Recent Developments

  • Recent Developments

  • Types of Breaches and Trends

  • Definitions

  • Examples

  • Ransomware

  • Defenses

  • Practical Tips





2015 widely referenced as the "Year of the Health Care Hack"

    • Anthem, Premera, OPM hacks compromised millions of records
    • FBI report: $24 million in ransomware payments to hackers
      • About 1,000 attacks per day
  • 1st quarter of 2016
    • $209 million in ransomware payments to hackers
    • Up to 4,000 attacks per day


The Old-Fashioned Hack

  • The Older-Fashioned Insiders
    • Disgruntled
    • Broke
    • Mistakes
  • Access Attacks (deny access to data rather than steal it):
    • Denial of Service (DoS)
    • Ransomware


Old Fashioned Breaches

    • Healthcare suffers an estimated $6.2 billion in data breaches
    • Nearly 90% of healthcare entities had a breach in the last two years, averaging $2.2MM in cost.*
    • 35% increase in healthcare breaches over last year**
  • Ransomware
  • Government Actions
    • 25 states considering notification bills
    • SC 39-1-90 (private right of action)


Both (old-fashioned breaches and ransomware) are targeting health care providers

  • Both exploit human vulnerabilities via phishing
  • Both affect the availability and integrity of records, not simply their confidentiality



"Phisherman" targets individuals through social media or through company websites

  • Example 1 (Magnolia): employee gets an e-mail, apparently from the company CEO, seeking a spreadsheet of all employees' personal info, including SSNs . . .
    • Except it wasn't the company CEO
  • Example 2 (Anthem): "The IT department is doing an update, so I need you to go to www.we11point.com and log in using your ID and password . . ."
    • The domain imitates wellpoint.com with the digit 1 in place of the letter l; the hackers then used the captured credentials to gain access to the database
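The we11point.com address in Example 2 works because the digit 1 and the letter l look alike in most fonts. The Python script below is an added example, not part of the original presentation: it folds such confusable characters before comparing a link's host against a list of domains the organisation actually owns, so the lookalike and its target compare equal while the genuine domain and its genuine subdomains are left alone. The confusable table, the `wellpoint.com`/`anthem.com` list and the sample message are constructed for illustration.

```python
"""Added example (not from the presentation): flag links whose host imitates a
domain you own by swapping confusable characters, as we11point.com does for
wellpoint.com. Confusable table, protected-domain list and sample message are
constructed for illustration."""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Substitutions commonly used in lookalike domains (assumed, not exhaustive).
# Multi-character sequences come first so "rn" folds to "m" before "r" or "n" is touched.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("1", "l"),
    ("0", "o"),
    ("3", "e"),
    ("5", "s"),
    ("7", "t"),
]

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def skeleton(host: str) -> str:
    """Fold confusable characters onto the letters they imitate, so a lookalike
    and its target compare equal: skeleton('we11point.com') == 'wellpoint.com'."""
    s = normalize_host(host)
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def is_lookalike(candidate: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `candidate` imitates, or None.
    The genuine domain and its genuine subdomains are not lookalikes."""
    cand = normalize_host(candidate)
    protected = [normalize_host(d) for d in protected]
    for d in protected:
        if cand == d or cand.endswith("." + d):
            return None
    sk = skeleton(cand)
    for d in protected:
        sd = skeleton(d)
        if sk == sd or sk.endswith("." + sd):
            return d
    return None


def scan_message(text: str, protected: Iterable[str]) -> List[Tuple[str, str]]:
    """Every URL in `text` whose host imitates a protected domain, paired with that domain."""
    protected = list(protected)
    hits = []
    for url in URL_RE.findall(text):
        absolute = url if url.lower().startswith("http") else "http://" + url
        host = urlparse(absolute).hostname or ""
        target = is_lookalike(host, protected)
        if target:
            hits.append((url, target))
    return hits


# Assumed protected domains and a constructed message modelled on Example 2.
PROTECTED_DOMAINS = ["wellpoint.com", "anthem.com"]
SAMPLE_MESSAGE = """Subject: IT update
The IT department is doing an update, so I need you to go to
http://www.we11point.com/login and log in using your ID and password.
Questions? See https://www.wellpoint.com/help or https://intranet.anthern.com/ .
"""

if __name__ == "__main__":
    for url, target in scan_message(SAMPLE_MESSAGE, PROTECTED_DOMAINS):
        print(f"LOOKALIKE {url} imitates {target}")
```

Run stand-alone, the script reports the we11point.com link and the anthern.com (rn for m) link and stays silent on the genuine wellpoint.com help page. The substitution table is deliberately short; a production filter would draw on Unicode confusable data and a public-suffix list to find the registrable domain instead of comparing suffixes label by label.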


  • A hacker is someone who uses a computer to secretly gain unauthorized access to data in a system

  • Phishing is a fraudulent attempt to steal someone's personal information by pretending to be a trustworthy entity in an electronic communication (usually e-mail)



  • Ransomware is malicious software that denies access to a user's data by encrypting data with a key only known to the hacker who deployed the ransomware, until the ransom is paid

  • Some ransomware also destroys or transfers information to another system



Advocate: 4 Million Individuals, $5.55MM Fine

    • Lack of risk assessment
    • Physical access
    • Business associate agreements
    • Encrypt laptops and mobile devices
  • Bon Secours business associate R-C Healthcare Management: 655,000 patients
    • Breach at a business associate
    • Patient information accessible on the web
    • Exposed during adjustment of network settings


University of Washington Medicine:

    • $750,000 fine
    • Failure to assure that "Affiliated Covered Entities" implement policies and procedures
  • Raleigh Orthopaedic Clinic
    • $750,000 fine
    • Failure to execute business associate agreements
    • $0 loss to patients, no breach shown


Rotech Healthcare (Respiratory/Apnea Facility)

    • June 13—Notified by Police PHI Recovered
    • Copies received July 11 from US Secret Service
    • Forensic Investigators attempt to determine scope


Hollywood Presbyterian

  • Methodist Hospital (KY)

  • MedStar Health

  • King's Daughters' Health (IN)

  • Kansas Heart Hospital

    • Sometimes paying the ransom doesn't work
  • As of early August, CryptoLocker ransomware had extorted $27 million from hospitals in 2016



Phishing and Drive-by Downloads

    • Malvertisements
  • Multiple variants

    • Some threaten to disclose data ("Exfiltration")
  • Most utilize the same old tools and tricks



OCR Release of Guidance 7/11/16

    • Presence of ransomware (or any malware) is a security incident
    • Encryption of data resulting from ransomware is a breach because the ePHI was "acquired" (i.e., control of data was taken) by the hacker*
    • Need to show a "low probability that the PHI has been compromised," or report breach
    • Potential exfiltration not the only issue


Six of 10 ransomware victim organizations made changes to security infrastructure after ransomware attack

  • Unplanned data center downtime costs hospitals $7,900 per minute*

  • It takes physicians twice as long to perform admin tasks manually (without EHR)

  • *Ponemon Institute survey



DON'T LOOK FOR A PRODUCT

  • . . . CREATE A PROCESS



Keep Patches Up to Date

  • Limit Access

  • Training (especially in social engineering)

  • Quick Identification and Response

  • Web Filtering

  • Application Whitelisting

  • Insurance
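Because ransomware replaces files with ciphertext under a key only the attacker holds (the definition given earlier), the encrypted files are statistically near-random, which gives the "Quick Identification and Response" bullet something concrete to look for. The Python below is an added example, not code from the presentation: it reads the head of each file on a share and flags files whose name promises readable text or an Office document but whose bytes carry near-maximal entropy. Compressed formats are also near-random, so they are excluded by their signature bytes rather than by entropy alone. The extension lists, thresholds and sample files are assumptions constructed for this illustration, and the "encrypted" sample is pseudo-random bytes; nothing is actually encrypted.

```python
"""Added example (not from the presentation): find files on a share that look
like ransomware output. Ciphertext is statistically near-random, so a file whose
extension promises readable text or an Office document but whose bytes carry
~8 bits/byte of entropy is suspicious. Compressed formats are also near-random
and are excluded by signature. Extension lists, thresholds and sample files are
assumptions; the 'encrypted' sample is pseudo-random bytes, nothing is encrypted."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import List

# Signatures of legitimately high-entropy formats: zip, gzip, JPEG, PNG, PDF (assumed list).
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")
# Extensions whose contents should be readable text (assumed list).
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".hl7", ".sql"}
# Office documents are zip containers: a genuine copy starts with PK, an encrypted one does not.
CONTAINER_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
WATCHED = TEXT_EXTENSIONS | CONTAINER_EXTENSIONS
HEAD_BYTES = 4096            # only the head of each file is read
ENTROPY_THRESHOLD = 7.5      # bits/byte; English text is ~4-5, ciphertext ~7.9+


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(head: bytes) -> bool:
    """Near-random bytes that carry no recognised compressed-format signature."""
    if len(head) < 256 or head.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_share(root) -> List[str]:
    """Relative paths of watched files whose first bytes look like ciphertext."""
    root = Path(root)
    flagged = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED:
            with path.open("rb") as fh:
                head = fh.read(HEAD_BYTES)
            if looks_encrypted(head):
                flagged.append(path.relative_to(root).as_posix())
    return flagged


def build_sample_share(root) -> None:
    """Constructed sample data: a clean text file, a genuine zip-based .docx, an
    .xlsx rewritten with random bytes (standing in for ransomware output) and a
    JPEG whose extension is not watched."""
    root = Path(root)
    rng = random.Random(2016)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "records").mkdir()
    (root / "records" / "visit_log.txt").write_bytes(
        b"Patient seen in clinic on Monday, discharged Tuesday.\n" * 80)
    (root / "records" / "intake.docx").write_bytes(b"PK\x03\x04" + noise(HEAD_BYTES))
    # Leading zero byte guarantees the sample cannot accidentally start with a magic value.
    (root / "records" / "referrals.xlsx").write_bytes(b"\x00" + noise(HEAD_BYTES - 1))
    (root / "images").mkdir()
    (root / "images" / "xray.jpg").write_bytes(b"\xff\xd8\xff" + noise(HEAD_BYTES))


def demo() -> List[str]:
    """Build the sample share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_share(tmp)


if __name__ == "__main__":
    for rel in demo():
        print("possible ransomware output:", rel)
```

Run stand-alone, it reports only records/referrals.xlsx: the genuine .docx is saved by its PK signature, the text file by its low entropy, and the JPEG by not having a watched extension. A file the organisation itself encrypted and saved under a text-like name would be flagged too, so treat hits as leads to correlate with mass-rename and write-rate telemetry rather than as a verdict.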



Plan

    • Written Plan with List of Contacts
    • Tabletop Exercises
    • Bitcoin Account
    • Backups


Respond

    • Initial Analysis (Scope, 4 Ws, Ongoing, etc.)
    • Contain Impact and Propagation
    • Eradicate
    • Recover
    • Post-Incident Review


Compliance, Compliance, Compliance

    • Risk assessment
    • Risk management
      • Policies and procedures
      • Education
    • Monitoring/auditing
      • Benchmark
  • Continuous cycle of improvement



Trish Markus

  • (919) 329-3853

  • trish.markus@nelsonmullins.com

  • Roy Wyman

  • (615) 664-5362

  • roy.wyman@nelsonmullins.com


