Avoiding Data Breaches in Healthcare

While the largest number of data breaches occur at healthcare providers’ sites, such as hospitals and physician offices, healthcare plans account for the greatest number of health plan member records stolen over the past seven years, according to a study published in JAMA.

This is attributable to extremely large breaches of electronic systems. While these centralized databases offer a wealth of health records that can be used to improve healthcare, it’s important to balance the risks of being hacked against the benefits.

These breaches represent one area where health plan organizations must focus their attention to overcome an increasingly complex regulatory and risk management environment. A fully equipped health information management platform has become a vital requirement for health plan organizations seeking to improve care, member outcomes and ROI.

Balancing Risks of Data-Sharing

While better policies and procedures and the use of encryption have helped reduce easily preventable breaches, more must be done to protect member privacy and mitigate associated costs.

Health data breaches cost the U.S. healthcare industry an estimated $6.2 billion, and 70% of businesses that have experienced ransomware attacks in their workplace have paid to have stolen data returned.

Attackers have learned how to monetize healthcare data, and the number of attack points continues to rise with the use of mobile medical- and health-related apps and as electronic health records (EHR) become increasingly embedded in clinical settings.

Given all this, health plans should seek a technology-enabled platform that optimizes operational viability, helps to improve member outcomes at reduced costs and ensures data security and privacy. The first step is to look for a vendor that has earned Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification.

Understanding HITRUST Benefits

As healthcare data shifts from local infrastructure to the cloud, the ability to control and secure data weakens, creating substantial challenges for health plans and hospitals that need to assess third-party vendors and ensure that data complies with HIPAA and other regulations.

HITRUST sprang from the belief that information security should be the core of the broad adoption of health information systems and exchanges.

HITRUST CSF certification can be used by all organizations to guide them in selecting and implementing the appropriate controls to protect the systems that create, access, store or exchange personal health and financial information. Certification gives organizations detail and clarity related to information security controls tailored to the healthcare industry.

Certification also carries two key advantages: First, it’s designed to examine regulations. During the certification process, an independent assessor uses the HITRUST framework and then submits work papers to HITRUST for scoring and quality assurance. This gives providers a level of consistency from one assessment to another.

Second, HITRUST performs a gap analysis, which providers can request to help them further assess a vendor’s security posture, which saves substantial resources.

HITRUST CSF certification also includes these benefits:

  1. Cross-references the requirements from legislative, regulatory, HIPAA, NIST, ISO, state laws and others into one comprehensive framework
  2. Provides a framework that prepares organizations for new regulations and security risks once they are introduced
  3. Ensures compliance and security protection for clients
  4. Assures payers working with vendors that the platform is compliant, private and secure and meets the necessary requirements of HITRUST CSF certification
  5. Means a third party assessed the platform and attests to its compliance with globally recognized standards, regulations and business requirements, ensuring data security, privacy and compliance

Full-Spectrum, End-to-End Platform

Health plans should look for an integrated risk-adjustment optimization and quality improvement platform that has HITRUST CSF certification as validation of a commitment to improving the health of healthcare and providing innovative solutions for health plans across the country.

Vendors should offer a platform that provides health plans and provider groups with a comprehensive risk adjustment solution, one that plays an integral role in helping health plans and risk-bearing entities improve measured quality.

HITRUST CSF provides a certifiable framework that gives organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Leveraging nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA and COBIT to ensure a comprehensive set of baseline security controls, HITRUST CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance.

HITRUST CSF, the most widely adopted security framework in the U.S. healthcare industry, continues to improve and update its framework ensuring that organizations are prepared when new regulations and security risks are introduced.

Furthermore, the certified solution should combine risk adjustment and quality improvement services and provide real-time visibility and reporting for risk adjustment analytics, medical record retrieval, HEDIS abstraction, risk adjustment coding, claims and data validation, prospective health assessments, clinical abstraction, member engagement/outreach and provider education. It should also be designed to integrate risk adjustment and quality services to deliver fully transparent insights.

Success in value-based approaches pivots around delivering on total member health, cost and quality rather than relying on the traditional model of maximizing relative value units, revenue and downstream referrals.

The right full-spectrum, end-to-end approach to care empowers health plans and providers to identify gaps in care and manage plan members more productively. Consequently, plan members reap the greatest benefit by being guided toward more preventive care and self-management early in the care process and their information and privacy remain protected.

What if You Had a Cyber Risk Score?

There have been three major global cyberattacks in the last six months. These attacks have caused extensive system damage and monetary loss. Some companies affected remain crippled weeks or months after the attack. Will this rate of “one every other month” continue? Nobody knows, of course. But, as a recent Wall Street Journal op-ed suggests, ransomware will remain the dominant attack method of choice, and the problem “isn’t going anywhere.” The article claims that “cybercriminals launch hundreds of millions of attacks daily across the globe, and recent studies have found that as many as 60% involve ransomware.” Why? Because they are easy, and they work.

Without a robustly secured network, it is impossible for most entities to withstand a targeted or random cyberattack. So most companies, big or small, generally enlist the help of third-party vendors, which traffic a multitude of software products, modules or platforms to keep cybercriminals from exploiting vulnerabilities. But, because nothing is fail-safe, companies must still consider buying insurance to protect against the staggering potential of loss that a global cyberattack can cause.

Cyber is no different from other risks that an organization could be exposed to (e.g., fire, burglary, flooding, power failure, strikes and liability issues). Businesses have to consider insurance against cyberattacks and the related financial consequences. This kind of insurance policy is known as Cyber Liability Insurance Coverage, or CLIC. With annual costs to the global economy from cybercrime estimated at between $375 billion and $575 billion in 2014 alone, and the average cost of a corporate data breach at more than $3 million per incident, it is understandable why cyber insurance is catching on.

Still, there seems to be a lot of room for error, rounding or otherwise, in a market where U.S. insurers wrote approximately $1.3 billion in cyber coverage last year. This is expected to reach $14 billion by 2022. Industry data shows that insurance premiums could range from $800 to $1,200 for SMEs/SMBs with revenues of $100,000 to $500,000 (on the low end) to more than $100,000 for SMEs/SMBs with revenues in the millions. Allianz SE, the largest insurer in the world, expects these premiums to skyrocket by 2025. Furthermore, the Insurance Information Institute estimates that the third-largest risk for companies worldwide is cybercrime, not least due to cyberattacks such as WannaCry and Petya/NotPetya.

As it stands right now, insurance companies have limited resources to address the growing number of CLIC applicants. There are the obvious factors that come into play when calculating an insurance premium: the nature of the business, the vulnerability (attractiveness for cyber crooks) of the data, the size of the company and the amount of revenues, etc. But pinpointing the exact risk is still evolving. Currently, insurers mostly rely on questionnaires or third-party onsite assessments to estimate the cybersecurity posture of applicants, which is time-consuming and expensive. Because this branch of insurance is not mature enough, there is a lack of specialized and qualified personnel that have the experience and expertise to perform cyber risk assessments. In many cases, the onsite assessments are conducted by junior staff members of the insurer and junior security consultants using non-standardized methods.

My guess is that insurance companies still don’t know exactly what they are insuring and what to charge, because there are still inefficiencies in the market. There are conflicting definitions of what exactly makes a system “secure” and what constitutes a threatening vulnerability, and these must be settled. Knowledge still has to be gained to determine how to manage risk. Most insurance companies are large enough to have a staff of security officers and to use third-party vendors to protect themselves from cyber vulnerabilities. But what to do about assessing insurance candidates?

The good news is that progress is being made where advanced simulation can help assess the various attack vectors in use today. The value of such a CLIC assessment would derive from being able to put an aggregate “risk score” on an insurance candidate. The score would be based on known and accepted risk-calculation methods such as NIST, CVSS3 and DREAD. It would be provided to each applicant based on the results of a simulated assessment done on its network, testing all its security controls.

The value of such technology comes from insurers being able to know within a few hours whether they should provide coverage to an applicant based on demonstrated risk, how much coverage to provide the applicant without putting the insurers at risk, and how much to charge in premiums based on an accepted risk score provided after the assessment. Providing a uniform score for cyber insurance applicants reduces the exposure level for insurers, possibly saving millions of dollars, and could even lead to revenue growth by raising premium prices to match the risk level.

Best Practices for Cyber Threats

All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

I recently sat down with Edric Wyatt, security analyst at CyberScout, to discuss the first step any organization — of any size and in any sector — can take to increase its security maturity. His answer: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration likewise refers to the NIST framework in guidance for medical device manufacturers.

NIST is aggressive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective steps to improve any organization’s digital security posture. Implementation materials are available at no cost to organizations of all types and sizes, small- and medium-sized companies, educational institutions and state and local government agencies.

NIST is flexible. At the end of the day, the NIST series guides organizations to shaping security policies and security controls that are flexible, adaptable — and effective. One vital component is senior management buy-in. New policies can and should be implemented and tweaked in a methodical, measurable manner and should be championed by senior leaders. The goal should not be just tightening security, Wyatt says, but also making one’s organization more reliably productive. A continual feedback loop can help keep controls alive and vital, Wyatt says.

This article originally appeared on ThirdCertainty.

Can Your Health Device Be Hacked?

What seemed like a farfetched scenario out of Hollywood four years ago is now yet another reality that security experts have been warning about.

In the screen version, the U.S. vice president is assassinated on the TV show “Homeland” after a hacker takes control of his pacemaker and stops his heart—making it look like a heart attack.

In real life, the U.S. Food and Drug Administration recently released a safety warning that St. Jude Medical implantable cardiac devices and their remote transmitters contain security vulnerabilities. An unauthorized party could use the vulnerabilities to “modify programming commands” on the device that could result in rapid battery draining or “administration of inappropriate pacing or shocks.”

Coincidentally, the warning came on the heels of an FDA document addressing this very issue: At the end of December, the agency released its guidance for the post-market management of medical device cybersecurity.

The guidance is similar to a previously issued one for premarket design and development. Both are nonbinding.

The FDA can take action against products that violate the Food, Drug and Cosmetic Act, which could include devices that pose serious risks of injury or death and lack remediation. Outside of that, it’s unclear what, if anything, the FDA would do about lower-level risks that are not being mitigated.

Enforcement or not, there’s plenty of skepticism about the influence the document will have on device manufacturers. Security experts call it a good first step—emphasis on “first.”

But they are not convinced that the guidance will motivate the industry to make medical devices more secure.

“Absent of serious crises or patient deaths, I’m not optimistic that this document will get the attention of many companies building medical devices,” says John Dickson, a principal with the security firm Denim Group Ltd., who formerly served at the Air Force Information Warfare Center.

The guidance “emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices.”

Among other things, the FDA recommends that manufacturers:

  • Follow the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security, which is widely used in many industries
  • Implement a risk-management program for identifying and assessing vulnerabilities
  • Act on information about vulnerabilities and deploy patches quickly.

A big problem to crack

Dickson says that the sheer number of devices in circulation—potentially millions, registered to some 6,500 to 7,000 manufacturers—creates a major problem.

“Most of the medical device companies are just trying to get the capability to work well—and here comes (a problem) they really didn’t consider before,” he says.

The embedded sensors and devices were designed for a long lifespan and, in many cases, not intended to be upgraded.

“If those devices cannot receive software updates at some time in their lifespan, they will be vulnerable, so the risk is enormous,” says Hamilton Turner, chief technology officer at mobile-security vendor OptioLabs.

The industry has been slow to react.

Ashton Mozano, chief technology officer at Circadence, a “next-generation” provider of cybersecurity training, says that some of the device vulnerabilities have been known for as long as a decade. But the response has not been like in airline or automotive safety, where “there’s a whole community that gets up in arms” when there’s a faulty or dangerous product.

“We don’t really see that in cyberspace yet. The medical device industry, as well as the IoT realm, have been essentially isolated from that level of widespread global scrutiny,” Mozano says.

The FDA began warning about the problem a few years ago. The guidance certainly indicates the agency’s interest in cybersecurity is growing. Unfortunately, the FDA may not be in the best position to address the problem.

“They’re not in the best situation to have the knowledge and skill set … to mandate regulations for the cyber industry,” Mozano says. “They don’t want to overregulate.”

Plenty of gaps to be filled

The FDA defines patient harm as physical injury, damage to health or death. Other types of harm—such as loss of personal health information—are excluded from the FDA’s scope.

Turner thinks that’s an oversight. He says that data taken from a device can sometimes include information about the operating environment, including secure Wi-Fi access that could be used to access the network and cause patient harm.

“Ignoring loss of data in a security context can lead to some very serious repercussions,” he says.

Long-term execution of the guidance also is questionable. Mozano says there needs to be “a clear assignment of roles and responsibilities throughout the entire vertical and horizontal supply chain.” And, there needs to be better leadership and a more systematic, step-by-step implementation, he says.

The FDA could take a page from the automotive industry, where rankings by third-party evaluators such as J.D. Power influence buying decisions. This would not only motivate manufacturers to protect their reputation but also put some of the power into the hands of the users.

“This could be more effective than having draconian regulations,” Mozano says.

The industry sentiment seems to be that scenarios à la TV’s “Homeland” are still far-fetched. Even the Department of Homeland Security said the vulnerability in St. Jude’s devices would have required “an attacker with high skill.”

But Dickson emphasizes that what was science fiction as recently as two years ago is now becoming a major problem. After all, not too long ago “people said political campaigns were too sophisticated to hack.”

“Given the widespread and ubiquitous nature of medical devices, the fact that a more sophisticated attacker could do this means it will happen at some point,” he says. “As the sophistication goes down the chain, there’ll be more automation to do it. At this point, nobody has figured out how to automatically attack, but that will happen.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

IT Security: A Major Threat for Insurers

As the insurance industry changes in response to continued digitalization, IT leaders must continue to maintain and improve their ability to protect confidential data and customer information. While technological advances can streamline processes, they can also open the door for potential risks. Modern digital systems and procedures must be completely secure for agents and insureds to trust them, and to protect the companies from liability.

In a recent Novarica study, we found that insurers are enhancing security capabilities across the board. Nearly half of those we spoke to are enhancing capabilities in intrusion detection, application security and data encryption. Fewer insurers are enhancing their intrusion detection capabilities in 2017 than in 2016, but they remain among the most basic elements of IT security, and a critical component in ensuring a rapid response to any breaches. Most insurers have also already put in place application security measures to prevent security gaps, though this is an area that needs continual investment to stay current against evolving threats. And larger insurers are more likely than mid-sized insurers to be planning enhancements for data encryption capabilities. However, some midsize insurers are planning to pilot and launch encryption capabilities, in part due to encryption requirements within the New York State cybersecurity law and NAIC cybersecurity draft.

Carriers still plan to enhance audits and procedures, but the focus on this area has dropped somewhat due to high investment in 2016, when many insurers adopted NIST for the first time. IT security is as much a matter of practices and monitoring as it is of technology. In fact, from a CIO resource perspective, audits and procedures are often more expensive than technology. Processes need to be created to evaluate all aspects of security management and determine the process maturity. These processes need to be independently validated through a combination of sampling, gathering statistics from tools and holding discussions with the people responsible for those procedures.

We also see some activity when it comes to security frameworks and regulations. Insurers are preparing for new regulations, with some taking a “wait and see” approach to recently loosened New York State cybersecurity regulations. However, the New York State regulations or the NAIC cybersecurity model law will be replicated across all of the states over the next two to three years. Carriers need to monitor the developments in this area and ensure compliance to minimize fines and reputational damage.

In terms of frameworks, we see a slight increase in the adoption rate for NIST, from 60% to 70%, and a lower rate of 60% for SSE-CMM. NIST is a framework that uses business drivers to guide cybersecurity activities, and supplements activities related to SSE-CMM, as it covers all aspects of an organization’s processes. SSE-CMM assesses an organization’s maturity with regard to secure software development. Many insurers seem to prefer NIST over the SSE-CMM framework, and very few insurers are relying on other formal frameworks like COBIT, ITIL and the NYS regulation framework.

While more insurers choose to adopt NIST over other frameworks, adoption of formal frameworks is growing across the board. To ensure data protection across the enterprise, insurers can rely on frameworks to assess security risks. The organization must ensure that the software it builds or that is built on its behalf is secure and does not open up a security exposure. One good way to determine if the process of software development creates secure applications is to look at the security maturity of that process. The SSE-CMM is the way to assess this, but it does not go far enough. A full risk management framework needs to be applied to the firm to augment its other operational risk assessments. The NIST framework, developed in 2014, is becoming the standard for all insurers to assess digital and operational security risks in a structured way and to develop a road map to improve their cyber-security practices.

Most large insurers have a mature IT security function, with a dedicated organization led by a chief information security officer. But for smaller companies, dedicating resources and building competency in this area can be challenging. What is more, IT security is still seen as a lower priority for CIOs and mid-level managers. Less than 10% of an insurer’s IT budget is typically focused on security. In some cases, especially in mid-sized and small carriers, basic capabilities like penetration testing, ethical hacking programs and mandatory security training are lacking. Additionally, many carriers do not have a dedicated security executive like a CISO. Insurers must ensure that they understand their challenges and options, prioritize their investments and plan their responses to security incidents.