internal Auditors Research Foundation: Permission has been obtained from the copyright holder, The Institute of Internal Auditors Research Foundation to publish this reproduction, which is the same in all material respects, as the original unless approved as changed. No parts of this document may be reproduced, stored in any retrieval system, or transmitted in any form, or by any means electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of IIARF. 2
Learning Objectives 1. Identify current healthcare privacy and cybersecurity threats and risks 2. Assess the readiness of healthcare providers, business associates, leadership and trustees to respond to current cybersecurity threats 3. Explain the role of the board in managing cybersecurity risks in the context of enterprise risk management 4. Explain the value of a cybersecurity framework for healthcare and hospital governance and enterprise risk management 3
Why is Cybersecurity a Board Oversite Issue? Financial / reputational loss at a level relevant to the Board s fiduciary responsibility to sustain corporate mission Data breach laws make response costly / fines Class-action lawsuits are costly Consideration of cyber liability insurance Cybersecurity incidents disrupt operations Attackers include nation-states and organized crime targeting theft of trade secrets and economic sabotage Risks of disruption of industrial controls (smart buildings) Threat to medical devices 4 US cybersecurity: Progress stalled, Key findings from the 2015 US State of Cybercrime Survey, PwC, July 2015
How Boards Participate in Security Data from The Global State of Information Security Survey 2015 40% 36% 32% 25% Overall security strategy Security budget Security policies Review of security & privacy risks 24% 18% 15% Security technologies Review roles & responsibilities of security organization Review of security & privacy testing 5 The Global State of Information Security Survey 2015, http://www.pwc.com/gsiss2015, PwC
2015: The Rise of Criminal Attacks on Healthcare Data for the first time, criminal attacks are the number-one cause of healthcare data breaches. Criminal attacks on healthcare organizations are up 125% compared to 5 years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack, and 12% say it was due to a malicious insider. 6 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Sponsored by ID Experts Independently conducted by Ponemon Institute LLC, May 2015
Healthcare Data Breaches Are Costly 90% had a data breach in the past 2 years, 40% had more than 5 Average economic impact due to data breaches is 2.1 million dollars / healthcare organization and 1 million dollars / business associate organizations over 2 years Criminal attacks are now the #1 cause of data breaches 56% of healthcare organizations and 59% of business associates don t believe their incident response process has adequate funding and resources 7 www.hhs.gov/ocr
Healthcare Data Breaches Are Costly Data breaches in healthcare are the most expensive to remediate In the U.S. healthcare industry, the average cost was $398 per record Average cost across all industries: $154 per record 8 http://www-03.ibm.com/security/data-breach/
FBI Cyber Division: Private Industry Notification Cyber actors will likely increase cyber intrusions again health care systems to include medical devices due to Mandatory transition from paper to electronic health records (EHR) Lax cybersecurity standards A higher financial payout for medical records in the black market The healthcare industry is not technically prepared to combat cybercriminals basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs) 9
Healthcare Cybersecurity Risks: Cybercrime & Hacking Until the recently, cybercriminals didn't have healthcare data in their sight. Now healthcare data is considered a top criminal target by the FBI 2 42.5% of breaches identified in 2014 were in the medical/healthcare industry. Leading cause: Hacking incidents. 3 Cybercrime is a clear, present, and permanent danger. While it s a permanent condition, however, the actors, threats, and techniques are very dynamic. Tom Ridge CEO of Ridge Global 1 st Secretary of the US Department of Homeland Security 1 10 1 US cybercrime: Rising risks, reduced readiness - Key findings from the 2014 US State of Cybercrime Survey, PwC 2 James Trainor, deputy assistant director of the FBI, Cyber Division (speaking at HIMSS15, April 2015) 3 Identity Theft Resource Center: http://www.idtheftcenter.org/itrc-surveys-studies/2014databreaches.html
What Makes Healthcare Data So Valuable to Cybercriminals? Healthcare records are a rich set of data: Financial, medical, family, and personal data Healthcare data can be used to: Obtain healthcare services Obtain drugs or medical devices Insurance fraud Financial fraud (open financial accounts) A healthcare record can be worth $50 to $1,000 Credit card data typically sells for $1 each Healthcare fraud detection is poor 11 Managing cyber risks in an interconnected world, Key findings from The Global State of Information Security Survey 2015, PwC
Healthcare Cybersecurity Risks: Medical Identity Theft More than 2.3 million Americans have been victims How victims learn of the crime: Hospital invoice Collection letter Insurance statement Errors in health record Credit report Difficult for victims to prove the theft 65% of victims spent money to resolve: Average cost: $13,453 Incorrect medical records could jeopardize safety 12 Fifth Annual Study on Medical Identity Theft, Sponsored by the Medical Identity Fraud Alliance, Independently conducted by Ponemon Institute LLC, February 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Sponsored by ID Experts, Independently conducted by Ponemon Institute LLC, May 2015 See also: Medical Identity Fraud Alliance: http://medidfraud.org/
Healthcare Cybersecurity Risks: Insider Threats Insiders refers to your workforce who are trusted with access to your systems They make mistakes They violate policies (snooping, shortcuts) A few have criminal intentions Huge problem in healthcare! Solutions Security awareness training Monitor / manage / discipline Access controls Data Leak Prevention User Activity Monitoring 13
Healthcare Cybersecurity Risks: Third Party Risks Third parties were the #2 cause of breaches in 2014 1 Healthcare providers need to manage third party risks Evaluate whether third parties have access to PHI Evaluate the level of risk For high-risk third parties evaluate the security program Before contracting Ongoing Contract terms to manage third party risks 14 1 Identity Theft Resource Center: http://www.idtheftcenter.org/itrc-surveys-studies/2014databreaches.html
15 Healthcare Cybersecurity Risks: Medical Device Vulnerabilities
Recent Breaches & Settlement Agreements May 20, 2015 1,100,000 June 10, 2015 August 18, 2014 May 5, 2015 3,900,000 4,500,000 4,500,000 March 17, 2015 11,000,000 Breaches due to hackers Anthem is the largest healthcare data breach in US history Medical Informatics Engineering is an EMR vendor with some very large customers 16 March 15, 2015 78, 800,000 patient records
Recent Breaches & Settlement Agreements June 14, 2014 34,000 Est. cost: $13.5M November 30, 2011 900 Settlement agreement: $1.7M SRMH: Stolen unencrypted USB drive Concentra: Stolen unencrypted laptop March 4, 2014 15,000 Est. cost: $6M Third-party: Transcriptionist lacked technical safeguards on server Patient records accessible on Internet 17
Recent Breaches & Settlement Agreements March 3, 2012 2,743 patient records Settlement agreement: $150K September 24, 2010 Settlement agreements: $3.5M NYP 6,800 $1.5M CUMC ACMHS: Due to malware, fined for unpatched / unsupported systems NYP / CUMC: Server data accessible on the Internet due to lack of technical safeguards - Server installed and managed by a physician, not an IT professional 18
Five Guiding Principles for the Board 1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber risks as they relate to their company s specific circumstances. 3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. 4. Directors should set the expectation that management will establish an enterprise-wide management framework with adequate staffing and budget. 5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach. 19 Cyber-Risk Oversight Executive Summary, Director s Handbook Series 2014 Edition [National Association of Corporate Directors (NACD) in collaboration with AIG and Internet Security Alliance (ISA); Washington, DC; 2014]
Principle 1: Approach Not Just an IT Issue Board must assume role of fourth line of defense to protect against cyber risks within the whole organization 20 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Principle 1: Approach Not Just an IT Issue Board must require an internal audit for a comprehensive report that covers all domains of cybersecurity Conducted by internal audit staff or external security program Board must monitor whether risk levels are improving or deteriorating and must evaluate the adequacy / severity of the pace of improvement / deterioration 21 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Principle 2: Legal Implications Board must understand cyber risks associated with thirdparty service providers IT outsourcing Business process outsourcing Cloud solution SOC 1 and SOC 2 assurance reports performed Chain of trust Agreements with providers that cover responsibility Agreements with any downstream providers of that thirdparty provider Note: HIPAA mandates Business Associate Agreements and Business Associate Compliance, but this is not enough. 22 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Principle 2: Legal Implications Understand what constitutes a data breach and what notifications are required by state and federal law HIPAA/HITECH breach notification requirements In which states does the organization conduct business? Are there states where the data breach and privacy laws may be stricter than others (e.g., Mass. and Cali. are perceived to be strict )? What constitutes a data breach in those states? What are the reporting requirements? Under some state laws, if breached data is encrypted, reporting is not required or is minimized Board should be made aware of all major data breaches and security incidents 23 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Principle 2: Legal Implications Federal Breach Notification (Omnibus rule of 2013) Covered Entities must report security breaches directly to individuals Without unreasonable delay and in no case later than 60 days following the discovery If the individual cannot be contacted notice must be posted on the hospital website or notify local media Large security breaches (500 or more records) must be reported to the U.S. Department of Health and Human Services and prominent media outlets HHS will post all large breaches to their website Small breaches (under 500 records) must be reported to HHS annually 24
Principle 2: Legal Implications an acquisition, access, use or disclosure of [PHI] in a manner not permitted under [the HIPAA Privacy rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrate that there is a low probability that the [PHI] has been compromised based on a risk assessment of at least the four following factors: 1. Nature and extent of the PHI 2. The unauthorized person who used or received the PHI 3. Whether the PHI was actually acquired or viewed 4. The extent to which the risk to the PHI has been mitigated Safe harbor (no breach) if the data was properly encrypted or destroyed 25
Principle 3: Discuss with Experts Board should take time to meet with the Chief Information Security Officer (CISO) Understand key issues from CISO s perspective Discuss security strategy and current projects Identify roadblocks (e.g., budget, political agenda, arrogance) Understand data breaches occurring within the industry Verify that management has established relationships with local and national authorities Annual meetings with local FBI FBI actively involved in cybersecurity (Infragard formed in 1996) 26 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Principle 4: Enterprise-Wide Management Framework Board must require management to communicate the enterprise risk management organization structure and provide staffing and budget details Enterprise risk management comprised of several risks: Operational, credit, regulatory, legal, medical errors / liability, cybersecurity Board should review security budget metrics What percentage of the total revenue is the IT budget? What percentage of the IT budget is the security budget? How many security dollars being spent per employee within the organization? Beyond corporate IT, what other departments maintain security budgets? 27 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Principle 5: Avoiding & Accepting Risks Board should meet with the Chief Risk Officer (CRO) or equivalent annually to review all risks that were avoided and accepted Be aware of decisions made in the Risk Acceptance Report Board must verify that cyber insurance coverage is sufficient Ask management to provide cost per record of a data breach Understand the impact of a major data breach 28 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Six Questions the Board Should Ask 1. Does the organization have a security framework? 2. What are the top risks the organization has related to cybersecurity? 3. How are employees made aware of their role relating to cybersecurity? 4. Are external and internal threats considered when planning cybersecurity activities? 5. How is security governance managed within the organization? 6. In the event of a serious breach, has management developed a robust response protocol? 29 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Six Questions the Board Should Ask 1. Does the organization have a security framework? HIPAA / HITECH, HITRUST (healthcare) PCI-DSS for credit card acceptance The National Institute of Standards and Technology (NIST) Cybersecurity Framework President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in Feb. 2013 ISO 27001, NIST 800-53, COBIT 30 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
HIPAA Requires A Risk-Based Approach to Security Protect against any reasonably anticipated threats or hazards 164.306(a) Conduct a risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ephi] held by the covered entity 164.308(a)(1)(ii)(A) Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level 164.308(a)(1)(ii)(B) 31
National Institute of Standards & Technology (NIST) Cybersecurity Framework Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes Respond: Response Planning, Communications, Analysis, Mitigation, Improvements Recover: Recovery Planning, Improvements, Communications 32 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
NIST Cybersecurity Framework FRAMEWORK CORE Framework Core: a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. 33 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
NIST Cybersecurity Framework Framework Implementation Tiers: Tiers describe the degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework. These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. Tier 1 Tier 2 Tier 3 Tier 4 Partial Risk Informed Repeatable Adaptive Risk management is ad hoc, with limited awareness of risks and no collaboration with others Risk management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities Formal policies for risk management processes and programs are in place enterprise-wide, with partial external collaboration Risk management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration 34 Why you should adopt the NIST Cybersecurity Framework, PwC, May 2014
NIST Cybersecurity Framework Framework Profile: ( Profile ) represents the [security] outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the as is state) with a Target Profile (the to be state). The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations. 35 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
NIST Cybersecurity Framework Benefits of using the Cybersecurity Framework: Improve cybersecurity: The NIST Framework core is up to date in terms of cyber threats / risks / effective controls with an emphasis on Detect, Respond, Recover not just Protect. It is much more up to date and comprehensive than the HIPAA rule. Reduce legal exposure: This process can demonstrate due care in case of a breach and federal / state investigation or even law suit. The NIST Framework is founded on a presidential order and represents best practices. Improve collaboration and communication of security posture with executives and others 36 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Six Questions the Board Should Ask 2. What are the top risks the organization has related to cybersecurity? Potential areas of risk (examples): Bring your own device (BYOD) and smart devices Cloud computing Outsourcing critical business controls to third parties (and lack of controls around third-party services) Disaster recovery and business continuity Hacking / malware / Advanced Persistent Threats Insider risks Medical device vulnerabilities 37 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Six Questions the Board Should Ask 3. How are employees made aware of their role relating to cybersecurity? Security awareness training program Review and annual test for employees Communication plan from CEO or other top executive 38 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Six Questions the Board Should Ask 4. Are external and internal threats considered when planning cybersecurity activities? 39 US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US State of Cybercrime Survey, PwC Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Six Questions the Board Should Ask 5. How is security governance managed within the organization? 1 st Line of Defense IT operations function Implements policies and standards Day-to-day monitoring of networks and infrastructure 2 nd Line of Defense Perform majority of governance functions related to cybersecurity Headed by CISO, who defines policies, standards, and technical configurations Ensure that IT performs monitoring, reporting, and tracking 3 rd Line of Defense Internal audit ensures that 1 st and 2 nd lines of defense are functioning as designed 40 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Six Questions the Board Should Ask 6. In the event of a serious breach, has management developed a robust response protocol? Incident response program / team / skills / tools Crisis management program Crisis management team and their responsibilities 41 Cybersecurity: What the Board of Directors Needs to Ask, Copyright 2015 by The Institute of Internal Auditors Research Foundation, ( IIARF ) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
Board of Directors Responsibility A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole. -Tom Horton, Directors & Boards 42
The American Hospital Association s Center for Healthcare Governance 2015 Fall Symposium Questions? Jim Giordano Vice Chairman & Chair of Finance Committee Ascension Health - Michigan Market Board President and CEO CareTech Solutions Jeff Bell CISSP, GSLC, CPHIMS, ACHE Manager, Cybersecurity and Privacy PwC 43