4/15/2015
1
Top Security Threat Trends in Healthcare and How You Can Learn from Incidents to Reduce Risk
Dr. Cris V. Ewell, Ph.D., CISO Seattle Children’s
April 19, 2015
Mahmood Sher-Jan, CHPC, EVP/GM ID Experts
Mac McMillan, FHIMSS, CISM, CEO/Co-Founder CynergisTek
Agenda
• Top Security Threat Trends in Healthcare
• Growing Regulatory Complexities
• Trends in Healthcare: Incidents & Breaches
• Keys to Being Prepared for Managing Incidents
• Real World Incident Response Cases
• Insights From Analysis of Real Incident Data
• Tools and Methodologies for Correlating Incidents and Managing Incident Response
10/7/14 | slide 3
The Face of Cybercrime Today
• 12 y/o learning computers in middle school
• 14 y/o home schooled girl tired of social events
• 15 y/o in New Zealand just joined a defacement group
• 16 y/o in Tokyo learning programming in high school
• 19 y/o in college putting course work to work
• 20 y/o fast food employee that is bored
• 22 y/o in Mali working in a carding ring
• 24 y/o black hat trying to hack whoever he can
• 25 y/o soldier in East European country
• 26 y/o contractor deployed overseas
• 28 y/o in Oregon who believes in hacktivism
• 30 y/o white hat who has a black hat background
• 32 y/o researcher who finds vulnerabilities in systems
• 35 y/o employee who sees a target of opportunity
• 37 y/o rogue intelligence officer
• 39 y/o disgruntled admin passed over
• 41 y/o private investigator
• 44 y/o malware author paid per compromised host
• 49 y/o pharmacist in midlife crisis
• 55 y/o nurse with a drug problem
Accidents, Mistakes & Deliberate Acts
• 4M medical records maintained on four workstations
• Physician loses laptop with psychiatric patients' records
• Neurologic institute accidentally emails 10,000 patient records to 200 patients
• Phishing/hacking nets nearly $3M from six healthcare entities
• University reports laptop with patient information stolen out of a student's car
• Vendor sells hospital's X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients' information
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2200 physicians victims of ID theft/tax fraud
• Printers returned to leasing company compromise thousands of patient records
• Health System reports third stolen laptop with 13,000 patient records
• 400 hospitals' billings delayed as clearinghouse hit with ransomware
• Physician robbed at gun point, phone and computer taken, thief demands passwords
• International hacking group uses phishing, then steals information on almost 80M people
• And, on and on it goes…
The Emergent Threat: Black Hat 2014
• Snatching passwords w/ Google Glass
• Screen scraping VDI anonymously
• Compromising AD through Kerberos
• Remote attacks against cars
• Memory scraping for credit cards
• Compromising USB controller chips
• Cellular compromise through control code
• Free cloud botnets for malware
• Mobile device compromise through MDM flaws
• Cryptographic flaws and a Rosetta Stone
Black Market Driven
• Darknets will be more active, participants will be vetted, cryptocurrencies will be used, greater anonymity in malware, more encryption in communications and transactions
• Black markets will help attackers outpace defenders
• Hyperconnectivity will create greater opportunity for incidents
• Exploitation of social networks and mobile devices will grow
• More hacking for hire, as-a-service, and brokering
Increased Reliance
More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized, and accountable care/patient engagement rely on it. The enterprise is critical to delivering healthcare. Any outage, corruption of data, or loss of information risks patient safety and care.
Slide graphic labels: BYOD, Physician Alignment, Business Associates, Patient Engagement, Big Data, Accountable Care Organization, Meaningful Use, Supply Chain, Research, Telemedicine, Ingestibles, Health Information Exchanges
Insider Abuse: Trust, But Verify
• It is estimated that more than half of all security incidents involve staff
• 51% of respondents in a SANS study believe the negligent insider is the chief threat
• 37% believe that security awareness training is ineffective
• Traditional audit methods & manual auditing are completely inadequate
• Behavior modeling, pattern analysis and anomaly detection are what is needed
Questionable Supply Chains
• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions
Devices Threaten Safety & Information
In June 2013 the DHS tested 300 devices from 40 vendors; ALL failed. In response the FDA issued guidance for manufacturers and consumers addressing design, implementation and radio frequency considerations.
“Yes, Terrorists could have hacked Dick Cheney’s heart.” ‐ The Washington Post, October 21, 2013
Malware & Persistent Threats
• 3.4 million BotNets active
• 20-40% of recipients in phishing exercises fall for scam
• 26% of malware delivered via HTML, one in less than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• As of April 2014 Microsoft no longer provides patches for Windows XP, Windows 2003, Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management…all critical
• Objective testing and assessment
“FBI alert warns healthcare not prepared”
[Chart (axis unlabeled; values as extracted): 2006: 200K; 2008: 17M; 2013: 73M; 2014: 100M]
Mobility & Data
• Medical staff are turning to their mobile devices to communicate because it's easier, faster, more efficient…
• Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest
ID Theft & Fraud
• Medical Identity theft increased 21.7% in 2014 (Ponemon Institute)
• US CERT estimates 47% of cybercrime aimed at healthcare
• More than 70% of identity theft and fraud were committed by knowledgeable insiders – physicians, nurses, pharmacy techs, admissions, billing, etc.
• Healthcare directed attacks have increased more than 20% a year for the last three years running
• Insiders selling information to others
• Hackers exploiting systems
• Malware with directed payloads
• Phishing for the “big” ones
Theft & Losses Thriving
• 68% of healthcare data breaches due to loss or theft of assets
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops are left in airports each year…
• First rule of security: no one is immune
• 138%: the % increase in records exposed in 2013
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%
“Unencrypted laptops and mobile devices pose significant risk to the security of patient information.” ‐ Sue McAndrew, OCR
Hacking & Other Cyber Criminals
• Defenses are not keeping pace
• Three most common attacks: spear phishing, Trojans & Malvertising
• APTs, phishing, water cooler attacks, fraud, etc.
• Most organizations can’t detect or address these threats effectively
• An advanced incident response capability is required
• Results in loss of time, dollars, downtime, reputation, litigation, etc.
• Conduct independent risk assessments regularly
[Chart: Targeted Attacks (scale 0 to 100; bar values not recoverable): Organizations suffering a targeted attack; Sophistication of attack hardest element to defeat; No increase in budget for defenses]
“I feel like I am a targeted class, and I want to know what this institution is doing about it!” -Anonymous Doctor
More Compliance
• OIG shifts focus to funds recovery
• OCR’s permanent audit program will resume in FY 2015 with new capabilities
• Improvements and automation in reporting and handling complaints
• Meaningful Use audits are evolving in scope and impact
• The FTC remains committed to enforcement of privacy and security
• States continue to create new laws
  • Florida Information Protection Act
  • New Jersey Health Insurers Encryption Law
SB1353 seeks to establish a common framework for security and create a universal requirement for notification.
When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises.
Today’s Regulatory Complexity
• 47 state + 3 territory breach notification laws
• Differ with respect to:
  • Definitions
  • Risk of harm
  • Safe harbor
  • Exemptions
  • Timing
  • Content
  • Notice to regulators, agencies, etc.
• A plethora of federal laws & other standards
  • HIPAA Omnibus Final Rule
  • GLBA, PCI
Stages of “Omnibus Breach Notification Rule” Compliance
• Denial: The Interim Final Rule Era, Risk of Harm Revisited
• Anger: 2009 “Risk of Harm” Backlash & Fury
• Bargaining: Harm Test Advocates vs. Opponents
• Acceptance: 2013 Final Breach Notification Rule
Growing Regulatory Complexity
• Proposed Federal Breach Notification Laws
  • The Personal Data Notification and Protection Act
  • “You may wish to go back to 47 state laws!” - McDonald Hopkins PLC
• Proposed State Laws and Amendments
  • Indiana (SB 413) Tentative Effective Date 7/15
  • New Mexico (HB 217) Passed House on 2/19
  • New Hampshire Education Data Privacy Bills (HB 322, HB 507, HB 520)
  • Maryland (SB 548) Tentative Effective Date 10/1/15
  • Montana (HB 74) Tentative Effective Date 10/1/15
  • Wyoming (SF 35) Tentative Effective Date 7/1/15
  • Michigan (SB 33) Education Data Disclosure Reporting Bill
What security threats is your organization most concerned about?
[Chart: 2014 vs. 2013 responses; threat category labels not recoverable from the extraction]
Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.
Has your organization suffered a data breach involving the loss or theft of patient data in the past 24 months?
[Chart: 2014, 2013 and 2012 responses across No; Yes, 1 breach; Yes, 2 to 5 breaches; Yes, more than 5 breaches; per-bar values not recoverable]
Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.
How was the data breach discovered?
[Chart: 2014, 2013 and 2012 responses across Accidental; Loss prevention; Patient complaint; Law enforcement; Legal complaint; Employee detected; Audit/assessment; per-bar values not recoverable]
Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.
Nature of the breach
[Chart: 2014, 2013 and 2012 responses across Unintentional employee action; Intentional non-malicious employee action; Technical systems glitch; Criminal attack; Malicious insider; Third-party snafu; Lost or stolen computing device; per-bar values not recoverable]
Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute, April 2015.
Incident Response: What are the things we should be considering?
• Keys to being prepared for managing incidents, including dealing with media and information dissemination
• Tools and methodologies for correlating incidents and managing incidents
• Real world cases
What are the basics?
Have a Plan
• Remember – this is not just a privacy or security issue
Incident Response Process: Overall Process (diagram)
Define accountability
Designated Official and the type of incident each owns:
• Privacy Officer: PHI
• Chief Information Security Officer: ePHI, PII, or other information-related IS incidents
• Corporate Compliance Officer: Corporate compliance issues
• Research Integrity Officer: Research compliance issues
Incident Management Team
• Chief Information Officer
• Chief Information Security Officer
• Chief Medical Officer
• Corporate Compliance Officer
• Privacy Officer
• Risk Management
• General Counsel
• President
• Research Integrity Officer
• VP Human Resources
• Marketing & Communications
• Leaders from affected departments
Document and Review
• Show your work
• The burden of proof has shifted
• You need to show that the information has a low probability of compromise
Breach Review
Besides an incident management process …
Complete asset inventory
Do you know what you have on the internet?
Who knew?
What would happen if you had to disconnect from the internet?
Could you communicate without email?
• How often do our meeting announcements include the passwords or codes for the meeting?
Too much information?
Daily Safety Brief
• Seattle Children’s huddles at the start of every day to maintain situational awareness of immediate problems impacting safety and quality of patient care
What about outside communication?
Crisis Communication Plan
• Assemble the team
• Gather and confirm as much information as possible
• Identify key internal and external audiences who need to be informed
• Develop simple and concise key messages
• Develop and implement a plan to communicate to key audiences
• Assess ongoing communications
• Do not speculate
Questions to consider
• What is currently known about the issue?
• What needs to be done now to take care of any affected patient, family member, or member of the public?
• How do we avoid a repetition of the incident?
• When, where, and how did the incident happen?
• Who was involved in the incident?
• What other sources of information can be accessed?
Questions to consider
• What is the worst case scenario?
• What are the short/long term implications?
• Who will be affected? Who needs to know the status of the situation?
• What steps should be taken to protect and support any involved provider or staff member?
• How will key audiences be impacted?
Potential communication mediums
• Phone calls and email
• Notifications to internal audiences
• News conferences
• Written statements
• In-person and phone interviews
• Website bulletins and updates
• Twitter and Facebook posts
• On the ground staff messages they can use with patients, families, etc.
Well trained professionals
You cannot do this alone …
Example Cases
Case background
• The help desk receives a call from one of the Clinical Psychologists. She is requesting a password reset.
• The user reveals that she suspects that there is a key logger program installed on her personal laptop.
• The help desk reset the user’s password and turned the case over to the information security department.
Significant Events
Time / Event
Day 1
15:31:21 Installation of eBlaster key logger program
Day 3
04:36:20 Activity from 12.XXX.XXX.XXX (04:36:20 – 04:41:00), 4 minutes 40 seconds; OWA authentication for userid XXXX (04:36)
08:07:45 Activity from 76.XXX.XXX.XXX (08:07:45 – 08:07:49), 4 seconds; NO OWA authentication
08:27:03 Activity from 76.XXX.XXX.XXX (08:27:03 – 08:30:35), 3 minutes 32 seconds; OWA authentication for userid XXXX (08:27)
13:50:16 Activity from 76.XXX.XXX.XXX (13:50:16 – 13:54:33), 4 minutes 17 seconds; OWA authentication for userid XXXX (13:52)
16:30:02 Activity from 12.XXX.XXX.XXX (16:30:02 – 16:59:10), 29 minutes 8 seconds; OWA authentication for userid XXXX (16:30, 16:35, 16:41, 16:47)
Key: Important Events; Authorized OWA Activity; Unauthorized OWA Activity
Email: 133MB in overall size and included 1891 individual emails in 41 different folders
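The Day 3 timeline above can be rebuilt automatically from access logs. The following script is an added example, not part of the original presentation: it groups constructed OWA log lines (shaped like the case timeline) into per-source sessions, computes each session's duration and authentication count, and labels sessions from sources other than the user's usual address after the key logger install as unauthorized. The log format, the documentation-range addresses standing in for the masked 12.x and 76.x sources, and the choice of trusted address are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed OWA access log shaped like the Day 3 timeline above; 192.0.2.12
# stands in for the masked 12.XXX.XXX.XXX source and 198.51.100.76 for
# 76.XXX.XXX.XXX (documentation addresses, not real ones).
SAMPLE_LOG = """
2015-01-03 04:36:20 192.0.2.12 OWA_AUTH
2015-01-03 04:41:00 192.0.2.12 OWA_REQUEST
2015-01-03 08:07:45 198.51.100.76 OWA_REQUEST
2015-01-03 08:07:49 198.51.100.76 OWA_REQUEST
2015-01-03 08:27:03 198.51.100.76 OWA_AUTH
2015-01-03 08:30:35 198.51.100.76 OWA_REQUEST
2015-01-03 13:50:16 198.51.100.76 OWA_REQUEST
2015-01-03 13:52:00 198.51.100.76 OWA_AUTH
2015-01-03 13:54:33 198.51.100.76 OWA_REQUEST
2015-01-03 16:30:02 192.0.2.12 OWA_AUTH
2015-01-03 16:35:00 192.0.2.12 OWA_AUTH
2015-01-03 16:41:00 192.0.2.12 OWA_AUTH
2015-01-03 16:47:00 192.0.2.12 OWA_AUTH
2015-01-03 16:59:10 192.0.2.12 OWA_REQUEST
"""
# Assumptions: the user's usual address is trusted, and the Day 1 key logger
# install (15:31:21 in the case) marks the start of the compromise.
TRUSTED_SOURCES = {"192.0.2.12"}
COMPROMISE_TIME = datetime(2015, 1, 1, 15, 31, 21)

@dataclass
class Session:
    source: str
    start: datetime
    end: datetime
    auths: list = field(default_factory=list)  # OWA authentication times

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS <ip> <event>' lines into sorted tuples."""
    rows = [line.split() for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(f"{d} {t}"), ip, ev) for d, t, ip, ev in rows)

def sessionize(events, gap=timedelta(minutes=15)):
    """Group events per source IP; silence longer than gap starts a new session."""
    sessions, open_by_ip = [], {}
    for ts, ip, event in events:
        s = open_by_ip.get(ip)
        if s is None or ts - s.end > gap:
            s = Session(ip, ts, ts)
            sessions.append(s)
            open_by_ip[ip] = s
        s.end = ts
        if event == "OWA_AUTH":
            s.auths.append(ts)
    return sorted(sessions, key=lambda s: s.start)

def label(s, trusted, compromise_time):
    """Mirror the case key: authorized vs unauthorized OWA activity."""
    if s.source in trusted:
        return "authorized"
    if not s.auths:
        return "no authentication"
    return "unauthorized" if s.start >= compromise_time else "review"

def timeline(text=SAMPLE_LOG, trusted=TRUSTED_SOURCES, compromise_time=COMPROMISE_TIME):
    """Return (start, source, duration_seconds, auth_count, label) per session."""
    return [(s.start.strftime("%H:%M:%S"), s.source,
             int((s.end - s.start).total_seconds()), len(s.auths),
             label(s, trusted, compromise_time))
            for s in sessionize(parse_log(text))]
```

Calling timeline() on the sample reproduces the five sessions and durations listed in the case (4 m 40 s, 4 s, 3 m 32 s, 4 m 17 s, 29 m 8 s).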
The problem …
• Based on incidents and regular walkthroughs, we saw increased evidence of PHI issues with:
  • Visible spaces
  • Printing and faxing
  • Disposal
Awareness Campaign
• Cover it up or turn it over. If you leave the immediate area, cover up or turn over the PHI so no information is visible
• Know where it’s going. Check destination when printing or faxing
• Shred it or park it. If you find papers on printer, fax or another location, find a Shred-It bin or place in a “PHI deposit here” container.
Sign examples
Paper Plays a Big Role in Healthcare PHI Incidents
Paper PHI/PII Incidents (proportion %; source: ID Experts RADAR data analysis)
[Chart, Paper vs. Other Categories: Paper 63%; Electronic 29%; Verbal/Visual 8%]
[Chart, Paper Sub-Categories: Misdirected Mail 43%; Paper Record 31%; remaining values as extracted 11%, 8%, 5%, 2%, 0% across Misdirected Fax/Ad-Hoc Manual; Misdirected Fax - Automated; File(s); Prescription Order/Label; Label (Medical Device/Prescription/Room); pairing not recoverable]
Electronic PHI/PII Incidents (proportion %; source: ID Experts RADAR data analysis)
[Chart, Electronic vs. Other Categories: Electronic 29%; Paper 63%; Verbal/Visual 8%]
[Chart, Electronic Sub-Categories: Email 42%; remaining values as extracted 12%, 8%, 8%, 7%, 6%, 5%, 2%, 2%, 2%, 2%, 2%, 1%, 1% across Online Portal; Electronic Medical Record; Application; PDA; Records/Files; Laptop; Network Server; Storage Device (tape, disk, etc.); Desktop; FTP Site; Network Access; Posted Online (social media); Decommissioned Office Machines; pairing not recoverable]
PHI/PII Data Controls (proportion %; source: ID Experts RADAR data analysis)
[Chart, Paper Incidents: values as extracted 93%, 7%, 0%, 0% across Information was in plaintext; Information was under physical safeguard; Information was statistically de-identified; Information was redacted]
[Chart, Electronic Incidents: values as extracted 30%, 21%, 17%, 14%, 6%, 6%, 4%, 1%, 1%, 0%, 0% across No controls were present on electronic data; Data is identifiable or recipient has ability to re-identify; Password protected & password was not compromised; Encrypted to NIST standard, key was not compromised; Encrypted but evidence of access with valid credentials; Information was encrypted, key was not compromised; Password protected & password was compromised; Information was statistically de-identified; Encrypted, unsure of encryption key's security; Information was redacted]
Incident Cause or Intent (proportion %; source: ID Experts data analysis)
[Chart, All Incidents: values as extracted 87%, 7%, 6% across Unintentional; Intentional Non-Malicious; Intentional Malicious]
[Chart, Intentional Malicious Incidents: values as extracted 43%, 27%, 14%, 9%, 4%, 3% across Unauthorized Access; Theft of Information; Unauthorized Use; Hacking/Malware; Exposure of Information; Unknown]
Incident Recipient Types (proportion %; source: ID Experts RADAR data analysis)
[Chart, All Recipients: Unauthorized 81%; Authorized 19%]
[Chart, Authorized Recipients: values as extracted 46%, 34%, 17%, 2%, 1%, 0% across Employee; Covered Entity; Business Associate; Federal Agency; Health Plan Sponsor; OHCA]
[Chart, Unauthorized Recipients (81%): values as extracted 24%, 22%, 15%, 12%, 11%, 5%, 3%, 2%, 2%, 1%, 1%, 1%, 1%, 0%, 0% across Patient/Insured Member; Member of General Public; Covered Entity; Employee; Unknown; Relative/Household Member; Business Associate; Vendor (non-covered entity or BA); Employer of Patient; Another patient's family member; Hacker; Attorney or Lawyer; Federal Agency; Health Plan Sponsor; OHCA]
Data Risk Mitigation (proportion %; source: ID Experts data analysis)
[Chart, Data Risk Mitigation Scope: Risk Mitigated 69%; No or Unknown 31%]
[Chart, Data Risk Mitigation Frequency: values as extracted 43%, 27%, 14%, 7%, 5%, 3%, 1%; recoverable labels: Returned without written assurance; Returned w/o written assurance, obligated to safeguard PHI/PII; Provided written assurance and will not be further used or disclosed; Confirmed use of information as permitted; pairing not recoverable]
Data Risk Mitigation (proportion %; source: ID Experts data analysis)
[Chart, Data Risk Mitigation Frequency: Risk Mitigated 69%; No or Unknown 31%]
[Chart, Reason for Inability to Mitigate Risk: values as extracted 69%, 20%, 6%, 5%, 0%; recoverable labels: Unable to retrieve; Confirmed viewing or acquisition; Confirmed improper use; Destroyed but unsure of backup copy; pairing not recoverable]
Notification Frequency by Incident Category
[Chart, Electronic Incidents: values as extracted 17%, 4%, 79% across Mandatory; Voluntary; None]
[Chart, Paper Incidents: values as extracted 22%, 10%, 68% across Mandatory; Voluntary; None]
Notification Frequency by Industry
[Chart, Insurance / Financial: values as extracted 18%, 7%, 75% across Mandatory; Voluntary; None]
[Chart, Hospital: values as extracted 21%, 1%, 78% across Mandatory; Voluntary; None]
[Chart, Business Associate: values as extracted 2%, 98% (only two values survived) across Mandatory; Voluntary; None]
[Chart, Pharmacy: values as extracted 21%, 19%, 60% across Mandatory; Voluntary; None]
Notification Frequency by Business Associates (BA)
[Chart, BA Notification: values as extracted 2%, 98% (only two values survived) across Mandatory; Voluntary; None]
[Chart, BA Risk Assessment Outcome: values as extracted 4%, 10%, 86% across High Risk; Med Risk; Low Risk]
Know your incidents
Incident Response Complexity
Event → Incident → Data Breach
Incident Response Life Cycle (based upon NIST 800-61, Computer Security Incident Handling Guide): Detection → Analysis → Containment & Eradication → Post-Incident Activity
Common Sources of Detection:
• IDPSs
• SIEMs
• File Integrity Checking
• Anti-virus & spam
• OS & App. Logs
• Network Logs
• People
PII or PHI involved? No → No Breach. Yes → Regulatory Assessment → either No Breach, or Breach → Incident Notification (Regulatory Compliance)
Regulatory Burden of Proof Documentation
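As an added illustration, not the RADAR platform's logic or content from the original slides, the following script walks the flow above (PII/PHI involved? then regulatory assessment, then breach yes/no) for a few constructed incidents and records the reasons behind each determination, which is the documentation the burden-of-proof slide calls for. The data-control and recipient labels come from the charts above; the factor rules are a deliberate simplification assumed for this example.

```python
from dataclasses import dataclass

# Data-control labels from the charts above under which the data is treated
# as unusable to the recipient (assumption for this example).
SECURED_CONTROLS = {
    "Encrypted to NIST standard; key was not compromised",
    "Information was statistically de-identified",
}
# Recipient labels the charts above list as authorized (obligated to safeguard PHI).
OBLIGATED_RECIPIENTS = {"Employee", "Covered Entity", "Business Associate"}

@dataclass
class Incident:
    ident: str
    involves_pii_phi: bool
    data_control: str          # one of the chart's data-control labels
    recipient: str             # one of the chart's recipient labels
    acquired_or_viewed: bool   # confirmed viewing or acquisition
    risk_mitigated: bool       # returned/destroyed with written assurance

def assess(inc):
    """Walk the flow above: PII/PHI? -> regulatory assessment -> breach Y/N,
    returning the determination together with the findings that document it.
    Simplified rule (an assumption of this example, not the platform's logic):
    data is presumed compromised unless every factor points to a low
    probability of compromise."""
    if not inc.involves_pii_phi:
        return {"id": inc.ident, "breach": False, "notify": False,
                "findings": ["no PII or PHI involved: not a breach"]}
    if inc.data_control in SECURED_CONTROLS:
        return {"id": inc.ident, "breach": False, "notify": False,
                "findings": [f"control '{inc.data_control}': data unusable to recipient"]}
    adverse, favorable = [], []
    if inc.recipient in OBLIGATED_RECIPIENTS:
        favorable.append(f"recipient '{inc.recipient}' is obligated to safeguard PHI/PII")
    else:
        adverse.append(f"recipient '{inc.recipient}' has no safeguarding obligation")
    if inc.acquired_or_viewed:
        adverse.append("data was confirmed acquired or viewed")
    else:
        favorable.append("no evidence data was acquired or viewed")
    if inc.risk_mitigated:
        favorable.append("risk mitigated with written assurance")
    else:
        adverse.append("risk not mitigated")
    breach = bool(adverse)  # any adverse factor: presume breach, notify
    return {"id": inc.ident, "breach": breach, "notify": breach,
            "findings": adverse + favorable}

# Constructed incidents mirroring categories in the charts above.
SAMPLE_INCIDENTS = [
    Incident("misdirected-fax", True, "Information was in plaintext",
             "Covered Entity", False, True),
    Incident("stolen-laptop", True, "Encrypted to NIST standard; key was not compromised",
             "Unknown", True, False),
    Incident("mailbox-access", True, "No controls were present on electronic data",
             "Hacker", True, False),
    Incident("internal-memo", False, "Information was in plaintext",
             "Employee", True, False),
]

def assess_all(incidents=SAMPLE_INCIDENTS):
    """Assess every incident and index the documented results by id."""
    return {r["id"]: r for r in map(assess, incidents)}
```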
Incident Risk Assessment is Complex
Compliance Challenges
Organizations struggle to effectively manage incidents. A recent Ponemon study found:
• Only 35% of respondents are using automated processes
• Almost half say they are not in compliance with the federal rule
• Lack of consistency is the top complaint with the current process
[Chart, Complaints About Current Incident Assessment Process (0 to 100%): values as extracted 79%, 48%, 23% across Lack of consistency; Inability to scale; Difficult to use]
4th Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute, March 2014
Incident Risk Assessment Needs Consistency & Automation
Security Incidents → RADAR® Incident Response Management Platform → Data Breach Y / N?
• Are any of the incidents a (reportable) breach?
• Multiple regulations, multiple factors & time critical
• Most incidents have subtle but relevant aspects
• Regulations covered: Federal Laws (HIPAA/HITECH, GLBA); State & Territorial Laws; International Laws
In Conclusion
1. Regulatory environment is complex and getting more complex
2. Prepare and practice for real world incident scenarios
3. Use the right tools designed for threat intelligence, incident correlation and response management
Know the rules
Follow the rules
Prove it!
Recommended