This course has been delivered at Association of Health Underwriters meetings for Continuing Education Credit.
It is a relatively comprehensive look at Cyber Security, the threats we face - some of which we're still just discovering - and what we can do to prevent becoming a victim of an attack.
2. WORD & BROWN GENERAL AGENCY
INTRODUCTION
What is Cyber Security?
How Cyber-Safe is Your Business? / Statistics
Cyber Threats
Relevant Security and Privacy Laws
Consequences of a Breach
Tools to Aid in Cyber Security
3. WORD & BROWN GENERAL AGENCY
COURSE OBJECTIVES
• Understand Cyber Security & Common Threats
• Understand relevant security laws with which we must
comply
• Understand that any Internet-connected system can be
hacked and what to do in the event of a breach
• Obtain tools to aid in the event of a breach and to aid in
preventing a breach
4. WORD & BROWN GENERAL AGENCY
WHAT IS CYBER SECURITY?
• History
– 1988 – The Morris Worm
• Current
– A method of preventative security
measures designed to protect
systems and networks from such
attacks.
5. WORD & BROWN GENERAL AGENCY
FAST FACTS
• What is the cloud?
– This is storage on a centralized
server owned by a hosting company
– Ex: Azure, iCloud, AWS
• Think: “Accessible Anywhere”
• Aug 31, 2014 iCloud Hack – 200 celebrity photos posted to 4chan
6. WORD & BROWN GENERAL AGENCY
WHY IS HACKING SO PREVALENT?
• $$$$
– The TOR Network
• The AlphaBay Market
– Credit Cards for Sale
– RDP Access for Sale
7. WORD & BROWN GENERAL AGENCY
HOW CAN I BE HACKED?
• Implanted Medical Devices (~2006)
• “Smart” Phone
• Connected Cars
• Communication Infrastructure (P25
Radio)
• Public Recording & Reflections (UNC Labs)
• SmartPhone Accelerometer
8. WORD & BROWN GENERAL AGENCY
PERMISSIBLE HACKING?
• Advertising
– Ex: Gmail
• You’re being tracked on the
Internet at all times.
9. WORD & BROWN GENERAL AGENCY
PERMISSIBLE HACKING?
• Gary Kovacs – Firefox
– Behavioral Tracking
10. WORD & BROWN GENERAL AGENCY
PERMISSIBLE HACKING?
Gary Kovacs – Tracking the Trackers:
http://bit.ly/2cfUiWI
11. WORD & BROWN GENERAL AGENCY
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2015 Major Breaches
– Experian – 15 Million Records
– Anthem - 80 Million Records
– Target – 50 Million Records
– Home Depot – 15 Million Records
– JP Morgan Chase – 12 Million
Records
12. WORD & BROWN GENERAL AGENCY
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• And healthcare is becoming increasingly targeted … with very good reasons … and results.
13. WORD & BROWN GENERAL AGENCY
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2016 Data Breach Category Summary
Institution Type         | # Breaches
Banking/Credit/Financial | 4
Business                 | 82
Educational              | 20
Government/Military      | 8
Medical/Healthcare       | 63
SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT RESOURCE CENTER
14. WORD & BROWN GENERAL AGENCY
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2016 Data Breach Category Summary
Institution Type         | # Records
Banking/Credit/Financial | 4,382
Business                 | 365,356
Educational              | 307,457
Government/Military      | 102,459
Medical/Healthcare       | 3,828,098
SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT RESOURCE CENTER
15. WORD & BROWN GENERAL AGENCY
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• From all the news, you might
assume that only big companies
like these are targets.
16. WORD & BROWN GENERAL AGENCY
HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• WRONG!
• The National Small Business
Association (NSBA) released
statistics showing 68% of their
small business membership
reported being a cyber-victim more
than once.
17. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• 2016 Targets
– Attacks through employees
– The cloud
– Seniors
– Automobiles
– Cloud Services
– Hardware & VMs
– Wearable Tech
– Internet Ads
– Wifi Hotspots
18. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Employee Attacks
– Phishing & Whaling
– Our security is as strong as our
least-informed employee.
– Do you have employee security
awareness training?
19. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• The Clouds
– Microsoft Azure, Yammer
– Amazon Web Services
– Salesforce Cloud
– Cisco & Citrix
– File-Sharing: Box, Dropbox, Cubby
20. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Internet Ads
• Ads, when clicked, can take you to a predator site that loads viruses, malware, adware, spyware and other harmful code.
• According to the Association of National Advertisers, ad fraud cost global advertisers more than $6 Billion in 2015.
21. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Malware
• An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software.
22. WORD & BROWN GENERAL AGENCY
CYBER THREATS
Google: Three tips for spotting Malware
http://bit.ly/2ctzzCU
23. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Phishing
• The attempt to acquire sensitive
information such as usernames,
passwords and credit card
details, often for malicious
reasons, by masquerading as a
trustworthy entity in an electronic
communication.
24. WORD & BROWN GENERAL AGENCY
CYBER THREATS
What is Phishing?
http://bit.ly/2bEYUJY
25. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Ransomware
• A type of malware that can be covertly installed on a computer without the knowledge or intention of the user, that restricts access to the infected computer system in some way and demands that the user pay a ransom to the operators to remove the restrictions.
• EX: Hollywood Presbyterian
26. WORD & BROWN GENERAL AGENCY
CYBER THREATS
RansomWare – Hollywood Presbyterian Story:
http://bit.ly/2bF06wW
27. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Whaling
• A new phenomenon
• Executive-directed
28. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Social Engineering
– Harvard Study
• Social Engineering
29. WORD & BROWN GENERAL AGENCY
CYBER THREATS
What is your Password?
https://www.youtube.com/watch?v=InTxJIF_bCo
30. WORD & BROWN GENERAL AGENCY
CYBER THREATS
• Public Wifi
– How many here are connected to the
free “public” wifi?
– Are you sure you’re connected to the
right connection?
• Public Wifi
31. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA
• Stands for?
32. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA
• Enacted in 1996
• Set standards for the protection of
health care information.
• Provides the ability to transfer and
continue health insurance coverage for
workers when they change or lose
their jobs.
• Reduce health care fraud and abuse.
33. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA - Factoid
• The FBI estimates that Health
Care Fraud costs American tax
payers $80 Billion/yr.
• Examples?
34. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• What agency administers HIPAA?
• FBI
• HHS
• CMS
• CDI
35. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA
– Privacy
– Portability
– Accountability
36. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Portability
– Limits the ability for a new employer to
exclude someone from coverage due to a
pre-existing condition.
– Provides additional opportunities to enroll in
a group health plan if you lose coverage.
– Prohibits discrimination based on health
factors such as a prior medical condition.
– Guarantees that certain individuals will
have access to and can renew their
individual health insurance policies.
37. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Portability
– Certificates of Creditable Coverage
• Issued after a loss of coverage, enables
continuation of coverage
• Who was covered
• Start & end dates of coverage
• Details the coverage provided
39. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA + ARRA – Business
Associates
– General Agencies
– Insurance Brokers
– 3rd Party Administrators
40. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HITECH
– Health Information Technology for
Economic & Clinical Health
41. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HITECH
– Strengthened the notification and
penalty requirements for HIPAA
violations
– Business Associates are now subject
to ARRA’s civil and criminal penalty
provisions.
42. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– Individually identifiable information that relates to:
• The past, present or future physical or mental health or condition of a member
• The provision of health care to a member of a plan
• The past, present or future payment for the provision of health care to a member
43. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– Examples …
• Medical Conditions
• Treatments
• Medications
• Payment Information for Health Care
Services
44. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– PII vs. PHI
45. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– PII vs. PHI
– Personally Identifiable Information refers to information that can be used to uniquely identify, contact, or locate a single person, or that can be used by other sources to uniquely identify a single individual.
46. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– Personally Identifiable Information
• Name
• Phone Number
• E-mail Address
• Address
• SSN
• License Plate #
• Account Number
• City
• Medical Record Number
47. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– Protected Health Information (PHI)
• Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual
48. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– Protected Health Information (PHI)
• Medical Condition + SSN = PHI
• Treatments + Phone # = PHI
• Payment Info + E-Mail Address = PHI
49. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– EPHI?
50. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA – Health Information
– EPHI
• Emails which contain PHI.
51. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• PCI DSS
– Payment Card Industry – Data Security Standard
52. WORD & BROWN GENERAL AGENCY
RELEVANT SECURITY AND PRIVACY
LAWS
• State Laws
– like California SB 1386 & AB 1710
– Security Breach Notification, 2003
– Purchased Data, 2014
53. WORD & BROWN GENERAL AGENCY
CONSEQUENCES OF A BREACH
• Identify a breach
– Incorrectly sending PHI to the wrong email address
– Sending email unencrypted (no SSL/TLS or encryption service)
– Intrusion
– Improper disclosure
– Lost information
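The slides' rule that health information plus any identifier equals PHI, together with the breach examples above (PHI sent to the wrong address, or sent without encryption), can be turned into a simple outbound-email check. The following is an added example and is not code from the original deck or from Word & Brown; the identifier regexes, the health-term vocabulary, the trusted domain `example-tpa.com` and the sample messages are all constructed for this illustration, and a production DLP rule would use a much richer identifier set and vocabulary.

```python
import re
from dataclasses import dataclass, field

# Identifiers from the PII list on the slides, as regexes (constructed for this example).
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "account/MRN": re.compile(r"\b(?:MRN|account|acct)\s*#?\s*:?\s*\d{6,}\b", re.IGNORECASE),
}

# Health-status / treatment / payment vocabulary (a constructed, illustrative list).
HEALTH_TERMS = (
    "diagnosis", "diagnosed", "condition", "treatment", "prescription",
    "medication", "surgery", "chemotherapy", "claim", "copay", "deductible",
)


@dataclass
class ScanResult:
    pii: dict = field(default_factory=dict)          # identifier label -> matches found
    health_terms: list = field(default_factory=list)  # vocabulary terms found

    @property
    def is_phi(self) -> bool:
        # The deck's rule: health information + an identifier = PHI
        return bool(self.pii) and bool(self.health_terms)


def scan_text(text: str) -> ScanResult:
    """Find identifiers and health terms in a message body."""
    result = ScanResult()
    for label, pattern in PII_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            result.pii[label] = hits
    lowered = text.lower()
    result.health_terms = [t for t in HEALTH_TERMS if re.search(r"\b" + t + r"\b", lowered)]
    return result


def check_outbound(body: str, recipient: str, tls: bool, trusted_domains: frozenset) -> tuple:
    """Decide whether an outbound message may leave. Returns (decision, reason)."""
    scan = scan_text(body)
    if not scan.is_phi:
        return ("allow", "no PHI detected")
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        # The "wrong email address" breach from the slides
        return ("block", f"PHI ({', '.join(scan.pii)}) addressed to untrusted domain {domain}")
    if not tls:
        # The "email not encrypted" breach from the slides
        return ("block", "PHI must leave over TLS or an encryption service")
    return ("allow", "PHI to trusted domain over encrypted transport")


# Constructed sample messages: (body, recipient, transport encrypted?)
TRUSTED = frozenset({"example-tpa.com"})
SAMPLES = [
    ("Hi, the member was diagnosed with Type 2 diabetes. SSN 123-45-6789. Please update the claim.",
     "broker@mailhost.example", True),
    ("Reminder: open enrollment closes Friday. Call 555-123-4567 with questions.",
     "broker@mailhost.example", False),
    ("Attached is the surgery pre-authorization for MRN 00482913.",
     "claims@example-tpa.com", False),
    ("Attached is the surgery pre-authorization for MRN 00482913.",
     "claims@example-tpa.com", True),
]


def run_samples() -> list:
    """Decisions for the constructed samples, in order."""
    return [check_outbound(body, rcpt, tls, TRUSTED)[0] for body, rcpt, tls in SAMPLES]


if __name__ == "__main__":
    for (body, rcpt, tls), decision in zip(SAMPLES, run_samples()):
        print(f"{decision:5s}  to={rcpt:28s} tls={tls}  {body[:50]}...")
```

A message is allowed only when it carries no PHI, or when PHI goes to a trusted domain over an encrypted transport; every block carries a reason that can be logged and fed into the breach-investigation process the deck asks you to have in place.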
54. WORD & BROWN GENERAL AGENCY
CONSEQUENCES OF A BREACH
• Identify a breach
– ITRC defines a breach as, “an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.”
55. WORD & BROWN GENERAL AGENCY
CONSEQUENCES OF A BREACH
• Fines
– Violations range from $100.00 to $50,000 per violation per day.
– Ignorance is no excuse!
56. WORD & BROWN GENERAL AGENCY
CONSEQUENCES OF A BREACH
• No one can put the consequences more eloquently than someone who has suffered a breach.
• Monica Lewinsky
57. WORD & BROWN GENERAL AGENCY
CONSEQUENCES OF A BREACH
Monica Lewinsky – The Price of Shame:
https://www.youtube.com/watch?v=xvSxxpFKJ5w
58. WORD & BROWN GENERAL AGENCY
CONSEQUENCES OF A BREACH
• HIPAA Violation Fines
• Loss of clients
• Loss of reputation
• Personal liabilities – including consequences at work
59. WORD & BROWN GENERAL AGENCY
TOOLS TO AID IN CYBER SECURITY
• BE PREPARED
– Identify a procedure for breach protocol
– Designate someone to understand compliance
– Have an investigative process in place to define a breach
60. WORD & BROWN GENERAL AGENCY
TOOLS TO AID IN CYBER SECURITY
• BE PREPARED
– Use 2-Factor Authentication
– Strong Passwords (get a password manager for your phone!)
– Avoid unknown Android Apps (20K apps with Malware)
– Don’t use public Wifi
61. WORD & BROWN GENERAL AGENCY
Thank you!
If you have any questions: sdiehl@wordandbrown.com
Of the 4,607,752 records stolen in 2016, 83.1% of them were in Medical/Healthcare.
https://www.youtube.com/watch?v=nvIXGeB1WgE
https://www.youtube.com/watch?v=9TRR6lHviQc
Hospital Example
Friend’s story
People in a line waiting at a copy machine
What are effective ways to cut in line?
(Any ideas?)
Option 1: “Excuse me, I have 5 pages. May I use the Xerox machine?” – 60% effective
Option 2: “Excuse me, I have 5 pages. May I use the Xerox machine, because I’m in a rush?” – 94% effective
The word “because” was the key – it didn’t matter what was said after that, only the feeling that an explanation was given.
Option 3: “Excuse me, I have 5 pages. May I use the Xerox machine because I have to make some copies?” – 94% effective
Psychological Backdoors:
Liking
Reciprocation
The US Department of Health & Human Services (HHS) implemented the requirements of HIPAA to address the use and disclosure of individuals’ health information by all Covered Entities.
Types of covered entities?
Health Plans, Data Processors, Doctors, Hospitals
The American Recovery & Reinvestment Act of 2009 (ARRA) extends this requirement to Business Associates.
Privacy/Security – set standards for the protection of health care information
Accountability – Reduce health care fraud and abuse
Portability -
Year? 2009 – part of ARRA – American Recovery & Reinvestment Act 2009
Electronic Protected Health Information – defined as PHI that is maintained or transmitted via electronic means
SB1386 Amended Civil codes 1798.29, 1798.82 and 1798.84 -> regulates privacy of personal information. Enacted 2003; requires victims of a breach be notified and sets standards for that notification.
There are civil monetary penalties for failure to comply with the Rule. The penalties are ranked on a tiered level based on levels of culpability. If the covered entity or business associate:
– did not know, and could not have known, of the HIPAA violation: $100 - $50,000 per incident.
– knew, or would have known through reasonable due diligence, that an act or omission would violate the Rule, but did not act with willful intent: $1,000 - $50,000 per incident.
– acted with willful neglect, but corrected its violation within 30 days: $10,000 - $50,000 per incident.
– acted with willful neglect and took no corrective measures within 30 days: $50,000 per incident.
There is an annual aggregate cap of $1.5 million for violations of the same provision.
When an organization puts policies in place to follow HIPAA guidelines and allows workforce members to violate them without consequence, that organization is subject to penalties under HIPAA.
Unseen.is <- Anonymous Free Email
Tor Firefox Browser <- Anonymous Browsing
Read Privacy Policies
Use Spam Filters