External Threats to Healthcare Data
Joshua Spencer, CPHIMS, C|EH
Certified Ethical Hacker (C|EH)
Cyber-security Researcher
AVP & Chief Information Security Officer
UT Southwestern Medical Center
Overview
Why do hackers want my healthcare data?
Who wants to steal it?
How do they do it?
What is the impact of a breach?
How do I protect against it?
Why do hackers want my healthcare data?
[Chart. Categories: Financial Fraud, Medical Identity Theft, Ideology/Fun, State Sponsored Attacks. Values shown: 55%, 30%, 10%, 5%]
*2014 Verizon Data Breach Investigations Report
*2015 CSID Medical Identity Theft Report
Who are the external “hackers”?
*Dell Secureworks Healthcare Data Security Threats
[Chart. Categories: Advanced Persistent Threats (APT), Script Kiddies, Industrialized Hacking Organizations. Values shown: 5%, 15%, 80%]
How am I being hacked?
[Chart. Categories: Employee Phishing, Vendor Compromise, Website Hacking, Employee Internet Use, Employee Accident, On-location Hacking. Values shown: 40%, 28%, 17%, 9%, 4%, 2%]
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security
Employee Phishing
Employee receives fraudulent email reminding employee to “Confirm their Recent Promotion”
User clicks link in email and logs into fake HR website
Hacker logs into network remotely using stolen password
Hacker scans network and steals databases
Hacker sells stolen information on black market to identity thieves
Hacker logs into employee email to send fraudulent email to all contacts
Create and sell fraudulent medical, Social Security and State ID cards
Obtain prescriptions for narcotics
Partner with illicit providers for fraudulent Medicare billing
Vendor Compromise
Vendor hacked
Hacker accesses customer databases
Hacker logs into your network remotely and steals databases
Hacker sells stolen information on black market to identity thieves
Hacker logs into employee email to send fraudulent email to all contacts
Website Hacking
Website had a software flaw discovered
Bug allows a hacker to bypass the login
Company fails to apply the security update quickly enough
Hacker uses a network of infected computers to attack website
Attack installs data-stealing program
Program scans for juicy data (SSN)
Data sent to attacker’s computers
Hacker sells stolen information on black market to identity thieves
Computer now used to attack other companies
Internet Use
Employee’s computer has a software flaw discovered
Employee visits a hacked website
Company fails to apply the security update quickly enough
Attack installs data-stealing program
Program scans network for juicy data (tax returns, spreadsheets with SSN)
Data sent to attacker’s computers
Hacker sells stolen information on black market to identity thieves
Computer now used to attack other companies
How am I being successfully hacked?
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security
[Chart. Categories: Company Specific Attack, Healthcare Industry Attack, Untargeted Attack. Values shown: 5%, 27%, 69%]
What is the impact of a breach?
Consequences of a breach are much greater than in most other industries
Incorrect medical records (blood type, allergies, conditions) cause patient safety risks
HIV status disclosure is much more emotionally damaging than a Home Depot purchase history
Can’t give patients a new identity like you can with credit cards
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats
What is the impact of a breach?
$398 per health record on average in the U.S.; does not factor in reputational damage
Increasing civil penalties from HHS, up to $1.5 million
Heavy scrutiny from media and regulators
80% of new patients screen their provider on search engines
Increasing use of “vendor scorecards” will hurt customer growth
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats
How do I protect my healthcare data?
Factor security into your third-party vendor evaluations
Hire or contract with Information Security specialists
Train employees on recognizing fraud
Know where your data is going
Back up your important data
Use two-factor authentication