Cybersecurity Challenges in Healthcare
Doug Copley, Beaumont Health & Michigan Healthcare Cybersecurity Council
Healthcare Headlines
(Slide shows a visualization of major healthcare data breaches.)
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Understanding Healthcare Needs
- Patient care quality & safety
- Real-time access to information, regardless of where it is
- Flow of data needs to be seamless to patients, providers and payers
- Most medical devices are connected
- iPads, iPhones, tablets, etc. are required
Healthcare Cyber Trends
- Healthcare data is the most valuable
- Phishing/email is the easiest method of attack
- Cyber defense is improving, but still lagging
- Medical facilities use credit cards nearly as much as retailers
- More are purchasing cyber insurance
- OCR and CMS are doing more audits
- Fines are being issued for lack of basics
- We will likely get more regulations
Cyber Challenges
- Healthcare records are the most valuable. Why?
- Typing passwords slows down patient care
- So much patient data flows outside the organization daily
- With so much access to patient data, a malicious insider is difficult to detect
- Medical device manufacturers
Connected Medical Devices
In 2007, Vice President Dick Cheney feared terrorists had the technology to send a fatal shock to his pacemaker, so he had his doctors disable its wireless capability.
Cyber Challenges
- Many systems are supported by remote vendors with privileged access
- Security education is difficult to prioritize for clinical staff (time away from patients)
- Security protections cost money
- What is an MU (Meaningful Use) security risk assessment?
- It is easier & quicker to share accounts instead of giving each staff member an account
Managing Cyber Risk
The key is appropriately managing the risks:
- Policies & procedures (administrative)
- Technology tools (technical)
- Control physical access (physical)
Risk/cost decision. Do we need to:
- Prevent it from happening?
- Detect & respond when it happens?
- Would it automatically get corrected?
- Do we get cyber insurance?
Practical Steps To Security
1. Have a plan
   - Decide on a framework (HITRUST, NIST, ISO, etc.)
   - Build relationships with Compliance, Audit, Risk
   - Prioritize efforts based on risk
2. Understand your environment
   - Understand your business
   - Users and equipment on the network
   - Understand data flows, particularly off-network
3. Manage your vendors and business associates
Practical Steps To Security
4. Write easy-to-understand policies and EDUCATE
5. Leverage virtualization (Citrix for abstraction)
6. Manage the data on personal phones & tablets
7. Deploy SSO with badge readers: simpler & quicker for clinical users
8. Don't let insecure devices on your corporate network: segment if needed, or leverage VDI (for example, XP systems you can't eliminate)
Practical Steps To Security
9. Medical devices: push vendors, and use FDA guidance and partnerships as leverage
10. Blocking & tackling
    - Awareness & education: make it relevant!!
    - Strong hardware, software and medical device asset management
    - System scanning & PATCHING
    - Log event monitoring & incident response
    - Watch outbound, not just inbound, activity
    - Data loss prevention
    - Restrictions on removable media
6-Step Security Cycle
- Perform a risk assessment
- Have an incident response plan ready
- Inventory your PHI
- Implement policies, processes, and technologies
- Develop a security strategy
- Train employees
(Source: Healthcare IT News)
Where to Begin: Purpose of Risk Analysis
Regulators expect a risk assessment to drive privacy and security safeguards.
Key questions from the guidance:
1. Have you identified the ePHI within your organization? (created, received, maintained or transmitted)
2. What are the external sources of ePHI? (vendors, consultants)
3. What are the threats to systems that contain ePHI?
Risk assessment results should help you:
1. Determine appropriate personnel screening processes
2. Identify what data to back up and how
3. Decide whether to use encryption
4. Identify what data must be authenticated
5. Determine data transmission safeguards
Leverage Key Partnerships
Build partnerships outside your organization. In healthcare, key resources are:
1. Peer organizations, non-profit and for-profit
2. State: Dept. of Community Health
3. State: Health Information Exchanges
4. State: Health & Hospital Association
5. HITRUST & NH-ISAC
6. Federal: Health & Human Services
7. Federal: FBI & InfraGard
8. Federal: Homeland Security
Michigan Healthcare Cybersecurity Council (www.mihcc.org)
Goals of MHCC efforts:
- Bring Michigan healthcare organizations together toward a common purpose
- Protect MI critical healthcare infrastructure
- Leverage public/private partnerships to improve healthcare cybersecurity preparedness
- Apply best practices and consistent protections to common challenges
- Deliver actionable materials all healthcare entities can use
MIHCC Participating Organizations
Questions?
Doug Copley, doug.copley@mihcc.org
Thank You!