10 Smart Ideas for Keeping Data Safe - Withum

withum.com BE IN A POSITION OF STRENGTHSM

HAVE YOU BEEN HACKED?

10 Smart Ideas for Keeping Data Safe From Hackers


Agenda

• Introduction

• Background

• Ten Smart Ideas

• Conclusions

• Q&A


Recent Healthcare Data Breaches

Institution | Numbers Affected | What Happened?

Utah Department of Health | 780,000 | A weak password policy was in effect on a network server.

Emory Healthcare | 315,000 | 10 backup disks went missing due to an unlocked storage facility door.

South Carolina Department of Health and Human Services | 230,000 | 17 Excel spreadsheets were illegally copied.

Multiple Incidents | 55,600 | Laptops stolen.


Healthcare Data Breaches Summary

• Total breaches: 495

• Total records: 21.12 million

• Total cost: $4.1 billion

• Average size: 42,659 records

• Average cost: $8.27 million

• Average time to identify: 84.78 days

• Average time to notify: 68.31 days

Source: Recent report from the Health Information Trust Alliance (HITRUST)


Key Patterns - Healthcare Industry

• Physical Theft and Loss (46%)

• Insider Misuse (15%)

• Miscellaneous Errors (12%)

• Others (10%)

• Point-of-Sale Intrusions (9%)

• Crimeware (3%)

• Web App Attacks (3%)

• Denial of Service Attacks (2%)

• Cyberespionage (< 1%)

• Payment Card Skimmers (< 1%)

Source: Verizon Data Breach & Incident Report 2014


The Ramifications

• The Announcement: Once a breach is identified, if the breach involves more than 500 individuals, the organization must make the announcement and alert the media.

• The Coverage: This is not good PR. No hospital or healthcare organization wants to be in the news because of a data breach, unless it directly helped prevent one.

• The Fallout: Depending on the size of the breach, the reporting, analysis and review of the situation can be quite damaging.

• Remediation: Once a breach happens, healthcare organizations must scramble to ensure that this doesn’t happen again.


Who Gains From Cyberespionage?

• Cybercriminals readily understand the value of corporate information. There are opportunities to gain from extortion and ransom campaigns – as well as selling stolen data on the black market.

• Hacktivists focus on causing reputation damage and disruption to organizations that the hacktivists have issues with. They realize that a leak of confidential information – about customers, suppliers or employees – could lead to severe embarrassment and/or significant legal penalties.

• Cybermercenaries seek payment from anyone who will hire them – including governments, protest groups, or businesses – to steal specific information.

• Nation states (government agencies) – or their contractors – focus on collecting strategic information or disrupting industrial facilities in hostile countries.


Healthcare Vendors Scorecard

• The majority of healthcare vendors lack minimum security, as shown by their scores for culture of security:

  4% scored in the “A” high confidence grade range

  16% scored in the “B” moderate confidence grade range

  14% scored in the “C” indeterminate confidence grade range

  >58% scored in the “D” grade range

  Including 8% scoring in the “F” grade range


Healthcare Vendors Scorecard

• Only 32% of vendors have security certifications such as FedRAMP, HITRUST, ISO 27001, SOC 1 (SSAE-16), SOC 2 and 3

• Over 50% of vendors providing services to an average healthcare organization are small to medium sized businesses with <1,000 employees


Background – Healthcare Vendors

• When healthcare and industry organizations don’t hold vendors accountable for minimum levels of security, these vendors become an unlocked backdoor to sensitive healthcare data

• An average hospital’s data is accessible by hundreds to thousands of vendors providing a wide range of services: from business services, consulting, claims processing and education to Electronic Health Record (EHR), healthcare and medical supplies technologies and products, to network and security software

• A growing number of security incidents at companies are attributed to partners and vendors – the share increased from 20% in 2010 to 28% in 2012


Background – Healthcare Vendors

• Only “44% of organizations have a process for evaluating third parties before launch of business operations”

• Only “31% include security provisions in contracts with external vendors and suppliers”

• Vendor due diligence by healthcare organizations is not aligned with risks

• Effective third-party security risk management is expensive, time consuming, and resource intensive


Definitions

• Vulnerabilities – aspects of IT infrastructure that can be potentially exploited, leading to unauthorized access, loss or exposure of sensitive data, disruption of services, failure to comply with regulatory requirements or other unwanted outcomes

• Malware – malicious software or scripts designed to access or harm IT resources without the owner’s authorization

• Hacking – intentional attempts to access or harm IT resources without authorization by thwarting logical security mechanisms


Blended Threats

• Phishing – refers to seemingly innocuous email that contains links to malicious executables or websites

• Spear Phishing – refers to phishing that is directed at specific companies or individuals

• Vishing – a combination of “voice” and “phishing”

• Smishing – a combination of “SMS” and “phishing”

• Pharmaceutical Phishing – a rise in spam concerning health issues (including promotions for online pharmacies and counterfeit drugs) containing malware


Drive-by Downloads

• End-users visiting infected websites or installing what they mistakenly believe to be legitimate software

• Attackers are using search engine optimization (SEO) techniques to drive end-users to websites that are infected with malicious code

• Shortened URLs – these disguise malicious links and exploit end-user trust through social engineering

• Anonymous proxy servers – access Internet resources on behalf of the original requester

• Internationalized domain names (IDNs) – opportunity to exploit malicious, mixed-character URLs that are visually indistinguishable from legitimate ones
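The look-alike URL risk in the last bullet is something a defender can check for mechanically. As an added example (not code from the Withum deck), the Python below decodes punycode ("xn--") labels, flags labels that mix scripts such as Latin and Cyrillic, and reports the ASCII name a hostname visually imitates; the CONFUSABLES table is a small constructed subset of Unicode's confusables list, and the sample hostnames are constructed.

```python
import unicodedata

# Constructed subset of the Unicode confusables list: non-Latin letters that
# render like ASCII letters. Illustrative only, not the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o",  # Greek small omicron
}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding 'xn--' (punycode) labels."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch):
    """Coarse script name taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "Common"  # digits and hyphens belong to every script
    return unicodedata.name(ch, "UNKNOWN").split()[0].capitalize()


def analyze_hostname(host):
    """Inspect a hostname for IDN homograph tricks.

    Returns the decoded Unicode hostname, the labels that mix scripts
    (e.g. Latin + Cyrillic), the ASCII name the host visually imitates
    (or None), and an overall 'suspicious' verdict.
    """
    labels = [decode_label(l) for l in host.lower().split(".")]
    mixed = []
    skeleton = []
    for label in labels:
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            mixed.append(label)
        # Replace each confusable letter with the ASCII letter it resembles.
        skeleton.append("".join(CONFUSABLES.get(c, c) for c in label))
    decoded = ".".join(labels)
    lookalike = ".".join(skeleton)
    lookalike_of = lookalike if lookalike.isascii() and lookalike != decoded else None
    return {
        "decoded": decoded,
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike_of,
        "suspicious": bool(mixed) or lookalike_of is not None,
    }


# Constructed samples: a genuine name, a mixed-script spoof (Cyrillic 'а' in
# 'paypal') and an all-Cyrillic look-alike of 'cisco'.
SAMPLES = ["paypal.com", "p\u0430ypal.com", "\u0441\u0456\u0455\u0441\u043e.com"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, analyze_hostname(h))
```

In practice such a check runs over hostnames pulled from mail links or proxy logs and feeds a review queue; the confusables table should come from the Unicode Consortium's published list rather than the short subset here.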


APTs

• Advanced Persistent Threats (APTs) may involve any of the blended threats and/or drive-by downloads. The main implication of this term is that they involve human command-and-control, specific objectives, and skilled, well-funded attackers.


Data Classification

Level (lowest to highest) | Commercial | Government

Lowest | Not sensitive; Non-proprietary; Public | Not classified; Unclassified

 | Proprietary; Internal use only | Confidential

 | Confidential | Secret

Highest | Restricted; Highly confidential | Top secret


#1: Encryption of Data Is a Must

Data encryption is a key defense against breaches. That includes all information, whether it's stored digitally, on tape or on employees' mobile devices.


#2: Mobile Devices Are a Challenge

In this era of bring-your-own-device (BYOD), with more people using mobile devices for work, the amount of sensitive data on these smartphones and tablets is increasing. Organizations need a strong mobile device management policy to protect these devices, whether they're corporate- or employee-owned.


#3: Getting Rid of Old Information

There is always some outdated and sensitive data—whether related to the company, employees or customers—that needs to be shed. Companies need a corporate policy that takes into account the secure destruction of such data.


#4: Keep an Eye on the Stored Data

Regardless of where the data is—stored locally, in the data center or in the cloud—the company’s IT professionals should always know how the information is being secured.


#5: Disposing of IT Assets

Just as with data, organizations need to have an end-of-life plan for assets that might hold sensitive information, to ensure that the information on the assets remains secure.


#6: Pay Attention to Passwords

Weak passwords continue to be an easy avenue for cyber-thieves looking for information. Organizations must use complex passwords that are changed frequently. They also should use two-factor authentication when possible.


#7: Protect Against Viruses

Companies need to ensure that their virus protection software is kept up-to-date.


#8: Don't Forget Firewalls

Both firewalls and intrusion-detection software (possibly even intrusion prevention software) are key elements of the larger data protection effort.


#9: Privacy Should Be a Primary Concern

An enterprise-wide policy aimed at protecting private information from unauthorized access or inadvertent disclosure is the best policy for keeping the data safe.


#10: Keeping a Focus on Employee Education

Employees can be a source of problems and a key line of defense. Businesses need to ensure that workers are properly trained to treat information appropriately, and that all employees are up-to-date on the latest corporate policies and procedures.


Conclusions


Strategic Program Governance & Oversight

• The changing cybercrime landscape and evolving threats and risks now call for nimble, strategic, risk-based and methodical approaches to protecting data and responding to breaches

• The privacy and protection of PII is not only an issue of regulatory compliance. It is also a factor in competitive advantage, business positioning and strategy, and requires oversight

• Privacy and security regulations should influence business strategy, as the mismanagement of PII and weak privacy and security controls can cripple an organization


Data Protection – Conceptual Architecture

Set Policy → Deploy Controls → Enforce & Monitor Controls


Deploy A Comprehensive IT Security Solution

• Vulnerability assessment

• Patch management

• Application controls – that also include whitelisting and default deny functionality

• Device controls – that help you to manage which devices are allowed to be connected to your systems/network

• Web controls – that make it easy to manage, restrict, and audit access to web resources

• Zero-day defenses

• Data encryption

• Mobile security with mobile device management (MDM)


Contact: Sumit Pal

• (609) 520-1188 | [email protected]