Cyber Security: An Exercise in Predicting the Future
Paul Douglas, August 25, 2014
AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY | www.pncpa.com | www.pntech.net
What is Cyber Security?
"Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack." (Merriam-Webster)
How Do We Define Cyber Security in Healthcare?
- HIPAA Security Rule
- HITECH Breach Prevention
- PCI DSS
- Level of Sophistication
The Past
"Experience is simply the name we give our mistakes." (Oscar Wilde)
The Past
Data Breach Summary, September 2009 - August 2014, breaches impacting 500 or more individuals
Total Reported Breaches: 1083
Involving a Business Associate: 310 (29%)
Breaches by type (share of occurrences):
- Theft 51%
- Unauthorized Access/Disclosure 20%
- Loss 10%
- Hacking/IT Incident 9%
- Other 9%
- Unknown 1%
Data Source: www.hhs.gov
The Past
Breach Type              % of Breaches   % of Individuals Affected   Individuals Affected
Hacking/IT Incident            9%                 11%                     3,636,888
Loss                          10%                 21%                     7,232,870
Other                          9%                  3%                     1,093,978
Theft                         51%                 51%                    17,347,925
Unauthorized Access           20%                  8%                     2,527,422
Unknown                        1%                  6%                     1,934,474
Total                        100%                100%                    33,773,557
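The table above makes a point that is easy to miss when only incident counts are reported: the breach type that occurs most often is not necessarily the one that exposes the most people (loss is 10% of incidents but 21% of individuals). The following is an added example, not part of the original presentation or HHS tooling, that builds the same two-view summary from a constructed list of breach reports (type, individuals affected), so a practitioner can reproduce the analysis over their own incident register.

```python
"""Summarize breach reports by type, by occurrence share and by share of individuals affected.

Added example; the records below are constructed sample data, not HHS figures.
"""
from collections import defaultdict

# HHS only publishes breaches affecting 500 or more individuals; mirror that threshold.
REPORTING_THRESHOLD = 500

# Constructed sample records: (breach type, individuals affected).
SAMPLE_BREACHES = [
    ("Theft", 1200), ("Theft", 800), ("Theft", 3000), ("Theft", 500), ("Theft", 1500),
    ("Loss", 20000),
    ("Unauthorized Access", 600), ("Unauthorized Access", 900),
    ("Hacking/IT Incident", 9000),
    ("Other", 1000),
]


def summarize(breaches):
    """Return {type: (count, % of breaches, individuals, % of individuals)} plus a 'Total' row.

    Percentages are rounded to whole numbers, as in the published summary, so the
    per-type shares may not add up to exactly 100.
    """
    counts = defaultdict(int)
    individuals = defaultdict(int)
    for kind, affected in breaches:
        if affected < REPORTING_THRESHOLD:
            raise ValueError(f"{kind}: {affected} is below the {REPORTING_THRESHOLD}-individual threshold")
        counts[kind] += 1
        individuals[kind] += affected

    total_count = sum(counts.values())
    total_individuals = sum(individuals.values())
    rows = {}
    for kind in sorted(counts):
        rows[kind] = (
            counts[kind],
            round(100 * counts[kind] / total_count),
            individuals[kind],
            round(100 * individuals[kind] / total_individuals),
        )
    rows["Total"] = (total_count, 100, total_individuals, 100)
    return rows


def dominant_type(rows, by_individuals=False):
    """Breach type with the largest share, measured by count or by individuals affected."""
    column = 2 if by_individuals else 0
    return max((k for k in rows if k != "Total"), key=lambda k: rows[k][column])


def format_table(rows):
    """Render the summary as an aligned plain-text table."""
    header = f"{'Breach Type':<22}{'Count':>6}{'% Breaches':>12}{'Individuals':>13}{'% Indiv.':>10}"
    lines = [header]
    for kind, (n, pct_n, ind, pct_ind) in rows.items():
        lines.append(f"{kind:<22}{n:>6}{pct_n:>11}%{ind:>13,}{pct_ind:>9}%")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_BREACHES)
    print(format_table(summary))
    print("Most frequent type:      ", dominant_type(summary))
    print("Most individuals exposed:", dominant_type(summary, by_individuals=True))
```

On the constructed data, theft is half of all incidents while a single loss event accounts for over half of the individuals affected, which is why a risk program should weight both views rather than counting tickets.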
The Past
Over 30 Million Patients' Data
The Value of Protected Health Information
PHI and medical records are valued at approximately $50 per patient record on the black market. Comparatively, credit card data is typically valued at $2 per account.
Possible PHI Data Targets:
- Social Security Number: identity theft
- Payment information: financial crime
- Tax Identification Number: tax fraud
- Beneficiaries: tax and financial fraud
- Diagnosis information: marketing value and/or malicious intent
- Health insurance credentials: medical identity theft
The Future
"The future, according to some scientists, will be exactly like the past, only far more expensive." (John Sladek)
Welcome to the Future: Healthcare Technology Trends
- Bring Your Own Device (BYOD)
- Mobile Applications / Telemedicine
- Social Aspect
- Networked Medical Devices
- Big Data
- Cloud Computing
- Increasing Integration Points
Welcome to the Future
[Diagram: ePHI integration points]
- Insurance Companies
- Companion Health Systems
- Reporting Services
- HIE
- Patient Portal
- Outside Lab
- 3rd Party Billing
Welcome to the Future: Enhanced Medical Devices
- Insulin pumps
- Wireless/Bluetooth-enabled surgical and anesthesia devices
- Ventilators
- Drug infusion pumps
- External defibrillators
- Patient monitors/telemetry systems
- Laboratory and analysis equipment
Reference: https://ics-cert.us-cert.gov/alerts/ics-alert-13-164-01
Cyber Security Risk Management
Adopting a Security Framework
Cyber Security Risk Management
Risk factors: Threat Agent, Likelihood, Impact (Intensity, Duration)
Framework functions: Identify, Protect, Detect, Respond, Recover
Cyber Security Risk Management
Threats and risk areas:
- Brute Force Attack
- Negligent Insider
- Rogue Devices
- Compromised Websites
- Third Party Contractor
- Phishing
- Social Engineering
- Portable Devices
- Malicious Code
Controls:
- Encryption
- Employee Training
- Two Factor Authentication
- Vulnerability Scanning
- Patch Management
- Intrusion Detection / Prevention Systems
Negligent Insiders
An employee that hackers exploit in order to gain entry to systems or physical locations. A vulnerability that has been used to execute some of the largest data breaches.
Security Control Considerations:
- Employee training
- Security awareness programs
- Social engineering reviews
Third Party Contractor Risk
Third parties typically have elevated access and a large security footprint. Remote access capabilities increase risk. Out of sight, out of mind.
Security Control Considerations:
- Vendor due diligence
- Strong Business Associate Agreement (BAA)
- Strengthen control over access
- Monitor access
- Third party security audits
Portable Devices
An increasing number of mobile/portable devices are receiving, transmitting, and storing protected health information. They can be easier targets for hackers and thieves.
Security Control Considerations:
- Encryption
- Workstation port security
- Mobile and portable security policies
- Physical security
Malware
Malware has increasingly become more affordable and available to cyber criminals. Cyber criminals may use negligent insiders to gain access, but will use malware to help execute the cyber theft.
Security Control Considerations:
- Network vulnerability assessments
- Intrusion detection / prevention systems
- Two factor authentication
- Security patch management
Paul Douglas, Consulting Manager
225.408.4421
pdouglas@pncpa.com
Connect with me on LinkedIn!