10 Smart Ideas for. Keeping Data Safe. From Hackers

Transcription

1 Smart Ideas for Keeping Data Safe From Hackers HAVE YOU BEEN HACKED?

2 Agenda Introduction Background Ten Smart Ideas Conclusions Q&A

3 Recent Healthcare Data Breaches Institution Numbers Affected What Happened? Utah Department of Health 780,000 A weak password policy was in effect on a network server. Emory Healthcare 315, backup disks went missing due to an unlocked storage facility door. South Carolina Department of Health and Human Services 230, Excel spreadsheets were illegally copied. Multiple Incidents 55,600 Laptops stolen

4 Healthcare Data Breaches Summary Total breaches: 495 Total records: million Total cost: $4.1 billion Average size: 42,659 records Average cost: $8.27 million Average time to identify: days Average time to notify: days Source: Recent report from the Health Information Trust Alliance (HITRUST)

5 Key Patterns - Healthcare Industry Physical Theft and Loss (46%) Insider Misuse (15%) Miscellaneous Errors (12%) Others (10%) Point-of-Sale Intrusions (9%) Crimeware (3%) Web App Attacks (3%) Denial of Service Attacks (2%) Cyberespionage (< 1%) Payment Card Skimmers (< 1%) Source: Verizon Data Breach & Incident Report 2014

6 The Ramifications The Announcement: Once a breach is identified, if the breach involves more than 500 individuals, the organization must make the announcement and alert the media. The Coverage: This is not good PR. No hospital or healthcare organization wants to be in the news because of a data breach; unless it directly helped prevent one. The Fallout: Depending on the size of the breach, the reporting, analysis and review of the situation can be quite damaging. Remediation: Once a breach happens, healthcare organizations must scramble to ensure that this doesn t happen again.

7 Who Gains From Cyberespionage? Cybercriminals readily understand the value of corporate information. There are opportunities to gain from extortion and ransom campaigns as well as selling stolen data on the black market. Hacktivists focus on causing reputation damage and disruption to organizations that the hacktivists have issues with. They realize that a leak of confidential information about customers, suppliers or employees could lead to severe embarrassment and/or significant legal penalties. Cybermercenaries seek payment from anyone who will hire them including governments, protest groups, or businesses to steal specific information. Nation states (government agencies) or their contractors focus on collecting strategic information or disrupting industrial facilities in hostile countries.

8 Healthcare Vendors Scorecard Majority of healthcare vendors lack minimum security; illuminated by the fact that for their culture of security: 4% scored in the A high confidence grade range 16% scored in the B moderate confidence grade range 14% scored in the C indeterminate confidence grade range >58% scoring in the D grade range Including 8% scoring in the F grade range

9 Healthcare Vendors Scorecard Only 32% of vendors have security certifications such as FedRAMP, HITRUST, ISO 27001, SOC 1 (SSAE-16), SOC 2 and 3 Over 50% of vendors providing services to an average healthcare organization are small to medium sized businesses with <1,000 employees

10 Background Healthcare Vendors Healthcare and industry organizations don t hold vendors accountable for minimum levels of security, these vendors establish an unlocked backdoor to sensitive healthcare data An average hospital s data is accessible by hundreds to thousands of vendors providing a wide range of services: from business services, consulting, claims processing and education to Electronic Health Record (EHR), healthcare and medical supplies technologies and products to network and security software Growing number of security incidents at companies attributed to partners and vendors which increased from 20% in 2010 to 28% in 2012

11 Background Healthcare Vendors Only 44% of organizations have a process for evaluating third parties before launch of business operations Only 31% include security provisions in contracts with external vendors and suppliers Vendor due diligence by healthcare organizations is not aligned with risks Effective third-party security risk management is expensive, time consuming, and resource intensive

12 Definitions Vulnerabilities aspects of IT infrastructure that can be potentially exploited, leading to unauthorized access, loss or exposure of sensitive data, disruption of services, failure to comply with regulatory requirements or other unwanted outcomes Malware malicious software or scripts designed to access or harm IT resources without owner s authorization Hacking intentional attempts to access or harm IT resources without authorization by thwarting logical security mechanisms

13 Blended Threats Phishing refers to seemingly in a course that contains links to malicious executables or websites Spear Phishing refers to phishing that is directed at specific companies or individuals Vishing a combination of voice and phishing Smishing - a combination of SMS and phishing Pharmaceutical Phishing - Rise in spam concerning health issues (including promotions for online pharmacies and counterfeit drugs) containing malware

14 Drive-by Downloads End-users visiting infected websites or installing what they mistakenly believe to be legitimate software Attackers are using search engine optimization (SEO) techniques to drive end-users to websites that are infected with malicious code Shortened URLs these guys malicious links and to exploit end-user trust through social engineering Anonymous proxy servers access Internet resources on behalf of the original requester International domain names opportunity to exploit malicious, mixed-character URLs that are visually indistinguishable

15 APTs Advanced Persistent Threats(APTs), which may involve any of the blended threats and/or drive-by downloads. The main implication of this term is that they involve human command-and-control, specific objectives, and skilled, well-funded attackers.

16 Data Classification Level Commercial Government Lowest Highest Not sensitive Not classified Non proprietary Public Proprietary Internal use only Confidential Restricted Highly confidential Unclassified Confidential Secret Top secret

17 #1: Encryption of Data Is a Must Data encryption is a key defense against breaches. That includes all information, whether it's stored digitally, on tape or on employees' mobile devices.

18 #2: Mobile Devices Are a Challenge In this era of bring-your-own-device (BYOD), with more people using mobile devices for work, the amount of sensitive data on these smartphones and tablets is increasing. Organizations need a strong mobile device management policy to protect these devices, whether they're corporateor employee-owned.

19 #3: Getting Rid of Old Information There is always some outdated and sensitive data whether related to the company, employees or customers that needs to be shed. Companies need a corporate policy that takes in account the secure destruction of such data.

20 #4: Keep an Eye on the Stored Data Regardless of where the data is stored locally, in the data center or in the cloud the company s IT professionals should always know how the information is being secured

21 #5: Disposing of IT Assets Just as with data, organizations need to have an end-of-life plan for assets that might hold sensitive information, to ensure that the information on the assets remains secure.

22 #6: Pay Attention to Passwords Weak passwords continue to be an easy avenue for cyber-thieves looking for information. Organizations must use complex passwords that are changed frequently. They also should use two-factor authentication when possible.

23 #7: Protect Against Viruses Companies need to ensure that their virus protection software is kept up-to-date.

24 #8: Don't Forget Firewalls Both firewalls and intrusion-detection software (possibly even intrusion prevention software) are key elements to the larger data protection effort.

25 #9: Privacy Should Be a Primary Concern An enterprise-wide policy aimed at protecting private information from unauthorized access or inadvertent disclosure is the best policy for keeping the data safe.

26 #10: Keeping a Focus on Employee Education Employees can be a source of problems and a key line of defense. Businesses need to ensure that workers are properly trained to treat information appropriately, and that all employees are up-to-date on the latest corporate policies and procedures.

27 Conclusions

28 Strategic Program Governance & Oversight The changing cybercrimes landscape and evolving threats and risk now calls for nimble, strategic, riskbased and methodical approaches to protecting data and responding to breaches The privacy and protection of PII is not only an issue of regulatory compliance. It is also a factor in competitive advantage, business positioning and strategy and requires oversight Privacy and Security regulations should influence business strategy, as the mismanagement of PII and weak privacy and security control can cripple an organization

29 Data Protection Conceptual Architecture Set Policy Deploy Controls Enforce & Monitor Controls

30 Deploy A Comprehensive IT Security Solution Vulnerability assessment Patch management Application controls that also include whitelisting and default deny functionality Device controls that help you to manage which devices are allowed to be connected to your systems/network Web controls that make it easy to manage, restrict, and audit access to web resources Zero-day defenses Data encryption Mobile security with mobile device management (MDM)

31 Contact Sumit Pal (609)