2015 PHI Protection Network Forum - A Time “Before Target and After Target”

It is 10:33 am the day after attending the third annual PPN Forum in Orange, California on February 19, 2015. I am sitting in seat 26D at the back of Alaska fight 587 traveling home and reflecting on the highlights of the forum. The key message at the forum was that mega data breaches starting with Target in December of 2013 through the recent breach of up of to 80 million members of Anthem has created a “window of opportunity” for PHI Protectors to advance their cause of better PHI security.

Here are a few highlights from the day…

Dick Wolfe recognized with the first “PHI Hero” Award: The morning started with us honoring Dick Wolfe, a good friend and colleague with the first “PHI Hero” Award. Dick made a significant contribution to the protection of health information before his passing last November. Dick’s daughter, Melissa Johnson, was there to accept the award on her father’s behalf and said how much she really appreciated hearing about the important work her father did during his 30 year career and understanding how important his role was to protecting our health information.

Average Persistent Threat: Larry Clinton, President of the Internet Security Alliance set the tone for the conference highlighting the challenge PHI Protectors have in healthcare with investment down and the challenge of advanced persistent threats becoming the “Average Persistent Threat”. It is now commonplace for cyber criminals to use sophisticated methods and tools to attack and breach an organization’s security defenses. He said there are now only two kinds of organizations - those that know they have been breached and those that don’t know they have been breached. The reality is every organization is at risk of cyber-attack and breach of sensitive personal data, intellectual property, and other trade secrets.

Delineation now exists in time before the Target breach and after the Target breach: JD Sherry, VP Technology and Solutions from Trendmicro, asked each panelist which Looney Tune character best represented their role? The panelists all agreed it was the Wile E. Coyote because no matter what he tried, the Road Runner always got away. The bad guys always seem one step ahead of the good guys regardless of effort or technology they implement. JD asked how their jobs had changed over the past 24 months. A key point made by this panel was “we now refer to time as Before Target and After Target”. Dustin Wilcox, CISO at Centene said before Target, he met with his executive team for 15 minutes once a quarter, but after the Target breach, his board members and executives began calling him at home asking questions about how to avoid a Target-type breach and giving him the necessary resources to implement security initiatives faster.

Value of A Cyber Insurance Policy: David Finn, Health IT Officer from Symantec led his panel on a discussion of the legal and regulatory issues and consequences. The panelists highlighted the benefit cyber liability insurance can have in mitigating the financial impact of a breach. Kim Holmes, VP Product Development at One Beacon said one big mistake entities make is believing that their current general liability insurance policy covers cyber risk. Sean Hoar, Partner at Davis Wright Tremaine cautioned about knowing what is covered and what is not and whether the policy had specified vendors you had to use as part of the coverage. He commented that if if you already have a relationship with an attorney or breach services provider, the policy may exclude you from using them. Andrew Serwin also talked about when to use attorney client privilege to protect confidential information and suggested considering invoking this protection when doing a risk assessment in case this information discloses cyber risks an organization decides to accept.

4 Threats are Big Data, cloud, mobile, social media: Greg Bassett, VP of Service Delivery at Clearwater Compliance introduced his panel by stating the value of a information in a patient health record is worth 20 to 50 times of a social security number on the black market. Big Data, cloud computing, mobile (BYOD), and social media are what is keeping security and privacy professionals up at night. And on top of all of this risk, is “risk of the unknown.” Jerry Sto. Tomas, CISO Allergan, shared a story about a recent hostile takeover attempt to create a possible security breach. The panel shared that there is a shortage of security professionals available for hire in the market, creating more opportunity for risk.

What I Learned from Chinese Hackers: This panel focused on approaches to protecting PHI and was led by James Christiensen, VP of Risk from Accuvant. Eric Cornelius, Director of Critical Infrastructure and Industrial Control Systems at Cylance shared what he learned from hackers who use existing tools to breach a network. He said Chinese hackers will use the standard utilities that come prepackaged with Microsoft to gain access to a secure network. He also said that with zero additional investment, an entity could use these same free tools and do a better job of detecting a breach. Chris Strand, Sr. Director of Compliance at Bit9 and Stephen Bono, Principal at Security Evaluators also talked about the need to focus on the basics in cyber security - people, process, and tools.

San Diego Health Connect is proof there is value in sharing health information: Good news was shared by Dan Chavez, General Manager of San Diego Health Connect, a health information utility that connects providers, patient and Health Information Exchanges (HIE). Dan believes that the success his health information exchange is based on creating a platform with federated data that improves health quality outcomes. He stressed that all the stakeholders including major provider systems, government agencies, and business associates agreed to play by the same rules, which fosters information exchange without competition.

The common enemy between doctors and CISOs is the compliance officer: When Dr. Jay Smith was asked how PHI Protectors could do a better job engaging doctors in compliance; he said that the enemy is the compliance officer. But he followed up with the sentiment of “give them a role and voice at the table and they will come.” Ray Ribble, Managing Partner at All Medical Solutions asked his panel to suggest ways PHI Protectors could get involved with efforts inside and outside of their organizations after the conference, which lead to a discussion about engaging with alliances such as the Medical Identity Fraud Alliance, NIST, and ISACS.

Thank you again to the sponsors, speakers, and attendees for making this a wonderful information sharing and networking event. Please join the conversation on the LinkedIn Group and participate in the ongoing dialogue. As our panelists said, we have a tremendous window of opportunity now to make an impact -- patient privacy and security is about all of us.