Why the Health Care Industry Is a Favorite Target for Hackers

April 22, 2018

RAPIDLY EVOLVING CYBERTHREATS

Motivational Shifts

(Diagram: additive motivation progression line. Actors: fraudsters, hacktivists, nation-states. Motivations: theft, disruption, destruction.)

EVOLUTION OF HACKERS & THEIR MOTIVATIONS

• Traditional
▪ Thrill seekers
▪ Pioneers
▪ Teenagers

• Current
▪ Terrorists
▪ Hacktivists
▪ Organized crime
▪ State-sponsored
▪ Hacking as a business model

EVOLUTION OF HACKERS & THEIR MOTIVATIONS

• Old tactics
▪ Highly sophisticated technical attacks
▪ Required advanced training, intelligence

• Current tactics
▪ Social engineering
▪ Understanding of human nature & psychology
▪ Social media, phone & email are primary tools
▪ They let us do most of the work for them

CHARACTERISTICS

Some May Surprise You

• Skilled

• Persistent

• Practical

• Difficult to detect

• Work well in teams

• Not arrogant

• Patient

TOP CYBERCRIMES

• Business email compromise

• Ransomware

• Corporate account takeover

• Identity theft

• Theft of sensitive data

• Theft of intellectual property

• Denial of service

EXAMPLES FROM THE NEWS

• 2016: Breach of data for 34,000 patients
• 2016: Breach of data for 3.7 million patients
• 2017: Ransomware canceled operations in Pennsylvania-based health care system
• 2016: Ransomware attack that limited internal web services; prompted internal state of emergency

THE WEAKEST LINK IS …

YOU! (& ME)

• Human attributes exploited by hackers

▪ Distracted

▪ Overworked

▪ Compartmentalized

▪ Disengaged

▪ Trusting

▪ Naive

▪ Hurried

• Situational factors vary degree of these weaknesses & hackers know how to capitalize on them

▪ Attacks come on Friday afternoons

▪ Attacks come at month-, quarter-, fiscal-ends

▪ Attacks come just before holidays or days off

▪ Attacks tailored to current events, news, sports, etc.

EXAMPLE: BUSINESS EMAIL COMPROMISE

• Hospital controller receives email from “CFO” requesting all employee W-2s pursuant to an IRS inquiry

• Needs it today (received in the afternoon)

• Controller puts it all together into one PDF, alphabetized

• Hacker responds, telling her “this is more than I had hoped for”

• Compromised W-2 information sold on the underground market

• Numerous employees contacted by real IRS about issues with their returns, or why they submitted two returns

“FOOTPRINTING”

• Hackers monitor high-level employees via corporate website, media & their personal social media

• Fake emails sent for purposes of reading “out-of-office” replies

• Learn their lingo, travel patterns, associations & when they take vacations

• Follow executives, steal mobile devices, set up fake hotspots near them

• Will strike when executives are out of pocket

MANAGING EMAIL COMPROMISE RISK

• #1 tactic – increase training & awareness

• Verify requests for info or $ via phone, keep contacts in offline format

• Double check email addresses, links & attachments

• Limit number of employees authorized to handle PII or send wires

• Watch for sense of urgency, consequence or “favors”

• Slow it down

• Watch disclosing too much on social media, email replies & websites

• Two-factor authentication is a pain … but it works
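The verification habits above (check the sender address and reply-to, watch for urgency and for requests for PII or money, be wary of Friday-afternoon timing) can be turned into a mail-flow triage check. The Python script below is an added example, not part of the original presentation: it scores a message's headers and text for these indicators and returns the list of hits. The corporate domain, the executive directory, the keyword lists and both sample messages are constructed assumptions; tune them to your own organization.

```python
"""Triage an inbound email for business email compromise (BEC) indicators.

Added example, not part of the original presentation. CORPORATE_DOMAIN,
EXECUTIVES, the keyword lists and the two sample messages are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-hospital.org"                 # assumed real domain
EXECUTIVES = {"pat rivera": "CFO", "dana liu": "CEO"}     # assumed directory
URGENCY_TERMS = ("today", "urgent", "asap", "immediately", "before you leave")
SENSITIVE_TERMS = ("w-2", "w2", "wire", "payroll", "ssn", "gift card")


@dataclass
class Email:
    from_header: str
    reply_to: str
    subject: str
    body: str
    received: datetime


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_bec(msg: Email) -> list[str]:
    """Return the BEC indicators present; an empty list means nothing was flagged."""
    findings: list[str] = []
    name, addr = parseaddr(msg.from_header)
    sender_domain = _domain(addr)

    # An executive's display name on an address outside the corporate domain.
    if name.lower() in EXECUTIVES and sender_domain != CORPORATE_DOMAIN:
        findings.append(f"display name '{name}' ({EXECUTIVES[name.lower()]}) "
                        f"from external domain {sender_domain}")

    # Sender domain one or two edits away from the real one (e.g. l -> 1).
    if sender_domain != CORPORATE_DOMAIN and 0 < edit_distance(sender_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain {sender_domain}")

    # Reply-To routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.reply_to)
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append(f"reply-to domain {_domain(reply_addr)} differs from sender")

    text = f"{msg.subject} {msg.body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("request for PII or funds")

    # The deck notes attacks land on Friday afternoons (weekday 4, 12:00 or later).
    if msg.received.weekday() == 4 and msg.received.hour >= 12:
        findings.append("received Friday afternoon")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = Email(
    from_header='"Pat Rivera" <pat.rivera@example-hospita1.org>',
    reply_to="pat.rivera.cfo@freemail.example",
    subject="W-2s for IRS inquiry",
    body="Please send every employee W-2 in a single PDF today.",
    received=datetime(2018, 4, 20, 15, 30),   # a Friday afternoon
)
LEGIT = Email(
    from_header='"Pat Rivera" <pat.rivera@example-hospital.org>',
    reply_to="",
    subject="Q2 budget meeting",
    body="Agenda attached for Tuesday.",
    received=datetime(2018, 4, 17, 10, 0),    # a Tuesday morning
)

if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, score_bec(msg) or ["no indicators"])
```

A single hit is not proof of fraud; the value is in the combination. The constructed W-2 request trips all six checks, while the routine budget email from the real executive trips none, which is the separation a mail gateway rule or an analyst checklist needs. Any message that scores on both "urgency" and "request for PII or funds" is exactly the case the slide's "verify via phone, keep contacts in offline format" advice is meant for.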

THE STORY …

Executive footprinting

✓ Executive of large industrial conglomerate was “footprinted” by hackers through social media, corporate postings & email replies

✓ Followed when on vacation; tablet was stolen when left unattended

Missteps

✓ Tablet was not protected with a passcode

✓ Linked to corporate email account

✓ Executive didn’t disclose to IT until a barrage of phishing incidents began

✓ Two weeks elapsed from theft to disclosure

✓ Elements of Equifax & Target incidents

THE FALLOUT …

Contents of email account

✓ Personally identifiable information (PII) of dozens of high-ranking employees

✓ Personal tax return & SSN of executive & family

✓ Strategic plans, including acquisition/takeover plans deemed “highly confidential”

✓ Trade secret information related to formulas, production processes, etc.

✓ Personal website username/password information

✓ Password-protected documents – with password for those documents provided in the “next email”

✓ Lingo used to request/authorize wire transfers

✓ Worse yet: communication lingo & patterns, identification of employees responsible for wire transfers & holding sensitive information, etc.

Immediate actions

✓ Incident response plan brought into action

✓ All email account credentials changed

✓ Wire transfer protocols suspended – went to manual authorization

✓ Corporate account access credentials changed

✓ Law enforcement, external counsel, insurance notified

✓ Forensic preservation/investigation of affected assets

✓ Notification to affected parties; provided monitoring

THE EPILOGUE …

✓ Ironically, the executive did not fire himself for not taking cybersecurity more seriously …

✓ Full IT risk audit was performed, including penetration testing (“stress testing”)

✓ Training provided to executives & employees in key areas on cybersecurity awareness & habits

✓ New policies created/enforced related to personal device usage

RANSOMWARE

The Threat

• U.S. government interagency report: there have been 4,000 daily attacks since early 2016 (300% increase over 2015)

• Exploits human & technical weakness to gain access to infrastructure to deny organization its own data

• Malicious software (malware) infects systems & encrypts user data

• HIPAA Security Rule requires

▪ Conducting risk analysis to identify threats & vulnerabilities; remediate gaps

▪ Implementing procedures to guard against & detect malware

▪ Training users to detect & report malware

▪ Implementing access controls to limit access to ePHI to only those persons or software programs requiring access

RANSOMWARE

Medical Devices

• Bayer confirmed reports of WannaCry affecting U.S. health care providers’ equipment

▪ Bayer’s infected devices included

• Computed tomography (CT) scanner

• Magnetic resonance imaging (MRI) scanner

▪ Sources believed attack was caused by outdated software & neglected updates

• FDA inspects St. Jude equipment after Abbott’s 2017 purchase, determining that the following devices are susceptible to attacks

▪ Implantable cardioverter defibrillators (ICD)

▪ Cardiac resynchronization therapy defibrillators (CRTD)

CASE STUDY

Issue: Midsize hospital sustained two consecutive ransomware attacks, which greatly disrupted access to patient records. After the first attack, hardware & software upgrades were identified; however, budgetary constraints delayed their purchase. There was no formal incident response plan.

Solution: After the second attack, the hospital hired a consultant to perform a forensic evaluation of the attack, verify its extent & eradicate malware from the IT environment. Also, the hospital had a cybersecurity assessment performed to identify vulnerabilities.

Results: The hospital needed to pay the ransom; however, eventually it was able to evaluate & purge the malware. The assessment successfully identified additional improvements to strengthen cybersecurity controls.

MANAGING RANSOMWARE RISK

• #1 tactic – increase training & awareness

• Patch management

• IT risk assessment or audit will draw out potential weaknesses

• Backup policy should include special class of “essential operating items.” These should be backed up daily

• Backup & recovery process should be tested before an event (Denver example)

• Paying the ransom will only encourage future attempts

• But … many organizations stockpiling some bitcoin, just in case. Banks also holding as a service to their customers
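The backup guidance above (a special class of essential operating items backed up daily, and a recovery process tested before an event rather than during one) can be checked mechanically rather than trusted. The Python script below is an added example, not the presenters' material: it audits a constructed backup catalog against an assumed policy and verifies a restore by recomputing the SHA-256 digest recorded at backup time. The policy thresholds, item names, catalog entries and the "restored" bytes are all constructed assumptions.

```python
"""Audit a backup catalog against a ransomware-recovery policy.

Added example, not part of the original presentation. The policy thresholds,
item classes, catalog entries and the "restored" bytes are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy: the deck's "essential operating items" class is backed up
# daily, everything else weekly, and every item needs a recent restore test.
MAX_BACKUP_AGE = {"essential": timedelta(days=1), "standard": timedelta(days=7)}
MAX_RESTORE_TEST_AGE = timedelta(days=90)


@dataclass
class BackupRecord:
    item: str
    item_class: str                      # "essential" or "standard"
    last_backup: datetime
    sha256: str                          # digest recorded when the backup was written
    last_restore_test: Optional[datetime]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(record: BackupRecord, restored: bytes) -> bool:
    """A restore test passes only if the restored bytes match the recorded digest."""
    return sha256_hex(restored) == record.sha256


def audit(catalog: list[BackupRecord], now: datetime) -> list[str]:
    """Return one line per policy violation; an empty list means the catalog is compliant."""
    violations: list[str] = []
    for rec in catalog:
        limit = MAX_BACKUP_AGE.get(rec.item_class)
        if limit is None:
            violations.append(f"{rec.item}: unknown class {rec.item_class!r}")
            continue
        age = now - rec.last_backup
        if age > limit:
            violations.append(f"{rec.item}: last backup {age.days}d ago exceeds "
                              f"{limit.days}d limit for {rec.item_class} items")
        # A backup that has never been restored is an untested assumption.
        if rec.last_restore_test is None:
            violations.append(f"{rec.item}: restore never tested")
        elif now - rec.last_restore_test > MAX_RESTORE_TEST_AGE:
            violations.append(f"{rec.item}: restore test older than {MAX_RESTORE_TEST_AGE.days}d")
    return violations


# Constructed catalog as of an assumed audit time.
NOW = datetime(2018, 4, 22, 8, 0)
EHR_SNAPSHOT = b"constructed stand-in for an EHR database snapshot"
CATALOG = [
    BackupRecord("ehr-db", "essential", NOW - timedelta(hours=6),
                 sha256_hex(EHR_SNAPSHOT), NOW - timedelta(days=30)),
    BackupRecord("pharmacy-orders", "essential", NOW - timedelta(days=3),
                 sha256_hex(b"constructed pharmacy orders"), None),
    BackupRecord("intranet-wiki", "standard", NOW - timedelta(days=5),
                 sha256_hex(b"constructed wiki export"), NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for line in audit(CATALOG, NOW):
        print("VIOLATION", line)
    print("ehr-db restore verified:", verify_restore(CATALOG[0], EHR_SNAPSHOT))
```

Run against the constructed catalog, the audit reports three violations: the pharmacy order system is an essential item three days stale with no restore ever attempted, and the wiki's last restore test is far outside the window. The EHR database passes both checks, and `verify_restore` confirms its restored bytes against the stored digest, which is the difference between "we have backups" and "we have tested recovery".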

WHY ARE HEALTH CARE PROVIDERS SO VULNERABLE?

• Given the quantity & variety of personally identifiable information (PII), cyber risk is inherently high

• Spending priority is often given to the organization’s mission rather than to “back office”

▪ Challenging to recruit & retain expensive resources

▪ Infrastructure improvements may not be robust

• Heavy reliance on third-party service providers

• Reputational risk is critical

POTENTIAL BREACH IMPACTS

• Negative publicity

• Regulatory sanctions

• Refusal to share personal information

• Damage to brand

• Regulator scrutiny

• Legal liability

• Fines

• Damaged patient relationships

• Damaged employee relationships

• Deceptive or unfair trade charges

• Diversion of resources

• Lost productivity

DARK WEB PRICING

Credit Cards                                    Price (2012–2014)     Current Price
Visa & Mastercard                               $4                    $7
Visa & Mastercard with Track 1 & Track 2 data   $23 (V); $35 (MC)     $30
Premium American Express                        $28                   $30
Bank account credentials                        $15,000 for 500       $15,000 for 500

Email Accounts                                  Price (2012–2014)     Current Price
Popular email (Gmail, Hotmail, Yahoo)           $100 per 100,000      $100 per 100,000
Corporate email                                 N/A                   $500 per mailbox
IP address of email user                        $90                   $90

WHAT DRIVES COST OF BREACHES?

(Chart not reproduced in transcript.) Source: 2016 Ponemon Institute Cost of a Data Breach Study

INTERESTING STATISTICS

• Timing

▪ In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)

▪ In 83% of cases, it took weeks or more to discover an incident occurred

▪ Attackers take easiest route (63% leveraged weak, default or stolen passwords)

▪ 95% of breaches were made possible by nine patterns, including poor IT support processes, employee error & insider/privilege misuse of access

REGULATORY RESPONSE OVER TIME

1934: SEC Act

1974: Family Educational Rights and Privacy Act (FERPA)

1996: HIPAA

1999: Gramm-Leach-Bliley Act

2000: 17 CFR Part 248 (Brokers Consumer Protection)

2001: Cybersecurity Enhancement Act

2003: California Data Breach Law

2006: PCI DSS

2009: HITECH

2010: Massachusetts Breach Notification Law

2013: HIPAA (Omnibus)

2018: General Data Protection Regulation (GDPR)

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)

• Covers

▪ Health care providers/payors

▪ Health care clearinghouses

▪ Employers who administer their own health plans

▪ Business process outsourcers/cloud providers that serve the health care market

• Protected health information (PHI)

▪ Covered entities may only use or disclose PHI as permitted

• Enforced by

▪ HHS Office for Civil Rights

▪ State attorneys general

• Introduced

▪ HIPAA (1996), HITECH (2009) & The Omnibus Rule (2013)

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

• Covers

▪ Businesses accepting credit & debit card payments

▪ “Card Present” transactions (card swipes)

▪ “Card Not Present” transactions (e-commerce)

• Cardholder data

▪ Storing, processing & transmitting by “merchants”

• Enforced by

▪ Credit card brands

▪ “Acquiring Bank” responsible for processing payment transactions

• Introduced

▪ PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, Mastercard, Discover, American Express, JCB), created the PCI DSS in 2006; updated on three-year cycle

GENERAL DATA PROTECTION REGULATION (GDPR)

• Covers

▪ Personal data of European Union citizens & those living/traveling in EU

• Data privacy impact assessment (DPIA)

▪ Systematic description of planned processing operation & purposes of processing, including where applicable, legitimate interest pursued by organization

▪ Assessment of necessity & proportionality of processing operations in relation to purposes

▪ Assessment of risks to rights & freedoms of data subjects likely to result from processing

▪ Measures planned to address risks, including safeguards, security measures & mechanisms to ensure protection of personal data & demonstrate compliance with GDPR

• Enforced by

▪ GDPR supervisory authorities (SA) of EU (deadline: May 25, 2018)

CYBER RISK OVERSIGHT

WHAT DO HOSPITAL BOARDS WANT TO KNOW?

What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?

Do we think there is adequate protection in place for our corporate “crown jewels” if someone wanted to do damage? If not, what would it take to feel comfortable that our assets were protected?

Are we investing enough so our corporate operating & network systems are not easy targets by a determined hacker?

Are we considering cybersecurity aspects of our major business decisions, e.g., mergers & acquisitions, partnerships, new product launches, in a timely fashion?

Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey

FIVE PRINCIPLES OF CYBER RISK OVERSIGHT

• Organizations need to understand & approach cybersecurity as an enterprisewide risk management issue, not just an IT issue

• Understand legal implications of cyber risks as they relate to their organization’s specific circumstances

• Have adequate access to cybersecurity expertise & discussions about why cyber risk management should be given regular & adequate time on the board meeting agenda

• Set expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing & budget

• Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

Source: Cyber-Risk Oversight 2017, Director’s Handbook Series

CYBER INSURANCE

• Traditional fraud/loss policies may not cover cyber events

• Contact your insurance provider to see what is offered

• When planning coverage, ask about various scenarios

• Many insurers require incident response plans & proper protections before they will pay

• Many insurers require a forensic or law enforcement report of the incident, performed by a third party

• Remember, insurance companies are not in the business of insuring negligence

ASSESSING YOUR CYBERSECURITY PROGRAM

NIST CYBERSECURITY FRAMEWORK (NIST CSF)

• Background

▪ Published February 12, 2014, by the National Institute of Standards & Technology (NIST)

▪ Voluntary federal framework (not a set of standards) for critical infrastructure services

▪ Provides common language for organizations to assess, communicate & measure improvement in security posture

• Controls

▪ High-level controls provide framework of “what” but not “how”

▪ Five functions, 22 control categories, 98 key controls derived from industry best practice & standards

▪ Contains four maturity tier ratings

NIST CYBERSECURITY FRAMEWORK

Framework categories, grouped by the five functions:

• Identify

▪ Asset Management

▪ Business Environment

▪ Governance

▪ Risk Assessment

▪ Risk Management Strategy

• Protect

▪ Access Control

▪ Awareness & Training

▪ Data Security

▪ Information Protection Processes

▪ Maintenance

▪ Protective Technology

• Detect

▪ Anomalies & Events

▪ Security Continuous Monitoring

▪ Detection Processes

• Respond

▪ Response Planning

▪ Communications

▪ Analysis

▪ Mitigation

▪ Improvements

• Recover

▪ Recovery Planning

▪ Improvements

▪ Communications

Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

FRAMEWORK BENEFITS

• Comprehensive in scope

• Intuitive

• Risk-based – allows the organization to prioritize remediation activities depending on the organization’s risk appetite & cybersecurity control maturity desired

• Commonly accepted standard – provides basis of consistent assessment in the future

CALL TO ACTION

• Perform a framework-based cybersecurity assessment that allows the organization to determine the organization’s assets to protect, compliance requirements & cyber readiness of current protections

• Remediation activities should be prioritized & scheduled over time, based on level of risk

• Build a robust breach response plan that is practiced & updated regularly

Questions?

Thank You!

Jan Hertzberg | [email protected]

Lanny Morrow | [email protected]