Agenda. The Face of Cybercrime Today 4/15/2015. Top Security Threat Trends in Healthcare and How You Can Learn from Incidents to Reduce Risk

Transcription

1 Top Security Threat Trends in Healthcare and How You Can Learn from Incidents to Reduce Risk Mac McMillan, FHIMSS, CISM, CEO/Co-Founder CynergisTek Dr. Cris V. Ewell, Ph.D., CISO Seattle Children s Mahmood Sher-Jan, CHPC, EVP/GM ID Experts April 19, 2015 Agenda Top Security Threat Trends in Healthcare Growing Regulatory Complexities Trends in Healthcare: Incidents & Breaches Keys to Being Prepared for Managing Incidents Real World Incident Response Cases Insights From Analysis of Real Incident Data Tools and Methodologies for Correlating Incidents and Managing Incident Response The Face of Cybercrime Today 12 y/o learning computers in middle school 14 y/o home schooled girl tired of social events 15 y/o in New Zealand just joined a defacement group 16 y/o in Tokyo learning programming in high school 19 y/o in college putting course work to work 20 y/o fast food employee that is bored 22 y/o in Mali working in a carding ring 24 y/o black hat trying to hack whoever he can 25 y/o soldier in East European country 26 y/o contractor deployed over seas 28 y/o in Oregon who believes in hacktivism 30 y/o white hat who has a black hat background 32 y/o researcher who finds vulnerabilities in systems 35 y/o employee who sees a target of opportunity 37 y/o rouge intelligence officer 39 y/o disgruntled admin passed over 41 y/o private investigator 44 y/o malware author paid per compromised host 49 y/o pharmacist in midlife crisis 55 y/o nurse with a drug problem 10/7/14 slide 3 1

2 Accidents, Mistakes & Deliberate Acts 4M medical records maintained on four workstations Physician loses laptop with psychiatric patients records Neurologic institute accidentally s 10,000 patient records to 200 patients Phishing/hacking nets nearly $3M from six healthcare entities University reports laptop with patient information stolen out of a student s car Vendor sells hospital s X-rays (films) to third party Resident loses track of USB with over 500 orthopedic patients information Portable electronic device with patient data stolen from hospital Physician has laptop stolen from vacation home 2200 physicians victims of ID theft/tax fraud Printers returned to leasing company compromise thousands of patient records Health System reports third stolen laptop with 13,000 patient records 400 hospitals billings delayed as clearinghouse hit with ransomware Physician robbed at gun point, phone and computer taken, thief demands passwords International hacking group uses phishing, then steals information on almost 80M people And, on and on it goes The Emergent Threat Black Hat 2014 Snatching passwords w/ Google Glass Screen scraping VDI anonymously Compromising AD through Kerberos Remote attacks against cars Memory scraping for credit cards Compromising USB controller chips Cellular compromise through control code Free cloud botnets for malware Mobile device compromise through MDM flaws Cryptographic flaws and a Rosetta Stone 10/7/14 slide 5 Black Market Driven Darknets will be more active, participants will be vetted, cryptocurrencies will be used, greater anonymity in malware, more encryption in communications and transactions Black markets will help attackers outpace defenders Hyperconnectivity will create greater opportunity for incidents Exploitation of social networks and mobile devices will grow More hacking for hire, as-a-service, and brokering 2

3 Increased Reliance Physician Alignment BYOD Business Associates Health Information Exchanges Meaningful Use Patient Engagement Telemedicine Supply Chain Big Data Research Accountable Care Organization Ingestibles More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized, accountable care/patient engagement rely on it. The enterprise is critical to delivering healthcare. Any outage, corruption of data, loss of information risks patient safety and care. 10/7/14 slide 7 Insider Abuse: Trust, But Verify It is estimated that more than half of all security incidents involve staff 51% of respondents in a SANS study believe the negligent insider is the chief threat 37% believe that security awareness training is ineffective Traditional audit methods & manual auditing is completely inadequate Behavior modeling, pattern analysis and anomaly detection is what is needed 10/7/14 slide 8 Questionable Supply Chains Greater due diligence in vetting vendors Security requirements in contracting should be SLA based Particular attention to cloud, SaaS, infrastructure support, critical service providers Life cycle approach to data protection Detailed breach and termination provisions 10/7/14 slide 9 3

4 Devices Threaten Safety & Information In June 2013 the DHS tested 300 devices from 40 vendors, ALL failed. In response the FDA issued guidance for manufacturers and consumers addressing design, implementation and radio frequency considerations. Yes, Terrorists could have hacked Dick Cheney s heart. The Washington Post October 21, /7/14 slide 10 Malware & Persistent Threats 3.4 million BotNets active 20-40% of recipients in phishing exercises fall for scam 26% of malware delivered via HTML, one in less than 300 s infected Malware analyzed was found undetectable by nearly 50% of all antivirus engines tested As of April 2014 Microsoft no longer provides patches for WN XP, WN 2003 and WN 2000, NT, etc. EOL systems still prevalent in healthcare networks Hardening, patching, configuration, change management all critical 10/7/14 slide 11 Objective testing and assessment K M M M FBI alert warns healthcare not prepared Mobility & Data Medical staff are turning to their mobile devices to communicate because its easier, faster, more efficient Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders Priority placed on the data first and the device second Restrict physical access where possible, encrypt the rest 10/7/14 slide 12 4

5 ID Theft & Fraud Medical Identity theft increased 21.7% in 2014, Ponemon Institute US CERT estimates 47% of cybercrime aimed at healthcare More than 70% of identity theft and fraud were committed by knowledgeable insiders physicians, nurses, pharmacy techs, admissions, billing, etc. Healthcare directed attacks have increased more than 20% a year for the last three years running Insiders selling information to others Hackers exploiting systems Malware with directed payloads Phishing for the big ones 10/7/14 slide 13 Theft & Losses Thriving 68% of healthcare data breaches due to loss or theft of assets 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops are left in airports each year First rule of security: no one is immune 138%: the % increase in records exposed in 2013 Unencrypted laptops and mobile devices 6 10%: the average shrinkage rate for pose significant risk to the security of mobile devices patient information. Sue McAndrew, Typical assets inventories are off by 60% OCR 10/7/14 slide 14 No increase in budget for defenses Sophistication of attack hardest element to defeat Organizations suffering a targeted attack Hacking & Other Cyber Criminals Targeted Attacks I feel like I am a targeted class, and I want to know what this institution is doing about it! -Anonymous Doctor Defenses are not keeping pace Three most common attacks: spear phishing, Trojans & Malvertising APTs, phishing, water cooler attacks, fraud, etc. Most organizations can t detect or address these threats effectively An advanced incident response capability is required Results in loss of time, dollars, downtime, reputation, litigation, etc. Conduct independent risk assessments regularly 10/7/14 slide 15 5

6 More Compliance OIG shifts focus to funds recovery OCR s permanent audit program will resume in FY 2015 with new capabilities Improvements and automation in reporting and handling complaints Meaningful Use audits are evolving in scope and impact The FTC remains committed to enforcement of privacy and security States continue to create new laws Florida Information Protection Act New Jersey Health Insurers Encryption Law SB1353 seeks to establish common framework for security and create universal requirement for notification. When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises. 10/7/14 slide 16 Agenda Top Security Threat Trends in Healthcare Growing Regulatory Complexities Trends in Healthcare: Incidents & Breaches Keys to Being Prepared for Managing Incidents Real World Incident Response Cases Insights From Analysis of Real Incident Data Tools and Methodologies for Correlating Incidents and Managing Incident Response Today s Regulatory Complexity 47 state + 3 territory breach notification laws Differ with respect to: Definitions Risk of harm Safe harbor Exemptions Timing Content Notice to regulators, agencies, etc. A plethora of federal laws & other standards HIPAA Omnibus Final Rule GLBA, PCI 6

7 Stages of Omnibus Breach Notification Rule Compliance ANGER 2009: Risk of Harm Backlash & Fury The Interim Final Rule Era Denial Risk of Harm Revisited Bargaining Harm Test Advocates vs. Opponents Acceptance 2013: Final Breach Notification Rule Growing Regulatory Complexity Proposed Federal Breach Notification Laws The Personal Data Notification and Protection Act You may wish to go back to 47 state laws! - McDonald Hopkins PLC Proposed State Laws and Amendments Indiana (SB 413) Tentative Effective Date 7/15 New Mexico (HB 217) Passed House on 2/19 New Hampshire Education Data Privacy Bills (HB 322, HB 507, HB 520) Maryland (SB 548) Tentative Effective Date 10/1/15 Montana (HB 74) Tentative Effective Date 10/1/15 Wyoming (SF 35) Tentative Effective Date 7/1/15 Michigan (SB 33) Education Data Disclosure Reporting Bill What security threats is your organization most concerned about? 75% 70% % 29% 40% 41% 32% 33% 6% 5% 26% 13% 40% 39% 19% 12% 23% 13% 15% 16% 15% 2% Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April

8 Has your organization suffered a data breach involving the loss or theft of patient data in the past 24 months? % 39% 36% 33% 40% 38% 16% 16% 9% 10% 6% 12% No Yes, 1 breach Yes, 2 to 5 breaches Yes, more than 5 breaches Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April How the data breach was discovered? % 58% 44% 46% 47% 52% 35% 36% 26% 26% 23% 30% 18% 19% 26% 5% 12% 10% 6% 7% 5% Accidental Loss prevention Patient complaint Law enforcement Legal complaint Employee detected Audit/assessment Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April Nature of the breach % 46% 42% 45% 40% 39% 41% 42% 43% 49% 46% 31% 32% 31% 33% 12% 12% 14% 7% 8% 8% Unintentional employee action Intentional nonmalicious employee action Technical systems glitch Criminal attack Malicious insider Third party snafu Lost or stolen computing device Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April

9 Agenda Top Security Threat Trends in Healthcare Growing Regulatory Complexities Trends in Healthcare: Incidents & Breaches Keys to Being Prepared for Managing Incidents Real World Incident Response Cases Insights From Analysis of Real Incident Data Tools and Methodologies for Correlating Incidents and Managing Incident Response Incident Response: What are the things we should be considering? Keys to being prepared for managing incidents, including dealing with media and information dissemination. Tools and methodologies for correlating incidents and managing incidents Real world cases What are the basics? 9

10 Have a Plan Remember this is not just a privacy or security issue Incident Response Process Overall Process 10

11 Define accountability Designated Official Type of Incident Privacy Officer PHI Chief Information Security ephi, PII, or other information related Officer IS incidents Corporate Compliance Corporate compliance issues Officer Research Integrity Officer Research compliance issues Incident Management Team Chief Information Officer Chief Information Security Officer Chief Medical Officer Corporate Compliance Officer Privacy Officer Risk Management General Counsel General Counsel President Research Integrity Officer VP Human Resources Marketing & Communications Leaders from affected departments Document and Review Show your work The burden of proof has shifted You need to show that the information has a low probability of compromise 11

12 Breach Review Besides a incident management process 12

13 Complete asset inventory Do you know what you have on the internet? Who knew? 13

14 What would happen if you had to disconnect from the internet? Could you communicate without ? Too much information? How often do our meeting announcements include the passwords or codes for the meeting? 14

15 Daily Safety Brief Seattle Children s huddles at the start of the every day to maintain situational awareness of immediate problems impacting safety and quality of patient care What about outside communication? Crisis Communication Plan Assemble the team Gather and confirm as much information as possible Identify key internal and external audiences who need to be informed Develop simple and concise key messages Develop and implement a plan to communicate to key audiences Assess ongoing communications Do not speculate 15

16 Questions to consider What is currently known about the issue? What needs to be done now to take care of any affected patient, family member, or member of the public? Now do we avoid a repetition of the incident? When, where, and how did the incident happen? Who was involved in the incident? What other sources of information can be accessed? Questions to consider What is the worst case scenario? What are the short/long term implications? Who will be affected? Who needs to know the status of the situation? What steps should be taken to protect and support any involved provider or staff member? How will key audiences be impacted? Potential communication mediums Phone calls and Notifications to internal audiences News conferences Written statements In-person and phone interviews Website bulletins and updates Twitter and Facebook posts On the ground staff messages they can use with patients, families, etc. 16

17 Well trained professionals Well trained professionals You can not do this alone 17

18 Example Cases Case background The help desk receives a call from one of the Clinical Psychologist. She is requesting a password reset. The user reveals that she suspects that there is a key logger program installed on her personal laptop. The help desk reset the user s password and turned the case over to the information security department. Significant Events Time Event Day 1 15:31:21 Installation of eblaster key logger program Day 3 Activity from 12.XXX.XXX.XXX (04:36:20 04:41:00) 4 minutes 04:36:20 40 seconds OWA Authentication for userid XXXX (04:36) Activity from 76.XXX.XXX.XXX (08:07:45 08:07:49) 4 seconds 08:07:45 NO OWA Authentication Activity from 76.XXX.XXX.XXX (08:27:03 08:30:35) 3 minutes 08:27:03 32 seconds OWA Authentication for userid XXXX (08:27) Activity from 76.XXX.XXX.XXX (13:50:16 13:54:33) 4 minutes 13:50:16 17 seconds OWA Authentication for userid XXXX (13:52) Activity from 12.XXX.XXX.XXX (16:30:02 16:59:10) 29 minutes 16:30:02 8 seconds OWA Authentication for userid XXXX (16:30, 16:35, 16:41, 16:47) KEY Important Events Authorized OWA Activity Unauthorized OWA Activity MB in overall size and included 1891 individual s in 41 different folders 18

19 The problem Based on incidents and regular walkthroughs we saw increased evidence of PHI issues with: Visible spaces Printing and faxing Disposal Awareness Campaign Cover it up or turn it over. If you leave the immediate area, cover up or turn over the PHI so no information is visible Know where it s going. Check destination when printing or faxing Shred it or park it. If you find papers on printer, fax or another location, find a Shred-It bin or place in a PHI deposit here container. Sign examples 19

20 Agenda Top Security Threat Trends in Healthcare Growing Regulatory Complexities Trends in Healthcare: Incidents & Breaches Keys to Being Prepared for Managing Incidents Real World Incident Response Cases Insights From Analysis of Real Incident Data Tools and Methodologies for Correlating Incidents and Managing Incident Response Paper Plays a Big Role in Healthcare PHI Incidents 1 ID Experts Data Analysis Paper PHI/PII Incidents 1 (Proportion %) 2% 0% Verbal/Visual 8% 5% Paper Record 8% 11% Misdirected Mail, 43% Misdirected Fax/Ad Hoc Manual Misdirected Fax Automated File(s) Electronic 29% Paper Record, 31% Prescription Order/Label Label (Medical Device/Prescription/Room) Paper 63% Paper Sub Categories Paper vs. Other Categories 1 ID Experts RADAR Data Analysis 20

21 Electronic PHI/PII Incidents 1 (Proportion %) Online Portal Verbal/Visual 8% 1% 2% 2% 2% 2% 2% 1% Electronic Medical Record Application PDA 5% Records/Files Electronic 29% 6% , 42% Laptop Network Server 7% Storage Device (tape,disk, etc.) Paper 63% 8% Desktop FTP Site Electronic vs. Other Categories 1 ID Experts RADAR Data Analysis 8% 12% Electronic Sub Categories Network Access Posted Online (social media) Decommissioned Office Machines PHI/PII Data Controls 1 (Proportion %) 7% 0% 0% 93% Information was in plain text Information was under physical safeguard Information was statistically de identified Information was redacted 1% 1% 0% 0% 6% 4% 6% 30% 14% 17% 21% No controls were present on electronic data Data is identifiable or recipient has ability to re identify Password protected & password was not compromised Encrypted to NIST standard; key was not compromised Encrypted but evidence of access with valid credentials Information was encrypted; key was not compromised Password protected & password was compromised Information was statistically deidentified Encrypted; unsure of encryption key's security Information was redacted Paper Incidents Electronic Incidents 1 ID Experts RADAR Data Analysis Incident Cause or Intent 1 (Proportion %) 3% 7% 6% 9% 4% Unauthorized Access Theft of Information Unintentional Intentional Non Malicious 14% 43% Unauthorized Use Hacking/Malware 87% Intentional Malicious Exposure of Information Unknown 27% All Incidents Intentional Malicious Incidents 1 ID Experts Data Analysis 21

22 3% 1% Returned without written 4/15/2015 Incident Recipient Types 1 (Proportion %) 2% 1% 0% Employee 17% 46% Covered Entity Business Associate Federal Agency Authorized 19% Health Plan Sponsor OHCA Unauthorized 81% 34% Authorized Recipients All Recipients 1 ID Experts RADAR Data Analysis Incident Recipient Types 1 (Proportion %) 1% 1% 1% 0% 0% 1% Patient/Insured Member 2% 2% 3% Member of General Public 5% 24% Covered Entity Employee Unknown 11% Relative/Household Member Business Associate 12% Unauthorized Recipients 81% 15% 22% 1 ID Experts RADAR Data Analysis Vendor (non covered entity or BA) Employer of Patient Another patient's family member Hacker Attorney or Lawyer Federal Agency Health Plan Sponsor OHCA Data Risk Mitigation 1 (Proportion %) 5% 7% 14% 43% assurance Returned w/o written assurance; Obligated to safeguard PHI/PII. Provided written assurance and will not be further used or disclosed Risk Mitigated, 69% No or Unknown, 31% 27% Confirmed use of information as permitted Data Risk Mitigation Scope Data Risk Mitigation Frequency 1 ID Experts Data Analysis 22

23 Data Risk Mitigation 1 (Proportion %) 0% 6% 5% Unable to retrieve No or Unknown, 31% 20% Confirmed viewing or acquisition Risk Mitigated, 69% 69% Confirmed improper use Destroyed but unsure of backup copy Data Risk Mitigation Frequency Reason for Inability to Mitigate Risk 1 ID Experts Data Analysis Notification Frequency by Incident Category Electronic Incidents Paper Incidents 17% 22% 4% 10% 79% Mandatory Voluntary None 68% Mandatory Voluntary None Notification Frequency by Industry Insurance / Financial Hospital 18% 21% 7% 1% 75% Mandatory Voluntary 78% Mandatory Voluntary None None 23

24 Notification Frequency by Industry Business Associate Pharmacy 2% 21% 60% 19% Mandatory Mandatory 98% Voluntary Voluntary None None Notification Frequency by Business Associates (BA) BA Notification 2% BA Risk Assessment Outcome 4% 10% Mandatory High Risk 98% Voluntary 86% Med Risk None Low Risk Know your incidents 24

25 Incident Response Complexity Event Incident Data Breach 10/7/14 slide 73 Incident Response Life Cycle Containmen Detection Analysis Common Sources of Detection: IDPSs PI I SIEMs or File Integrity Checking PH Anti-virus & spam I OS & App. Logs Network Logs Yes People Regulatory Assessment No t & Eradicatio n No Breach Breach Regulatory Burden of Proof Documentation Post- Incident Activity Based upon NIST Computer Security Incident Handling Guide Regulatory Compliance -- Incident Notificati on Incident Risk Assessment is Complex 25

26 Compliance Challenges Complaints About Current Incident Assessment Process 100% 79% 80% 60% 48% 40% 23% 20% 0% Lack of Inability to Difficult to use consistency scale Organizations struggle to effectively manage incidents. A recent Ponemon study found: Only 35% of respondents are using automated processes Almost half say they are not in compliance with federal rule Lack of consistency is top complaint with current process 4th Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute, March /7/14 slide 76 Incident Risk Assessment Needs Consistency & Automation Most incidents have subtle but relevant aspects Multiple regulations Multiple factors & time critical Security Incidents Are any of the incidents a (reportable) breach? Data Breach Y / N? 10/7/14 slide 77 RADAR Incident Response Management Platform - Federal Laws (HIPAA/HITECH, GLBA) - State & Territorial Laws - International Laws 26

27 In Conclusion 1. Regulatory environment is complex and getting more complex 2. Prepare and practice for real world incident scenarios Follow the rules Know the rules 3. Use the right tools designed for threat intelligence, incident correlation and response management Prove it! 10/7/14 slide 79 27