Cyber Security An Exercise in Predicting the Future

Transcription

1 Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I I

2 What is Cyber Security? Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack Merriam-Webster

3 How Do We Define Cyber Security in Healthcare? HIPAA Security Rule HITECH Breach Prevention PCI DSS Level of Sophistication

4 The Past Experience is simply the name we give our mistakes Oscar Wilde

5 The Past Data Breach Summary from September 2009 August 2014, impacting 500 or more individuals Total Reported Breaches: 1083 Involving a Business Associate: 310 (29%) Unauthorized Access/Disclosure 20% Unknown 1% Hacking/IT Incident 9% Theft 51% Loss 10% Other 9% Data Source:

6 The Past Data Breach Type % of Breach Type by Occurrence % of Individuals Affected Sum of Individuals Affected Hacking/IT Incident 9% 11% 3,636,888 Loss 10% 21% 7,232,870 Other 9% 3% 1,093,978 Theft 51% 51% 17,347,925 Unauthorized Access 20% 8% 2,527,422 Unknown 1% 6% 1,934,474 Total 100% 100% 33,773,557

7 The Past Over 30 Million Patient s Data

8 The Value of Protected Health Information PHI and Medical Records are valued at approximately $50 a patient record on the black market. Comparatively, credit card data is typically valued at $2 an account. Possible PHI Data Targets Social Security Number Identity theft Payment information Financial crime Tax Identification Number Tax fraud Beneficiaries Tax and financial fraud Diagnosis Information Marketing value and/or malicious intent Health insurance credentials Medical identity theft

9 The Future The future, according to some scientists, will be exactly like the past, only far more expensive. - John Sladeck

10

11 Welcome to the Future Healthcare Technology Trends Bring Your Own Devices (BYOD) Mobile Applications - Telemedicine Social Aspect Networked Medical Devices Big Data Cloud Computing Increasing Integration Points

12 Welcome to the Future Insurance Companies Companion Health Systems Reporting Services HIE ephi Patient Portal Outside Lab 3 rd Party Billing

13 Welcome to the Future Enhanced Medical Devices Insulin Pumps Wireless/Bluetooth Enable Surgical and anesthesia devices Ventilators Drug infusion pumps External defibrillators Patient monitors/telemetry systems Laboratory and analysis equipment

14 Cyber Security Risk Management Adopting a Security Framework

15 Cyber Security Risk Management Risk Threat Agent Likelihood Impact Intensity Duration Identify Protect Recover Detect Respond

16 Cyber Security Risk Management Brute Force Attack Encryption Negligent Insider Rogue Devices Compromised Websites Employee Training Two Factor Authentication Third Party Contractor Phishing Social Engineering Vulnerability Scanning Patch Management Portable Devices Malicious Code Intrusion Detection / Prevention Systems

17 Negligent Insiders An employee that hackers exploit in order to gain entry to systems or physical locations A vulnerability that has been used to execute some of the largest data breaches Security Control Considerations Employee training Security awareness programs Social engineering reviews

18 Third Party Contractor Risk Third parties typically have elevated access, and a large security footprint Remote access capabilities increase risk Out of sight out of mind Security Control Considerations Vendor due diligence Strong Business Associate Agreement (BAA) Strengthen control over access Monitor access Third party security audits

19 Portable Devices Increasing amount of mobile/potable devices receiving, transmitting, and storing protected health information Can be easier targets for hackers and thieves Security Control Considerations Encryption Workstation port security Mobile and portable security policies Physical security ephi

20 Malware Malware has increasingly become more affordable, and available, to cyber criminals Cyber criminals may use negligent insiders to gain access, but will use malware to help execute the cyber theft Security Control Considerations Network vulnerability assessments Intrusion detection / prevention systems Two factor authentication Security patch management

21 Paul Douglas, Consulting Manager Connect with me on LinkedIn!