Insight Into Healthcare Data Breaches & Protective Measures
2017 AMC Healthcare Conference
Cheryl Lytle – UNC School of Medicine
Jon Sternstein - Stern Security
Cheryl Lytle
• UNC School of Medicine
• IT Security Specialist
Jon Sternstein
• Stern Security Founder & Principal Consultant
• Co-chair of NCHICA Privacy & Security Workgroup
• Former Healthcare Security Officer
Agenda
• Healthcare Data Breaches
• Breach Overview
• Recent Breaches
• Trends
• Protective Measures
• Case Studies
Healthcare Breaches
173,599,029
PHI For Sale on Dark Web
Behavioral Health Center in Maine Breached in 2017
4,229 patients
Name, address, phone, employer, DOB, SSN, therapy notes
Mentions uses for the PHI
Listed as SOLD
How are breaches occurring?
• “Hacking”/IT Incident
• Unauthorized Access/Disclosure
• Improper Disposal
• Loss
• Theft
Patient Records Lost by Category 10/2009-5/2/2017
Source: HHS.gov
Data Compiled by Stern Security
Breaches by Year 1/1/2015-5/2/2017
Source: HHS.gov
Data Compiled by Stern Security
Ransomware Breaches
Ransomware Causes Breach: Urology Austin
January 2017
Affected 279,663 Patients
Restored files from backup
Ransomware Breach Numbers
• First noted in 2016
• Increased in 2017
• Most likely underreported
Breaches by Business Associate 1/1/2015-5/15/2017
Source: HHS.gov
Data Compiled by Stern Security
References
• HHS Ransomware Fact Sheet
https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
• Behavioral Health Center of Maine Information for Sale on Dark Web https://www.databreaches.net/highly-confidential-psychotherapy-records-from-maine-center-listed-on-the-dark-web/
• Health & Human Services Data Breach List https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
• Urology Austin Ransomware http://kxan.com/2017/03/24/ransomware-attack-on-urology-austin-gets-patient-information/
• Stern Security https://www.sternsecurity.com
UNC School of Medicine Data Protection
& Monitoring for Security Incidents
Cheryl Lytle
June 2017
UNC Data Protection (Proactive)
• Policies/Standards/Guidelines
• Training, Training, Training
• Risk Assessments
• Tools
Incident Definition
• "A security incident is a warning that there may be a threat to information or computer security. The warning could also be that a threat has already occurred. Threats or violations can be identified by unauthorized access to a system." (Techopedia) Incidents can turn into breaches.
» Qualify an incident if sensitive information is involved
» Identify incidents on devices that are mission critical
» Remediate incidents that are a potential threat to the University, as with the recent WannaCry ransomware
» Incidents can be technical (e.g. malware investigations) or non-technical (e.g. faxing the wrong patient's information).
6/12/2017 19
Standards/Policies/Guidelines
• Enforce hard drive encryption for all laptops with PII (highly recommended for other devices)
» http://help.unc.edu/help/full-disk-encryption-guidance/
• File level encryption: strongly recommended
• Intrusion Prevention Systems
• Multi-Factor Authentication
• Additional restrictions for devices that store sensitive information or are mission critical
» https://its.unc.edu/files/2014/02/STANDARD-Information-Security-Controls.pdf
Standards/Policies/Guidelines (highlights) (2)
• Vulnerability Management Standard
» https://its.unc.edu/files/2014/02/STANDARD-Vulnerability-Management-20160218-PUBLICATION-VERSION.pdf
• Media disposal policy
» http://help.unc.edu/help/unc-chapel-hill-campus-standards-for-electronic-media-disposal/#P22_3725
• Sensitive Data Remediation
» https://help.med.unc.edu/guide/sir
• Risk Assessments
» https://its.unc.edu/files/2014/02/STANDARD-Information-Security-Controls.pdf
Tools to Protect & Monitor Data
(Proactive)
• IPS alerts, receive daily/weekly listings of alerts
• Receive Net Flow data alerts
• Receive SIEM alerts
• Use Vulnerability Management tool
»Web application scanning tool
• Identity Finder/O365/SharePoint DLP
Where Tools/Policies Assist with Breaches
• Hacking/IT Incident
» Vulnerability scanner
» Net flow (detection)
» SIEM (detection)
» IPS alerts (prevention)
» User awareness
» Firewall URL filtering
» Firewall in-line malware filtering
» Centrally managed antivirus
» Risk assessments
• Loss/Theft
» Data Loss Prevention/Sensitive Data Remediation
» Encryption
» Secure physical access
» Risk assessments
• Unauthorized Access/Disclosure
» SIEM
» Vulnerability scanner
» File level encryption
» User awareness
» Risk assessments
• Improper Disposal
» Media disposal policy
» User awareness
» Risk assessments
Training, Training, Training
• Specific Training as needed
» Training for researchers, IRB studies (Institutional Review
Board)
» Training on Spear Phishing
» Training on how to protect Sensitive Information
» Go beyond policies
• Strongly encourage users not to store any SI on end point
devices, but on secure servers protected by additional controls.
• General Training required
» User Security Awareness Training
» HIPAA annual training
Case Study
Background from User: A SOM user was on the Internet & a
pop-up error message appeared with audio. It instructed the
user to call an 888 number because confidential information
was being stolen. The user called the 888 number and
allowed them access to the computer and provided their
name and email address. The user thought this was “Go to
Assist”. After a few minutes, the user became suspicious
and called the SOM Tech Support. The user admitted there
was lots of SI on the computer.
-What steps and in what order should be taken?
Case Study - what was done
• We pulled the computer off the network but left it powered on, and told the user not to touch the computer.
• We requested net flow data and looked for high volumes of outbound data to unusual external IPs (network addresses).
• Went to the computer and retrieved startup files and volatile memory.
• Took a screen snapshot of the messages the user was getting on the computer screen.
• Retrieved the hard drive and made a forensic image.
» Ran Identity Finder on the hard drive
» Ran virus and malware scans on the computer
• Informed the Privacy Office of a possible breach (Social Security numbers were involved: PII as well as PHI, with a 30-day notification timeline requirement).
Case Study, continued
• Reviewed OS logs, determined whether CITRIX (virtual machine) software was installed, and reviewed the CITRIX logs.
• Contacted CITRIX support to discuss the product's characteristics.
• Determined that no data exfiltration occurred.
• The user had completed the required HIPAA training.
» Requested complete User Awareness training
» Requested a meeting with managers regarding the tremendous amount of SI stored on the computer
» SOM Tech Support met with the user and moved all the SI off the desktop
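The net flow review in the case study above (looking for high outbound volumes from the affected host to unusual external addresses) can be scripted so the same check is repeatable for the next incident. The following is an added example written for this transcript, not UNC's or Stern Security's tooling: the flow records, the campus address ranges and the allow-listed vendor address are all constructed, and the 50 MB threshold is an assumption to tune per site.

```python
"""Flag high-volume outbound transfers from one host to unusual external
destinations in NetFlow-style records (added example; not UNC tooling)."""
import ipaddress
from collections import defaultdict

# Constructed sample export, one flow per line:
# start,src,dst,dst_port,proto,bytes_out,bytes_in
SAMPLE_FLOWS = """\
2017-06-01T10:02:11,10.20.30.40,10.20.30.5,445,TCP,2200000,15000
2017-06-01T10:05:43,10.20.30.40,192.0.2.15,443,TCP,120000,300000
2017-06-01T10:07:02,10.20.30.40,203.0.113.77,443,TCP,48000000,9000
2017-06-01T10:07:30,10.20.30.40,203.0.113.77,443,TCP,37000000,7000
2017-06-01T10:09:15,10.20.30.40,198.51.100.9,80,TCP,3000,180000
2017-06-01T10:11:51,10.20.30.40,203.0.113.77,5938,TCP,9500000,2000
"""

# Assumed address space: RFC 1918 plus a stand-in for the campus public range.
# Python's ip.is_private treats the documentation ranges used above as private,
# so membership is tested explicitly rather than via is_private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
KNOWN_GOOD = {"198.51.100.9"}      # constructed: e.g. a vendor update server
THRESHOLD_BYTES = 50_000_000       # assumption: 50 MB to one external host is worth a look


def parse_flows(text):
    """Parse the CSV-like export into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, out_b, in_b = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "out": int(out_b), "in": int(in_b)})
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_destinations(flows, host, threshold=THRESHOLD_BYTES, known_good=KNOWN_GOOD):
    """External destinations that received more than `threshold` bytes from `host`.

    Returns [(dst, bytes_out, bytes_in, sorted_ports)], largest sender first, so
    the analyst sees the aggregate per destination rather than one flow at a time
    (an exfiltration split over several sessions still adds up).
    """
    totals = defaultdict(lambda: {"out": 0, "in": 0, "ports": set()})
    for f in flows:
        if f["src"] != host or is_internal(f["dst"]) or f["dst"] in known_good:
            continue
        t = totals[f["dst"]]
        t["out"] += f["out"]
        t["in"] += f["in"]
        t["ports"].add(f["dport"])
    hits = [(dst, t["out"], t["in"], sorted(t["ports"]))
            for dst, t in totals.items() if t["out"] > threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for dst, out_b, in_b, ports in suspicious_destinations(parse_flows(SAMPLE_FLOWS), "10.20.30.40"):
        ratio = out_b / max(in_b, 1)
        print(f"{dst}: {out_b / 1e6:.1f} MB out, {in_b / 1e6:.3f} MB in "
              f"(ratio {ratio:.0f}:1) on ports {ports}")
```

In practice the export is the collector's query for the host's source address over the window around the pop-up. Aggregating per destination and looking at the out:in ratio is the useful signal: a browsing session is download-heavy, whereas a remote-support tool pushing files off the machine is almost all upload, often spread over several sessions and ports.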
Monitoring for Security Incidents
• SOM can receive an alert from central campus
» Via SCCM (System Center Configuration Manager), targeted at the SI group, for malware that was not quarantined (Windows only)
• Our firewall has several functions other than traditional firewalling
» IPS alerts, URL filtering, in-line malware detection
» Internal Operations staff reviews
• Can receive a net flow Concern Index alert
• Self-reported malware/problem from a user
» See the case study
• Notified by external parties of unusual activity (e.g. outbound spamming or participation in a Distributed Denial of Service, DDoS, attack)
» Notification of unusual network activity
WannaCry & Beyond
(Definition)
• WannaCry 2.0 released May 12, 2017
• Ransomware that spread like a worm
• Based on the NSA EternalBlue exploit, which takes advantage of a vulnerability in SMB1 (SMB, Server Message Block, is Microsoft's implementation of the Common Internet File System, CIFS, an application-layer network protocol)
• SMB1 (1992), deprecated in 2013
• WannaCry scans the network and infects all available targets. It encrypts 176 file types and spreads everywhere.
• Microsoft released the patch (MS17-010) on March 14, 2017.
WannaCry & Beyond
(What steps were done) • Cooperation and Communications for all
under the same network
» E.g. UNC School of Medicine has many users
that communicate with UNC Hospital staff
regularly.
» Determine what precautions should be put in
place. Determined shared tools/information.
• Ran Windows System Center Configuration
Manager (SCCM) to determine systems that
were compliant with the patch MS17-010
• Deployed IPS rules (internal and external) to
check for SMB attacks
WannaCry & Beyond
(What steps should be taken)
• The University Vulnerability Management Tool was also run to determine vulnerable systems.
• Additional defenses include firewall controls across VLANs. Almost none of our VLANs permit SMB (TCP ports 139/445) into them.
• The Hospital disabled incoming SMBv1 traffic on the UNCHC firewall.
• For vulnerable systems that could not be patched automatically, support personnel were deployed to patch the systems.
• Efforts were made to disable the old (1992) SMB version, SMBv1, and ensure a newer version is in use.
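A quick way to confirm that SMBv1 really is off on a host, complementing the SCCM patch report and the VLAN/firewall rules described above, is to send it an SMB1 NEGOTIATE that offers only SMB1 dialects and see whether it accepts one. The script below is an added example for this transcript, not a UNC or Stern Security tool; the server reply used to exercise the parser is constructed rather than captured, the dialect list is the classic legacy-client list, and `probe_smb1()` should only be pointed at hosts you are authorized to scan.

```python
"""Does a host still accept an SMBv1 NEGOTIATE? (added example, not UNC tooling)

Sends the legacy dialect list only, so a server with SMBv1 disabled cannot
upgrade to SMB2; it either resets the connection or refuses every dialect.
"""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECTS = [                 # the classic list a pre-Vista client offers
    b"PC NETWORK PROGRAM 1.0",
    b"LANMAN1.0",
    b"Windows for Workgroups 3.1a",
    b"LM1.2X002",
    b"LANMAN2.1",
    b"NT LM 0.12",
]


def smb1_header(command, flags, pid=0x4B2F):
    """32-byte SMB1 header (MS-CIFS SMB_Header), little-endian throughout."""
    hdr = struct.pack("<4sBIBHH8sHHHHH",
                      b"\xffSMB",   # protocol id
                      command,      # SMB command
                      0,            # NT status
                      flags,        # Flags
                      0xC853,       # Flags2: unicode, NT status codes, long names
                      0,            # PIDHigh
                      b"\x00" * 8,  # security signature
                      0,            # reserved
                      0,            # TID
                      pid,          # PIDLow (arbitrary)
                      0,            # UID
                      0)            # MID
    assert len(hdr) == 32
    return hdr


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """NetBIOS session message carrying SMB_COM_NEGOTIATE with the given dialects."""
    # Each dialect: BufferFormat 0x02, name, NUL terminator.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = smb1_header(SMB_COM_NEGOTIATE, 0x18) + struct.pack("<BH", 0, len(data)) + data
    # NetBIOS session service: message type 0x00 followed by a 24-bit length;
    # for any SMB this size the top byte of a big-endian 32-bit length is 0x00.
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(data, dialects=SMB1_DIALECTS):
    """Classify the raw reply (NetBIOS header included) to a NEGOTIATE."""
    if len(data) < 4:
        return {"smb1": False, "reason": "no reply (connection reset or closed)"}
    smb = data[4:]
    if smb[:4] == b"\xfeSMB":
        return {"smb1": False, "reason": "server answered with SMB2/3"}
    if smb[:4] != b"\xffSMB" or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return {"smb1": False, "reason": "not an SMB1 NEGOTIATE response"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return {"smb1": False, "reason": f"NT status 0x{status:08x}, WordCount {word_count}"}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": False, "reason": "server accepted none of the offered dialects"}
    return {"smb1": True, "dialect": dialects[dialect_index].decode()}


def probe_smb1(host, port=445, timeout=3.0):
    """Live check; use only against hosts you are authorized to scan."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            reply = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return parse_negotiate_response(reply)


def sample_smb1_reply(dialect_index):
    """Constructed server reply (not a capture): WordCount 17, the remaining
    parameter words zeroed, ByteCount 0. Index 0xFFFF means 'no dialect'."""
    params = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32 + b"\x00\x00"
    smb = smb1_header(SMB_COM_NEGOTIATE, 0x98) + params
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        print("offline demo:", parse_negotiate_response(sample_smb1_reply(5)))
```

A host with SMBv1 enabled answers with a dialect index (index 5, NT LM 0.12, on anything modern); a host with it disabled resets the connection or refuses every dialect, and a host that only speaks SMB2/3 cannot be reached with this request at all. Run it from inside the VLAN as well as from outside, since the firewall rules above only decide whether port 445 is reachable, not whether the service behind it still speaks SMBv1.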
Non-Technical Incident Investigation
• Investigate completely if Sensitive Information Involved
• Always notify appropriate Privacy Office of Potential
Incident
• Incidents are not always technical or involve malware.
» May involve mishandling of paper documents
» May involve distributing or sharing PII/PHI with the wrong
recipients either by mistake or misuse
» Faxing, mailing/emailing, social media, loss or theft, and verbal sharing are all potential incidents
Example Scenario Incidents / Breaches
• USB thumb / hard drive found in classroom
• Video was viewed in training that contains SI
• Received notification of a Fax received that came to the
wrong location
• Received notification from health care professional laptop
was stolen
• Received notification that user received information from
colleague that contained PHI from a GMAIL account
• Healthcare professional emailed information by mistake on
a patient to those that should not have received it
Hints for Scenarios
• Is the data encrypted: whole disk, in transit, or at rest in a file or folder?
• Is SI involved?
Questions?
• Full Disk Encryption
http://help.unc.edu/help/full-disk-encryption-guidance/
• UNC Information Security Policy Summaries
http://help.unc.edu/help/information-security-policy-summaries/
• UNC Information Security Standards
https://its.unc.edu/files/2014/02/STANDARD-Information-Security-Controls.pdf
• UNC Information Classifications
https://its.unc.edu/files/2016/01/STANDARD-Information-Classification.pdf
• Reporting Spam or Phishing Emails
https://help.unc.edu/help/recognizing-and-reporting-fraudulent-emails/
• Using 2-factor authentication with Duo
https://help.unc.edu/help/duo/
References
• Identity Theft Protection Act
http://www.ncleg.net/EnactedLegislation/Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf
• HIPAA Security Rule
https://www.hhs.gov/hipaa/for-professionals/security/index.html?language=es
• FERPA (Family Educational Rights and Privacy Act)
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html?src=rn
• PCI Security Standards Council
https://www.pcisecuritystandards.org/pci_security/
• UNC procedures for reporting Spam
http://help.unc.edu/help/how-to-forward-suspect-phishing-spam-email-messages-for-evaluation/
• Non-technical Breach
http://www.wral.com/data-breach-may-involve-hundreds-of-unc-health-prenatal-patients/16596295/
Disclaimer
• This presentation was developed for educational and
informational purposes only and should not be construed
to be the views or policies of YOUR ORG.
• This presentation is not legal advice, and no warranties or
representations are made about its accuracy, currency, or
completeness.
• Attendees are responsible for seeking advice from their
own legal counsel and privacy officer.