TRANSCRIPT
Don’t Be the Next Victim!
Paul Johnson, Senior Manager Risk Advisory Services
Wipfli LLP
Agenda
• Threat landscape
• Latest attacks & breaches
• Recent regulatory activities
• NIST cybersecurity framework
• Countermeasures
• Q&A
Notable Data Breaches & Vulnerabilities
Business Has Changed
• Big Data
• Mobile apps
• Compliance
• BYOD
• Outsourcing
Threats Have Changed
• 2013 cost of cybercrime: $500B+
• Increase in mobile malware: 400%
• Investigations due to a web application exploit: 48%
• Investigations that involved an outsourced provider: 63%
HHS-OCR Data Breach List is Growing…
Verizon 2014 Data Breach Report
Breach Detection Concerns
• 205 days – median number of days that attackers were present on a victim’s network before being discovered. Longest presence: 2,982 days.
• 69% – victims notified by an external entity (e.g., law enforcement).
Source: Mandiant M-Trends 2015
How Do Attacks Occur
• 52% used some form of hacking
• 76% exploited weak or stolen credentials
• 40% incorporated malware
• 35% involved physical attacks
• 29% employed social tactics
• 13% involved privilege misuse
Ransomware – Manufacturing Company
1. An employee clicked on an e-mail purporting to be from UPS.
2. Network outage – all data was encrypted.
3. The company president was contacted with a demand for a $300 ransom, payable in Bitcoin.
4. All backups were encrypted as well, because the backup system was not set up properly: the backup copies were writable from the infected system.
5. The ransom rose to $3,000 after 72 hours had passed.
Anthem – Targeted Hacking Attack
Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and obtained personal information from current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.
– System administrator’s security credentials were compromised.
– Phishing attacks and malware were likely used in the attack.
– Database was the main target of reconnaissance efforts.
UCLA Health – Targeted Hacking Attack
Marking another high-profile data breach, hackers broke into UCLA Health System's computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said.
The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.
The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.
http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html
Sunglo Home Health Services – Computer Theft
Sunglo Home Health Services notified customers/patients of a data breach after their facility was broken into and one of the company laptops was stolen. The laptop contained patient information, including Social Security Numbers and personal health information.
Currently the company does not know the number of affected patients.
Veterans Affairs Hospital, SD – Insecure Disposal
The VA Hot Springs hospital notified patients of a data breach after files containing their Social Security numbers and other personal information were thrown in a trash bin without being shredded.
The incident took place in May, and the 1,100 patients who were affected were not notified until July 29, 2015. Reportedly, an employee discarded a box of patient files in a dumpster. The box was found two days later by another employee, who removed it from the trash.
UC Irvine Medical Center – Insider Breach
UC Irvine Medical Center notified patients of a data breach after an employee reviewed patient records without authorization.
The information this individual may have accessed included names, dates of birth, gender, medical record numbers, height, weight, Medical Center account numbers, allergy information, home addresses, medical documentation, diagnoses, test orders/results, medications, employment status, and the names of the patient’s health plan and employer.
What does all this mean?
The threat landscape is changing with the adoption of newer technologies.
Health information has become a valuable commodity.
Attacks are becoming more numerous and sophisticated.
Healthcare organizations face steep challenges in keeping pace with emerging threats.
HIPAA – OCR Audits
OCR Audit Program Facts
• Booz Allen Hamilton: developed the audit protocols.
• KPMG: performed the trial program audits.
• PwC: evaluating audit program results and feedback for future improvements.
• Phase 1 audits occurred between 2011 and 2012.
• Phase 2 audits have been postponed (starting up this fall).
Phase 2 – OCR Audits
• OCR has selected a pool of covered entities eligible for audit.
• Health care providers selected through the National Provider Identifier (NPI) database.
• Clearinghouses and health plans selected from external databases (e.g., AHIP).
• Random selection used when possible within types.
• Wide range of entity types (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories).
Phase 2 – Pre-Audit Survey
• Questions address size measures, location, services, and best contacts.
• OCR will conduct address verification with entities this spring.
• Entities will receive a link to an on-line screening “pre-survey” this summer.
• OCR plans to contact 550-800 entities.
• OCR will use the survey results to select a projected 350 covered entities and 50 business associates to audit (the BA pool is determined by the audited covered entities).
Important Note: OCR will most likely contact a C-level individual in the organization.
Phase 2 – Projected Entities to be Audited
Phase 2 – Audit Expectations
Covered Entities
Audits will target the sources of a high number of compliance failures in the pilot audits:
• Risk Analysis/Assessments
• Breach notification (content and timeliness of notifications)
• Privacy Rule – patient notice of privacy practices and access to PHI
Business Associates
• Risk Analysis/Assessment and risk management
• Breach reporting to covered entities
OCR isn’t the only one to be concerned with…
• State Attorneys General (provided training by OCR).
• Food and Drug Administration (medical device audits).
• Centers for Medicare and Medicaid Services (Meaningful Use audits).
• Whistleblowers.
• Class action lawsuits.
• Federal Trade Commission.
Regulatory Landscape – Wrap up
Phase 2 OCR audits are starting. They will not be friendly audits!
Others are getting into the enforcement game.
As the frequency and severity of healthcare data breaches continue to increase, so will the scrutiny of healthcare organizations’ privacy and security practices.
NIST Cybersecurity Framework
Executive Order 13636 – February 12, 2013
• Information sharing and collaboration.
• Develop a baseline framework of cybersecurity standards and best practices – National Institute of Standards and Technology (NIST).
• Establish a consultative process.
• Identify high-priority infrastructure.
• Incentives for voluntary participation.
• Review / assess regulatory requirements.
• Incorporate privacy and civil liberties.
Five Key Functions
Identify: Understand digital resources and associated risks.
Protect: Processes & technology designed to reduce risk.
Detect: Enabling rapid detection to reduce exposure to risk.
Respond: Taking action to stop or remediate an attack.
Recover: Ensure business continuity or restoration after security event.
NIST Cybersecurity Framework – Tiers
4 Levels of Cyber Risk Management Sophistication
Tier 1 (Partial): Management processes are not formalized and are ad hoc. Cybersecurity is viewed as “something that IT handles”; little to no collaboration on issues with external organizations.
Tier 2 (Risk Informed): Cyber risk has management-level attention, but the work still sits mostly in the IT department. Initial policy has been created and considers the organization’s role in the larger industry response to risk.
Tier 3 (Repeatable): Coherent policies and practices are understood and implemented across the organization. Connected to the larger industry effort to address risk, and benefits from shared information.
Tier 4 (Adaptive): Management is continuously improving by applying lessons learned from its own and third-party experiences. Risk management is part of the corporate culture, and the organization actively contributes risk information to larger industry efforts.
NIST Cybersecurity Framework in Action
How to Use the NIST Cybersecurity Framework
1. Prioritize and Scope – business mission and priorities.
2. Orient – systems and assets, regulatory requirements, risk approach.
3. Create a Current Profile.
4. Conduct a Risk Assessment.
5. Create a Target Profile.
6. Determine, Analyze and Prioritize Gaps.
7. Implement Action Plan.
Last Word about the NIST Cybersecurity Framework
The Framework is quickly being adopted across a variety of industries.
It can serve as a dashboard for communicating with senior management and business partners.
Detailed control frameworks (e.g., NIST SP 800-53, HITRUST) map to the NIST Cybersecurity Framework.
Countermeasures
Countermeasures will focus on four categories of threats:
– Physical Theft and Loss.
– Web Attacks & Crimeware.
– Miscellaneous Errors.
– Insider and Privilege Misuse.
Countermeasures – Physical Theft and Loss
• Keep track of your assets:
– Laptops
– Desktops
– Servers
– Portable media
– Other
Countermeasures – Physical Theft and Loss
• Use encryption and authentication when possible:
– Use strong passwords that change periodically.
– Use PINs for devices that support them.
– Use AES 256-bit encryption or better. Full-disk encryption also matters for breach notification: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not “unsecured PHI”, so losing an encrypted laptop is not a reportable breach.
Countermeasures – Physical Theft and Loss
• Be aware of your surroundings.
• Keep possession of sensitive devices at all times (e.g., cell phones).
• Lock down devices in public areas.
• Use tracking software.
Countermeasures – Physical Theft and Loss
• Review business partner controls for physical security:
– What do their policies and procedures say?
– What are their safeguards?
– Who reviews them?
– Will they report any losses to you in a timely manner?
Countermeasures – Web Attacks & Crimeware
• Browser considerations:
– Update browsers regularly.
– Disable the Java browser plug-in when possible.
– Update the device OS as well!
Countermeasures – Web Attacks & Crimeware
• Use these security programs:
– Firewall
– Intrusion detection/prevention
– Malware detection/prevention
– Spam filter
– Web content filter
• Keep them current!
Countermeasures – Web Attacks & Crimeware
• Use two-factor authentication.
• Passwords:
– Do not re-use passwords.
– Use complex passwords.
– Change them regularly.
– Use a password keeper.
• Use multiple e-mail accounts.
• Social media – don’t overshare.
Countermeasures – Web Attacks & Crimeware
• Consider single purpose devices for critical functions (e.g., wire transfer, ACH transactions, Internet banking).
• Consider which mobile devices to use for which activities based on threat targets.
• Monitor key systems and network traffic for suspicious changes in configuration or behavior.
Countermeasures – Web Attacks & Crimeware
• Train your staff:
– Latest threats and how to spot them.
– Countermeasures deployed.
– How to report potential incidents.
Countermeasures – Miscellaneous Errors
• Turn on egress firewall rules.
• Look for data exfiltration (e.g., data loss prevention tools).
• Lock down ports on your computers.
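The egress-rule and exfiltration bullets above (and the “look for data exfiltration” item under Insider & Privilege Misuse later in the deck) can be made concrete with a small check over outbound flow records: which Internet-bound flows no egress rule permits, and which internal host is sending far more outbound than its peers. The block below is an added example written for this transcript, not code from the presentation. The flow-record layout (timestamp, source IP, destination IP, destination port, bytes out), the internal network list and the allowlist rules are assumptions, and the flow records are constructed using documentation address ranges.

```python
"""Egress policy check and exfiltration triage over flow records.

Added example, not code from the original presentation. The flow records and
the allowlist below are constructed; the record layout
("timestamp src_ip dst_ip dst_port bytes_out") and the rule shape are
assumptions about what a firewall or NetFlow export provides.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed "inside" networks. Defined explicitly rather than via
# ipaddress.is_global, which treats the documentation ranges used below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed egress allowlist (the "egress firewall rules" of the slide):
# (src_ip, dst_ip or "*", dst_port or "*"). Only the web proxy and the mail
# relay may leave the network directly; workstations must use the proxy.
ALLOWED_EGRESS = [
    ("10.0.0.5", "*", 443),              # web proxy -> any HTTPS destination
    ("10.0.0.6", "198.51.100.25", 25),   # mail relay -> ISP smarthost
]

# Constructed flow records: one workstation (10.0.1.21) pushes 2.5 GB straight out.
FLOWS = """\
2015-07-29T10:00:00 10.0.0.5 203.0.113.10 443 120000
2015-07-29T10:00:05 10.0.0.5 203.0.113.11 443 90000
2015-07-29T10:01:00 10.0.0.6 198.51.100.25 25 40000
2015-07-29T10:02:00 10.0.1.20 10.0.0.5 8080 30000
2015-07-29T10:03:00 10.0.1.21 203.0.113.50 443 2500000000
2015-07-29T10:04:00 10.0.1.22 203.0.113.9 22 800
"""


def parse_flows(text):
    """Parse flow lines; malformed lines are skipped rather than guessed at."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_flows(flows):
    """Only Internet-bound traffic is subject to egress policy."""
    return [f for f in flows if not is_internal(f["dst"])]


def policy_violations(flows, rules=ALLOWED_EGRESS):
    """Internet-bound flows that no allowlist rule permits: exactly what an
    egress firewall with these rules would have blocked."""
    def permitted(f):
        return any(src == f["src"] and dst in ("*", f["dst"]) and port in ("*", f["port"])
                   for src, dst, port in rules)
    return [(f["src"], f["dst"], f["port"]) for f in external_flows(flows) if not permitted(f)]


def volume_outliers(flows, factor=10.0, min_bytes=100_000_000):
    """Hosts whose Internet-bound byte count exceeds both min_bytes and
    factor x the median of all hosts that sent anything outbound. Returns {src: bytes}."""
    totals = defaultdict(int)
    for f in external_flows(flows):
        totals[f["src"]] += f["bytes"]
    if not totals:
        return {}
    base = median(totals.values())
    return {src: b for src, b in totals.items() if b > min_bytes and b > factor * base}


def triage(text=FLOWS):
    flows = parse_flows(text)
    return {"violations": policy_violations(flows), "outliers": volume_outliers(flows)}


if __name__ == "__main__":
    for check, result in triage().items():
        print(check, result)
```

On the constructed data the two workstations talking straight to the Internet show up as policy violations, and 10.0.1.21 is also the volume outlier. The median-based threshold is deliberately relative: a proxy or mail relay legitimately sends more than any workstation, so the `min_bytes` floor and the peer comparison are both needed to avoid flagging them. In practice the baseline should come from days of history per host rather than a single window.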
Countermeasures – Miscellaneous Errors
• Ensure strong change controls for web technologies:
– Test security controls for each change.
– Periodically search for sensitive information.
– Employ oversight controls for publishing (verifying that published data is appropriate).
Countermeasures – Miscellaneous Errors
• Spot check mailings:
– Does sensitive information show through the mailing envelope address window?
Countermeasures – Miscellaneous Errors
• Proper disposal of:
– Hard drives.
– Portable media.
– Paper.
– Other devices (e.g., tablets, mobile phones, printers, scanners, copiers, iPods, others?).
Countermeasures – Insider & Privilege Misuse
• Keep track of your data:
– Application list.
– Electronic and physical documents/locations.
– Devices storing it.
Countermeasures – Insider & Privilege Misuse
• Review user access permissions regularly:
– Terminated users.
– Transfers.
– Business partner access.
– Inactive users.
• Consider separation of duties.
Countermeasures – Insider & Privilege Misuse
• Watch for suspicious activity:
– Review access logs.
– Look for data exfiltration.
– Review privileged access.
• Publish anonymous results of audits.
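The two preceding slides (review user access permissions regularly; watch for suspicious activity in access logs) describe the checks that would have caught the UC Irvine case earlier, and they can be scripted. The block below is an added example written for this transcript, not code from the presentation or from any EHR vendor. Every record in it is constructed, and the field layout is an assumption: a directory/HR export with user, role, department, HR status, directory-enabled flag and last login, and EHR audit-log lines of timestamp, user, action, patient ID and the patient’s department. It produces three findings: accounts to disable or re-certify, users browsing far more charts than peers in the same role, and accesses to patients outside the user’s own department, plus any export actions.

```python
"""Periodic access review and EHR audit-log triage for insider misuse.

Added example, not code from the original presentation. Every record below is
constructed, and the field layout (a directory/HR export with user, role,
department, status, enabled, last_login; log lines of
"timestamp user action patient_id patient_department") is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed directory/HR export: "status" is what HR says, "enabled" is what the directory says.
ACCOUNTS = [
    {"user": "jdoe",    "role": "nurse",   "department": "cardiology", "status": "active",     "enabled": True, "last_login": "2015-07-29T08:00:00"},
    {"user": "mlee",    "role": "nurse",   "department": "cardiology", "status": "active",     "enabled": True, "last_login": "2015-07-29T07:50:00"},
    {"user": "bjones",  "role": "nurse",   "department": "oncology",   "status": "active",     "enabled": True, "last_login": "2015-07-29T11:55:00"},
    {"user": "asmith",  "role": "billing", "department": "billing",    "status": "terminated", "enabled": True, "last_login": "2015-07-20T17:40:00"},
    {"user": "rpatel",  "role": "nurse",   "department": "oncology",   "status": "active",     "enabled": True, "last_login": "2015-03-01T09:00:00"},
    {"user": "vendor1", "role": "vendor",  "department": "it",         "status": "active",     "enabled": True, "last_login": "2015-07-29T02:15:00"},
]

# Constructed EHR audit log: bjones (oncology) pages through cardiology charts and exports one.
ACCESS_LOG = """\
2015-07-29T08:01:10 jdoe view P1001 cardiology
2015-07-29T08:05:30 jdoe view P1002 cardiology
2015-07-29T08:40:00 jdoe view P1003 cardiology
2015-07-29T08:02:00 mlee view P1004 cardiology
2015-07-29T09:10:00 mlee view P1001 cardiology
2015-07-29T12:01:00 bjones view P1001 cardiology
2015-07-29T12:01:30 bjones view P1002 cardiology
2015-07-29T12:02:00 bjones view P1003 cardiology
2015-07-29T12:02:30 bjones view P1004 cardiology
2015-07-29T12:03:00 bjones view P1005 cardiology
2015-07-29T12:03:30 bjones view P1006 cardiology
2015-07-29T12:04:00 bjones export P1007 cardiology
2015-07-29T02:15:00 vendor1 view P3001 oncology
"""

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, patient, dept = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "dept": dept})
    return events

def access_review(accounts, as_of, inactive_days=90):
    """Accounts to disable or re-certify: terminated users still enabled, and enabled
    accounts with no login within inactive_days. Returns {user: reason}."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["status"] == "terminated":
            findings[a["user"]] = "terminated but still enabled"
        elif datetime.fromisoformat(a["last_login"]) < cutoff:
            findings[a["user"]] = f"no login in {inactive_days} days"
    return findings

def flag_record_browsing(events, accounts, min_patients=5, factor=2.0):
    """Users who opened >= min_patients distinct charts in one day AND more than
    factor x the median for peers in the same role that day. Returns {user: count}.
    A role with a single member has no peer baseline and is never flagged."""
    role = {a["user"]: a["role"] for a in accounts}
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["patient"])
    baseline = defaultdict(list)
    for (user, day), patients in per_day.items():
        baseline[(role.get(user), day)].append(len(patients))
    return {user: len(p) for (user, day), p in per_day.items()
            if len(p) >= min_patients
            and len(p) > factor * median(baseline[(role.get(user), day)])}

def cross_department_access(events, accounts):
    """Chart views or exports on patients outside the user's own department."""
    dept = {a["user"]: a["department"] for a in accounts}
    return [(e["user"], e["action"], e["patient"], e["dept"])
            for e in events if e["user"] in dept and e["dept"] != dept[e["user"]]]

def triage(as_of=datetime(2015, 7, 30)):
    """Run every check over the constructed data."""
    events = parse_log(ACCESS_LOG)
    return {
        "access_review": access_review(ACCOUNTS, as_of),
        "record_browsing": flag_record_browsing(events, ACCOUNTS),
        "cross_department": cross_department_access(events, ACCOUNTS),
        "exports": [(e["user"], e["patient"]) for e in events if e["action"] == "export"],
    }

if __name__ == "__main__":
    for check, result in triage().items():
        print(check, result)
```

Two design points worth keeping when adapting this. The browsing check compares each user with peers in the same role on the same day rather than against a fixed number, because a triage nurse legitimately opens more charts than a billing clerk; the `min_patients` floor stops a quiet day with a median of one from flagging someone who opened three. And the access review reconciles two sources that drift apart in practice, HR status and directory state, which is exactly how terminated accounts stay enabled.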
Last Word about Countermeasures
• Consider this list your tool box:
– Determine what is appropriate for your unique environment.
– Consider other controls as well, based on the threats applicable to you.
– You likely won’t be able to completely eliminate a threat, nor should you try to.
• This is a risk management process!
References
• http://www.counciloncybersecurity.org/critical-controls
• http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
Session Wrap-up
In this session we discussed…
– Threat landscape.
– Latest attacks & breaches.
– Recent regulatory activities.
– NIST cybersecurity framework.
– Countermeasures.
Disclaimer
This information is provided solely for general guidance and informational purposes and does not create a business or professional services relationship. Accordingly, this information is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, or other competent advisers. Before making any decision or taking any action, you should obtain appropriate professional guidance.