Insight Into Healthcare Data Breaches & Protective Measures 2017 AMC Healthcare Conference Cheryl Lytle – UNC School of Medicine Jon Sternstein - Stern Security

Post on 02-Jun-2020

Insight Into Healthcare Data Breaches & Protective Measures

2017 AMC Healthcare Conference

Cheryl Lytle – UNC School of Medicine

Jon Sternstein - Stern Security

Cheryl Lytle

• UNC School of Medicine

• IT Security Specialist

Jon Sternstein

• Stern Security Founder & Principal Consultant

• Co-chair of NCHICA Privacy & Security Workgroup

• Former Healthcare Security Officer

Agenda

• Healthcare Data Breaches

• Breach Overview

• Recent Breaches

• Trends

• Protective Measures

• Case Studies

Healthcare Breaches

173,599,029

PHI For Sale on Dark Web

Behavioral Health Center in Maine Breached in 2017

4229 Patients

Name, address, phone, employer, DOB, SSN, therapy notes

Mentions uses for the PHI

Listed as SOLD

How are breaches occurring?

• “Hacking”/IT Incident

• Unauthorized Access/Disclosure

• Improper Disposal

• Loss

• Theft

Patient Records Lost by Category 10/2009-5/2/2017

Source: HHS.gov

Data Compiled by Stern Security

Breaches by Year 1/1/2015-5/2/2017

Source: HHS.gov

Data Compiled by Stern Security

Ransomware Breaches

Ransomware Causes Breach

Urology Austin

January 2017

Affected 279,663 Patients

Restored files from backup

Ransomware Breach Numbers

First noted in 2016

Increased in 2017

Most likely underreported

Breaches by Business Associate 1/1/2015-5/15/2017

Source: HHS.gov

Data Compiled by Stern Security

References

• HHS Ransomware Fact Sheet https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

• Behavioral Health Center of Maine Information for Sale on Dark Web https://www.databreaches.net/highly-confidential-psychotherapy-records-from-maine-center-listed-on-the-dark-web/

• Health & Human Services Data Breach List https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

• Urology Austin Ransomware http://kxan.com/2017/03/24/ransomware-attack-on-urology-austin-gets-patient-information/

• Stern Security https://www.sternsecurity.com

Jon Sternstein

Stern Security

www.sternsecurity.com

919-886-7685

UNC School of Medicine Data Protection & Monitoring for Security Incidents

Cheryl Lytle

June 2017

UNC Data Protection (Proactive)

• Policies/Standards/Guidelines

• Training, Training, Training

• Risk Assessments

• Tools

Incident Definition

• A security incident is a warning that there may be a threat to information or computer security. The warning could also be that a threat has already occurred. Threats or violations can be identified by unauthorized access to a system. (techopedia) Incidents can turn into breaches.

» Qualify an incident if sensitive information is involved

» Identify incidents for devices that are mission critical

» Remediate incidents that are a potential threat to the University, as in recent WannaCry ransomware

» Incidents can be technical (e.g. malware investigations) or non-technical (e.g. faxed wrong patient information).

6/12/2017 19

Standards/Policies/Guidelines

• Enforce hard drive encryption for all laptops with PII (other devices highly recommended)

» http://help.unc.edu/help/full-disk-encryption-guidance/

• File level encryption - strongly recommended

• Intrusion Prevention Systems

• Multi-Factor Authentication

• Additional restrictions for devices that store sensitive information or are mission critical

» https://its.unc.edu/files/2014/02/STANDARD-Information-Security-Controls.pdf

Standards/Policies/Guidelines (highlights) (2)

• Vulnerability Management Standard

» https://its.unc.edu/files/2014/02/STANDARD-Vulnerability-Management-20160218-PUBLICATION-VERSION.pdf

• Media disposal policy

» http://help.unc.edu/help/unc-chapel-hill-campus-standards-for-electronic-media-disposal/#P22_3725

• Sensitive Data Remediation

» https://help.med.unc.edu/guide/sir

• Risk Assessments

» https://its.unc.edu/files/2014/02/STANDARD-Information-Security-Controls.pdf

Tools to Protect & Monitor Data (Proactive)

• IPS alerts, receive daily/weekly listings of alerts

• Receive Net Flow data alerts

• Receive SIEM alerts

• Use Vulnerability Management tool

» Web application scanning tool

• Identity Finder/O365/SharePoint DLP

Where Tools/Policies Assist with Breaches

• SIEM

• Vulnerability scanner

• File level Encryption

• user awareness

• Risk Assessments

• media disposal policy

• user awareness

• Risk Assessments

• Data Loss Prevention/Sensitive Data Remediation

• Encryption

• Secure Physical Access

• Risk Assessments

• Vulnerability scanner

• net flow-detection

• SIEM-detection

• IPS alerts-prevention

• user awareness

• firewall url filtering

• firewall in-line

• malware filtering

• Centrally Managed Antivirus

• Risk Assessments

Hacking/IT Incident

Loss/Theft

Unauthorized Access/Disclosure

Improper Disposal

Training, Training, Training

• Specific Training as needed

» Training for researchers, IRB studies (Institutional Review Board)

» Training on Spear Phishing

» Training on how to protect Sensitive Information

» Go beyond policies

• Strongly encourage users not to store any SI on end point devices, but on secure servers protected by additional controls.

• General Training required

» User Security Awareness Training

» HIPAA annual training

Case Study

Background from User: A SOM user was on the Internet & a pop-up error message appeared with audio. It instructed the user to call an 888 number because confidential information was being stolen. The user called the 888 number and allowed them access to the computer and provided their name and email address. The user thought this was “Go to Assist”. After a few minutes, the user became suspicious and called the SOM Tech Support. The user admitted there was lots of SI on the computer.

What steps should be taken, and in what order?

Case Study - what was done

• We pulled the computer off the network, but left it powered on. Told the user not to touch the computer

• We requested net flow data and looked for high volumes of outbound data to unusual external IPs (network addresses).

• Went to the computer, retrieved startup files and volatile memory

• Took a screen snapshot of the messages the user was getting on the computer screen

• Retrieved the hard drive, made a forensic image

» Ran Identity Finder on hard drive

» Ran virus and malware scans on computer

• Informed Privacy Office of Possible Breach (Social Security numbers were involved - PII as well as PHI, 30 day notification timeline requirement)
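
The net flow review in the second step can be scripted. This added example (not part of the presentation) totals the bytes one host sent to each external address and flags destinations that are both high-volume and outside a baseline; the record layout, addresses, baseline set and 100 MiB threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the incident):
# start time, source IP, destination IP, destination port, bytes sent by source.
SAMPLE_FLOWS = """\
2017-05-01T14:02:11,10.20.30.41,10.20.1.15,445,48211
2017-05-01T14:03:40,10.20.30.41,198.51.100.23,443,1820
2017-05-01T14:05:02,10.20.30.41,203.0.113.77,8041,734003200
2017-05-01T14:05:09,10.20.30.41,203.0.113.77,8041,412090368
2017-05-01T14:06:55,10.20.30.41,198.51.100.23,443,96400
2017-05-01T14:07:12,10.20.30.41,203.0.113.200,443,5200
2017-05-01T14:07:30,10.20.30.41,192.0.2.10,53,212
"""

# Assumed values: tune both to the site. KNOWN_GOOD stands in for a baseline
# of destinations this host normally talks to.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_GOOD = {"198.51.100.23", "192.0.2.10"}
BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per destination


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_totals(flow_text, host):
    """Sum bytes sent by `host` to each external destination."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue  # skip blank or malformed records
        _, src, dst, _, sent = fields
        try:
            if src == host and not is_internal(dst):
                totals[dst] += int(sent)
        except ValueError:
            continue  # unparsable address or byte count
    return dict(totals)


def suspicious_destinations(flow_text, host):
    """External destinations that are high-volume and not in the baseline."""
    hits = [
        (dst, total)
        for dst, total in outbound_totals(flow_text, host).items()
        if total >= BYTES_THRESHOLD and dst not in KNOWN_GOOD
    ]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for dst, total in suspicious_destinations(SAMPLE_FLOWS, "10.20.30.41"):
        print(f"{dst}: {total / 2**20:.0f} MiB outbound")
```

An empty result for the host is one input to a "no exfiltration" finding, alongside the host logs and forensic image the later steps cover.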

Case Study, continued

• Reviewed OS logs, determined if CITRIX (virtual machine) was installed and reviewed logs for CITRIX

• Contacted CITRIX support to discuss product characteristics

• Determined no data exfiltration occurred

• User had completed required HIPAA training

» Requested complete User Awareness training

» Requested to meet with managers regarding the tremendous amount of SI stored on computer.

» SOM Tech Support met with the user and moved all the SI off the desktop.

Monitoring for Security Incidents

» SOM can receive an alert from central campus

• Via SCCM (System Center Configuration Manager), targeted SI group for malware not quarantined, Windows only

• Our firewall has several functions other than traditional firewalling:

» IPS alerts, URL filtering, in-line malware detection

» Internal Operations staff reviews

• Can receive a net flow Concern Index alert

» Self-reported malware/problem from a user

• Case study.

» Notified by external parties of unusual activity (spamming as in Distributed Denial Of Service - DDOS)

• Notification of unusual network activity

WannaCry & Beyond (Definition)

• WannaCry 2.0 released May 12, 2017

• Ransomware, spread like a worm

• Based on the NSA EternalBlue exploit, which takes advantage of a vulnerability in SMB1 (SMB, Server Message Block, is Microsoft’s implementation of the Common Internet File System (CIFS), an application-layer network protocol)

• SMB1 (1992), deprecated in 2013

• WannaCry scans the network and infects all available targets. Encrypts 176 file types, spreads everywhere

• Microsoft released patch March 14, 2017.

WannaCry & Beyond (What steps were done)

• Cooperation and Communications for all under the same network

» E.g. UNC School of Medicine has many users that communicate with UNC Hospital staff regularly.

» Determine what precautions should be put in place. Determined shared tools/information.

• Ran Windows System Center Configuration Manager (SCCM) to determine systems that were compliant with the patch MS17-010

• Deployed IPS rules (internal and external) to check for SMB attacks

WannaCry & Beyond

(What steps should be taken)

• University Vulnerability Management Tool was also run to determine vulnerable systems.

• Additional defenses include firewall controls across VLANs. Almost none of our VLANs permit SMB (TCP port 139/445) into them.

• The Hospital disabled incoming SMBv1 traffic on the UNCHC firewall.

• For vulnerable systems, if unable to patch automatically, support personnel were deployed to patch the systems.

• Efforts were made to disable the old (1992) SMB version and install a newer one.
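
The VLAN firewall control above can be verified against an exported rule set. This added example (not from the presentation and not UNC's tooling) assumes a hypothetical CSV export, first-match evaluation and an implicit deny when nothing matches, and reports which VLANs admit inbound TCP 139/445 and from which source.

```python
# Constructed sample rule export (not a real rule set). Hypothetical format:
# order, destination VLAN, source, protocol, destination ports, action.
SAMPLE_RULES = """\
10,clinic,any,tcp,443,permit
20,clinic,any,tcp,135-139,deny
30,clinic,any,any,any,deny
10,research,10.40.0.0/16,tcp,445,permit
20,research,any,any,any,deny
10,lab,any,tcp,1-1024,permit
20,lab,any,tcp,445,deny
10,kiosk,any,udp,137-138,permit
"""

SMB_TCP_PORTS = (139, 445)  # the ports named on the slide


def parse_rules(text):
    """Return {vlan: [rule, ...]} with each VLAN's rules in evaluation order."""
    by_vlan = {}
    for line in text.strip().splitlines():
        order, vlan, src, proto, ports, action = line.split(",")
        if ports == "any":
            lo, hi = 1, 65535
        else:
            lo, _, hi = ports.partition("-")
            lo, hi = int(lo), int(hi or lo)  # "443" means the single port 443
        by_vlan.setdefault(vlan, []).append(
            {"order": int(order), "src": src, "proto": proto,
             "lo": lo, "hi": hi, "action": action})
    for rules in by_vlan.values():
        rules.sort(key=lambda r: r["order"])
    return by_vlan


def smb_exposure(text):
    """Map each VLAN to the (port, source) pairs that reach SMB over TCP.

    A matching rule with source "any" ends the walk, because it decides the
    outcome for every sender and shadows the rules below it. Source-specific
    denies are not subtracted, so the result errs toward over-reporting.
    """
    findings = {}
    for vlan, rules in parse_rules(text).items():
        for port in SMB_TCP_PORTS:
            for r in rules:
                if r["proto"] not in ("tcp", "any"):
                    continue
                if not r["lo"] <= port <= r["hi"]:
                    continue
                if r["action"] == "permit":
                    findings.setdefault(vlan, []).append((port, r["src"]))
                if r["src"] == "any":
                    break
    return findings


if __name__ == "__main__":
    for vlan, hits in smb_exposure(SAMPLE_RULES).items():
        print(vlan, hits)
```

In the constructed data the `lab` VLAN is exposed even though it has an explicit deny for 445, because the broader permit above it matches first.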

Non-Technical Incident Investigation

• Investigate completely if Sensitive Information Involved

• Always notify appropriate Privacy Office of Potential Incident

• Incidents are not always technical or involve malware.

» May involve mishandling of paper documents

» May involve distributing or sharing PII/PHI with the wrong recipients either by mistake or misuse

» Faxing, mailing/emailing, social media, loss or theft, verbal sharing are all potential incidents

Example Scenario Incidents / Breaches

• USB thumb / hard drive found in classroom

• Video was viewed in training that contains SI

• Received notification of a fax that came to the wrong location

• Received notification from a health care professional that a laptop was stolen

• Received notification that a user received information containing PHI from a colleague's GMAIL account

• Healthcare professional emailed information on a patient by mistake to those who should not have received it

Hints for Scenarios

• Is there data encryption: either whole disk, in transit, or at rest in a file or folder?

• Is SI involved?

Questions?

References

• Full Disk Encryption http://help.unc.edu/help/full-disk-encryption-guidance/

• UNC Information Security Policy Summaries http://help.unc.edu/help/information-security-policy-summaries/

• UNC Information Security Standards https://its.unc.edu/files/2014/02/STANDARD-Information-Security-Controls.pdf

• UNC Information Classifications https://its.unc.edu/files/2016/01/STANDARD-Information-Classification.pdf

• Reporting Spam or Phishing Emails https://help.unc.edu/help/recognizing-and-reporting-fraudulent-emails/

• Using 2-factor authentication with Duo https://help.unc.edu/help/duo/

References

• Identity Theft Protection Act http://www.ncleg.net/EnactedLegislation/Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf

• HIPAA Security Rule https://www.hhs.gov/hipaa/for-professionals/security/index.html?language=es

• FERPA (Family Educational Rights and Privacy Act) https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html?src=rn

• PCI Security Standards Council https://www.pcisecuritystandards.org/pci_security/

• UNC procedures for reporting Spam http://help.unc.edu/help/how-to-forward-suspect-phishing-spam-email-messages-for-evaluation/

• Non-technical Breach http://www.wral.com/data-breach-may-involve-hundreds-of-unc-health-prenatal-patients/16596295/

Disclaimer

• This presentation was developed for educational and informational purposes only and should not be construed to be the views or policies of YOUR ORG.

• This presentation is not legal advice, and no warranties or representations are made about its accuracy, currency, or completeness.

• Attendees are responsible for seeking advice from their own legal counsel and privacy officer.
