Publications


The following abstracts are a collection of some of Richard’s recent healthcare cybersecurity and regulatory compliance white papers and other publications. Titles link to the full documents.


A Lifeline: Patient Safety & Cybersecurity. 2019 Public-Private Analytic Exchange Program. US Department of Homeland Security - July 2019

Healthcare information is unique and personal to us all. Indeed, the patient is at the center of healthcare, as it would not exist if the patient did not exist. Bits and bytes in today’s digital world have real significance when it comes to patient care, as patient lives are on the line. Any disruption, corruption, or leak of data may significantly alter the course of patient care for affected patients, with the potential for adverse consequences. As a result, patient safety is directly tied to cybersecurity in today’s digital world.

Yet, many people within the healthcare sector have not made the connection between patient safety and cybersecurity. Relatively little is known about the impact on patient safety as a result of lax cybersecurity. Yet, the loss of even a single patient’s life as a result of lax cybersecurity would be one person too many. Computers can be replaced, but people cannot.

Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database - Jan 2019

In mid-2018 a successful cyber attack was conducted by a nation-state against the IT systems of SingHealth that leaked the medical records of 1.5 million Singapore residents, including the Prime Minister and several other VIPs. A lengthy investigation by local and globally renowned experts blamed the attack's success on a lack of basic security hygiene coupled with ill-trained IT staff.

The Singapore Government Committee of Inquiry (COI) was convened in 2018 to inquire into the events and contributing factors leading to the cyber attack on Singapore Health Services Private Limited (SingHealth)’s patient database system between 27 June and 4 July 2018.

This is the 454-page public report of the investigation.

The Digitization of the Healthcare Industry: Using Technology to Transform Care - Sept 2016

Over the past few years, few industries have seen such dramatic changes as in healthcare. On the one hand, the healthcare sector is strong and growing, with a value of $3.2 trillion in the United States. With the dust finally settling on the Affordable Care Act, more than 10 million newly insured Americans are bringing significant revenues to an industry shifting to more retail-like business, clinical, and operating models.

On the other hand, few sectors are experiencing such disruption. The new business models are more vulnerable to competition, increasing the pressure to reduce costs and meet stringent customer demands. Many are moving to risk-sharing, pay-for-value plans. In fact, a new task force of providers, insurers, and employers has committed to shifting 75 percent of business into contracts with incentives for health outcomes, quality, and cost management by 2020. And companies must continue to secure the most valuable data on earth - electronic medical records - from a black market willing to pay top dollar for healthcare information.

Security in Healthcare: Bolstering Connectivity and Protecting Patients - April 2016

Connectivity and the Internet of Things (IoT) are pushing the boundaries of healthcare treatment. Medical professionals can access patient data and real-time health status in a way that can dramatically enhance their understanding of the progression of a disease and improve their response to patient health incidents. Medical equipment can automatically identify system failures and even generate maintenance tickets. Remote treatment allows doctors and patients to communicate no matter where they are.

But this connectivity comes at a price. More devices and more communication increase the opportunities for attackers to breach defenses. On the one hand, the healthcare industry has been resistant to change because it fears that interfering with critical systems could harm patients. On the other hand, not investing in security may not only affect patient care if systems are disrupted but also injure patients' well-being if their private records are stolen.

Combating Cybercrime in the Healthcare Industry - April 2015

Healthcare security breaches are making headlines with escalating frequency. Consequently, the need to safeguard personal health information (PHI) and other nonpublic data looms more urgent with each passing day. Yet, healthcare organizations are unable to respond. They’re currently starved of cash, thanks largely to declining Medicare and insurance reimbursements as well as the growing trend to pay by results rather than pay by procedures.

While recent developments shine an unsettling public spotlight on healthcare crime, to security experts in the industry, the concern goes far deeper than the mainstream news. A vast number of breaches aren’t even reported. In fact, 80 percent of medical record thefts remain unnoticed for months, and sometimes years, according to Cisco® Security healthcare expert Richard Staynings.

CIO Barometer - Healthcare and Cybersecurity: The Pressure is on - January 2014

As major security breaches continue to top the news, governments and organizations respond with new regulations, increased oversight and stiffer penalties. Public tolerance is slipping, too. Simultaneously, increased demand for mobility and expanding supply chains, along with a desire to link IT systems to industrial control systems, adds to risk. Cybersecurity has taken center stage for healthcare CIOs, evidenced by responses to CSC’s 2013 CIO Barometer survey.

The fifth annual CIO Barometer represents the views of more than 680 IT managers, directors and officers working for organizations spread across 18 countries. For those operating in the healthcare sector, cybersecurity consistently appeared as a priority and challenge, regardless of whether the subject was innovation, management or cost.

The Cyber Threat to Healthcare - June 2013

Healthcare is undergoing a fundamental transformation in the way that the industry operates and does business. This is equally true for healthcare payers, providers and life sciences organizations. Growing regulatory requirements for payers and providers to move to electronic medical records, new coding, telehealth and telemedicine, and secure electronic communications are combining with downward price pressure from government, insurance and consumers to force all aspects of healthcare to be leaner and more efficient while at the same time more secure. “Do more with less” is the message coming from all sides.

At the same time, the life sciences and pharmaceutical industry is coming under increasing pressure as lucrative US and European patents expire or are ignored by generic manufacturers overseas, often with the support or blessing of their national governments and court systems. The re-formulation or re-branding of patents has essentially been killed off, and governments from all countries are forcing down drug prices any way they can, thus eating into profits and research and development funds.

There has also been a major change in the risks that the healthcare industry faces, with a dramatic rise in cyber risk over the past few years. If you didn’t realize it, this cybersecurity risk now outweighs all other risks to the healthcare industry COMBINED!

New Healthcare, New risks. CSC World - Spring/Summer 2013

The healthcare industry is venturing into a world of tremendous opportunity — and tremendous risk. By linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms, the industry is drastically improving healthcare for all of us. But the changes are also creating a health IT landscape fraught with security challenges.

New Data Breach Rules Have Big Impact - February 2013

The Omnibus Final Rule on HIPAA and HITECH amendments was published on January 25, 2013. It makes sweeping changes in a number of areas which, while they appear to be minor, may have a major impact not only on HIPAA “covered entities” but also on business associates and their subcontractors who may have access to, or a need to use, Personal Health Information (PHI). This white paper seeks to address only one primary change: “How does the new rule impact information security incident response and data breach notification?”

How Hospitals Can Immunize Against Hackers, CSC World Magazine - Winter 2013

Cybercrime and data breaches are among the most commonly cited worries keeping healthcare CIOs awake at night. Recent surveys show that roughly three-quarters of healthcare organizations have suffered some kind of data breach or security incident in the past 12 months.

Hospitals and other healthcare organizations need to broaden their focus on compliance and pursue a robust, integrated, enterprise-type approach to securing data and other key assets. Under the U.S. Health Information Technology for Economic and Clinical Health Act, hospitals and other organizations can be fined up to $1.5 million per year for serious security incidents.

Doing it Right - Getting a Jump on Privacy and Security - July 2012

New data sources, changing regulations, and tighter enforcement of privacy and security rules are requiring healthcare leaders to be vigilant about protecting sensitive health information. More data are coming from more sources than ever before, including remote monitoring, mobile devices, and social media. Additionally, the stakes are higher as new enforcement efforts take effect and the HIPAA audit program reaches its stride.

From Cyber Compliance to Cyber Confidence - November 2012

Cyber crime and data breaches are among the most commonly cited things that keep healthcare CIOs up at night. Given the level of preparedness that many organizations have today, this is not surprising.

Recent surveys show that roughly three quarters of healthcare organizations have suffered some kind of data breach or security incident in the past 12 months. Among small healthcare organizations (with 250 employees or fewer), the figure is an astonishing 91%. According to the Department of Health and Human Services, over 19 million people have had their health information compromised since the breach notification rule went into effect just a few years ago.

What’s New in HIPAA Compliance: Key Steps to Completing the Meaningful Use Risk Assessment - August 2011

Privacy and security have become mission-critical for hospitals. Achieving full HIPAA compliance and satisfying the Meaningful Use Risk Assessment requirement may sound daunting, but it is very much a goal within reach.

Privacy and security have become mission-critical issues for hospital executives now that the proposed changes to the HIPAA regulations are about to be finalized and the risk assessment requirement for the electronic health record (EHR) incentive program is in full force. Organizations can no longer think of privacy and security as a set of disjointed or poorly enforced HIPAA requirements. The new requirements extend to the activities of covered entities, as well as those of their business associates, and the rules are being strongly enforced. The Office for Civil Rights (OCR) has already assumed a more active role in investigating entities that have experienced breaches and privacy incidents, in some cases issuing million-dollar-plus fines.

Microsoft MITS Compliance Planning Guide - August 2006

The Management of Information Technology Security (MITS) standard is an Operational Security Standard promulgated by Treasury Board Secretariat (TBS) that identifies a minimum baseline standard of care for IT Security within the Government of Canada (GoC). All GoC departments and agencies must comply with MITS by December 2006. This Microsoft MITS Compliance Planning Guide is designed to help IT managers and other key stakeholders within the GoC understand how Microsoft products and services can help them comply with many of the mandatory requirements identified in the MITS standard.

Microsoft Regulatory Compliance Planning Guide - June 2006

The Regulatory Compliance Planning Guide helps you understand what you need to do to comply with various regulations. The guide shows how various regulations drive specific requirements for specific IT controls. The guide also shows the Microsoft software and solutions that can help address those control requirements. This guide covers a variety of regulations, including the ever-popular Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and European Union Data Protection Directive (EUDPD).