1 / 60

CYBER THREATS, CYBER ATTACKS AND RANSOMWARE

CYBER THREATS, CYBER ATTACKS AND RANSOMWARE. Jeanne M. Born, RN, JD. jborn@nexsenpruet.com. August 26, 2016 sc ashrm meeting. So, how does information security affect risk managers?.

mmiyashiro
Download Presentation

CYBER THREATS, CYBER ATTACKS AND RANSOMWARE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CYBER THREATS, CYBER ATTACKS AND RANSOMWARE Jeanne M. Born, RN, JD jborn@nexsenpruet.com August 26, 2016 scashrm meeting

  2. So, how does information security affect risk managers? • All of an organization’s operations involve risk: the effect of uncertainty on successfully obtaining objectives. • Risk management is the coordinated activities to direct and control an organization with regard to risk. • Managing information security risks is no different. • The process of risk management involves: • Identifying risk; • Analyzing risk; • Evaluating risk and controls modifying the risk; • Determining if and how risks need to be treated and if controls may be added or further modified. • From: ISO 31000:2009 –risk management – principles & guidelines

  3. How High are the Risks with Information Security? • Data breaches are estimated to cost the healthcare industry a staggering $6.2 Billion. • While criminal attacks remain the leading cause of breaches, internal problems remain significant (unintentional employee mistakes; third party snafus; lost or stolen devices). • Medical records, billing records and insurance records are the records that are most frequently breached and such breaches are increasing. All data on this slide from Ponemon Institute: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2016.

  4. What is the cost of a data breach? • Criminal or malicious attacks are the primary cause of data breaches in the U.S. • Criminal or malicious attacks are the most costly. • The more records that are breached, the higher the cost. • The greater the loss of existing patients/clients the greater the cost of the breach. • Costs: • Detection and escalation costs are at an all-time high; • Notification costs have increased slightly; • Post data breach costs have increased; and • Lost business costs have increased. All data from: Ponemon Institute: 2015 Cost of Data Breach Study: United States

  5. What is the cost of a data breach? • Globally, the average cost of a data breach across all industries increased from $145 per record breached in 2014 to $154 in 2015 and from $154 in 2015 to $158 in 2016: • Contributing causes for the increase: • Increased frequency of cyber attack and increased cost to remediate the attack; • Greater impact of loss in business as a result of the data breach; & • Increased costs of detection and escalation. • The U.S. leads the world in the cost of data breaches: $221 / breached record. ($74 = direct costs (investment in technologies/legal fees); $143 = indirect costs (loss of business) • Healthcare has the highest cost per breached record: $363 in 2015 and $355 in 2016. All data from: Ponemon Institute: 2015 Cost of Data Breach Study: Global Analysis & Poneman Institute: 2016 Cost of Data Breach Study: Global Analysis

  6. Selected Privacy & Security Findings • Healthcare organizations & business associates believe they are more vulnerable than other industries to a data breach. • Recent well-publicized data breaches in healthcare have put the industry on alert. • Employee negligence continues to be of concern. • Healthcare organizations & business associates are most concerned about denial of service attacks. • System vulnerabilities are assessed . . . But rarely. • Healthcare organizations & business associates are putting incident response processes in place. All data on this slide from Ponemon Institute: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2016.

  7. Selected Privacy & Security Findings • Even though healthcare organizations have concerns about vulnerabilities, “budgets do not budge.” • Healthcare organizations are more likely than business associates to engage a third party for security compliance. • Healthcare organizations believe that most medical identity theft is preventable through employee training. All data on this slide from Ponemon Institute: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2016.

  8. What are Cyber Threats and Why Healthcare? • Cyber Threat: The possibility that a malicious attempt to damage or disrupt a computer system or network will occur. • Healthcare systems have valuable information from research to protected health information (“PHI”), including sensitive personal data and financial data, to other proprietary information.

  9. Why Healthcare? • Factors influencing continued threats to healthcare: • Increasing connectivity of systems and medical devices increases attack surfaces which increases vulnerabilities; • Technical innovations increase likelihood of continued attacks that seek to gain access to those innovations for profit; • Foreign countries seeking to improve their healthcare systems through the efforts of attackers; & • Interest in facilitating a group’s involvement in controversial issues (e.g., medical care; research; drug testing), ethical violations, etc. • From: https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/sb-healthcare-and-health-insurance.pdf

  10. Why Healthcare? • Healthcare systems are likely more susceptible to cyberattacks because: • Resources have been devoted to providing healthcare services and have only begun devoting adequate resources to providing for cybersecurity for the past five years. http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf. P.2 • Healthcare technology infrastructure is built over multiple technology eras, creating software and hardware vulnerabilities that system administrators find difficult to manage. http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf. P.3.

  11. What are Cyber Attacks? • Cyber Attack: The deliberate exploitation of computer systems and networks using malicious code, logic or data resulting in disruptive consequences that may compromise data and lead to cybercrimes. • Cyber attacks can be successful or not successful.

  12. Recent Successful Cyber Attacks • Community Health Systems - 4.5 Million records – Cyber attack exploiting a software bug, Heartbleed • UCLA Health – 4.5 Million records – cyber hack • We still have the “human factor”: • Advocate Health and Hospitals Corp. – 4 Million records – theft of four computers from one physician office • Nemours – 1.6 Million records – lost a storage cabinet containing unencrypted backup tapes during remodeling • The Office for Civil Rights website shows over 1600 breaches involving greater than 500 healthcare records since 9/2009; over 300 in the past year. • https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

  13. What is Ransomware & Why in Healthcare? • Ransomware is a type of malware that works by locking computers to prevent access to data until a ransom is paid. Modern ransomware encrypts certain file types and forces entities to pay a ransom for the decrypt key. • Healthcare entities, particularly hospitals, require immediate up-to-date information to patient records to provide critical care. • Interruptions in access can result in injury and death. • Different than other attacks, because its hallmark is alerting the target of its existence. • Ransomware can also deploy malware that destroys data.

  14. Recent Ransomware Attacks • Hollywood Presbyterian Medical Center, in LA: Attacked with ransomware called Locky in February 2016. • Offline for more than a week, then paid $17K. • Methodist Hospital in Henderson, KY: Attacked with Locky in March 2016. • Offline for less than 3 days and restored their system through backups. • MedStar Health in the Maryland/DC area, hit by a virus that did not allow employees to access their computer systems. • Restored functionality by shutting down portions of their systems and presumably resorted to paper files.

  15. Ransomware • Ransomware is successful because there have been multiple variants of Ransomware: • In 2015 alone, 362,000 new variants were identified. http://www.csoonline.com/article/3091080/security/the-rise-of-ransomware-in-healthcare.html#slide3 • How do we deal with the ever changing landscape of cyber threats/ransomware? • Start by being aware of your legal obligations to maintain the security of protected health information (“PHI”).

  16. Legal Issues Related to Risk Management of Cyber Threats • All covered entities are required under the Security Standards to: • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Standards. • Ensure compliance with the Security Standards by its workforce.

  17. Legal Issues Related to Risk Management of Cyber Threats • Security Standards allow flexibility of approach: • Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. • In deciding which security measures to use, a covered entity or business associate must take into account the following factors: • The size, complexity, and capabilities of the covered entity or business associate; • The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities; • The costs of security measures; and • The probability and criticality of potential risks to electronic protected health information.

  18. Legal Issues Related to Risk Management of Cyber Threats • How do we initiate our risk management strategy? • Conduct a baseline Security Risk Assessment; • Update the assessment periodically; • Update the assessment following a cyber attack, whether it was successful or not.

  19. HIPAA Security Risk Assessment Tool R = Required Standard A= Addressable Standard

  20. HIPAA Security Risk Assessment Tool

  21. HIPAA Security Risk Assessment Tool

  22. HIPAA Security Risk Assessment Tool

  23. HIPAA Security Risk Assessment Tool R = Required Standard A= Addressable Standard

  24. Legal Issues Related to Risk Management of Cyber Threats • Following the Risk Assessment, develop a comprehensive security risk management process: • Implement the required implementation specifications of the Security Standards and, if you determine that the implementation of an addressable implementation specification is not reasonable or appropriate, then document the reasons implementation is not reasonable or appropriate and implement an equivalent alternative measure if reasonable and appropriate.

  25. Legal Issues Related to Risk Management of Cyber Threats • Provide security awareness training for all workforce members and business associates /subcontractors; • Assess general liability insurance, errors and omissions insurance and directors and officers’ liability insurance to determine gaps in coverage and tailor cyber liability insurance to cover the identified gaps (later);

  26. Legal Issues Related to Risk Management of Cyber Threats • Establish a comprehensive security risk management process: • Categorize information and information systems: • Identify Information Systems; • Identify Information Type; • E-PHI; • Paper-based PHI; • Proprietary information; • Financial information; • System Information; • Etc. • Determine the potential impact category (low, moderate or high) for the loss of confidentiality, integrity or availability for each type of information.

  27. Legal Issues Related to Risk Management of Cyber Threats • Select security controls • Management; • Operational; and • Technical. • Implement security controls; • Assess security controls; • Authorize information system (if risk level acceptable); • Monitor security controls.

  28. Legal Issues Related to Risk Management of Cyber Threats • The Office for Civil Rights issued a new Fact Sheet in July 2016 concerning ransomware. • https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf • It states the Security Standards require that covered entities implement policies/procedures to assist with responding to a ransomware attack: • As part of the Contingency Plan, maintaining frequent backups to ensure data recovery. • Recommends periodic restoration tests to verify the integrity of the backed up data; & • Be confident of the capability to recover the data. • Recommends backups be maintained offline and unavailable from networks.

  29. Legal Issues Related to Risk Management of Cyber Threats • Recommends that the Contingency Plan include also: • Disaster recovery planning; • Emergency operations planning; • Analyzing the criticality of applications and data to ensure all necessary applications are accounted for; • Periodic testing to assure organizational readiness. • Recommends activation of the Contingency Plan as well as the Business Continuity Plan.

  30. Legal Issues Related to Risk Management of Cyber Threats • Further recommends that the Security Incident Response Procedures: • detect and conduct an initial analysis of the ransomware; • contain the impact and propagation of the ransomware; • eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation; • recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and • conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

  31. Legal Issues Related to Risk Management of Cyber Threats • Recommends providing security awareness training so that workforce members are able to detect and report potential early indications that ransomware is present by: • “A user’s realization that a link that was clicked on, a file attachment opened, or a website visited may have been malicious in nature; • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files); • An inability to access certain files as the ransomware encrypts, deletes and re-names and/or re-locates data; and • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution).” • Once detected, implement Security Incident & Response Procedures.

  32. Legal Issues Related to Risk Management of Cyber Threats • The Security Incident Response should include: • Determining the scope of the incident to identify what networks, systems, or applications are affected; • Determine the origination of the incident (who/what/where/when); • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment; and • Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).

  33. Was the Security Incident a Reportable Breach? • General Rule: • A Covered Entity (“CE”) that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach. • Work with your HIPAA Compliance Official.

  34. What is a breach? • “Breach’’ means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Standards which compromises the security or privacy of such information. . .

  35. Breach: Exceptions • Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or Business Associate (“BA”) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under Privacy Standards; • Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at same CE or BA or OHCA in which the CE participates, and the PHI received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and • A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

  36. Whether a Reportable Breach Occurred: Low Probability Standard • Depends upon a risk assessment of four factors: • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; • The unauthorized person who used the PHI or to whom the disclosure was made; • Whether the PHI was actually acquired or viewed; and • The extent to which the risk to the PHI has been mitigated. • If after the consideration of each of the foregoing factors the CE has determined that there is a low probability that the privacy or security of the PHI has been compromised, then no breach notification is required.

  37. Unsecured PHI: • Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized persons and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. • Guidance published April 17, 2009.

  38. Breach Notification not required if the PHI is not “Unsecured PHI” • The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are: • Electronic PHI that has been encrypted • Data at rest – NIST Special Publication 800-111 • Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113) • Media on which PHI is stored or recorded has been destroyed: • Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed • Electronic media: cleared or purged consistent with NIST Special Publication 800-88 • FIPS: www.itl.nist.gov/fipspubs/index.htm • NIST: www.nist.gov/

  39. Breaches Treated as Discovered • A breach is discovered on the first day the breach is known or by exercising reasonable diligence, would have been known by the CE; • Practice Tip: NOTIFY YOUR INSURANCE CARRIER! • A breach is discovered by a BA on the first day the breach is known or by exercising reasonable diligence, would have been known by the BA; • A BA or Subcontractor is required to report the breach to the CE in accordance with the terms of the BA; • A CE will be deemed to have discovered a breach on the first day the breach was discovered by a BA only if the BA is acting as an agent of the CE.

  40. Breach Treated as Discovered • Whether a BA is an agent of the CE is determined by the application of the federal common law of agency: Although there are multiple factors, DHHS found these four (4) to be most important in a “facts and circumstances” test: • (1) The time, place, and purpose of a BA agent's conduct; • (2) whether a BA agent engaged in a course of conduct subject to a CE's control (manner and means by which the product is accomplished); • (3) whether a BA agent's conduct is commonly done by a BA to accomplish the service performed on behalf of a CE; and • (4) whether or not the CE reasonably expected that a BA agent would engage in the conduct in question. • Practice Tip: Don’t create unnecessary agency relationships when negotiating vendor contracts.

  41. Notification of Breach • Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach. • Individuals: notice is provided in writing by first class mail or by e-mail if the individual provided a preference. • If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached. • Personal Representatives of deceased individuals are to be contacted. • When contact information is insufficient or out of date: • Fewer than 10: alternative form of written notice, telephone or other means • 10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information

  42. Notification of Breach • If notification is urgent because of possible misuse, may telephone the individual(s) • If 500 or more individuals are involved, notice must be provided to prominent media outlets. • Notice must be provided to the Secretary of DHHS; • If 500 or more individuals are involved, this notice must be given immediately • If less that 500, the CE may keep and log and disclose to the Secretary annually. • The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.

  43. Notification to the Secretary

  44. Notification of Breach

  45. Notification of Breach

  46. Notification of Breach • State law compliance: • S.C. Code Ann. § 39-1-90 • Modify your Notification of Breach Policy to also cover your obligations under State law.

  47. What is included in the cost of a data breach? • After a breach has occurred: • Legal services - compliance; • Legal services – defense; • Consulting and auditing services; • Provision of mitigation services to individual subjects of the breach; • Identity protection services to individual subject of the breach; • Business loss due to the breach; • Costs to reduce additional business loss. See Ponemon Institute: 2015 Cost of Data Breach Study: Impact of BCM, p. 13

  48. Minimizing Costs Due to a Data Breach: Cyber Insurance • Cyber liability protection products are varied; • Should be tailored to cover exposure gaps in your traditional general liability policies, E&O policies & D&O policies. • Suggested areas of consideration: • Exposures covered (ex: fraudulent use or misuse of payment systems; unauthorized use or misuse of electronic data; losses due to computer viruses; risks associated with internet commerce and security or the security of websites; regulatory enforcement; etc.);

  49. Minimizing Costs Due to a Data Breach: Cyber Insurance • Coverage: Look to see if the policy covers: • a. First party losses: Facility losses associated with, for example, physical damage or damage to software or data by viruses or hackers; unlawful computer transfers of assets including, but not limited to money, real property or securities; business interruption or denial of website service as a result of service outage or electronic vandalism; loss control/mitigation costs. • b. Third party losses: Losses of third parties due to the following: loss of data exchange via e-mail or internet; theft or destruction of third party data; denial of service; unauthorized access; slander or libel; privacy rights violations/breaches of unsecured protected health information; misappropriation of intellectual property; unfair competition. • c. Both a & b or a combination of both a & b.

  50. Minimizing Costs Due to a Data Breach: Cyber Insurance • Additional Operational/Remediation Requirements of Cyberrisk Policies: • These policies will likely require you to conduct periodic auditing and monitoring of your operations. • Policies may require you to have such auditing/monitoring performed by an independent technical service provider. • It may require you to conduct a risk analysis in addition to or other than the HIPAA security risk analysis. • There may be other requirements, such as hiring crisis management consulting services when a breach occurs. • The policy will likely require you to use legal counsel from their panel.

More Related