Cybercrime and the Hidden Perils of Patient Data


Transcript of Cybercrime and the Hidden Perils of Patient Data

Page 1: Cybercrime and the Hidden Perils of Patient Data

Cybercrime and the Hidden Perils of Patient Data

Stephen Cobb, CISSP, Senior Security Researcher

Page 2: Cybercrime and the Hidden Perils of Patient Data

Stephen Cobb, Sr. Security Researcher, ESET North America

Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on IT security, Cobb leads a San Diego based security research team for ESET North America.

Page 3: Cybercrime and the Hidden Perils of Patient Data

Cybercrime risk and response
• Information technology can improve productivity and profitability in healthcare delivery, but IT comes with risks
• The risks inherent in patient data increase as cybercrime increases
• Non-compliance with regulations is not the only cybercrime liability
• There are proven methodologies to reduce risk

Page 4: Cybercrime and the Hidden Perils of Patient Data

Ripped from the headlines…

Page 5: Cybercrime and the Hidden Perils of Patient Data

It’s not your fault!
• Yes, humans do make mistakes, and there are acts of nature, and system failures
• But most of that can be mitigated
• Criminal activity is harder to stop
• The global trade in stolen data makes any system that contains marketable data a target of criminal activity

Page 6: Cybercrime and the Hidden Perils of Patient Data

How does cybercrime pay?
1. Criminals steal PII to sell on the black market
– Low risk, high reward
2. Different criminals buy the stolen data and commit fraud, e.g.
– Charge or debit credit/bank accounts
– File fraudulent tax refunds
– Make fraudulent wire transfers
– Carry out more complex scams like billing fraud
– Riskier than #1 but still safer than robbing banks

Page 7: Cybercrime and the Hidden Perils of Patient Data

You are not alone

Page 8: Cybercrime and the Hidden Perils of Patient Data

Patient Data Abuse 101

Page 9: Cybercrime and the Hidden Perils of Patient Data

Cybercrime = low risk + high return

Page 10: Cybercrime and the Hidden Perils of Patient Data

Bank robbery vs. Internet fraud

[Chart: $ cyber fraud losses (left axis, $0 to $900,000,000) plotted against # of bank robberies (right axis, 0 to 9000), by year.]

Cybercrime numbers: annual IC3 report on computer fraud cases. Mainly US, mainly those cases referred for investigation.

Page 11: Cybercrime and the Hidden Perils of Patient Data

Cybercrime has created an efficient global market for data and tools

• Specialization
• Modularity
• Division of labor
• Standards
• Markets

Page 12: Cybercrime and the Hidden Perils of Patient Data

Black market structure

Markets for Cybercrime Tools and Stolen Data (RAND, 2014)

Page 13: Cybercrime and the Hidden Perils of Patient Data

Tools of the trade: malicious code

Page 14: Cybercrime and the Hidden Perils of Patient Data

This is a RAT’s eye view of an infected computer:
• Remote Access Tool
• As seen in the movie Blackhat
• Access to your microphone, webcam, files, passwords, and everything else…

Page 15: Cybercrime and the Hidden Perils of Patient Data

Card data sold here
• Carding sites
• Just one example:
– McDumpals
• Cards sold in “dumps”
– Priced by freshness, balance, type, location

Page 16: Cybercrime and the Hidden Perils of Patient Data

Thanks to krebsonsecurity.com for screenshots

Page 17: Cybercrime and the Hidden Perils of Patient Data

Not just credit card data

Page 18: Cybercrime and the Hidden Perils of Patient Data

ELECTRONIC HEALTH RECORD

L1: Basic personal (your name, physical address, phone, email, employer): stolen to sell to spammers and for data mining, profiling, appending

L2: Non-public identifiers (your date of birth, medical record number, Social Security number, driver’s license details): sold for various kinds of identity theft such as tax ID fraud

L3: Financial data (your insurance provider, plan type, payment info, credit card, bank account): sold for financial fraud, billing scams, theft of funds

L4: Medical data (patient history, blood type, allergies, symptoms, medical conditions, prescriptions, genetic data): sold for use in medical ID fraud, billing fraud, drug and service theft and abuse

Page 19: Cybercrime and the Hidden Perils of Patient Data

A Tale of Medical Data Fraud

Page 20: Cybercrime and the Hidden Perils of Patient Data

Nightmare scenario?
• Your organization is identified as the source of information that causes harm
• Tammy Wynette case: Pittsburgh Medical Center employee sold records to newspaper

Page 21: Cybercrime and the Hidden Perils of Patient Data

How to respond?
• Make sure everyone in your organization is taking security seriously
• But treat rules like HIPAA as a baseline
– Liability for breached data does not begin or end with HIPAA
• Negligence claims are heating up
– Such claims are decided on the standard of due care, what is reasonable
– An organization may be held liable for actions of an employee even if it is “HIPAA compliant”

Page 22: Cybercrime and the Hidden Perils of Patient Data

The ABCs of Cybersecurity
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test

Page 23: Cybercrime and the Hidden Perils of Patient Data

The top three strategies
#1. Perform and document a risk assessment
– It’s the basis of your security program
– Your defense in case of a breach
– And a hedge against fines!

Meaningful Use optometry clinic audit, MN: Failed to perform a proper risk assessment. Failed to follow policies and procedures. Penalty: initial incentive payments had to be repaid, plus 2 more years of payments totaling more than $40,000 put in doubt (just 3 ODs).

OCR hospital ePHI breach, NY: Hospital failed to complete an accurate and thorough risk analysis identifying all systems that access ePHI. Penalty: fined $4.8 million.

Page 24: Cybercrime and the Hidden Perils of Patient Data

The top three strategies
#2. Get an outside review of your security
– Even with the best of intentions there can be security gaps
– Real world, healthcare company examples:
• “We require passwords to be changed every six months”
• The system allowed passwords to remain unchanged
• “We delete access for all ex-employees”
• Several dozen ex-employees still had access
• “We use antivirus on all our endpoints”
• But it was turned off in the HR department
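The three gaps above share one shape: a stated policy that nobody checked against the systems that were supposed to enforce it. The script below is an added example (not from the slides or from ESET) of the kind of evidence-based check an outside reviewer runs: it compares a constructed directory export and endpoint inventory against the claimed password-rotation, access-removal and anti-malware policies, and reports every place where reality diverges. Account, Endpoint, the 180-day window and the sample records are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy the organisation claims to enforce ("changed every six months").
MAX_PASSWORD_AGE = timedelta(days=180)  # assumed interpretation of six months

@dataclass
class Account:
    user: str
    employed: bool               # False = ex-employee according to the HR feed
    enabled: bool                # account still active in the directory
    last_password_change: date

@dataclass
class Endpoint:
    hostname: str
    department: str
    antivirus_enabled: bool

def review_controls(accounts, endpoints, today):
    """Compare stated policy with observed state.
    Returns (control, subject, detail) findings; an empty list means the
    evidence sampled supports the policy claims."""
    findings = []
    for a in accounts:
        if a.enabled and today - a.last_password_change > MAX_PASSWORD_AGE:
            age = (today - a.last_password_change).days
            findings.append(("password-rotation", a.user, f"unchanged for {age} days"))
        if not a.employed and a.enabled:
            findings.append(("access-removal", a.user, "ex-employee account still enabled"))
    for e in endpoints:
        if not e.antivirus_enabled:
            findings.append(("anti-malware", e.hostname, f"AV disabled ({e.department})"))
    return findings

# Constructed sample data standing in for a directory export and endpoint inventory.
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2015, 1, 10)),
    Account("bob", True, True, date(2014, 3, 1)),       # never rotated
    Account("carol", False, True, date(2014, 11, 2)),   # left, still enabled
    Account("dave", False, False, date(2014, 6, 1)),    # left, properly disabled
]
SAMPLE_ENDPOINTS = [
    Endpoint("ws-hr-01", "HR", False),
    Endpoint("ws-billing-01", "Billing", True),
]

def sample_review():
    """Run the review against the constructed data as of a fixed date."""
    return review_controls(SAMPLE_ACCOUNTS, SAMPLE_ENDPOINTS, date(2015, 4, 1))

if __name__ == "__main__":
    for finding in sample_review():
        print("GAP:", *finding)
```

The point is the method, not the toy data: each claim in a policy should map to a query against the system that enforces it, re-run on a schedule rather than trusted on the strength of the written rule.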

Page 25: Cybercrime and the Hidden Perils of Patient Data

Which of the following attack types have exploited your company in 2014?

2015 ISACA and RSA Conference Survey

Page 26: Cybercrime and the Hidden Perils of Patient Data

Top 3 strategies: 4 key controls
1. Strong authentication: defeats many hacking attack strategies
2. Encryption: prevents loss from lost/stolen equipment
3. Anti-malware: stops infections, phishing, and more
4. Backup: a strong defense against ransomware, data loss, natural and human disasters

Page 27: Cybercrime and the Hidden Perils of Patient Data

Build your security policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting the privacy and security of data
• Then a set of policies that spell out the protective measures

Page 28: Cybercrime and the Hidden Perils of Patient Data

Choose the controls you will use to enforce your policies
• For example:
– Policy: Only authorized employees can access sensitive data
– Controls:
• Require identification and authentication of all employees via unique user name and password
• Limit access through application(s) by requiring authentication
• Log all access

Page 29: Cybercrime and the Hidden Perils of Patient Data

Deploy controls and make sure they work
• Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
• Test control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?

Page 30: Cybercrime and the Hidden Perils of Patient Data

Educate employees, execs, vendors, partners, patients
• Everyone needs to know
– What the security policies are, and
– How to comply with them through proper use of controls
• Pay attention to any information-sharing relationships
– Vendors, partners, even clients
• Be clear that failure to protect shared data has serious consequences

Page 31: Cybercrime and the Hidden Perils of Patient Data

Further assess, audit, test… This is a process, not a project
• Re-assess security on a periodic basis
• Stay up-to-date on emerging threats
• Be vigilant around change
– New vendor relationships
– Employees departing
– Hiring practices

Page 32: Cybercrime and the Hidden Perils of Patient Data
Page 33: Cybercrime and the Hidden Perils of Patient Data

Thank you

[email protected]