Predictive Analytics to Reduce Data Breach Risk Thursday, March 3, 2016 John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC Kurt J. Long, CEO & Founder, FairWarning, Inc.

Predictive Analytics to Reduce Data Breach Risk

Thursday, March 3, 2016

John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC

Kurt J. Long, CEO & Founder, FairWarning, Inc.

Conflict of Interest

John Houston:

Has no real or apparent conflicts of interest to report.

Kurt J. Long:

Has no real or apparent conflicts of interest to report.

Agenda

• Escalating threats and security risks in healthcare

• Creating a multi-layered privacy and security program

• Leveraging predictive analytics

• Creating a modern threat detection/threat response organization

• Privacy and security program challenges

Learning Objectives

• Explain how to create an innovative and modern security program

• Illustrate how a predictive analytics approach to security can help to identify anomalies in patterns to help prevent a breach

• Explain techniques to dramatically reduce the time it takes to identify a breach should it occur, before too much damage has been done

• Describe a multi-vendor scenario

• Design very specific steps healthcare organizations can take on how to assess their risk posture using multiple vendors

Patients put their lives in the hands of not only the doctors they select, but in the medical institutions they trust. “Do no harm” should extend to all aspects of care – including electronic health data.

By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money.

As an industry, we need to do better at preventing breaches and decreasing the time it takes to discover them should they occur.

By securing electronic health records and protecting patient privacy, providers can ultimately ensure compliance and gain better patient trust, ultimately leading to better overall patient outcomes.

http://www.himss.org/ValueSuite

How Benefits Were Realized for the Value of Health IT

Escalating Advanced Threats

[Figure: timeline of escalating threats, Pre-2010 through 2015. Labels: Lost laptops, media, paper records; Patient complaints; Snooping; Medical & financial ID theft; IRS tax fraud; Sale of patient data to crime rings; Sale of physician data to crime rings; Sale of employee data to crime rings; Rise of cyber threats to healthcare industry; Foreign national espionage]

Overall Risks from a Breach

• Diminished patient care

• Financial loss

• Reputation loss

• Data integrity loss

• Fraud:

– Id theft

– Medical id theft

– Tax fraud

– CMS fraud

– Money laundering

• Blackmail/Extortion

Now imagine your EHR was held hostage?

• Real and growing threat to healthcare in 2016

• Attacks grew 113% in 2014 according to 2015 Symantec Internet Threat Report

• Why EHR? High value to the data, you need it, and you’re likely to pay to get it back

• Doctors wouldn’t have the vital information needed to treat patients.

• Records of patient and insurance payments would be lost, patient personal and credit card information would be compromised.

• HIPAA breach/OCR fines

• And so on …

We are all patients … And the long-term effects of a PHI breach have yet to be realized

91% of healthcare organizations have had at least one data breach involving the loss or theft of patient data in the last two years. Source: Forbes May 2015

As of November 2015, breaches impacted 119,959,229 patients. That’s well over one-third of all United States citizens who have suffered an information breach through the healthcare industry. Source: Identity Theft Resource Center

How long does it take to discover a breach?

On average hackers had access to victims’ environments for 205 days before they were discovered and 69% of victims learn from a third party that they are compromised*

*Source: Mandiant M-Trends 2015, View From the Front Lines Report

The lines are blurring between internal and external breaches

How do you identify an internal breach vs. an external breach?

• You can’t!

• You need multi-layer threat detection and response

• Different solutions at different layers

What do you even look for?

• Need to understand how to investigate

• All comes down to analytics

• Most organizations aren’t doing this AND don’t know what to look for

Creating a multi-layered privacy and security program

Critical elements:

• Qualified and expertly trained privacy and security staff

• Proper, multi-layered, multi-vendor IT infrastructure leveraging best-of-breed security solutions

• Patient privacy monitoring – using advanced technology

• Coordinated threat prevention/response framework

• Education programs that create a culture of privacy, security and compliance

How can you get ahead of a breach?

• Managed privacy & security services

• Information security

• Data visualization

• Trending

• Analytics

Managed Privacy & Security Services

Information Security

• Coordinated threat detection and response

• Internal threat detection needs to coordinate with external SIEMs

• Faster, more coordinated detection

• Improve patient privacy

Creating a modern threat prevention and response framework

Source: FireEye Solution Brief

A picture is worth a thousand rows of data

Data visualization & trending depicts graphically what is happening to your data

Visual Analytics for Advanced Threats

• Imagine a phishing scam where a nation state gets access to credentials and downloads thousands of records

• Access patient demographics after hours

• Benchmark users’ activity by self / peers

• Recognize specific events / actions

Statistical Analysis of User Behavior and Trending

• Statistical analysis of a user’s behavior relative to themselves

• Statistical analysis of user’s behavior relative to their peers

• Trending comparisons over time
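
The self-versus-peer comparison on this slide, sketched as an added example (not from the presenters or any vendor product). The user names, roles, daily access counts and the threshold of 3 standard deviations are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: EHR records opened per day, per user, grouped by role.
# The last value in each list is "today"; the earlier values are that user's history.
ACCESS_COUNTS = {
    "nurse": {
        "nurse_a": [42, 38, 45, 40, 41, 39, 44],
        "nurse_b": [35, 37, 36, 40, 38, 36, 37],
        "nurse_c": [40, 43, 39, 41, 42, 40, 310],  # sudden bulk access
        "nurse_d": [44, 41, 43, 45, 42, 44, 43],
    },
    # Billing staff legitimately open ~120 records a day, so a single flat
    # threshold tuned for nurses would flag every one of them.
    "billing": {
        "bill_a": [120, 115, 130, 125, 118, 122, 127],
        "bill_b": [110, 119, 121, 117, 123, 120, 116],
        "bill_c": [125, 128, 119, 124, 121, 126, 123],
    },
}


def zscore(value, baseline):
    """Standard score of value against baseline; 0.0 if the baseline has no spread."""
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (value - mean(baseline)) / sd


def score_users(counts, threshold=3.0):
    """Return {user: (self_z, peer_z)} for users above threshold on both baselines."""
    flagged = {}
    for role, users in counts.items():
        for user, series in users.items():
            history, today = series[:-1], series[-1]
            # Peer baseline: today's counts for everyone else in the same role.
            peers_today = [s[-1] for u, s in users.items() if u != user]
            self_z = zscore(today, history)
            peer_z = zscore(today, peers_today)
            if self_z > threshold and peer_z > threshold:
                flagged[user] = (round(self_z, 1), round(peer_z, 1))
    return flagged


if __name__ == "__main__":
    for user, (self_z, peer_z) in score_users(ACCESS_COUNTS).items():
        print(f"{user}: self z={self_z}, peer z={peer_z}")
```

Requiring both scores to exceed the threshold keeps high-volume roles such as billing from alerting on their normal workload while still catching a user who departs from both their own history and their peers.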

Leveraging predictive analytics to find a breach

• Using data to protect data

• Looking at patterns and statistics

• Multiple sources of information

Creating a modern threat detection/threat response organization

How do you leverage multiple technologies to break through the noise to create a modern threat detection/threat response organization?

• Big data

• SIEM

• Identity management

• Patient privacy monitoring

[Diagram: a modern threat detection and response program, combining big data, SIEM, patient privacy monitoring and identity management]

Patients put their lives in the hands of not only the doctors they select, but in the medical institutions they trust. “Do no harm” should extend to all aspects of care – including electronic health data.

By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money.

As an industry, we need to do better at preventing breaches and decreasing the time it takes to discover them should they occur.

By securing electronic health records and protecting patient privacy, providers can ultimately ensure compliance and gain better patient trust, ultimately leading to better overall patient outcomes.

http://www.himss.org/ValueSuite

A Summary of How Benefits Were Realized for the Value of Health IT

Questions

John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC

Kurt J. Long, CEO & Founder, FairWarning, Inc.
