Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy




On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The Congressional report, which sums up the state of healthcare cybersecurity to be in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well-aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a healthcare-specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Healthcare organizations should begin now to think about how they would align their controls to the NIST CSF standard.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate clear security inclusion from new product model requirements through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of potentially compromised medical devices, through customer education and incentives.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Download the Protiviti flash report here.

Fintech Perspective: Balancing Speed to Market With Sound Risk Management



Christopher Monk, Managing Director
Business Performance Improvement


Tyrone Canaday, Managing Director
Technology Consulting


As financial institutions develop innovative technology, in-house or by partnering with fintech companies, they need to carefully consider regulatory requirements for both third-party risk management and information security. Protiviti hosted a Fintech Innovation webinar on April 5, which addressed the need for banks and other financial institutions to balance sound third-party risk management with the desire to bring new products and services to market quickly in order to remain competitive in today’s marketplace. The attendees primarily consisted of traditional financial services companies (81 percent) – mainly banking organizations and some insurers. Fintech companies represented seven percent of the audience.

We want to highlight some of the results of the polling questions submitted during the webinar because they give insight into the current state of fintech innovation and the areas banking firms are most concerned about as they work to achieve a balance between innovation and sound risk management.

The collaboration is not without challenges. Of those saying they are facing challenges with their third-party risk management programs (a large majority), one-third consider coordinating activities and workflow between different groups in the organization responsible for managing parts of third-party risk, such as the business (the first line of defense), the vendor management office, procurement and the compliance and information security functions, to be the most difficult. Seventeen percent of respondents highlighted the difficulty in gaining coverage of all of the organization’s third parties across all of the lines of business in the enterprise. Other issues include understanding and keeping up to date with all of the evolving regulations, and managing the workload by enhancing the efficiency and scalability of the third-party risk management process.

Most significantly, almost half (44 percent) of all respondents indicated that their organization does not track the risks associated with fintech companies and other vendors effectively.

Addressing the challenges

For institutions that are just beginning their innovation journey, a good starting point is to ensure they understand what their current capabilities are, including those for actively managing third-party risks as well as data security and privacy risks. From there, firms can then begin to consider pushing forward with developing innovative products using a structured research and development (R&D) lifecycle. By layering the two efforts together, firms can ensure third-party considerations are addressed throughout the process, and the level of risk management rigor and scrutiny is increased as they progress through the R&D gates.

During our webinar, Protiviti experts guided attendees through the many ways in which fintech companies are disrupting the marketplace and offered a new third-party risk management framework that can help manage the risks inherent with partnering with smaller, startup firms and launching new technology products and services. You can access the free recorded version here, and we recommend a full listen.

For even more detail on how traditional financial institutions can balance the need for speed-to-market for new products with the need for information security and risk management compliance as best practices, refer to our newly published white paper: Enabling Speed of Innovation Through Effective Third-Party Risk Management.

Paul Kooney of Protiviti’s Security and Privacy practice contributed to this content.

Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance




Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.


Your Personal Information Is Not Personal Anymore – So Who’s Guarding It?


By Scott Laliberte, Managing Director
IT Security and Privacy



We live in an age of great convenience enabled by technology. Snap a photo of your check on your smartphone to make a deposit, simple. Rollover an IRA from your home office, easy. Change the password on your bank account from the airport, no problem.

What is less apparent to consumers of these services is the risks they may be assuming by making use of these conveniences. And while few of us have the wish to give up our conveniences, we’d better be ready to demand the best processes and technologies available to protect us from the risk of fraud and identity theft.

For businesses, meeting demands for enhanced personal identity protection can be costly, and it introduces new inconveniences to their customers – something of which businesses are always conscious. It helps when consumers realize the value of better security, and even demand it, despite the potential costs and inconveniences. We are all familiar with the annoyance of forgetting our password and having to jump through half a dozen hoops to get it back – but at least we recognize it’s our own interest that demands it.

Businesses are limited to just a few options when they want to confirm the identity of a consumer: things the consumer knows, things the consumer has, and things the consumer is. For instance, a consumer knows her password, date of birth, social security number, and the answers to several secret questions, like make of car or mother’s maiden name. Some of these are easy to guess; all are easy for a hacker to store and reuse: if one breach reveals the customer’s password and secret-question responses for one site, hackers are smart enough to “replay” this information to hack other sites. Things the consumer has, like her cell phone, are harder for hackers to obtain. Adding an “out of band” element to authentication – like texting a PIN to the phone to authorize a logon to a website – protects customers even when hackers have other identifying data. Finally, things the customer is offer strong protection as well (though they also may be subject to replay or other issues). Fingerprints and retina scans are two biometric methods in this category right now.
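The replay point above, as an added illustration that is not code from the original post: a stored secret-question answer is the same value every time, so a copy stolen from one breach works anywhere that asks the same question, whereas a PIN sent out of band is bound to one login attempt, expires after a few minutes and is consumed on first use. The five-minute lifetime, three-attempt limit and `clock` hook are assumptions chosen for the demonstration.

```python
"""Out-of-band one-time PIN versus a static secret answer (illustrative code)."""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumption: a texted PIN is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses void the PIN


def static_answer_check(stored_answer, supplied):
    """Secret-question check: the same answer is accepted every time, on every
    site that stored it, so a value captured once can simply be replayed."""
    return hmac.compare_digest(stored_answer.lower().encode(),
                               supplied.lower().encode())


class OutOfBandPin:
    """Issues and verifies single-use PINs tied to one user and login attempt."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested offline
        self._pending = {}        # attempt_id -> pending PIN record

    def issue(self, user, attempt_id):
        """Create a PIN for this login attempt and return it for delivery.

        Only a salted hash is kept server-side, so a leaked table does not
        expose PINs that are still in flight.
        """
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[attempt_id] = {
            "user": user,
            "salt": salt,
            "digest": self._digest(salt, pin),
            "expires": self._clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        return pin

    def verify(self, user, attempt_id, pin):
        """Accept the PIN once, for the right user, before it expires."""
        rec = self._pending.get(attempt_id)
        if rec is None or rec["user"] != user:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[attempt_id]          # stale: discard it
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], pin))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[attempt_id]          # consumed, or locked out
        return ok

    @staticmethod
    def _digest(salt, pin):
        return hashlib.sha256(salt + pin.encode()).digest()


def demo():
    """Walk through replay of a static answer versus a one-time PIN."""
    clock = [1_000_000.0]
    svc = OutOfBandPin(clock=lambda: clock[0])

    # Constructed stored answer: replaying it a second time still succeeds.
    answer_replay = static_answer_check("civic", "Civic") and \
        static_answer_check("civic", "Civic")

    pin = svc.issue("alice", "login-1")
    first = svc.verify("alice", "login-1", pin)     # accepted once
    replay = svc.verify("alice", "login-1", pin)    # rejected: already used

    pin2 = svc.issue("alice", "login-2")
    clock[0] += PIN_TTL_SECONDS + 1
    expired = svc.verify("alice", "login-2", pin2)  # rejected: too old
    return answer_replay, first, replay, expired


if __name__ == "__main__":
    print(demo())
```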

These are the kinds of protections businesses must now routinely offer and customers must demand, or at least reward with their patronage those businesses that offer them.

Here are some suggestions for businesses that wish to add themselves to the category of companies with strong, responsible customer identity protection:

  • Offer enhanced security features but allow your customers to opt in. Not all consumers will be willing to take on more complex authentication to protect their identities against theft. Some simply don’t care, and the complexity may drive them away.
  • Consider how fees might offset the costs of enhanced protection, and also how fees might affect customer loyalty. Monitor how these services are priced by other players in your industry.
  • Develop your in-house knowledge of the changing cybersecurity landscape and expedite development of your expertise in areas that are affecting your business the most.
  • Educate your consumers so they can recognize the value of the enhanced security you offer to protect them against significant losses – and why the added inconvenience is a minor hassle compared to the siphoning of their 401k, for example.
  • Employ advanced fraud analytics to monitor for suspicious activities and high-risk transactions.

From the consumers’ perspective, the following actions should help consumers become partners in the effort to protect their own identity:

  • Sign up for identity theft protection services. These services monitor credit inquiries and can protect against thieves using stolen personal information to apply for credit in your name. While they may not be able to detect activity directed at your 401k, HSA, or other financial accounts, these services may provide support to resolve problems resulting from identity theft and some even offer insurance against loss.
  • Monitor financial statements promptly to ensure all transactions are valid.
  • Change passwords often; don’t reuse passwords on other sites. Vary your secret questions; choose questions with answers that are the hardest to guess (e.g., the name of your best friend in high school is harder to guess than your favorite color).
  • Welcome enhanced security features like out-of-band authentication (such as a PIN texted to your phone) and biometrics (using your fingerprint or iris) – especially for high-risk transactions such as changes to key account information (password, email, address) or transfers of money.
  • Vote with your wallet: Gravitate toward businesses that offer enhanced security features. Encourage your established providers, via survey responses and direct requests, to offer enhanced security features, and be prepared to pay for them – perhaps in higher fees; certainly in inconvenience.

Businesses will continue to benefit from offering convenient online features to their customers, as a way of achieving customer loyalty and competitive advantage. Consumers will come to expect faster, secure, seamless services as platforms and technology allow. Businesses and consumers alike will do well to stay informed about how to protect consumer data in this evolving landscape. As long as identity theft continues to reward hackers, they’ll keep looking for ways to circumvent security measures. We need to evolve our security techniques to keep up with the ever-changing threats from cybercriminals.

Fintech Faultline: Customer Experience Versus Security and Fraud

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, gets underway this weekend (Oct. 23-26). Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.


By Jason Goldberg, Director
Financial Services Business Performance Improvement



Financial technology, or fintech, firms are disrupting the financial services industry with their nimble structure and innovative payment, banking and wealth management services. Unburdened by legacy core systems, regulatory scrutiny and complex processes, emerging fintech companies innovate from day one, creating optimal customer experiences that are difficult for traditional financial institutions to match.

New entrants are significantly improving the customer experience in the person-to-person (P2P) payment sector, for example, by allowing transfer of funds with just a couple of taps on a smartphone. Despite the popularity of these payment apps, however, there is growing concern from consumers and regulators that some emerging fintech firms, in their haste to get ahead of their more-established competition, may not have focused enough on security and privacy controls.

We examine this dichotomy in a new Protiviti paper, Balancing Customer Experience with Security and Fraud Controls. But I wanted to whet your appetite with a small example.

A governing dynamic long known to established financial institutions is that success (or failure) brings regulatory scrutiny. The Consumer Financial Protection Bureau (CFPB) sent a strong signal earlier this year when it levied a $100,000 fine against a fintech company for failing to employ reasonable and appropriate measures to protect consumer data from unauthorized access, and for not encrypting some sensitive personal information. While the monetary value of the fine was not significant, it was an overture for other fintech firms to be more mindful of their practices.

This example should serve as a lesson for traditional financial institutions as they seek to partner with emerging fintech companies or emulate some of the more successful practices of these tech-savvy upstarts. The lesson is that innovation needs to be balanced with security, fraud, risk and compliance requirements from the earliest design phases of any technology transformation project.

Control functions such as risk, compliance and security are perceived to have an adversarial relationship with innovators, who sometimes sidestep compliance in favor of speed to market. And yet, it is critical to embed these checks and balances from the earliest planning stages of product design. The key is finding a balance between the two.

Despite their inexperience, emerging fintech companies may have an easier time of this, because of a cultural bias against silos and for collaboration. Traditional financial institutions may need to work harder to break down established mindsets and find security and compliance people who think more like innovators.

That’s really the crux of the matter. As traditional financial institutions seek to transform to answer customer demands around nimble and innovative experiences, it is important for them to remember that the transformation also requires changes to organizational mindset, processes and, of course, technology. A holistic focus on customer experience, with a balanced and integrated (not layered) security and fraud approach, will drive powerful customer relationships. Customers and the security of their transactions are at the heart of the financial services industry and, in that regard at least, established players still have the advantage.

Internal Audit and the Internet of Things

By Jordan Reed, Managing Director
Internal Audit and Financial Advisory



Depending on whom you ask, the business disruptor known as the Internet of Things (IoT) is either the launch pad for an indispensable digital future, or a Pandora’s box of unfathomable risks that have only begun to present themselves. Either way, that’s a lot to lay on a technology trend that only 13 percent of consumers had even heard of, as recently as 2014.

As with most disruptive change that has come before, the IoT poses both opportunities and threats. The internal audit function, as the line of defense tasked with scanning the horizon to ensure that emerging risks are known and accounted for in strategic plans and control frameworks, must now consider both the industry implications and the specific organizational challenges.

Small wonder it ranks among the top five priorities in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Judging by the packed house for our June 1 webinar on this topic, a number of you agree. We crammed a lot into that hour, and I’ll only be able to whet your appetite here. But here’s a taste, and some questions to take back to your organization.

To be clear, IoT is the term used to describe the online exchange of data gathered from uniquely identifiable objects, animals and people, without human-to-human, or human-to-computer, interaction.

This is the world of wearable technology — fitness trackers, heart monitors, insulin pumps, and other “smart” devices, like remote home thermostats. It exists primarily in the cloud, and also includes engine sensors, diagnostic controls and transdermal, and even ingestible, medical devices.

Risks, of course, include personal privacy, data security, system integrity and more. Conversely, companies face the risk of failing to adapt to a fundamental shift in the competitive environment. But there are also opportunities for risk mitigation through advances in predictive analytics and continuous auditing.

The archived version of the webinar offers a rich and informative discussion, with many good questions from our audience, who felt the content was timely and pertinent. In the meantime, here are some questions for internal auditors to take back to their organizations:

  • How is IoT deployed in our organization today? Who owns IoT or the respective components of IoT?
  • Have we considered the risks associated with our IoT presence? How have those risks been quantified and controlled?
  • Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy and security implications?
  • Do we have contingency plans for internet-connected “things” that are hijacked or modified for unintended purposes?
  • To what extent are third parties acting on our behalf? Do we have the right processes and SLAs in place to appropriately monitor those third parties?
  • What role does IoT play in our current strategy as an organization? How are we measuring progress toward any goals associated with strategic objectives?
  • What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to its full potential?

This risk is clear and present. Disruptive innovations that once may have taken a decade or more to transform an industry are now occurring much faster. To stay ahead of the disruption curve, internal audit must quickly discern the vital signs of change and the related implications to the business model of their organization.

The IoT and the related risks will continue to evolve and we will continue to track those risks and developments here on our blog and in upcoming publications, so check here and on our website often.

Internal Audit at a Tipping Point and Ten-Year Trends

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.


By Brian Christensen
Internal Audit Global Practice Leader




In the tenth year of our Internal Audit Capabilities and Needs Survey, we believe internal audit has arrived at a tipping point. The issue is no longer whether your function is evolving, but how quickly and effectively it is transforming into a more strategic, collaborative and data-driven operation while maintaining the highest performance quality. As an additional insight for our readers, this year’s survey includes 10-year trend data to illustrate top priorities and how they have evolved, dating back to when we began conducting the survey in 2007.

Here are the most significant changes our trend data revealed:

  • Tech versus technique. The most apparent difference between 2016 and 2007 is that all of the priorities in 2016 are tied to data and technology, while all of the priorities of 2007 were tied to technique – from mastery of the COSO Enterprise Risk Management Framework to compliance with international reporting standards.
  • Agile versus rigid. In 2007, mastery of the highly structured Six Sigma project management methodology was one of the top technical needs in our survey results. In 2016, that same level of priority is being placed on less-structured, agile methodologies, reflecting the increasingly dynamic nature of risks today.
  • Big Data versus information. Data security/information security emerged as a top concern in our 2008 survey. Back then, the primary focus was on protecting trade secrets and intellectual property. Today, it is more about data utilization. And although the phrase “Big Data” has yet to appear among internal audit’s top priorities, it is represented on the list in 2016 as the Internet of Things – a growing trend that promises to disrupt everything, from demand planning to health care.
  • External versus internal. At the time of our first survey, all of the top capabilities and needs were focused internally, and many centered on the internal audit function’s emergent role in enterprise risk management. In the past three years, almost all of the top capabilities and needs reflect strategic responses to external threats and a changing risk landscape.
  • Consultant versus constable. This outward-turning focus is indicative of the internal audit profession’s growing focus on strategic risk management and consultative value creation. Practitioners have long talked about moving away from the traditional policing and compliance role. This changing perspective is strong evidence of the progress that has been made along those lines.

One important observation from this year’s survey: We have, without a doubt, entered the age of the Internet of Things – an era of machine-to-machine communication where the amount of data in the world has entered an exponential upward climb. The threat window from misuse of this data has narrowed to real time. And the only way to even begin to manage such a risk is to invest in and master data analytics. This is mission-critical.

Internal audit knows that. Year after year, for the past five years, we’ve seen data analysis technologies show up in our surveys as a critical deficiency. An optimistic interpretation of this trend would be that the profession is attuned to this critical threat and it therefore weighs heavily on the minds of respondents. A less optimistic interpretation is that internal audit lacks either the knowledge or the resources, or both, needed to deal with a recognized threat.

The reality, in our experience, is that data analytic capabilities in a majority of internal audit departments have not kept pace with the speed of risk. The tipping point, however, has been reached. This risk is on the run, and unless we, as a profession, act now to aggressively address this deficiency, there is a substantial risk of failure. It’s not often we are given such an imperative. Now is one of those times.

What do you think it will take to meet the challenge? Please share in the comments.

The full survey report, video, podcast and infographic can be accessed here.