How to Use the NIST CSF to Recover from a Healthcare Breach
Recovering from a Healthcare Data Breach with the NIST Cyber Security Framework
Part 6 of the NIST CSF for Healthcare Webinar Series
Ken Durbin, CISSP
Strategist, CRM and Threat Intel
Symantec
17-October-2017
Axel Wirth, CPHIMS, CISSP, HCISPP
Distinguished Healthcare Architect
Symantec
Per capita cost is defined as the total cost of data breach divided by the size of the data breach in terms of the number of lost or stolen records.
Let me share some thoughts:
A lack of understanding at the senior management and board level. Discussions at these levels are still missing the target because they are not conducted in a business context. They focus only on the technological risk (a virus, a breach, an attack) but not on what happens to care if there is a virus outbreak on the network, or what to do about billing if you have had a breach. In their 2013 Global Risk Management Survey, Gartner found that most companies surveyed (not just healthcare) are not communicating risk management data effectively to their board.
And that is dangerous, because of the growing interconnection between technology and business risks. No one can argue that we are entering a “digital economy” . . . although healthcare is lagging sectors like retail and the airlines. And since what we do is take care of people, that interconnection is more critical here than in any other business. If you enter the wrong order at the corner restaurant, someone gets the wrong lunch. Do that in a pharmacy and someone may never eat lunch again. And I promise not even to discuss medical devices here . . .
There is increasing pressure to disclose technology risk. Market and industry regulators (from the HHS Wall of Shame to Joint Commission to the FDA and initiatives in almost every state) now instruct the public about what providers are doing with patient information and how they do it and how well they do it. Transparency is a wonderful thing until it is your ugly stuff that’s on display.
Lack of visibility into key business relationships with third parties. And then there are those pesky Business Associates and sub-contractors. The number of Business Associates (and their Business Associates and subs), and of technological exchanges of information (HIEs, ACOs, registries), has skyrocketed, which has increased the level of IT risk exponentially. With potentially 4 – 5 million Business Associates out there, it is much easier not to know what is going on and to assume the BAA or the Government will take care of it.
Now, these are the big-ticket items. In fact, they are not even unique to healthcare. But healthcare unfortunately has a history of lagging technology and of siloed approaches to business (or what we sometimes call care), both anathema to good enterprise risk management.
Lack of understanding at the highest levels is bad enough, but we have a more serious lack of understanding among the experts who perform the risk assessments. Risk assumes there is an asset, something to protect. But we are still thinking of assets as “things”: devices, rooms, and pieces of paper. We do not think of all those magnetic bits and bytes that we have carefully laid down on spinning disks or tape or jump drives, or sent through wires, or sometimes just through the air with no wires at all.
[Chart: respondent roles, 147 responses in total]
Over one-third of participants are CIOs.
Just over half (56.6%) of respondents hold an IT leadership position (CIO, Director of IT, VP of IT), while 16.5% hold a security leadership position (CISO, IT security officer, CSO).
The “Other” category is made up of IT managers, analysts, and directors and managers of other departments/areas.