Data Breaches and Securing Healthcare Humans Kelli Tarala, Enclave Security

Transcription

1 Data Breaches and Securing Healthcare Humans Kelli Tarala, Enclave Security

2 Data Breaches and Securing Healthcare Humans Problem Statement Data breaches & disclosures are becoming more common PrivacyRights.org (updated weekly) Just a small sample (organization/records breached): Anthem CareFirst BlueCross BlueShield UMass Memorial Medical Group, Inc. Community Health Systems Children's National Medical Center Premera Blue Cross Alexian Brothers Medical Center

3 Data Breaches and Securing Healthcare Humans Healthcare Incidents Ponemon Fifth Annual Privacy and Security and of Healthcare Data Report

4 Data Breaches and Securing Healthcare Humans What are we worried about? Ponemon Fifth Annual Privacy and Security and of Healthcare Data Report

5 Data Breaches and Securing Healthcare Humans Incident: Improper Disposal Kentucky: Medical Records from Defunct Medical Office, June boxes filled with medical records containing patient information, SS Numbers, and credit card numbers stuffed in a dumpster at Rent-A-Space. Paperwork from a radiology office closed in the early 2000s.

6 Data Breaches and Securing Healthcare Humans Incident: Phishing Attack Indiana: Employees at Hospital system noticed irregularity, June 2015 Internal forensic team discovers breach Potentially 220,000 patients affected Employee boxes were accessed as far back as November 2013 PII stored in

7 Data Breaches and Securing Healthcare Humans Incident: Ransomware Employee receives from trusted source

8 Data Breaches and Securing Healthcare Humans Incident: Ransomware All medical images are encrypted until payment is made.

9 Data Breaches and Securing Healthcare Humans Whose job is it to protect data? Some say the responsibility is IT s alone Some say it is the responsibility of management / leadership Some say it is the responsibility of end users The answer is yes this is a partnership we all share together Defense in depth principles suggest that if one set of controls fails, that others will be there to fill the gap

10 Data Breaches and Securing Healthcare Humans Understanding the Why Therefore if we hope to protect our organization s valued information, we need to engage the help of the workforce Education is a crucial piece of this effort Healthcare workers need to understand: How data breaches effect the patients they care for The effects of breaches on their employer What they can do to help protect this information Assurance is more than simply a burden, it supports the mission

11 Understanding the Why Data Breaches and Securing Healthcare Humans

12 Hook, line, and sinker: A human factors investigation of phishing susceptibility Christopher B. Mayhorn, Ph.D. North Carolina State University Department of Psychology Chris_Mayhorn@ncsu.edu

13 Surveys Examples of Different Methodologies used to Study Phishing at NCSU Kelley, C. M., Hong, K. W., Mayhorn, C. B., & Murphy-Hill, E. (2012). Something smells phishy: Exploring definitions, consequences, and reactions to phishing. Proceedings of the Human Factors and Ergonomics Society 56th Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society. Tembe, R., Zielinska, O., Liu, Y., Hong, K. W., Murphy-Hill, E., Mayhorn, C. B., & Ge, X. (2014). Phishing in international waters: exploring cross-cultural differences in phishing conceptualizations between Chinese, Indian, and American samples. Proceedings of HotSoS: Symposium and Bootcamp on the Science of Security. Raleigh, NC. Experiments Hong, K. W., Kelley, C. M., Mayhorn, C. B., & Murphy-Hill, E. (2013). Keeping up with the Joneses: Assessing phishing susceptibility in an task. Proceedings of the Human Factors and Ergonomics Society 57th Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society. Zielinska, O., Tembe, R., Hong, K. W., Xe, G., Murphy-Hill, E. & Mayhorn, C. B. (2014). One Phish, Two Phish, How to Avoid the Internet Phish: Analysis of Training Strategies to Detect Phishing s. Proceedings of the Human Factors and Ergonomics Society 57th Annual Meeting. Santa Monica, CA: Human Factors and Ergonomics Society.

14 Kelley, C. M., Hong, K. W., Mayhorn, C. B., & Murphy-Hill, E. (2012). Something smells phishy: Exploring definitions, consequences, and reactions to phishing. Participants: 155 from M Turk Procedure: Results: Informed consent Demographics questionnaire Survey comprised of 28 questions on various aspects of phishing Computer usage & risk profile questionnaires Debriefing statement Almost all participants reported experiencing a phishing attempt with 22% of attempts successful. Phishers often pose as members of organizations rather than family members or friends and attacks typically occur via . Consequences of phishing attacks go beyond financial loss with many participants reporting social ramifications such as embarrassment and erosion of trust.

15 Phishers are getting creative...attacks are no longer obvious I applied for a part time job through Craigslist and had to do a credit check to successfully apply. I thought it was OK since lots of employers now do credit checks. I entered my social and lots of other information By next week I had several pings in my credit report of suspicious activity. Someone had taken out a credit card in my name and also tried to get a loan. I was scared, honestly, that someone could use my information in that way. I was also angry Phishing communications often sound too good to be true and include exciting or unbelievable offers. Phishing attacks often use a strong pitch, and attempt to elicit a feeling of urgency to get stuff done now, by using a limited time offer or high pressure tactics in an attempt to get victims to act quickly.

16 Who is most susceptible? Cognitive factors such as attentional vigilance to cues in the computing environment serve as a key component in avoiding phishing (Downs, Holbrook, & Cranor, 2006; Vishwanath et al., 2011). Users who fall prey to phishing tend to haphazardly rely on perceptual cues such as the layout of a webpage or on social cues such as whether or not the sender of an is known (Jagatic, Johnson, Jakobsson, & Menczer, 2007). Users try to ascertain the veracity of cues to determine whether they can trust the sender prior to making a security-related decision (Workman, 2008). Users may not be able to accurately identify trust seals such as Verisign and they have difficulty in discerning fake from real domain names (Wogalter & Mayhorn, 2008).

17 Tembe, R., Zielinska, O., Liu, Y., Hong, K. W., Murphy-Hill, E., Mayhorn, C. B., & Ge, X. (2014). Phishing in international waters: exploring crosscultural differences in phishing conceptualizations between Chinese, Indian, and American samples. Participants: 164 from U.S., India, China Recruiting was a mix of M Turk (U.S. & India) and Snowball sampling (China) Procedure: Similar to Previous Survey Study Results: Chronological age and education used as covariates to isolate the effects of these factors. Instances of phishing success varied by nationality with 9% of Chinese, 14% of U.S., and 31% of Indian respondents reporting previous phishing victimization Chinese and American respondents reported engaging online protective behaviors (e.g., noticing padlock icon, etc.) more than Indian respondents. Results discussed in the context of collectivist versus individualist society.

18 Hong, K. W., Kelley, C. M., Mayhorn, C. B., & Murphy-Hill, E. (2013). Keeping up with the Joneses: Assessing phishing susceptibility in an task. Participants: 53 Undergraduate Students Procedure: Results: Informed consent (online) Self-report surveys and questionnaires (online) Experimental assessment of phishing via task (laboratory) Battery of cognitive tests administered (laboratory) Debriefing statement Disconnect observed between participants attitudes and behavior as measured in the Bob Jones task. Specifically, approximately 92% of participants misclassified phishing s even though 89% indicated they were confident of their ability to identify phishing s. Individual differences such as gender, dispositional trust, and personality appear to be associated with the ability to correctly categorize s as either legitimate or phishing

19 Can you tell if this is legitimate?

20 Hierarchical Regression Analyses to Predict Phishing Detection Model β R 2 R 2 Δ F p Impulsivity/Personality Items: Model 1 Extraversion Anxiety Reservation Calmness Ability to keep emotions under control Trust/Distrust Items: Model 2 Extraversion Anxiety Reservation Calmness Ability to keep emotions under control Trust what people say Believe others have good intentions General distrust Behavioral Measures Items: Model 3 Extraversion Anxiety Reservation Calmness Ability to keep emotions under control Trust what people say Believe others have good intentions General distrust Lost money, was never reimbursed Completely read phishing message <.001

21 Zielinska, O., Tembe, R., Hong, K. W., Xe, G., Murphy-Hill, E. & Mayhorn, C. B. (2014). One Phish, Two Phish, How to Avoid the Internet Phish: Analysis of Training Strategies to Detect Phishing s. Participants: 96 from M Turk Experimental Design: 2 (Time: Before vs After Training) X 3 (Training Type: Control, Vignettes of Loss, Trust) Procedure:

22 Ratio of Correctly Identified s

23 Current and Future Directions Better Training Helping novices think like experts Approach borrowed from Naturalistic Decision Making (Klein, 1999) Mental models of cybersecurity explored in Pathfinder study (Zielinska et al., under review) Technological Innovation Building smarter systems Attention allocation to system rather than user Tailored warning systems (Wogalter & Mayhorn, 2005)

24 Conclusions Phishing is an important problem that demands attention from researchers and practitioners. Individual differences are important in understanding who is susceptible and most at-risk. Next step: Intervention!

25 Acknowledgements This research was supported by a grant from the National Security Agency. Special thanks to Emerson Murphy-Hill.

26 Take Away Messages Within the healthcare domain, data breaches can occur for a variety of reasons. Understanding the vulnerability of the human in the loop is critical. Data protection is everyone s responsibility! Education and training are viable approaches to reducing the likelihood of data breaches.

27 Data Breaches and Securing Healthcare Humans Chris Mayhorn Further Questions Kelli Tarala