Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January 2016. kpmg.com

Similar documents
HEALTH CARE AND CYBER SECURITY:

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

CA Technologies Healthcare security solutions:

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

Cyberprivacy and Cybersecurity for Health Data

Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management

How To Find Out What People Think About Hipaa Compliance

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

The Oracle Mobile Security Suite: Secure Adoption of BYOD

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Cyber Governance Preparing for the Inevitable Perimeter Breach

Managing the Unpredictable Human Element of Cybersecurity

Nine Network Considerations in the New HIPAA Landscape

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Leveraging Privileged Identity Governance to Improve Security Posture

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

a new approach to IT security

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

How to stay competitive in a converging healthcare system kpmg.com

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

ALERT LOGIC FOR HIPAA COMPLIANCE

Preemptive security solutions for healthcare

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

WHITE PAPER. Data Protection for the Healthcare Industry

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Data Security: Fight Insider Threats & Protect Your Sensitive Data

A NEW APPROACH TO CYBER SECURITY

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Healthcare Information Security Today

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?

HIPAA Reality Check: The Gap Between Execs and IT March 1, 2016

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Strengthen security with intelligent identity and access management

ADVISORY SERVICES. Risk management in an evolving world. Making the case for social media governance. kpmg.com

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

CYBER SECURITY, A GROWING CIO PRIORITY

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

HIPAA regulation: The challenge of integrating compliance and patient care

NATIONAL CYBER SECURITY AWARENESS MONTH

Cybersecurity The role of Internal Audit

RETHINKING CYBER SECURITY Changing the Business Conversation

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

SOLUTION BRIEF SEPTEMBER Healthcare Security Solutions: Protecting your Organization, Patients, and Information

Adopting a Cybersecurity Framework for Governance and Risk Management

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

PCI Compliance for Healthcare

SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April An Osterman Research Survey Report.

Privilege Gone Wild: The State of Privileged Account Management in 2015

Solving the Security Puzzle

IBM Software Four steps to a proactive big data security and privacy strategy

Bridging the HIPAA/HITECH Compliance Gap

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Security Practices for Online Collaboration and Social Media

Privilege Gone Wild: The State of Privileged Account Management in 2015

Seven Things To Consider When Evaluating Privileged Account Security Solutions

10 Smart Ideas for. Keeping Data Safe. From Hackers

Data Breach and Senior Living Communities May 29, 2015

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Auditing Security: Lessons Learned From Healthcare Security Breaches

State of Security Survey GLOBAL FINDINGS

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Transcription:

Access is power Access management may be an untapped element in a hospital s cybersecurity plan January 2016 kpmg.com

Introduction Patient data is a valuable asset. Having timely access is critical for doctors and clinicians providing care and as a means of ensuring patient safety. However, there is another constituency that wants to get its hands on patient data: Cyber criminals. Access management and the accompanying processes, controls and technologies are about getting the right people the right access to the right information at the right time. Without it, none of the following would be possible: 99 Use of Electronic Health Records (EHRs) to take patients medical histories into account 99 Patient engagement with their own Personal Health Information (PHI) 99 Improved quality of care and real-time quality measurement 99 Sharing of patient data to coordinate care across settings 99 Cloud enablement, mobile health, telemedicine, and virtual care 99 Certain patient safety measures Hospitals are performing a difficult balancing act, however. On the one hand, they want to streamline access to patient data and allow data to be fluid throughout the organization in order to achieve the better outcomes demanded by law. On the other hand, all this increased access is raising the risk of data breaches, hacks and leakages cyber events that could put an organization s long-term financial and reputational health at risk. Hospitals are not blind to these risks. In the recent 2015 KPMG Healthcare Cybersecurity Survey, 44 percent of hospital respondents cited financial loss as their major concern in the event of a breach, while 39 percent said they were most concerned about damage to their reputations. *Report based on data from a quantitative survey of 223 U.S.-based healthcare executives, including chief information officers, technology officers, security officers, and chief compliance officers.

Access is a mixed blessing Although access is critical to raising quality and outcomes, it is important to remember that almost every major cyber event over the past decade has in some way or other targeted gaps around access controls and privileged user access. According to a recent HIMSS survey, 64 percent of respondents were attacked by an outside entity in the last year 1. And there is virtually no limit to the damage a data breach can cause. Once cyber-criminals gain privileged users credentials, they can escalate access and lie in wait for the data they want to steal or gain privileged access they don t warrant 2. Cyber-crimes can include: copying proprietary innovations and new uses of medical technology; holding medical devices hostage until a ransom is paid; and stealing increasingly valuable Personal Health Information (PHI). PHI often includes full medical records, social security numbers, credit card information, billing and insurance forms, and prescription details, all of which contain personal identifying information that can be used to perpetrate medical and financial identify theft. PHI in particular is sought after by criminals because the data cannot be as easily changed, thus giving it a value on the black market up to ten times that of credit card information. Hospitals are compelled both by law and self-interest to invest in and develop technologies that use patient data to improve connectivity, patient care and population health. However, they are not keeping pace with technologies and programs that protect that data from unauthorized access. In fact, technology solutions used in healthcare settings should be designed with security concepts and controls built into EHR software, clinical systems, medical devices, and mobile technology. Unfortunately, the burden of this usually falls to provider organizations themselves, which have historically been ill-equipped to address and integrate complex security and architectural requirements across so many disparate platforms. Astonishingly, only 52 percent of hospital administrators are prepared to handle a data leakage event, according to the KPMG survey. If left unaddressed, the risks will only escalate.

Safeguard the entry points It is not just irresponsible or malicious behavior that can cause a data breach. Legitimate, every-day actions of hospital employees can raise risks as well. For example, providers accessing patient records during a medical emergency might borrow another provider s privileged access, thus creating an entry point for a breach. Doctors might access patient records offsite via a computer or mobile phone. EHRs might be sent to another physician for a second opinion, creating an entry to the network. HIPAA-compliant texting between patients and physicians, telemedicine via smartphone and computers, remote monitoring software, and smart devices implanted into patients all represent attack vectors for cyber criminals, according to a recent report from the SANS Institute 4. Of course, these risks increase with the number of users seeking access. Respondents to the KPMG cyber survey broke down as follows: Thirty-nine percent had 1,000-5,000 employees, 20 percent had 5,000-10,000, and the largest organizations, which face the largest threats, had more than 10,000 employees. Hospital administrators seem to have a basic understanding of the level of risk they face from access-related issues. According to KPMG s cyber survey, hospitals stated that their biggest vulnerabilities were sharing information with others (47%), employee breaches (35%), and wireless computing. Healthcare organizations need to elevate access control protocols to the executive agenda. According to Cisco Systems: 44 percent Almost half (44 percent) of employees admit that they share work devices with others without supervision. 39 percent 39 percent of IT professionals reported dealing with an employee accessing unauthorized parts of a company s network or facility. 18 percent 18 percent of employees share passwords with co-workers 3. Access is power 3

Repercussions beyond IT Many hospital executives believe access management is simply an IT issue. In reality, data leakage and breaches due to poor access management controls can have repercussions throughout an organization. These events can lead to significant fines, loss of reputation and heightened regulatory and public scrutiny, all of which can cut into already thin profit margins. Financial damages from data breaches in the healthcare industry amount to $6 billion annually, with an average price tag of $2.1 million per organization, according to the recent Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data from the Ponemon Institute 5. Patients do not take data breaches in stride, as the damage to individuals can be all too real. Of those who have had their medical records stolen, 69 percent will have sensitive medical information disclosed, 44 percent will be at increased risk of financial identity theft, and 23 percent run a greater risk of medical identity theft, according to the Ponemon study 6. This last is particularly frightening. The average amount of money patients spend to restore credit and pay fraudulent healthcare charges is $13,500 7. The study further states that half of all patients would change healthcare providers if their medical records were compromised 8. And it can be challenging to comply with government mandates. For example, HIPAA s Minimum Necessary Requirement rule states that covered entities [must] take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose 9. The problem is that organizations have not put in the effort to specify what minimum necessary means for different users, thereby adding the risk of compliance violations to the risk of a breach.

Access management methodologies Some hospital administrators seem to believe that addressing these issues is as simple as creating policies about password sharing, immediately removing terminated employees from the network, and adding security software to wireless routers. However, this is not enough. Solutions need to be codified into company policies and protocols. Two of the most important steps hospitals should take are applying role-based access methodologies and tightening access entitlements. Many healthcare organizations have a large number of operational functions or roles with overlapping access. For example, there may be hundreds of hematology nurses, all of whom require the same access to the same type of information. Access allocation by role or function can help organizations quickly and effectively manage how access is provisioned to large groups at one time. Far too many organizations, particularly in healthcare, are only focused on limiting the number of privileged accounts they authorize for access. Cyber criminals can gain access to networks by compromising privileged users credentials and then using that access to extract large amounts of data. Therefore, it is important to have stringent controls in place to monitor these privileges across applications, servers, infrastructures, firewalls, routers, and more. And when it comes to managing those with more operational, back-office roles, including some vendors, organizations should institute entitlements that allow access to specific data but with tight restrictions, including proscribed uses and timeframes. Hospital administrators seem to understand the risks that come from third-party vendor access. Of the respondents to KPMG s cyber survey, 74 percent agree or strongly agree that third parties represent a significant risk to data security. And 84 percent of them evaluate third parties information security postures as part of their due diligence before entering into a business relationship. And yet, it is still alarming that only 35 percent have programs in place to protect against vulnerabilities stemming from vendor access to sensitive data, according to the survey. Access is power 5

An organizational Imperative In order to develop a robust, flexible and sustainable Access Management program, organizations must first spend time developing strong governance structures, effective controls, and efficient processes to support them. And this will require the participation of organizational functions beyond IT, especially the senior management team and community user groups. Roles and their related data requirements need to be mapped, which requires input from human resources and clinical teams. Rules and controls must be developed in a coordinated effort with staff responsible for legal, compliance and risk management issues. Clinical departments will need guidance on how to monitor and manage certain combinations of access privileges. And the entire process must be traceable so that, in the event of a breach, damage can be contained through a rapid audit of the system and access allocations. Ultimately, a wide range of stakeholders must buy into access management controls to ensure that the approach meets the needs of the business, both in terms of rigor and flexibility.

KPMG understands access management There are a number of potential technology solutions vying to capture the healthcare access management market. However, more than software is needed to protect an organization from cyber-attack. For example, KPMG s Cyber Solutions deliver additional value in terms of industry experience, data and analytics, audit traceability, connectivity back to the specific requirements of HIPAA and the Omnibus Rule, and, of course, deep identity access management software implementation experience. The challenge is that when applied to a poorly designed process a solution can accentuate and accelerate the risk. Therefore, we often advise our clients to begin by reaching for clarity on the process and strategy they intend to take. Only once these foundational elements are in place should they start thinking about how technology can be leveraged to improve efficiency and ongoing monitoring. A strong foundation for access management is not only about better security and compliance. It is about reaching better insights into clinical and business workflows that improve care. And once these have been identified, it becomes rather straightforward to search for inefficiencies, make more strategic investments in technology, and analyze how to safeguard organizational and patient data. 1. Weinstock, M. (2015).Cyber wars and the battle for patient care, Hospitals & Health Networks Magazine. 2. Hagerman, K. (2015).What s next for privileged access management? Healthcare IT News. 3. Kern, C. (2015).Best practices for privileged access management in healthcare, Health IT Outcomes. 4. Filkins, B. (2014). New threats drive improved practices: State of cybersecurity in healthcare organizations SANS Institute. 5. Ponemon Institute (2015).Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. 6. Ponemon Institute (2015).Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. 7. Ponemon Institute (2015).Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. 8. Landi, H. (2015).Data breaches could cost providers $305B in lost patient revenue, Healthcare Informatics. 9. U.S. Department of Health & Human Services (2015). Minimum Necessary Requirement, http://www.hhs.gov/ocr/privacy/hipaa/ understanding/coveredentities/minimumnecessary.html Access is power 7

Our perspective ECONOMIC PRESSURE REGULATORY REFORMS INTERMEDIARIES PROVIDERS CONSUMER New Business Models CENTRICITY PAYERS LIFE SCIENCE CONSUMERISM NEW ENTRANTS INFORMATION TECHNOLOGY BIG DATA About KPMG HCLS KPMG LLP is a leader in convergence, helping organizations across the healthcare and life science ecosystem work together in new ways to transform the business of healthcare. KPMG s Healthcare and Life Sciences practice, with more than 2,000 partners and professionals supported by a global network in 155 countries, offers a market-leading portfolio of tools and services focused on helping our clients adapt to regulatory change; design and implement new business models; leverage technology, and data analytics to guide them on the path to convergence.

Access is power 9

Contact: Michael Ebert Partner, Healthcare & Life Sciences T: 267-256-1686 E: mdebert@kpmg.com kpmg.com/socialmedia kpmg.com/app 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 531353

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information