Predictive Analytics to Reduce Data Breach Risk
Thursday, March 3, 2016
John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC
Kurt J. Long, CEO & Founder, FairWarning, Inc.
Conflict of Interest
John Houston:
Has no real or apparent conflicts of interest to report.
Kurt J. Long:
Has no real or apparent conflicts of interest to report.
Agenda
• Escalating threats and security risks in healthcare
• Creating a multi-layered privacy and security program
• Leveraging predictive analytics
• Creating a modern threat detection/threat response organization
• Privacy and security program challenges
Learning Objectives
• Explain how to create an innovative and modern security program
• Illustrate how a predictive analytics approach to security can help to identify anomalies in patterns to help prevent a breach
• Explain techniques to dramatically reduce the time it takes to identify a breach should it occur, before too much damage has been done
• Describe a multi-vendor scenario
• Design very specific steps healthcare organizations can take to assess their risk posture using multiple vendors
Patients put their lives in the hands of not only the doctors they select, but in the medical institutions they trust. “Do no harm” should extend to all aspects of care – including electronic health data.
By creating an innovative and multi-layered approach to security and privacy, covered entities can protect patient data, prevent damage to their reputation, achieve compliance and save money.
As an industry, we need to do better at preventing breaches and decreasing the time it takes to discover them should they occur.
By securing electronic health records and protecting patient privacy, providers can ultimately ensure compliance and gain better patient trust, ultimately leading to better overall patient outcomes.
http://www.himss.org/ValueSuite
How Benefits Were Realized for the Value of Health IT
Escalating Advanced Threats
[Figure: timeline of threats to healthcare, Pre-2010 through 2015]
• Lost laptops, media, paper records
• Patient complaints
• Snooping
• Medical & financial ID theft
• IRS tax fraud
• Sale of patient data to crime rings
• Sale of physician data to crime rings
• Sale of employee data to crime rings
• Rise of cyber threats to healthcare industry
• Foreign national espionage
Overall Risks from a Breach
• Diminished patient care
• Financial loss
• Reputation loss
• Data integrity loss
• Fraud:
– Id theft
– Medical id theft
– Tax fraud
– CMS fraud
– Money laundering
• Blackmail/Extortion
Now imagine your EHR was held hostage?
• Real and growing threat to healthcare in 2016
• Attacks grew 113% in 2014, according to the 2015 Symantec Internet Threat Report
• Why EHR? The data has high value, you need it, and you’re likely to pay to get it back
• Doctors wouldn’t have the vital information needed to treat patients.
• Records of patient and insurance payments would be lost; patient personal and credit card information would be compromised.
• HIPAA breach/OCR fines
• And so on …
We are all patients … And the long-term effects of a PHI breach have yet to be realized
91% of healthcare organizations have had at least one data breach involving the loss or theft of patient data in the last two years.
Source: Forbes, May 2015
As of November 2015, breaches impacted 119,959,229 patients. That’s well over one-third of all United States citizens who have suffered an information breach through the healthcare industry.
Source: Identity Theft Resource Center
How long does it take to discover a breach?
On average, hackers had access to victims’ environments for 205 days before they were discovered, and 69% of victims learn from a third party that they are compromised.
Source: Mandiant M-Trends 2015, View From the Front Lines Report
The lines are blurring between internal and external breaches
How do you identify an internal breach vs. an external breach?
• You can’t!
• You need multi-layer threat detection and response
• Different solutions at different layers
What do you even look for?
• Need to understand how to investigate
• All comes down to analytics
• Most organizations aren’t doing this AND don’t know what to look for
Creating a multi-layered privacy and security program
Critical elements:
• Qualified and expertly trained privacy and security staff
• Proper, multi-layered, multi-vendor IT infrastructure leveraging best-of-breed security solutions
• Patient privacy monitoring – using advanced technology
• Coordinated threat prevention/response framework
• Education programs that create a culture of privacy, security and compliance
How can you get ahead of a breach?
• Managed privacy & security services
• Information security
• Data visualization
• Trending
• Analytics
Managed Privacy & Security Services
Information Security
• Coordinated threat detection and response
• Internal threat detection needs to coordinate with external SIEMs
• Faster, more coordinated detection
• Improve patient privacy
Creating a modern threat prevention and response framework
Source: FireEye Solution Brief
A picture is worth a thousand rows of data
Data visualization & trending depicts graphically what is happening to your data
Visual Analytics for Advanced Threats
• Imagine a phishing scam where a nation state gets access to credentials and downloads thousands of records
• Access patient demographics after hours
• Benchmark users’ activity by self / peers
• Recognize specific events / actions
Statistical Analysis of User Behavior and Trending
• Statistical analysis of a user’s behavior relative to themselves
• Statistical analysis of a user’s behavior relative to their peers
• Trending comparisons over time
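A minimal sketch of benchmarking users against themselves and against their peers, with an after-hours check, added here as an illustration and not taken from the presentation or any vendor product. The user names, roles, daily counts and thresholds are all constructed assumptions.

```python
from statistics import mean, median, stdev

# Constructed sample: user -> (role, records opened per day over 10 prior days)
HISTORY = {
    "nurse_a":  ("nurse",   [22, 25, 19, 24, 21, 23, 20, 26, 22, 24]),
    "nurse_b":  ("nurse",   [18, 20, 17, 21, 19, 22, 18, 20, 19, 21]),
    "nurse_c":  ("nurse",   [118, 125, 121, 119, 124, 122, 120, 126, 123, 121]),
    "nurse_d":  ("nurse",   [20, 22, 21, 19, 23, 20, 22, 21, 20, 22]),
    "biller_a": ("billing", [140, 150, 145, 155, 148, 152, 147, 150, 149, 151]),
    "biller_b": ("billing", [135, 142, 138, 145, 140, 139, 144, 141, 137, 143]),
}
# Constructed sample: user -> (records opened today, of which outside 07:00-19:00)
TODAY = {
    "nurse_a": (23, 0), "nurse_b": (1450, 1400), "nurse_c": (124, 0),
    "nurse_d": (21, 0), "biller_a": (153, 0), "biller_b": (141, 5),
}

def score(user, z_limit=3.0, peer_limit=3.0, off_hours_limit=0.5):
    """Return the benchmarks (assumed thresholds) that today's activity exceeds."""
    role, past = HISTORY[user]
    total, off_hours = TODAY[user]
    reasons = []
    # Relative to themselves: z-score of today against the user's own history.
    z = (total - mean(past)) / (stdev(past) or 1.0)
    if z > z_limit:
        reasons.append("self")
    # Relative to peers: today against the median daily average of the same role.
    peers = [mean(h) for u, (r, h) in HISTORY.items() if r == role and u != user]
    if peers and total / median(peers) > peer_limit:
        reasons.append("peers")
    # Specific event: most of today's access happened after hours.
    if total and off_hours / total > off_hours_limit:
        reasons.append("after_hours")
    return reasons

def triage():
    """Map each flagged user to the reasons, dropping users with no findings."""
    flagged = {}
    for user in TODAY:
        reasons = score(user)
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    for user, reasons in triage().items():
        print(user, reasons)
```

In this constructed data, nurse_c is flagged only by the peer benchmark, because a persistently high volume looks normal against the user's own history. The billing users open about 150 records a day and are not flagged, since that volume is normal for their role.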
Leveraging predictive analytics to find a breach
• Using data to protect data
• Looking at patterns and statistics
• Multiple sources of information
Creating a modern threat detection/threat response organization
How do you leverage multiple technologies to break through the noise to create a modern threat detection/threat response organization?
• Big data
• SIEM
• Identity management
• Patient privacy monitoring
[Figure: Modern threat detection and response program, combining big data, SIEM, patient privacy monitoring and identity management]
Questions
John Houston, Vice President, Privacy & Information Security and Assistant Counsel, UPMC
Kurt J. Long, CEO & Founder, FairWarning, Inc.