information security office - sandissandis.org/.../03/itconf_security_bryanjohnson.pdf ·...
Information Security Office Bryan Johnson | CISO [email protected]

Post on 15-Jul-2020

Page 1: Information Security Office - SANDISsandis.org/.../03/ITConf_Security_BryanJohnson.pdf · Information Security - Technical What is Information Security What is risk How do we assess

Information Security Office

• Bryan Johnson | CISO

[email protected]

Page 2:

What do these have in common?

Page 3:

Breaches NOT IF BUT WHEN!

“42% of businesses had to deal with a data breach last year, and they cost $1.23 million on average…” — K. Labs, 2018

“31% of global data breaches led to employees getting laid off from their jobs…” — K. Labs, 2018

Page 4:

Potential or Actual

Which one is not like the others?

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information | Business Associate Present
AccuDoc Solutions, Inc. | NC | Business Associate | 2,652,537 | 11/27/2018 | Hacking / IT Incident | Network Server | Yes
Iowa Health System d/b/a UnityPoint Health | IA | Business Associate | 1,421,107 | 7/30/2018 | Hacking / IT Incident | Email | Yes
Employees Retirement System of Texas | TX | Health Plan | 1,248,263 | 10/15/2018 | Unauthorized Access / Disclosure | Other | No
CA Department of Developmental Services | CA | Health Plan | 582,174 | 4/6/2018 | Burglary | Paper/Films | No
CNO Financial Group, Inc. | IN | Health Plan | 566,217 | 10/25/2018 | Unauthorized Access / Disclosure | Other | No

Page 5:

Where to begin?

Page 6:

Privacy Training

Information Security (technical)

Security Awareness Training

Page 7:

Privacy

Understanding the data we use…

What is secure, what is insecure

What are the OCR Exceptions

Page 8:

19 Individual Identifiers

1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
4. Telephone numbers
5. FAX number
6. Social Security number
7. Medical record number
8. Health plan beneficiary number
9. Account number
10. Online account – user name or email address, in combination with a password or security question and answer
11. Certificate/license number
12. Any vehicle or other device serial number
13. Device identifiers or serial numbers
14. Web URL
15. IP address
16. Finger or voice prints
17. Photographic images
18. Any other unique identifying number, characteristic, or code (e.g. UCI)
19. Vehicle license plate number (effective January 2016)

NOTE: In California unauthorized disclosure of an individual’s “Name” and any other “notice-triggering” data element (shown in blue, underlined & bold on the slide) is considered a reportable breach.

Note: Item #19 Vehicle license plate number is not a Federal personal individual identifying data element.

Page 9:

Comparison of Secured versus Unsecured PHI

Page 10:

Encrypt

It’s the only authorized way to prevent a breach!

It’s cheap to deploy!

Page 11:

Consequences!

Page 12:

Technical Controls

These are often the simplest controls to put in place to help minimize the risk to our organizations.

Page 13:

Cyber Attacks

• The number of unique “cyberincidents” in the 2nd quarter of 2018 was 47% higher than in the same quarter a year earlier; 54% were targeted rather than part of mass campaigns. (Positive Technologies)

• Socially engineered malware provides the No. 1 method of attack.

• Ransomware is increasing: in 2017 the FBI’s Internet Crime Complaint Center received 1,783 ransomware complaints that cost victims over $2.3M. These represent only the attacks that were reported.

Page 14:

Email is the #1 Method for Hackers to Infiltrate Your Computer / Network

Email filters have a 10–15% failure rate!

I’m in! heh, heh, heh!

Page 15:

Sample of Phishing Email

Actual address of Chase Privacy Operations

Sense of Urgency

The link can either load malware or take you to a fake website asking for sensitive information.

Page 16:

Spoofing (CEO Fraud)

Cybercriminals spoof company email accounts and impersonate executives.

Then they try to fool an employee into doing things like:

• Unauthorized wire transfers

• Sending out confidential tax information

• Making gift card purchases and sending the gift card number and PIN to the hacker

They also make the messages seem “urgent”.
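As an added example (not code from the presentation or from DDS), a small Python check that applies the three signals this slide describes to a raw inbound message: an executive’s display name on an address outside our domain, a Reply-To that redirects replies to a different domain, and urgency or payment language. The internal domain, the executive roster and the two sample messages are constructed for the example.

```python
# Added example (not from the DDS presentation): flag CEO-fraud style impersonation
# in raw RFC 822 mail. The internal domain, executive roster and sample messages are constructed.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"                 # assumed: our own mail domain
EXECUTIVES = {"bryan johnson", "beth smith"}    # constructed: names an attacker would impersonate
URGENCY_CUES = ("urgent", "immediately", "asap", "wire transfer", "gift card")

def normalize(name):  # lower-case and collapse whitespace so 'Bryan  JOHNSON' matches the roster
    return " ".join(name.lower().split())

def domain_of(addr):  # lower-cased domain part of an address ('' if there is none)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return the reasons a message looks like CEO fraud; an empty list means no finding."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    impersonates_exec = normalize(from_name) in EXECUTIVES
    reasons = []
    # 1. Executive display name, but the address is not on our domain.
    if impersonates_exec and domain_of(from_addr) != INTERNAL_DOMAIN:
        reasons.append(f"executive display name from external domain {domain_of(from_addr)}")
    # 2. Replies silently redirected to a different domain than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")
    # 3. The pressure tactics the slide describes: urgency plus a payment or gift-card ask.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    cues = [c for c in URGENCY_CUES if c in text]
    if impersonates_exec and cues:
        reasons.append("urgency/payment cues: " + ", ".join(cues))
    return reasons

SPOOFED = """\
From: Bryan Johnson <bryan.johnson@mail-example.net>
Reply-To: ceo-desk@webmail-example.com
Subject: URGENT - need this done today

Are you at your desk? Please buy gift cards and send me the numbers.
"""
LEGIT = """\
From: Bryan Johnson <bryan.johnson@example.org>
Subject: Training dates

The ISO training sessions begin in July.
"""
```

Run `check_message(SPOOFED)` to see all three findings fire, and `check_message(LEGIT)` to confirm a genuine internal message produces none.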

Page 17:

Advanced Threat Protection

Page 18:

Threat Vectors – wireless keyboards

• KeySniffer

• Attacker can see all keystrokes a victim types, such as login, password, credit card numbers, etc. – in clear text

• Can be attacked from hundreds of feet away using less than $100 of equipment

• Wireless keyboard manufacturers affected: HP, Toshiba, Kensington, Radio Shack, etc.

• Solution: switch to wired keyboards, or to Bluetooth keyboards with strong encryption (AES-128 or better)

Page 19:

Bad USB Attack (Cable Injectors)

USB cable that injects keystrokes – the cable becomes a “Hit Device”

Could look like an ordinary charging cable (USB to micro USB)

• When plugged in, keystrokes are injected that cause the computer to become “controlled” by a remote hacker

• Can be triggered on a timer, over Bluetooth or GSM, etc., or immediately on connection

Other “Hit Devices”:

• Weaponized mice – handed out as giveaways, gifts, door prizes, etc.; capable of infecting the computer

Page 20:

EPP – End Point Protection

Page 21:

Staff Training

Securing The Human

80% of breaches originate from simple mistakes.

Page 22:

What’s new @ DDS – We’ve Grown

New Security Staff

• Bryan – Chief Information Security Officer (CISO)

• Beth – Privacy Officer (PO)

• Nate – Security Engineering (Tech Sec Officer)

Existing ISO Staff

• Graeme Cook – Security Training

• John Hansen – Security Training

• Andrew Fong – Security Operations

Page 23:

The Curriculum

Security Awareness 101 – (45 min)

Privacy Training – (45 min)

Information Security (Risk Mitigation / Technical Controls / Physical) – (45 min)

Page 24:

Security Awareness 101

What is Information Security

Why it is important to protect our information assets

How do we protect them

What is an Incident or Data Breach

• How do they happen

• Intentional

• Unintentional

• How to prevent them

• What to do if they occur

Page 25:

Privacy Training

What is Privacy

What information is protected under Privacy laws

HIPAA, CA Consumer Privacy Act of 2018, FISMA

How these laws affect us

Rights, responsibilities and consequences

Data breaches

What is a data breach?

How they happen

How to prevent them

What to do if there is a breach

Page 26:

Page 27:

Information Security - Technical

What is Information Security

What is risk

How do we assess risk

• Information System Security Plans (ISSPs)

How do we mitigate risk

• Administrative controls

• Policies, Regulations, Training, Security Awareness program

• Logical controls

• Access, IPS/IDS, proxy servers, firewalls, routers

• Physical controls

• Fences, lighting, door locks, securing computing devices and confidential documents

Page 28:

Available Training Dates

• DDS ISO Staff will be available…

• Beginning this summer (July 2019)

Contact DDS ISO ([email protected])

Page 29:

Cleanup Items

Technical Bulletins

- TB479 – RC Contacts

- TB747 – Breach Reporting

Page 30:

Page 31:

Thank You to the following RCs:

• South Central Los Angeles

• Westside

• Valley Mountain

• San Gabriel/Pomona

• East Bay

• Far Northern

• San Andreas

• Orange County

• Redwood Coast

• North Bay

Page 32:

Questions?