Cyber Security - NAHU Continuing Education Course

CYBER SECURITY
Scott Diehl
Vice President of Product Management
Aka. The Tech Guy

WORD & BROWN GENERAL AGENCY
INTRODUCTION
What is Cyber Security?
How Cyber-Safe is Your Business? / Statistics
Cyber Threats
Relevant Security and Privacy Laws
Consequences of a Breach
Tools to Aid in Cyber Security

COURSE OBJECTIVES
• Understand Cyber Security & Common Threats
• Understand relevant security laws with which we must
comply
• Understand that any Internet-connected system can be
hacked and what to do in the event of a breach
• Obtain tools to aid in the event of a breach and to aid in
preventing a breach

WHAT IS CYBER SECURITY?
• History
– 1988 – The Morris Worm
• Current
– A method of preventative security
measures designed to protect
systems and networks from such
attacks.

FAST FACTS
• What is the cloud?
– This is storage on a centralized
server owned by a hosting company
– Ex: Azure, iCloud, AWS
• Think: “Accessible Anywhere”
• Aug 31, 2014 iCloud Hack – 200
celebrity photos posted to 4chan

WHY IS HACKING SO PREVALENT?
• $$$$
– The TOR Network
• The AlphaBay Market
– Credit Cards for Sale
– RDP Access for Sale

HOW CAN I BE HACKED?
• Implanted Medical Devices (~2006)
• 'Smart" Phone
• Connected Cars
• Communication Infrastructure (P25
Radio)
• Public Recording& Reflections (UNC
Labs)
• SmartPhone Accelerometer

PERMISSIBLE HACKING?
• Advertising
– Ex: Gmail
• You’re being tracked on the
Internet at all times.

PERMISSABLE HACKING?
• Gary Kovacs – Firefox
– Behavioral Tracking

PERMISSABLE HACKING?
Gary Kovacs – Tracking the Trackers:
http://bit.ly/2cfUiWI

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?
• 2015 Major Breaches
– Experian – 15 Million Records
– Anthem - 80 Million Records
– Target – 50 Million Records
– Home Depot – 15 Million Records
– JP Morgan Chase – 12 Million
Records

• And healthcare is becoming
increasingly targeted … with very
good reasons ... And results.

• 2016 Data Breach Category Summary
• Institution Type | # Breaches
• Banking/Credit/Financial: 4
• Business: 82
• Educational: 20
• Government/Military: 8
• Medical/Healthcare: 63
SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT
RESOURCE CENTER

• 2016 Data Breach Category Summary
• Institution Type | # Records
• Banking/Credit/Financial: 4,382
• Business: 365,356
• Educational: 307,457
• Government/Military: 102,459
• Medical/Healthcare: 3,828,098
SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT
RESOURCE CENTER

• From all the news, you might
assume that only big companies
like these are targets.

• WRONG!
• The National Small Business
Association (NSBA) released
statistics showing 68% of their
small business membership
reported being a cyber-victim more
than once.

CYBER THREATS
• 2016 Targets
– Attacks through employees
– The cloud
– Seniors
– Automobiles
– Cloud Services
– Hardware & VMs
– Wearable Tech
– Internet Ads
– Wifi Hotspots

CYBER THREATS
• Employee Attacks
– Phishing & Whaling
– Our security is as strong as our
least-informed employee.
– Do you have employee security
awareness training?

CYBER THREATS
• The Clouds
– Microsoft Azure, Yammer
– Amazon Web Services
– Salesforce Cloud
– Cisco & Citrix
– File-Sharing: Box, Dropbox, Cubby

CYBER THREATS
• Internet Ads
• Ads when clicked can take you to a
predator site that loads viruses,
malware, adware, spyware and other
harmful code.
• According to the Association of National
Advertisers: ad-fraud has cost global
advertisers more then $6 Billion in 2015.

CYBER THREATS
• Malware
• An umbrella term used to refer to a
variety of forms of hostile or intrusive
software, including computer viruses,
worms, trojan horses, ransomware,
spyway, adware, scareware and
other malicious programs. It can
take the form of executable code,
scriprts, active contet and other
software.

CYBER THREATS
Google: Three tips for spotting Malware
http://bit.ly/2ctzzCU

CYBER THREATS
• Phishing
• The attempt to acquire sensitive
information such as usernames,
passwords and credit card
details, often for malicious
reasons, by masquerading as a
trustworthy entity in an electronic
communication.

CYBER THREATS
What is Phishing?
http://bit.ly/2bEYUJY

CYBER THREATS
• Ransomware
• A type of malware that can be covertly
installed on a computer without
knowledge or intention of the user that
restricts access to the infected computer
system in some way and demads the
user pay a ransom to the operators to
remove restrictions.
• EX: Hollywood Presbyterian

CYBER THREATS
RansomWare – Hollywood Presbyterian Story:
http://bit.ly/2bF06wW

CYBER THREATS
• Whaling
• A new phenomenon
• Executive-directed

CYBER THREATS
• Social Engineering
– Harvard Study
• Social Engineering

CYBER THREATS
What is your Password?
https://www.youtube.com/watch?v=InTxJIF_bC
o

CYBER THREATS
• Public Wifi
– How many here are connected to the
free “public” wifi?
– Are you sure you’re connected to the
right connection?
• Public Wifi

RELEVANT SECURITY AND PRIVACY
LAWS
• HIPAA
• Stands for?

LAWS
• HIPAA
• Enacted in 1996
• Set standards for the protection of
health care information.
• Provides the ability to transfer and
continue health insurance coverage for
workers when they change or lose
their jobs.
• Reduce health care fraud and abuse.

LAWS
• HIPAA - Factoid
• The FBI estimates that Health
Care Fraud costs American tax
payers $80 Billion/yr.
• Examples?

LAWS
• What agency administers HIPAA?
• FBI
• HHS
• CMS
• CDI

LAWS
• HIPAA
– Privacy
– Portability
– Accountability

LAWS
• HIPAA – Portability
– Limits the ability for a new employer to
exclude someone from coverage due to a
pre-existing condition.
– Provides additional opportunities to enroll in
a group health plan if you lose coverage.
– Prohibits discrimination based on health
factors such as a prior medical condition.
– Guarantees that certain individuals will
have access to and can renew their
individual health insurance policies.

LAWS
• HIPAA – Portability
– Certificates of Creditable Coverage
• Issued after a loss of coverage, enables
continuation of coverage
• Who was covered
• Start & end dates of coverage
• Details the coverage provided

LAWS
• HIPAA + ARRA – Business
Associates
– General Agencies
– Insurance Brokers
– 3rd Party Administrators

LAWS
• HITECH
– Health Information Technology for
Economic & Clinical Health

LAWS
• HITECH
– Strengthened the notification and
penalty requirements for HIPAA
violations
– Business Associates are now subject
to ARRA’s civil and criminal penalty
provisions.

LAWS
• HIPAA – Health Information
– Individually identifiable information
that relates to:
• The past, present or future physical or
mental health or condition of a member
• The provisions of health care to a member
of a plan
• The past, present or future payment for
the provisions of health care to a member

LAWS
– Examples …
• Medical Conditions
• Treatments
• Medications
• Payment Information for Health Care
Services

LAWS
– PII vs. PHI

LAWS
– PII vs. PHI
– Personally Identifiable Information
refers to information that can be used
to uniquely identify, contact, locate a
single person or that can be used by
other sources to uniquely identify a
single individual.

LAWS
– Personaly Identifiable Information
• Name
• Phone Number
• E-mail Address
• Address
• SSN
• License Plate #
• Account Number
• City
• Medical Record Number

LAWS
– Protected Health Information (PHI)
• Any information about health status,
provisions of health care or payments of
health care that can be linked to a
specific individual

LAWS
– Protected Health Information (PHI)
• Medical Condition + SSN = PHI
• Treatments + Phone # = PHI
• Payment Info + E-Mail Address = PHI

LAWS
– EPHI?

LAWS
– EPHI
• Emails which contain PHI.

LAWS
• PCI DSS
– Payment Card Industry – Data
Security Standards

LAWS
• State Laws
– like California SB 1386 & AB 1710
– Security Breech Notification, 2003
– Purchased Data, 2014

CONSEQUENCES OF A BREACH
• Identify a breach
– Incorrectly sending PHI to the wrong
email
– Sending email not-encrypted (SSL +
TLS or Encryption Service)
– Intruision
– Improper disclosure
– Los Information

• Identify a breach
– ITRC defines a breach as, “an
incident in which sensitive,
protected, or confidential data has
potentially been viewed, stolen, or
used by an individual unauthorized
to do so.

• Fines
– Violations range from $100.00 to
$50,000 per violation per day.
– Ignorance is no excuse!

• No one can put the consequences
more eloquently than someone
who has suffered a breach.
• Monika Lewinsky

Monica Lewinsky – The Price of Shame:
https://www.youtube.com/watch?v=xvSxxpFKJ5
w

• HIPAA Violation Fines
• Loss of clients
• Loss of reputation
• Personal liabilities – including
consequences at work

TOOLS TO AID IN CYBER SECURITY
• BE PREPARED
– Identify a procedure for breach
protocol
– Designate someone to understand
compliance
– Have an investigative process in-
place to define a breach

TOOLS TO AID IN CYBER SECURITY
• BE PREPARED
– Use 2-Factor Authentication
– Strong Passwords (get a password
manager for your phone!)
– Avoid unknown Android Apps (20K
apps with Malware)
– Don’t use public Wifi

Thank you!
If you have any questions: sdiehl@wordandbrown.com

Cyber Security - NAHU Continuing Education Course

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to Cyber Security - NAHU Continuing Education Course

Similar to Cyber Security - NAHU Continuing Education Course (20)

Recently uploaded

Recently uploaded (20)

Cyber Security - NAHU Continuing Education Course

Editor's Notes