cyber risk in healthcare
play

Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan , Senior - PowerPoint PPT Presentation

Feb 08, 2024 •157 likes •498 views

Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan , Senior Healthcare Risk Management and Data Specialist James Penafiel , Underwriting Supervisor, Insurance Operations PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM CFPC Conflict of

  1. Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan , Senior Healthcare Risk Management and Data Specialist James Penafiel , Underwriting Supervisor, Insurance Operations PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  2. CFPC Conflict of Interest - 1 Faculty/Presenter Disclosure • Presenters: – Kopiha Nathan, Senior Healthcare Risk Management Specialist – Data Specialist – James Penafiel, Underwriting Supervisor, Insurance Operations • Relationships with commercial interests: – Grants/Research Support: None – Speakers Bureau/Honoraria: None – Consulting Fees: None – Other: HIROC insures AOHC and few AOHC members PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  3. CFPC Conflict of Interest - 2 Disclosure of Commercial Support • This program has received financial support from none in the form of none. • This program has received in-kind support from none in the form of none. • Potential for conflict(s) of interest: – Speakers have not received any payments or funding from any organizations. – AOHC and some of its members are Healthcare Insurance Reciprocal of Canada subscribers. Although no products are being sold, we do offer Liability insurance coverage for not-for- profit healthcare organizations. Our expertise in the sector enables us to provide educational presentations and share our knowledge and experience related to the content covered in the presentation. PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  4. CFPC Conflict of Interest - 3 Mitigating Potential Bias • We will not discuss details of any products sold by HIROC in this presentation. PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  5. Objectives • Identify and understand cyber risks impacting healthcare environment • Learn about strategies that can be employed by healthcare organizations to minimize cyber risk exposures • Understand how an AOHC member organization manage cyber risk 5 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  6. HIROC Disclosure • We are owned and governed by you – Healthcare orgs. – Employees, volunteers, boards – Midwives – MDs in leadership – Regulatory colleges – National associations • We are not-for-profit • We are passionate about patient safety 6 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  7. What is cyber risk? 7

  8. “…any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems. ” The Institute of Risk Management, 2014, p.8 8

  9. World Economic Forum, 2015

  10. Cyber risks and related losses • Privacy breach – lost or stolen laptop, tablets or USB keys, inadequate encryption practices and access controls, inappropriate use of e-mails and social media, etc. • Fraud or theft – social engineering scams(e.g. phishing emails, fraudulent calls, etc.), identity or information theft, etc. • Network breach or loss – hacking or virus attacks resulting in loss of network connection, critical information system failure, poor system reliability, data integrity issues, etc. • Indirect financial losses – cost of privacy breach notifications, look backs, recovery of systems or information, etc. • Compromised external relations – loss of reputation or public trust, Information and Privacy Commissioner order, media attention, etc. 10 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  11. Security incidents experienced by healthcare organizations * Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data Ponemon Institute Research Report, May 2015 (US) 11 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  12. Security threats healthcare organizations worry about the most * Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data Ponemon Institute Research Report, May 2015 (US) 12 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  13. Existing skepticism: “Could it happen to Canadian healthcare providers?” 13 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  14. Case Study 1 A phishing e-mail was sent to one of the finance staff members that had access to electronic banking. The e-mail contained banking details with a request for the staff member to perform certain activities online. The finance staff member acted on this by following the link in the e-mail to complete the activity. A month later, finance staff noticed a few questionable payroll transactions processed over the weekend. The staff immediately contacted the bank and confirmed that the account had been compromised. • ‘Phishing’ – social engineering • Internal education and staff awareness is key to preventing such losses • Segregation of duty in financial area is very important (2 stage banking authorization, by 2 individuals) 14 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  15. Case Study 2 A methadone clinic had a surveillance camera in the washroom to ensure urine samples provided were not tampered with. They had a simple wireless camera/receiver system installed that had three wireless cameras. Their receivers were connected to a single monitor with no recording devices attached. The images could only be monitored in real time by clinic staff. The system was not connected to a computer or internet. An individual pulled into the parking lot of the clinic and activated the back up camera in his vehicle and saw the images transmitted from the washroom. • IPC order was issued • The methadone Clinic disabled the system immediately and installed a closed circuit television cameras (CCTV) • College of Physicians of Ontario (CPSO) was notified about the breach • CPSO sent a memo to all clinics requesting them to dismantle the wireless surveillance camera 15 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  16. Case Study 3 An employee lost a USB key while walking from the main office building to the car. The employee reported the incident immediately and took a number of immediate steps to locate the missing memory stick. The USB key contained unencrypted confidential personal information of close to 85,000 patients who had received flu shots. In addition, it contained user IDs, passwords and security levels of the staff members who had access to a particular Data Collection System. • IPC order was issued: PHIPA Order HO-007 • Class Action: Rowlands v. Durham Region Health 2012 ONSC 3948 • Court approved a settlement whereby each class member would be compensated for demonstrable economic harm as determined by an adjudicator • Class counsel were awarded $500,000 for costs & disbursements 16 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  17. “… cyber threats are both a relatively new and constantly evolving source of risk, many organizations may not be as effective at managing cyber threat risk” Deloitte, 2013 17

  18. Risk management strategies - Governance • Security starts at the top – cyber risk should be part of the Integrated Risk Management (IRM) program • Build in accountability for information security across the organization from frontline to executive staff • Ensure the information security function is visible (Senior management accountability and board engagement) • Employ Privacy by design (PbD)* strategies when deploying new strategic projects, processes, systems and information technology solutions *Information and Privacy Commissioner of Ontario 18 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  19. Information Security Strategies Monitoring Operational Best Access & logging policies Privacy controls practices Strong Sensitive Application Network vendor(s) Information security security Business Physical Penetration continuity security tests Back-ups (DRP) Third party Cryptographic Legislative TRA, PIA, contracts controls compliance & OWASP PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  20. Risk controls - at minimum • Deploy appropriate anti-virus and firewall(s) solutions – monitor virus and threat notifications • Monitor and deploy security patches and upgrades in a timely manner • Design and implement user access controls based on individual’s roles/duties • Enforce strong password policy (e.g. minimum 9 characters long with one symbol, letter and number, avoid vulnerable words in the password, etc.) 20 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  21. Risk controls - at minimum • Minimize the use of portable storage devices and adopt encryption practices • Methodically clear out the data storage when donating, replacing, distributing and disposing owned and leased electronic devices • Turn on audit functions for all applications, servers, etc. and review/audit user access rights, audit logs of systems containing sensitive information and network access logs regularly • Proper physical security (i.e. authorized access to server room – access cards) should be in place 21 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

  22. Risk management strategies • Embed best information security practices into the organization’s culture and monitor compliance (i.e. policy/procedures/protocols and training) • Execute strong privacy, confidentiality and data sharing agreements with vendors, partners, third party service providers, etc. • Conduct Threat and Risk Assessment and Privacy Impact Assessment – on new systems as well as existing systems 22 PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2019 Healthcare conference Navigating the changing & challenging risk landscape David

2019 Healthcare conference Navigating the changing & challenging risk landscape David

Technology and Cyber 2019 Healthcare conference Navigating the changing & challenging risk landscape David Legassick AVP Head of Tech, Cyber and Life Science Technology risk perception shifting Common Exposures: The use of everyday

121 views • 8 slides
Healthy Approach to Cyber Security : For data-intensive healthcare, cyber security is integral to

Healthy Approach to Cyber Security : For data-intensive healthcare, cyber security is integral to

1 Healthy Approach to Cyber Security : For data-intensive healthcare, cyber security is integral to innovation Sallie Sweeney KPMG The healthcare industrys evolution toward a true value based system, assuming responsibility for complex

797 views • 10 slides
Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT

Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT

Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT ITY How cyber is becoming a key aspect of the ubiquity generation. CYBER SUMMIT More to come 3 2018 Deloitte Cyber Risk Services 4 2018

514 views • 19 slides
Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management Association Date: August 18, 2016 Agenda An Overview of Cyber Risk Exposures 1. Legal & Regulatory Trends 2. Marshs Cyber Risk Management

649 views • 31 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR

Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR

Presenting a live 90-minute webinar with interactive Q&A Data Breaches in Healthcare: Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability THURSDAY, MARCH 24, 2016

795 views • 76 slides
Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to prepare for Cyber Risk: 3 2 1 Understand the tech & Cyber insurance Focus on company interconnected risks culture 2 Policy: Protection &

774 views • 18 slides
Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Introduction Systemic Risk Cyber as systemic Conclusion Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics www.systemicrisk.ac.uk June 10 th 2016 Introduction Systemic Risk Cyber as systemic

351 views • 24 slides
Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino, CSG International Cindy Stevens, Colorado Springs Utilities Agenda What is Cyber Insurance Overview of Cyber Risk Quantifying Cyber

508 views • 23 slides
PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models Advisens Data Assets CYBER RISK MODELS Cyber Case Count over Time Cyber Cases Entered per Day Case Type Composition Total : 21,817 Distribution

967 views • 51 slides
CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview 1. What is at risk? 2. Global industry trends 3. BDO/AusCERT survey 4. Recent cyber case studies 5. Cyber risk mitigation strategies Page

481 views • 35 slides
Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at

Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at

Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of todays webinar Many Thanks to our Sponsor! About Advisen Advisen

530 views • 39 slides
in the Health Care Industry To More Effectively Manage Cyber Security Risk August 4, 2017 Secure

in the Health Care Industry To More Effectively Manage Cyber Security Risk August 4, 2017 Secure

Adopting Continuous Diagnostics and Mitigation (CDM) in the Health Care Industry To More Effectively Manage Cyber Security Risk August 4, 2017 Secure Ops vs Security Ops 1 Healthcare has HIPAA HITECH HITRUST So Why Should We

337 views • 13 slides
Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The Evolution of Cyber Insurance Is Cyber Risk Already Insured? Cyber And Data Protection Is Not Just An IT Issue Case Study Cyber Risk Stakeholders The

1.03k views • 8 slides
Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies

Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies

Cambridge Centre for Risk Studies Advisory Board Research Showcase 24 January 2017 Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies Largest Cyber Data Exfiltration Event: Yahoo August 2013

296 views • 18 slides
DEVONSHIRE COUNTY SANITATION DISTRICT HARBOR INDUSTRIAL SEWER MAINTENANCE DISTRICT SCENIC HEIGHTS

DEVONSHIRE COUNTY SANITATION DISTRICT HARBOR INDUSTRIAL SEWER MAINTENANCE DISTRICT SCENIC HEIGHTS

DEVONSHIRE COUNTY SANITATION DISTRICT HARBOR INDUSTRIAL SEWER MAINTENANCE DISTRICT SCENIC HEIGHTS COUNTY SANITATION DISTRICT Information on Proposed Sewer Service Rate Increases for Fiscal Years 2020-21 through 2022-23 To be Considered by the

409 views • 29 slides
Easy Stations Award Scheme organised by Railfuture East Anglia Presentation to Suffolk Rail

Easy Stations Award Scheme organised by Railfuture East Anglia Presentation to Suffolk Rail

Easy Stations Award Scheme organised by Railfuture East Anglia Presentation to Suffolk Rail Conference September 2016 By Philip Smart of Railfuture www.railfuture.org.uk @Railfuture Easy Stations Award Scheme key features Funded by

251 views • 8 slides
Coordinated Highways Action Response Team PANEL 3: EVENT RESPONSE TOOLS YOU CAN USE AT

Coordinated Highways Action Response Team PANEL 3: EVENT RESPONSE TOOLS YOU CAN USE AT

Coordinated Highways Action Response Team PANEL 3: EVENT RESPONSE TOOLS YOU CAN USE AT YOUR AGENCY Richard R. Dye CHART Systems Administrator Maryland State Highway Administration I-95 CORRIDOR COALITION SIGNIFICANT EVENTS RESPONSE

519 views • 24 slides
Covansys Technologies LLC A Trusted Partner in Wireless Network & IT Security Solutions The

Covansys Technologies LLC A Trusted Partner in Wireless Network & IT Security Solutions The

Covansys Technologies LLC A Trusted Partner in Wireless Network & IT Security Solutions The Demand for high bandwidth and stable reliable connectivity is on the rise. Enterprises are faced with challenge of meeting demand while remaining cost

350 views • 14 slides
DakotaLink Program - Dave Assistive Technology Program for Scherer the State of South Dakota

DakotaLink Program - Dave Assistive Technology Program for Scherer the State of South Dakota

DakotaLink DakotaLink Program - Dave Assistive Technology Program for Scherer the State of South Dakota DakotaLink is a program of the South Dakota Department SILC 06-24-15 of Human Services, Division of Rehabilitation Dave Scherer Patrick

430 views • 4 slides
Wastewater Department Denton City Council Department Presentation 1 Wastewater Department

Wastewater Department Denton City Council Department Presentation 1 Wastewater Department

Wastewater Department Denton City Council Department Presentation 1 Wastewater Department FTEs By Functional Area FTEs By Functional Area FY 2014-15 FY 2015-16 FY 2016-17 FY 2017-18 Actuals Actuals Budget Proposed Administration

440 views • 10 slides
Public Kick-Off Meeting Project Location Okeechobee Road (US 27/SR 25) from SR 997/Krome Avenue

Public Kick-Off Meeting Project Location Okeechobee Road (US 27/SR 25) from SR 997/Krome Avenue

July 12 th , 2012 Public Kick-Off Meeting Project Location Okeechobee Road (US 27/SR 25) from SR 997/Krome Avenue to NW 79th Avenue Miami-Dade County, FL 2 Project Purpose and Need Implement roadway improvements that will enhance safety

588 views • 27 slides
On the issue of LQG embedded control realization in a Maglev system MED2017 Kyriakos M.

On the issue of LQG embedded control realization in a Maglev system MED2017 Kyriakos M.

Introduction Sensor selection and FIL LQG Architecture Results analysis Conclusions and Future works On the issue of LQG embedded control realization in a Maglev system MED2017 Kyriakos M. Deliparaschos 1 , Konstantinos Michail 2 ,

507 views • 15 slides

More recommend