Presentation by Mary Alice Annecharico, former CIO, Henry Ford Health System: Cyber Risk in Healthcare. Some of the issues discussed include Building a Culture of Confidentiality, Executive leadership engagement, Board of Director sponsorship, Institutional Stressors that encircle all cyber-risk issues, the Clinical mission, CMS cuts, Revenue downturns, budget cuts, availability of funding for priorities. Assessing and Managing Cyber-risk, etc.

1. Cyber-risk in Healthcare – Being Battle Ready
Mary Alice Annecharico
MS. RN, FHIMSS
Henry Ford Health System CIO, (Retired)
March 15, 2018
Henry Ford Innovations Series

2. Agenda
• Overview of HFHS
• Building a Culture of Confidentiality
• Executive leadership engagement
• Board of Director sponsorship
• Institutional Stressors encircle all cyber-risk issues – the Clinical
mission, CMS cuts, Revenue downturns, budget cuts, availability of
funding for priorities. Etc.
• Assessing and Managing Cyber-risk

3. , Dialysis, and Hospice

4. Who Makes up the Security Business?

5. A Recent CIO’s Perspectives
• We have created a culture of confidentiality, transparency, collaboration,
and improvement.
• A Traverse City, Michigan based research group concluded that the average
cost of a healthcare breach, worldwide, is in excess of $363 per exposed
personally identifiable record. In the U.S. healthcare industry, the average
cost was $398.
• There is something inherent in the human condition that says health
information is some of our most private information. The other risk piece is
the damage that could be done with personal information for identity and
medical identity theft.

7. According to The Advisory Board– Major Threat Vectors
What Is Henry
Ford Health
System Doing
to Address
these
Threats?

8. Perceived Threats
• Breach or data leakage
• Ransomware
• Credential stealing malware
• Malicious insiders (trusted access by employees)
• Wiper malware
• Denial of service attacks
• Website backdoors
• Theft of hardware, devices, etc. (physical theft)
• Supply chain integrity of software, hardware, devices, etc.
• Patient Safety with Medical device data integrity
• Fire, flash flood, or natural hazard

9. Circle Square | Digital Health Trends |Source: Accenture; Taking the Pulse Report

10. 2018 HIMSS Cybersecurity Survey Summary (1 of 3 HIMSS)
Threat actors responsible for recent significant security incidents have been
generally characterized as online scam artists (29.6%), negligent insiders (16.4%),
and hackers (15.9%)
Number /percent
• Online scam artist (e.g., phishing, spear phishing) 56 37.6%
• Negligent insider (well-meaning but negligent individuals with trusted access
who may facilitate or cause a data breach or other cyber incident)
31 20.8%
• Hacker (e.g., cybercriminal, script kiddie, or other bad actor)
30 20.1%
***
Initial point of compromise is most often e-mail (e.g., phishing e-mail) for recent
significant security incidents

11. HIMSS summary survey findings (2 of 3)
5 Biggest barriers for remediation and mitigation of cybersecurity
incidents: Personnel and financial resources
• lack of appropriate cybersecurity personnel (52.4%), ??
• lack of financial resources (46.6%),
• too many application vulnerabilities (28.6%),
• too many endpoints (27.5%), and
• too many emerging and new threats (27.0%)

12. Cyber Threat Intelligence Sources for Healthcare (3/3 HIMSS)
• Peers and Affiliated Security Advisories (word of mouth)
• US CERT alerts and bulletins
• HITRUST
• NIST National Vulnerability Database
• SANS resources
• Third party vendor (healthcare specific)
• FBI-DHS Joint Indicator Bulletins (JIBs)
• US DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• US DHS and HHS National Cybersecurity and Communications Integration Center (NCCI
• National Health Information Sharing and Analysis Center (NH-ISAC)
• HIMSS resources (e.g., monthly healthcare and cross-sector cybersecurity reports, etc.)

13. Henry Ford’s Overall Approach

14. HFHS’ Comprehensive Approach to Managing Risk
• Centralized Network Security Services
• Security awareness and training program(s)
• Documented Cybersecurity policies and procedures
• Inventory of assets and access controls
• Physical security
• SOC Services * -Operating expense
• Engaging Leadership and the Board – an Imperative
• Monitoring evolving technologies that address security – e.g.,
blockchain

15. Service Organization – Team Processes
• Cybersecurity roles and responsibilities – members developed with core competencies and certification training
• Data Governance and Organization Structure
• Data Loss Prevention and Incident response -*
• Communication– Organizational website, departmental meetings and education, and Security Advisory;
annual mandatory education
• Risk Assessment, Planning and Management and Incident response
• Assess and Evaluate Risk: in Clinical (EHR and Medical devices), Business and Financial systems
• Third party risks – vendor assessments, contracts and internal threat posture prior to acquisitions
• Planned Penetration testing – servers, websites, databases, applications, workstations, mobile
devices, physical security
• Risk assessment and management with tabletop exercises
• Business continuity and disaster recovery

16. Assessment of Cyber Risk
Image from Novant Health

17. According to Deloitte’s Risk Assessment helped to
set the tone for managing risks.
Organizations Must:
Set risk appetite and drive focus purpose and
direction. Clearly articulate cyber risk appetite
and strategy.
Define the right balance between threat-centric
vs. compliance-centric programs. Fully integrate
cyber risk management into IT design, not
quality control.
Break down silos. Cyber risk is an enterprise-level
issue. Lack of information-sharing is a top
inhibitor for effective risk management.
Be creative about cyber risk awareness. Your
weakest link is the human factor. Prepare for
cyber attacks by conducting war games,
penetration tests, and exercising the cyber
incident response plans.
There is not enough talent to do everything in-
house, so take a strategic approach to sourcing
decisions.
Incentivize openness and collaboration. Build
strong relationships with partners, law
enforcement, regulators, and vendors.
CyberSecurity Health Plan Sector 2015

18. 18
• Cyber incidents are serious business crises that impact broader
business objectives for organizations across industries.
• The ability to promptly respond to and recover from cyber incidents
is a top issue for senior executives and board members.
• The need for speed to react to cyber incidents is critical to
organizations.
• Cyber incidents impacting consumer confidentiality and economic
stability are drawing increased regulatory scrutiny.
• The complexity of corporate eco-systems, including suppliers and
partners, increases the difficulty of recovery following cyber
incidents.
• Accurate and timely information and intelligence is critical in
making time-sensitive decisions to recover essential business
functions.
• Having an Incident Response plan is not enough – the plan must
be understood and exercised across the entire organization,
including business leaders.
The need to detect, respond and recover has
never been greater
Cyber security is more than a
technology problem.
For many health care
organizations, cyber incident
occurrences aren’t a question
of "if,” but "when.”
This reality makes developing
effective response strategies a
critical imperative for any
business.
Deloitte LLP

19. Security Frameworks
• NIST
• HITRUST
• Critical Security Controls
• ISO 7
• COBIT

20. Security Program Objectives
• Acts as a single True North
• Acts as a translation layer
• Reduces complexity
• Enables a proactive approach
• Addresses “root cause”
• Adds context
• Enables efficient management of limited resources
• Provides a sustainable approach
• Enables systematic risk mitigation
• Enables alignment with the business
Customers
Exceptional
Experience
Affordable,
Efficient Care
Safest Care &
Best Outcomes
Compassionate,
Commited
People

21. From Circle Square | Digital Health Trends | Black Book Resources
RECOGNIZING GLOBAL INTERESTS TO DEVELOP SOLUTIONS:

22. Circle Square | Digital Health Trends / Source

23. Circle Square | Digital Health Trends/ Source: Logos are linked to company websites and text boxes linked to story sources |

24. Why Do Investment Decisions Take SO Long?
• Lots of perceived extra steps
• Small Start Up and Vendors willingness to bring ideas to the market
• End User desires
• Due Diligence
• Security risk assessments
• Supply Chain involvement
• Governance Protocols for decision making
• Legal – Contract and Risk Reviews
• Patient Safety and Quality outcomes Assessments
• Integration Assessments – workflow is KING
• ROI and degree of Impact considerations
• Investment priorities with no Discretionary local funds

25. MS, RN, CIO, Retired
Q&A