Defending Data in the Digital Age: Understanding Cybercrime in Healthcare
NABP Webinar - August 19, 2020
Faegre Drinker Biddle & Reath LLP
NABP Cybersecurity Webinar
Presenters
Paul H. Luehr
Doriann H. Cain
August 19, 2020
Threats: Data Breach Costs
• US average cost of a data breach: $8.64M ($3.86M globally)
• Annual change in average breach cost: +5.5% in the US (-1.5% globally)
• US average cost per record (2019): $242 ($146 globally)
• Megabreaches: 1 million to 10 million records = estimated $50 million; 50 million records = estimated $392 million
Source: Ponemon/IBM 2020 Cost of Data Breach Report
Threats: Data Breach Costs
• 65% indirect costs: staff hours, lost goodwill, customer "churn"
• 35% direct costs: outside counsel, outside experts, ID theft insurance, notification costs
Source: Ponemon/IBM 2020 Cost of Data Breach Report
Threats: Data Breach Costs
2020 Global Data Breach Cost by Industry (in millions)
Health            $7.13  (+10% year over year)
Energy            $6.39
Financial         $5.85
Pharmaceuticals   $5.06
Technology        $5.04
Industrial        $4.99
Services          $4.23
Entertainment     $4.08
Education         $3.90
Global Average    $3.86
Transportation    $3.58
Communications    $3.01
Consumer          $2.59
Retail            $2.01
Hospitality       $1.72
Media             $1.65
Research          $1.53
Public sector     $1.08
Source: Ponemon/IBM 2020 Cost of Data Breach Report: Global Analysis
Threats: Phishing
• Phishing emails: delivery point for 94% of malware
Source: 2019 Data Breach Investigations Report, Verizon, 12th ed. (May 2019)
Threats: Ransomware
• Ransomware accounted for more than 70% of malware outbreaks in the health care industry
Source: 2019 Data Breach Investigations Report, Verizon, 12th ed. (May 2019)
Threats: Ransomware
2020 – New Variations
• Higher monetary demands (e.g., $30M)
• Double threat: 1) threat to encrypt files on the network; 2) threat to reveal already-stolen files
• E.g., Blackbaud platform for non-profits
Threats: Compromised Email
• $26 billion lost (2016-2019); 166,349 reported complaints
• 100% increase in identified global exposed losses, May 2018-July 2019
• Reported across all 50 states and 177 countries
• Average loss: $25K-$90K in the past, now $400K+
• Facebook and Google: $123 million in combined losses
Source: FBI Alert Number I-091019-PSA (Sept. 10, 2019); Trend Micro; Fortune
Threats: Compromised Email
Sources: Bloomberg News, The Verge, Ars Technica, DomainTools, Abnormal Security
Potential Impacts of COVID-19
Source: FaegreDrinker.com
Potential Impacts of COVID-19
Remote work
• 54% of organizations required remote work in response to the pandemic
• 76% expect remote work to increase the time to identify and contain a breach
• 70% expect remote work to increase the cost of a breach
Source: Ponemon/IBM 2020 Cost of Data Breach Report: Global Analysis
Looking Ahead: Authentication Challenges
Authentication of:
• Provider
• Patient
• Third parties
• Content
Authentication Issues: Patients
Authentication Issues: Organizations
Source: https://secureandtransparent.org/
Authentication Issues: Content – "deep fakes"
Source: ohadf.com
Takeaways: Periodic Data Mapping
Types of data
• PHI
• PII
• Confidential, trade secrets
Locations of sensitive data
• Geography
• Device or function
• Flows
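A data map is only useful if it is generated from the stores themselves rather than from memory, so the following added example (not part of the webinar deck) shows the shape of a small discovery pass: indicator patterns for each data type on the slide (PHI, PII, confidential), an inventory carrying the slide's location fields (geography, device or function, flows), and two questions a practitioner asks of the result: where does PHI live, and which outbound flows carry PHI or PII to a third party? The DETECTORS, the INVENTORY and every sample record are constructed for this example; real identifiers (MRN formats, prescription numbers) vary by system and the patterns should be tuned accordingly.

```python
"""Build a data map: which stores hold PHI, PII or confidential data,
where they sit, and where the data flows.

Added illustration, not part of the webinar deck. The detector patterns,
the inventory and the sample records are constructed for this example; a
real data map comes from scanning the actual stores, not hand-typed samples.
"""
from __future__ import annotations
import re
from collections import defaultdict

# Cheap indicator patterns per data type on the slide; tune for your own identifiers.
DETECTORS = {
    "PII": [
        ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
        ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ],
    "PHI": [
        ("mrn", re.compile(r"\bMRN[-: ]?\d{6,}\b", re.I)),
        ("rx_number", re.compile(r"\bRx#?\s*\d{5,}\b", re.I)),
    ],
    "Confidential": [
        ("commercial_terms", re.compile(r"\b(?:contract|rebate|pricing)\b", re.I)),
    ],
}

# Constructed inventory: geography, device/function and outbound flows per store.
INVENTORY = [
    {"store": "pharmacy-db", "geography": "us-east", "function": "dispensing system",
     "flows_to": ["claims-gateway"],
     "sample": ["MRN 00123456 Jane Q Public 123-45-6789 Rx# 7788990 amoxicillin 500mg"]},
    {"store": "laptop-fin-07", "geography": "employee home", "function": "finance endpoint",
     "flows_to": [],
     "sample": ["Q3 wholesaler rebate and contract terms (confidential)"]},
    {"store": "marketing-crm", "geography": "eu-west (SaaS)", "function": "email campaigns",
     "flows_to": ["mail-vendor"],
     "sample": ["jane.doe@example.org opted in on 2020-03-01"]},
    {"store": "public-web", "geography": "us-east", "function": "website",
     "flows_to": [],
     "sample": ["Store hours 9am-5pm, Monday to Friday"]},
]


def classify(text: str) -> dict[str, set[str]]:
    """Return {data type: {indicator names}} for every detector that fires on text."""
    found: dict[str, set[str]] = defaultdict(set)
    for category, patterns in DETECTORS.items():
        for name, pattern in patterns:
            if pattern.search(text):
                found[category].add(name)
    return dict(found)


def build_data_map(inventory: list[dict]) -> list[dict]:
    """One row per store: location fields from the inventory plus detected data types."""
    rows = []
    for store in inventory:
        types: dict[str, set[str]] = defaultdict(set)
        for record in store["sample"]:
            for category, names in classify(record).items():
                types[category] |= names
        rows.append({
            "store": store["store"],
            "geography": store["geography"],
            "function": store["function"],
            "flows_to": list(store["flows_to"]),
            "data_types": {c: sorted(n) for c, n in sorted(types.items())},
        })
    return rows


def stores_with(data_map: list[dict], category: str) -> list[str]:
    """Names of stores holding the given data type (e.g. every PHI location)."""
    return sorted(row["store"] for row in data_map if category in row["data_types"])


def sensitive_flows(data_map: list[dict]) -> list[tuple[str, str, list[str]]]:
    """(source, destination, data types) for every outbound flow carrying PHI or PII."""
    flows = []
    for row in data_map:
        carried = sorted(c for c in row["data_types"] if c in ("PHI", "PII"))
        for dest in row["flows_to"]:
            if carried:
                flows.append((row["store"], dest, carried))
    return flows


if __name__ == "__main__":
    data_map = build_data_map(INVENTORY)
    for row in data_map:
        print(row["store"], row["geography"], row["function"], row["data_types"])
    print("PHI stores:", stores_with(data_map, "PHI"))
    print("sensitive flows:", sensitive_flows(data_map))
```

The flows output is the part worth re-running on a schedule: a new vendor integration that starts receiving PHI shows up as a new tuple, which is exactly the "periodic" in periodic data mapping.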
Takeaways: Conduct a Risk Assessment
RISK = Vulnerabilities x Threats x Impact x Probability
Likelihood scale:
• Remote: < 1%
• Most Unlikely: 1% to 10%
• Unlikely: 10% to 30%
• Possible: 30% to 70%
• Likely: 70% to 90%
• Almost Certain: 90% to 99%
Impact scale (lowest to highest): Insignificant, Minor, Moderate, Major, Critical, Catastrophic
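The slide's formula and its two scales become a working risk register once each scale is given a numeric score and the product is bucketed. The following is an added example, not part of the webinar deck: the likelihood band boundaries and impact level names are the slide's; the 1..6 scores, the Low/Medium/High thresholds, the decision to fold "Vulnerabilities x Threats x Probability" into a single likelihood estimate per threat/vulnerability pair, and the sample register entries are all assumptions made for this illustration.

```python
"""Risk register scoring using the likelihood bands and impact levels on the slide.

Added illustration, not part of the webinar deck. Band boundaries and impact
names come from the slide; the 1..6 scores, the Low/Medium/High thresholds
and the sample register are assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Likelihood bands from the slide: (exclusive upper bound, name, score).
LIKELIHOOD_BANDS = [
    (0.01, "Remote", 1),
    (0.10, "Most Unlikely", 2),
    (0.30, "Unlikely", 3),
    (0.70, "Possible", 4),
    (0.90, "Likely", 5),
    (1.00, "Almost Certain", 6),
]

# Impact levels from the slide, ordered so that index + 1 is the score.
IMPACT_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Critical", "Catastrophic"]


def likelihood_band(probability: float) -> tuple[str, int]:
    """Map an annual probability in [0, 1] to the slide's named band and its score."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for upper, name, score in LIKELIHOOD_BANDS:
        if probability < upper:
            return name, score
    _, name, score = LIKELIHOOD_BANDS[-1]   # probability == 1.0
    return name, score


def impact_score(level: str) -> int:
    """Score an impact level 1 (Insignificant) .. 6 (Catastrophic)."""
    if level not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return IMPACT_LEVELS.index(level) + 1


def risk_rating(score: int) -> str:
    """Bucket a likelihood x impact product (1..36); thresholds are assumed."""
    if score >= 20:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    probability: float   # estimated annual likelihood of this threat exploiting this vulnerability
    impact: str          # one of IMPACT_LEVELS

    def score(self) -> int:
        """RISK = likelihood score x impact score for this threat/vulnerability pair."""
        return likelihood_band(self.probability)[1] * impact_score(self.impact)

    def rating(self) -> str:
        return risk_rating(self.score())


def rank_register(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first, so the top rows drive the remediation plan."""
    return sorted(entries, key=lambda e: e.score(), reverse=True)


def heat_map() -> dict[tuple[str, str], str]:
    """Rating for every (likelihood band, impact level) cell of the matrix."""
    return {
        (band, level): risk_rating(lscore * impact_score(level))
        for _, band, lscore in LIKELIHOOD_BANDS
        for level in IMPACT_LEVELS
    }


# Constructed sample register for a pharmacy; the numbers are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("EHR server", "ransomware via phishing", "unpatched VPN appliance", 0.50, "Critical"),
    RiskEntry("dispensing laptop", "theft", "no full-disk encryption", 0.20, "Major"),
    RiskEntry("public website", "defacement", "outdated CMS plugin", 0.05, "Minor"),
    RiskEntry("wire transfers", "business email compromise", "no call-back verification", 0.35, "Major"),
]

if __name__ == "__main__":
    for entry in rank_register(SAMPLE_REGISTER):
        band, _ = likelihood_band(entry.probability)
        print(f"{entry.score():>2} {entry.rating():<6} {entry.asset:<18} {band} / {entry.impact}")
```

Keeping vulnerability and threat as separate fields, rather than a single "risk" line, is what makes the register actionable: the remediation for "unpatched VPN appliance" is concrete, whereas "ransomware" is not.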
Takeaways: Incident Response (IR) Planning
• Multiple representatives
• Realistic triggers
• Counsel as lead
• Contact sheets for: outside counsel, forensic experts, crisis communicators, notification firms, insurance agent/broker, law enforcement
• Practice the plan!
Incident Response Team: outside forensics experts, outside counsel, client & media relations, in-house counsel, in-house IT, business unit, human resources, CPO, CSO, compliance
Takeaways: IR Planning
Include:
• Specific "playbooks"
• Escalation paths
• Regulatory drivers or triggers
• Risk levels
• Timing expectations
Data Breach: Mitigating Factors (change in average total breach cost, 2020)
Incident response (IR) testing   -$295,267
Business continuity mgmt         -$278,697
Formation of IR team             -$272,786
AI platform                      -$259,354
Red team testing                 -$243,184
Employee training                -$238,019
Extensive encryption             -$237,176
Use of security analytics        -$234,351
Threat intel sharing             -$202,874
Board involvement                -$199,677
Cyber insurance                  -$199,148
DevSecOps approach               -$191,618
Vulnerability testing            -$172,817
Data loss prevention             -$164,386
CISO appointed                   -$144,940
Managed security services        -$78,054
ID theft protection              -$73,196
Source: Ponemon/IBM 2020 Cost of Data Breach Report: Global Analysis
Takeaways: Training
When? All the time: new hires, annually, ongoing
How? Seminars, conferences, alerts, "real-world" exercises
Who? Everyone
What?
• Technical training: safe email handling, strong passwords; safely working from home; safe surfing, safe traveling
• Financial training: fake CEO/CFO messages, domains, invoices, wires; clear protocols for "new" payments, with established monetary thresholds
QUESTIONS?
Paul H. Luehr, Faegre Drinker, [email protected], 612/766-7195
Doriann H. Cain, Faegre Drinker, [email protected], 317/569-4837
Cybersecurity: Keeping your accounts safe during these unprecedented times
Topics
We will cover a few important topics aimed at keeping your digital footprint safe and secure:
• Working from home
• Password management
• Phishing and social engineering
Keep in mind that your organization’s rules and regulations should take precedence.
Working From Home
The coronavirus disease 2019 (COVID-19) pandemic has altered the operating structure for many businesses and organizations. Working from home has become essential to keeping individuals safe and productive.
An increase in working from home presents a few challenges. Individuals working from home should:
• Physically secure their work devices
• Keep sensitive information out of view
• Monitor personal device security
Work-From-Home Tips
• Follow your IT rules and guidelines
• Only connect to secure and trusted Wi-Fi networks
• Limit personal use of work devices
Password Management
Your user credentials are the keys to your online accounts; it is important to keep them safe and secure.
Password recommendations:
• Length > complexity
• Update frequently
• Separate password for each account
• Use a password manager
Multifactor authentication (MFA) is a powerful control that should be enabled on your sensitive accounts. Store your backup MFA codes safely; you never know when your device may be lost or destroyed.
Password Managers
Simplify and secure your credential lifecycle with popular password management tools:
• Keeper Security
• LastPass
• Dashlane
• 1Password
Phishing and Social Engineering
Bad actors are constantly producing new methods to trick you into giving them your information.
Social engineering attacks target you using various methods:
• Sense of urgency
• Offers something for nothing
• Acts vulnerable/needs help
Be suspicious and pay attention to the details. If a coworker is making an odd request, reach out to them directly to validate.
Security Tips
Email
• Do not send sensitive information through insecure channels
• Avoid opening attachments from unknown senders
Social Media
• Limit the personal information posted to public social media platforms
Web
• Validate the URL and HTTPS icon
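The financial-training slide in the first deck (fake CEO/CFO messages, lookalike domains, "new" payment and bank-detail requests) and the phishing tips above (urgency, odd requests, validating the URL) describe the same handful of cues, and they can be checked mechanically before a human ever sees the message. The following added example is not part of either deck: it scores a message on those cues and routes it to deliver, review or block. OUR_DOMAIN, EXECUTIVES, the indicator weights, the verdict thresholds and every message in SAMPLE_MESSAGES are constructed for this illustration; the "review" bucket is where the deck's call-back protocol for new payments belongs.

```python
"""Flag the BEC and phishing cues both decks describe: lookalike sender domains,
executive display names on outside addresses, mismatched Reply-To, lookalike
link hosts, urgency, and "new" payment or bank-detail requests.

Added illustration, not part of either deck. OUR_DOMAIN, EXECUTIVES, the
indicator weights, the verdict thresholds and SAMPLE_MESSAGES are constructed.
"""
from __future__ import annotations
import re
from email.utils import parseaddr

OUR_DOMAIN = "example-pharmacy.com"                       # assumed organisation domain
EXECUTIVES = {"ceo@example-pharmacy.com": "Pat Rivera"}   # assumed known-good executive identities

URGENCY = re.compile(r"\b(?:urgent|immediately|asap|right away|today|gift cards?)\b", re.I)
PAYMENT = re.compile(r"\b(?:wire|transfer|invoice|bank (?:details|account)|routing)\b", re.I)
BANK_CHANGE = re.compile(r"\b(?:new|updated|changed)\s+(?:bank|account|wire|routing)\b", re.I)
LINK_HOST = re.compile(r"https?://([\w.-]+)", re.I)

# Digits and symbols commonly substituted for letters in typosquat domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True when domain is not ours but is built to be mistaken for it."""
    if domain.lower() == ours.lower():
        return False
    norm_d = domain.lower().translate(HOMOGLYPHS).replace("-", "")
    norm_o = ours.lower().translate(HOMOGLYPHS).replace("-", "")
    # ours embedded in a longer host (example-pharmacy.com.evil.net) or within edit distance 2
    return norm_o in norm_d or levenshtein(norm_d, norm_o) <= 2


def score_message(msg: dict[str, str]) -> tuple[int, list[str]]:
    """Return (score, reasons) for a message given as a dict of From, Reply-To, Subject, Body."""
    score, reasons = 0, []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if lookalike(from_domain):
        score += 4
        reasons.append(f"sender domain {from_domain} resembles {OUR_DOMAIN}")
    for known_addr, real_name in EXECUTIVES.items():
        if name.strip().lower() == real_name.lower() and addr.lower() != known_addr:
            score += 3
            reasons.append(f"display name {real_name!r} on non-corporate address {addr}")
            break
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    text = f"{msg.get('Subject', '')} {msg.get('Body', '')}"
    for host in LINK_HOST.findall(text):
        if lookalike(host):
            score += 3
            reasons.append(f"link host {host} resembles {OUR_DOMAIN}")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if PAYMENT.search(text):
        score += 2
        reasons.append("payment or banking request")
    if BANK_CHANGE.search(text):
        score += 3
        reasons.append("request to change bank/wire details")
    return score, reasons


def verdict(score: int) -> str:
    """Thresholds are assumed: suspicious mail goes to a human before any money moves."""
    return "block" if score >= 6 else "review" if score >= 3 else "deliver"


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"From": "Pat Rivera <pat.rivera@example-pharrnacy.com>",   # "rn" standing in for "m"
     "Reply-To": "pat.rivera.ceo@gmail.com", "Subject": "Quick favor",
     "Body": "I need you to wire $48,000 to a new vendor today. Urgent, I'm in meetings."},
    {"From": "Pat Rivera <ceo@example-pharmacy.com>", "Subject": "All-hands Thursday",
     "Body": "Reminder: the quarterly all-hands is Thursday at 10."},
    {"From": "Acme Billing <billing@acme-wholesale.com>", "Subject": "Invoice 4471",
     "Body": "Please note our updated bank account details for invoice 4471."},
    {"From": "IT Support <it-support@examp1e-pharmacy.com>", "Subject": "Password expires today",
     "Body": "Reset now at http://example-pharmacy.com.reset-portal.net/login"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = score_message(msg)
        print(f"{verdict(score):<8} {score:>2}  {msg['From']}")
        for reason in reasons:
            print("          -", reason)
```

Note that the third message, a bank-detail change from a vendor domain that is not a lookalike at all, still lands in "review": that is the case the deck's "clear protocols for new payments" is about, and no amount of domain checking replaces a call-back on a known-good number.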
Questions?