Cyber Hacking in Healthcare & The Best Practices for Securing ePHI in 2015
•Download as PPTX, PDF•
2 likes•1,134 views
This document discusses securing electronic protected health information (ePHI) using the SANS Security model and HIPAA compliance best practices. It summarizes trends in healthcare faxing moving from on-premise to cloud-based faxing. The document outlines the six defensive walls of the SANS Security model and provides an overview of common security threats and pitfalls organizations face in securing ePHI. It highlights eFax Secure as a cloud faxing solution that offers encryption of faxes in transit and at rest to enhance security and HIPAA compliance.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Cyber Hacking in Healthcare & The Best Practices for Securing ePHI in 2015
Similar to Cyber Hacking in Healthcare & The Best Practices for Securing ePHI in 2015 (20)
More from eFax Corporate®
More from eFax Corporate® (9)
Recently uploaded
Recently uploaded (20)
Cyber Hacking in Healthcare & The Best Practices for Securing ePHI in 2015
- 1. World Leader in Digital Faxing 1 IN PARTNERSHIP WITH:
- 2. World Leader in Digital Faxing 2 Meet the Speakers Michael Flavin Sr. Product Marketing Manager j2 Cloud Services Michael Pearson Chief Information Security Consultant Health Security Solutions
- 3. World Leader in Digital Faxing 3 Michael Flavin Sr. Product Marketing Manager j2 Cloud Services Michael Pearson CISSP
- 4. World Leader in Digital Faxing 4 Cyber Hacking in Healthcare: Snapshot HHS Office for Civil Rights 1,199 incidents 41.5 million individuals FBI warnings to industry: “The FBI has observed malicious actors targeting healthcare related systems…for the purpose of obtaining Protected Healthcare Information (PHI)” Top 5 Health Data Breaches in 2014 7.4 million individuals affected Data Breaches Year to date 90+ million individuals affected Huge change in scope 1,800%! increase from 2008-2013
- 5. World Leader in Digital Faxing 5 Sources of a Breach ORGANIZED CRIMINAL WELL-MEANING INSIDER MALICIOUS INSIDER
- 6. World Leader in Digital Faxing 6 Stages of a Breach CAPTURE Access data on unprotected systems Install root kits to capture network data 3 DISCOVERY Map organization’s systems Automatically find confidential data 2 INCURSION Attacker breaks in via targeted malware, improper credentials or SQL injection 1 EXFILTRATION Confidential data sent to hacker team in the clear, wrapped in encrypted packets or in zipped files with passwords 4
- 7. World Leader in Digital Faxing 7 Six Best Practices for Securing ePHI Using the SANS Security Model and HIPAA Compliance • SANS Security Model provides a good framework for protecting, storing and transmitting ePHI – focus on security! • HIPAA Compliance does NOT equal a plan secure PHI • IT Executives must balance security, data protection and training with conduct of regular business
- 8. World Leader in Digital Faxing 8 SANS Security Model Defensive Wall 1: Proactive Software Assurance Application Security Skills Assessment & Certification
- 9. World Leader in Digital Faxing 9 SANS Security Model Defensive Wall 2: Blocking Attacks: Network Based IDS/IPS, FW, MSS
- 10. World Leader in Digital Faxing 10 SANS Security Model Defensive Wall 3: Blocking Attacks: Host Based Endpoint Security, NAC
- 11. World Leader in Digital Faxing 11 SANS Security Model Defensive Wall 4: Eliminating Security Vulnerabilities Vulnerability Management, Patch Management, Penetration testing.
- 12. World Leader in Digital Faxing 12 SANS Security Model Defensive Wall 5: Safely Supporting Authorized Users Encryption, VPN, DLP
- 13. World Leader in Digital Faxing 13 SANS Security Model Defensive Wall 6: Tools to Manage Security and Maximize Effectiveness Log Management, SIEM, Training, Forensics
- 14. World Leader in Digital Faxing 14 Firewalls Are Not Enough NIDS Monitoring NIDS Monitoring - Botnet C&C Detection NIDS Monitoring - Watchlist Detection NIDS Monitoring NIDS Monitoring - Botnet C&C Detection NIDS Monitoring - Watchlist Detection Firewall Logs Associated with IDS Alerts NIDS Monitoring NIDS Monitoring - Botnet C&C Detection NIDS Monitoring - Watchlist Detection Firewall Logs Associated with IDS Alerts Firewall Logs - Scan Detection Firewall Logs - Botnet C&C Detection Firewall Logs - Backdoor Detection Firewall Logs - Anomaly Detection Firewall Logs - Watchlist Detection NIDS Monitoring NIDS Monitoring - Botnet C&C Detection NIDS Monitoring - Watchlist Detection Firewall Logs Associated with IDS Alerts Firewall Logs - Scan Detection Firewall Logs - Botnet C&C Detection Firewall Logs - Backdoor Detection Firewall Logs - Anomaly Detection Firewall Logs - Watchlist Detection HIDS Alerts OS / Application / Database Logs Endpoint Protection Alerts Average: NIDS Monitoring ~32% Good: NIDS Monitoring + Core Firewall Monitoring ~50% Better: NIDS Monitoring + Firewall Advanced Analysis ~80% Best: NIDS Monitoring + Firewall Advanced Analysis + HIDS + LMS + MEP Approaching 100%
- 15. World Leader in Digital Faxing 15 What are the Threats? Technology Impacting. Security Architecture – Firewalls, Anti-Virus Unpatched Client Side Software and Applications Advanced Malware and Ransomware Accessing Malicious Website
- 16. World Leader in Digital Faxing 16 What are the Threats? Technology Impacting. Poor Configuration Management Cloud Computing/Storage Unencrypted ePHI and Removable Media Mobile Devices, aka BYOD Botnets Phishing
- 17. World Leader in Digital Faxing 17 What are the Threats? Business Impacting. Marketplace Reputation and Customer Loyalty Liability o Legal costs o Credit assistance for customers o Training, call center triage o Fraudulent charges o Stock price, earnings, etc. o IT Resources
- 18. World Leader in Digital Faxing 18 Most Common Pitfalls Risk Assessment Lack of Accurate Data Inventory/Controls o Audit logs (critical for compliance and root cause) Humans o “Accidents happen” o Social Engineering and o Security Awareness Training
- 19. World Leader in Digital Faxing 19 Most Common Pitfalls Missing Policies and Procedures Incident Response Team and Plan & Audit Trail
- 20. World Leader in Digital Faxing 20 Most Common Pitfalls Password Security (may overlap with 3rd Party vendors) o 40% have a password from the top 100 o 79% have a password from the top 500 o 91% have a password from the top 1000
- 21. World Leader in Digital Faxing 21 Why do Compliance Mandates get More Complicated? Compliance ≠ Security Compliance is the output of post-mortem – Some organization did not secure their data, and now everyone else must deploy solutions, software, policies, and guidelines Compliance will always be a step behind the latest threat
- 22. World Leader in Digital Faxing 22 Faxing in Healthcare Today - Trends Faxing is still a widely used, especially in highly regulated industries such as healthcare, finance, legal (1) Trend is toward cloud faxing from on premise faxing Cloud faxing offers a secure, reliable way to send ePHI and to covered entities or business associates, enhancing HIPAA Compliance
- 23. World Leader in Digital Faxing 23 Email, Secure Browser, Mobile App & eFax Messenger User Interfaces TLS Encrypted in Transit Hosted Fax Service Encrypted Fax Storage via eFax Secure (optional) PSTN Telco Service Inbound/ Outbound Faxes The world’s #1 online fax company – and the industry’s most experienced hosted fax service The most widely deployed online fax service for the Fortune 500 Trusted by more major healthcare, legal, financial and other highly-regulated firms than any other online fax provider to transmit sensitive documents
- 24. World Leader in Digital Faxing 24 Product Spotlight: eFax Secure™ Secure: TLS-encrypted transmission and storage of ePHI data to enhance security and HIPAA compliance – encryption at rest and motion Reduce costs – eliminate cost of physical fax servers, phone lines, and enhance compliance with routing to specific user’s email Improve your overall communications with our highly redundant network delivering 99.5% uptime SLAs and unparalleled transmission security Tier III or IV colocations for servers with high redundancy and failover capabilities
- 25. World Leader in Digital Faxing 25 Helpful Links SANS Security Model DHS HIPAA Security 101 for Covered Entities DHS HIPAA Security: Physical Safeguards enterprise.eFax.com Recorded slides of this presentation Whitepaper: “Is Cloud-based Faxing Right for You?”
- 26. World Leader in Digital Faxing 26 Q&A Visit us at enterprise.eFax.com Visit us at HIMSS Booth #7756 Email: Michael Flavin: michael.flavin@j2.com Mike Pearson: mike@healthsecuritysolutions.com
- 27. World Leader in Digital Faxing 27 Thank You
Editor's Notes
- Good Morning, and welcome to today’s Webinar: “Cyber Hacking in Healthcare and Best Practices for Securing ePHI.” I am Carol Flagg. Before we begin we wanted to cover a few housekeeping items. You should see a Q&A box in the top right area of your screen. At any point during our session today, feel free to submit a question to us in this Q&A area. We will try to answer your questions during the webcast, but if a fuller answer is needed or we run out of time, it will be answered later via email. We do capture all questions. An “On Demand” version of the webcast will be available approximately 1 day after the event, we will share this link with you over email.
- A little housekeeping…
- A little housekeeping…
- According to Databreach Today, the HHS’ Office for Civil Rights has reported that 1,999 incidents involving 41.5 million people have occurred as of January 2015, while the Top 5 data breaches in 2014 totaled 7.4 million people, and this year alone, that number skyrocketed to an astounding 90 million individuals – growing the official federal tally of individuals affected by major breaches reportable under HIPAA since 2009 to 130 million – resulting in a mind-boggling 1,800% increase! Breaches in the last 90 days alone should put all healthcare providers and insurers on notice. As you may already know, the depth of the problem prompted the FBI to issue a flash warning to the healthcare industry that malicious actors are using malware to target ePHI and intellectual property such as device and equipment development data. Michael F: So WHY is all of this happening? Healthcare entities are a veritable treasure trove of information for would-be hackers because the data includes names, birthdates, social security numbers, credit card numbers, claims information and clinical data – all of which can easily be re-sold on the black market by criminals looking to commit identity theft. MikeP: SOURCES **Data hacking has increased 1,800% from 2008 to 2013 (source: NelsonHardiman.com http://www.nelsonhardiman.com/hipaa-security-breaches-raise-bar-for-hipaa-compliance/ OCR reports 1,199 incidents affecting 41.5 million people as of Jan 2015. Databreachtoday: http://www.databreachtoday.com/reporting-hipaa-breaches-new-approach-a-7830?webSyncID=159e0b8a-ade8-a778-135c-5652493c17a3&sessionGUID=5a0ccae7-d23a-bd7b-09e0-decc41a65213 2)7.4 million consumers/Top 5 Breaches: http://www.bankinfosecurity.com/top-healthcare-breaches-2014-a-7756 3) http://www.databreachtoday.com/anthem-hit-by-massive-data-breach-a-7876 4) http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820 4) “FBI warning to healthcare industry:” http://fortune.com/2015/02/05/anthem-suffers-hack/
- MichaelF: So Mike – we’ve talked about WHY, now let’s talk about the WHO of Cyber Crime – what are the sources of these breaches? MIKE P ROLL!! http://www.time.com/time/business/article/0,8599,1917345,00.html Fast Facts: • The 28-year-old lives in Miami • Has operated under the Internet handles "Segvec," "Soupnazi" and "J4guar" • Charged with hacking into retail and card-processing computers to steal 130 million credit- and debit-card numbers from 2006 to 2008. The compromised companies include Heartland Payment Systems, 7-Eleven, two unnamed national retailers and Hannaford Brothers, a regional supermarket chain • Gonzales had previously been indicted — once in May 2008 and again in August of the same year — for allegedly stealing the info of 40 million credit and debit cards from companies including OfficeMax, TJ Maxx, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW and Dave & Buster's • Arrested in New Jersey in 2003 while working as an administrator for the underground, 4,000-member website Shadowcrew.com, on which hackers swapped stolen credit-card information • After his arrest, he began working with Secret Service agents on something called Operation Firewall, in which Gonzalez — operating under the handle "CumbaJohny" — convinced Shadowcrew members to join his virtual private network, which was secretly monitored by federal agents. In October 2004, 28 hackers were arrested through the operation, though federal agents claim Gonzalez tipped off some of the suspects, helping them to sidestep authorities • After the sting, Gonzalez changed his nickname to "Segvec" and moved to Miami, where he allegedly started a new identity-theft ring called Operation Get Rich or Die Tryin' • According to the Aug. 17 indictment, Gonzalez teamed up with two Russian programmers to hack into corporate computer networks and install "malware," or malicious software, that allowed them to steal data • Heartland Payment Systems, which processes credit-card data for more than 250,000 businesses, accounts for most of the 130 million numbers cited in the New Jersey indictment. The company has thus far spent $12.6 million in legal costs and fines associated with the security breach • The government is seeking forfeiture of Gonzalez's Miami condo, his BMW, a firearm, a currency counter and nearly $1.7 million in cash • Gonzalez's lawyer, Rene Palomino Jr., has thus far refused interview requests regarding the matter and has issued no comment
- Organized crime Working for Zev Rosenstein – the Shark – Israeli organized crime Hired 2 guys to do it Kept some of the money, shark killed one other turned himself in
- MIKEP: SANS Security Model, HIPAA Compliance not a plan, and IT leadership has to strike a balance. MichaelF: IT Executives have a daunting challenge…compliance, security and enabling users.. So Mike – what are the best practices for a ‘defense in depth’ approach to security?
- MIKEP: all MikeP Defensive Wall 1: Proactive Software Assurance 1.1 Source Code and Binary Code Testing Tools and Services 1.2 Application Security Scanners (Black Box Scanners) 1.3 Application Security Skills Assessment & Certification
- MIKEP: Defensive Wall 2: Blocking Attacks: Network Based 2.1 Intrusion Prevention (IPS) & Detection (IDS) 2.2 Wireless Intrusion Prevention (WIPS) 2.3 Network Behavior Analysis and DDoS Monitoring 2.4 Firewalls, Enterprise Antivirus and Unified Threat Management 2.5 Secure Web Gateways 2.6 Secure Messaging Gateways and Anti-Spam Tools 2.7 Web Application Firewalls 2.8 Managed Security Services Michael F: So Mike, would any of these technologies have helped to prevent the Target hack, as reported by security blogger Brian Krebs, where reportedly the HVAC vendor’s credentials were used to access the POS system? Brian Krebs article: http://www.computerworld.com/article/2487452/cybercrime-hacking/target-attack-shows-danger-of-remotely-accessible-hvac-systems.html
- MIKEP: Endpoint security walk-through, network access controls Defensive Wall 3: Blocking Attacks: Host Based 3.1 Endpoint Security (michaelF Comment: having spent 3 years in the Managed Service Provider space, it was very common to find new clients who didn’t have updated antivirus & anti-malware programs, or a centralized way to manage them. It’s critical to have visibility into IT inventory and continually update AV and Antimalware programs – just one more important piece of the “layered "approach to defense. 3.2 Network Access Control (NAC) 3.3 System Integrity Checking Tools 3.4 Application Control and Configuration Hardening Tools
- MIKEP: keeping all systems updated and patched, plus penetration testing – common methods used by hackers! 4.1 Network Discovery Tools 4.2 Vulnerability Management 4.3 Penetration Testing and Ethical Hacking. 4.4 Patch and Security Configuration Management and Compliance MICHAELF COMMENT: hackers look to exploit OPEN vulnerabilities from unpatched applications which are lacking critical security updates, such as adobe, browsers, windows apps.
- MIKEP: Defensive Wall 5: Safely Supporting Authorized Users 5.1 Identity and Access Management 5.2 Mobile Data Protection and Storage Encryption 5.3 Storage and Backup Encryption 5.4 Content Monitoring/Data Leak Prevention 5.5 Digital Rights Management 5.6 Virtual Private Networks (VPNs) MICHAELF Comment: When it comes to working with a Business Associate, be sure to have a conversation about their process for protecting ePHI. For example, using updated TLS encryption technology, and encryption of data in motion and in rest, like eFax Corporate’s eFax Secure product utilizes for customers who require the strongest security controls.
- MichaelF: Mike, from your experience, a lot of folks aren’t prepared to have logging & audit logs on their network – what does HIPAA require? MIKEP: Logging, SIEM, Training and Forensics Defensive Wall 6: Tools to Manage Security and Maximize Effectiveness 6.1 Log Management and Security Information and Event Management 6.2 Media Sanitization and Mobile Device Recovery and Erasure 6.3 Security Skills Development 6.4 Security Awareness Training 6.5 Forensics Tools 6.6 Governance, Risk and Compliance Management Tools 6.7 Disaster Recovery and Business Continuity MichaelF: efax corporate has detailed logging capabilities for fax transmissions
- MichaelF: So if I’m a medical group, small practice owner or IT Security Manager at a hospital, is having an expensive firewall in place good preventative measure? What hardware and software should we have in place to defend against sophisticated malware, zero-day attacks and forced intrusions by hackers?
- MikeP: Security Architecture, Unpatched Client Side Software, APTs, Ransomware, Accessing Malicious Website (intro) Michael comments: Ransomware (cryptolocker example) is really nasty. I’ve seen financial firms get cryptolocker, where malware came in on a laptop, for example, and connects to a network shared file server, encrypting entire mission-critical databases and then asking for ransom. This can sink a business. Luckily in this case, the company had a full backup offsite!
- Mike P Comment: Poor Config Mgmt, Cloud computing & storage, unencrypted ePHI, BYOD, Botnets, Phishing. Michael F Comment: Phishing (spearphishing, social engineering). Should be detailed part of end user/employee training. Users can be easily tricked with very realistic emails (e.g. ‘ADP notification’ or your account is expired!’)
- MichaelF comments: having a breach and reportable event (notifying your customers, the public, DHS etc.) can be a massive blow to your businesses’ reputation and financial viability. For example, (as reported by NielsonHardiman) the Home Depot hack cost the company at least $62 million on credit monitoring services and call center staffing. The company then spent an additional $148 million in its second fiscal quarter following the Black Friday attack of 2013. As you may know, penalties for HIPAA violations, which you may know can be $10,000 per violation, with an annual maximum of $250,000 for repeat violations, And when the breach is caused by “willful neglect” and not corrected in the required time period can cost a covered entity $50,000 per violation, with an annual maximum of $1.5 million. *Those costs add up quickly, as evidenced by the Ponemon Institute’s finding that the average per-capita cost of handling a data breach is $359 in the healthcare industry, compared to $201 in other industries. Reference to article: Actual and Hidden Costs of HIPAA Violation: (source: http://www.nelsonhardiman.com/hipaa-security-breaches-raise-bar-for-hipaa-compliance/) Ponemon Institute Study (soft copy)
- MichaelF: So Mike – what are the most common pitfalls that you’ve seen out there? (MIKEP to disccuss Risk Assessment, Lack of data, Humans) Michaelf: You know Social Engineering in the context of information security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. Kevin Mitnick Reformed computer criminal and later security consultant pointed out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.
- Mike P: missing policies and Procedures. Michael Comment on Incident Response Team. Having a response team in place and taking a pro-active approach will greatly enhance a CE’s ability to react quickly and enable faster reporting to the appropriate state and federal authorities This is also critical component for Audit and Compliance activities. Again, eFax corporate support this capability is detailed logs and history for document transmissions, in a central location.
- Open Site http://howsecureismypassword.net/ http://geodsoft.com/cgi-bin/password.pl http://strongpasswordgenerator.com/ Michael: as part of HIPAA / Security Awareness: password management What constitutes ‘strong’ passwords? A. 10,000 Passwords/sec Typical for recovery of Microsoft Office passwords on a Pentium 100 B. 100,000 Passwords/sec Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100 C. 1,000,000 Passwords/sec Typical for recovery of ZIP or ARJ passwords on a Pentium 100 D. 10,000,000 Passwords/sec Fast PC, Dual Processor PC. E. 100,000,000 Passwords/sec Workstation, or multiple PC's working together. F. 1,000,000,000 Passwords/sec Typical for medium to large scale distributed computing, Supercomputers.
- MIKEP: Compliance is not a defense.
- As you may know, faxing is still widely used in the healthcare industry, from the transmission of ePHI from a doctor’s office to a medical device manufacturer, to faxing of claims containing PHI to an insurance provider. In fact, recent research (Davidson Consulting 2012) shows that enterprise growth for fax will be at a healthy 15% for 2015 through 2017 as it remains a primary method of transmitting sensitive data, with the total fax market size increasing from $1.1 Billion in 2012 to $2.3 Billion in 2017 as migration to cloud based faxing continues. Fax technology continues to move to cloud faxing from on-premise faxing. Companies are realizing the benefits of scalability, reliability and security and reduced costs of cloud faxing. As already mentioned, efax corporate has a portfolio of cloud fax solutions that can help healthcare entities have an integrated solution that enhances HIPAA compliance.
- MichaelF: about efax corporate
- MichaelF: Features: eFax Secure provides highly secure, email-driven faxing; with no hardware or software required.
- MichaelF: Before we jump into our Q&A, we wanted to share some Helpful links… Also as carol mentioned recorded slides of our presentation will be shared with you via email, in addition to the Whitepaper “Is Cloud-based Faxing Right for You? For additional information on eFax Corporate, visit Enterprise.Efax.COM Carol – over to you for Q&A!
- All Carol