Putting data security at the top table
How healthcare organisations can manage information more safely
www.pwc.com/global-health
June 2013
PwC
Agenda
1. Findings from 16th annual CEO Survey
2. New ways of working together
3. Compliance and business risks
4. Increase in health hacking
5. Creating business value
6. What is stopping healthcare organisations from making their data more secure?
7. On the path to better data protection
Only 24% of healthcare CEOs worry about their inability to protect intellectual property and customer data (versus 34% of the overall sample).
Source: PwC, ‘Dealing with disruption: How healthcare CEOs are creating resilient organisations’ (February 2013).
Yet healthcare respondents are confident in their security practices
42% of healthcare provider respondents say their organisation has a strategy in place and is proactive in executing it — exhibiting two distinctive attributes of a leader.
[Chart: healthcare provider respondents’ self-appraisal, 2011 versus 2012, across four groups]
• Front-runners: “We have an effective strategy in place and are proactive in executing the plan”
• Strategists: “We are better at ‘getting the strategy right’ than we are at executing the plan”
• Tacticians: “We are better at ‘getting things done’ than we are at defining an effective strategy”
• Firefighters: “We do not have an effective strategy in place and are typically in a reactive mode”
Source: PwC, The Global State of Information Security® Survey 2013
A reality check on real leaders
[Chart: all healthcare provider respondents (100%) versus healthcare provider leaders (6%)]
But are they really leaders? We measured healthcare provider respondents’ self-appraisal against four key criteria to define leadership. To qualify, they must:
• Have an overall information security strategy
• Employ a CISO or equivalent who reports to the “top of the house” (e.g., to the CEO, CFO, COO, or legal counsel)
• Have measured and reviewed the effectiveness of security within the past year
• Understand exactly what type of security events have occurred in the past year
The result? Our analysis found that 6% of healthcare provider respondents rank as leaders.
Source: PwC, The Global State of Information Security® Survey 2013
Since September 2009, in the US alone, there were 571 security breaches affecting 500 patients.
Source: PwC, ‘Dealing with disruption: How healthcare CEOs are creating resilient organisations’ (February 2013).
The shift from the traditional fee-for-service model to value-based purchasing has huge implications for the healthcare industry
[Diagram: fee for service → fee for outcomes]
Evolving healthcare ecosystems are increasingly dependent on information exchange
[Diagram: business trends and technology trends for each ecosystem participant: patients, providers, payers, regulators and pharma (R&D, co-market, manufacturing)]
Business trends:
• New Generation Sales Targeting/Segmentation Models
• Customer “Pull” Strategies – Multi-Channel
• Closed Loop Marketing and Medical Interaction
• Key Opinion Leader Management (Compliance)
Technology trends:
• Customer Data Integration and Master Data
• Social and Mobile deployment/provisioning
• E-Marketing CoE
• PHRs/EHR Longitudinal Data
• Remote monitoring / telemedicine
Business trends:
• Negative public opinion
• Patients demand medical information
• Adverse Event Management
Technology trends:
• Social Media Services
• DTC Channel Optimisation
• Text-Mining Services
• Access to outcomes-based data
Business trends:
• “Buy the Pipeline” – Pipeline Optimisation
• Form Dynamic Alliances – B2B Exchange Models
• Externalisation of R&D
• R&D efficiency and effectiveness
• Intellectual property risks in emerging markets
Technology trends:
• “Plug and Play” partners – Federated Identity
• Research/External Collaboration
• Clinical Data Exchange and Analytics
• On-demand / high-volume computing
• In Silico Trials
Business trends:
• Patient longitudinal data
• Consumer Directed Health Plans (CDHPs)
• Healthy Lifestyle Incentives
• Access to outcomes-based data
Technology trends:
• EHR for Data Standardisation
• Data Exchange Services
• Compliance and diagnostic information
• Master data and data integration
Business trends:
• Multi-national electronic submission
• Regulation of promotional content
• State-level regulation
• Reimbursement regulations
• Device/drug efficacy and safety
Technology trends:
• Data “abstraction” layer
• Unified, standards-based integration
• Enterprise document/content management
Technology adoption is moving faster than security implementation.
As with many industries, healthcare is struggling to keep pace with the adoption of cloud computing, social networking, mobility, and use of personal devices. These new technologies often are not included in overall security plans even though they are widely used. In a recent survey, for instance, we found that 88% of consumers use a personal mobile device for both personal and work purposes.1
[Chart: share of respondents with a cloud security strategy, a mobile device security strategy, a social media security strategy, and a security strategy for employee use of personal devices on the enterprise, 2011 versus 2012]
Source: PwC, The Global State of Information Security® Survey 2013
1 PwC, Consumer privacy: What are consumers willing to share? July 2012
Information security is complex and companies must assume a state of compromise
[Diagram: technology reliance/complexity plotted against time, from client/server computing to pervasive consumerisation]
• 1980s, “Perimeter Security”: focus on security technology for the perimeter
• 1990s, “Layered Security”: focus on enhanced layers of security, adoption of incremental security solutions
• 2000s, “Inclusion & Exclusion Security”: heavy focus on identity management – right people, right place, right access
• 2010+, “Resilient Cyber Security”: assumed state of compromise
  • Significant and evolving cyber threats unlike ever before
  • Highly skilled/motivated, and yet patient adversaries, including nation states
  • Increasing speed of business, digital transformation, and hyper connectivity across supply chain and to customers
  • Massive consumerisation of IT and reliance on mobile technologies
  • Increasing regulatory compliance requirements (e.g., SEC Cyber Guidance)
  • Unprecedented collaboration with patients, partners, payers and providers
Regulations governing the protection of personal data are getting tougher
• United States: January 2013, HIPAA is modified to extend privacy and security requirements
• European Union: January 2012, unveiled plans for a single set of rules that takes into account technological advances and harmonises practices among member states
• Asia: India, Malaysia, South Korea and Taiwan recently passed new cyber security laws. China published a draft national standard that is still to be enshrined.
• Latin America: 11 countries in Latin America have enacted data privacy legislation
Regulation and safeguarding of information are the top challenges for healthcare organisations
Healthcare providers identified the top five security issues they face this year. Given increased global regulation and regulatory audits of patient data, it comes as no surprise that regulatory requirements top the list.
[Chart: top five security issues by share of healthcare provider respondents (24% to 35%): regulatory requirements; monitoring of access and information use; identity theft and loss of patient/individual information; encryption in storage and in transit; EHR/PHR access controls and identity management]
Source: PwC, The Global State of Information Security® Survey 2013
Business risk themes include loss of IP and the potential for inadequate care
Information Risk Themes
Threats:
• Activists
• Unintentional and malicious insider
• Hacker, thief and sophisticated malware
• Malicious collaborator/partner
• Nation states
... exploit vulnerabilities resulting in:
• Loss of patient and employee sensitive information
• Loss of sensitive clinical trial information and IP
• Internet distributed denial of service (DDoS)
• Stolen corporate sensitive information (drug pipeline/emails)
• Integrity of manufacturing operations
... causing (potential impact):
• Brand damage
• Competitive disadvantage
• Non-compliance with applicable regulations
• Loss of market share
• Financial loss
• Operational impairment
Modern attacks are stealthy, persistent, and sophisticated
1. Phishing, zero-day attack, drive-by downloads: users fall victim to phishing, removable media or drive-by downloads containing a zero-day payload
2. Malware installed: malware is covertly installed on the user’s machine; the malware pulls additional malware
3. Privilege escalated: the attacker is able to remotely control the user’s machine and to elevate privilege
4. Multiple systems infected: the malware infection spreads to other systems or SCADA/PLC devices; systems become part of the attacker’s command and control apparatus
5. Data gathering: sensitive data is prepared and staged for remote transmission; user credentials are harvested
6. Sensitive information stolen: encryption is used to transmit sensitive information to remote systems of the attacker’s choice
Reported security incidents are on the rise
The most numerous category of reported security incidents – 50 or more per year – is the fastest growing among healthcare providers. The number of respondents that experienced 50 or more incidents in 2012 increased by 50% over the year before and 200% over 2010. One in five respondents do not know the number of incidents, an uncertainty that suggests ineffective security practices.
Share of healthcare provider respondents by number of security incidents reported:
Number of incidents   2010   2011   2012
None                   23%    31%    31%
10-49                   7%     8%     8%
50 or more              4%     8%    12%
Do not know            36%    19%    21%
Source: PwC, The Global State of Information Security® Survey 2013
Threats from insiders – including current and former employees – are increasing
Security incidents attributed to current employees are at the highest level in years, as are those attributed to former workers. Also, more respondents point the finger at service providers/consultants/contractors this year.
Share of respondents attributing security incidents to each source:
Source of incident                              2009   2010   2011   2012
Current employees                                32%    36%    36%    39%
Former employees                                 17%    18%    23%    24%
Partners / suppliers                              6%     6%    12%    11%
Service providers / consultants / contractors     6%     6%     6%     9%
Source: PwC, The Global State of Information Security® Survey 2013
Cyber security is not just about blocking and tackling; it is also about creating business value
Grow the business:
• Deploy services quickly
• Improve user experience
• Expand partner eco-systems
• Embrace mobile users
Improve efficiency:
• Automate security processes
• Adopt cloud models
• Expand virtualisation – securely
• Improve collaboration
Protect the business:
• Combat threats
• Protect sensitive information
• Govern solutions
• Control access
Inadequate budget and other roadblocks
A lack of adequate funding, both capital and operating, was cited by 53% of healthcare provider respondents as the primary roadblock to effective security. One in five respondents say top leadership – the CEO, President, or Board – is an impediment to improved security.
2012
Insufficient capital expenditure 27%
Insufficient operating expenditure 26%
Absence or shortage of in-house technical expertise 24%
Leadership – CEO, president, board or equivalent 20%
Lack of actionable vision or understanding 19%
Leadership – CIO or equivalent 10%
Leadership – CISO, CSO or equivalent 10%
Source: PwC, The Global State of Information Security® Survey 2013
How to be an Information Security Leader
1. IT Audit: Assess your current IT system for strengths and weaknesses.
2. Security is Strategic: Have an overall information security strategy that includes employee user access and patch management policies, and have a process in place to review and prioritise information risks.
3. Manage Security Portfolio: Assess security investments as a portfolio consisting of a) keep-the-lights-on (KLO), b) strategic and c) option-creating initiatives.
4. Board-Level Visibility: The “top of the house” keeps information security on the agenda and has visibility into the state of information security.
5. Security is Everyone’s Business: Elevate information security from an IT-only to an enterprise-wide topic with commitment from business and operations. Communicate your data security policy to all employees and stakeholders.
6. Risk Based: Understand the types and impact of security events that have occurred in the past year; measure and review the effectiveness of security every year.
For more information, please contact:
Australia: Klaus Boehncke, +61 2 8266 0626
Canada: William Falk, +1 416 687 8486
China/HK: Mark Gilbraith, +86 21 2323 2898
Finland: Karita Reijonsaari, +358 (0) 9 22800
Germany: Robert Paffen, +49 89 5790 6025
India: Dr. Rana Mehta, +91 124 330 6006
Italy: Andrea Fortuna, +2 66 720 547
Japan: Yasushi Tabuchi, +81 80 3710 4138
Mexico: José Alarcón, +52 55 5263 6028
Netherlands: Otto Vermeulen, +31 (0) 887926374; Cokky Hilhorst, +31 (0) 8879 27384
South Africa: Diederik Fouche, +27 11 797 4291
Sweden: Jon Arwidson, +46 (0) 10 213 3102
Switzerland: Axel Timm, +41 (0) 58 792 2722
United Kingdom: Sunil Patel, +44 (0)207 212 3484
United States: Daniel Garrett, +1 267 330 8202; Peter Harries, +1 213 356 6760
© 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.