Cybercrime and the Hidden Perils of Patient Data
Stephen Cobb, CISSP, Senior Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on IT security, Cobb leads a San Diego based security research team for ESET North America.
Cybercrime risk and response
• Information technology can improve productivity and profitability in healthcare delivery, but IT comes with risks
• The risks inherent in patient data increase as cybercrime increases
• Non-compliance with regulations is not the only cybercrime liability
• There are proven methodologies to reduce risk
Ripped from the headlines…
It’s not your fault!
• Yes, humans do make mistakes, and there are acts of nature, and system failures
• But most of that can be mitigated
• Criminal activity is harder to stop
• The global trade in stolen data makes any system that contains marketable data a target of criminal activity
How does cybercrime pay?
1. Criminals steal PII to sell on the black market
– Low risk, high reward
2. Different criminals buy the stolen data and commit fraud, e.g.
– Charge or debit credit/bank accounts
– File fraudulent tax refunds
– Make fraudulent wire transfers
– Carry out more complex scams like billing fraud
– Riskier than #1 but still safer than robbing banks
You are not alone
Patient Data Abuse 101
Cybercrime = low risk + high return
[Chart: Bank robbery vs. Internet fraud. Left axis: $ cyber fraud losses ($0 to $900,000,000); right axis: # of bank robberies (0 to 9,000). Cybercrime numbers: annual IC3 report on computer fraud cases. Mainly US, mainly those cases referred for investigation.]
Cybercrime has created an efficient global market for data and tools
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
Black market structure: Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Tools of the trade: malicious code
This is a RAT’s eye view of an infected computer:
• Remote Access Tool
• As seen in the movie Blackhat
• Access to your microphone, webcam, files, passwords, and everything else…
Card data sold here
• Carding sites
• Just one example:
– McDumpals
• Cards sold in “dumps”
– Priced by freshness, balance, type, location
Thanks to krebsonsecurity.com for screenshots
Not just credit card data
What an electronic health record contains, and what each layer is stolen for:
• L1: Basic personal (your name, physical address, phone, email, employer): stolen to sell to spammers and for data mining, profiling, appending
• L2: Non-public identifiers (your date of birth, medical record number, Social Security number, driver’s license details): sold for various kinds of identity theft such as tax ID fraud
• L3: Financial data (your insurance provider, plan type, payment info, credit card, bank account): sold for financial fraud, billing scams, theft of funds
• L4: Medical data (patient history, blood type, allergies, symptoms, medical conditions, prescriptions, genetic data): sold for use in medical ID fraud, billing fraud, drug and service theft and abuse
A Tale of Medical Data Fraud
Nightmare scenario?
• Your organization is identified as the source of information that causes harm
• Tammy Wynette case: Pittsburgh Medical Center employee sold records to newspaper
How to respond?
• Make sure everyone in your organization is taking security seriously
• But treat rules like HIPAA as a baseline
– Liability for breached data does not begin or end with HIPAA
• Negligence claims are heating up
– Such claims are decided on the standard of due care, what is reasonable
– An organization may be held liable for actions of an employee even if it is “HIPAA compliant”
The ABCs of Cybersecurity
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test
A B C D E F / F E D C B A (the cycle runs forward and then repeats)
The top three strategies
#1. Perform and document a risk assessment
– It’s the basis of your security program
– Your defense in case of a breach
– And a hedge against fines!
Meaningful Use optometry clinic audit, MN: Failed to perform a proper risk assessment. Failed to follow policies and procedures. Penalty: Initial incentive payments had to be repaid, plus 2 more years of payments totaling more than $40,000 put in doubt (just 3 ODs).
OCR hospital ePHI breach, NY: Hospital failed to complete an accurate and thorough risk analysis identifying all systems that access ePHI. Penalty: Fined $4.8 million.
The top three strategies
#2. Get an outside review of your security
– Even with the best of intentions there can be security gaps
– Real world, healthcare company examples:
• “We require passwords to be changed every six months”
• The system allowed passwords to remain unchanged
• “We delete access for all ex-employees”
• Several dozen ex-employees still had access
• “We use antivirus on all our endpoints”
• But it was turned off in the HR department
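The three gaps above are exactly what an outside reviewer finds by checking a written policy against exported evidence. The following is an added example, not the speaker's code: it assumes an HR roster, a directory export and an endpoint inventory (all constructed here), and takes the six-month password age from the slide.

```python
"""Check three written policies against exported evidence (constructed sample data)."""
from datetime import date

AS_OF = date(2015, 3, 1)  # review date for the constructed sample

# Constructed HR roster: who is still employed.
ROSTER = {"amartin": "active", "jlee": "terminated",
          "rpatel": "active", "tnguyen": "terminated"}

# Constructed directory export: login accounts and last password change.
ACCOUNTS = [
    {"user": "amartin", "enabled": True, "pw_changed": date(2014, 7, 1)},
    {"user": "jlee", "enabled": True, "pw_changed": date(2014, 12, 5)},
    {"user": "rpatel", "enabled": True, "pw_changed": date(2015, 1, 10)},
    {"user": "tnguyen", "enabled": False, "pw_changed": date(2014, 11, 20)},
]

# Constructed endpoint inventory: department and anti-malware state.
ENDPOINTS = [
    {"host": "hr-pc-01", "dept": "HR", "av_running": False},
    {"host": "fin-pc-02", "dept": "Finance", "av_running": True},
    {"host": "clinic-pc-07", "dept": "Clinic", "av_running": True},
]


def stale_passwords(accounts, as_of=AS_OF, max_age_days=180):
    """Policy: passwords change every six months. Enabled accounts older than that."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (as_of - a["pw_changed"]).days > max_age_days)


def orphan_accounts(accounts, roster):
    """Policy: ex-employees lose access. Enabled accounts whose owner is not active."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and roster.get(a["user"]) != "active")


def unprotected_endpoints(endpoints):
    """Policy: anti-malware on every endpoint. Hosts where it is not running."""
    return sorted(e["host"] for e in endpoints if not e["av_running"])


def audit():
    """Run all three checks; an empty list under a heading means the claim holds."""
    return {"stale_passwords": stale_passwords(ACCOUNTS),
            "orphan_accounts": orphan_accounts(ACCOUNTS, ROSTER),
            "unprotected_endpoints": unprotected_endpoints(ENDPOINTS)}


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings or 'OK'}")
```

Each finding is a case where the stated policy and the system's actual state disagree, which is the evidence an outside review produces and a risk assessment should record.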
[Survey chart: “Which of the following attack types have exploited your company in 2014?” Source: 2015 ISACA and RSA Conference Survey]
The top three strategies
#3. Four key controls
1. Strong authentication: defeats many hacking attack strategies
2. Encryption: prevents loss from lost/stolen equipment
3. Anti-malware: stops infections, phishing, and more
4. Backup: a strong defense against ransomware, data loss, natural and human disasters
Build your security policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting the privacy and security of data
• Then a set of policies that spell out the protective measures
Choose the controls you will use to enforce your policies
• For example:
– Policy: Only authorized employees can access sensitive data
– Controls:
• Require identification and authentication of all employees via unique user name and password
• Limit access through application(s) by requiring authentication
• Log all access
Deploy controls and make sure they work
• Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
• Test control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?
Educate employees, execs, vendors, partners, patients
• Everyone needs to know
– What the security policies are, and
– How to comply with them through proper use of controls
• Pay attention to any information-sharing relationships
– Vendors, partners, even clients
• Be clear that failure to protect shared data has serious consequences
Further assess, audit, test… This is a process, not a project
• Re-assess security on a periodic basis
• Stay up-to-date on emerging threats
• Be vigilant around change
– New vendor relationships
– Employees departing
– Hiring practices
Thank you. [email protected]