
Page 1: Agenda - HCCA Official Site...Malware & Persistent Threats “FBI alert warns healthcare not prepared” 2006 200K 2008 17M 2013 73M 2014 100M 10/7/14 | slide 12 Mobility & Data •

4/15/2015

1

Top Security Threat Trends in Healthcare and How You Can Learn from Incidents to Reduce Risk

Dr. Cris V. Ewell, Ph.D., CISO Seattle Children’s
Mahmood Sher-Jan, CHPC, EVP/GM ID Experts
Mac McMillan, FHIMSS, CISM, CEO/Co-Founder CynergisTek

April 19, 2015

Agenda

• Top Security Threat Trends in Healthcare
• Growing Regulatory Complexities
• Trends in Healthcare: Incidents & Breaches
• Keys to Being Prepared for Managing Incidents
• Real World Incident Response Cases
• Insights From Analysis of Real Incident Data
• Tools and Methodologies for Correlating Incidents and Managing Incident Response


10/7/14 | slide 3

The Face of Cybercrime Today

• 12 y/o learning computers in middle school
• 14 y/o home-schooled girl tired of social events
• 15 y/o in New Zealand who just joined a defacement group
• 16 y/o in Tokyo learning programming in high school
• 19 y/o in college putting course work to work
• 20 y/o fast food employee who is bored
• 22 y/o in Mali working in a carding ring
• 24 y/o black hat trying to hack whoever he can
• 25 y/o soldier in an East European country
• 26 y/o contractor deployed overseas
• 28 y/o in Oregon who believes in hacktivism
• 30 y/o white hat who has a black hat background
• 32 y/o researcher who finds vulnerabilities in systems
• 35 y/o employee who sees a target of opportunity
• 37 y/o rogue intelligence officer
• 39 y/o disgruntled admin passed over
• 41 y/o private investigator
• 44 y/o malware author paid per compromised host
• 49 y/o pharmacist in midlife crisis
• 55 y/o nurse with a drug problem

Accidents, Mistakes & Deliberate Acts

• 4M medical records maintained on four workstations
• Physician loses laptop with psychiatric patients’ records
• Neurologic institute accidentally emails 10,000 patient records to 200 patients
• Phishing/hacking nets nearly $3M from six healthcare entities
• University reports laptop with patient information stolen out of a student’s car
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients’ information
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2,200 physicians victims of ID theft/tax fraud
• Printers returned to leasing company compromise thousands of patient records
• Health system reports third stolen laptop with 13,000 patient records
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• Physician robbed at gunpoint, phone and computer taken, thief demands passwords
• International hacking group uses phishing, then steals information on almost 80M people
• And on and on it goes…


The Emergent Threat: Black Hat 2014

• Snatching passwords w/ Google Glass

• Screen scraping VDI anonymously

• Compromising AD through Kerberos

• Remote attacks against cars

• Memory scraping for credit cards

• Compromising USB controller chips

• Cellular compromise through control code

• Free cloud botnets for malware

• Mobile device compromise through MDM flaws

• Cryptographic flaws and a Rosetta Stone

Black Market Driven

• Darknets will be more active, participants will be vetted, cryptocurrencies will be used, greater anonymity in malware, more encryption in communications and transactions

• Black markets will help attackers outpace defenders
• Hyperconnectivity will create greater opportunity for incidents
• Exploitation of social networks and mobile devices will grow
• More hacking for hire, as-a-service, and brokering


Increased Reliance

More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized, and accountable care/patient engagement rely on it. The enterprise is critical to delivering healthcare. Any outage, corruption of data, or loss of information risks patient safety and care.

[Diagram around the slide: BYOD, Physician Alignment, Business Associates, Patient Engagement, Big Data, Accountable Care Organization, Meaningful Use, Supply Chain, Research, Telemedicine, Ingestibles, Health Information Exchanges]


Insider Abuse: Trust, But Verify

• It is estimated that more than half of all security incidents involve staff
• 51% of respondents in a SANS study believe the negligent insider is the chief threat
• 37% believe that security awareness training is ineffective
• Traditional audit methods & manual auditing are completely inadequate
• Behavior modeling, pattern analysis and anomaly detection are what is needed


Questionable Supply Chains

• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions


Devices Threaten Safety & Information

In June 2013 the DHS tested 300 devices from 40 vendors; ALL failed. In response the FDA issued guidance for manufacturers and consumers addressing design, implementation and radio frequency considerations.

“Yes, terrorists could have hacked Dick Cheney’s heart.” ‐ The Washington Post, October 21, 2013


Malware & Persistent Threats

• 3.4 million botnets active
• 20–40% of recipients in phishing exercises fall for the scam
• 26% of malware delivered via HTML; one in fewer than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• As of April 2014 Microsoft no longer provides patches for Windows XP, Windows 2003, Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management… all critical
• Objective testing and assessment

“FBI alert warns healthcare not prepared”

[Chart: 2006: 200K; 2008: 17M; 2013: 73M; 2014: 100M]


Mobility & Data

• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…
• Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest


ID Theft & Fraud

• Medical identity theft increased 21.7% in 2014 (Ponemon Institute)
• US CERT estimates 47% of cybercrime is aimed at healthcare
• More than 70% of identity theft and fraud were committed by knowledgeable insiders – physicians, nurses, pharmacy techs, admissions, billing, etc.
• Healthcare-directed attacks have increased more than 20% a year for the last three years running
• Insiders selling information to others
• Hackers exploiting systems
• Malware with directed payloads
• Phishing for the “big” ones


Theft & Losses Thriving

• 68% of healthcare data breaches due to loss or theft of assets
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops are left in airports each year…
• First rule of security: no one is immune
• 138%: the % increase in records exposed in 2013
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%

“Unencrypted laptops and mobile devices pose significant risk to the security of patient information.” ‐ Sue McAndrew, OCR


Hacking & Other Cyber Criminals

• Defenses are not keeping pace
• Three most common attacks: spear phishing, Trojans & malvertising
• APTs, phishing, water cooler attacks, fraud, etc.
• Most organizations can’t detect or address these threats effectively
• An advanced incident response capability is required
• Results in loss of time, dollars, downtime, reputation, litigation, etc.
• Conduct independent risk assessments regularly

[Chart: Targeted Attacks (scale 0–100): organizations suffering a targeted attack; sophistication of attack hardest element to defeat; no increase in budget for defenses]

“I feel like I am a targeted class, and I want to know what this institution is doing about it!” ‐ Anonymous Doctor


More Compliance

• OIG shifts focus to funds recovery
• OCR’s permanent audit program will resume in FY 2015 with new capabilities
• Improvements and automation in reporting and handling complaints
• Meaningful Use audits are evolving in scope and impact
• The FTC remains committed to enforcement of privacy and security
• States continue to create new laws
  • Florida Information Protection Act
  • New Jersey Health Insurers Encryption Law

SB1353 seeks to establish a common framework for security and create a universal requirement for notification.

When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises.


Today’s Regulatory Complexity

• 47 state + 3 territory breach notification laws
• Differ with respect to:
  • Definitions
  • Risk of harm
  • Safe harbor
  • Exemptions
  • Timing
  • Content
  • Notice to regulators, agencies, etc.
• A plethora of federal laws & other standards
  • HIPAA Omnibus Final Rule
  • GLBA, PCI


Stages of “Omnibus Breach Notification Rule” Compliance

• Denial: The Interim Final Rule Era
• Anger: 2009 “Risk of Harm” Backlash & Fury
• Bargaining: Harm Test Advocates vs. Opponents
• Risk of Harm Revisited
• Acceptance: 2013 Final Breach Notification Rule

Growing Regulatory Complexity

• Proposed Federal Breach Notification Laws
  • The Personal Data Notification and Protection Act
  • “You may wish to go back to 47 state laws!” ‐ McDonald Hopkins PLC
• Proposed State Laws and Amendments
  • Indiana (SB 413) Tentative Effective Date 7/15
  • New Mexico (HB 217) Passed House on 2/19
  • New Hampshire Education Data Privacy Bills (HB 322, HB 507, HB 520)
  • Maryland (SB 548) Tentative Effective Date 10/1/15
  • Montana (HB 74) Tentative Effective Date 10/1/15
  • Wyoming (SF 35) Tentative Effective Date 7/1/15
  • Michigan (SB 33) Education Data Disclosure Reporting Bill


[Chart: What security threats is your organization most concerned about? (2014 vs. 2013 responses)]

Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.

Has your organization suffered a data breach involving the loss or theft of patient data in the past 24 months?

Response                    2014   2013   2012
No                           9%    10%     6%
Yes, 1 breach               12%    16%    16%
Yes, 2 to 5 breaches        39%    36%    33%
Yes, more than 5 breaches   40%    38%    45%

Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.


How was the data breach discovered?

Discovery method      2014   2013   2012
Accidental             23%    26%    26%
Loss prevention         5%    12%    10%
Patient complaint      30%    35%    36%
Law enforcement         6%     7%     5%
Legal complaint        18%    19%    26%
Employee detected      44%    46%    47%
Audit/assessment       69%    58%    52%

Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.

Nature of the breach

Cause                                         2014   2013   2012
Unintentional employee action                  40%    46%    42%
Intentional non‐malicious employee action       7%     8%     8%
Technical systems glitch                       31%    32%    31%
Criminal attack                                45%    40%    33%
Malicious insider                              12%    12%    14%
Third‐party snafu                              39%    41%    42%
Lost or stolen computing device                43%    49%    46%

Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.


Incident Response: What are the things we should be considering?

• Keys to being prepared for managing incidents, including dealing with media and information dissemination
• Tools and methodologies for correlating incidents and managing incidents
• Real world cases


What are the basics?

Have a Plan

• Remember – this is not just a privacy or security issue


Incident Response Process

Overall Process


Define accountability

Designated Official                  Type of Incident
Privacy Officer                      PHI
Chief Information Security Officer   ePHI, PII, or other information-related IS incidents
Corporate Compliance Officer         Corporate compliance issues
Research Integrity Officer           Research compliance issues

Incident Management Team

• Chief Information Officer
• Chief Information Security Officer
• Chief Medical Officer
• Corporate Compliance Officer
• Privacy Officer
• Risk Management
• General Counsel
• President
• Research Integrity Officer
• VP Human Resources
• Marketing & Communications
• Leaders from affected departments


Document and Review: Breach Review

• Show your work
• The burden of proof has shifted
• You need to show that the information has a low probability of compromise


Besides an incident management process …


Complete asset inventory

Do you know what you have on the internet?


Who knew?

What would happen if you had to disconnect from the internet?


Could you communicate without email?

• How often do our meeting announcements include the passwords or codes for the meeting?

Too much information?


Daily Safety Brief

• Seattle Children’s huddles at the start of every day to maintain situational awareness of immediate problems impacting safety and quality of patient care

What about outside communication?


Crisis Communication Plan

• Assemble the team
• Gather and confirm as much information as possible
• Identify key internal and external audiences who need to be informed
• Develop simple and concise key messages
• Develop and implement a plan to communicate to key audiences
• Assess ongoing communications
• Do not speculate

Questions to consider

• What is currently known about the issue?
• What needs to be done now to take care of any affected patient, family member, or member of the public?
• How do we avoid a repetition of the incident?
• When, where, and how did the incident happen?
• Who was involved in the incident?
• What other sources of information can be accessed?


Questions to consider (continued)

• What is the worst case scenario?
• What are the short/long term implications?
• Who will be affected? Who needs to know the status of the situation?
• What steps should be taken to protect and support any involved provider or staff member?
• How will key audiences be impacted?

Potential communication mediums

• Phone calls and email
• Notifications to internal audiences
• News conferences
• Written statements
• In-person and phone interviews
• Website bulletins and updates
• Twitter and Facebook posts
• On-the-ground staff messages they can use with patients, families, etc.


Well trained professionals


You cannot do this alone …

Example Cases


Case background

• The help desk receives a call from one of the clinical psychologists. She is requesting a password reset.
• The user reveals that she suspects there is a key logger program installed on her personal laptop.
• The help desk reset the user’s password and turned the case over to the information security department.

Significant Events

Time            Event
Day 1 15:31:21  Installation of eBlaster key logger program
Day 3 04:36:20  Activity from 12.XXX.XXX.XXX (04:36:20 – 04:41:00), 4 minutes 40 seconds; OWA authentication for userid XXXX (04:36)
Day 3 08:07:45  Activity from 76.XXX.XXX.XXX (08:07:45 – 08:07:49), 4 seconds; NO OWA authentication
Day 3 08:27:03  Activity from 76.XXX.XXX.XXX (08:27:03 – 08:30:35), 3 minutes 32 seconds; OWA authentication for userid XXXX (08:27)
Day 3 13:50:16  Activity from 76.XXX.XXX.XXX (13:50:16 – 13:54:33), 4 minutes 17 seconds; OWA authentication for userid XXXX (13:52)
Day 3 16:30:02  Activity from 12.XXX.XXX.XXX (16:30:02 – 16:59:10), 29 minutes 8 seconds; OWA authentication for userid XXXX (16:30, 16:35, 16:41, 16:47)

Key: Important Events; Authorized OWA Activity; Unauthorized OWA Activity

Email: 133MB in overall size, including 1,891 individual emails in 41 different folders


The problem …

• Based on incidents and regular walkthroughs, we saw increased evidence of PHI issues with:
  • Visible spaces
  • Printing and faxing
  • Disposal

Awareness Campaign

• Cover it up or turn it over. If you leave the immediate area, cover up or turn over the PHI so no information is visible.
• Know where it’s going. Check the destination when printing or faxing.
• Shred it or park it. If you find papers on a printer, fax or another location, find a Shred-It bin or place them in a “PHI deposit here” container.


Sign examples



Paper Plays a Big Role in Healthcare PHI Incidents

Paper PHI/PII Incidents (Proportion %). Source: ID Experts RADAR Data Analysis

Paper vs. Other Categories
Paper            63%
Electronic       29%
Verbal/Visual     8%

Paper Sub‐Categories
Misdirected Mail                              43%
Paper Record                                  31%
Misdirected Fax/Ad‐Hoc Manual                 11%
Misdirected Fax ‐ Automated                    8%
File(s)                                        5%
Prescription Order/Label                       2%
Label (Medical Device/Prescription/Room)       0%


Electronic PHI/PII Incidents (Proportion %). Source: ID Experts RADAR Data Analysis

Electronic vs. Other Categories
Paper            63%
Electronic       29%
Verbal/Visual     8%

Electronic Sub‐Categories
Email                                    42%
Online Portal                            12%
Electronic Medical Record                 8%
Application                               8%
PDA                                       7%
Records/Files                             6%
Laptop                                    5%
Network Server                            2%
Storage Device (tape, disk, etc.)         2%
Desktop                                   2%
FTP Site                                  2%
Network Access                            2%
Posted Online (social media)              1%
Decommissioned Office Machines            1%

PHI/PII Data Controls (Proportion %). Source: ID Experts RADAR Data Analysis

Paper Incidents
Information was in plaintext                     93%
Information was under physical safeguard          7%
Information was statistically de‐identified       0%
Information was redacted                          0%

Electronic Incidents
No controls were present on electronic data                      30%
Data is identifiable or recipient has ability to re‐identify     21%
Password protected & password was not compromised                17%
Encrypted to NIST standard; key was not compromised              14%
Encrypted but evidence of access with valid credentials           6%
Information was encrypted; key was not compromised                6%
Password protected & password was compromised                     4%
Information was statistically de‐identified                       1%
Encrypted; unsure of encryption key’s security                    1%
Information was redacted                                          0%


Incident Cause or Intent (Proportion %). Source: ID Experts Data Analysis

All Incidents
Unintentional                  87%
Intentional Non‐Malicious       7%
Intentional Malicious           6%

Intentional Malicious Incidents
Unauthorized Access            43%
Theft of Information           27%
Unauthorized Use               14%
Hacking/Malware                 9%
Exposure of Information         4%
Unknown                         3%

Incident Recipient Types (Proportion %). Source: ID Experts RADAR Data Analysis

All Recipients
Unauthorized    81%
Authorized      19%

Authorized Recipients
Employee                46%
Covered Entity          34%
Business Associate      17%
Federal Agency           2%
Health Plan Sponsor      1%
OHCA                     0%


Incident Recipient Types (Proportion %). Source: ID Experts RADAR Data Analysis

Unauthorized Recipients (81% of all recipients)
Patient/Insured Member                    24%
Member of General Public                  22%
Covered Entity                            15%
Employee                                  12%
Unknown                                   11%
Relative/Household Member                  5%
Business Associate                         3%
Vendor (non‐covered entity or BA)          2%
Employer of Patient                        2%
Another patient’s family member            1%
Hacker                                     1%
Attorney or Lawyer                         1%
Federal Agency                             1%
Health Plan Sponsor                        0%
OHCA                                       0%

Data Risk Mitigation (Proportion %). Source: ID Experts Data Analysis

Data Risk Mitigation Scope
Risk Mitigated      69%
No or Unknown       31%

[Chart: Data Risk Mitigation Frequency. Categories: Returned without written assurance; Returned w/o written assurance, obligated to safeguard PHI/PII; Provided written assurance and will not be further used or disclosed; Confirmed use of information as permitted. Values: 43%, 27%, 14%, 7%, 5%, 3%, 1%]


Data Risk Mitigation (Proportion %). Source: ID Experts Data Analysis

Data Risk Mitigation Frequency and Reason for Inability to Mitigate Risk
Risk Mitigated                          69%
Unable to retrieve                      20%
Confirmed viewing or acquisition         6%
Confirmed improper use                   5%
Destroyed but unsure of backup copy      0%
(No or Unknown: 31% in total)

Notification Frequency by Incident Category

              Electronic Incidents   Paper Incidents
Mandatory            17%                   22%
Voluntary             4%                   10%
None                 79%                   68%


Notification Frequency by Industry

              Insurance / Financial   Hospital   Pharmacy
Mandatory             18%               21%        21%
Voluntary              7%                1%        19%
None                  75%               78%        60%

[Chart: Business Associate: two values, 2% and 98%, across the Mandatory / Voluntary / None legend]


Notification Frequency by Business Associates (BA)

[Chart: BA Notification: two values, 2% and 98%, across the Mandatory / Voluntary / None legend]

BA Risk Assessment Outcome
High Risk      4%
Med Risk      10%
Low Risk      86%

Know your incidents


Incident Response Complexity

[Diagram: Event → Incident → Data Breach, laid over the Incident Response Life Cycle (based upon NIST 800-61, Computer Security Incident Handling Guide): Detection & Analysis → Containment & Eradication → Post-Incident Activity. After analysis: PII or PHI? Yes → Regulatory Assessment → No Breach, or Breach → Regulatory Compliance: Incident Notification. Running underneath: Regulatory Burden of Proof Documentation.]

Common Sources of Detection:
• IDPSs
• SIEMs
• File Integrity Checking
• Anti-virus & spam
• OS & App. Logs
• Network Logs
• People
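The flow on this slide (event, incident, PII/PHI involved?, regulatory assessment, breach or no breach, and a documented burden of proof throughout) can be written down as a small decision routine. The following is an added example, not code from the presentation and not the RADAR platform's logic: it models an incident with the data-control and mitigation categories the ID Experts data uses, routes it to the designated official from the accountability table earlier in the deck, and produces the "show your work" record the Breach Review slide asks for. The field names, the ordering of factors and the rule that only NIST-standard encryption with an uncompromised key or a documented mitigation yields "no breach" are assumptions of this example, not a statement of what any regulator requires.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    EVENT_ONLY = "event only: no incident declared"
    INCIDENT_NO_PHI = "incident without PII/PHI: handle, no regulatory assessment"
    NO_BREACH = "PII/PHI incident: low probability of compromise documented, no notification"
    BREACH = "PII/PHI incident: breach, notification required"


@dataclass
class Incident:
    """Facts established during Detection & Analysis. Field names are assumptions
    chosen to mirror the data-control and mitigation categories on the slides."""
    description: str
    is_incident: bool               # analysis confirmed a real incident, not a benign event
    contains_phi: bool = False
    medium: str = "electronic"      # "electronic" or "paper"
    encrypted: bool = False         # encrypted to NIST standard
    key_compromised: bool = False
    password_protected: bool = False
    password_compromised: bool = False
    mitigated: bool = False         # returned with written assurance, or use confirmed as permitted
    confirmed_access: bool = False  # confirmed viewing, acquisition or improper use


@dataclass
class Assessment:
    outcome: Outcome
    designated_official: str | None
    reasons: list[str] = field(default_factory=list)

    def documentation(self) -> str:
        """The 'show your work' record: the outcome plus every factor relied on."""
        lines = [f"Outcome: {self.outcome.value}",
                 f"Designated official: {self.designated_official or 'n/a'}"]
        lines += [f"- {r}" for r in self.reasons]
        return "\n".join(lines)


def designated_official(inc: Incident) -> str:
    # Accountability table from the deck: PHI on paper -> Privacy Officer;
    # ePHI, PII and other information-related IS incidents -> CISO.
    return "Privacy Officer" if inc.medium == "paper" else "Chief Information Security Officer"


def assess(inc: Incident) -> Assessment:
    if not inc.is_incident:
        return Assessment(Outcome.EVENT_ONLY, None, ["analysis did not confirm an incident"])
    official = designated_official(inc)
    if not inc.contains_phi:
        return Assessment(Outcome.INCIDENT_NO_PHI, official, ["no PII/PHI involved"])
    # Regulatory assessment. The burden of proof has shifted: a PII/PHI incident
    # is presumed a breach unless a low probability of compromise is documented,
    # so the default here is BREACH and each branch has to earn NO_BREACH.
    reasons: list[str] = []
    if inc.confirmed_access:
        reasons.append("confirmed viewing, acquisition or improper use of the information")
        return Assessment(Outcome.BREACH, official, reasons)
    if inc.encrypted and not inc.key_compromised:
        reasons.append("encrypted to NIST standard; key was not compromised")
        return Assessment(Outcome.NO_BREACH, official, reasons)
    if inc.mitigated:
        reasons.append("risk mitigated: returned with written assurance or use confirmed as permitted")
        return Assessment(Outcome.NO_BREACH, official, reasons)
    if inc.encrypted and inc.key_compromised:
        reasons.append("encrypted, but the key was compromised")
    elif inc.password_protected and not inc.password_compromised:
        reasons.append("password protected only (not encryption); password not known to be compromised")
    elif inc.password_protected:
        reasons.append("password protected and the password was compromised")
    else:
        reasons.append("no controls were present on the data")
    reasons.append("no mitigation documented; presumption of breach stands")
    return Assessment(Outcome.BREACH, official, reasons)


if __name__ == "__main__":
    # Constructed scenarios, in the spirit of the incident list earlier in the deck.
    for inc in (
        Incident("alert on a blocked port scan", is_incident=False),
        Incident("lost encrypted laptop with patient records", True, contains_phi=True, encrypted=True),
        Incident("fax misdirected to another covered entity", True, contains_phi=True,
                 medium="paper", mitigated=True),
        Incident("lost USB stick, password protected, unencrypted", True, contains_phi=True,
                 password_protected=True),
    ):
        print(f"== {inc.description}\n{assess(inc).documentation()}\n")
```

The order of checks is the substance: confirmed access is examined before any control, so a "we encrypted it" argument cannot override evidence that someone actually read the data, and the fall-through branches record why password protection or a compromised key did not get the organization out of notification.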


Incident Risk Assessment is Complex


Compliance Challenges

Organizations struggle to effectively manage incidents. A recent Ponemon study found:
• Only 35% of respondents are using automated processes
• Almost half say they are not in compliance with the federal rule
• Lack of consistency is the top complaint with the current process

Complaints About Current Incident Assessment Process
Lack of consistency     79%
Inability to scale      48%
Difficult to use        23%

Source: 4th Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute, March 2014


Incident Risk Assessment Needs Consistency & Automation

[Diagram: Security Incidents → Data Breach Y/N? Are any of the incidents a (reportable) breach? Most incidents have subtle but relevant aspects; multiple regulations, multiple factors & time critical. RADAR® Incident Response Management Platform]

• Federal Laws (HIPAA/HITECH, GLBA)
• State & Territorial Laws
• International Laws


In Conclusion

1. Regulatory environment is complex and getting more complex

2. Prepare and practice for real world incident scenarios

3. Use the right tools designed for threat intelligence, incident correlation and response management

Know the rules

Follow the rules

Prove it!