Tuesday, March 24, 2015

Healthcare GRC and Social Engineering

There is some debate over whether or not the CHS, Anthem and Premera data breaches were the result of "sophisticated" attacks. The jury is still out, but cautious journalists are using quotation marks to indicate that this explanation is not universally accepted. Regardless of the sophistication of these attacks, attacks they certainly are, and healthcare organizations should be prepared for the onslaught to continue, because healthcare data breaches are so lucrative. They have to assume they are being targeted by criminal hackers for fun and profit.

Maybe former Intel CEO Andrew S. Grove's book title got it right: only the paranoid survive. Perhaps healthcare organizations could learn from their corporate antitheses, the tobacco companies, who have many enemies, but are protected by a culture of hardened security.

There is certainly room for technological solutions to help manage risk, but we must recognize that the most frequent cause of data breaches is human behavior. (According to Verizon's 2013 Data Breach Investigations Report, 76% of network intrusions exploited weak or stolen credentials -- in other words, bad passwords or passwords that got into the wrong hands.) The biggest risk to the security of your data is your people. No amount of monitoring with sophisticated technology can protect your data from bad decisions by people on your network.

Let's not forget the subtitle of Grove's book: How to Exploit the Crisis Points that Challenge Every Company and Career. The threat to data is also an opportunity to establish a culture of data governance. In such a culture, the value of data is recognized, and human behavior is shaped by this recognition.

Human behavior is a critical factor, because social engineering is the usual route by which malware, and the weaknesses an attacker introduces with it, get into your network. Malware protection on your systems is essential, but it is equally important that your people know what not to click.

A strong governance, risk management and compliance (GRC) culture fights social engineering with social engineering.

If healthcare organizations can learn to fend off the cyber attackers, they will be in a better position to fend off the lawyers bearing class action law suits.

Monday, March 16, 2015

Pentagon EHR System Upgrade Contract Said to Be Worth $11 Billion

The U.S. Department of Defense has narrowed the field to three contenders for the estimated $11 billion upgrade to the DoD EHR:
  • Computer Sciences Corp., HP, and Allscripts
  • Cerner, Leidos, and Accenture Federal
  • IBM, Epic, and Impact Advisors

The winning EHR company will certainly benefit greatly, both from the DoD, and in the healthcare sphere in general, but I'm sure the other two will also benefit from the vote of confidence on their ability to deliver EHR capable of achieving Meaningful Use.

Numerous challenges have been noted by the bidders:
  • Interoperability - Allscripts senior vice president of sales Dean Mericka says interoperability will lead to personalized precision medicine and improved telemedicine.
  • DoD mission and culture - Cerner Federal VP and general manager Travis Dalton notes that the task goes far beyond bringing a set of tools. The winning vendor will have to adapt to the DoD's culture, philosophy and mission.
  • Scalability - Epic U.S. federal and global services executive Leslie Karls indicates the scalability of the solution is key.

Those are just the EHR perspectives. The IT and infrastructure challenges present a whole other level of difficulties.

Read more at FierceEMR.

Thursday, March 12, 2015

New Case Study - Redevco B.V.

Established in 1999 to manage the real estate investment activities of the venerable Dutch C&A fashion retail chain, Redevco B.V.'s portfolio includes 450 properties at top locations in major cities across Europe, with tenants including many major national and multinational retail companies.
Redevco implemented the APOS Publisher solution to handle invoice publishing after moving invoice creation from Desktop Intelligence to Web Intelligence.

Check out the new APOS case study on Redevco to find out how they re-engineered their invoicing workflow with APOS Publisher.


Monday, February 23, 2015

Was the Anthem Data Breach "Sophisticated"?

Anthem CEO Joseph R. Swedish apologized to Anthem members as soon as the data breach, which Anthem dates to December 2014, was made public in February 2015, saying "Anthem was the target of a very sophisticated external cyber attack." Swedish continued, in what may become a model for such apologies:
Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.

It's a nice trick to have the CEO of a major healthcare payer -- a man whose total compensation package for fiscal 2013 was $16,979,927 -- come across as one of us, just another victim of cybercrime.

But was the Anthem hack really a sophisticated attack?

Dan Munro at Forbes quotes security analyst Ken Westin:

Because it was clearly pre-meditated and because the attackers spent time identifying the vulnerabilities, it definitely qualifies as well executed, but once the initial intrusion was successful, they didn’t have too far to look. By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time.
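Westin's point about admin credentials and encryption is worth making concrete, because "the data was encrypted" is the first thing a board hears and the last thing that matters once an attacker is logged in as the DBA. The Python script below is an added illustration, not code from this post or from Anthem's systems. It assumes a single `members` table with an SSN column, uses an in-memory SQLite database in place of a production database, and models transparent (at-rest) encryption as plaintext columns, since that is exactly what any authenticated session sees regardless of what the storage layer does to the file on disk. The cipher is a toy HMAC-SHA256 counter-mode keystream (unauthenticated), chosen only because it needs no third-party package; real code should use AES-GCM from a vetted library, with the key held in an HSM or KMS rather than the fixed demo key used here.

```python
"""
Added illustration (not from the original post or Anthem's systems).

Why an attacker holding database admin credentials is not stopped by
"encryption": it depends on where the key lives.

  transparent (at-rest) encryption   -> the storage layer decrypts for every
                                        authenticated session; an admin SELECT
                                        returns plaintext.
  application-layer field encryption -> the key stays with the application
                                        (an HSM/KMS in production) and never
                                        reaches the database; the same admin
                                        SELECT returns ciphertext only.

Assumptions: a single `members` table with an SSN column; SQLite in memory
stands in for the production database; the cipher is a toy HMAC-SHA256
keystream in counter mode (unauthenticated), chosen only because it needs no
third-party package -- use AES-GCM from a vetted library in real code.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows; the SSNs are not real.
SAMPLE_MEMBERS = [("Ada Member", "078-05-1120"), ("Bob Member", "219-09-9999")]
# Fixed demo key so the example is reproducible; production keys come from a KMS.
DEMO_KEY = bytes(range(32))
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream); a fresh nonce per field."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_field: split off the nonce and XOR the keystream back."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def build_transparent_db() -> sqlite3.Connection:
    """Model of transparent data encryption: the file on disk may be encrypted,
    but every authenticated query sees plaintext columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, ssn TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return db


def build_app_encrypted_db(key: bytes) -> sqlite3.Connection:
    """Application-layer encryption: only ciphertext ever reaches the database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, ssn BLOB)")
    rows = [(name, encrypt_field(key, ssn.encode())) for name, ssn in SAMPLE_MEMBERS]
    db.executemany("INSERT INTO members VALUES (?, ?)", rows)
    return db


def admin_dump(db: sqlite3.Connection) -> list:
    """What an attacker with database admin credentials gets: a plain SELECT."""
    return db.execute("SELECT name, ssn FROM members").fetchall()


def app_read(db: sqlite3.Connection, key: bytes) -> list:
    """What the application (which holds the key) gets from the same rows."""
    return [(name, decrypt_field(key, blob).decode()) for name, blob in admin_dump(db)]


def plaintext_leaked(rows: list, secret: str) -> bool:
    """True if the secret appears verbatim in any dumped column value."""
    needle = secret.encode()
    for _, value in rows:
        haystack = value if isinstance(value, bytes) else str(value).encode()
        if needle in haystack:
            return True
    return False


if __name__ == "__main__":
    print("transparent, admin view  :", admin_dump(build_transparent_db()))
    encrypted = build_app_encrypted_db(DEMO_KEY)
    print("app-encrypted, admin view:", admin_dump(encrypted))
    print("app-encrypted, app view  :", app_read(encrypted, DEMO_KEY))
```

Running it shows the admin query against the "transparent" table returning SSNs in the clear, while the same query against the application-encrypted table returns opaque blobs that only the key-holding application can turn back into records. Two caveats a practitioner should keep in mind: the attacker still sees names, row counts and every column you chose not to encrypt, and can still exfiltrate the ciphertext to attack later; and key separation only helps if the application tier holding the key is not compromised too. That is why the other half of Westin's observation matters: someone noticing an admin account issuing bulk queries it never normally issues is a control, not luck, if you build the monitoring for it.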

There is some speculation that the initial intrusion at Anthem occurred much earlier than the December 2014 date Anthem gave, perhaps as early as April 2014, and that it was made possible by the Heartbleed bug.

Munro also discusses the earlier CHS and Sony hacks, noting that they too were described as sophisticated or "unprecedented" attacks, and that numerous security analysts had thrown cold water on those descriptions. Let's face it: no board of directors is going to say that they were victims of an attack that a five-year-old could have perpetrated. The PR front likely bears little resemblance to what is going on behind closed doors, where damage is being assessed, and governance, risk management and compliance are being reassessed.

There are always the nagging questions: What should you have known? When should you have known it? Did you exercise due diligence?


I once heard an auditor defined as the person who walks onto a battlefield after the battle is over and bayonets the wounded. I'm not sure that's an apt description of an auditor, but it's a pretty good description of the audited. 

Tuesday, February 10, 2015

Anthem Data Breach and Due Diligence

Anthem is the second-largest health insurance company in the US, and when they reported being hacked recently, it was estimated that the healthcare information (and identities) of 1 in 4 Americans was compromised -- that's more than 80 million. To put that in perspective, in the decade previous to this breach, the HHS "wall of shame" identifies approximately 40 million identities compromised in breaches. The Anthem breach alone compromises twice as many identities as every breach on that list combined.

The breach was detected on Jan. 27 and announced on Feb. 4. By Feb. 6, four lawsuits had already been filed against Anthem, alleging it "did not take adequate and reasonable measures to ensure its data systems were protected."

I mentioned in an earlier post that healthcare data breaches are quite lucrative for the criminal elements perpetrating or benefitting from them. I should also mention that data breaches in general are quite expensive to the organizations breached as well.

One estimate has Anthem on the hook for $100 million to $200 million just to fix vulnerabilities and repair damage done. However, costs may be much higher depending on whether Anthem can demonstrate due diligence. Most security experts regard data breaches as inevitable, but the investigation of a breach by regulatory authorities will judge whether Anthem did its best to prevent the breach and to minimize its impact. If it didn't, HIPAA enforcement comes into play. A finding against Anthem by the HHS Office for Civil Rights (OCR) could also open the door to more lawsuits.

In May, 2013, a study sponsored by Symantec and carried out by Ponemon Institute LLC estimated the cost of data breaches in the US to be approximately $188 per identity compromised. I'll let you do the math on that with regard to the Anthem data breach. Let's hope they can find economies of scale.

Of course, performing due diligence and demonstrating due diligence to an auditor are two different things. Whatever your regulatory requirements are, will you be ready for the auditor?

Wednesday, October 15, 2014

Migration Webinar Today - Web Intelligence Update

When: Wednesday, October 15, 2014, 10 am / 4 pm EDT
Guest Presenter: Gregory Botticchio, Solution Manager, SAP
Our migration webinar series continues as SAP's Gregory Botticchio joins us to provide an update on the latest news for Web Intelligence in SAP BusinessObjects BI 4.1. Gregory will discuss new and incremental features, and provide a glimpse into coming capabilities. Join us to learn about:
  • Performance improvements
  • New customization capabilities
  • Enhanced core capabilities

Wednesday, October 1, 2014

Webinar Today - Agile BI Platform Management at HP Enterprise Services

When: Oct. 1, 2014, 2 pm EDT - Today
Guest Presenter: Niladri Chowdhury, HP Enterprise Services
Register for the webinar. All registrants will receive a link to this and other recorded webinars.

Agility is now the defining quality for BI platform management, because the agile enterprise has become the norm, and an enterprise can only be as agile as its least agile component -- like the weakest link in a chain.

Niladri Chowdhury joins us today to discuss agile BI platform management at HP Enterprise Services, an enterprise that specializes in helping other enterprises achieve agility. The "always on" enterprise integrates mobility, connectivity and interactivity. "Always on" means 24/7, and if your business team is making decisions around the clock, your BI platform has to deliver on the same basis.

BI is central to enterprise decision making, but increasing volume and complexity make it increasingly difficult for BI platform managers and administrators to deliver on BI's promises. Everyone has heard the story of the frog in a pot of water that is slowly brought to a boil. The frog doesn't notice the increasing heat and is boiled alive. Being a BI platform manager can feel like that.

What's to be done? You can stand still and lower service levels; you can add resources; or you can look at strategies for achieving agile BI platform management. Join us today to see how HP Enterprise Services is employing the third option with the help of APOS well managed BI solutions.