CYBERSECURITY IN HEALTHCARE
AN OVERVIEW OF THE RECENTLY RELEASED HHS’S HEALTH INDUSTRY CYBERSECURITY PRACTICES (HICP) GUIDANCE
February 11, 2019

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.


Page 2

With you today….

KEVIN OLVERA, Healthcare Audit Partner
+1 214 665-0742
[email protected]

GANESH RAMASWAMY, Risk Advisory Services Managing Director
+1 214 908-2744
[email protected]

Page 3

Cybersecurity in Healthcare - Agenda

• Overview of Cybersecurity challenges in Healthcare

• Background of HICP guidance

• Key takeaways

• Questions and open discussion

Page 4

Cybersecurity in Healthcare

• Overview of Cybersecurity challenges in Healthcare

• Background of HICP guidance

• Key takeaways

• Questions and open discussion

Page 5

Background: Legal Basis

Cybersecurity Act of 2015

Health Care Industry Cybersecurity (HCIC) Task Force (2017) Report*

HICP Guidance (2018)**

Reference:

* HCIC Report on Improving Cybersecurity in the Health Care Industry, June 2017

** Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, December 2018

Page 6

Nature of Health Care Industry Landscape

A mosaic of organizations and players

❑ Large health systems & single physician practices; public & private payers; for-profit, charity, &

academic institutions; device manufacturers & service providers

Serving a wide spread and diverse population

❑ Varied ability to pay, medical needs, and security awareness

Geographical diversity

❑ Rural, sub-urban, urban, & mobile

A unique culture: “open” and “sharing”

❑ Generally in line with the primary mission of the industry, but in conflict with information security and privacy needs

Relatively slow to embrace digitization

❑ Historically, data was kept “in-house” for security purposes; recent subsidies for EHR adoption, health information exchanges, and cloud adoption increase the risk

❑ Emerging online self-service and access through mobile and wearable devices

❑ Increased connectivity (IoT) and volume of data (big data)

Multiplicity of Regulatory Actors

❑ OCR, CMS, FDA, ONC, ASPR, FTC

Page 7

Health Care Ecosystem

Source: https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf

Page 8

Health Care Regulatory Landscape

Source: https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf

Page 9

HCIC Task Force Imperatives

Released in 2017, the report provided six high-level imperatives and recommendations for the healthcare industry:

1. Define and streamline leadership, governance, and expectations

❑ Create cybersecurity leadership role within HHS

❑ Consistent and consensus based cybersecurity framework

❑ Harmonize existing and future laws (state and other jurisdiction)

❑ Identify scalable best practices

❑ Explore potential conflicts with other Healthcare laws

2. Increase the security and resilience of medical devices and IT

❑ Secure legacy systems

❑ Improve manufacturing & development transparency

❑ Increase adoption and rigor of secure development

❑ Strong authentication for access and identity management

❑ Strategically reduce attack surface

❑ MedCERT team to handle emergency response

3. Develop workforce capacity necessary to prioritize and ensure cybersecurity awareness

❑ Identify cybersecurity leadership role

❑ Establish model for resourcing cybersecurity workforce with qualified individuals

❑ Create MSSP models to support small and medium-sized providers

❑ Evaluate options to migrate patient records and legacy systems to secure environments

Page 10

HCIC Task Force Imperatives (contd.)

4. Increase readiness through cybersecurity awareness and education

❑ Develop cybersecurity education programs for executives and boards of directors

❑ Establish a cybersecurity hygiene posture for risk management in a secure and sustainable fashion

❑ Establish a conformity assessment model (based on the Baldrige Cybersecurity Excellence Builder)

❑ Increase outreach of cybersecurity across federal, state, local, and private entities

❑ Provide patients with information to manage security and privacy of their personal health

information

5. Identify mechanisms to protect R&D efforts and IP from attacks/exposure

❑ Develop guidance for industry and academia for risk management

❑ Pursue research into protecting healthcare big data sets

6. Improve information sharing of threats, risks, and mitigations

❑ Tailor information sharing for easier consumption by small and medium size organizations

❑ Broaden the scope and depth of information sharing

❑ Encourage annual readiness exercise

❑ Provide security clearance mechanism for Healthcare community members

Page 11

Cybersecurity in Healthcare

• Overview of Cybersecurity challenges in Healthcare

• Background of HICP guidance

• Key takeaways

• Questions and open discussion

Page 12

Approach and Goals of HICP Guidance

Approach to the HICP guidance:

❑ Examine current cybersecurity threats affecting the Healthcare and Public Health (HPH) sector

❑ Identify the specific weaknesses that lead to increased vulnerability

❑ Provide the practices that experts consider most effective at mitigating those risks

Three “core” goals:

❑ Cost-effectiveness in reducing risk for a range of organizations

❑ Support voluntary adoption and implementation

❑ Ensure the content is actionable, practical, and relevant to stakeholders of every size and resource level

Not a one-size-fits-all approach

Written to raise awareness among all personnel (e.g., executives, health care practitioners, providers, and delivery organizations).

Page 13

Approach and Goals of HICP Guidance (Contd.)

Structure

❑ Main Document: Addresses current threats and raises awareness

❑ Technical Volume 1: Ten practices and sub-practices for small health care

organizations. Intended for IT and/or IT security personnel and serves to guide the

organization on what to ask of their service providers.

❑ Technical Volume 2: Ten practices and sub-practices for medium-sized and large

healthcare organizations

❑ Resource and Template Volume: Provides additional resources and supplements

Main document explores the most impactful five threats

Technical Volumes detail the ten practices to mitigate the five threats.

Page 14

Selecting the Correct Volume and Fit

Generally the guidance is clear for small practices. For medium and large practices, it is recommended that:

❑ Medium-size organizations start with the medium-organization sub-practices and also consider adopting the sub-practices for large organizations

❑ Large-size organizations review both the medium- and large-organization sub-practices

*Source: https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

Page 15

Cybersecurity in Healthcare

• Overview of Cybersecurity challenges in Healthcare

• Background of HICP guidance

• Key takeaways

• Questions and open discussion

Page 16

Key Takeaways: The Five Threats

E-mail phishing attacks

❑ Vulnerabilities: Lack of awareness, of IT resources, and of sender validation tools

❑ Impact: Loss of reputation, patient care and safety, data confidentiality

Ransomware attacks

❑ Vulnerabilities: lack of back-up, anti-phishing tools, patching, detection tools, security controls

❑ Impact: Service disruption, patient care and safety, expensive recovery, data confidentiality

Loss or theft of equipment or data

❑ Vulnerability: Lack of inventory controls, encryption, physical security, awareness, vendor

management, end-of-life processes

❑ Impact: Lost productivity, damage to reputation, improper access to PHI

Insider, accidental or intentional data loss

❑ Vulnerability: Accidental disclosure, lack of monitoring, logging, auditing, and technical controls

❑ Impact: Reportable incidents, financial loss, incorrect patient treatment due to data integrity

issues

Attacks against connected medical devices that may affect patient safety

❑ Vulnerability: Inadequate patching processes and legacy systems, device heterogeneity, and the lack of a security profile for every device

❑ Impact: Operational impact, compromise of patient safety or care

Page 17

Key Takeaways: The Ten Practices to Mitigate Threats

Practice #1: E-mail Protection Systems

❑ Data Elements: Passwords & PHI

❑ Risk Mitigation: Email phishing, ransomware, insider data loss

❑ Small: Email configuration, education, phishing simulation

❑ Medium: Basic email protection, multi-factor authentication, email encryption, workforce

education

❑ Large: Advanced and next-gen tools, digital signatures, analytics-driven education
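The “email configuration” and “sender validation tools” items in Practice #1 (and the vulnerability noted under the phishing threat) come down to whether a domain publishes SPF and DMARC records strong enough for receiving mail servers to reject spoofed mail. The following is an added example, not code from the deck or from the HICP volumes: it parses the two record types and reports the weaknesses an assessor would flag. The record strings are constructed for a hypothetical clinic domain; a live check would read the TXT records for the domain and for `_dmarc.<domain>` over DNS instead.

```python
"""Check whether a domain's SPF and DMARC records would let a receiver
reject spoofed mail.  Added example, not code from the BDO deck or the
HHS HICP volumes.  Record strings below are constructed for a hypothetical
clinic domain; a live check would read the TXT records for the domain and
for _dmarc.<domain> over DNS instead."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MailAuthFindings:
    spf_present: bool = False
    spf_terminal: Optional[str] = None   # "-all", "~all", "?all", "+all"
    dmarc_present: bool = False
    dmarc_policy: Optional[str] = None   # "none", "quarantine", "reject"
    dmarc_pct: int = 100
    issues: List[str] = field(default_factory=list)


def parse_spf(record: str, f: MailAuthFindings) -> None:
    """Record the terminal 'all' mechanism of an SPF record (RFC 7208)."""
    if not record.lower().startswith("v=spf1"):
        f.issues.append("SPF: no v=spf1 record published")
        return
    f.spf_present = True
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            f.spf_terminal = (m.group(1) or "+") + "all"
            break
    if f.spf_terminal is None:
        f.issues.append("SPF: no terminal 'all' mechanism (unlisted senders are neutral)")
    elif f.spf_terminal in ("+all", "?all"):
        f.issues.append("SPF: '%s' permits or is neutral toward any sending host" % f.spf_terminal)
    elif f.spf_terminal == "~all":
        f.issues.append("SPF: softfail only; receivers need DMARC to act on it")


def parse_dmarc(record: str, f: MailAuthFindings) -> None:
    """Record the p= and pct= tags of a DMARC record (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        f.issues.append("DMARC: no v=DMARC1 record published")
        return
    f.dmarc_present = True
    f.dmarc_policy = tags.get("p", "").lower() or None
    pct = tags.get("pct", "100")
    if pct.isdigit():
        f.dmarc_pct = int(pct)
    else:
        f.issues.append("DMARC: pct= is not a number, treating as 100")
    if f.dmarc_policy not in ("none", "quarantine", "reject"):
        f.issues.append("DMARC: p= tag missing or invalid")
    elif f.dmarc_policy == "none":
        f.issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if f.dmarc_pct < 100:
        f.issues.append("DMARC: policy applied to only %d%% of failing mail" % f.dmarc_pct)
    if "rua" not in tags:
        f.issues.append("DMARC: no rua= address, so aggregate reports are never received")


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> MailAuthFindings:
    """Combine both parsers; None stands for 'no record published'."""
    f = MailAuthFindings()
    parse_spf(spf_record or "", f)
    parse_dmarc(dmarc_record or "", f)
    return f


# Constructed records for a hypothetical domain clinic.example (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example-mail.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.test -all"
STRONG_DMARC = ("v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@clinic.example; "
                "ruf=mailto:dmarc@clinic.example")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        r = assess(spf, dmarc)
        print(label, r.spf_terminal, r.dmarc_policy, r.issues)
```

The weak pair is the common starting state for small practices that set up SPF once and never moved DMARC past monitoring; the strong pair is the end state the Practice #1 medium and large sub-practices aim at. Digital signatures (DKIM) are the third leg and are checked per message, not per domain record, so they are out of scope here.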

Practice #2: Endpoint Protection Systems

❑ Data Elements: Passwords & PHI

❑ Risk Mitigation: Ransomware, theft or loss of equipment/ data

❑ Small & Medium: Basic end-point protection

❑ Large: Automated endpoint provisioning, mobile device management, host-based IDS/IPS, endpoint detection and response (EDR), application whitelisting, micro-segmentation/virtualization

Practice #3: Identity and Access Management (IAM)

❑ Data Elements: Passwords

❑ Risk Mitigation: Ransomware, theft or loss of equipment/ data, attack on connected devices

❑ Small: Basic access management

❑ Medium: Identity and access management procedures, multi-factor authentication

❑ Large: Federated identity management, authorization, access governance, single sign-on

Page 18

Key Takeaways: The Ten Practices to Mitigate Threats (contd.)

Practice #4: Data Protection and Loss Prevention

❑ Data Elements: Passwords & PHI

❑ Risk Mitigation: Ransomware, insider data loss, loss of data/ equipment

❑ Small: Policies and procedures

❑ Medium: Data classification, use procedures, data security, backup, DLP

❑ Large: Advanced DLP and data flow mapping
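The medium and large sub-practices of Practice #4 add a DLP control on top of policy. The following is an added example, not code from the deck or the HICP volumes, of the kind of outbound-content rule a basic DLP tool applies to e-mail: it looks for common PHI identifiers, masks what it finds so the finding itself does not leak PHI, and applies a simple allow/quarantine/block decision based on the recipient domain. The identifier patterns, the internal domain, and the sample messages are all constructed; the MRN format in particular is hypothetical, since every organization numbers records differently.

```python
"""Outbound-content check for common PHI identifiers, the kind of rule a
basic DLP tool applies to e-mail before it leaves the organization.
Added example, not code from the BDO deck or the HICP volumes.  Identifier
patterns and sample messages are constructed; the MRN format in particular
is hypothetical, since every organization numbers records differently."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str   # last four digits only; the raw identifier is never logged


# Assumed patterns: SSN (excluding impossible area/group/serial values),
# a hypothetical "MRN: 12345678" label, and a labelled US-format DOB.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*(\d{6,10})\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})\b",
                      re.IGNORECASE),
}


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be reviewed safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else "****"


def scan(text: str) -> List[Finding]:
    """Return one Finding per identifier match, in PATTERNS order."""
    out = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            raw = m.group(1) if m.groups() else m.group(0)
            out.append(Finding(kind, mask(raw)))
    return out


def decide(text: str, recipient_domain: str,
           internal_domains: FrozenSet[str]) -> Tuple[str, List[Finding]]:
    """Policy: PHI to an internal domain is allowed (the caller would log it);
    to an external domain, an SSN or two or more identifier kinds blocks the
    message, and a single other identifier holds it for review."""
    findings = scan(text)
    if not findings or recipient_domain.lower() in internal_domains:
        return "allow", findings
    kinds = {f.kind for f in findings}
    if "ssn" in kinds or len(kinds) >= 2:
        return "block", findings
    return "quarantine", findings


INTERNAL = frozenset({"clinic.example"})   # assumed internal mail domain

# Constructed sample messages (no real patient data).
SAMPLES = [
    ("Patient MRN: 00482913, DOB: 03/14/1962, SSN 123-45-6789 attached.", "mail.example"),
    ("Patient MRN: 00482913, DOB: 03/14/1962, SSN 123-45-6789 attached.", "clinic.example"),
    ("Reminder: DOB 03/14/1962 confirmed for tomorrow's visit.", "mail.example"),
    ("Staff meeting moved to 3pm.", "mail.example"),
]

if __name__ == "__main__":
    for text, domain in SAMPLES:
        verdict, found = decide(text, domain, INTERNAL)
        print(verdict, domain, [(f.kind, f.masked) for f in found])
```

Pattern matching of this kind is the small/medium starting point; the large-organization sub-practice (data flow mapping) is what tells you which internal-to-external flows are legitimate, so that the internal-domain exemption above can be narrowed to the systems that actually need it.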

Practice #5: Asset Management

❑ Data Elements: Passwords & PHI

❑ Risk Mitigation: Ransomware, insider data loss, loss of data/ equipment, attack on

interconnected devices

❑ Small: Inventory, procurement, and decommissioning

❑ Medium: Inventory of endpoints and servers, procurement, secure storage, decommissioning

❑ Large: Automated discovery and maintenance, integrated Network Access Control

Practice #6: Network Management

❑ Data Elements: PHI

❑ Risk Mitigation: Ransomware, insider data loss, loss of data/ equipment, attack on

interconnected devices and patient safety

❑ Small: Network segmentation, physical security & guest access, intrusion prevention

❑ Medium: Network profiles and firewalls; segmentation, IPS, web proxy, physical security

❑ Large: Additional segmentation, perimeter monitoring, anomalous network monitoring and

analytics, sandboxing/malware execution, network access control

Page 19

Key Takeaways: The Ten Practices to Mitigate Threats (contd.)

Practice #7: Vulnerability Management

❑ Data Elements: PHI

❑ Risk Mitigation: Ransomware, insider data loss, attack against connected devices

❑ Small: Vulnerability management

❑ Medium: Host/ server and web app scanning, system placement & data classification,

change management

❑ Large: Penetration testing, remediation planning

Practice #8: Security Operations Center (“SOC”) Operations and Incident Response

❑ Data Elements: PHI

❑ Risk Mitigation: Phishing, ransomware, loss or theft of data/equipment, insider data loss,

attack against connected devices and patient safety

❑ Small: Incident response, ISAC/ISAO participation

❑ Medium: SOC operations, incident response, information sharing (ISACs/ISAOs)

❑ Large: Advanced SOC and information sharing, incident response plan, baselining network traffic, user behavior analytics, deception technologies

Page 20

Key Takeaways: The Ten Practices to Mitigate Threats (contd.)

Practice #9: Medical Device Security

❑ Data elements: PHI

❑ Risk Mitigation: Attack against connected devices and patient safety

❑ Small: Medical device security

❑ Medium: Endpoint protection, IAM, medical device management, IT asset and network management

❑ Large: Vulnerability management, SOC and incident response, procurement and security evaluation, contacting the FDA

Practice #10: Cybersecurity Policies

❑ Pervasive risk mitigator for all data elements and risks for all types of organizations

Page 21

Cybersecurity in Healthcare

• Overview of Cybersecurity challenges in Healthcare

• Background of HICP guidance

• Key takeaways

• Questions and open discussion

Page 22

Questions?

Page 23

Resources/ References

https://www.bdo.com/insights/business-financial-advisory/implementing-threat-based-cybersecurity-to-secure

https://www.bdo.com/industries/healthcare/overview