Don’t Be the Next Victim! Paul Johnson, Senior Manager Risk Advisory Services Wipfli LLP.

Transcript of Don’t Be the Next Victim! Paul Johnson, Senior Manager Risk Advisory Services Wipfli LLP.

Page 1

Don’t Be the Next Victim!

Paul Johnson, Senior Manager Risk Advisory Services

Wipfli LLP

Page 2

Agenda

• Threat landscape

• Latest attacks & breaches

• Recent regulatory activities

• NIST cybersecurity framework

• Countermeasures

• Q&A

Page 3

Notable Data Breaches & Vulnerabilities

Page 4

Business Has Changed

• Big Data

• Mobile apps

• Compliance

• BYOD

• Outsourcing

Page 5

Threats Have Changed

[Figure: four headline statistics shown as icons. Labels: 2013 cost of cybercrime; increase in mobile malware; percentage of investigations due to web application exploits; investigations that involved an outsourced provider. Values shown: 400%, 63%, 48% and +$500B.]

Page 6

HHS-OCR Data Breach List is Growing…

Page 7

Verizon 2014 Data Breach Report

Page 8

Breach Detection Concerns

205 days – Median number of days that hackers were present on a victim’s network before being discovered. Longest presence: 2,982 days.

69% – Victims notified by an external entity (e.g., law enforcement).

Source: Mandiant M-Trends 2015

Page 9

How Do Attacks Occur?

• 52% used some form of hacking

• 76% exploited weak or stolen credentials

• 40% incorporated malware

• 35% involved physical attacks

• 29% employed social tactics

• 13% involved privilege misuse

Page 10

Ransomware – Manufacturing Company

1. An employee clicked on an e-mail that appeared to come from UPS.

2. Network outage – all data was encrypted.

3. The president was contacted with a demand for a $300 ransom, payable in Bitcoin.

4. All backups were encrypted as well, because the backup system was not set up properly.

5. The ransom rose to $3,000 after 72 hours had passed.

Page 11

Anthem – Targeted Hacking Attack

Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and obtained personal information from current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

– System administrator’s security credentials were compromised.

– Phishing attacks and malware were likely used in the attack.

– Database was the main target of reconnaissance efforts.

Page 12

UCLA Health – Targeted Hacking Attack

Marking another high-profile data breach, hackers broke into UCLA Health System's computer network and may have accessed sensitive information on as many as 4.5 million patients, hospital officials said.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

The revelation that UCLA hadn't taken the basic step of encrypting this patient data drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in healthcare, retail and government.

http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html

Page 13

Sunglo Home Health Services – Computer Theft

Sunglo Home Health Services notified customers/patients of a data breach when their facility was broken into and one of the company laptops was stolen. The laptop contained patient information including Social Security numbers and personal health information.

Currently the company does not know the number of affected patients.

Page 14

Veterans Affairs Hospital, SD – Insecure Disposal

The VA Hot Springs hospital notified patients of a data breach when files containing their Social Security numbers along with additional personal information were thrown in a trash bin without being shredded.

The incident took place in May and the 1,100 patients that were affected were not notified until July 29, 2015. Reportedly, an employee discarded a box of patient files in a dumpster. The box of files was found two days later by another employee who removed them from the trash.

Page 15

UC Irvine Medical Center – Insider Breach

UC Irvine Medical Center has notified patients of a data breach when an employee reviewed patient records without authorization.

The information this individual may have gained access to included names, dates of birth, gender, medical record numbers, height, weight, Medical Center account number, allergy information, home addresses, medical documentation, diagnoses, test orders/results, medications, employment status, and names of your health plan and employer.

Page 16

What does all this mean?

The threat landscape is changing with the adoption of newer technologies.

Health information has become a valuable commodity.

Attacks are becoming more numerous and sophisticated.

Healthcare organizations face steep challenges in keeping pace with emerging threats.

Page 17

HIPAA – OCR Audits

OCR Audit Program Facts

Booz Allen Hamilton: Developed audit protocols.

KPMG: Performed trial program audits.

PWC: Evaluating audit program results and feedback for future improvements.

Phase 1 audits occurred between 2011 – 2012.

Phase 2 audits have been postponed (starting up this fall).

Page 18

Phase 2 – OCR Audits

OCR has selected a pool of covered entities eligible for audit.

Health care providers were selected through the National Provider Identifier (NPI) database.

Clearinghouses and health plans were selected from external databases (e.g., AHIP).

Random selection was used when possible within entity types.

Wide range of entities (e.g., group health plans, physicians and group practices, behavioral health, dental, hospitals, laboratories).

Page 19

Phase 2 – Pre-Audit Survey

Questions address size measures, location, services, best contacts.

OCR will conduct address verification with entities this spring.

Entities will receive a link to an on-line screening “pre-survey” this summer.

OCR plans to contact 550-800 entities. OCR will use the results of the survey to select a projected 350 covered entities and 50 business associates to audit (BA pool determined by the audited covered entities).

Important Note: OCR will most likely contact a C-level individual in the organization.

Page 20

Phase 2 – Projected Entities to be Audited

Page 21

Phase 2 – Audit Expectations

Page 22

Phase 2 – Audit Expectations

Covered Entities

Audits will target the sources of a high number of compliance failures in the pilot audits:

• Risk Analysis/Assessments

• Breach notification (content and timeliness of notifications)

• Privacy Rule – patient notice of privacy practices and access to PHI

Business Associates

• Risk Analysis/Assessment and risk management

• Breach reporting to covered entities

Page 23

OCR isn’t the only one to be concerned with…

• State Attorneys General (provided training by OCR).

• Food and Drug Administration (medical device audits).

• Centers for Medicare and Medicaid Services (Meaningful Use audits).

• Whistleblowers.

• Class action lawsuits.

• Federal Trade Commission.

Page 24

Regulatory Landscape – Wrap up

Phase 2 OCR Audits are starting. They will not be friendly audits!

Others are getting into the enforcement game.

As the frequency and severity of healthcare data breaches continue to increase, so will the scrutiny of healthcare organizations’ privacy and security practices.

Page 25

NIST Cybersecurity Framework

Executive Order 13636 – February 12, 2013

Information Sharing and Collaboration

Develop a baseline framework of cybersecurity standards and best practices – National Institute of Standards and Technology (NIST).

Establish consultative process.

Identify high priority infrastructure.

Incentives for voluntary participation.

Review / assess regulatory requirements.

Incorporate privacy and civil liberties.

Page 26

NIST Cybersecurity Framework

Page 27

NIST Cybersecurity Framework

Five Key Functions

Identify: Understand digital resources and associated risks.

Protect: Processes & technology designed to reduce risk.

Detect: Enabling rapid detection to reduce exposure to risk.

Respond: Taking action to stop or remediate an attack.

Recover: Ensure business continuity or restoration after security event.

Page 28

NIST Cybersecurity Framework – Tiers

4 Levels of Cyber Risk Management Sophistication

Tier 1 (Partial) Management processes are not formalized and are ad hoc. Viewed as “something that IT handles”; little to no collaboration on issues with external organizations.

Tier 2 (Risk Informed) Management is of high-level concern but still mostly in IT department. Initial policy created and considers role in the larger industry response to risk.

Tier 3 (Repeatable) Coherent policies and practices understood and implemented across the organization. Connected to larger industry effort to address risk and benefits from shared information.

Tier 4 (Adaptive) Management is continuously improving by applying lessons learned from personal and 3rd-party experiences. Has made risk management part of corporate culture and actively contributes risk information to larger industry efforts.

Page 29

NIST Cybersecurity Framework in Action

Page 30

How to Use the NIST Cybersecurity Framework

1. Prioritize and Scope – Business mission and priorities.

2. Orient – Systems and assets, regulatory requirements, risk approach.

3. Create a Current Profile.

4. Conduct a Risk Assessment.

5. Create a Target Profile.

6. Determine, Analyze and Prioritize Gaps.

7. Implement Action Plan.
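The profile and gap steps (3 through 7) worked through in code. This is an added example, not part of the presentation: the five Functions and four Tiers are the Framework's own, while the sample profiles, the priority ordering and the function names (`validate_profile`, `prioritize_gaps`, `action_plan`) are constructed assumptions.

```python
"""Current-profile vs target-profile gap analysis over the five CSF functions.
Constructed example: the tier numbers below are illustrative, not a real assessment."""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int
    priority: int  # business priority from step 1; 1 = highest

    @property
    def size(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict) -> None:
    """Steps 3 and 5: a profile assigns one of the four tiers to every function."""
    missing = set(FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile lacks functions: {sorted(missing)}")
    for fn, tier in profile.items():
        if tier not in TIERS:
            raise ValueError(f"{fn}: tier {tier!r} is not one of {sorted(TIERS)}")


def prioritize_gaps(current: dict, target: dict, priorities: dict) -> list:
    """Step 6: functions where the target tier exceeds the current tier,
    largest gap first, ties broken by the business priority from step 1."""
    validate_profile(current)
    validate_profile(target)
    gaps = [
        Gap(fn, current[fn], target[fn], priorities.get(fn, len(FUNCTIONS)))
        for fn in FUNCTIONS
        if target[fn] > current[fn]
    ]
    return sorted(gaps, key=lambda g: (-g.size, g.priority, g.function))


def action_plan(gaps: list) -> list:
    """Step 7: one action line per gap, in the order the gaps should be worked."""
    return [f"{g.function}: Tier {g.current} ({TIERS[g.current]}) -> "
            f"Tier {g.target} ({TIERS[g.target]})" for g in gaps]


# Constructed sample profiles for a small provider (illustrative values only).
CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}
PRIORITIES = {"Detect": 1, "Recover": 2, "Respond": 3, "Protect": 4, "Identify": 5}

if __name__ == "__main__":
    for line in action_plan(prioritize_gaps(CURRENT_PROFILE, TARGET_PROFILE, PRIORITIES)):
        print(line)
```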

Page 31

Last Word about the NIST Cybersecurity Framework

Framework is quickly being adopted across a variety of industries.

Can serve as a dashboard for communicating with senior management and business partners.

Detailed controls frameworks (e.g., NIST 800-53, HITRUST) map to the NIST Cybersecurity Framework.

Page 32

Countermeasures

Countermeasures will focus on four categories of threats:

– Physical Theft and Loss.

– Web Attacks & Crimeware.

– Miscellaneous Errors.

– Insider and Privilege Misuse.

Page 33

Countermeasures – Physical Theft and Loss

• Keep track of your assets:

– Laptops

– Desktops

– Servers

– Portable media

– Other

Page 34

Countermeasures – Physical Theft and Loss

• Use encryption and authentication when possible:

– Use strong passwords that change periodically.

– Use PINs for devices that support it.

– Use AES 256-bit encryption or better.

Page 35

Countermeasures – Physical Theft and Loss

• Be aware of your surroundings.

• Keep possession of sensitive devices at all times (e.g., cell phones).

• Lockdown devices in public areas.

• Use tracking software.

Page 36

Countermeasures – Physical Theft and Loss

• Review business partner controls for physical security:

– What do their policies and procedures say?

– What are their safeguards?

– Who reviews them?

– Will they report any losses to you in a timely manner?

Page 37

Countermeasures – Web Attacks & Crimeware

• Browser considerations:

– Update browsers regularly.

– Disable Java when possible.

– Update the device OS as well!

Page 38

Countermeasures – Web Attacks & Crimeware

• Use these security programs:

– Firewall

– Intrusion detection/prevention

– Malware detection/prevention

– Spam filter

– Web content filter

• Keep them current!

Page 39

Countermeasures – Web Attacks & Crimeware

• Use two-factor authentication.

• Passwords:

– Do not re-use passwords.

– Use complex passwords.

– Change them regularly.

– Use a password keeper.

• Use multiple e-mail accounts.

• Social media – don’t overshare.

Page 40

Countermeasures – Web Attacks & Crimeware

• Consider single purpose devices for critical functions (e.g., wire transfer, ACH transactions, Internet banking).

• Consider which mobile devices to use for which activities based on threat targets.

• Monitor key systems and network traffic for suspicious changes in configuration or behavior.

Page 41

Countermeasures – Web Attacks & Crimeware

• Train your staff:

– Latest threats and how to spot them.

– Countermeasures deployed.

– How to report potential incidents.

Page 42

Countermeasures – Miscellaneous Errors

• Turn on egress firewall rules.

• Look for data exfiltration (e.g., data loss prevention tools).

• Lock down ports on your computers.

Page 43

Countermeasures – Miscellaneous Errors

• Ensure strong change controls for web technologies:

– Test security controls for each change.

– Periodic search for sensitive information.

– Employ oversight controls for publishing (verifying that the data published is appropriate).

Page 44

Countermeasures – Miscellaneous Errors

• Spot check mailings:

– Does sensitive information show through the mailing envelope address window?

Page 45

Countermeasures – Miscellaneous Errors

• Proper disposal of:

– Hard drives.

– Portable media.

– Paper.

– Other devices (e.g., tablets, mobile phones, printers, scanners, copiers, iPods, others?).

Page 46

Countermeasures – Insider & Privilege Misuse

• Keep track of your data:

– Application list.

– Electronic and physical documents/locations.

– Devices storing it.

Page 47

Countermeasures – Insider & Privilege Misuse

• Review user access permissions regularly:

– Terminated users.

– Transfers.

– Business partner access.

– Inactive users.

• Consider separation of duties.
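One way to run the access review this slide describes, as an added example rather than anything from the presentation: it compares a constructed HR roster against a constructed application account export and flags terminated users, transfers, expired business-partner access, inactive accounts and a simple separation-of-duties conflict. The 90-day inactivity threshold, the conflicting role pair and the `review_access` function name are assumptions.

```python
"""Periodic user-access review over a constructed HR roster and application
account export; flags the cases listed on the slide plus a separation-of-duties
conflict. All data and thresholds below are constructed assumptions."""
from datetime import date, timedelta

INACTIVE_DAYS = 90
REVIEW_DATE = date(2015, 8, 10)  # constructed date the review is run
# Roles one person should not hold together (assumed SoD rule).
CONFLICTING_ROLES = [frozenset({"create_payment", "approve_payment"})]

# Constructed HR roster: employee id -> (status, current department).
HR_ROSTER = {
    "E100": ("active", "billing"),
    "E101": ("terminated", "billing"),
    "E102": ("active", "radiology"),  # transferred out of billing
    "E103": ("active", "it"),
}

# Constructed account export. partner_until is set only for business-partner
# accounts, whose access is tied to a contract end date rather than HR status.
ACCOUNTS = [
    {"user": "alice", "emp": "E100", "dept_granted": "billing", "last_login": date(2015, 8, 1),
     "roles": {"create_payment"}, "partner_until": None},
    {"user": "bob", "emp": "E101", "dept_granted": "billing", "last_login": date(2015, 7, 20),
     "roles": {"create_payment"}, "partner_until": None},
    {"user": "carol", "emp": "E102", "dept_granted": "billing", "last_login": date(2015, 8, 3),
     "roles": {"view_claims"}, "partner_until": None},
    {"user": "dave", "emp": "E103", "dept_granted": "it", "last_login": date(2015, 2, 1),
     "roles": {"create_payment", "approve_payment"}, "partner_until": None},
    {"user": "vendor1", "emp": None, "dept_granted": "it", "last_login": date(2015, 8, 2),
     "roles": {"view_claims"}, "partner_until": date(2015, 6, 30)},
]


def review_access(accounts, roster, today):
    """Return {username: [findings]} for every account that needs action."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["partner_until"] is not None:
            if today > acct["partner_until"]:
                issues.append("business partner access past contract end")
        else:
            emp = roster.get(acct["emp"])
            if emp is None:
                issues.append("no matching HR record")
            elif emp[0] == "terminated":
                issues.append("terminated user")
            elif emp[1] != acct["dept_granted"]:
                issues.append(f"transfer: granted in {acct['dept_granted']}, now in {emp[1]}")
        if today - acct["last_login"] > timedelta(days=INACTIVE_DAYS):
            issues.append(f"inactive for more than {INACTIVE_DAYS} days")
        for pair in CONFLICTING_ROLES:
            if pair <= acct["roles"]:
                issues.append("separation of duties: " + " + ".join(sorted(pair)))
        if issues:
            findings[acct["user"]] = issues
    return findings
```

Calling `review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE)` on the constructed data leaves `alice` clean and flags the other four accounts, one finding each except `dave`, who is both inactive and holds the conflicting role pair.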

Page 48

Countermeasures – Insider & Privilege Misuse

• Watch for suspicious activity:

– Review access logs.

– Look for data exfiltration.

– Review privileged access.

• Publish anonymous results of audits.

Page 49

Last Word about Countermeasures

• Consider this list your tool box:

– Determine what is appropriate for your unique environment.

– Consider other controls as well based on threats applicable to you.

– You likely won’t be able to completely eliminate a threat, nor should you.

• This is a risk management process!

References

• http://www.counciloncybersecurity.org/critical-controls

• http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure

Page 50

Session Wrap-up

In this session we discussed…

– Threat landscape.

– Latest attacks & breaches.

– Recent regulatory activities.

– NIST cybersecurity framework.

– Countermeasures.

Page 51

Questions

Contact Information

Paul Johnson

Wipfli LLP

651-766-2895

[email protected]

Page 52

Disclaimer

This information is provided solely for general guidance and informational purposes and does not create a business or professional services relationship. Accordingly, this information is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, or other competent advisers. Before making any decision or taking any action, you should obtain appropriate professional guidance.