External Threats to Healthcare Data

Joshua Spencer, CPHIMS, C|EH

Certified Ethical Hacker (C|EH) Cyber-security Researcher AVP & Chief Information Security Officer

UT Southwestern Medical Center

Joshua Spencer

Overview

Why do hackers want my healthcare data?

Who wants to steal it?

How do they do it?

What is the impact of a breach?

How do I protect against it?

Why do hackers want my healthcare data?

55%30%

10%

5%

Financial Fraud

Medical Identity Theft

Ideology\Fun

State Sponsored Attacks

*2014 Verizon Data Breach Investigations Report

*2015 CSID Medical Identity Theft Report

*2015 CSID Medical Identity Theft Report

Who are the external “hackers”?

*Dell Secureworks Healthcare Data Security Threats

5%

15%

80%

Advanced Persis-tant Threats (APT)

Script Kiddies

Industrialized Hack-ing Organizations

How am I being hacked?

40%

28%

17%

9%

4% 2%

Employee Phishing

Vendor Compromise

Website Hacking

Employee Internet Use

Employee Accident

On-location Hacking

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security

Employee receives

fraudulent email

reminding employee to

“Confirm their Recent

Promotion”User clicks link in email and logs into fake HR website

Hacker logs Into network

remotely using stolen

password

Hacker scans network and

steals databases

Hacker sells stolen

information on black market

to identity thieves

Hacker logs into employee email to send

fraudulent email to all

contacts

Employee Phishing

Employee receives fraudulent email

reminding employee to “Confirm their

Recent Promotion”

User clicks link in email and logs into

fake HR website

Hacker logs into network remotely

using stolen password

Hacker scans network and steals

databases

Hacker sells stolen information on black market to identity thieves

Hacker logs into employee email to

send fraudulent email to all contacts

Create and sell fraudulent

medical, Social Security and

State ID cards

Obtain prescriptions for

narcotics

Partner with illicit providers for fraudulent

Medicare billing

Employee Phishing

Vendor hacked

Hacker accesses customer databases

Hacker logs Into your network

remotely and steals databases

Hacker sells stolen information on black market to identity thieves

Hacker logs Into employee email to

send fraudulent email to all

contacts

VendorCompromise

Website had a

software flaw

discovered

Bug allows a hacker to bypass the login

Company fails to

apply the security update quickly enough

Hacker uses a

network of

infected computer

s to attack

website

Attack installs data

stealing program

Program scans for juicy data

(SSN)

Data sent to

attacker’s computers

Hacker sells

stolen information on black market to identity thieves

Computer now used to attack

other companie

s

Website Hacking

Employee’s

computer has a

software flaw

discovered

Employee visits a hacked website

Company fails to

apply the security update quickly enough

Attack installs data

stealing program

Program scans

network for juicy data (tax returns,

spreadsheets with SSN)

Data sent to

attacker’s computers

Hacker sells stolen information on black market to identity thieves

Computer now used to attack

other companies

Internet Use

How am I being successfully hacked?

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security

5%

27%

69%

Company Specific Attack

Healthcare Industry Attack

Untargeted Attack

What is the impact of a breach?

Consequences of a breach are much greater than most other industries

Incorrect medical records (blood type, allergies, conditions) causes patient safety risks

HIV status disclosure is much more emotionally damaging than a Home Depot purchase history

Can’t give patients a new identity like you can with Credit Cards

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats

What is the impact of a breach?

$398 per health record on average in the U.S. Does not factor in reputational damage

Increasing civil penalties from HHS, up to $1.5 million

Heavy scrutiny from media and regulators

80% of new patients screen their provider on search engines

Increasing use of “vendor scorecards” will hurt customer growth

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats

How do I protect my healthcare data?

Factor security into your 3rd party vendor evaluations

Hire or contract with Information Security specialists

Train employees on recognizing fraud

Know where your data is going

Backup your important data

Use two-factor authentication

Overview

Why do hackers want my healthcare data?

Who wants to steal it?

How do they do it?

What is the impact of a breach?

How do I protect against it?