Critical Issues in Fraud Analytics

Transcription

1 Critical Issues in Fraud Analytics ISACA Presenter: Charles Faircloth, JD, CIG Faircloth Fraud Consulting Critical Issues in Fraud Analytics Introduction 1) Factors that drive fraud 2) Current fraud risks Data breach fraud Mobile & connected device fraud 3) Fraud Analytics Limits Parameters of presentation: Specifically covers: Short horizon factors Important for: CIOs CISOs System administrators IT managers

2 Focus of this review: Fraud & fraud analytics in healthcare Health care primary target of fraud Critical areas of security risk & liability: Fraud by data breach Mobile & connected device fraud Has wide application - all types businesses & agencies Part 1: Factors that Drive Fraud Provides references/review frameworks: Normal IT operations Fraud incidents Note: This review is not legal advice or counsel. - consult with your attorney. Introduction: Fraud in General Fraud earliest reported urban crimes 3 Factors Drive Fraud: Opportunity Pressure Rationalization Code of Hammurabi - 1,754 BC Fraud - is a hidden crime Uses deception to steal funds/data Data breach fraud (worldwide): $3.5 trillion plus - lost revenue Healthcare fraud (US): 10% total costs - $30 billion plus FRAUD Rationalization

3 Factor 1 - Opportunity Opportunities for fraud 2 categories: Security weaknesses Position advantage Security weaknesses: More mobile devices/apps - More problems. Healthcare behind in: Anti-fraud & HIPPA security standards IEEE published 1 st security standards (2015) Security weaknesses endemic to IT Keeps CISOs employed & CEOs up at night! Internal & external security weakness: External fraud security weaknesses - more publicity Internal weakness - far more costly Due to position advantage Position advantage: Increased opportunity for fraud - position of perpetrator Internal example: CIO sells proprietary information to competitor. External example: Criminal hacker buys list of credit card numbers Commits multiple frauds at a point of sale.

4 Largest fraud losses: Healthcare: Due to combination of: Systemic security weakness (e.g., mutable audit trail) + IT administrator with position advantage Exchange trading: Combination of: Security weaknesses + Employee with position advantage between: Trading & Back-office trade execution Fraud Factor 2 - Pressure Usually financial pressure, brought on by: Gambling - drug use - negative life events (e.g., divorce, bankruptcy) Pressure - human resource issue Managers must be aware of employees: Life events Performance changes Decreasing internal fraud pressure Steps to counter pressures: Conduct background checks at acceptable levels Before grant administrator/higher-system privileges Require: Administrators submit credit reports At standard intervals & change of position Employees report: Civil suits criminal arrests & incidents service of process debt collection at work place Fraud Factor 3 - Rationalization The human capacity for denial and rationalization is always shocking, but never surprising. David Levy, PhD, Humor in Psychotherapy Lectures Pepperdine University (2007)

5 Part 2: Current Fraud Risks Data Breach Fraud Data breach fraud - General Methods of data breach changing In healthcare (and most IT industries) In leading method data breach in healthcare: Criminal system attack Surpassed: Employee negligence - lost laptops for 1 st time Reference: Fifth Annual Benchmark Study on the Privacy & Security of Healthcare Data Ponemon Institute (2015) FBI Stats - Data breach fraud According to FBI: Criminals target healthcare databases because they contain in one place: PII - Personal identification information PCI - Personal credit information PHI - Protected health information Ask yourself - 2 critical questions Critical question 1: Do you have PII, PCI or PHI on your system? If answered is yes - know that: PII / PCI / PHIs - primary targets of data fraud Across all enterprises Most easily monetized data

6 Critical question - 2 How secure is your data? Criminals constantly work : to keep pace with data technology Data Breach - Fraud pays How much is your data worth to criminals? How is it monetized? FBI statistics - fraud monetization (2015): Credit cards: $ $1.00 (each) Healthcare data records: $60 - $70 (each) Criminals obtain: Name, DOB, SS, Policy, etc. Do the math: How many healthcare records do you have? 1,000-10, ,000 $60,00 - $600,000 - $6 million Total the number of records in your system - Calculate the huge financial temptation to criminals Ka-ching! Billions of dollars - Very tempting Stolen data is quickly sold on the Internet: To criminal organizations Using masking sites such as Tor In a few minutes: Your data - sold & resold All over the planet

7 Your stolen data - Used & Reused Criminals use your stolen data: To commit more frauds: Identity theft Tax fraud Medical device fraud Prescription fraud Other crimes Part 2: Current Fraud Risks Mobile/Connected Device Fraud Mobile/Connected Device Fraud In healthcare & other large organizations that collect data Mobile & connected device devices create: New data security & liability risks. Connected devices rapidly in greater use Mobile devices (e.g., cell phones) universally used Healthcare - Connected Devices Connected devices in healthcare: Bluetooth-enabled insulin pump connected with a wireless internal glucose monitor Pump delivers insulin to a diabetic patient using data from the monitor without human direction (except monitoring)

8 M/CD - Risks Risk for mobile/connected devices - similar Connected devices have additional risk They preform actions automatically without direct human intervention. M/CD - Proactive security To ensure a STRONG anti-fraud program: 1) Address fraud issues via contract provisions with all IT vendors 2) Develop & enforce a written mobile/connected device policy 3) Install mobile/connected device management software 4) Create, update, audit incident plans for all M/CD 5) Integrate personnel management, training, compliance audits M/CD - 6 critical questions Make sure you can answer YES to all these questions Do your M/CD devices: 1) Store & transmit data securely? 2) Accept software security updates to address new risks? 3) Avoid creating unauthorized access points of data? 4) Detect & avoid a new way or path to data theft? 5) Connect to institution's IT infrastructure so data are secure? 6) Have secure APIs - software and device connections? M/CD - 4 Anti-fraud actions Once you can answer YES to all 6 security questions: Implement these 4 recommended anti-fraud actions - to mitigate fraud opportunities & weaknesses in M/CD Require all IT vendor contracts include: 1) Data encryption 2) Authorized device-only networks 3) Physical security training and measures 4) Increased credential & password protection

9 M/CD - Data encryption Healthcare providers (and other organizations) : Should require IT vendors agreements ensure Data traffic of devices and applications be encrypted when communicating with: 1) The provider s private network, 2) Any outsourced providers and 3) Any cloud systems. M/CD - Provider audits Vendor contracts must allow provider to audit to: 1) Verify data transmitted in appropriate level of encryption 2) Ensure encryption works on your network 3) Test & retest your data encryption Authorized device-only networks Require that IT contracts allow: A single mobile or connected device to collect only data required for its intended operation Only grant access to data generated by single devices: By authorized and authenticated individuals, who need to handle the information Physical security - training & measures Device physical security - CRITICAL 5 effective steps - Ensure that: 1) Devices prevent data storage media accessed/removed 2) Devices difficult to take apart & display signs of tampering. 3) Data cannot be removed from device (otherwise security for transmitted data useless) 4) Train personnel in physical security procedures 5) Test & audit employee physical security awareness.

10 Credential & password protection 2 steps to increase credential & password security: (after setup - before critical data used & transmitted) 1) Require vendors change default passwords/usernames to meet organizational standards 2) All passwords/usernames - random & unassociated (Much more secure against hackers) 3 direct anti-fraud actions 1) Develop & train using written M/CD policy 2) Install mobile/connected device management software 3) Create, update & audit incident plans for M/CD MC/D - Written policy Your M/CD policy should at minimum provisions for: Purpose Applicability Appropriate use Management software (MDM) For organizations with multiple employees: MDM is a key component in device security MDM will ensure: Control of M/CD access to your infrastructure Securely manage data usage Securely manage internal/external movement Control M/CD application management features

11 Incident plans Important part - comprehensive risk management strategy Your incident plan should designate: Unit roles & authority with contact info attached Flowcharting recommended (in addition to written plan) Can t quickly respond - if haven t assessed weaknesses Document all incidents - no matter how minor Audit devices singly Final system considerations M/CD networks must NOT be configured to allow: Credentials & passwords be exposed in network traffic Audit at standard intervals Vendor contracts should require: Connected devices regularly updated: With improved security Testing/verification of updates before being put into use (Usually standard contract language - be sure to check) Part 3: Fraud Analytics Limits Fraud Analytics Limits Specific vs. Bulk data collection In 2014, President Obama tasked Director of National Intelligence: Determine feasibility of software targeting specific data transmissions (Instead of using bulk collection of data transmissions) ODNI referred to National Academy of Sciences Research Council. The Research Council s answer - in short - was NO: (Targeted collection could not replace bulk collection. ) Led to: renewed debate over the extension of Patriot Act in (2015)

12 Fraud Analytics Limits - Targeted data Many problems with targeted data: Too limited targeted view Wrong target source Loss of possibly valuable data over time Lack of context Lack of analytic resources Research Council recommends: Continuing use of bulk collection Apply automated use controls - prevent privacy breaches Fraud Analytics Limits - Targeted sourcing If targeted sourcing of: Very large/mutable telecom databases is insufficient - Then targeted fraud analytics of large datasets share the same problems. Credit, healthcare, insurance, government & others Using fraud analytics on large datasets should be aware of the limits of analytic tools. References Fraud analytics are like a searchlight They brightly illuminate the focal point Just beyond the beam - it is dark Slide: 6 - "Fraud Statistics." Fraud Statistics. CAIF Coalition Against Insurance Fraud, Web. 01 June < Slide: 9 - Landwehr, Carl, and Tom Haigh. "Building Code for Medical Device Software Security." IEEE Cybersecurity Initiative. Institute of Electrical and Electronic Engineers, Mar Web. 04 June < Slide: 16 - "Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare, According to Ponemon Study." Ponemon Institute/ID Experts, Inc., 06 May Web. 01 June < Slide: 17 - "FBI Health Care Fraud Release Collection." FBI. 17 June Web. 01 June < Slide: 28 - Tannenbaum, William A. "Healthcare's 'Internet of Things' Should Be the 'Security of Things'" Healthcare IT News. 19 May Web. 01 June < Slide: 35 - Rosciam, Michael, CPA. "Moving Violations: 3 Steps for Taming Mobile Threats." Thomas, Howell, Ferguson, PA., Web. 01 June < Slide: 40 - "New Report Says No Technological Replacement Exists for Bulk Data Collection;." National-Academies.org. Office of the Director of National Intelligence, 15 Jan Web. 01 June 2015 < RecordID=19414>.

13 Focusing on Fraud for over 25 Years Charles Faircloth, JD, CIG Principal & Founder ffc fraudconsult.com PowerPoint by: Maximize Your Image Elizabeth Woodsmall