THE COMPLEX RELATIONSHIP AMONG PRIVACY, SECURITY AND ACCESS Glenn E. Pearson, FACHE April 6, 2017 Carolina Health Research Institute and Research Hub at UNC’s Health Sciences Lab

The 4 Fronts of the Healthcare Technology Revolution

1. Patient-Touching
  – Diagnostic
  – Intervention
  – Implantables and Devices

2. Personalized Medicine
  – Clinical
  – Coordination


The 4 Fronts of the Healthcare Technology Revolution (cont.)

3. Communications
  – Between patients and providers
  – Among providers

4. Business Functions
  – Clinical applications
  – Standard business functions


Requirements for Adopting Technology

■ Usefulness
  – It does something I care about

■ Reliability
  – Consistency of function
  – Accuracy of underlying logic and algorithms


Requirements (cont.)

■ Trustworthiness
  – Regarding privacy
  – Regarding security

■ Ease of Use
  – Work flow
  – Access


Recent Notorious Data Breaches

■ Yahoo! – 1,000,000,000 accounts
■ LinkedIn – 165,000,000 accounts
■ Target – 110,000,000 accounts
■ DropBox – 68,000,000 accounts
■ Home Depot – 54,000,000 credit cards compromised
■ Sony Pictures Entertainment – Significant exposure of their inner workings and data


Health Data Breaches Factoids

■ 8-½ times more data breaches in 2016 than in 2006

■ 87% of healthcare attorneys believe their clients at greater risk than other industries

■ At 78M records, March 2015 Anthem breach wins prize for largest single loss

SOURCE: Modern Healthcare – January 23, 2017 issue. Extensive special report called “Building a Better Cyberdefense”


Total Number Healthcare Records Breached per Year (Breaches, In Millions)

■ 2015 (est.): 198
■ 2014: 12.5
■ 2013: 6.9
■ 2012: 2.8
■ 2011: 13.1
■ 2010: 5.5
■ 2009: 0.1

SOURCE: healthmgttech.com, Nov/Dec 2015 – 2015 estimate extrapolated from actual 2015 data through June 26, 2015


Sources of Healthcare Data Breaches (Percentages)

■ Criminal Attack: 45
■ Lost or Stolen Computing Device: 43
■ Unintentional Employee Action: 40
■ Third Party Snafu: 39
■ Technical Systems Glitch: 31

SOURCES: Healthcare and Cybersecurity: Increasing Threats Requires Increased Capabilities, KPMG, 2015 + Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute, 2016


Hackers’ Methods

■ Vulnerabilities in software
■ Vulnerabilities caused by patches or interfaces
■ Connected medical devices and other parts of IoT
■ Luring users


How Employees Cause Breaches

■ Disgruntled employees
■ Sloppy actions by employees
  – Lured by phishing or other attacks
  – Lost laptops or other devices
  – “Shadow IT”


Steps for Developing Risk Mitigation Strategy

■ Assess your level of risk exposure
■ Decide your level of risk tolerance
■ Align your resources
■ Get organizational buy-in
■ Manage accordingly


5 Risk Mitigation Actions

1. Invest in intelligent software
  – Detect unusual activities
  – Trigger immediate investigation and intervention

2. Increase budget allocation for cybersecurity
  – Make sure you have enough highly trained staff

SOURCE: “A smarter anti-hack defense,” Modern Healthcare, January 23, 2017


5 Risk Mitigation Actions (cont.)

3. Develop processes to implement security patches for connected medical devices
  – Newer vector for intrusion
  – Sometimes overlooked

4. Replace aging medical devices
  – Manufacturers sometimes stop supporting older devices
  – Increases vulnerabilities over time

SOURCE: “A smarter anti-hack defense,” Modern Healthcare, January 23, 2017


5 Risk Mitigation Actions (cont.)

5. Virtually separate devices from the rest of your network

– Having entire infrastructure connected allows more thorough penetration in the case of a breach

SOURCE: “A smarter anti-hack defense,” Modern Healthcare, January 23, 2017


Beyond the IT Staff

■ Executive leadership
  – Should be fully invested in supporting policies
  – Many don’t “get” IT

■ “Would You Rather Buy Healthcare Technology or Manage a Nuclear Power Plant?”

■ “I hope I can hold out for eight more years”


Beyond the IT Staff (cont.)

■ Human Resources
  – Responsible to implement policies

■ End Users
  – Must constantly be reminded


Policies Needed

■ Passwords
  – Complexity
  – Expiration
  – Repetition
■ Wi-Fi security
■ Safe browsing practices
■ Remote access
■ Mobile devices
■ Data retention


Background Reasons Why Clinicians May Not Use Tech

■ Aversion to technology

■ Doesn’t deliver what it promises

■ Interruption of workflow


Some Security Best Practices

■ Complex passwords (upper and lower case, number, symbols) or randomly generated
■ Requirement to frequently change PW
■ Not allowing repetition of formerly used PW


Some Security Best Practices (cont.)

■ Two-level authentication
■ Biometrics
  – BUT my iPhone refuses to recognize me
■ Short time outs
■ Prohibitions on BYOD


Summary Needs for Adoption

■ Patient and clinician assurances of privacy
■ Adequate security measures to assure privacy
■ Reasonable policies that allow appropriate access so authorized users actually use


Contact Information

Glenn E. Pearson, FACHE
Pearson Health Tech Insights, LLC
660 Cross Fire Ridge
Marietta, GA 30064

[email protected]

(770) 861-6941

