
Cyber Security to Reduce Cyber Liability

Knowing cyber risks is essential to managing cyber liabilities. Discover the prevalence of cyber attacks, realize the monetary penalties attached to breached data, and review steps that a company can take to control those risks.


Presentation Transcript


  1. Cyber Security to Reduce Cyber Liability. Knowing cyber risks is essential to manage cyber liabilities.

  2. Today we will… Discover the prevalence of cyber attacks. Realize the monetary penalties attached to breached data. Review steps that a company can take to try to control risks. Take advantage of web resources to understand how to defend against data breaches.

  3. Practices acquire and keep highly sensitive data: names, birthdates, Social Security numbers, addresses, Medicare numbers, insurance numbers, medical conditions, credit card numbers, debit card numbers, family members’ names, and work locations.

  4. Cyber Security

  5. Cyber Security Hackers have attacked almost every computer system. The government has taken extraordinary steps to protect computerized data. Breaching firewalls and obtaining sensitive data occurs daily. When hackers install malware on computers, some cyber attacks go unnoticed by users for weeks, months and even years.

  6. Cyber Security Breach Frequency Companies in the computer software, IT and healthcare sectors accounted for 93 percent of the total number of identities stolen in 2011. Theft or loss was the most frequent cause, across all sectors, accounting for 34.3 percent, or approximately 18.5 million identities exposed in 2011. Internet Security Threat Report Volume 17, Symantec, April 2012

  7. Cyber Security Breaches Most data breach victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack; 79 percent of victims were targets of opportunity, and 96 percent of attacks were not highly difficult. 2012 Data Breach Investigations Report (DBIR), Verizon Business, April 2012

  8. By the Numbers In 2012, the Identity Theft Resource Center (ITRC) documented 447 breaches in the United States, exposing 17,317,184 records. In the first half of 2013, there have so far been 255 incidents, exposing 6,207,297 records. Thus far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost. ITRC Breach Report, Identity Theft Resource Center, May 2013

  9. Cyber Security “With a little bit of research, some crafty writing and the right technology, crooks make a good living running targeted attacks to steal corporate and government data.” --Trustwave.com “Inside a Hacker’s Playbook”.

  10. Cyber Security As personal devices become more integrated into daily lives, creating “smart homes”, criminals take advantage. According to the Wall Street Journal, August 1, 2013, ‘Smart Homes’ Are a Hacking Risk: “From his computer Mr. Crowley can disarm a home security system, open a garage door and turn off lights. He just needs those gadgets to be connected to the Internet—a step consumers are increasingly taking to control facets of their lives using smartphones and tablets.”

  11. Cyber Security: Knowing it has happened In 2012, 76% of breached organizations needed someone else to tell them they had been compromised: 48% were informed by regulatory bodies, 25% by law enforcement, 2% by a third party, and 1% by the public.

  12. Cyber Security If sensitive data falls into the wrong hands, it can lead to: Fraud. Identity theft. Financial theft. Public ridicule. Loss of business interest. Loss of trust. Interrupted business. Lawsuits.

  13. Data: Practices acquire and keep highly sensitive data. The manner in which data is protected can determine the extent of liability in the event of a cyber attack: Manage passwords. Maintain and confirm activation of firewalls. Control downloads. Restrict access. Prohibit internet access through unapproved sites. Educate staff. Discipline employees for non-compliance.

  14. Cyber Safety Steps Always lock cell phones and tablets with password protection, and set them up for a remote wipe if they are lost or stolen. Disable all automatic logins and enable automatic screen locks after a few minutes of inactivity. Never send patient information via text. Text messages are not protected.

  15. Penalties

  16. Penalties Section 160.404 of the HITECH Act sets the civil monetary penalty amounts administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. When data is breached, the company can be fined:

      Violation Type                    Each Violation        Repeat Violations/Year
      Did Not Know                      $100 – $50,000        $1,500,000
      Reasonable Cause                  $1,000 – $50,000      $1,500,000
      Willful Neglect – Corrected       $10,000 – $50,000     $1,500,000
      Willful Neglect – Not Corrected   $50,000               $1,500,000

  17. Data Breaches are tracked and posted by HHS: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

  18. Reporting Encrypted Data Breach “Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered ‘‘unsecured’’ in such cases.” Federal Register vol. 78 No. 17, January 25, 2013

  19. Called the “Get Out of Jail Free Card” Many breaches of electronic data would have been avoidable if the data had been encrypted (a “Get Out of Jail Free Card” in the data breach reporting rule). Encryption software, often less than $200.00, can protect data in the event of a cyber attack. In some cases, the software is free.

  20. 5 Principles to Increase Security

  21. 5 Key Principles 1. Know: Know what data is housed on your computer systems. Take stock of the sensitive nature of the data. Knowing what is attractive to cyber criminals will reduce the risk of inadvertently making data available: credit card numbers, Medicare numbers, birthdates, mother’s maiden name, addresses, maiden name.

  22. 5 Key Principles 2. Keep it Small: Keep only the minimum data necessary to provide services. Determine when data can be eliminated and deleted to reduce the risk of damage in the event of a breach. Set timeframes to delete unnecessary, obsolete and outdated data. Keeping a medical record may not need to include information such as credit card numbers, maiden names, Medicare numbers or Social Security numbers. Remove sensitive data from files on discharge.

  23. 5 Key Principles 3. Lock It: Just as you would lock a file cabinet, lock the information stored on computers, disks, CDs, videos and servers. Restrict the number of people who have access to the locked room. Lock laptop computers in a locked cabinet. Restrict access to areas where computers are used. Check for new virus threats daily; assign one employee to notify all employees of newly identified threats. Never permit employees to download software. Increase security on e-mails to restrict spam. Run a virus scan daily.

  24. 5 Key Principles 3. Lock It: Use passwords that are difficult to break: they should contain symbols, numbers and upper and lower case letters. Maintain strong firewalls and malware protection. Remember: data can be stored on copiers and electronic fax machines. NEVER store data on laptop computers, only on servers. Change passwords at least every six months. Monitor the company website for cyber attacks at least weekly.

  25. 5 Key Principles 3. Lock It: Use firewalls to protect computers from hackers. Use network firewalls in addition to workstation firewalls. Limit wireless access to the network. Encrypt all wireless devices. Apply all security protections on digital copiers.

  26. 5 Key Principles 4. Destroy It Properly: Have a plan to destroy computers effectively. Prevent data stored on discarded computers from being accessed. Destroy computers through a commercial destruction company. If computer destruction is conducted in-house, use wipe software and confirm that the data on every computer has been rendered unrecoverable. Empty sent e-mails routinely. Empty “trash” files daily.

  27. 5 Key Principles 4. Destroy It Properly: Shred all documents containing personal data. Make sure employees accessing information remotely follow the same procedures for disposing of sensitive documents, old computers and storage devices. If using credit reports as part of your business, destroy them once the information has been gathered for its purpose.

  28. 5 Key Principles 5. Plan Ahead: Ask “what would we do if…?” Have a data recovery plan in the event of lost data, e.g. data breach, virus, flood, tornado, earthquake. Back up data regularly. Consider off-site secured server storage. Have a plan to replace computers in case of theft, loss or destruction. Use “remote find” services to recover lost computers, phones or tablets.

  29. Training

  30. Training Conduct training at hire and annually. Teach staff to recognize cyber threats. Obtain confidentiality and compliance agreements from every employee. Keep records of who needs updated training as new applications are introduced. Prompt training will go a long way to reduce risks. Limit access to sensitive data by job description; do not train staff on applications they do not “need to know” to perform their jobs.

  31. Training Conduct competency testing to determine whether or not staff are compliant with company requirements. Train employees to recognize phishing scams. Teach employees how to handle callers seeking personal data on patients, such as Social Security or credit card numbers.

  32. Training Encourage every employee to keep current with security topics at the FTC interactive tutorials and HIPAA websites: http://business.ftc.gov/privacy-and-security http://business.ftc.gov/privacy-and-security/data-security http://omnibus.healthcareinfosecurity.com/breach-notification-c-327

  33. References Wall Street Journal, August 1, 2013 Federal Trade Commission: http://www.ftc.gov/bcp/index.shtml Federal Trade Commission: Protecting Personal Information, A Guide for Business: http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business

  34. References Trustwave “Inside a Hacker’s Playbook” http://www2.trustwave.com/rs/trustwave/images/Inside%20a%20Hacker%27s%20Playbook.pdf Zephyr Networks: http://www.zephyrnetworks.com/hipaa-healthcare-data-breaches-financial-penalties/ HHS Data Breach Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

  35. References Federal Register Jan. 25, 2013 http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
