Ransomware, Hack and Breach: The Year of the Healthcare Breach

This article provides an overview of recent developments, types of breaches, and practical tips for defending against ransomware attacks in the healthcare industry. It discusses the increase in healthcare breaches, the impact of phishing attacks, and the encryption of data resulting from ransomware attacks.


Presentation Transcript


  1. Ransomware, Hack and Breach: The Year of the Healthcare Breach
     South Carolina Hospital Association Trustee Administrator Physician Conference
     Trish Markus, Roy Wyman
     September 16, 2016

  2. Overview
     • Recent Developments
     • Types of Breaches and Trends
     • Definitions
     • Examples
     • Ransomware
     • Defenses
     • Practical Tips

  3. Year of the Health Care Hack

  4. Recent Developments
     • 2015 widely referenced as "Year of the Health Care Hack"
     • Anthem, Premera, OPM hacks compromised millions of records
     • FBI report: $24 million in payments to hackers; 1,000 attacks per day
     • 1st quarter of 2016: $209 million in payments to hackers; up to 4,000 attacks per day

  5. Types of Breaches
     • The Old-Fashioned Hack
       • 4/5 go undetected a week or more
       • Some up to a year
     • The Older-Fashioned Insiders
       • Disgruntled
       • Broke
       • Mistakes
     • Access Attacks:
       • Denial of Service (DoS)
       • Ransomware

  6. An Ugly Year Getting Uglier
     • Old-Fashioned Breaches
       • Healthcare suffers an estimated $6.2 billion in data breaches
       • Nearly 90% of healthcare entities had a breach in the last two years, averaging $2.2MM in cost*
       • 35% increase in healthcare breaches over last year**
     • Ransomware
     • Government Actions
       • 25 states considering notification bills
       • SC 39-1-90 (Private Right of Action)
     * Ponemon Institute Sixth Annual Benchmark Study
     ** Piper Jaffray

  7. Hacking and Ransomware Trends
     • Both targeting health care providers
     • Both exploit human vulnerabilities via phishing
     • 93% of phishing e-mails now deliver ransomware
     • Both affect availability and integrity of records, not simply confidentiality

  8. Phishing
     • "Phisherman" targets individuals through social media or through company websites
     • Example 1 (Magnolia): employee gets e-mail sent by company CEO seeking spreadsheet of all employees' personal info, including SSNs . . .
       • Except it wasn't the company CEO
     • Example 2 (Anthem): "The IT department is doing an update, so I need you to go to www.we11point.com and log in using your ID and password . . ."
       • Hackers then gained access to the database
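The Anthem lure on slide 8 works because "we11point.com" (digit ones) reads as "wellpoint.com" at a glance. As an added example, not part of the presentation, the Python below shows how a mail-filtering or awareness tool can catch that class of link: it extracts URLs from a message, undoes common digit-for-letter substitutions, and compares the result with a list of trusted domains, also flagging one- or two-character misspellings. The trusted-domain list, the homoglyph table and the sample message are constructed for the demo.

```python
"""Flag lookalike domains in links from a suspected phishing e-mail.

Added example, not part of the presentation. The trusted-domain list,
the substitution table and the sample message are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Substitutions used to make a hostname resemble the real one. Multi-character
# sequences come first so they are undone before single characters.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("7", "t"), ("8", "b"), ("@", "a"), ("$", "s")]

TRUSTED_DOMAINS = {"wellpoint.com", "anthem.com"}  # constructed allow-list

URL_RE = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (demo-grade; production code
    would consult the Public Suffix List for multi-part TLDs such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Undo homoglyph substitutions so 'we11point' compares as 'wellpoint'."""
    host = host.lower()
    for fake, real in HOMOGLYPHS:
        host = host.replace(fake, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's host."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    normalized = registrable(normalize(host))
    if normalized in TRUSTED_DOMAINS:
        return "lookalike"
    if any(levenshtein(normalized, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every URL-looking token from an e-mail body and classify it."""
    return [(m.group(0), classify_url(m.group(0))) for m in URL_RE.finditer(text)]


# Constructed lure modelled on the Anthem example from slide 8.
SAMPLE_EMAIL = ("The IT department is doing an update, so I need you to go to "
                "www.we11point.com and log in using your ID and password.")

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

A verdict of "lookalike" is a strong signal for quarantine or a user warning; "unknown" only means the domain is not on the allow-list and should be combined with other indicators such as reputation or newly registered status.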

  9. Hacker and Phishing Defined
     • A hacker is someone who uses a computer to secretly gain unauthorized access to data in a system
     • Phishing is a fraudulent attempt to steal someone's personal information by pretending to be a trustworthy entity in an electronic communication (usually e-mail)

  10. Ransomware Defined
     • Ransomware is malicious software that denies access to a user's data by encrypting the data with a key known only to the hacker who deployed the ransomware, until the ransom is paid
     • Some ransomware also destroys information or transfers it to another system

  11. Examples
     • Advocate: 4 Million Individuals, $5.55MM Fine
       • Lack of Risk Assessment
       • Physical Access
       • Business Associate Agreements
       • Encrypt Laptops and Mobile Devices
     • Bon Secours BA, R-C Healthcare Mgmt: 655,000 Patients
       • Attack of Business Associate
       • Patient information accessible on the web
       • During adjustment of network settings

  12. Examples (Continued)
     • University of Washington Medicine:
       • $750,000 fine
       • Failure to assure that "Affiliated Covered Entities" implement policies and procedures
     • Raleigh Orthopaedic Clinic
       • $750,000 fine
       • Failure to execute Business Associate Agreements
       • $0 loss to patients, no showing of breach

  13. Examples (Continued)
     • Rotech Healthcare (Respiratory/Apnea Facility)
       • June 13: notified by police that PHI had been recovered
       • Copies received July 11 from US Secret Service
       • Forensic investigators attempt to determine scope

  14. Ransomware in Health Care
     • Hollywood Presbyterian
     • Methodist Hospital (KY)
     • MedStar Health
     • King's Daughters' Health (IN)
     • Kansas Heart Hospital
     • Sometimes paying the ransom doesn't work
     • As of early August, CryptoLocker ransomware had stolen $27 million from hospitals in 2016

  15. Ransomware Types
     • Phishing and Drive-by Downloads
     • Malvertisements
     • Multiple variants
       • Some threaten to disclose data ("Exfiltration")
     • Most utilize the same old tools and tricks
       • Bad attachments
       • Bad links

  16. Ransomware
     • OCR Release of Guidance 7/11/16
     • Presence of ransomware (or any malware) is a security incident
     • Encryption of data resulting from ransomware is a breach because the ePHI was "acquired" (i.e., control of the data was taken) by the hacker*
     • Need to show a "low probability that the PHI has been compromised," or report the breach
     • Potential exfiltration is not the only issue
     * No, you haven't taken Crazy Pills™, this makes no sense

  17. Ransomware
     • Six of 10 ransomware victim organizations made changes to security infrastructure after the ransomware attack
     • Unplanned data center downtime costs hospitals $7,900 per minute*
     • It takes physicians twice as long to perform admin tasks manually (without EHR)
     * Ponemon Institute survey

  18. Defenses
     DON'T LOOK FOR A PRODUCT . . . CREATE A PROCESS

  19. Defenses
     • Keep Patches Up to Date
     • Limit Access
     • Training (especially in social engineering)
     • Quick Identification and Response
     • Web Filtering
     • Application Whitelisting
     • Insurance
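Slide 10 defines ransomware as software that encrypts a user's data with a key only the attacker holds, and slide 19 lists quick identification and response among the defenses. Encryption leaves a measurable footprint: the rewritten files have near-random byte distributions (high Shannon entropy) and usually a new extension, and many of them change within seconds from a single process. As an added example, not from the presentation, the Python below implements that detection rule over constructed file-write telemetry. The host, user, process names, paths and file contents are all made up for the demo; the thresholds (7.0 bits per byte, five files in 60 seconds) are starting points to tune against a real baseline.

```python
"""Heuristic detection of ransomware-style bulk encryption from file-write events.

Added example, not from the presentation. Hosts, users, process names,
paths and content samples are constructed.
"""
from __future__ import annotations

import math
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileEvent:
    ts: datetime
    host: str
    user: str
    process: str
    path: str
    sample: bytes  # first bytes of the written content, as a file-integrity agent might capture


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


KNOWN_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}  # constructed baseline


def suspicious_write(ev: FileEvent, entropy_threshold: float) -> bool:
    """True if the content looks like ciphertext or the file gained an unexpected extension."""
    ext = ntpath.splitext(ev.path)[1].lower()
    return shannon_entropy(ev.sample) >= entropy_threshold or ext not in KNOWN_EXT


def detect_bursts(events, window_s: int = 60, min_files: int = 5,
                  entropy_threshold: float = 7.0) -> list[dict]:
    """One alert per (host, process) making >= min_files suspicious writes in any window_s seconds."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)  # (host, process) -> timestamps of recent suspicious writes
    for ev in sorted(events, key=lambda e: e.ts):
        if not suspicious_write(ev, entropy_threshold):
            continue
        key = (ev.host, ev.process)
        window = recent[key]
        window.append(ev.ts)
        while (ev.ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= min_files and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev.host, "user": ev.user, "process": ev.process,
                           "files_in_window": len(window),
                           "first_seen": window[0].isoformat(), "last_path": ev.path})
    return alerts


PLAINTEXT = b"Quarterly budget notes: revenue up 3%, costs flat, headcount unchanged. " * 4
CIPHERTEXT_LIKE = bytes(range(256)) * 2  # stand-in for encrypted output; entropy is exactly 8.0


def make_events() -> list[FileEvent]:
    """Constructed telemetry: two ordinary saves, then a burst of rewrites by an unknown process."""
    base = datetime(2016, 9, 16, 9, 0, 0)
    events = [
        FileEvent(base, "WS-042", "jdoe", "WINWORD.EXE",
                  r"C:\Users\jdoe\Documents\memo.docx", PLAINTEXT),
        FileEvent(base + timedelta(minutes=5), "WS-042", "jdoe", "EXCEL.EXE",
                  r"C:\Users\jdoe\Documents\budget.xlsx", PLAINTEXT),
    ]
    for i in range(8):
        events.append(FileEvent(base + timedelta(minutes=30, seconds=2 * i), "WS-042", "jdoe",
                                "updater.exe",  # constructed process name, not a real malware name
                                rf"C:\Users\jdoe\Documents\report{i}.pdf.locked", CIPHERTEXT_LIKE))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(make_events()):
        print(alert)
```

The alert fires on the fifth suspicious write, roughly eight seconds into the constructed burst, which is the window in which isolating the host still limits how many files need restoring from backup. Legitimate high-entropy writers (compression tools, already-encrypted archives) will trip the entropy test, so the extension check and the per-process grouping are what keep the rule usable; an allow-list of known bulk writers is the usual next tuning step.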

  20. Preparation and Response
     • Plan
       • Written Plan with List of Contacts
       • Tabletop Exercises
       • Bitcoin Account
       • Backups

  21. Preparation and Response
     • Respond
       • Initial Analysis (Scope, 4 Ws, Ongoing, etc.)
       • Contain Impact and Propagation
       • Eradicate
       • Recover
       • Post-Incident Review

  22. STOP PANICKING!
     • Compliance, Compliance, Compliance
     • Risk Assessment
     • Risk Management
     • Policies and Procedures
     • Education
     • Monitoring/Auditing
     • Benchmark
     • Continuous Cycle of Improvement

  23. Questions?
     Trish Markus, (919) 329-3853, trish.markus@nelsonmullins.com
     Roy Wyman, (615) 664-5362, roy.wyman@nelsonmullins.com
