Tech Refresh - Cybersecurity in Healthcare
1 like463 views
1) Cybersecurity incidents are common in healthcare, with 82% of hospitals reporting significant security incidents in the past year. Email remains the primary initial point of compromise, often through phishing. Email frequently contains sensitive patient information. 2) Several large healthcare data breaches in 2018 exposed the data of over 2 million patients total. Ransomware attacks were a factor in some of these breaches. 3) Cybersecurity frameworks provide a common language and methodology for managing risks. Frameworks like HITRUST and NIST CSF are complementary and organizations can leverage elements of both. Proper implementation and board involvement are important.
Tech Refresh - Cybersecurity in Healthcare
- 1. 1 Cybersecurity in Healthcare Steven Goriah, DHA, CHCIO, FACHE, CISM Vice President Information Technology CISO Westchester Medical Center Health Network
- 3. • 82 % of hospitals reported a significant security incidents in the past 12 Months • E-mail (e.g., phishing email) continues to be the most frequently reported initial point of compromise (69%) n=166 • E-mail can contain a wealth of information, including sensitive patient clinical and financial information 3 2019 HIMSS CYBERSECURITY SURVEY
- 4. LifeBridge Health • The attack potentially breached the data of around 500,000 patients. Health Management Concepts • This ransomware attack fast became a full-blown data breach over 500,000 patients. UnityPoint Health • Two security breaches last year. The second compromised the data of 1.4 million patients. 4 Largest Healthcare Data Breaches of 2018
- 5. It’s all about Risk Management. Which is riskier? “More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.”
- 6. How do we approach such a complex situation for Healthcare? 6
- 7. What is the Role of a Framework? • Provides a common language and systematic methodology for managing cybersecurity risk. • Includes activities to be incorporated in a cybersecurity program that can be tailored to meet any organization’s needs. • Designed to complement, not replace, an organization's cybersecurity program and risk management processes. 7
- 8. • ISO 27000 Series • CObIT 5 • NIST SP 800 Series • HITRUST v9 Usable Cybersecurity Frameworks (most popular of the more than 200 available) 8 HITURST CSFcontains 149 security and privacy controls parsed amongst 46 control objectives within 14 broad control categories
- 9. 9 Choose a Suitable Framework Wisely
- 10. Choose a Framework (one or more) – The Only Bad Choice is No Choice! 10
- 11. High-level HITRUST and NIST CSF Comparison HITRUST NIST Purpose A scalable, prescriptive and certifiable framework specific created in response to multiple compliance requirements, many of which are subject to interpretation In response to the President’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013). It’s a framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure Industry Healthcare-specific Applies broadly across multiple industries Objective A framework that can be leveraged to communicate, compare and benchmark cybersecurity AND can be used for certification A framework that can be leveraged to communicate, compare, and benchmark cyber security Illustrative Sources ISO, HIPAA, NIST, CMS, MARS-E, IRS, PCI, CSA-CCM, state laws, etc. COBIT, NIST, ISA, CCS, ISO, HIPAA (new) 11
- 12. HITRUST CSF and NIST CsF • HITRUST CSF and NIST CsF are complementary frameworks • While an organization can leverage either frameworks on its own, there is value in • Leveraging HITRUST as the HPH standard and • Using the NIST CsF being the mechanism to communicate maturity and comparison between industries 12
- 13. 13 Comparison of ISO, NIST, and HITRUST Footnotes on next page (published by HITRUST in 2014)
- 14. Implementation Advice • Allow for flexibility in implementation and bring in concepts of maturity models • Reflect how your organization will implement core functions and manage its risk • Be progressive, building on previous tiers • Define the characteristics at the organization level and determine how a category will be implemented 14
- 15. Get the Board Involved • Audit and Compliance Committee • IT Subcommittee of the Board • Finance Committee 15 but not too involved…
- 16. Keep the Reporting Simple But Consistent… • Use terms that Board members can understand • Should be easy enough to understand without explanations • Provide the explanations • Propose a model and get the Chair’s endorsement • Use terms broad enough to accommodate evolving needs • Avoid the temptation to change • Use graphs and iconography that work in color and black & white 16
- 17. • Communicate, but test for comprehension at every step with every stakeholder group • Plan and ADJUST • Clarify Roles and ADJUST • Eliminate Ambiguity and ADJUST • Embrace Accountability • Execute and ADJUST • Continue Praying Be Deliberate 17 and ADJUST
- 18. Individual/Body CIO CMIO ISGC Task Support Implementation of EHR R A I Engage physicians in information system selection/development A R C Manage vendors R C I Negotiate contracts R C I Design clinical systems/review clinical processes C R I Build clinical systems/change workflow processes R C I Test clinical systems/workflow changes R C I Validate (testing with users) clinical systems/workflow changes C R I Develop training curriculum (design education tools and content) I R I Deploy training (deliver education) R C I Select end-user devices C R I Govern Information Management activities A C R Participate in Executive Leadership R I C Report to the Institutional Board R C I Participate in HIE activities C C R Responsible for performance of task Assists responsible person, may do bulk of work Consulted - opinions are sought Informed - kept up-to-date on progress RACI Matrix for CIO, CMIO, and IS Governance Council (ISGC) mm/dd/yyyy Role Clarification and Responsibility is Essential – RACI Diagram 18
- 19. • Many positive advances are occurring in healthcare cybersecurity practices. • Cybersecurity professionals have more resources and budget available to help ensure that their organizations stay ahead of the threats. • Cybersecurity professionals feel empowered to drive change in healthcare organizations 19 2019 HIMSS CYBERSECURITY SURVEY
- 20. 20 It’s critical to create a culture of privacy and security.
- 21. Thank You! 21