
Page 1
Source: gato-docs.its.txstate.edu/jcr:3e2427fa-3245-4cae-b6b0-ea159abd3131/The Current State of...

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek

Current State of Privacy & Security in Healthcare
Presented by: Mac McMillan, CEO | CynergisTek, Inc.

Page 2

Today’s Presenter

Mac McMillan, CEO - CynergisTek, Inc.
[email protected]

• CEO, CynergisTek, Inc.
• Recognized as one of the top 50 Leading Health IT Experts of 2016
• Former Chair, HIMSS P&S Policy Task Force
• HIT Exchange Editorial Advisory Board
• HCPro Editorial Advisory Board
• Director of Security, DoD Agency
• Excellence in Government Fellow
• U.S. Marine Intelligence Officer, Retired

Page 3

Cybersecurity

Page 4

Top Security Risks in Healthcare

• Theft & Loss: No change. Nearly half of all breaches involve some form of theft or loss of a device that was not properly protected.
• Insider Abuse: Breaches in healthcare continue to be carried out by knowledgeable insiders for identity theft, tax fraud, and financial fraud.
• Unintentional Action: Breaches caused by mistakes or unintentional actions such as improper mailings, errant emails, or faxes are still prevalent.
• Cyber Attacks: More than 30% of the breaches reported involved some form of hacking, and those breaches accounted for nearly 99% of the records compromised.

Page 5

The Cyber Threat Spectrum

Hacktivism → Crime → Insiders → Espionage → Terrorism → Warfare

Page 6

Cyber Incidents: Evolving Healthcare Threat Landscape

Timeline periods on the slide: 2009 - 2011 | 2012 - 2014 | 2015 | 2016 | 2017*

Organization                   | Impact (records exposed or duration of disruption) | Cause
-------------------------------|----------------------------------------------------|------------------------
BCBS Tenn                      | 1.02M records                                      | Stolen HD
AvMed                          | 1.2M records                                       | Stolen laptops
NYC Health & Hospitals         | 1.7M records                                       | Stolen backup tapes
Advocate Medical               | 4.03M records                                      | Computer theft
Utah DHHS                      | 780K records                                       | Hacking
Boston Children’s              |                                                    | Hacktivism (Anonymous)
Nemours                        | 1.6M records                                       | Lost backups
Health Net                     | 1.9M records                                       | Lost HD
Mn.PH                          | 1.3M records                                       | Hacking
CHS                            | 4.5M records                                       | Hacking
Anthem BCBS                    | 80M records                                        | Hacking
Premera BCBS                   | 11M records                                        | Hacking
UCLA                           | 4.5M records                                       | Hacking
Beacon Health                  | 225K records                                       | Hacking
CareFirst                      | 1.1M records                                       | Hacking
Haley VA                       | 5 days                                             | Hacking
Titus                          | 6 days                                             | Hacking
HPMC                           | 10 days                                            | Hacking
Hurley                         | 6 days                                             | Hacking
St. Francis                    | 6K records                                         | Extortion
Appalachian Regional Hospitals | 3 weeks                                            | Hacking
Orleans Medical Clinic         | 7K records                                         | Hacking
Banner Health                  | 2.7M records                                       | Hacking
Multiple                       | DDoS                                               | Hacking

Page 7

The Cost of Insecurity

“Cybercrime damage costs will hit $6 trillion annually by 2021” - CSO, Dec. 2016

Page 8

Convergence

• By the end of 2016, 99% of U.S. acute-care hospitals had adopted an EHR system, compared to 12% in 2009
• According to HHS, the healthcare industry suffered a record 92 privacy breaches attributed to hacking in the first 11 months of 2016, a 64% increase from 2015
• In 2016 there were nearly 300 reportable breaches involving inappropriate access by an insider or business partner

Source: Modern Healthcare, Dec. 2016

Page 9

The Stakes Are Higher: Motivated, Persistent & Disruptive

• Cyber extortion
• Cyber espionage
• Hacktivism
• Targeted attacks
• Cyber terrorism
• APTs & malware

Page 10

The Onslaught of Malware

All threat centers agree:

• “Anti-virus systems are seeing or recognizing less than 50% of the malicious traffic across the net”
• The number of new malware variants jumped to well over 400 million last year
• The number of “zero day” attacks increased to more than one new attack a week
• Moreover, hackers are now using “machine learning” technology to improve their chances of evading detection

“The perfect storm is brewing that will pummel our Nation’s public and private critical infrastructures with wave upon wave of devastating cyberattacks.” – ICIT, 2016

Page 11

Cyber Espionage: Intelligence

Cyber espionage is being carried out by nation-state actors for political purposes.

• Large breaches such as Anthem, Premera, Community Health Systems, and UCLA are suspected cases of espionage
• A case example is the OPM intrusion, presumed to be the work of a Chinese group, which captured security clearance documents
• But… they are also targeting the industrial control systems that run critical infrastructure

Page 12

Hacktivism: Causes

Attacking for a cause

• U.S. government databases were breached in 2013 by Edward Snowden, who released hundreds of classified documents in an “act of conscience”
• GhostShell attacked several U.S. universities in 2015, leaking sensitive information
• Anonymous hacked Boston Children’s and Hurley Medical Center for ideological reasons
• A pro-ISIS group hacked a hospital website

Page 13

Targeted Attacks: Multiple Motivations

Typically nation-state attack groups

• “APTs are known for being highly sophisticated, using multiple vectors to attack a target network, and having unrelenting tenacity”
• Many attacks go undetected for considerable periods of time, an estimated 280 days on average
• Phishing, zero-day attacks, and ransomware have increased dramatically since the end of 2015

“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner Inc., 2012

Page 14

FBI Alert for Anon. FTP
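The slide refers to the FBI alert on anonymous FTP servers. As an added example, not part of the original presentation or CynergisTek’s material, the Python below shows the check a practitioner would run: it audits a vsftpd-style configuration for anonymous access (treating an absent anonymous_enable directive as the vsftpd default of YES) and includes a live anonymous-login probe. The three sample configurations are constructed for illustration, and the host passed to probe_anonymous_login is a caller-supplied assumption; nothing on the slide names one.

```python
"""Anonymous FTP exposure check.

Added example, not from the original presentation or from CynergisTek.
audit_vsftpd_conf() evaluates vsftpd-style key=value directives offline;
probe_anonymous_login() is a live check against a caller-supplied host
(the host is an assumption; the slide names none).
The sample configurations below are constructed for illustration.
"""
import ftplib

# Defaults that matter for anonymous exposure, per the vsftpd.conf man page.
# anonymous_enable defaults to YES when the directive is absent, so a config
# that never mentions it still permits anonymous logins.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {directive: value} from key=value lines; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd_conf(text):
    """Return a list of findings; an empty list means no anonymous exposure."""
    cfg = parse_vsftpd_conf(text)
    effective = {k: cfg.get(k, d).upper() for k, d in DEFAULTS.items()}
    findings = []
    if effective["anonymous_enable"] == "YES":
        why = "explicitly set" if "anonymous_enable" in cfg else "absent, vsftpd default is YES"
        findings.append(f"anonymous_enable=YES ({why}): unauthenticated read access to the FTP tree")
        anon_write = any(effective[k] == "YES" for k in
                         ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"))
        if effective["write_enable"] == "YES" and anon_write:
            findings.append("anonymous write access enabled: server can serve as a drop point "
                            "for exfiltrated data or malware")
    return findings


def probe_anonymous_login(host, port=21, timeout=5.0):
    """Live check: True if the server accepts an anonymous login.

    Needs network access; the offline demo below does not call it.
    """
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # ftplib defaults to user 'anonymous' with password 'anonymous@'
            return True
    except ftplib.all_errors:
        return False


# Constructed sample configurations (no real hosts).
WEAK_CONF = """\
# exposed: anonymous read and upload
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
local_enable=YES
"""

IMPLICIT_CONF = """\
# anonymous_enable omitted, so the compiled-in default (YES) applies
listen=YES
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
# corrected: anonymous logins off, authenticated users only
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("implicit", IMPLICIT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_vsftpd_conf(conf) or ['no anonymous exposure']}")
```

The implicit case is the one that bites in practice: a configuration that never mentions anonymous_enable looks harmless in a grep but still allows anonymous logins, which is why the audit evaluates effective values rather than only the directives present.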

Page 15

Shadow Broker Hackers

• 8 months ago the “Shadow Brokers” leaked a gigabyte’s worth of NSA weaponized software exploits.
• They continue to release access to more of these files.
• Multiple zero-day exploits were included in these files.
• These tools can be used by anyone: complete, unredacted computer code.
• Unpatched vulnerabilities in mainstream products: Cisco, Juniper, Microsoft…
• Demonstrates the problem of anyone having access to this data.

Page 16

Cyber Extortion: Money/Embarrassment

• Ransomware first appeared around 2005
• Two forms: crypto ransomware (encrypts data) and locker ransomware (locks the system)
• Sophisticated attacks use:
  • New asymmetric keys for each infection
  • Industrial-strength public/private key encryption
  • Privacy-enabling services such as Tor and Bitcoin for payments
• Indifferent to target: everyone is a target (home/business)
• Delivered via malvertising, spam email, downloaders/botnets & social engineering

The United States is the largest target worldwide by a huge margin. SOCs worldwide report as much as a 10X increase in ransomware attacks from December to January, with no abatement.

Page 17

Healthcare as a Critical Infrastructure

“The targeting of organizations relating to population welfare may be part of an intelligence-collection effort intended to support the aims of China’s 12th FYP, which launched in 2011.” It could also be cyber terrorism or disruption of critical services.

Source: CrowdStrike 2015 Global Threat Report.

Page 18

Ubiquitous Is The New Paradigm

Threats are introduced from all directions; simple compliance strategies will not suffice, and an integrated set of controls is needed.

• Smart phones
• IoT
• Social media
• POS systems
• Medical devices
• Removable media (USBs)
• SPAM & email
• Applications
• Smart TVs
• CCTV cameras
• Environmental systems
• Downloads
• Attachments
• Browsers
• Wearables
• Telehealth

Page 19

The Mirai Effect

The Mirai botnet has enabled unsophisticated attackers to:

• Stifle free speech on the Internet
• Deliver 1.1 Tbps of traffic to a French ISP
• Overwhelm Dyn’s DNS systems in the U.S.
• Hinder heat distribution in Finland
• Launch politically motivated attacks
• Disrupt on-line banking in Russia

Page 20

What are Vendors Doing with PHI?

“There you are, I was tracking you.”

• The ride-hailing platform Uber had two breaches in 2014 that weren’t reported until 2015, drawing the ire of the New York State Attorney General.
• What they did:
  – First, they allowed internal users access to riders’ PII and displayed it through a tracking system called “God View”.
  – Second, a breach of their database gave a third party access to roughly 50,000 drivers’ PII by way of an access key exposed on GitHub.
• The settlement requires Uber to employ encryption, better access controls and multi-factor authentication.
• Health systems are partnering with Uber to help patients not miss appointments.

Page 21

Human Nature WILL NOT Change

• Insider threats have continued to grow year over year since 2010
• Many CIOs recognize that people with elevated privileges are a big risk
• Contractors/service providers have become a big concern
• Most pharmacy data thefts and fraud are the work of insiders
• Most feel awareness training is failing
• Traditional compliance/rule-based auditing is failing

[Chart: Insiders are responsible for 90% of security incidents; of those, 29% malicious and 71% unintentional]

Page 22

Short Term Demand Outpaces Supply

• Nearly half of all entities do not have a full-time CISO or information security manager
• Current estimates place the shortage of CISOs at 1.5M
• Education & training vehicles are increasing, but time is still a factor
• Short-term reliance on external support is critical

Page 23

Compliance as a Distraction

• HHS Security & Privacy guidance does not fully address the important controls outlined in federal guidance.
• HHS guidance does not fully align with the NIST Cybersecurity Framework.
• The HIPAA Security Rule covers only 19 of the 98 elements of the CSF.
• Being compliant with HIPAA does not assure adequate protection of information systems or patient information.

Page 24

Compliance as a Distraction

• Understanding the business
• Gaining executive involvement
• Threat awareness
• The people investment
• The process investment
• The technology investment
• Partnering for success
• Meeting other mandates

Page 25

Questions?

Mac McMillan
[email protected]
512-402-8550
@mmcmillan07