Anatomy of a Breach - HIMSS Washington Chapter


Anatomy of a Data Breach
Real World Scenarios & Strategies for Avoidance
Chris Bowen, MBA, CISSP, CCPS, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
Healthcare Data is Under Attack
• According to OCR, in 2015 there were 253 breaches affecting 500 individuals or more, with a combined loss of over 112M records
• Top 10 data breaches accounted for just over 111 million records that were lost, stolen or inappropriately disclosed.
113,000,000 records breached in 2015
• Protected health information (PHI) is worth roughly 50 times more than credit card or Social Security numbers
• Most profitable type of fraud stemming from identity theft is now Medicare fraud
• Particularly attractive targets because of payment data and detailed patient records used to collect reimbursements
10x more than in 2014
• One in 10 Americans has been affected by a large health data breach
PROPRIETARY & CONFIDENTIAL
Attacks Increasing
Number of Breaches Reported to HHS
[Chart: number of breaches reported to HHS by month for 2014, 2015 and 2016 (2016 as of June); y-axis 0 to 60 breaches]
Sources: US Dept. of Health and Human Services Office for Civil Rights
http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
Value of PHI
[Pie chart: what the stolen PHI was used for]
• 29% – Obtain healthcare services or treatments
• 28% – Obtain prescription drugs or medical equipment
• 26% – Obtain government benefits, including Medicare or Medicaid
• 11% – My healthcare records were accessed or modified
• 2% – Obtain fraudulent credit accounts in my name
• 2% – Credit report was accessed or modified
• 2% – Don’t know
Most Hackers Invest Limited Time
Average hacker time investment
• 70 hours per attack against "typical" IT security infrastructure
• 147 hours battling "excellent" IT security infrastructure
• Give up completely after 209 hours.
Cyber attacks, average return
• Make less than $15,000 per attack
• Average less than $29,000 per year
“If you can delay them by two days, you can deter 60 percent of attacks.” – Scott Simkin, Senior Threat Intelligence Manager at Palo Alto Networks
Source: CSO Online, "Survey: Average successful hack nets less than $15,000", http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html
How data is being compromised
Put Another Way
Top Healthcare Breaches of 2015
Records Breached    Type of Breach
80,000,000          Hacking/IT Incident
11,000,000          Hacking/IT Incident
10,000,000          Hacking/IT Incident
4,500,000           Hacking/IT Incident
3,900,000           Hacking/IT Incident
1,100,000           Hacking/IT Incident
697,586             Hacking/IT Incident
557,779             Hacking/IT Incident
306,789             Hacking/IT Incident
160,000             Laptop Theft
(The Organization column was shown as logos on the slide; the names did not survive extraction.)
http://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#53059d707fd5
Number of Breaches in 2016 (Jan-June)
[Chart: breaches by category, with values 4, 37, 48 and 44 shown across Unauthorized Access, Hacking / Network / Server, Loss or Theft and Improper Disposal; the value-to-category pairing did not survive extraction]
http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
Number of Records Breached in 1st half of 2016
[Chart: records breached by category (Hacking; Loss or Theft; Unauthorized Access; Improper Disposal), with segments of 13,765,610, 1,342,125, 342,748 and 118,594 records out of 15,569,077; the value-to-category pairing did not survive extraction]
http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
2016 Mid-year Report
• January – June 2016: 142 healthcare data breaches totalling 11,061,649 patient records
• January – June 2015: 143 healthcare data breaches totalling 15,569,077 patient records
http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
Defense in Depth in IT
Defense in depth and defense in breadth, applied across each use case to the appropriate level:
• Multi-level security: user, process, device
• Physical infrastructure
• Network security: air-tight, properly configured
• System security
• Data & application security
Applying defense in depth & breadth:
• Reduce attack surfaces
• Deploy crypto keys
• Create secure people, processes & systems
Ransomware is On the Loose
Ransomware Infections by Month (2015-2016)
Source: https://blog.barkly.com/ransomware-statistics-2016
Expanding Attacker Resources
State Sponsored
• Cyberwar, state secrets; industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• Advanced persistent threats
Organized Crime / Criminal
• Economic gain
• Significant tech resources and capabilities
• Established syndicates
• Adware, crimeware, IP theft
Hacktivist
• Statement
• Relentless
• Emotionally committed
• Vast networks
• Targeted attacks
Recreational
• Fame and notoriety
• Limited tech resources
• Known exploits
Also on the slide (column not recoverable from the extraction): Vandalism; Limited tech capabilities
http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
Ransomware Price Tag
• $679 – average cost of a demanded ransomware payment.
• ~50% – number of organizations hit by ransomware
• <50% – less than half of ransomware victims fully recover their data, even with backup
• #1 – email is the #1 delivery vehicle for ransomware, followed by websites other than social media
Sources: https://blog.barkly.com/ransomware-statistics-2016
The Role of the Healthcare Network
[Network diagram: the sites that share the healthcare network and the services that ride on it]
Sites: Regional Medical Center; Physician Home Office; Secondary Care Hospital; Community Health Center; Affiliate Office; Military, Prison Health
Services and links: Data Exchange; VoIP Phone; Health Collaboration; Patient Consent; Enterprise Wireless; SMB Wireless; Telemedicine; Immersive Tele-presence; Mobile EMR Access; VoIP Conference Phone; EMR Integration; Remote Radiology; Remote Monitoring
InfoSec Key Concepts
Three elements to protecting information:
Confidentiality: protecting information from unauthorized disclosure to people or processes.
Availability: defending information systems and resources from malicious, unauthorized users to ensure accessibility by authorized users.
Integrity: assuring the reliability and accuracy of information and IT resources.
Bank ATM Example
• Imagine if your account was not kept confidential
and someone else was able to access it when they
approached the ATM. How much damage could be
done?
• Imagine if your bank’s ATM was rarely available
when you needed it. Would you continue to use
that bank?
• Imagine if every time you went to the ATM, the
balance it displayed was inaccurate. How could
the poor integrity of your balance information
adversely affect your account management?
The Attack
[Diagram components: Social Engineering, Infrastructure Weakness, Firewall, Web Server]
1. Research
• Attacker looks for weakness to exploit
• Attacker buys info from a previous exploit
2. Initiate Attack
• Social engineering
• Infrastructure weakness
• Will stage multiple attacks to increase odds of success
3. Exfiltration
• Once access is gained, info can be harvested, including PHI
4. Exploit
• Info is sold on Dark Web
• Info is gleaned for additional targets: credit cards, associated medical facilities, vendor info, vendors
The Phishing Process
[Diagram: the Attacker (172.168.1.1) sends an unsolicited email to a Customer of Big Enterprise. The message reads "Your password will soon expire. Click here to reset your password", and the link points at the Attacker Server (172.168.254.254) rather than Big Enterprise.com.]
The Bait
Pharming
[Diagram: DNS poisoning. The Attacker (172.168.1.1) alters the Customer's hosts file so that Big Enterprise.com = 172.168.254.254; the Customer is sent to the Attacker's Spoof Server at 172.168.254.254 instead of Big Enterprise.]
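A hosts-file override like the one in the diagram never touches DNS, so a defender's check has to read the file itself. The following is an added example, not part of the original deck: it parses hosts-file content and reports watched names that the file points somewhere other than their expected address. The sample file contents, the watched names and the expected address 192.0.2.10 are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed hosts-file content; the last line is a pharming-style override.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
10.20.30.40     intranet.example.org   # legitimate internal alias
not-an-address  junk.example
172.168.254.254 bigenterprise.com www.bigenterprise.com
"""

# Names worth watching on an endpoint and the addresses they should map to (assumed values).
WATCHED: Dict[str, Set[str]] = {
    "bigenterprise.com": {"192.0.2.10"},
    "www.bigenterprise.com": {"192.0.2.10"},
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # also normalises IPv6 spelling
        except ValueError:
            continue  # first field is not an address: skip the line
        for name in fields[1:]:
            pairs.append((addr, name.lower()))
    return pairs


def find_overrides(text: str, watched: Dict[str, Set[str]] = WATCHED) -> Dict[str, str]:
    """Watched hostnames that the hosts file points at an address not on their expected list."""
    findings = {}
    for addr, name in parse_hosts(text):
        if name in watched and addr not in watched[name]:
            findings[name] = addr
    return findings
```

On a real endpoint, feed the check the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and alert on any non-empty result.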
How to Prevent Phishing
• Workforce Perspective
– Early detection is important
– 99.99% of the phishing attacks have an associated phishing page (report the site page)
– Webserver logs will have the referrer names recorded
– Regularly reviewing the webserver logs will help detection in the planning stage of a phishing attack
– Buy variants of your domain name
– Use content filtering
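The webserver-log advice rests on a detail of how phishing pages are built: a cloned login page usually hot-links the real site's logo or stylesheet, so the attacker's domain appears as the Referer in the genuine site's access log while the page is still being set up. The following is an added example, not from the original deck: it parses Apache/Nginx combined-format log lines, lists every foreign referring host that loaded our static assets, and flags hosts that read as lookalikes of our own domain (the we11point.com pattern from the Anthem slide). The domain bigenterprise.com and the log lines are constructed.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit
# Apache/Nginx "combined" log format; the Referer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
OUR_DOMAIN = "bigenterprise.com"  # assumed brand domain for this example

# Constructed sample log: two foreign sites hot-link our logo and stylesheet.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2016:08:01:12 +0000] "GET /login HTTP/1.1" 200 512 "https://www.bigenterprise.com/" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2016:08:02:40 +0000] "GET /static/logo.png HTTP/1.1" 200 8192 "http://bigenterprise-reset.com/login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2016:08:03:01 +0000] "GET /static/site.css HTTP/1.1" 200 4096 "http://big3nterprise.com/" "Mozilla/5.0"
198.51.100.8 - - [10/Jun/2016:08:04:15 +0000] "GET /static/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Digit-for-letter swaps seen in lookalike registrations (1 for l, 3 for e, 0 for o, 5 for s).
HOMOGLYPHS = str.maketrans({"1": "l", "3": "e", "0": "o", "5": "s"})

def referer_host(referer: str) -> Optional[str]:
    """Hostname of the Referer, or None when the header was absent ("-")."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def is_our_domain(host: str) -> bool:
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)

def looks_alike(host: str) -> bool:
    """True for a foreign host whose name contains our brand once digit swaps are undone."""
    brand = OUR_DOMAIN.rsplit(".", 1)[0]  # "bigenterprise"
    return brand in host.translate(HOMOGLYPHS) and not is_our_domain(host)

def suspicious_referers(log_text: str) -> Dict[str, dict]:
    """Foreign referring hosts -> the paths they hot-linked and whether they look like us."""
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        host = referer_host(m["referer"])
        if host is None or is_our_domain(host):
            continue  # no referer, or a request coming from our own pages
        path = m["req"].split(" ")[1] if " " in m["req"] else m["req"]
        entry = hits.setdefault(host, {"paths": [], "lookalike": looks_alike(host)})
        entry["paths"].append(path)
    return hits
```

Running it over a day's access log gives a short list of outside hosts embedding your assets; a lookalike hit is the cue to report the page and, per the slide, to consider registering that variant of your own name.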
How to Prevent Phishing
• Security Perspective
– Educate your workforce
– Make sure that anti-malware and anti-spyware is installed on all workstations
– Learn to identify suspected phishing emails
– Simulate and test your workforce
– Check the source of information from incoming mail
Ransomware
[Diagram: drive-by infection involving the Hacker, a Good Web Server, a Bad Web Server and the User]
1. Hacker inserts a malicious URL into the good web site
2. User visits the good web site
3. User is redirected to the bad web site
4. Malware is installed without the user's knowledge
5. Malware sends private data to the hacker
What Happens When You’re Locked out
Files or systems locked; files or systems encrypted; files threatened with destruction or deletion.
• Pay up: become a target for life
• Don’t pay: tell hackers to pound sand (but you better have solid backups and a secure place to restore to)
Real Cases
1. March 28, 2016 – MedStar Health
Suffered a ransomware attack that locked access to systems and files in all 10 hospitals and 250 outpatient centers. Attackers demanded 45 bitcoins within 10 days. Within one day, systems were once again readable, but not writeable. The attack involved SAMSAM, a server-side ransomware family that does not rely on malvertising or social engineering hooks to arrive on a target's system.
2. February 5, 2016 – Hollywood Presbyterian
Suffered a ransomware attack that prevented access to EMR and communications. The leading suspected cause, according to sources familiar with the investigation, is a phishing attack, likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.
3. January 2015 – Anthem
Suffered an attack affecting 80 million individuals. Attackers stole the credentials of 5 IT administrators and copied data to a popular cloud storage service.
4. August 2015 – Excellus
Suffered a cyber attack affecting 10.5 million individuals. Cyber attackers had executed a sophisticated attack to gain unauthorized access for over 18 months before the discovery.
MedStar
Hollywood Presbyterian
Anthem Breach
• 80,000,000 records stolen via hack
• Traced to April 2014
• Attackers created a bogus domain name, "we11point.com", to mimic the legitimate domain wellpoint.com.
• Used malware to mimic Citrix VPN software
• Harvested user credentials
• Became aware in December 2014
• That’s 9 months of covert activity inside the network!
Excellus Breach
• 10,500,000 records accessed via sophisticated cyber attack
• Traced to December 2013
• Access to names, birth dates, Social Security numbers,
mailing addresses, telephone numbers, member
identification numbers, financial account information, and
claims information
• Caused by the failure of legacy security technologies, which
all rely on some form of detection technology to try to
identify and block these attacks.
• Data was encrypted; however, hackers gained access to administrative controls, making the encryption moot
• Lawsuits plentiful
Security Risk Assessment
1. ID Data Sources
• Inventory ePHI
• Identify other data sources
• Inventory critical apps
• Inventory what comprises the system
• Determine data flows
2. Classify Data
• By sensitivity
• By type
• By criticality
• Data protection policy
• Data classification policy
• Data asset inventory and maintenance
3. Assign Data Owners
• Ensure data is protected
• Review access to data
• Regularly review the program
4. Review Safeguards
• Administrative
• Technical
• Access controls
• Technical controls
• Physical
• Policies & procedures
Shared Cloud Responsibility – With the Right Partner
[Diagram: layered responsibility model, split between "Your Responsibility" and "Managed Cloud Security Provider Responsibility"; where the slide drew the line between the two did not survive extraction]
Layers, top to bottom:
• Customer data
• Client-side data encryption & data integrity authentication
• Server-side encryption provided by the platform (protection of data at rest)
• Network traffic protection provided by the platform (protection of data in transit)
• Platform & application management
• Operating system & network configuration at rest
• Endpoints
• Optional – opaque data OS and 1S (in transit / at rest)
• Foundation services: compute, storage, database, networking
• Global infrastructure: regions, availability zones, edge locations
• Identity & access management (IAM)
(602) 635-4002
4900 N. Scottsdale Rd. #4500
Scottsdale, AZ 85251
Chris Bowen, MBA, CISSP, CCPS, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer