10 Smart Ideas for Keeping Data Safe From Hackers HAVE YOU BEEN HACKED?
Agenda Introduction Background Ten Smart Ideas Conclusions Q&A
Recent Healthcare Data Breaches
Institution                                            | Numbers Affected | What Happened?
Utah Department of Health                              | 780,000          | A weak password policy was in effect on a network server.
Emory Healthcare                                       | 315,000          | 10 backup disks went missing due to an unlocked storage facility door.
South Carolina Department of Health and Human Services | 230,000          | 17 Excel spreadsheets were illegally copied.
Multiple Incidents                                     | 55,600           | Laptops stolen
Healthcare Data Breaches Summary Total breaches: 495 Total records: 21.12 million Total cost: $4.1 billion Average size: 42,659 records Average cost: $8.27 million Average time to identify: 84.78 days Average time to notify: 68.31 days Source: Recent report from the Health Information Trust Alliance (HITRUST)
Key Patterns - Healthcare Industry: Physical Theft and Loss (46%); Insider Misuse (15%); Miscellaneous Errors (12%); Others (10%); Point-of-Sale Intrusions (9%); Crimeware (3%); Web App Attacks (3%); Denial of Service Attacks (2%); Cyberespionage (< 1%); Payment Card Skimmers (< 1%). Source: Verizon 2014 Data Breach Investigations Report
The Ramifications The Announcement: Once a breach is identified, if it involves more than 500 individuals, the organization must announce it and alert the media (under the HIPAA Breach Notification Rule, breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay, and those involving more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets). The Coverage: This is not good PR. No hospital or healthcare organization wants to be in the news because of a data breach, unless it directly helped prevent one. The Fallout: Depending on the size of the breach, the reporting, analysis and review of the situation can be quite damaging. Remediation: Once a breach happens, healthcare organizations must scramble to ensure that this doesn't happen again.
Who Gains From Cyberespionage? Cybercriminals readily understand the value of corporate information. There are opportunities to gain from extortion and ransom campaigns as well as selling stolen data on the black market. Hacktivists focus on causing reputation damage and disruption to organizations that the hacktivists have issues with. They realize that a leak of confidential information about customers, suppliers or employees could lead to severe embarrassment and/or significant legal penalties. Cybermercenaries seek payment from anyone who will hire them including governments, protest groups, or businesses to steal specific information. Nation states (government agencies) or their contractors focus on collecting strategic information or disrupting industrial facilities in hostile countries.
Healthcare Vendors Scorecard The majority of healthcare vendors lack minimum security, as their "culture of security" grades show: 4% scored in the A (high confidence) grade range; 16% in the B (moderate confidence) range; 14% in the C (indeterminate confidence) range; and the remaining 66% in the D range or below (58% D, 8% F).
Healthcare Vendors Scorecard Only 32% of vendors have security certifications such as FedRAMP, HITRUST, ISO 27001, SOC 1 (SSAE-16), SOC 2 and 3 Over 50% of vendors providing services to an average healthcare organization are small to medium sized businesses with <1,000 employees
Background Healthcare Vendors Healthcare and industry organizations don't hold vendors accountable for minimum levels of security, so these vendors become an unlocked back door to sensitive healthcare data. An average hospital's data is accessible by hundreds to thousands of vendors providing a wide range of services: from business services, consulting, claims processing and education to Electronic Health Record (EHR), healthcare and medical supplies technologies and products, to network and security software. The share of security incidents at companies attributed to partners and vendors is growing: from 20% in 2010 to 28% in 2012.
Background Healthcare Vendors Only 44% of organizations have a process for evaluating third parties before launch of business operations Only 31% include security provisions in contracts with external vendors and suppliers Vendor due diligence by healthcare organizations is not aligned with risks Effective third-party security risk management is expensive, time consuming, and resource intensive
Definitions Vulnerabilities: aspects of IT infrastructure that can potentially be exploited, leading to unauthorized access, loss or exposure of sensitive data, disruption of services, failure to comply with regulatory requirements or other unwanted outcomes. Malware: malicious software or scripts designed to access or harm IT resources without the owner's authorization. Hacking: intentional attempts to access or harm IT resources without authorization by thwarting logical security mechanisms.
Blended Threats Phishing: a seemingly innocuous email that contains links to malicious executables or websites. Spear Phishing: phishing directed at specific companies or individuals. Vishing: a combination of voice calls and phishing. Smishing: a combination of SMS and phishing. Pharmaceutical Phishing: the rise in spam concerning health issues (including promotions for online pharmacies and counterfeit drugs) that carries malware.
Drive-by Downloads End-users visiting infected websites or installing what they mistakenly believe to be legitimate software. Attackers use search engine optimization (SEO) techniques to drive end-users to websites infected with malicious code. Shortened URLs disguise malicious links and exploit end-user trust through social engineering. Anonymous proxy servers access Internet resources on behalf of the original requester, hiding the attacker's origin. Internationalized domain names (IDNs) give attackers the opportunity to register mixed-script URLs that are visually indistinguishable from legitimate ones (homograph attacks); browsers show such names either in Unicode or in their ASCII "xn--" punycode form.
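As an added example (not from the slide deck), the following Python script shows how a mail or web gateway can flag the IDN homographs described above: it decodes "xn--" punycode labels with the standard library's idna codec, reports labels that mix writing systems, and maps a small, hand-picked set of Cyrillic look-alikes onto Latin letters so the result can be compared against an allowlist of domains users are expected to visit. The allowlist, the sample hostnames and the confusables table are constructed for this example, and the table is deliberately partial (the Unicode confusables data is far larger); the function names are this example's own.

```python
"""Flag IDN homograph hostnames: mixed-script labels and look-alikes of expected domains.
Added example; all names, the allowlist and the confusables table are assumptions."""
import unicodedata

# Constructed, partial look-alike table: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

# Constructed allowlist of domains the organization expects its users to visit.
EXPECTED_DOMAINS = {"apple.com", "cisco.com", "myhospital.example"}


def to_unicode(host: str) -> str:
    """Return the Unicode form of a hostname, decoding xn-- (punycode) labels."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or not valid IDNA): analyse it as given


def label_scripts(label: str) -> set:
    """Writing systems used in one label, taken from the Unicode character
    names (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and '-' ignored."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ", 1)[0])
    return scripts


def skeleton(host: str) -> str:
    """Replace known look-alikes with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def analyze_host(host: str) -> dict:
    """Return what was decoded, which labels mix scripts, and which expected
    domain (if any) the name imitates once look-alikes are normalised."""
    uhost = to_unicode(host)
    labels = uhost.split(".")
    mixed = [label for label in labels if len(label_scripts(label)) > 1]
    skel = skeleton(uhost)
    lookalike = skel if skel in EXPECTED_DOMAINS and skel != uhost else None
    return {
        "unicode": uhost,
        "mixed_script_labels": mixed,
        "skeleton": skel,
        "lookalike_of": lookalike,
        "suspicious": bool(mixed) or lookalike is not None,
    }


if __name__ == "__main__":
    # Constructed samples: a mixed-script name (Cyrillic 'a' + Latin 'pple'),
    # an all-Cyrillic name that the script check alone would miss, a clean name.
    samples = ["\u0430pple.com", "\u0441\u0456\u0455\u0441\u043e.com", "apple.com"]
    for sample in samples:
        # Show the punycode form a browser or log line would actually carry.
        puny = sample.encode("idna").decode("ascii")
        print(puny, "->", analyze_host(puny))
```

The second constructed sample matters: because every letter in it is Cyrillic, the mixed-script check passes it, and only the look-alike comparison catches it. A production filter would use the full Unicode confusables data and the IDNA 2008/UTS #46 rules rather than this hand-written table.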
APTs Advanced Persistent Threats (APTs) may involve any of the blended threats and/or drive-by downloads. The term implies human command-and-control, specific objectives, and skilled, well-funded attackers.
Data Classification
Level   | Commercial                                                | Government
Lowest  | Not sensitive / Not classified / Non-proprietary / Public | Unclassified
        | Proprietary / Internal use only                           | Confidential
        | Confidential                                              | Secret
Highest | Restricted / Highly confidential                          | Top secret
#1: Encryption of Data Is a Must Data encryption is a key defense against breaches. That includes all information, whether it's stored digitally, on tape or on employees' mobile devices.
#2: Mobile Devices Are a Challenge In this era of bring-your-own-device (BYOD), with more people using mobile devices for work, the amount of sensitive data on these smartphones and tablets is increasing. Organizations need a strong mobile device management policy to protect these devices, whether they are corporate- or employee-owned.
#3: Getting Rid of Old Information There is always some outdated and sensitive data, whether related to the company, employees or customers, that needs to be shed. Companies need a corporate policy that takes into account retention periods and the secure destruction of such data.
#4: Keep an Eye on the Stored Data Regardless of where the data is stored (locally, in the data center or in the cloud), the company's IT professionals should always know how the information is being secured.
#5: Disposing of IT Assets Just as with data, organizations need an end-of-life plan for assets that might hold sensitive information, so that the information on those assets remains secure; media should be sanitized or destroyed before disposal (NIST SP 800-88 gives guidance on media sanitization).
#6: Pay Attention to Passwords Weak passwords continue to be an easy avenue for cyber-thieves looking for information. Organizations must use complex passwords that are changed frequently; note, however, that NIST SP 800-63B now advises against mandatory periodic rotation, which tends to produce predictable variants, and favours screening new passwords against lists of known-breached values and rate-limiting guesses. Passwords should be stored only as salted, iterated hashes, never in plaintext. Organizations should also use two-factor authentication whenever possible.
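As an added example (not from the slide deck), here is what the two halves of this slide look like in code, using only the Python standard library: passwords stored as salted PBKDF2-SHA256 hashes and checked with a constant-time comparison, and a second factor verified with time-based one-time passwords (TOTP, RFC 6238) including a small clock-skew window. The function names, the iteration count and the sample secret are this example's own choices; the TOTP key used below is the RFC 6238 test key, so its codes can be checked against the published test vectors.

```python
"""Salted password hashing and TOTP second-factor verification (stdlib only).
Added example; function names and parameters are assumptions, not the deck's."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: 600,000 iterations (OWASP's 2023 figure for PBKDF2-SHA256);
# tune so one hash costs roughly 100 ms on the authentication server.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' (hex fields) for storage.
    A random per-user salt defeats precomputed tables; the iteration count
    makes offline guessing expensive and is stored so it can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so response timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps to
    absorb clock skew between the server and the user's phone. Each candidate
    is compared in constant time; a real deployment must also reject a code
    that has already been used and rate-limit attempts."""
    now = time.time() if at_time is None else at_time
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(key, counter + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample: one user record and the RFC 6238 test key.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong pw:", verify_password(record, "Correct horse battery staple"))
    key = b"12345678901234567890"
    print("TOTP at t=59 (8 digits):", totp(key, 59, digits=8))  # RFC vector: 94287082
    print("code accepted:", verify_totp(key, totp(key, time.time())))
```

The TOTP window is the edge case worth noticing: a code is accepted for one step before and after the current one, so a code is valid for up to about 90 seconds, which is why replay protection (remembering the last accepted counter per user) and rate limiting belong next to this check in any real verifier.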
#7: Protect Against Viruses Companies need to ensure that their virus protection software is kept up-to-date.
#8: Don't Forget Firewalls Both firewalls and intrusion-detection software (possibly even intrusion prevention software) are key elements to the larger data protection effort.
#9: Privacy Should Be a Primary Concern An enterprise-wide policy aimed at protecting private information from unauthorized access or inadvertent disclosure is the best policy for keeping the data safe.
#10: Keeping a Focus on Employee Education Employees can be a source of problems and a key line of defense. Businesses need to ensure that workers are properly trained to treat information appropriately, and that all employees are up-to-date on the latest corporate policies and procedures.
Conclusions
Strategic Program Governance & Oversight The changing cybercrime landscape and evolving threats and risks now call for nimble, strategic, risk-based and methodical approaches to protecting data and responding to breaches. The privacy and protection of PII is not only an issue of regulatory compliance; it is also a factor in competitive advantage, business positioning and strategy, and requires oversight. Privacy and security regulations should influence business strategy, as the mismanagement of PII and weak privacy and security controls can cripple an organization.
Data Protection Conceptual Architecture Set Policy Deploy Controls Enforce & Monitor Controls
Deploy A Comprehensive IT Security Solution Vulnerability assessment Patch management Application controls that also include whitelisting and default deny functionality Device controls that help you to manage which devices are allowed to be connected to your systems/network Web controls that make it easy to manage, restrict, and audit access to web resources Zero-day defenses Data encryption Mobile security with mobile device management (MDM)
Contact Sumit Pal (609) 520-1188 spal@