Larry Clinton of The Internet Security Alliance and some startling statistics about privacy security in the health care industry

Larry Clinton, the longtime head of the Internet Security Alliance spoke at last week’s PHI Protection Forum, the founding conference of the PHI Protection Network.

Larry’s keynote presentation focused on PHI Security and Privacy, and reminded me of the challenges facing underwriters of Cyber/Privacy coverage for health care organizations.

He spoke about the significant and ongoing attacks on our technology infrastructure and the theft of intellectual capital by state-sponsored actors, and about the need to defend against those attacks on a national level.

Larry also spoke at length about the theft and corruption of data ongoing at individual organizations and the ability of organizations to protect themselves from those threats – whether state sponsored or by criminal gangs (reminding us that the individual hobby hacker is far from the only threat).

He made some pointed observations about the state of the health care industry in its protection of Private Health Data, especially with regard to the implementation of Electronic Health Records.  EHR systems are vulnerable given industry practice & the skill level needed to exploit them is low.

(I have edited the following for clarity)

Citing an important study of the state of health care information security, PWC’s 2013 State of Info Security Survey data regarding health care organizations, Larry noted:

  • Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound and many consider themselves to be leaders in the field
  • (And yet, only) 42% have a strategy & (are) proactive in executing it
  • 65% are confident their info sec practices are effective – that is DOWN 15% from 2009
  • Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
  • 60% do NOT have a policy for third parties to comply with privacy policies
  • 73% use mal code detection tools; DOWN 16%
  • 48% use tools to find unauthorized devices; DOWN 14%
  • 51% use intrusion detection tools; DOWN 19%
  • 48% use vulnerability scanning tools; DOWN 15%
  • 31% DON’T KNOW when info sec is part of major projects –ONLY 18% at project inception
  • 90% HC respondents say protecting employee & customer data is important – few know where the data is stored (43% have an accurate inventory of data)
  • Adopting new technology (is outpacing) security – new technology referring to cloud 28%, mobile 46%, soc media 45%, personal devices 51%

The reasons? As noted by Larry:

  • Lack of funding 53%
  • 20% top leadership “is an impediment to improved security.”
  • Only 43% report security breaches
  • Diminished budgets have resulted in degraded security programs, incidents are on the rise, new technologies are being adopted faster than safeguards
  • There are short-term economic incentives to be insecure (VoIP, use personal devices, the Cloud)
  • HC providers report lower $ loss from incidents but many do not perform thorough or consistent analysis to appraising those losses, e.g. only 33% consider damage to brand as a financial loss

I certainly understand the pressures on the health care industry – severe cost pressures, a focus on the patient above all, and rapidly evolving technology.

So – why am I posting this? Because in my research, I find that Health Care insureds are the most often cited target markets for standalone Cyber insurers.  And because I care about the quality of health care.

I ask – are Cyber insurers sufficiently equipped to assess the Cyber risks of the health care industry?  Considering the poor state of Cyber/Privacy security reported in PWC’s study – I sure hope so.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s