THE COMPLEX RELATIONSHIP AMONG PRIVACY, SECURITY AND ACCESS
Glenn E. Pearson, FACHE
April 6, 2017
Carolina Health Research Institute and Research Hub at UNC’s Health Sciences Lab
The 4 Fronts of the Healthcare Technology Revolution
1. Patient-Touching
– Diagnostic
– Intervention
– Implantables and Devices
2. Personalized Medicine
– Clinical
– Coordination
3. Communications
– Between patients and providers
– Among providers
4. Business Functions
– Clinical applications
– Standard business functions
Requirements for Adopting Technology
■ Usefulness
– It does something I care about
■ Reliability
– Consistency of function
– Accuracy of underlying logic and algorithms
■ Trustworthiness
– Regarding privacy
– Regarding security
■ Ease of Use
– Work flow
– Access
Recent Notorious Data Breaches
■ Yahoo! – 1,000,000,000 accounts
■ LinkedIn – 165,000,000 accounts
■ Target – 110,000,000 accounts
■ Dropbox – 68,000,000 accounts
■ Home Depot – 54,000,000 credit cards compromised
■ Sony Pictures Entertainment – significant exposure of their inner workings and data
Health Data Breaches Factoids
■ 8-½ times more data breaches in 2016 than in 2006
■ 87% of healthcare attorneys believe their clients are at greater risk than other industries
■ At 78M records, March 2015 Anthem breach wins prize for largest single loss
SOURCE: Modern Healthcare – January 23, 2017 issue, extensive special report called “Building a Better Cyberdefense”
Total Number of Healthcare Records Breached per Year

Year         Records breached (millions)
2009         0.1
2010         5.5
2011         13.1
2012         2.8
2013         6.9
2014         12.5
2015 (est.)  198

SOURCE: healthmgttech.com, Nov/Dec 2015 – 2015 estimate extrapolated from actual 2015 data through June 26, 2015
Sources of Healthcare Data Breaches
(percentage of organizations reporting each cause; a breach can have more than one cause, so the figures do not sum to 100)
■ Criminal Attack – 45%
■ Lost or Stolen Computing Device – 43%
■ Unintentional Employee Action – 40%
■ Third Party Snafu – 39%
■ Technical Systems Glitch – 31%
SOURCES: Healthcare and Cybersecurity: Increasing Threats Requires Increased Capabilities, KPMG, 2015 + Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute, 2016
Hackers’ Methods
■ Vulnerabilities in software
■ Vulnerabilities caused by patches or interfaces
■ Connected medical devices and other parts of IoT
■ Luring users
How Employees Cause Breaches
■ Disgruntled employees
■ Sloppy actions by employees
– Lured by phishing or other attacks
– Lost laptops or other devices
– “Shadow IT”
Steps for Developing a Risk Mitigation Strategy
■ Assess your level of risk exposure
■ Decide your level of risk tolerance
■ Align your resources
■ Get organizational buy-in
■ Manage accordingly
5 Risk Mitigation Actions
1. Invest in intelligent software
– Detect unusual activities
– Trigger immediate investigation and intervention
2. Increase budget allocation for cybersecurity
– Make sure you have enough highly trained staff
3. Develop processes to implement security patches for connected medical devices
– Newer vector for intrusion
– Sometimes overlooked
4. Replace aging medical devices
– Manufacturers sometimes stop supporting older devices
– Increases vulnerabilities over time
5. Virtually separate devices from the rest of your network
– Having the entire infrastructure connected allows more thorough penetration in the case of a breach
SOURCE: “A smarter anti-hack defense,” Modern Healthcare, January 23, 2017
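Action 1 above ("detect unusual activities, trigger immediate investigation") is the only one of the five that is a detection technique rather than a budgeting or architecture decision, so here is a concrete illustration of what such logic looks like over an EHR audit trail. This is an added example, not code from the presentation or from any product it mentions; the log format, user names, patient IDs and the thresholds (off-hours window, minimum alert count, three-sigma rule) are all constructed assumptions. It flags two of the patterns a hospital compliance team actually chases: chart access outside any shift, and a user suddenly opening far more distinct patient records in a day than their own recent baseline.

```python
"""Flag unusual patient-record access in an EHR audit log.

Added illustration, not code from the presentation. The log format, user
names, patient IDs and thresholds are all constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

OFF_HOURS = range(0, 6)   # assumed: 00:00-05:59 is outside any shift
MIN_ALERT_COUNT = 5       # assumed: never alert on fewer distinct patients
SIGMA = 3.0               # assumed: alert above mean + 3 standard deviations

# Constructed audit log, one event per line: "<ISO timestamp> <user> <action> <patient id>".
SAMPLE_LOG = "\n".join(
    ["2017-03-06T09:12:01 nurse_a VIEW P1001",
     "2017-03-06T09:40:12 nurse_a VIEW P1002",
     "2017-03-06T13:05:45 nurse_a VIEW P1003",
     "2017-03-07T08:55:10 nurse_a VIEW P1001",
     "2017-03-07T10:20:33 nurse_a VIEW P1004",
     "2017-03-07T11:02:00 nurse_a VIEW P1005",
     "2017-03-07T15:47:21 nurse_a VIEW P1006",
     "2017-03-08T09:01:09 nurse_a VIEW P1002",
     "2017-03-08T12:30:00 nurse_a VIEW P1007",
     "2017-03-08T16:11:48 nurse_a VIEW P1003",
     "2017-03-08T02:30:00 clerk_b VIEW P1009"]
    # fourth day: nurse_a opens 15 different charts in one afternoon
    + [f"2017-03-09T14:{m:02d}:00 nurse_a VIEW P{2000 + m}" for m in range(15)]
)


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, user, action, patient) tuples."""
    rows = []
    for line in log.splitlines():
        ts, user, action, patient = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, patient))
    return rows


def detect_anomalies(log: str) -> list[tuple[str, str, str]]:
    """Return (user, day, reason) alerts for off-hours access and volume spikes."""
    # user -> day -> set of distinct patients touched that day
    per_day: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    alerts: list[tuple[str, str, str]] = []

    for ts, user, _action, patient in parse(log):
        day = ts.date().isoformat()
        per_day[user][day].add(patient)
        if ts.hour in OFF_HOURS:
            alerts.append((user, day, f"off-hours access at {ts.time()}"))

    for user, days in per_day.items():
        counts = {day: len(patients) for day, patients in days.items()}
        for day, count in counts.items():
            # Baseline is the same user's other days, so a busy ICU nurse is
            # compared with herself, not with a records clerk.
            others = [c for d, c in counts.items() if d != day]
            if len(others) < 2:
                continue  # not enough history to call anything unusual
            threshold = max(mean(others) + SIGMA * pstdev(others), MIN_ALERT_COUNT)
            if count > threshold:
                alerts.append((user, day,
                               f"{count} distinct patients, baseline ~{mean(others):.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

The per-user baseline is the point: a fixed "more than N charts per day" rule either drowns the security team in alerts from high-volume roles or misses a clerk who quietly doubles their usual browsing. In production the baseline would come from weeks of history rather than three days, and each alert would open a ticket for the privacy officer rather than being printed.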
Beyond the IT Staff
■ Executive leadership
– Should be fully invested in supporting policies
– Many don’t “get” IT
■ “Would You Rather Buy Healthcare Technology or Manage a Nuclear Power Plant?”
■ “I hope I can hold out for eight more years”
■ Human Resources
– Responsible for implementing policies
■ End Users
– Must constantly be reminded
Policies Needed
■ Passwords
– Complexity
– Expiration
– Repetition
■ Wi-Fi security
■ Safe browsing practices
■ Remote access
■ Mobile devices
■ Data retention
Background Reasons Why Clinicians May Not Use Tech
■ Aversion to technology
■ Doesn’t deliver what it promises
■ Interruption of workflow
Some Security Best Practices
■ Complex passwords (upper and lower case, numbers, symbols) or randomly generated
■ Requirement to change passwords frequently
■ Not allowing reuse of formerly used passwords
■ Two-factor (two-step) authentication
■ Biometrics
– BUT my iPhone refuses to recognize me
■ Short time-outs
■ Prohibitions on BYOD
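The three password rules that appear both under "Policies Needed" (complexity, expiration, repetition) and in the best-practices list above are easy to state and surprisingly easy to get wrong in an enforcement system, typically by storing old passwords in the clear so they can be compared. The following is an added example, not code from the presentation, showing one correct way to enforce all three: composition checks, an age check, and a reuse check against a salted-hash history so that no former password is ever kept in plaintext. The minimum length (12), maximum age (90 days), history depth (5) and PBKDF2 iteration count are assumed policy values. One caveat a practitioner should weigh: NIST SP 800-63B, published in June 2017 (two months after this talk), recommends against forced periodic rotation and composition rules, favoring length and screening against known-compromised passwords instead; the history check and the random generator below remain useful under either approach.

```python
"""Password-policy checks: complexity, expiration and reuse of prior passwords.

Added illustration, not code from the presentation. The thresholds (12
characters, 90-day maximum age, 5 remembered passwords) are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 12          # assumed policy value
MAX_AGE_DAYS = 90        # assumed policy value
HISTORY_DEPTH = 5        # assumed policy value
PBKDF2_ROUNDS = 200_000  # assumed; tune to the verifier's CPU budget


def complexity_failures(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the composition rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The history stores only these pairs, never plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: list[tuple[bytes, bytes]],
              depth: int = HISTORY_DEPTH) -> bool:
    """True if the candidate matches any of the last `depth` stored hashes."""
    for salt, digest in history[-depth:]:
        _, candidate = hash_password(password, salt)   # re-derive with the stored salt
        if hmac.compare_digest(candidate, digest):     # constant-time comparison
            return True
    return False


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=max_age_days)


def generate_password(length: int = 16) -> str:
    """Random password drawn with the secrets module that satisfies complexity_failures()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not complexity_failures(candidate):   # rejection-sample until every class is present
            return candidate


def evaluate_change(new_password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """All reasons a proposed new password must be rejected (empty list = accept)."""
    reasons = complexity_failures(new_password)
    if is_reused(new_password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return reasons


if __name__ == "__main__":
    # Constructed example history: three prior passwords, stored salted and hashed.
    history = [hash_password(p) for p in ("Winter2016!xyz", "Spring2017!xyz", "Summer2017!xyz")]
    print(evaluate_change("Summer2017!xyz", history))     # rejected: reuse
    print(evaluate_change("password", history))           # rejected: complexity
    print(evaluate_change(generate_password(), history))  # accepted: []
    print(is_expired(date(2017, 1, 1), date(2017, 4, 6))) # expired: 95 days old
```

Two design points matter more than the thresholds. The reuse check re-derives the hash with each stored salt and compares in constant time, so the history table leaks nothing useful if it is ever exfiltrated. And the generator rejection-samples from a cryptographic source rather than bolting one character of each class onto the end, which would otherwise make the "random" passwords structurally predictable.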
Summary Needs for Adoption
■ Patient and clinician assurances of privacy
■ Adequate security measures to assure privacy
■ Reasonable policies that allow appropriate access, so that authorized users actually use the technology
Contact Information
Glenn E. Pearson, FACHE
Pearson Health Tech Insights, LLC
660 Cross Fire Ridge
Marietta, GA 30064
(770) 861-6941