Recent Developments Types of Breaches and Trends Definitions Examples Ransomware Defenses Practical Tips
2015 widely referenced as "Year of the Health Care Hack" 2015 widely referenced as "Year of the Health Care Hack" - Anthem, Premera, OPM hacks compromised millions of records
- FBI report $24 million in payments to hackers
1st quarter of 2016 - $209 million in payments to hackers
- Up to 4,000 attacks per day
The Old-Fashioned Hack The Old-Fashioned Hack The Older-Fashioned Insiders - Disgruntled
- Broke
- Mistakes
Access Attacks: - Denial of Service (DoS)
- Ransomware
Old Fashioned Breaches - Old Fashioned Breaches
- Healthcare Suffers Estimated $6.2 Billion In Data Breaches
- Nearly 90% of healthcare entities had a breach in last two years averaging $2.2MM in cost.*
- 35% Increase in Healthcare Breaches over last year**
- Ransomware
- Government Actions
- 25 States Considering Notification Bills
- SC 39-1-90 (Private Right of Action)
Both targeting health care providers Both targeting health care providers Both exploit human vulnerabilities via phishing Both affect availability and integrity of records, not simply confidentiality
"Phisherman" targets individuals through social media or through company websites "Phisherman" targets individuals through social media or through company websites Example 1 (Magnolia): employee gets e-mail sent by company CEO seeking spreadsheet of all employees' personal info, including SSNs . . . - Except it wasn't company CEO
Example 2 (Anthem): "The IT department is doing an update, so I need you to go to www.we11point.com and log in using your ID and password . . ." - Hackers then gained access to the database
A hacker is someone who uses a computer to secretly gain unauthorized access to data in a system Phishing is a fraudulent attempt to steal someone's personal information by pretending to be a trustworthy entity in an electronic communication (usually e-mail)
Ransomware is malicious software that denies access to a user's data by encrypting data with a key only known to the hacker who deployed the ransomware, until the ransom is paid Some ransomware also destroys or transfers information to another system
Advocate: 4 Million Individuals, $5.55MM Fine Advocate: 4 Million Individuals, $5.55MM Fine - Lack of Risk Assessment
- Physical Access
- Business Associate Agreements
- Encrypt Laptops and Mobile Devices
Bon Secours BA, R-C Healthcare Mgmt—655,000 Patients - Attack of Business Associate
- Patient information accessible on the web
- During adjustment of network settings
University of Washington Medicine: University of Washington Medicine: - $750,000 fine
- Failure to assure that "Affiliated Covered Entities" implement policies and procedures
Raleigh Orthopaedic Clinic - $750,000 fine
- Failure to execute Business Associate Agreements
- $0 loss to patients, no show of breach
Rotech Healthcare (Respiratory/Apnea Facility) Rotech Healthcare (Respiratory/Apnea Facility) - June 13—Notified by Police PHI Recovered
- Copies received July 11 from US Secret Service
- Forensic Investigators attempt to determine scope
Hollywood Presbyterian Hollywood Presbyterian Methodist Hospital (KY) MedStar Health King's Daughters' Health (IN) Kansas Heart Hospital - Sometimes paying the ransom doesn't work
As of early August, CryptoLocker ransomware had stolen $27 million from hospitals in 2016
Phishing and Drive-by Downloads Phishing and Drive-by Downloads Multiple variants - Some threaten to disclose data ("Exfiltration")
Most utilize the same old tools and tricks
OCR Release of Guidance 7/11/16 OCR Release of Guidance 7/11/16 - Presence of ransomware (or any malware) is a security incident
- Encryption of data resulting from ransomware is a breach because the ePHI was "acquired" (i.e., control of data was taken) by the hacker*
- Need to show a "low probability that the PHI has been compromised," or report breach
- Potential exfiltration not the only issue
Six of 10 ransomware victim organizations made changes to security infrastructure after ransomware attack Six of 10 ransomware victim organizations made changes to security infrastructure after ransomware attack Unplanned data center downtime costs hospitals $7,900 per minute* It takes physicians twice as long to perform admin tasks manually (without EHR) *Ponemon Institute survey
DON'T LOOK FOR A PRODUCT . . . CREATE A PROCESS
Keep Patches Up to Date Keep Patches Up to Date Limit Access Training (especially in social engineering) Quick Identification and Response Web Filtering Application Whitelisting Insurance
Plan Plan - Written Plan with List of Contacts
- Tabletop Exercises
- Bitcoin Account
- Backups
Respond Respond - Initial Analysis (Scope, 4 Ws, Ongoing, etc.)
- Contain Impact and Propagation
- Eradicate
- Recover
- Post-Incident Review
Compliance, Compliance, Compliance Compliance, Compliance, Compliance - Risk Assessment
- Risk Management
- Policies and Procedures
- Education
- Monitoring/Auditing
Continuous Cycle of
Trish Markus Trish Markus (919) 329-3853 trish.markus@nelsonmullins.com Roy Wyman (615) 664-5362 roy.wyman@nelsonmullins.com
Dostları ilə paylaş: |