THE COMPLEX RELATIONSHIP AMONG PRIVACY, SECURITY AND ACCESS
Glenn E. Pearson, FACHE
April 6, 2017
Carolina Health Research Institute and Research Hub at UNC's Health Sciences Lab
The 4 Fronts of the Healthcare Technology Revolution
1. Patient-Touching
– Diagnostic
– Intervention
– Implantables and Devices
2. Personalized Medicine
– Clinical
– Coordination
The 4 Fronts of the Healthcare Technology Revolution (cont.)
3. Communications
– Between patients and providers
– Among providers
4. Business Functions
– Clinical applications
– Standard business functions
Requirements for Adopting Technology
■ Usefulness
– It does something I care about
■ Reliability
– Consistency of function
– Accuracy of underlying logic and algorithms
Requirements (cont.)
■ Trustworthiness
– Regarding privacy
– Regarding security
■ Ease of Use
– Work flow
– Access
Recent Notorious Data Breaches
■ Yahoo! – 1,000,000,000 accounts
■ LinkedIn – 165,000,000 accounts
■ Target – 110,000,000 accounts
■ DropBox – 68,000,000 accounts
■ Home Depot – 54,000,000 credit cards compromised
■ Sony Pictures Entertainment – significant exposure of their inner workings and data
Health Data Breaches Factoids
■ 8.5 times more data breaches in 2016 than in 2006
■ 87% of healthcare attorneys believe their clients are at greater risk than other industries
■ At 78M records, the March 2015 Anthem breach holds the record for the largest single loss
SOURCE: Modern Healthcare – January 23, 2017 issue, extensive special report called "Building a Better Cyberdefense"
Total Number of Healthcare Records Breached per Year (records, in millions)
2009: 0.1
2010: 5.5
2011: 13.1
2012: 2.8
2013: 6.9
2014: 12.5
2015 (est.): 198
SOURCE: healthmgttech.com, Nov/Dec 2015 – 2015 estimate extrapolated from actual 2015 data through June 26, 2015
Sources of Healthcare Data Breaches (percentage of organizations reporting each cause; a breach can have more than one cause, so the figures sum to more than 100%)
Criminal attack: 45%
Lost or stolen computing device: 43%
Unintentional employee action: 40%
Third-party snafu: 39%
Technical systems glitch: 31%
SOURCES: Healthcare and Cybersecurity: Increasing Threats Requires Increased Capabilities, KPMG, 2015 + Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute, 2016
Hackers' Methods
■ Vulnerabilities in software
■ Vulnerabilities introduced by patches or interfaces
■ Connected medical devices and other parts of the IoT
■ Luring users (phishing and other social engineering)
How Employees Cause Breaches
■ Disgruntled employees
■ Sloppy actions by employees
– Lured by phishing or other attacks
– Lost laptops or other devices
– "Shadow IT"
Steps for Developing a Risk Mitigation Strategy
■ Assess your level of risk exposure
■ Decide your level of risk tolerance
■ Align your resources
■ Get organizational buy-in
■ Manage accordingly
5 Risk Mitigation Actions
1. Invest in intelligent software
– Detect unusual activities
– Trigger immediate investigation and intervention
2. Increase budget allocation for cybersecurity
– Make sure you have enough highly trained staff
3. Develop processes to implement security patches for connected medical devices
– A newer vector for intrusion
– Sometimes overlooked
4. Replace aging medical devices
– Manufacturers sometimes stop supporting older devices
– Vulnerabilities increase over time
5. Virtually separate devices from the rest of your network
– Having the entire infrastructure connected allows more thorough penetration in the case of a breach
SOURCE: "A smarter anti-hack defense," Modern Healthcare, January 23, 2017
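Action 1 asks for software that detects unusual activity and triggers investigation. What follows is an added example, not code from the presentation or from any vendor product: three simple rules run over a constructed EHR audit log. The log format, the user names, the working hours and the thresholds are all assumptions for illustration. The volume rule compares each user's daily count of distinct patient charts against the median user-day; a real system would compute that baseline per role over weeks of history rather than from one day of data.

```python
"""Added example: rule-based detection of unusual EHR activity over a
constructed audit log. Log format, users, hours and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Assumed log line format: <ISO timestamp> <user> <action> <patient MRN or ->
WORK_HOURS = (7, 19)            # chart access outside 07:00-19:00 is "after hours"
MIN_RECORDS = 10                # ignore low-volume user-days entirely
VOLUME_MULTIPLIER = 3           # flag a user-day above 3x the median user-day
FAIL_THRESHOLD = 3              # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this window is a burst


def build_sample_log():
    """Constructed sample data, not a real audit trail."""
    lines = [
        "2017-03-01T09:05:12 rn_alice LOGIN_OK -",
        "2017-03-01T09:06:01 rn_alice VIEW MRN0001",
        "2017-03-01T09:20:33 rn_alice VIEW MRN0002",
        "2017-03-01T10:02:10 rn_alice VIEW MRN0003",
        "2017-03-01T09:10:05 dr_bob LOGIN_OK -",
        "2017-03-01T09:12:44 dr_bob VIEW MRN0004",
        "2017-03-01T11:30:00 dr_bob VIEW MRN0005",
        "2017-03-01T13:14:09 clerk_eve LOGIN_OK -",
    ]
    # A clerk paging through 30 different charts in half an hour: volume outlier.
    lines += [f"2017-03-01T13:{15 + i:02d}:00 clerk_eve VIEW MRN{100 + i:04d}"
              for i in range(30)]
    lines += [
        "2017-03-01T23:41:17 rn_alice VIEW MRN0099",     # after-hours chart access
        "2017-03-02T02:00:01 mallory LOGIN_FAIL -",       # password-guessing burst
        "2017-03-02T02:00:09 mallory LOGIN_FAIL -",
        "2017-03-02T02:00:20 mallory LOGIN_FAIL -",
        "2017-03-02T02:00:31 mallory LOGIN_FAIL -",
    ]
    return "\n".join(lines) + "\n"


def parse(log_text):
    """Turn log lines into (timestamp, user, action, mrn) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append((datetime.fromisoformat(ts), user, action, mrn))
    return events


def detect(log_text):
    """Return a list of alert tuples; each one is a trigger for investigation."""
    events = parse(log_text)
    alerts = []

    # Rule 1: distinct charts viewed per user per day, compared with the median user-day.
    per_user_day = defaultdict(set)
    for ts, user, action, mrn in events:
        if action == "VIEW":
            per_user_day[(user, ts.date().isoformat())].add(mrn)
    counts = {key: len(mrns) for key, mrns in per_user_day.items()}
    if counts:
        median = statistics.median(counts.values())
        for (user, day), n in sorted(counts.items()):
            if n >= MIN_RECORDS and n > VOLUME_MULTIPLIER * median:
                alerts.append(("volume", user, day, n))

    # Rule 2: chart access outside working hours.
    for ts, user, action, mrn in events:
        if action == "VIEW" and not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
            alerts.append(("after_hours", user, ts.isoformat(), mrn))

    # Rule 3: a burst of failed logins for one account (one alert per user).
    fails = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "LOGIN_FAIL":
            fails[user].append(ts)
    for user, stamps in sorted(fails.items()):
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if t - start <= FAIL_WINDOW]
            if len(in_window) >= FAIL_THRESHOLD:
                alerts.append(("login_burst", user, start.isoformat(), len(in_window)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Run it directly to print the three alerts; `detect()` returns them as tuples so the same logic can feed a ticketing or SIEM workflow. Each alert is a reason to look, not proof of wrongdoing: the clerk's 30 charts may be a legitimate billing batch, which is why the slide pairs detection with immediate investigation rather than automatic lockout.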
Beyond the IT Staff
■ Executive leadership
– Should be fully invested in supporting policies
– Many don't "get" IT
■ "Would You Rather Buy Healthcare Technology or Manage a Nuclear Power Plant?"
■ "I hope I can hold out for eight more years"
Beyond the IT Staff (cont.)
■ Human Resources
– Responsible for implementing policies
■ End Users
– Must constantly be reminded
Policies Needed
■ Passwords
– Complexity
– Expiration
– Repetition (no reuse of former passwords)
■ Wi-Fi security
■ Safe browsing practices
■ Remote access
■ Mobile devices
■ Data retention
Background Reasons Why Clinicians May Not Use Tech
■ Aversion to technology
■ Doesn't deliver what it promises
■ Interruption of workflow
Some Security Best Practices
■ Complex passwords (upper and lower case, numbers, symbols) or randomly generated ones
■ Requirement to change passwords frequently
■ No reuse of previously used passwords
Some Security Best Practices (cont.)
■ Two-factor authentication
■ Biometrics
– BUT my iPhone refuses to recognize me
■ Short time-outs
■ Prohibitions on BYOD
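The password items on the Policies Needed slide and on the two best-practice slides describe the same three controls: complexity, expiration, and no repetition of former passwords. The following is an added example, not code from the presentation, showing how an application would enforce all three while storing only salted, iterated PBKDF2 hashes of the current and former passwords rather than the passwords themselves. The 12-character minimum, 90-day maximum age, five-entry history and iteration count are assumed values, not figures from the slides.

```python
"""Added example: enforcing password complexity, expiry and no-reuse
against a hashed history. Parameter values are assumptions."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Assumed policy parameters; the slides name the rules, not the numbers.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)       # "expiration"
HISTORY_DEPTH = 5                  # how many former passwords may not be repeated
PBKDF2_ROUNDS = 100_000

COMPLEXITY_RULES = [
    ("at least one upper-case letter", re.compile(r"[A-Z]")),
    ("at least one lower-case letter", re.compile(r"[a-z]")),
    ("at least one digit", re.compile(r"[0-9]")),
    ("at least one symbol", re.compile(r"[^A-Za-z0-9]")),
]


def hash_password(password, salt):
    """Salted, iterated hash so a leaked credential store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_failures(password):
    """Return the complexity rules the password fails (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    for label, pattern in COMPLEXITY_RULES:
        if not pattern.search(password):
            failures.append(label)
    return failures


class Credential:
    """Current password hash plus a bounded history of former ones (never plaintext)."""

    def __init__(self, password, now):
        self.history = []          # (salt, digest) pairs, oldest first, current last
        self.set_at = now
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        # Keep the current hash plus the last HISTORY_DEPTH former ones.
        self.history = self.history[-(HISTORY_DEPTH + 1):]
        self.set_at = now

    def matches_current(self, password):
        salt, digest = self.history[-1]
        return hmac.compare_digest(digest, hash_password(password, salt))

    def was_used_before(self, password):
        """True if the candidate equals the current or any remembered former password."""
        return any(hmac.compare_digest(digest, hash_password(password, salt))
                   for salt, digest in self.history)

    def is_expired(self, now):
        return now - self.set_at > MAX_AGE

    def change_password(self, new_password, now):
        problems = complexity_failures(new_password)
        if problems:
            raise ValueError("weak password: needs " + ", ".join(problems))
        if self.was_used_before(new_password):
            raise ValueError(f"password reuse: matches one of the last {HISTORY_DEPTH} passwords")
        self._store(new_password, now)


def demo():
    """Walk one credential through the policy; returns each outcome as a boolean."""
    t0 = datetime(2017, 4, 6)
    cred = Credential("Correct-Horse-Battery-1!", t0)
    try:
        cred.change_password("Correct-Horse-Battery-1!", t0 + timedelta(days=30))
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    try:
        cred.change_password("Too-Simple", t0 + timedelta(days=30))
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    cred.change_password("Another-Passphrase-2!", t0 + timedelta(days=30))
    return {
        "reuse_rejected": reuse_rejected,
        "weak_rejected": weak_rejected,
        "new_password_works": cred.matches_current("Another-Passphrase-2!"),
        "old_password_rejected": not cred.matches_current("Correct-Horse-Battery-1!"),
        "old_password_remembered": cred.was_used_before("Correct-Horse-Battery-1!"),
        "expired_at_day_89": cred.is_expired(t0 + timedelta(days=30 + 89)),
        "expired_at_day_91": cred.is_expired(t0 + timedelta(days=30 + 91)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

One caveat a practitioner should weigh: NIST SP 800-63B (June 2017) recommends against mandatory periodic rotation and composition rules, favouring length, screening new passwords against lists of known-compromised ones, and multi-factor authentication. The expiry and complexity checks above implement what the slides ask for; treat those two knobs as policy choices rather than settled best practice, and keep the reuse check and the salted, iterated hashing regardless.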
Summary Needs for Adoption
■ Patient and clinician assurances of privacy
■ Adequate security measures to assure privacy
■ Reasonable policies that allow appropriate access so authorized users actually use it
Contact Information
Glenn E. Pearson, FACHE
Pearson Health Tech Insights, LLC
660 Cross Fire Ridge
Marietta, GA 30064
(770) 861-6941