PYA Principal Barry Mathis presented “Hot Topics in Privacy and Security,” at the Florida Hospital Association's 14th Annual Health Care Corporate Compliance Education Retreat.
The presentation explored:
• Changes in the privacy and security ecosystem.
• Emerging technology risks and hot topics.
• What happens to hacked data.
• How to best protect data.
Hot Topics in Healthcare Privacy and Security
1. Florida Hospital Association
14th Annual Health Care Corporate Compliance Education Retreat
June 9, 2017
Presented by:
Barry L. Mathis
Principal, Healthcare Consulting
Hot Topics in Privacy and Security
2. Prepared for Florida Hospital Association – 14th Annual Health Care Corporate Compliance Education Retreat Page 1
About the Speaker
Barry Mathis, Principal, Healthcare Consulting
Barry has nearly three decades of experience in the information technology (IT)
and healthcare industries as a CIO, CTO, senior IT audit manager, and IT risk
management consultant. He has performed and managed complicated HIPAA
security reviews and audits for some of the most sophisticated hospital systems
in the country. Barry is a creative senior level healthcare executive who is
visionary and results-oriented, with demonstrated experience in planning,
developing, and implementing complex information technology solutions to
address business opportunities while reducing IT risk and exposure. He is
adept at project and crisis management, trouble shooting, problem solving, and
negotiating. Barry has strong technical capabilities combined with outstanding
presentation skills and professional pride. He is a prudent risk taker with
proficiency in IT risk management, physician relations, strategic development,
and employee team building.
Agenda
Changes in the Privacy and Security Ecosystem
What Happens to Hacked Data
Prepare: Take Action
Emerging Technology Risks and Hot Topics
Questions/Answers
Organized Adversaries

Nation State
• Motives: economic, political, and/or military advantage
• Targets: trade secrets; business information; emerging technologies; critical infrastructure
• Impact: loss of competitive advantage; disruption to critical infrastructure

Organized Crime
• Motives: immediate financial gain; collect information for future financial gain
• Targets: financial/payment systems; PII; PCI; PHI
• Impact: regulatory inquiries and penalties; lawsuits; loss of confidence

Insiders
• Motives: personal advantage, monetary gain; professional revenge; patriotism
• Targets: sales, deals, market strategies; corporate secrets, IP, R&D; business operations; personnel information
• Impact: trade secret disclosure; operational disruption; brand and reputation; national security impact

Hacktivists
• Motives: influence political and/or social change; pressure business to change practices
• Targets: corporate secrets; business information; information of key executives, employees, customers, partners
• Impact: disruption of business activities; brand and reputation; loss of consumer confidence
Evolving Perspectives: Historical Privacy and Security Perspectives vs. Today’s Leading Privacy and Security Insights

Scope of the Challenge
• Historical: limited to the “four walls” and the extended enterprise
• Today: spans the interconnected global business ecosystem

Ownership and Accountability
• Historical: security led by IT; privacy led by compliance
• Today: business-aligned and owned; CEO and board accountable

Adversaries’ Characteristics
• Historical: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today: organized, funded and targeted; motivated by economic, monetary and political gain

Information Asset Protection
• Historical: one-size-fits-all approach; focus on tools, policies and procedures
• Today: prioritize and protect your “crown jewels”

Defense Posture
• Historical: protect the perimeter; respond if attacked
• Today: plan, monitor, and rapidly respond when attacked

Security Intelligence and Information Sharing
• Historical: keep to yourself
• Today: public/private partnerships; collaboration with industry working groups
Biomedical – Risks

Medical devices with features like wireless connectivity, remote monitoring, and near-field communication technology allow health professionals to adjust and fine-tune implanted devices without invasive procedures. Those conveniences also create potential points of exposure.

In one currently used exploit, known as MedJack, attackers inject malware into medical devices to fan out across a network; the medical data discovered in these types of attacks can be used for tax fraud or identity theft, and can even be used to track active drug prescriptions, enabling hackers to order medication online to sell on the dark web.

In 2016, Johnson & Johnson notified 114,000 diabetic patients that a hacker could exploit one of its insulin pumps; the J&J Animas OneTouch Ping could be attacked, disabling the device or altering the dosage.

Source: https://www.wired.com/2017/03/medical-devices-next-security-nightmare/
Biomedical in the News

According to HIPAA Journal, a recent study of the pacemaker ecosystem has uncovered security flaws in devices made by major manufacturers. The flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction.

Some of the devices stored highly sensitive data, such as medical histories and Social Security numbers, yet the data was not encrypted to prevent unauthorized access.

The software used by the pacemaker systems was discovered to contain more than 8,000 known vulnerabilities in third-party libraries across all of the devices.

Source: http://www.hipaajournal.com/study-uncovers-more-than-8000-security-flaws-in-pacemakers-from-four-major-manufacturers-8829/
Biomedical – Response

The US Department of Veterans Affairs malware attack prompted the following U.S. Federal Bureau of Investigation Cyber Division response:

“Cyber actors will likely increase cyber intrusions against health care systems – to include medical devices – due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.”

It also prompted revisions to:
• International Organization for Standardization (ISO)/IEC 27000-series “Information security management systems”
• ISO/IEC 80001 “Application of risk management for IT networks incorporating medical devices”

Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/
Evolving Ransomware

The most recent variants of ransomware have gone into stealth mode. They are fileless and avoid detection by hiding the payload in memory or the kernel, moving under the radar of traditional anti-malware. Fileless malware has been used to record administrator credentials and passwords.

More than 3 billion user credentials and passwords were stolen in 2016. Now, 8.2 million passwords are stolen every day, approximately 95 passwords every second.

Per the Verizon Data Breach Investigations Report, threat actors, or malicious actors, used stolen passwords 95% of the time in the most common types of attacks.

Source: https://www.sailpoint.com/ransomware-goes-stealth-mode-7-things-can-protect/
Reputation Ransomware

“New ransomware variant extorts your reputation rather than money.”

“Ransoc,” a new form of desktop-locking ransomware, screens machines, Skype, and social media profiles for potential evidence of pornography or media files downloaded via torrents.

Current ransomware tends to be focused on file encryption (“encrypt, and demand ransom to decrypt”). Attackers are discovering that taking files hostage (a.k.a. extortionware) is only one method of making easy money. Attack vectors that are designed to collect sensitive data and threaten to leak that data could very well be the future of the malware landscape.

Source: https://www.scmagazineuk.com/new-ransomware-variant-extorts-your-reputation-rather-than-money/article/573283/
Drones in Healthcare

Zipline launched in 2014 with support from venture capital firms such as Sequoia Partners and Google Ventures, as well as with funding from Paul Allen, a Microsoft co-founder.

The company began delivering medicine and blood in Rwanda in May 2017 under a government partnership, and expects to be operational in half of the country by the end of June 2017.

The hope is that Zipline's fleet of drones will help deliver life-saving materials to remote areas of the U.S., as it has in Rwanda.

Source: http://flyzipline.com
“Dronejacking” – Next Big Cyber Threat?

A report by Intel's McAfee Labs stated that hackers are expected to start targeting drones used for deliveries, law enforcement or camera crews, in addition to hobbyists.

"Someone looking to 'dronejack' deliveries could find a location with regular drone traffic and wait for the targets to appear," the report said; "Once a package delivery drone is overhead, the drone could be sent to the ground, allowing the criminal to steal the package."

Source: http://flyzipline.com
Machine Learning (ML)

Artificial Intelligence (AI) vs. Machine Learning (ML)
• AI is the broader concept of machines being able to carry out tasks in a way that is considered “smart”
• ML is a current application of AI based around the idea that machines should be given access to data and learn for themselves

Source: http://www.fiercehealthcare.com/analytics/boston-hospitals-use-machine-learning-to-manage-most-expensive-illnesses
Machine Learning Used to Help Protect

The reality is that, in a typical data access environment, anomalies happen all of the time. Using ML to gain a deep understanding of data and of user access to data will help identify meaningful indicators of critical data abuse, as opposed to numerous mathematical anomalies that simply mean more work for security teams.

A new breed of end-point anti-malware prevention tools uses ML to monitor all activity, learn what is normal and what is a potential attack, close the door, and capture data to prevent future attacks.

Source: https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/#sthash.Kz0afJig.dpuf
Source: https://www.ensilo.com/company/approach/
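The distinction the slide draws, between anomalies that are merely statistical and anomalies that indicate abuse of critical data, can be shown with a small added example (not code from the presentation or from the vendors it cites). A per-user z-score baseline over constructed access-log records stands in for the ML model the slide mentions; the sensitivity weights, user names and counts are all assumptions made for the example.

```python
"""Added example: baseline each user's daily record-access volume from
history, score today's events, and rank the outliers by the sensitivity
of the data they touched. A plain z-score replaces the ML model the
slide refers to; the data classes and weights are assumed values."""
import math
from collections import defaultdict

# Constructed history: (day, user, records_touched, data_class)
HISTORY = [
    ("d1", "nurse01", 40, "PHI"), ("d2", "nurse01", 45, "PHI"),
    ("d3", "nurse01", 38, "PHI"), ("d4", "nurse01", 42, "PHI"),
    ("d1", "analyst02", 500, "PUBLIC"), ("d2", "analyst02", 520, "PUBLIC"),
    ("d3", "analyst02", 480, "PUBLIC"), ("d4", "analyst02", 510, "PUBLIC"),
    ("d1", "clerk03", 50, "PHI"), ("d2", "clerk03", 55, "PHI"),
    ("d3", "clerk03", 48, "PHI"), ("d4", "clerk03", 52, "PHI"),
]
# Constructed events for today: one bulk PHI pull, one large but
# non-sensitive report run, and one ordinary day for a third user.
TODAY = [
    ("d5", "nurse01", 410, "PHI"),
    ("d5", "analyst02", 900, "PUBLIC"),
    ("d5", "clerk03", 53, "PHI"),
]
# Assumed weights: PHI highest, in line with the deck's note that medical
# records fetch far more on the black market than card data.
SENSITIVITY = {"PUBLIC": 1.0, "PII": 3.0, "PHI": 5.0}

def baselines(history):
    """Per-user (mean, std-dev) of records touched per day."""
    per_user = defaultdict(list)
    for _, user, count, _ in history:
        per_user[user].append(count)
    out = {}
    for user, counts in per_user.items():
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        out[user] = (mean, math.sqrt(var) or 1.0)  # avoid divide-by-zero
    return out

def score_events(history, today, z_threshold=3.0):
    """Return (user, day, z, risk) for events whose z-score exceeds the
    threshold, sorted so the highest risk (z * sensitivity) comes first."""
    base = baselines(history)
    flagged = []
    for day, user, count, data_class in today:
        mean, std = base.get(user, (count, 1.0))  # unseen user: no baseline
        z = (count - mean) / std
        if z >= z_threshold:
            risk = z * SENSITIVITY.get(data_class, 1.0)
            flagged.append((user, day, round(z, 2), round(risk, 2)))
    return sorted(flagged, key=lambda e: e[3], reverse=True)
```

Both nurse01 and analyst02 are statistical outliers, but weighting by data class puts the PHI pull far ahead of the large report on public data, while clerk03's normal day is not flagged at all.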
Hacked Data: Where Does It All Go?

Source: http://www.informit.com/blogs/blog.aspx?uk=How-the-Internet-Works-The-Deep-Web

• Level 0: Common Web – YouTube, Facebook, Wikipedia and other famous or easily accessible websites can be found here.
• Level 1: Surface Web – This level is still accessible through normal means, but contains “darker” websites.
• Level 2: Bergie Web – This level is the last one normally accessible; all levels that follow this one have to be accessed with a proxy.
• Level 3: Deep Web – The first part of this level has to be accessed with a proxy. It contains hacking, data for purchase… Here begins the Deep Web.
• Level 4: Charter Web – Things such as drug and human trafficking, banned movies, books and black markets exist here.
• Level 5: Marianas Web – It is difficult to find anyone who knows about this level. It more than likely contains secret government documentation.

[Figure: web-levels diagram with percentage labels (4%, 80%) and a “Data Auctions” label]
The Data Black Market

Cybercriminals are increasingly using stolen medical records for other types of identity theft beyond healthcare fraud, including filing fraudulent tax returns.

"You have experts in different fields. There are those who are great at obtaining information. And then there are other guys, who will buy this data and use it to commit fraud," said Etay Maor, an executive security advisor at IBM Security.

Healthcare records fetch higher prices, as much as 60 times that of stolen credit card data, because they contain much more information that a cybercriminal can use. While a Social Security number can be purchased on the dark web for around $15, medical records fetch at least $60 per record.

Source: http://www.cnbc.com/2016/03/10/dark-web-is-fertile-ground-for-stolen-medical-records.html
Take Action

• Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies and practices
• Identify your most valuable information assets, and prioritize protection of this high-value data
• Ensure that your cybersecurity strategy is aligned with business objectives and is strategically funded
• Understand your adversaries, including their motives, resources, and methods of attack, to help reduce the time from detection to response
• Collaborate with others to increase awareness of cybersecurity threats and response tactics
20. PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com
Barry L. Mathis
Principal
bmathis@pyapc.com
Thank you!