Introduction in an interconnected world - PwC › en › riskassurance › publications › assets...


Page 1: Introduction in an interconnected world - PwC › en › riskassurance › publications › assets › healt… · Healthcare cybersecurity challenges in an interconnected world

Healthcare: payers and providers

Healthcare cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Introduction


Technology is not the only agent of change.

Innovations in business models and partnerships with a broadening range of care collaborators are generating new services and promoting growth. At the same time, mergers and acquisitions are creating synergies while compacting the industry through consolidation. Both will yield new opportunities and redefine the industry.

Nowhere is the force of change more evident than in the US, where organizations are implementing electronic health records (EHRs) as a means to lower healthcare costs, modernize back-office systems, and speed payments. The real challenge, however, will be integrating disparate systems to seamlessly share EHR information with providers, payers, and patients. Doing so will help providers monitor and improve patient care, predict development of illnesses, boost patient engagement in their care, and enhance workflows among providers, care collaborators, and payers.

With change comes challenge, however. More than ever, healthcare payers and providers face a raft of issues that could impact the security of patient health data, sensitive corporate information, and regulatory compliance mandates. Most are boosting their investments in information security to address these evolutions, according to The Global State of Information Security® Survey (GSISS) 2015.


[Chart: GSISS 2015: Healthcare payers and providers results at a glance (Incidents). Average number of detected incidents: 2013, 2,786; 2014, 4,470. Estimated total financial losses: 2013, $0.8M; 2014, $2.9M.]

Technology advances like telemedicine, information sharing via mobile devices and social media, and Big Data analytics are transforming how healthcare payers and providers interact with their patients, business partners, and regulators.

The confluence of these technologies is also changing how organizations provide care and is helping create a marketplace in which consumers pay for healthcare by value rather than volume.

It will also expose more sensitive patient data to the Internet, which will increase information security risks.

In part, that’s because electronic data is inherently more vulnerable to large-scale compromise than paper-based information. Another factor is that troves of patient data contained in EHRs and healthcare information exchanges (HIEs) are increasingly tempting to cyber criminals.

A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000 on the black market, and even partial health insurance credentials can fetch $20; stolen payment cards, by comparison, typically are sold for $1 each.[1]

Medical records are more valuable because cybercriminals can use them to create an identity, as well as carry out sophisticated insurance fraud schemes.

[1] Dell SecureWorks, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier, July 15, 2013


[Chart: GSISS 2015: Healthcare payers and providers results at a glance (Sources of incidents, share of respondents). Current employees: 2013, 43%; 2014, 39%. Former employees: 2013, 26%; 2014, 24%. Hackers: 2013, 23%; 2014, 24%. Foreign nation-states: 2013, 2%; 2014, 5%.]


[Chart: GSISS 2015: Healthcare payers and providers results at a glance (Security spending). Average annual IS budget: 2013, $2.4M; 2014, $4.0M. IS spend as percentage of IT budget: 2013, 3.4%; 2014, 3.7%.]

Security incidents skyrocket

Officials have also warned that malicious actors are more actively targeting patient data.

Our security survey results bear that out: Incidents among healthcare payers and providers soared 60% over 2013, an increase that was almost double that reported by all industries. (We define a security incident as any adverse incident that threatens some aspect of computer security.) These compromises come at a great cost: The estimated average financial losses as a result of security incidents skyrocketed to $2.9 million in 2014, a head-turning 282% increase over the year before.

While retailers are grappling with a rash of payment-card heists, healthcare payers and providers report increases in theft of more valuable data.

The increased volume and value of healthcare data comes at a time when governments have warned healthcare providers that their security lacks the maturity of industries like financial services and retail.

[Chart: The fastest-growing sources of security incidents, increase over 2013. Foreign nation-states: 206%. Competitors, organized crime, information brokers, and activists/activist organizations/hacktivists: 126%, 120%, 68%, and 41% (the extraction does not preserve which value belongs to which source).]

This year, survey respondents say identity theft jumped 32%, and 20% say personally identifiable information (PII) was compromised.


Recently, a major US hospital chain reported that personal records of several million patients were stolen.[2] While the total number of survey respondents who attribute security incidents to foreign nation-states is comparatively low, they are the fastest-growing source, increasing 206% over 2013.

This rise in incidents perpetrated by highly organized threat actors is part of a larger pattern we have seen:

Data losses are shifting from accidental compromises (such as the use of an incorrect e-mail address for distribution of sensitive data) to more targeted and broader attacks by nation-states, organized crime, and activists/hacktivists.

[Chart: EHRs continue to drive security investment. What trends drive security spending? (2013 vs. 2014) Categories: Implementation of electronic health records (EHRs)/public health records (PHRs); Data sharing via Health Information Exchanges; Increased drive for outcome-based research and health analytics; Data sharing via mobile devices; Data sharing via medical devices; Data sharing via telemedicine; Data sharing via social media. The percentage values for each category are not recoverable from the extraction.]

[2] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015, September 30, 2014

It’s a troubling trend, but the good news is that many healthcare payers and providers seem to be taking these threats seriously. Investment in information security increased 66% over 2013, and spending on information technology is up 53%. While implementation of electronic records remains the primary driver for security spending, its influence is beginning to wane.

Consumers and partnerships drive change

The need to invest in security will only increase as today’s connected consumers expect access to complete medical records via health portals set up by hospitals, individual physicians, and payers.

Consumer demand for electronic access to health records and changes in the traditional fee-for-service based payment model will demand that organizations forge new business associations between a range of healthcare payers and providers, as well as invest in identity management technologies.

Just as consumer healthcare behavior is evolving, so too are relationships among health companies. Increasingly, healthcare companies are forming new affiliations with a range of partners to meet changing customer demands.

Companies are forming new business relationships to meet heightened consumer expectations.

Consider the following:

Payers are investing in analytics companies, physician group practices, and healthy food programs. These acquisitions are driving consolidation and convergence in the health industries.

Drugstores are providing more care through in-store clinics that offer immunizations, wellness screening, and routine lab work like blood tests.

As the industry focuses on population health management, which seeks to reduce medical interventions through preventive care and targets hospitals’ traditional fee-for-service payment system, providers are altering business models to address increasing financial risks.

And as health information exchanges and EHRs go online, even more third parties are involved in the digital flow of healthcare information.


These shifts in relationships may increase compliance risks as new partners take on unfamiliar roles that are subject to increasingly stringent privacy regulations.

The Final Health Insurance Portability and Accountability Act (HIPAA) Rule, for instance, expands accountability to subcontractors of business associates, who are now required to comply with the HIPAA Privacy Rule and Security Rule, including the same provisions related to physical, administrative, and technical safeguards applicable to business associates.

This creates additional burdens for business associates, but it also produces new cybersecurity risks by expanding the attack surface through sharing of more data. The risks are compounded when healthcare organizations execute business-associate agreements without adequate due diligence and monitoring of these third parties.

Other organizations may thoroughly evaluate business associates while ignoring other vendors that may also have trusted access to sensitive information. As one high-profile retailer breach last year so conclusively demonstrated, cyber adversaries can—and will—access sensitive data and networks via third-party vendors.

For many healthcare payers and providers, the HIPAA Final Rule may represent a challenge. We found, for instance, that only 54% of respondents conduct risk assessments on third-party vendors, and just 60% conduct compliance audits of third parties that handle personal data of customers and employees to ensure they can protect this information.

Landmark privacy regulation will impact organizations operating in Europe.

The European Union (EU) is on course in the coming months to adopt its biggest privacy-regulation overhaul in a generation.

The new reform rules are expected to introduce extensive breach-notification requirements, give regulators the power to perform compulsory audits, and impose fines as high as 5% of annual worldwide turnover. As a result, multi-million-euro penalties for non-compliance could become commonplace in the EU.

[Chart: Top 5 security challenges in 2014. Encryption in storage and in transit; Regulatory requirements; Access control and identity management for end users; Cloud computing; Data leakage prevention. Values shown: 35%, 30%, 30%, 27%, 23% (the extraction does not preserve which value belongs to which challenge).]

What’s more, under the new regulation, the EU’s classification of personal health information as “sensitive” could result in heightened obligations and scrutiny for organizations in the healthcare, pharmaceutical, and life sciences industries.

Rising risks of mobility and Big Data

Privacy rules, after all, apply when any protected health data is accessed and transmitted, whether from a centralized customer relationship management system or an individual physician’s smartphone.

Already, almost one in five (19%) respondents report compromise of mobile devices in the past year. Among healthcare providers, physicians who bring their own smartphones and tablets to the workplace are a particular concern. These devices may not be integrated with the workplace IT system, and that makes it difficult for the security function to monitor transmission of patient data.

The use of smartphones and tablets, both by employees and customers, to access protected healthcare data is likely to further elevate risks of compromise.

Given the risks, it seems surprising that 38% of respondents have no security strategy governing employee use of personal devices on the enterprise.

Also consider that healthcare payers and providers, thanks in large part to the implementation of EHRs and sensor-based health-monitoring devices, are swimming in a rapidly rising sea of data. Data analytics is likely to transform healthcare by helping predict and diagnose illness, monitor patient wellness, better understand customer preferences, and increase operational efficiencies.

Big Data analytics also can help organizations model for and predict security incidents. Among healthcare payers and providers, 44% say they have Big Data analytics in place, and an additional 15% outsource analytics. The majority (58%) of those who have harnessed data analytics say it has enabled them to detect more incidents.

To protect this trove of data, it’s essential that organizations implement the proper security safeguards.

Yet 47% of respondents do not have a security strategy for Big Data, and others lack important security tools and policies such as data loss prevention (40%) and an inventory of where personal data is collected, stored, and transmitted (36%). Implementation of security controls may be particularly challenging when the analytics is outsourced to a cloud services provider.

[Chart: Security strategies are often lacking. Share of respondents that have a strategy for: Employee use of personal devices on the enterprise (2014: 62%); Social media (2013 and 2014); Cloud computing (2013 and 2014); Big Data (2013 and 2014; 53% in 2014); The Internet of Things (2014: 44%; not surveyed in 2013). The remaining 2013/2014 values shown (58%, 57%, 56%, 55%, 47%) are not reliably attributable to a category from the extraction.]

Prepping for the Internet of Things

The Internet of Things will introduce tremendous benefits for healthcare organizations and life-changing conveniences and wellness opportunities for consumers.

It also will create a new world of security risks, a fact that many respondents seem to realize.

In fact, 44% of healthcare payers and providers say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 24% say they are working on a strategy. Nonetheless, many seem to be implementing these new technologies before they can be secured.

Almost half (47%) of respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational systems like automated pharmacy systems with their IT ecosystem. Yet most have not taken precautions to help ensure the security of these IT-connected devices. Just more than one-third (34%) say they have contacted device manufacturers to understand security capabilities and risks, and 58% have performed a risk assessment of the technologies. Only 53% have implemented security controls.

The convergence of information, operational, and consumer technologies will bring great benefits—and new risks.

The security implications are potentially colossal.

Exponentially more personal information will be traversing more connected corporate ecosystems and personal networks of consumers, increasing risks to sensitive patient information. An effective security strategy should identify protected data, determine ownership, and define accountability before consumer and operational technologies are connected to the IT system. This is key because, unlike a stolen payment card number, consumers cannot simply request a new identity or health history once the information has been breached.

Health information is also much more personal than a credit card number: Consumers may not be concerned in the long run if payment card data is leaked, but health conditions such as infectious diseases or the use of certain medications can be deeply personal.

To determine what assets are high priority, healthcare payers and providers should identify their most valuable assets and determine who owns responsibility for them. Assigning ownership and accountability will become increasingly challenging as more electronic data is shared among a new constellation of partners.


It’s also an area in which there is great room for improvement:

We found that just 62% of respondents have a program to identify sensitive assets, and fewer (60%) have an inventory of all third parties that handle personal data.

Security starts at the top

This year’s survey finds cause for some optimism.

The number of healthcare organizations that have employee training programs (62%) and those that require employees to complete training on privacy practices and policies (73%) both increased over last year. Nonetheless, training should be universal, and accountability should cascade from the C-suite to every employee and third-party vendor and supplier.

Top-down commitment and participation is essential. This year, 65% of healthcare payers and providers say a senior executive communicates the importance of information security to the entire organization. That’s a healthy gain from last year (58%) and demonstrates that the executive team is taking ownership of cyber risk.

Cybersecurity and privacy should be embedded in the organization’s DNA, with a top-down commitment to security and ongoing employee training programs.

But ownership of risk also demands that senior executives proactively ensure that the Board of Directors understands how the organization will defend against and respond to cyber threats. We have heard much discussion about Board concern after the recent rash of retailer breaches, but our survey demonstrates that organizations clearly have not elevated security to a Board-level discussion.

Consider, for instance, that only 25% of respondents say their Board of Directors participates in reviewing current security and privacy risks—a crucial component of any effective security program. Just 24% are involved in security technologies and 32% participate in security policies. Slightly more, 36%, take a role in setting the security budget.

[Chart: How Boards participate in security. Review of security and privacy risks: 25%. Security technologies: 24%. Security policies: 32%. Security budget: 36%. Also shown, with values 40%, 18%, and 15% not reliably attributable from the extraction: Review roles and responsibilities of security organization; Review of security and privacy testing; Overall security strategy.]

Security in the new health economy

A sweeping transformation of the health economy is well under way.

Connected technologies, Big Data analytics, and electronic health records are combining to redefine consumer demands and business models. At the same time, sophisticated threat actors are devising new ways to compromise and steal digitized medical data.

Taken together, this inexorable shift will demand a rethink of information security. At the heart of this initiative should be a risk-based cybersecurity program to identify, manage, and respond to privacy and security threats.

Contacts

To have a deeper conversation about cybersecurity, please contact:

Jay Cline, Principal, Risk Assurance, 612 596 [email protected]

Mick Coady, Principal, Health Industries, 713 356 [email protected]

Joe Greene, Principal, Health Industries, 612 596 [email protected]

Peter Harries, Principal, Health Industries, 602 750 [email protected]

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.
