A very incomplete history of medical data breaches



Similar documents
WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Stay ahead of insiderthreats with predictive,intelligent security

Cyber Security An Exercise in Predicting the Future

WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST

What Data? I m A Trucking Company!

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

Middle Class Economics: Cybersecurity Updated August 7, 2015

Protecting Organizations from Cyber Attack

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

What s New with HIPAA? Policy and Enforcement Update

Managing the Unpredictable Human Element of Cybersecurity

Security Issues with Integrated Smart Buildings

Attachment A. Identification of Risks/Cybersecurity Governance

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Logging and Auditing in a Healthcare Environment

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Promoting a cyber security culture and demand compliance with minimum security standards;

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

What is Really Needed to Secure the Internet of Things?

Cybersecurity. Are you prepared?

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Information Security Services

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

SECURITY CONSIDERATIONS FOR LAW FIRMS

KEY STEPS FOLLOWING A DATA BREACH

Big Data and Security: At the Edge of Prediction

Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits

DATA BREACH BREAK DOWN LESSONS LEARNED FROM TARGET

Aftermath of a Data Breach Study

Digital Identity in Healthcare: What's Coming Down the Pike. Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Bellevue University Cybersecurity Programs & Courses

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

MEDICAL DEVICE Cybersecurity.

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Understanding SCADA System Security Vulnerabilities

Cyber Adversary Characterization. Know thy enemy!

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

The Importance of Cyber Threat Intelligence to a Strong Security Posture

SMALL BUSINESS PRESENTATION

OCIE CYBERSECURITY INITIATIVE

Beazley presentation master

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Reducing Cyber Risk in Your Organization

Frequently Asked Questions. OPM Data Breach. Department of the Navy

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Getting real about cyber threats: where are you headed?

FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES

NATIONAL CYBER SECURITY AWARENESS MONTH

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

Chairman Johnson, Ranking Member Carper, and Members of the committee:

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

September 20, 2013 Senior IT Examiner Gene Lilienthal

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Data Security Incident Response Plan. [Insert Organization Name]

Transcription:

An Expanding Threat Spectrum for Health Information Technologies: Starting a Conversation Herb Lin Stanford University A very incomplete history of medical data breaches Name Date Number of people affected Type of incident Ref Anthem 3/15 79 M Hacking/IT incident (1) SAIC 11/11 5 M Loss (backup tapes) (2) Community Health Systems 8/14 4.5 M Theft (3) UCLA 7/15 4.5 M Hacking/IT incident (4) Medical Informatics Engineering 7/15 4 M Hacking (5) 8/10/2015 2 1

Advocate Medical Group 8/13 4 M Theft of desktop computer (6) Xerox State Healthcare 9/14 2 M Unauthorized access/disclosure (7) Health Net IBM 4/11 1.9 M Loss of hard drives (8) GRM IMS 2/11 1.7 M Theft of backup tapes (9) AvMed 6/10 1.2 M Laptop with EMRs (10) All medical data breaches > 500 individuals since October 2009 https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 8/10/2015 3 Possible harms that result from data breaches Identity theft, loss of credit Inferred from the usual response: 12-24+ months of credit monitoring, fraud resolution and credit restoration services to affected individuals Other possible harms from data breaches Blackmail of victim Individual loss of privacy (and hence problems with family) Medical ID theft to fraudulently obtain medical services Ruined credit. Thief obtains expensive medical services in victim s name; victim and victim s policy are responsible. Loss of health coverage. Fraudulent claims max out victim s health-policy limits. Inaccurate records. Information in victim s medical record is inaccurate (e.g., false mental health, drug addiction, STD diagnoses; allergies ) Improper treatment for victim Ramifications for victim family (false positive drug test indicating addiction leading to CPS removing victim s children) Providers subject to possible malpractice claims/liability Risk to reputation of health care organization Risk of corporate blackmail through threats to reveal information 8/10/2015 4 2

Some industry observations about data breaches (HIMSS survey 2014) HIMSS survey of 297 health IT executives, 77% of whom work for hospitals or healthcare systems. 65% experienced a significant data security incident in the past year. 62% said breaches had limited impact on patient care or IT operations. Factors underlying security concerns Medical identity theft - 79% Deliberate insider breaches 65% Financial identity theft 51% The recent breaches in the healthcare industry have been a wakeup call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats, said Lisa Gallagher, VP of HIMSS. 8/10/2015 5 Takeaways Lots of concern about cybersecurity. Main threat is data breaches, which have limited impact on health care operations. Mitigation of impact misaligned with concerns of industry (focus on financial identity theft where problems of greater concern are medical ID theft and snooping insiders). What else should we worry about? The entire C/I/A trilogy should be in play. medical devices Infrastructure EHR systems 8/10/2015 6 3

Medical devices Medical devices are often unprotected and unauthenticated, with hard-coded credentials Implantable defibrillators (e.g., Barnaby Jack) Insulin pumps (e.g., Jerome Radcliffe) Command links can change various operating parameters (e.g., dosage/strength, timing, alert frequency) 8/10/2015 7 IT-based hospital infrastructure Controls for refrigerated storage Temperature controls needed for proper storage of samples, drugs Temperature controls are computer-based Upper and lower temperature settings Shut-off Paging Hospital HVAC Positive pressure in various rooms Temperature control everywhere MRI/CT scanners False imaging Fetal monitoring Disable alarms Slow down so that events are missed 8/10/2015 8 4

EHR systems Denial of service Shut down hospital servers; prevent access to electronic records Integrity Alter correct medical information; Bad diagnoses Insert false/erroneous information; Falsified medical records (mental health, STDs) Cause bad orders to be given Wrong dosages and types of medication Change medical orders; 8/10/2015 9 Types of threats to cybersecurity Usual cyber threat to health information systems is exploitation cyberattack reveals private health information of Celebrity X ; cyberattack exposes medical records of 10,000 people. Usual bad guys: Paparrazi in cyberspace Celebrity chasers Criminals (compromise medical information for blackmail/extortion; obtain resellable medical goods) Insurance companies (very rarely they get their data legally) 8/10/2015 10 5

A new type of threat Consider hostile operation that is genuinely an attack Aimed at denying access or destroying or altering data or computer programs that store information or that run medical devices or instruments, EHR systems, health care infrastructure Harms provision of care Especially serious if coordinated with physical attack Smaller attack can harm public confidence in health care organizations or in entire system; Sick people afraid to get medical care Care providers afraid to rely on possibly-tainted records (but still probably accurate) 8/10/2015 11 New potential adversaries Individuals Those seeking to do harm to individual patients Personal motivations Political ( cause ) motivations Those seeking to harm care providers (e.g., thru malpractice lawsuits) Change providers of record to change compensation change billing so that Doc X is recorded as MD of record when Doc Y did all the work Patients themselves (e.g., drug addicts) Competitor care-providing organizations Terrorist groups Adversary nation states Resources available are much larger Money, time, hacker talent Intelligence services available (imagine agency-scale resources trying to penetrate electronic medical records system of a hospital no contest) 8/10/2015 12 6

Motivation Why would an adversary want to do that? Consider an attack against the DOD health care system. Cause chaos in military medical system (that also serves military families) Reduce efficiency of personnel on duty who will worry about families at home Loss of confidence in DOD electronic medical records Cause public panic Target records of key personnel to take them out of the fight (make them sick, throw suspicion on them) Consider a small attack on the civilian health care system Tampering with medical records/devices can be act of terror Asymmetric warfare against more powerful adversary American public unprepared for such an event 8/10/2015 13 Issues in maintaining security Beliefs about adversaries (Erwen and Merdinger) Adversaries only care about financial gain Adversaries are not technically adept to carry out an attack on medical devices Trade-offs of convenience vs security Remote access for care providers Patient convenience Authenticate access to implanted device by user, who might forget/lose credentials Authenticate access by serial number Security by obscurity (e.g., assumed ignorance of command protocols) Security by assumption (e.g., presumed benign environments, much like early days of Internet) Lack of forensic capabilities in medical devices 8/10/2015 14 7

Application/infrastructure mismatch (apps change rarely, infrastructure updated frequently for security fixes) The biggest vulnerability was the perception of IT health care professionals beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise. FBI Cyber division advisory, Apr 2014, PIN #: 140408-009 Lack of contextualized cybersecurity knowledge (insufficient expertise regarding operational dimension of health care) Blood type story HIMSS survey: top barrier to mitigating cybersecurity events was a lack of appropriate cybersecurity personnel 8/10/2015 15 Moving forward Developing closer working relationships between researchers and practitioners Acknowledging academic value of interdisciplinary work Sometimes deep problems in health care involve the application of long-understood technical knowledge Evolving from hard-to-change monolithic systems Respecting threat assessments that comes from outside the health care community Planning for rapid change in underlying IT infrastructure Managing the tension between needs for security and for usability/convenience Developing reporting channels for researchers to government and industry 8/10/2015 16 8

For more information or to provide feedback on these slides Herb Lin Center for International Security and Cooperation Hoover Institution Stanford University 650-497-8600 herblin@stanford.edu 8/10/2015 17 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information