Emerging & Trending Cyber Security Threats to...

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek Emerging & Trending Cyber Security Threats to Healthcare Presented by: Mac McMillan CEO, CynergisTek

Transcript of Emerging & Trending Cyber Security Threats to...

Page 1: Emerging & Trending Cyber Security Threats to Healthcarenchica.org/wp-content/uploads/2015/05/McMillan.pdf · 2015-09-16 · CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin

Page 2:

HIMSS Cyber Security Survey 2015

Limited Disruption to Operations 62%
Loss of Data/Information 21%
Significant Impact on IT Systems 8%
Damage to IT Systems 8%
Other Impact 7%

Page 3:

Accidents, Mistakes & Deliberate Acts

• Phishing/hacking nets nearly $3M from six healthcare entities
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients’ information
• 2200 physicians victims of ID theft/tax fraud
• Stolen laptop from nurse’s home with patient data
• Printers returned to leasing company compromise thousands of patient records
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• Failure to apply fix to router results in compromise and loss of 4.5M records
• Mistake during software upgrade test results in 8000 letters mailed
• Physician held up at gunpoint, turns over passwords for computer and phone
• International hacking group uses phishing then hacking to steal information on 80M people
• Three hospital networks compromised by medical device hack called MedJack
• New York hospital hacked by Pro-ISIS supporters, website defaced and redirected to ISIS propaganda
• And, on and on it goes…

Page 4:

Increased Reliance

More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized, and accountable care/patient engagement rely on it. The enterprise is critical to delivering healthcare. Any outage, corruption of data, or loss of information risks patient safety and care.

[Diagram labels: BYOD, Physician Alignment, ACOs, Patient Engagement, ICD-10, Tele-medicine, MU, FISMA, BAs, HIEs, HIPAA/HITECH, Research]

Page 5:

Threat Actors & Motivation

Threat actors:
• Organized Crime
• Hacktivists
• Cyber Thieves
• Malicious Insiders
• Careless Insiders
• Busy Insiders
• State Actors

Motivation:
• Financial Gain
• Intellectual Property
• Extortion
• ID/Med ID Theft
• Espionage
• Embarrassment
• Good Intentions

Page 6:

Failed Solutions

• 90% of survey respondents said that their companies had spent money on technology scrapped before, or soon after, deployment.
• Reasons: complexity, lack of expertise, inadequate resources, other factors

Most companies buy technology based on cost, not security.

Page 7:

2015: Changing Risk Priorities

• The top four:
  • Business Associates taking inadequate precautions
  • Growing proliferation of mobile devices
  • Mistakes by staff members
  • Hackers attempting to access records

Healthcareinfosec.com

Page 8:

Hacking is an Industry

• This year billed as “more of everything” as hacking explodes to more devices
• Pwnie Awards went to Shellshock, OPM & Thomas Dullien
• Miller & Valasek continue to hack cars
• Hacking long range precision guided rifles, oops don’t tell DoD
• 11,000 attended this year, 73% said their organization would be hacked
• Workshops and “capture the flag” contests
• The Hack Fortress contest
• Rubbing elbows with the Pros

“Some hackers call the weeks of Black Hat USA and Def Con Summer Camp”

Page 9:

Monetizing Cyber Crime

• Darknets will be more active, participants will be vetted, cryptocurrencies will be used, greater anonymity in malware, more encryption in communications and transactions
• Black markets will help attackers outpace defenders
• Hyperconnectivity will create greater opportunity for incidents
• Exploitation of social networks and mobile devices will grow
• More hacking for hire, as-a-service, and brokering

RAND Corporation 2014

Page 10:

Top Security Risks in Healthcare

• Theft & Loss: Nearly half of all breaches involve some form of theft or loss of a device not properly protected.
• Insider Abuse: Nearly 15% of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud.
• Unintentional Action: Almost 12% of breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or facsimiles.
• Cyber Attacks: There was almost a doubling of these types of attacks in 2014.

Verizon 2014 Data Breach Investigations Report

Page 11:

Insider Abuse

• It is estimated that more than half of all security incidents involve internal staff.
• 2010-2015 witnessed an average 20% increase in medical identity theft year over year.
• Mistakes, snooping, theft, fraud, espionage, extortion, negligence, etc.

Page 12:

Supply Chains That Fail

• Need for risk based approach to managing third parties
• Need greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions

Page 13:

Devices Threaten Safety & Information

• 2010/2011 successful hacks demonstrated.
• DHS tests 300 devices from 40 vendors. ALL failed.
• 2014 multiple variants of a popular blood pump hacked.
• 2015 MedJack hack exposes vulnerability of network from medical devices.
• FBI issues Alert on IoT threats pose opportunity for cyber crime

By 2020 there will be 25 Billion connected devices. – Gartner Research

Page 14:

Malware & Advanced Persistent Threats

• Expectation of cyber compromise doubled in 2015
• 20-40% of recipients in phishing exercises fall for scam/shift to business users
• Shift from URL based attacks to attachment based campaigns
• Social media campaigns targeting big events (Super Bowl/March Madness)
• Unsolicited mail campaigns, mostly foreign based
• DDOS attacks doubled from Q2 2014
• Unsupported systems present real risks
• Hardening, patching, configuration & change management…all critical
• Tools to interrogate entity/source system, filter risky points of origin, etc.

“FBI alert warns healthcare not prepared”

Various: Symantec, IBM, Solutionary Annual Threat Reports

Page 15:

Data On The Move

• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…but it is not secure
• Sharing lab results, locating another physician for a consult, sharing radiology images, updating staff on patient condition, getting direction for treatment, transmitting trauma information to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest

Page 16:

ID Theft & Fraud

• ID theft and fraud costs billions each year, affecting everyone
• Identity theft incidents come from many different directions
  – Insiders selling information to others
  – Hackers exploiting systems
  – Malware with directed payloads
  – Phishing for the “big” ones

Page 17:

Theft & Loss Still Prevalent

• More than half of healthcare data breaches due to loss or theft of devices
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops left in airports annually
• First rule of security: no one is immune
• 6 – 10%: the average shrinkage rate for mobile devices

“unencrypted laptops and mobile devices pose significant risk to the security of patient information.” – Sue McAndrew, OCR

Page 18:

Targeted Attacks

Brute Force Attacks 34%
Denial of Services (DoS) 39%
Social Engineering Attacks 49%
Malicious Insiders 50%
Exploit Known Software Vulnerabilities 53%
Zero Day Attacks 53%
Cyber Attacks 59%
APT Attacks 63%
Negligent Insiders 65%
Phishing Attacks 69%

HIMSS 2015 Cyber Security Survey

Page 19:

Barriers To Data Security

Barriers to Successful Implementation of Data Security (Percent)

Lack of Personnel 64%
Lack of Financial Resources 60%
Too Many Emerging/New Threats 42%
Too Many Endpoints 32%
Not Enough Cyber Threat Intelligence 28%
Too Many Applications 25%
Lack of Tools to Use/Deploy Cyber Threat Intel 20%

HIMSS 2015 Cyber Security Survey

Page 20:

The Cost of Security Grows

• Discovery, Notification & Response
• Business Disruption
• ID Theft Monitoring
• Investigation/Review
• Civil Penalties
• Federal CAP/RA
• State Actions
• Law Suit Defense
• Criminal Penalties
• Insurance
• Degradation of Brand/Image
• Distraction of Staff
• VBP Payments Impacts
• HCAHPS Score Impacts
• Patient Confidence/Loyalty
• Physician Alignment/Nurses and Staff Agreement

Page 21:

Cybersecurity Insurance?

• Most cybersecurity insurance only covers a fraction of large breach costs
• Insurance providers are looking to increase premiums and enhance underwriting provisions to avoid losses associated with large incidents
• Additional exclusionary language emerges
• Right to investigate independently asserted
• Columbia Casualty vs. Cottage Health System

Page 22:

Priorities For Healthcare

• Implement continuous program of risk assessment and management
• Increase knowledge of threat actors
• Maintain a current environment
• Improve detection and reaction capabilities
• Implement data exfiltration controls
• Enhance user education and accountability
• Implement active vendor security management
• Address long term challenges around medical devices
• Plan for incidents

Page 23:

Healthcare Needs A New Focus

“Healthcare security teams must move past compliance and focus on security.” Forrester Research 2015

Page 24:

Questions

Mac McMillan

[email protected]

512.405.8555

@mmcmillan07
