Internal Audit’s Role Will Be Key in the GDPR Journey

 

By Jeff Sanchez, Managing Director
Technology Consulting


Andrew Struthers-Kennedy, Managing Director
Technology Audit

 

Over the next nine months, organizations will spend billions of dollars to comply with the General Data Protection Regulation, or GDPR — a European data protection and privacy regulation with the potential to be as disruptive to companies that conduct any kind of personal data exchange with the EU as the financial reforms created by the Sarbanes-Oxley Act were back in 2002. For starters, it is estimated that over the next year, companies in Europe will hire 28,000 data protection officers (DPOs) — one of the requirements of the GDPR. And that’s just one of the changes companies will have to make.

Protiviti held a popular webinar last month to discuss what GDPR is, how it will affect companies and how companies should prepare for this significant change. Scott Giordano of Robert Half Legal and Jeff Sanchez provided an overview of the regulation in a previous post. Here, we want to focus on GDPR’s implication for internal audit specifically. Two-thirds of the attendees at our webinar were from the internal audit function — not a surprise, as this is the group that will be providing assurance over the new controls once they are implemented, and is well positioned to provide guidance during their design and implementation.

The effects of this new law will be felt across all organizational departments, affecting policies, procedures, marketing, analytics, vendor contracts and customer transactions, among other things. The internal audit function, by virtue of its deep departmental access, compliance and risk knowledge, and board-level credibility, can play a significant role in both preparing for the change and monitoring compliance after the law is enforced, beginning May 25, 2018.

Between now and May 2018, internal audit can play a key role in guiding company strategy, serving as a strategic partner, helping the DPO, raising awareness of the new law, talking about potential risks, identifying gaps in the company’s compliance program, and helping to drive change within the organization.

Results from participants in Protiviti’s GDPR webinar

The majority of attendees we polled during the webinar (66 percent) said their companies are still in the early planning and discovery phase — conducting privacy risk assessments, identifying applicable laws, mapping data and trying to understand requirements. This is an area where internal audit can make a big difference.

Once the risks and compliance requirements have been identified, internal audit can add value by facilitating a gap analysis. With roughly a quarter of companies at this stage, common gaps we have seen so far include:

  • General lack of awareness related to the GDPR requirements (in particular among customer-facing functions, e.g., sales)
  • Lack of comprehensive inventory of personal data and mechanisms for how such data is being captured, stored, processed, and transmitted
  • Poor data mapping, or a lack of priority in privacy design
  • CRM systems not designed to accommodate the rights of data subjects
  • Third-party contracts that don’t reflect new regulatory requirements, and insufficient vendor management
  • Historical data that may not meet GDPR consent requirements
  • Insufficient accountability in data security and privacy across all users and applications
  • Security vulnerabilities during data processing
  • Slow or insufficient breach reporting and communication

Only after the requirements and compliance gaps have been identified can the organization begin to implement changes and move toward compliance. Our polling questions revealed that j ustone in ten companies has made it to this phase. Internal audit can add value here by helping to shape a compliance roadmap and advising on appropriate practices to meet the requirements of GDPR.

Of course, after the regulation takes effect, internal audit will play a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions and making sure the organization is truly compliant. Data protection, specifically related to GPDR, might well be a focus point for all integrated audits that are conducted.

Companies and their internal audit departments should not underestimate the effort involved in complying with this law. The cost of complying is estimated at more than $1 million for 17 percent of U.S. companies, with larger companies likely to see higher costs. Now is the time to raise awareness among all functions that will be affected, inventory personal data, review data policies thoroughly, conduct a risk assessment and identify gaps, and engage with vendors. As with any business initiative of this scope, proper governance and oversight (including executive sponsorship and a dedicated steering committee) is going to be key to the success of the GDPR program.

For more information, we strongly encourage you to watch our free archived webinar, subscribe to our blog to be part of future discussions, and try to attend a roundtable near you. It’s not too late to start, but that won’t be the case for long.

GDPR: Strict New EU Data Privacy Rules Have Global Reach

 

By Jeff Sanchez, Managing Director
Security and Privacy

and Scott Giordano, Director
Robert Half Legal – Data Protection Practice

 

European regulators are giving individuals new rights to control how their personal data is used. A new law, the General Data Protection Regulation (GDPR), scheduled to become effective May 25, 2018, is the most important change in data regulation to come from European Union (EU) regulators in 20 years. It introduces strict new rules for the protection of the personal data of EU citizens, and applies to any company that collects or processes such data. Organizations with customers or employees in the EU should prepare now to avoid big fines and potential legal liability.

We’ve been getting a lot of interest in this topic and will be doing our best to keep you advised and informed on this important change so that you can be prepared when the regulation becomes effective. Not surprisingly, given the scope of change this regulation will require, our GDPR webinar on July 18 was very well attended. Below is an overview of part of that discussion.

GDPR expands the scope of previous EU regulations to include any data processor or data controller that processes the personal data of EU residents. It mandates data portability, imposes stricter conditions for consent and data retention, and dramatically increases fines and penalties for violations.

U.S. companies, take note: Compliance with GDPR is going to require some heavy lifting. The regulation only allows data transfer between countries with “adequate” data protection laws. Currently, the United States does not meet this requirement, which means U.S. companies will have to employ data transfer mechanisms (such as Privacy Shield) if they want to continue doing business — even online — with EU data subjects.

Other notable changes include:

  • A requirement that EU citizens must specifically “opt in,” or grant permission for their data to be captured. Under the GDPR, consent may be revoked at any time, and implicated data must be erased.
  • The mandatory appointment of a data privacy officer (DPO) in some circumstances.
  • 72-hour breach notification requirements (common in the U.S. but not in Europe until now).

Companies will feel these changes throughout their functional areas, but particularly in their legal, IT security, business, sales, data collection and marketing departments. There are no exceptions: GDPR applies to companies of all sizes, regardless of whether data is kept in-house or in the cloud. GDPR applies to existing customer data, not just new customers.

What will this sweeping change cost? We estimate the cost of compliance to be in excess of $1 million for companies with more than 10,000 employees. The cost of not complying, however, is even higher, with the penalty cap raised from 500,000 euros to 20 million euros or 4 percent of annual global revenue, whichever is greater. In addition, consumers will be allowed to claim compensation for damages resulting from breaches of their personal data.

There are several steps companies should be taking now to ensure that they will comply with GDPR by the 2018 deadline. Protiviti has been working with many companies to develop a roadmap to compliance. In addition to appointing a DPO, we recommend:

  • Inventorying all personal data
  • Conducting a data protection impact assessment
  • Identifying compliance gaps
  • Protecting personal data by design and by default
  • Developing a framework for GDPR compliance

We will be discussing these preparations both here on The Protiviti View and in future publications. Bookmark our website or subscribe to follow us here to stay abreast of developments.

Internal audit is uniquely suited to help organizations assess compliance, determine scope and recommend changes. We will be exploring internal audit’s role in this transition in more depth in a follow up post.

It is hard to overestimate the impact of GDPR, which has the potential to do for data privacy what Sarbanes-Oxley did for financial regulation. This is not a matter of updating a few policies. There will be need for changes to applications, as well as changes to contracts and third-party relationships. And we haven’t even touched on data portability.

If you haven’t yet begun the assessment process, there is still time, but the window of doing so comfortably is closing.

Protiviti will be holding a series of roundtable discussions in major cities around the United States. We encourage you to attend one if you can. Details are available on our website.

Security and Privacy in Financial Services: Q&A Addressing Top Concerns

 

By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy

 

Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third party risk, shadow IT — systems and solutions built and used inside the organization without explicit organizational approval — and data classification, are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry — both from security and compliance perspective. We often talk about “crown jewels” — data that warrants greater protection due to its higher value. Establishing effective data classification and data governance are multi-year efforts for most institutions, and they must be consistently managed and refreshed. And, the difficulty of these efforts are compounded by the unique complexity of financial systems. Naturally, financial services forms are slightly ahead in the data classification game than their counterparts in other industries, due to their more acute awareness and ongoing and focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are being attacked and breached more often than companies in other industries due to the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), both encourage regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires that CISOs at insurance companies provide a report to the board on the cyber program and material cyber risks of the company, at least annually. As we noted in the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity in all organizations — so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors get actively engaged with management on this topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that the probability of a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high — or even moderate — degree of confidence. It may be a measure of false confidence that so many organizations think they can prevent an attack. The onus is now on firms to assume that an attack is likely, and be prepared to limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, which is more difficult to classify. Firms may also be dealing with new technologies with different security characteristics as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, its location and all of the places it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect the integrity of that data as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startup organizations that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to take appropriate steps to ensure there are appropriate controls in place, and test those controls to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader

 

Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key critical functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies feel that the risk of a data breach or hack is also outsourced to the business partner, and that the collaborative agreements they’ve established with their commercial or academic partners or contracted research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically and how is that data protected while in transit or stored? More companies than ever before, big and small, are now working with contract resource organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often will target the security weaknesses of third parties to gain access to a targeted company, using tactics such as phishing. Another risk area: Many businesses are relying on third-party vendors, i.e., cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  1. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Data-Rich Manufacturing Demands Cybersecurity of the Supply Chain, Too

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Tony Abel, Managing Director
Supply Chain

 

Few manufacturers would disagree with the view that the Internet of Things, big data integration and other advances in technology are boosting productivity, streamlining supply and distribution channels, and improving product support. But the WannaCry ransomware attack unleashed on businesses, governments and hospitals across the globe last month and the most recent attack this week delivered a sobering reminder that those digital-driven innovations carry very real risk.

That’s especially true for supply chains. Competition and efficiency demands increasingly compel manufacturers to enlist third-party vendors to produce components for an end product, meaning proprietary information and specification data is sent digitally across the globe, ready for cybercriminals to steal and exploit. One recent survey of 1,400+ supply chain professionals found that data security/IT incidents ranked as the most critical risk to supply chains.

Cyber attacks are likely to grow in frequency and severity, according to our recent Flash Report discussing the WannaCry ransomware event. In the report, we highlighted the need for companies to not only adopt a cyber defense, but also to continuously evaluate and improve it to protect against evolving threats. We noted, again, that many organizations continue to ignore cybersecurity – or at best are inadequately addressing it.

Opaque Supply Chains

It makes sense that businesses that are underprepared in their own cyber defenses have even less insight into the cybersecurity of their suppliers. But clearly they should. According to a 2016 presentation given by cyber supply chain risk management specialist Jon Boyens, a program manager with the National Institute of Science and Technology (NIST), 80 percent of all information breaches occur within the supply chain, and almost 60 percent of companies do not have processes for assessing the cyber security of their vendors. Similarly, more than seven out of 10 organizations lack full visibility into their supply chains.

Even more alarming, NIST anticipated that cyber attacks and data breaches would cause nearly half of the manufacturing supply chain disruptions in the next couple of years. Such incidents are costly. NIST estimated that 55 percent of the disruptions incur more than $25 million in damages per incident. In addition, supply chain breaches that steal or alter data could result in substandard products, the loss of intellectual property, and backdoor access into the manufacturer’s systems, all of which could further tarnish an organization’s brand and diminish its value.

Samsung’s recent bout with the flawed batteries that sparked fires in its Galaxy Note 7 phones illustrates the potential damage to a company’s reputation and bottom line. Samsung ultimately identified specifications provided to its suppliers as the culprit, but not before the company took a $5.3 billion hit to earnings and lost consumer trust. How much worse would it have been if a cyber criminal altered the specifications intentionally?

Supplier Checklist

The good news is that manufacturers can mitigate supply chain risks by ensuring that their third-party vendors are pursuing similar cybersecurity efforts as their own. Here are a few fundamental questions that we recommend focusing on when assessing supply chain IT risk:

  • Does the supplier’s culture promote cybersecurity and ransomware awareness throughout the organization? What kind of training are its employees receiving to recognize and address threats?
  • What cyber defenses are in place, and are they sufficient to counter the latest malware threats? Is the supplier up to date on indicators of compromise for recent attacks?
  • How frequently does the supplier conduct cyber risk assessments? Is the regimen sufficient to keep up with the rapidly evolving threats, and does it include defenses to block operational disruptions? Does the supplier consider the risks in its own supply chain (e.g., Tier 2 and Tier 3 suppliers)?
  • Does the supplier have an effective response plan? How often is it updated, and how often does the organization conduct threat simulations as part of its cybersecurity training?

Sound Agreements Needed

Manufacturers and suppliers seeking to reduce supply chain risk also should review contracts to ensure compliance. Items for each party to consider include:

  • Are the supplier’s cybersecurity obligations spelled out clearly in the contract, and does the language extend to the supplier’s subcontractors?
  • Does the contract include assurances that the supplier has the infrastructure to uphold its end of the contract?
  • Who are the executives or managers executing the contract for the supplier? Are they the most appropriate personnel in regards to understanding cybersecurity threats and the supplier’s ability to meet its obligations?

As cyber threats continue to escalate, it is important for manufacturers to gain visibility into their supply chains in order to assess their overall risk-mitigation and response capabilities. The ideas outlined here represent basic but critical actions organizations should be implementing as they strive to secure the increasing amount of sensitive data shared in the production and sourcing processes.

EU Payments Directive Opens Door to Open Banking

By Bernadine Reese, Managing Director
Risk and Compliance, Protiviti UK

 

 

 

The second European Payment Services Directive (PSD2) is scheduled to become law on January 13, 2018. Heralded as a way to make it faster, easier and less expensive for consumers to pay for goods and services, it also forces European banks to share customer data and payment infrastructure with third-party service providers and disruptive new competitors known as fintechs.

For better or worse, banks will soon have to comply with the law. Their only choice lies in whether to embrace this disruption and use it as the catalyst for an “open banking” business model, or succumb to the competitive threat.

The European Parliament adopted PSD2 in October 2015 to promote innovation (especially by third-party providers), enhance payment security and standardise payment systems across Europe. Its practical effects would be to:

  • Regulate fintechs that fall within the wider definition of what is regulated in payment services
  • Limit transaction fees and rebates
  • Require banks to open their payment infrastructure and customer data to third-party financial service providers; and
  • Provide new protections to consumers and users of payment services.

In practical terms, PSD2 would create an open banking environment where banks would be required to share a customer’s personal financial data, at the customer request, with any regulated account information service provider (AISP), while the bank still retains responsibility for the risk and compliance aspects of the customer and his or her data. This will be done through an application programming interface (API) that complies with a set of technical standards set forth by PSD2.

For sure, this expanded access and consolidation of data increases existing risks (i.e., fraud) and poses new potential risks to the current business model of certain institutions such as banks, but it bring opportunities as well — particularly for challenger banks, and for traditional banks that choose to do more than the bare minimum PSD2 compliance. Perhaps a bit surprisingly, the prevailing sentiment — even among some bankers — is one of excitement and optimism.

Time will tell what innovations and unintended consequences PSD2 will create. In the most likely scenario, the financial services industry will see a dramatic rise in mobile technology driven by APIs. In the future, banks wishing to remain competitive will use API to build an “ecosystem” with not just payment providers but merchants, so they would remain their customers’ “everyday bank.” The use of APIs in financial services has been hampered by privacy rules and the private ownership of data and infrastructure. PSD2 clears those hurdles.

Consider this small sampling of possibilities:

  • Account aggregation, which provides consumers with an overview of all accounts held across different institutions, without having to log into multiple proprietary customer portals.
  • Automated balances sweeping across multiple accounts to maximise interest payments and minimise debit balances.
  • “Marketplace” banks that offer lowest-cost services for loans, overdrafts and foreign currency transfers.
  • Credit decisions based on actual data by any institution and not just the institution currently providing bank account services — increasing choice and competition.
  • Payment facilities for the Internet of Things, such as, say, a self-replenishing refrigerator authorized to “shop” on the owner’s behalf, or a car that can pay for fuel or recharge without the customer leaving the vehicle.

There will be winners and losers. Potentially the biggest winners will be consumers and entities making and receiving payments within the European Economic Area. Cost and lack of competition in the existing payment space has been a concern for European regulators, and the opening up is likely to drive costs down for banks and consumers alike as competition increases.

An issue I deliberately did not mention here is data security and the safeguards built into PSD2 to ensure that personally identifiable data is protected. This is a topic for a discussion of its own right, and we will be covering the security aspect of PSD2 here on this blog and elsewhere. In the meantime, you can bet that PSD2 will be front and center, when the European financial services industry gathers June 26-28 in Copenhagen for Money 20/20. I hope to see you there!

John Harvie, Business Performance Improvement, Protiviti UK and Justin Pang, Risk and Compliance, Protiviti UK contributed to this content.

Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy

 

 

 

On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The Congressional report, which sums up the state of healthcare cybersecurity to be in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well-aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a health-care specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Health care organizations should begin now to think about how they would align their controls to the NIST CSF standard.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate clear security inclusion from new product model requirements through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of potentially compromised medical devices, through customer education and incentives.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Download the Protiviti flash report here.