TKCG - Cybersecurity Are You Prepared for Tomorrow 070815 FINAL LMN

Cybersecurity:

Are You Prepared for Tomorrow?

July 8, 2015 © 2015 The Kiran Consortium Group, LLC

Table of Contents

Reproduction of this presentation in part or in its entirety is prohibited

without express written consent from The Kiran Consortium Group, LLC.

Copyright 2015. All rights reserved.

Cybersecurity: Are You Prepared for Tomorrow?

2

• Introduction

• What We

Know

• A Path

Forward

• Bibliography

• Contact

Introduction

© 2015 The Kiran Consortium Group, LLC 3

Introduction

© 2015 The Kiran Consortium Group, LLC

Over the last two years, an increasing number of

instances of hacking into organizations across

industries has become our modern, digital reality.

4


Now, more than ever,

healthcare executives must

elevate cybersecurity to an

enterprise-level, strategic

initiative. It will require a

relentless commitment to

on-going governance,

vigilance and proactive

approaches.

Introduction


Let’s begin with a definition.

5


“Cybersecurity encompasses a

broad range of practices, tools and

concepts related closely to those

of information and operational

technology security. Cybersecurity

is distinctive in its inclusion of the

offensive use of information

technology to attack adversaries.” [1]

One other element not mentioned by the

Gartner definition, but is found in another

definition mentions the “user’s assets” in

context with cybersecurity. [2]

Gartner, Inc., the world's leading information technology research and advisory company, developed this

definition in 2013:

Introduction


The definition is further clarified as follows:

6


Gartner, Inc. further advises:

"Security leaders should use the term "cybersecurity" to designate only

security practices related to the combination of offensive and

defensive actions involving or relying upon information technology

and/or operational technology environments and systems.“ [3]

We believe the relationship between cybersecurity and the assets of

every healthcare organization is critical to the current executive

conversation and will inform Board level communication, the

enterprise-wide, strategic plan and implementation of appropriate

tactical measures to safeguard organizational data.

Why discuss cybersecurity now?

Introduction

Presentation

Goals:

7



What is not included in

this presentation:

1) a technical view and

solutions for cybersecurity,

2) A technical view of privacy

and security, and/or

3) reference or endorsement

of any specific solution(s)

and/or service(s) to

anticipate or remediate

breaches.

What We Have Learned to Date

Across Industries and In

Healthcare

Increase Healthcare Executive

Engagement on Cybersecurity

Executive Approach to Integrate

Cybersecurity Into Strategic,

Management

Goals

and Mitigate

Potential Risk

8 © 2015 The Kiran Consortium Group, LLC

What

We

Know

What We Know


Data breaches are a

global phenomenon

increasing in number

and magnitude over

time.

• From 2005 through 2011, the

Business Sector was listed in

first place with 34.4 % of

breaches. [4]

• In 2012, the Medical and

Healthcare Sectors replaced

Business as the industry with

the greatest number of

breaches at 26.4 %. [4]

• In 2014, the Medical and

Healthcare Sectors breaches

rose to 42.5 % when

compared to all industries. [4] 2011

2012

2013

2014

2015

Note: Bubble

diagram

only includes

those

breaches

that

impacted

greater than

30,000

records. [5]

What We Know


Experts warn 2015

could be 'Year of the

Healthcare Hack‘ February 11, 2015 [6]

Pharma and Biotech

Firms Hacked December 2, 2014 [12]

Anthem Hacking Points

to Security Vulnerability

of Health Care Industry February 5, 2015 [14]

Healthcare Sector

Security Efforts Needs

a Shot in the Arm May 12, 2015 [8]

Implantable Devices:

Medical Devices Open to

Cyber Threats April 8, 2015 [13]

Concern for medical and healthcare cybersecurity is widespread.

Epidemic of Healthcare

Cyberattacks Requires

Action, Says WEDI June 25, 2015 [7]

Hospitals Battle Data

Breaches With a

Cybersecurity SOS February 10, 2015 [10]

GAO To Release

HealthCare.Gov

Cybersecurity

Report in 2015 April 24, 2015 [11]

Lesson From the Anthem

Hack: Cybersecurity

Must Extend Beyond

Encryption February 11, 2015 [9]

Cyber attacks and breaches,

2014 -2015: [X]

Airlines

Communications Firms

Entertainment Industry

Financial Services (includes Banks)

Hotels

Insurance Companies

Internet Service Providers

Mobile Applications Firms

Oil

Restaurants

Retailers

Social Media

Technology Firms / Contractors

U.S. Government

What We Know


The magnitude of select healthcare data breaches (Part I):

78.8 / 80 M [15, 14]

1.1 M [16, 17]

11.0 M [16]

0.250 M [16]

0.150 M [16]

2015 The Office of Civil Rights requires

breaches of 500 or more records to be

reported. Approximately 137 data

breaches have been reported from

January 1 through June 15, 2015.

Cyber attacks and breaches,

2014 -2015: [X]

Airlines

Communications Firms

Entertainment Industry

Financial Services (includes Banks)

Hotels

Insurance Companies

Internet Service Providers

Mobile Applications Firms

Oil

Restaurants

Retailers

Social Media

Technology Firms / Contractors

U.S. Government

What We Know


The magnitude of select healthcare data breaches (Part II):

2014 4.5 M [18, 10]

2013

2011 2010

4.9 M [20] Source of Breach: Lost back-up tapes

Source of Breach: Heartbleed software bug

Source of Breach: Theft of 4 computers

containing unencrypted medical records 4 M [20]

1.9 M [20] Source of Breach:

Vendor lost drives

1.1 M [20]

Source of Breach:

Malware attack

Source of Breach:

Unencrypted back-

up tapes stored in

a cabinet lost

during remodeling

1.1 M [20]

Source of Breach: 57 hard drives removed

from servers in Chattanooga office

1 M [20]

What We Know

Varied types of healthcare data breaches :

Researchers conduct a review

of data from HHS breaches

database, 2010-2013: [21, 22]

Nearly 1,000 larger

breaches occurred

More than 29 M individual

health records breached

More than 50 % of breaches

resulted from loss or theft

of laptops, thumb drives,

and paper records

Hacking accounted for 27%

of 2013 breaches

The largest breaches reports to HHS

from, 2010-2013: [23]

Range of top 50 breaches equals

48,752 to 78.8 M records

Sources of breaches (as specified by

organization):

Hacked Network Server = 12

Unauthorized Access = 8

Theft of Server = 1

Theft of Desk Top = 5

Theft of Laptop = 5

Theft of Hard Drives = 4

Theft of Back-Up Tapes = 1

Stolen Hardware = 1

Stolen Records & Hardware = 1

Missing Hard Drive = 1

Missing Storage Disks = 1

Missing Server = 1

Malware Attack = 1

Record Theft = 1

Information Theft = 1

Hacked Computer = 1

E-Mail Hacked = 2

Improper Disposal = 1

Exposed Information = 1

Other = 1


What We Know


2014:

Total Average Cost of Data Breach = $ 3.8 M

2013: Total Average Cost of Data Breach = $ 3.5 M

Study

“…found that healthcare was most

at risk for costly breaches, with an

average cost per record lost or

stolen as high as $ 363, more than

twice the average for all sectors of $154.” [24]

Financial impact of data breaches: [24]

What We Know


Risk Ranking for Information Assets in Health

Care Systems (Top 5 Risks) • Electronic Health Record (61%)

• Infrastructure (middleware, network) (45%)

• Personal Health Records (42%)

• Patient Portals (36%)

• Corporate Assets / Intellectual Property (33%)

Survey: Assessing potential risk for breaches: [25]

Risk for Mobile Devices in Health Care Systems

(Top 5 Risks) • Lack of Awareness of Security Policies (73.9%)

• Insecure or Unprotected Endpoints (73.3%)

• Lost or Stolen Device (70.3%)

• Corrupt, Hacked or Malicious Applications (58.2%)

• Insecure Wireless Use (49.7%)

Per Cent of Budget

Allocated for Security • IT Budget is 4-6%: 13%

• IT Budget is 1-3%: 14%

• Unsure of IT Budget Allocation To Security: 47%

15 Note: There are numerous surveys in the industry

that can be reviewed as background information.

What We Know

Survey: Cybercrime by Industry: [25]


What We Know

Report: Cybersecurity Impacts on Healthcare Enterprises:


“1. Despite years of effort, and tens of billions of dollars spent annually, the global economy is

still not sufficiently protected against cyberattacks, and the risk is getting worse. The potential

impact is enormous: cyberattacks could materially slow the pace of technology and business

innovation, with as much as $3 trillion in aggregate impact. • “Healthcare systems are rapidly digitizing their operations and services to meet patient needs, reduce costs, and increase

competitiveness. A rise in cyberattacks could slow adoption of newer technologies ranging from electronic health records to

more sophisticated medical devices and solutions (e.g., telemedicine, connected infusion pumps, and robotic surgery).

• “…high proportion of the healthcare executives … interviewed believe… sophistication or pace of cyberattacks will increase

quickly, and all … agreed attackers’ capabilities will likely outpace the capabilities of their organization.”

“2. CIOs and other enterprise technology executives agreed on seven practices they should put in

place to improve their organization’s resilience … “ • “…. most underdeveloped…56% healthcare respondents believe[e]… their company spends insufficiently on cybersecurity.”

“3. Given its cross-functional, high-stakes nature, cybersecurity is an issue requiring leadership

at the CEO level; progress toward cyber resiliency can only be achieved with active engagement

from the senior members of the management team. “ • “… impact of data loss or compromised quality could be massive. Not only could it result in reputational damage and high costs

(including HIPAA fines), but it could also effectively shut down the organization.”

• “Healthcare executives are more worried about insider/employee threats than are leaders in any other industry – 41% of the

healthcare executives rating those threats as one of the top two risks likely to have a strategic and negative impact on their

bottom line.”

• “… effort should be a company-wide initiative, not just a set of technical solutions. (e.g., frontline personnel should be educated

about the value of information assets). “

McKinsey and the World Economic Forum publish a 2014 report, “Risk and Responsibility

in a Hyperconnected World”. Their 3 healthcare cybersecurity findings are as follows: [26]

http://www.mckinsey.com/~/media/McKinsey/dotcom/Insights/Business Technology/Risk and responsibility in a hyperconnected world Implications for enterprises/Risk and responsibility in a hyperconnected world Implications for enterprises.ashx



“We are focused on

raising awareness to

make sure folks are

incorporating

cybersecurity into their

risk management

programs.” Chantal Worzala

Director of Policy

American Hospital Association

“…the association believes everyone should

take cybersecurity seriously and incorporate it

into a larger risk management program.

“Every organization, no matter what size, can

do a great deal to reduce their risk and prevent

attacks from happening,” …while cautioning

hospitals not to focus exclusively on patient

information protection. …Thinking about the

HIPAA privacy and security rules is

important, but not the whole picture. Any of

your systems that are connected to the Internet

can potentially allow a source of invasion into

your organization.” Lawrence Holmes

Assistant General Counsel

American Hospital Association

What We Know

Professional Societies: Cybersecurity and Risk [10]


What We Know

Healthcare Providers: Cybersecurity and Risk


How might your organization be impacted

by risks associated with cybersecurity?

o Interruption of Business Operations

o Remediation Costs

o Community Good Will [10]

o Trust, Consumer and Clinician

o Potential Law Suits

o Financial Fines (Breach notification to

Department of Justice)

o Professional Reputation, Corporate or

Individual Provider

o Assets (e.g. Medical Devices, Hardware,

Mobile Devices, etc.)

o Intellectual Property

What We Know


2015:

Cybersecurity

predictions

across

industries [27]

Note: “ …forward-looking articles from 17 organisations and assigned the resulting

130 predictions to a number of emergent categories to produce the graph:”

“One thing about

cybersecurity is certain: it's

no longer sufficient for

organic[z]actions simply to

guard the network perimeter

with a firewall and install

antivirus software on

endpoints. CSOs and CISOs

need to continually monitor

the evolving threat

landscape, and to replace

an "if we get hacked"

mindset with a "when we

get hacked" one.” [27]

What We Know


April 8, 2014: The Federal Bureau of Investigation issues

a “private industry notification” (PIN) specifically to the

healthcare industry.

Government Guidance to the Healthcare Industry (Part I):

"The healthcare industry is

not as resilient to cyber

intrusions compared to the

financial and retail sectors,

therefore the possibility of

increased cyber intrusions

is likely." [28]

What We Know


October 23, 2014: The Food and Drug Administration

issues a position to the healthcare industry regarding

medical devices and the threat of cyber attacks.

Government Guidance to the Healthcare Industry (Part II):

“..To mitigate and manage cybersecurity

threats, the FDA recommends that medical

device manufacturers and health care facilities

take steps to assure that appropriate safeguards

are in place to reduce the risk of failure due to

cybersecurity threats, which could be caused by

the introduction of malware into the medical

equipment or unauthorized access to

configuration settings in medical devices and

hospital networks. …” [29]

A Path Forward

© 2015 The Kiran Consortium Group, LLC 23


A Path Forward

Refresh your cybersecurity efforts

Healthcare executives and their organizations have been focused on

privacy and security for many years. Given the growing number and

frequency of cyber attacks, refreshing your enterprise cybersecurity

efforts is timely. Here are a few recommendations for this effort:

o Board of Directors

Education and Governance

o Executive Team

Engagement and Oversight

o Enterprise-wide Culture of

Awareness

o Investment, and

o Cyber Insurance


A Path Forward

1. Strategic Planning Challenges

2. Cybersecurity 3. Assess the Impact of Advances in

Technology and Big Data

4. Shareholder Activism

5. The Return of M&A

6. Risk Management 7. Ensure Appropriate Board Composition

8. Explore New Trends in Reducing

Corporate Health Care Costs

9. Executive Compensation

10. Maintain Robust Compliance Programs

“Cybersecurity is not an IT issue.

It’s a business issue.” [30]

“Cybersecurity is “the foremost

issue on directors’ minds right

now because it is tied into the risk

structure of the organization.” [30]

The Anthem breach, due to its magnitude, started all industries

talking about cybersecurity at the Board of Director level:

[31]


A Path Forward

Solution: ‘”What we see works most

effectively as boards are pushing

into this area [cybersecurity] is

working collaboratively with

executives in the organization to

work through what’s important and

settle on a series of

communications and metrics on

governance for cybersecurity.’’ [30]

Additional information: “Educating the Board”, eight specific tips

on how best to address cybersecurity. See citation [30].

Solution: Identify Board members that will participate on two committees:

Cybersecurity and Audit.


A Path Forward

Solution: “Given its cross-functional, high-stakes nature, cybersecurity is an

issue requiring leadership at the CEO level…” [26]

Solution: The Chief Information Officer and

Chief Information Security Officer

should work with the Executive

team to determine the information

that will be regularly reported to

this group. Given the business

risks posed by cyber attacks, this

information is critical to all executives across the enterprise.


A Path Forward

Solution: o All Executives have a stake in

working toward the prevention

of cyber attacks – either from

within the organization or from

external sources.

o Risk mitigation will require

executives from all service

lines to be active participants

and advocates of cyber crime

prevention.

o Data is a corporate asset and

any threat is a strategic as well

as tactical imperative.

McKinsey Report:

41 % of healthcare executives

indicated that are most

concerned about insider or

employee cyber threats [ 26]

A Path Forward


Solution: o Education for the entire

healthcare organization will

stress the importance of

security and the impact of

potential cyber attacks (e.g.

password protection, unauthorized

access to information, theft, impacts on

organization from cyber attacks, etc.).

Solution: o Healthcare organizations can find various types of

cybersecurity materials on the HHS website, www.healthit.gov

(e.g. “Top 10 Tips for Cybersecurity in Health Care”). [32]

A Path Forward


Benchmark:

Regardless of industry, the

level of cybersecurity

investment within an

Information Technology

budget ranges from 1-3 %. [25]

Note: Cybersecurity is not just a technical solution, investment towards related cybersecurity efforts may be allocated across the enterprise based

on the executive team’s assessment as to those areas that will be underwritten in the budget.

Point of Reference: Over last 3 years, 76 % of healthcare breaches resulted

from loss or theft while hacking accounted for 23 % of breaches. [33]

Solution: o Assess current requirements to support enterprise-wide

cybersecurity efforts. Determine budget levels accordingly.

A Path Forward


For your reference: Insurance Benchmarks [34]

Annual Revenue: $ 100 M

Aggregate Limit: Between $ 1 M and $ 4 M

Retention: $ 25,000 to $ 100,000

Annual Revenue: $ 500 M to $ 600 M


Retention: $ 50,000 to $ 250,000

Annual Revenue: $ 1 B


Retention: $ 100,000 to $ 1 M

Example [34]

Health System with 7 hospitals, 8 long-term

care facilities and 6 assisted living sites

Cyber Policy Coverage: $ 8 M - $ 10 M

Policy Cost: $ 100,000

Example [35]

Anthem

Cyber Policy Coverage: $ 150 M - $ 200 M

Policy Cost: $ 10 M (primary) and $ 10 M

(self-retention)

Solution: o Review existing insurance coverage.

Update policy coverage, as necessary.

A Path Forward


Cyber insurance can provide basic

coverage for liability, regulatory

fines or penalties as well as

business disruption coverage. In

addition, other related expenses

can be available under expanded

coverage: • “Legal costs,

• Costs related to a class action lawsuit,

• Costs related to forensics and investigation,

• Public relations costs,

• System monitoring costs,

• Credit monitoring,

• Identity theft repair for victims of the breach,

• Staffing budget for the hospital call center to

handle increased inquiries in the aftermath

of the breach,” [34]

• Computer forensics, etc.

“[Adam Greene] recommends that hospitals look into

purchasing cyber insurance policies to protect themselves

from the potential damage of attacks, which, according to

one industry survey, cost an average of $2.4

million to address. ‘Cyberattacks are often excluded

from general insurance policies, but can be ruinous to

large organizations if there are breaches’”. [10]

Adam Greene

Health Care Attorney

Davis Wright Tremaine


A Path Forward

In summary….

Cybersecurity has been elevated to the status of national

importance. On February 12, 2013, President Obama issued

Executive Order 13636, “Improving Critical Infrastructure

Cybersecurity”. [36]

As a result, the

National Institute of

Standards and

Technology (NIST),

an agency of the U.S.

Department of

Commerce, is tasked

with working “with

stakeholders to

develop a voluntary

framework – based

on existing standards,

guidelines, and

practices - for

reducing cyber risks

to critical

infrastructure”. [37]


A Path Forward

In summary….


Bibliography

35


Presentation: Cover Page

Graphic found on cover page is found on Bing.

https://www.bing.com/images/search?q=Glass+breaking&view=detailv2&&&id=DBAFEE1F65397FE5A123E7A52513714C3D20DC70&selectedInde

x=26&ccid=Zv42OKj3&simid=608020834029275732&thid=JN.rPvNENhW6H3Suq5pV%2blShw&ajaxhist=0

Table of Contents

Graphic found on cover page is found on Bing.

https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=C6B1B522DD2188294DDACC8878E8E479DC7A7807&selectedInde

x=3&ccid=Qdwh7gau&simid=608011612734295082&thid=JN.eHWRwslnXbm2xQfOX0960A&ajaxhist=0

Introduction

Page 3 Graphic is found on Bing: http://farm8.staticflickr.com/7445/11076044155_ff4b859b92_z.jpg

Page 4 Graphic is found on Bing:

https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=334BAF7B27A696389C51F7E1FBEDA132F75D8B

3E&selectedIndex=32&ccid=t6LH2bgi&simid=608020357293868390&thid=JN.uPRVrt9M277hEtZKnK5NmA&ajaxhist=0

Page 5 Graphic is found on Bing:

https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=DE81F539D27E1A2F70C7A26BA07E6EE2D

8173C73&selectedIndex=935&ccid=2XfZkeeA&simid=607989377695549723&thid=JN.7jGsCLT0mYnxiMTfDOzvFw&ajaxhist=0

[1] Andrew Walls, Earl Perkins and Juergen Weiss, authors of the definition Gartner, Inc. has established for

Cybersecurity in a report issued on June 7, 2013. https://www.gartner.com/doc/2510116/definition-cybersecurity

[2] The ITU is the United Nations specialized agency for information and communication technologies

(ICTs). While this is not common reference material, they have uniquely identified the relationship between

Cybersecurity and a “users assets”. http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx

Entire definition is found on the following page.

Bibliography

36


Introduction (continued)

Page 6 [2] Continued

Their definition is as follows (Overview of cybersecurity):

“Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk

management approaches, actions, training, best practices, assurance and technologies that can be used to

protect the cyber environment and organization and user’s assets. Organization and user’s assets include

connected computing devices, personnel, infrastructure, applications, services, telecommunications

systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity

strives to ensure the attainment and maintenance of the security properties of the organization and user’s

assets against relevant security risks in the cyber environment. The general security objectives comprise the

following:

- Availability,

- Integrity, which may include authenticity and non-repudiation, [and]

- Confidentiality”

[3] Franscella, Joe. “Cybersecurity vs. Cyber Security: When, Why and How to Use the Term”, Infosec

Island , July 17, 2013.

http://www.infosecisland.com/blogview/23287-Cybersecurity-vs-Cyber-Security-When-Why-and-How-to-Use-the-Term.html

“First, let’s tackle the when and why; we’ll move onto the how later…

In June, Gartner (@Gartner_inc) acknowledged that there is confusion in the market over how the term should be used, prompting

the firm to publish “Definition: Cybersecurity” (note, Gartner uses the single-word form). In it, analysts Andrew Walls, Earl Perkins

and Juergen Weiss wrote that “Use of the term ‘cybersecurity’ as a synonym for information security or IT security confuses

customers and security practitioners, and obscures critical differences between these disciplines.” To help set the record straight,

the team defined the term:

"Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational

technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack

adversaries."

Additionally, Gartner advised:

"Security leaders should use the term "cybersecurity" to designate only security practices related to the combination of offensive

and defensive actions involving or relying upon information technology and/or operational technology environments and systems."

Bibliography

37

https://twitter.com/Gartner_inc


What We Know

Page 8: Graphic is found on Bing:

https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=008EB29055FD82E20

A43504673746150287D7BB1&selectedIndex=11&ccid=csPUwyrR&simid=608013519700100824&thid=JN.O

ZEhTe5yVao%2fEDwtds5FdA&ajaxhist=0

Page 9: [4] “Identity Theft Resource Center Breach Report Hits Record High in 2014” , IT Theft Center, January 12,

2015. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html

[5] “World's Biggest Data Breaches (Selected losses greater than 30,000 records )”, updated June 13,

2015. Source: DataBreaches.net, IdTheftCentre, press reports / Research: Miriam Quick, Ella Hollowood,

Christian Miles, Dan Hampson.

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 10: [6] Humer, Caroline and Finkle, Jim. “Experts warn 2015 could be 'Year of the Healthcare Hack‘”, Reuters ,

February 11, 2015 at1:29pm EST.

http://www.reuters.com/article/2015/02/11/us-usa-healthcare-cybersecurity-analysis-idUSKBN0LF22H20150211

[7] Slabodkin , Greg. “Epidemic of Healthcare Cyberattacks Requires Action, Says WEDI”, Health Data

Management, June 25, 2015 at 7:54am ET. http://www.healthdatamanagement.com/news/Epidemic-of-

Healthcare-Cyberattacks-Requires-Action-Says-WEDI-50770-1.html?utm_campaign=daily-

jun%2025%202015&utm_medium=email&utm_source=newsletter&ET=healthdatamanagement%3Ae4631750%3A4223235a%3A&st

=email

[8] Iasiello, Emilio. “Healthcare Sector Security Efforts Needs a Shot in the Arm”, Dark Matters, May 12,

2015. http://darkmatters.norsecorp.com/2015/05/12/healthcare-sector-security-efforts-needs-a-shot-in-the-arm/

[9] Conn, Joseph. “Lesson from the Anthem hack: Cybersecurity must extend beyond encryption”, Modern

Healthcare, February 11, 2015. http://www.modernhealthcare.com/article/20150211/NEWS/302119936

Bibliography

38

http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html





http://www.databreaches.net/

http://www.idtheftcenter.org/






















http://www.healthdatamanagement.com/news/Epidemic-of-Healthcare-Cyberattacks-Requires-Action-Says-WEDI-50770-1.html?utm_campaign=daily-jun 25 2015&utm_medium=email&utm_source=newsletter&ET=healthdatamanagement:e4631750:4223235a:&st=email






















http://darkmatters.norsecorp.com/2015/05/12/healthcare-sector-security-efforts-needs-a-shot-in-the-arm/



















http://www.modernhealthcare.com/article/20150211/NEWS/302119936

http://www.modernhealthcare.com/article/20150211/NEWS/302119936


What We Know (continued)

Page 10: (continued)

[10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health

Networks, February 10, 2015. http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity

[11] “GAO To Release HealthCare.gov Cybersecurity Report in 2015”, iHealthbeat, April 24, 2015.

http://www.ihealthbeat.org/articles/2015/4/24/gao-to-release-healthcaregov-cybersecurity-report-in-2015

[12] Grens, Kerry. “Pharma and Biotech Firms Hacked”, The Scientist, December 2, 2014.

http://www.the-scientist.com/?articles.view/articleNo/41566/title/Pharma-and-Biotech-Firms-Hacked/

[13] Freedman, Anne. “Implantable Devices: Medical Devices Open to Cyber Threats”, Risk&Insurance,

April 8, 2015. http://www.riskandinsurance.com/implantable-devices-medical-devices-open-to-cyber-threats/

[14] Abelson, Reed and Goldstein, Matthew. “Anthem Hacking Points to Security Vulnerability of Health

Care Industry”, The New York Times, February 5, 2015.

http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html


https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=C287BF2A2DE8F26794B2CF8DB9214BA5A40E01

E4&selectedIndex=8&ccid=o1oqu2QA&simid=608003155949128516&thid=JN.Yvp4OjhtfSZNGuSd8TUxFQ&ajaxhist=0

[14] Abelson, Reed and Goldstein, Matthew. “Anthem Hacking Points to Security Vulnerability of Health

Care Industry”, The New York Times, February 5, 2015.


[15] Wilde Mathews, Anna and Yadron, Danny. “Health Insurer Anthem Hit by Hackers”, The Wall Street

Journal, updated Feb. 4, 2015 at 9:39 p.m. ET.

http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720

Bibliography

39

http://www.hhnmag.com/Magazine/2015/Feb/fea-hospital-cybersecurity


















http://www.riskandinsurance.com/implantable-devices-medical-devices-open-to-cyber-threats/




































































[16] Peters, Sara and Chickowski, Ericka. “Healthcare Breaches Like Premera First Stage Of Bigger

Attacks?”, InformationWeek Dark Reading, 3/18/2015 at 02:40 PM.

http://www.darkreading.com/healthcare-breaches-like-premera-first-stage-of-bigger-attacks/d/d-id/1319520

[17] Goedert, Joseph. “Cyber Attack Hits CareFirst BCBS”, Health Data Management, May 20, 2015 at

6:45pm ET.

http://www.healthdatamanagement.com/news/cyber-attack-hits-care-first-bcbs-50543-1.html?utm_campaign=daily-

may%2021%202015&utm_medium=email&utm_source=newsletter&ET=healthdatamanagement%3Ae4416363%3A4223235a%3A&st=email

Note: If you are interested in researching healthcare breaches, visit the Office of Civil Rights web

site at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf .

“Breaches Affecting 500 or More Individuals

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health

information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users

to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has

investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected

health information to the Secretary. The following breaches have been reported to the Secretary…”

Page 12: [18] Huddleston, Jr., Tom. “Premera Blue Cross reveals cyberattack that affected 11 million customers”,

Fortune, March 17, 2015 at 7:18 PM EDT. http://fortune.com/2015/03/17/premera-blue-cross-hacking-breach/



[20] Williams, Nia. “Big healthcare breaches affected millions before Anthem's hack”,

Modern Healthcare, February 10, 2015. http://www.modernhealthcare.com/article/20150210/BLOG/302109995

Bibliography

40





















http://www.healthdatamanagement.com/news/cyber-attack-hits-care-first-bcbs-50543-1.html?utm_campaign=daily-may 21 2015&utm_medium=email&utm_source=newsletter&ET=healthdatamanagement:e4416363:4223235a:&st=email


















http://fortune.com/2015/03/17/premera-blue-cross-hacking-breach/














http://www.modernhealthcare.com/article/20150210/BLOG/302109995

http://www.modernhealthcare.com/article/20150210/BLOG/302109995



Page 13: [21] “Researchers Find Health Data Breaches Are Steadily Increasing”, iHealthbeat, April 15, 2015.

http://www.ihealthbeat.org/articles/2015/4/15/researchers-find-health-data-breaches-are-steadily-increasing

[22] Vincent Liu, MD, MS; Mark A. Musen, MD, PhD and Timothy Chou, PhD. “Data Breaches of Protected

Health Information in the United States” , The Journal of the American Medical Association, April 14, 2015,

JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.

http://jama.jamanetwork.com/article.aspx?articleid=2247135

[23] Jayanthi, Akanksha. “50 biggest data breaches in healthcare”, Becker’s Hospital Review, June 25,

2015. http://www.beckershospitalreview.com/healthcare-information-technology/50-biggest-data-breaches-in-healthcare.html

Page 14: [24] “Cost of data breaches increasing to average of $3.8 million, study says”,

Reuters, May 27, 2015 at 6:03am EDT .

http://www.reuters.com/article/2015/05/27/us-cybersecurity-ibm-idUSKBN0OC0ZE20150527

If you would like a copy of the report cited, it can be downloaded at

http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf

“2014 Cost of Data Breach Study: Global Analysis”, benchmark research sponsored by IBM and

independently conducted by Ponemon Institute LLC. Report releases in May, 2014.

Page 15: [25] Filkins, Barbara. “New Threats Drive Improve Practices: State of Cybersecurity in Health Care

Organizations, SANS, December, 2014. https://www.sans.org/reading-room/whitepapers/analyst/threats- drive-improved-

practices-state-cybersecurity-health-care-organizations-35652

Graphic is found on Bing: https://www.bing.com/images/search?q=Business+Risk&view=detailv2&&&id=A153C313CBC274E67687C4DAFDC8E54ACC74A

F34&selectedIndex=30&ccid=yzbS4UEO&simid=608027976578566801&thid=JN.lmNCwprrGbvPVWOQjDsKHA&ajaxhist=0

Bibliography

41



















http://www.beckershospitalreview.com/healthcare-information-technology/50-biggest-data-breaches-in-healthcare.html


























Organizations, SANS, December, 2014, graph from page 27. https://www.sans.org/reading-

room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652

Page 17: [26] Kayyali, Basel. “Risk and responsibility in a hyperconnected world”, McKinsey Healthcare,

July, 2014. http://healthcare.mckinsey.com/risk-and-responsibility-hyperconnected-world

Page 18: [10] Taylor, Mark. “Hospitals Battle Data Breaches With a Cybersecurity SOS”, Hospitals & Health



https://www.bing.com/images/search?q=Business+Risk&view=detailv2&&&id=1480943C7595C8B67AD1AAF759839E706F1C1BF

A&selectedIndex=28&ccid=ebptr96c&simid=608002524597125757&thid=JN.NPGcOkxHQbHTgxQm87eefg&ajaxhist=0



Page 20: [27] McLellan, Charles. “Cybersecurity in 2015: What to expect”, ZDNet, February 2, 2015 at 16:34

GMT. http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/

Note: “ …forward-looking articles from 17 organisations and assigned the resulting 130 predictions to a

number of emergent categories to produce the graph below:”

2015 Security predictions from: Blue Coat, Damballa, FireEye, Fortinet, Forrester, Gartner, IDC, ImmuniWeb,

Kaspersky Lab, Lancope, McAfee, Neohapsis, Sophos, Symantec, Trend Micro, Varonis Systems, Websense.

Image: Charles McLellan/ZDNet

Page 21: [28] Finkle, Jim. “Exclusive: FBI warns healthcare sector vulnerable to cyber attacks”, Reuters, April 23,

2014 at 3:15pm EDT.

http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423

Bibliography

42

http://healthcare.mckinsey.com/risk-and-responsibility-hyperconnected-world



















http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/

























Page 21: Graphic is found on Bing

https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=929734216DCF1611B798AA73F7EE00EBF1D87C

18&selectedIndex=87&ccid=4PBUCVT7&simid=608034178493711929&thid=JN.1732Xo0Gz8sSmo3iIanniA&ajaxhist=0

Page 22: Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=135B5DDD3EAF9AC6318DABF108EBBC6F

A5DCDA43&selectedIndex=212&ccid=qK%2bHYNVP&simid=608052406336030125&thid=JN.GccHoyuyfgECQad1D9GT1w&ajax

hist=0

[29] FDA. “Cybersecurity”, October 23, 2014

http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/ucm373213.htm

A Path Forward


https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=325803234F8EF2F203FD6C6F3FD98DDBC3D1910C&sel

ectedIndex=10&ccid=YsoxOrSF&simid=608034419014896124&thid=JN.U8GGS1y4wekie2iD3lPUHw&ajaxhist=0


https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=325803234F8EF2F203FD6C6F3FD98DDBC

3D1910C&selectedIndex=10&ccid=YsoxOrSF&simid=608034419014896124&thid=JN.U8GGS1y4wekie2iD3lPUHw&ajaxhist=0

Page 25: [30] Overby, Stephanie. “Boards on Cyber Alert”, CIO, May 1, 2015, pp. 20-25 and quotes are found on

page 23.

[31] Akin Gump Strauss Hauer & Feld LLP. “Top 10 Topics for directors in 2015” To access this report:

http://cdn.akingump.com/images/content/3/4/v2/34387/CORPORATE-ALERT-121214-v6.pdf

Bibliography

43




A Path Forward (continued)

Page 26: [30] Overby, Stephanie. “Boards on Cyber Alert”, CIO, May 1, 2015, pp. 20-25 and quote is found on

page 25.

If you are interested in additional information about “Educating your Board – Tips”, refer to page 22 of this

reference.

Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=DDC055C59068A698C97E82AF39D7638E8C7DA8D2&se

lectedIndex=14&ccid=rOmAljjn&simid=608010994260574356&thid=JN.d2yB3NtelkX8KrttKylChg&ajaxhist=0



Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=9D5A11F64213F1DCB1533C7E4D1AAFC79

2BA332E&selectedIndex=211&ccid=9g9w0ftn&simid=608000033509476020&thid=JN.9sxcQJ7ukkuvFa7CjPxgOQ&ajaxhist=0



Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=43811957DE47026CA22C53750FF8EF371A31F5F

0&selectedIndex=93&ccid=Qj5lxKLB&simid=608030450461967113&thid=JN.k4ceOkD6p9ujriUWE2k63Q&ajaxhist=0

Page 29: [32] Department of Health and Human Services (HHS) web site www.healthit.gov

The document, “Top 10 Tips for Cybersecurity in Health Care” , is found at

http://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf

Privacy and Security games are also found through HHS:

http://www.healthit.gov/providers-professionals/privacy-security-training-games

Bibliography

44






















[32] “…the Office of the National Coordinator for Health Information Technology (ONC) continues to develop

educational resources around health care cybersecurity and risk management. A few examples include:

• “Cybersecure” Training Games (see boxes at right)

• A website on Mobile Device Privacy and Security, loaded with videos, tips, and other educational

materials

• The Security Risk Assessment (SRA) Tool, which helps guide small health care practices through the

process of conducting a risk analysis as required by the HIPAA Security Rule

• Videos on Contingency Planning and Emergency Preparedness

• Top 10 Tips for Cybersecurity in Health Care

Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=1D91785E2D06539C0BE609E5C1A04567C747F370&selectedIn

dex=79&ccid=GIzxYaNX&simid=608009396540083981&thid=JN.OFXJTBSBDPUNn8P2MNQoCg&ajaxhist=0


Organizations, SANS, December, 2014, page 23. https://www.sans.org/reading-

room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652

[33] “68% of Healthcare Data Breaches Due to Device Loss”, Security Magazine, December 1, 2014.

http://www.securitymagazine.com/articles/85960-of-healthcare-data-breaches-due-to-device-loss

Graphic is found on Bing: https://www.bing.com/images/search?q=Cyber+Threats&view=detailv2&&&id=3162112BDDF8F88EA6B276065BC07730AA5AB4

9E&selectedIndex=92&ccid=F0o3lcTy&simid=608013824649400283&thid=JN.ppVJBCRG2lL0k85Z60Ax9w&ajaxhist=0

Bibliography

45

http://www.healthit.gov/newsroom/about-onc

http://www.healthit.gov/providers-professionals/privacy-security-training-games

http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

http://www.healthit.gov/providers-professionals/security-risk-assessment-tool

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

http://www.healthit.gov/providers-professionals/security-risk-assessment-videos

http://www.healthit.gov/emergency-ready

http://www.healthit.gov/emergency-ready

http://www.healthit.gov/providers-professionals-newsroom/top-10-tips-cybersecurity-health-care





















Page 31: [34] Weiner, Lena J. “Cybersecurity Insurance Basics for Healthcare Organizations”, HealthLeaders Media

, June 8, 2015.

http://www.healthleadersmedia.com/print/TEC-317181/Cybersecurity-Insurance-Basics-for-Healthcare-Organizations

[35] Greenwald, Judy. “AIG unit leads Anthem's cyber coverage”, Business Insurance, February 6, 2015.

http://www.businessinsurance.com/article/20150206/NEWS06/150209857

Graphic is found on Bing: https://www.bing.com/images/search?q=Business-

Insurance&view=detailv2&&&id=7422002F621E8DEF8CF8E152739E9F5002F0E55B&selectedIndex=97&ccid=I9EwwYUK&simid

=608027572855181100&thid=JN.sV2O6bm5mAW4d0k%2bDV13Pg&ajaxhist=0

Page 32: [34] Weiner, Lena J. “Cybersecurity Insurance Basics for Healthcare Organizations”, HealthLeaders Media

, June 8, 2015.




Graphic is found on Bing: https://www.bing.com/images/search?q=cybersecurity+images&view=detailv2&&&id=15866417AD1FD5EC4564B53436245A7BD

EA7C613&selectedIndex=1&ccid=f7RPWMH0&simid=608029136209185191&thid=JN.d3QOep%2bkkcwlTOkrUPIZ8g&ajaxhist=0

Page 33: [36] Press Release for Executive Order: President Obama issued Executive Order 13636 -- Improving

Critical Infrastructure Cybersecurity on February 12, 2013 https://www.whitehouse.gov/the-press-

office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

Bibliography

46






































[37] Web site of the National Institute of Standards and Technology (NIST). Specific information regarding

the framework developed by NIST. http://www.nist.gov/cyberframework/


https://www.bing.com/images/search?q=Business+Risk&view=detailv2&&&id=17D67E920347208BB7CAD47F184D8B5B73F3FB

07&selectedIndex=4&ccid=X%2bXM7Bhc&simid=608043623136955140&thid=JN.RUfTLRwid%2bQbimjmrBcl%2bw&ajaxhist=0

Bibliography

47


Lucy Mancini Newell, MBA, FHIMSS

Managing Partner

Cell Phone: 224.388.6376

Corporate Phone No: 1.800.678.8524

Web Site: www.Kiran-Consortium.com

Other Thought Leadership Materials Are

Found On Our Web Site.

E-Mail Address:

[email protected]

Contact Information

http://www.kiran-consortium.com/



mailto:[email protected]





Documents

TKCG - Cybersecurity Are You Prepared for Tomorrow 070815 FINAL LMN