Larry’s keynote presentation focused on PHI Security and Privacy, and reminded me of the challenges facing underwriters of Cyber/Privacy coverage for health care organizations.
He spoke about the significant and ongoing attacks on our technology infrastructure and the theft of intellectual capital by state-sponsored actors, and about the need to defend against those attacks on a national level.
Larry also spoke at length about the theft and corruption of data ongoing at individual organizations and the ability of organizations to protect themselves from those threats – whether state sponsored or by criminal gangs (reminding us that the individual hobby hacker is far from the only threat).
He made some pointed observations about the state of the health care industry in its protection of Private Health Data, especially with regard to the implementation of Electronic Health Records. EHR systems are vulnerable given industry practice, and the skill level needed to exploit them is low.
(I have edited the following for clarity)
Citing an important study of the state of health care information security, PWC’s 2013 State of Info Security Survey data regarding health care organizations, Larry noted:
- Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound and many consider themselves to be leaders in the field
- (And yet, only) 42% have a strategy & (are) proactive in executing it
- 65% are confident their info sec practices are effective – that is DOWN 15% from 2009
- Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
- 60% do NOT have a policy for third parties to comply with privacy policies
- 73% use mal code detection tools; DOWN 16%
- 48% use tools to find unauthorized devices; DOWN 14%
- 51% use intrusion detection tools; DOWN 19%
- 48% use vulnerability scanning tools; DOWN 15%
- 31% DON’T KNOW when info sec is part of major projects – ONLY 18% at project inception
- 90% HC respondents say protecting employee & customer data is important – few know where the data is stored (43% have an accurate inventory of data)
- Adopting new technology (is outpacing) security – new technology referring to cloud 28%, mobile 46%, soc media 45%, personal devices 51%
The reasons? As noted by Larry:
- Lack of funding 53%
- 20% say top leadership “is an impediment to improved security.”
- Only 43% report security breaches
- Diminished budgets have resulted in degraded security programs, incidents are on the rise, and new technologies are being adopted faster than safeguards
- There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud)
- HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis to appraise those losses, e.g. only 33% consider damage to brand as a financial loss
I certainly understand the pressures on the health care industry – severe cost pressures, a focus on the patient above all, and rapidly evolving technology.
So – why am I posting this? Because in my research, I find that Health Care insureds are the most often cited target markets for standalone Cyber insurers. And because I care about the quality of health care.
I ask – are Cyber insurers sufficiently equipped to assess the Cyber risks of the health care industry? Considering the poor state of Cyber/Privacy security reported in PWC’s study – I sure hope so.