
LeadingAge Michigan ~ 50th Anniversary Annual Conference & Solutions Expo

Cybersecurity Threats & Risk Management

WHAT YOU NEED TO KNOW


“Top 10” Healthcare Breaches - 2017

Commonwealth Health Corporation (697,800)

Airway Oxygen (500,000)

Women’s Healthcare Group of PA (300,000)

Urology Austin, PLLC (279,663)

Pacific Alliance Medical Center (266,123)

Peachtree Neurological Clinic, PC (176,295)

Arkansas Oral & Facial Surgery Center (128,000)

McLaren Medical Group, Mid Michigan Physicians Imaging Center (106,008)

Harrisburg Gastroenterology (93,323)

VisionQuest Eyecare (85,995)

Source: https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/

Total individuals affected: 2,633,207


LTPAC HIPAA Breach - 2016

Source: www.healthcareitnews.com | Bernie Monegain


Why is Healthcare a Target?

Healthcare information is more valuable than financial information
◦ PHI contains financially & personally identifiable information
◦ Ability to commit insurance fraud
◦ Ability to obtain prescription medications via identity theft

Fewer “Watchdogs”
◦ Healthcare cyber security efforts are behind other industries
◦ LTPAC is further behind than acute care


Cost of a Data Breach

$80,000: Cyber Forensics to figure out “what happened”
$120,000: Attorney fees to oversee, investigate and litigate
$50,000: Marketing & P/R Response
$360 (per affected individual): Credit monitoring / identity theft protection

Fines & Lawsuits


Anatomy of a Cyber Attack

Information Gathering

Intrusion

Malware Deployment

Data Extraction

Clean-up


1 – Information Gathering

Spam
Phone Calls
Job Postings / Job Interviews
Google Searches

“Looking for in-depth information, like an organizational chart…so they can identify privileged users that would have greater access or decision making capability.”


2 – Intrusion / Infiltration

Phishing / Spear Phishing

Theft

Negligent Users

Known Software Vulnerabilities

Zero Day Attacks (unknown software vulnerabilities)

Brute Force Attacks

Spear Phishing Example

3 – Malware Deployment

Controlling Malware
◦ Trojan Horses execute programs without the user's knowledge
◦ Remote Access Trojans (RATs) create “back doors” into the network
◦ Rootkits give hackers full administrative access

Destructive Malware
◦ Viruses must be activated by the user, but typically “seek and destroy” once activated
◦ Worms spread throughout the network without user intervention, spreading their payload


4 – Data Extraction

The average time between malware being deployed and the infiltration of the network being detected is…

280 Days


Source: www.himss.org


5 – Clean Up

Use of “Zombie” botnets – networks of other organizations that have been infiltrated and infected, but not yet detected
◦ Spam Relay Points
◦ A “hop” serving as a DMZ or buffer between the hacker and the network

Use of viruses and worms to destroy digital fingerprints and other forensic evidence


“Top 10” Cyber Threats

Threat Type / % Of Orgs Affected

Phishing / Spear Phishing Attack 69%

Negligent Insiders 65%

Advanced Persistent Threat (APT) 63%

Cyber Attacks 59%

Zero Day Attacks 53%

Known Software Vulnerabilities 53%

Malicious Insiders 50%

Social Engineering 49%

Denial of Service Attacks 39%

Brute Force Attacks 34%


What Can You Do?

PROTECTING YOUR ORGANIZATION'S DATA AND REPUTATION


Multi-Faceted Cyber Security Campaign

Threat Data vs Threat Intelligence

Network Analysis

Firewall / Access Controls

Internal and External Audits

HIPAA Compliance Training

Policies and Procedures


Policies and Procedures

Policies and Procedures, Disaster Recovery / Business Continuity Plan

◦ Use of Corporate Standard Group Policies for Security
◦ Force password change after 90 days, inactivity timeout, network resource access, etc…

◦ Encryption (E-mail / Hard Drives)

◦ Proper Destruction of Decommissioned Hard Drives

◦ File Integrity Monitoring

◦ Anti-Virus Software, Spam / Mail Filtering

◦ Web Content Management

◦ Encrypted Wireless Standards, Private vs. Public WiFi

◦ Software Patch Management
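The "File Integrity Monitoring" item above names the control without showing what it does. The script below is an added example written for this page (it is not the presenter's material or any product's code): it hashes every file under a directory to build a baseline, then re-hashes later and reports what was added, removed or modified. The directory layout and file contents in the demo are constructed; a real deployment would persist the baseline somewhere the monitored host cannot alter it and run the comparison on a schedule.

```python
"""File integrity monitoring (FIM) sketch: hash every file under a directory,
keep the result as a baseline, and report any file that was added, changed or
removed since the baseline was taken.

Added example for this slide; not part of the presentation. The directory
layout and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files never load whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed directory, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("baseline\n")

        before = build_baseline(root)

        # Constructed changes: a config edit, a deleted file and an unexpected new binary.
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=true\n")
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "etc", "new-binary.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00")

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the interesting output is the "modified" list on paths that should never change between patch windows (system binaries, application configuration, web content); each hit there is an alert for the IT department to explain or remediate.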


HIPAA Compliance & Training

Annual HIPAA Compliance Audits

◦ Annual Risk Assessment to evaluate administrative, physical and technical safeguards

◦ Annual training of all employees for HIPAA regulations

Educating the End Users
◦ Provide IT Security Training and Awareness classes on a regular basis
◦ Teach your managers and your users about security vulnerabilities that they may be exposed to
◦ Phishing E-mails

◦ Malware attachments in e-mail


Internal & External Audits

Perform periodic internal audits

◦ Consider “spoofing” an e-mail to see what percentage of your users respond

◦ Keep an audit log of all user access credentials and review annually to ensure it is accurate

External Audits
◦ Seek third-party validation of your network security by conducting an annual penetration test of your network
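The internal-audit item "keep an audit log of all user access credentials and review annually" is, in practice, a reconciliation: the accounts that exist on your systems are compared with who HR says still works for you. The script below is an added example for this page (not the presenter's material) showing that review in code. The roster, account export, 90-day dormancy threshold and the convention that service accounts start with "svc_" are all constructed assumptions for the demo.

```python
"""Annual user-access review, as an added example for this slide (not the
presenter's material). It reconciles the accounts present on a system against
the HR roster and flags the usual findings: accounts for people no longer
employed, accounts nobody has used in 90 days, and administrative accounts
with no named owner. All data below is constructed."""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed review threshold
REVIEW_DATE = date(2018, 5, 4)       # the day the review is run (constructed)

# Constructed HR roster: user names of people currently employed.
ROSTER = {"amartin", "bchen", "dpatel"}

# Constructed account export: user name, last logon, admin flag, named owner.
ACCOUNTS = [
    {"user": "amartin", "last_logon": date(2018, 5, 2), "admin": False, "owner": "A. Martin"},
    {"user": "bchen", "last_logon": date(2017, 12, 20), "admin": False, "owner": "B. Chen"},
    {"user": "dpatel", "last_logon": date(2018, 5, 3), "admin": True, "owner": "D. Patel"},
    {"user": "jsmith", "last_logon": date(2018, 4, 30), "admin": False, "owner": "J. Smith"},
    {"user": "svc_backup", "last_logon": date(2018, 5, 3), "admin": True, "owner": None},
]


def review_access(accounts, roster, as_of):
    """Return (user, finding) pairs for accounts the reviewer must act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Service accounts (assumed 'svc_' prefix) are not people and are not on the HR roster.
        if user not in roster and not user.startswith("svc_"):
            findings.append((user, "not on HR roster: disable and confirm departure"))
        if as_of - acct["last_logon"] > DORMANT_AFTER:
            findings.append((user, f"dormant: no logon since {acct['last_logon'].isoformat()}"))
        if acct["admin"] and not acct["owner"]:
            findings.append((user, "administrative account with no named owner"))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(ACCOUNTS, ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

The output is the list a department head signs off on: each line is either disabled, re-owned, or explicitly accepted with a reason recorded in the audit log.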


Firewall Access Controls

Review Firewall Configuration
◦ Periodically (quarterly) review the rules on the firewall to ensure that only the accessibility that is required is enabled

Firewall Capabilities
◦ Have you implemented a “next-generation” Firewall with L7 networking and proactive threat defense capabilities?

Security Incident & Event Management (SIEM)
◦ Consider tools to aggregate firewall log information and present it in a single pane of glass
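Two of the items on this slide, the quarterly rule review and SIEM-style aggregation of firewall logs, are concrete enough to show in code. The block below is an added example written for this page, not the presenter's material or any firewall vendor's tooling. The rule export format, the syslog-like log lines, the addresses and the list of "management ports" are constructed for the demo; a real review script would read the vendor's export and the organization's own port policy.

```python
"""Two checks behind the 'Firewall / Access Controls' slide, written as an
added example for this page (not the presenter's material):

1. review_rules(): flag rules a quarterly review should question - allows open
   to any source, destination and port; allows exposing management ports to
   any source; and allow rules with no matches since the last review
   (candidates for removal).
2. summarize_denies(): the kind of aggregation a SIEM performs over firewall
   logs - parse deny events and rank the noisiest sources and targeted ports.

Rule format, log format, addresses and MANAGEMENT_PORTS are constructed."""
from collections import Counter
import re

# Ports assumed never to be reachable from 'any' source (demo policy).
MANAGEMENT_PORTS = {22, 23, 3389, 445, 5900}

# Constructed ruleset, as a review script might export it from the firewall.
RULES = [
    {"id": 10, "action": "allow", "src": "any", "dst": "10.0.1.25", "port": 443, "hits": 90210},
    {"id": 20, "action": "allow", "src": "any", "dst": "10.0.1.30", "port": 3389, "hits": 12},
    {"id": 30, "action": "allow", "src": "any", "dst": "any", "port": "any", "hits": 0},
    {"id": 40, "action": "allow", "src": "10.0.5.0/24", "dst": "10.0.1.40", "port": 1433, "hits": 0},
    {"id": 50, "action": "deny", "src": "any", "dst": "any", "port": "any", "hits": 5532},
]


def review_rules(rules):
    """Return (rule id, finding) pairs for allow rules that need a reviewer's attention."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # the final default deny is expected and not a finding
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            findings.append((r["id"], "allow any/any/any: effectively no firewall"))
        elif r["src"] == "any" and r["port"] in MANAGEMENT_PORTS:
            findings.append((r["id"], f"management port {r['port']} exposed to any source"))
        if r["hits"] == 0:
            findings.append((r["id"], "no matches since last review: confirm still required"))
    return findings


# Constructed firewall events in a syslog-like format (RFC 5737 test addresses).
LOG_LINES = """\
Mar 14 09:12:01 fw01 DENY TCP 203.0.113.7:51122 -> 10.0.1.30:3389 rule=50
Mar 14 09:12:02 fw01 DENY TCP 203.0.113.7:51123 -> 10.0.1.30:3389 rule=50
Mar 14 09:12:05 fw01 ALLOW TCP 198.51.100.4:44011 -> 10.0.1.25:443 rule=10
Mar 14 09:12:07 fw01 DENY TCP 198.51.100.9:40000 -> 10.0.1.40:1433 rule=50
Mar 14 09:12:09 fw01 DENY TCP 203.0.113.7:51124 -> 10.0.1.30:22 rule=50
""".splitlines()

LOG_RE = re.compile(
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) rule=(?P<rule>\d+)"
)


def summarize_denies(lines, top=3):
    """Count denied connections per source IP and per destination port."""
    by_src, by_port = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("action") == "DENY":
            by_src[m.group("src")] += 1
            by_port[int(m.group("dport"))] += 1
    return {"by_source": by_src.most_common(top), "by_port": by_port.most_common(top)}


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES):
        print(f"rule {rule_id}: {finding}")
    print(summarize_denies(LOG_LINES))
```

Rule 30 in the constructed set is the classic review finding: an any/any allow that was probably added during troubleshooting and never removed. Rule 20 is the healthcare-relevant one, remote desktop reachable from the whole internet. The log summary is what the "single pane of glass" displays: the same source repeatedly denied on management ports is the pattern worth a ticket.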


Network Analysis

Security Tools to Test:
◦ Missing Security Patches
◦ Improperly Shared Drives / Data
◦ Weak Passwords
◦ Rogue Devices
◦ Server Hardening


Threat Data vs. Threat Intelligence

Cyber Security Risk Management
◦ “It’s no longer a matter of IF you will be breached, but a matter of WHEN you will be breached.”
◦ IT Department
  ◦ Identify & Analyze Threats
  ◦ Defend, Troubleshoot and Remediate the technical aspect
◦ Executive / Board
  ◦ Awareness and Acceptance of Risk Level
  ◦ Public Relations following a breach
  ◦ Legal ramifications and insurance claims

Cyber Liability Insurance
◦ The application process details what measures are currently in place, so they can base the premium on the known gaps
◦ Just like every other kind of insurance – if they find negligence on our part, they will try to get out of paying a claim


Taking Action – 3 P’s

Prepare
◦ Yourself – Understand Cyber Security & Threats
◦ Your Leadership – Risks associated with Cyber Security
◦ Your Staff – Create a “Security Awareness” culture
◦ Your Organization – Appropriate response to data breaches

Protect
◦ Policies & Procedures – HHS Risk Assessments (Physical, Administrative, Technical)
◦ Cyber Liability Insurance

Prevent
◦ Intrusion Detection / Prevention
◦ Network Penetration Testing


Thank You

JOE VELDERMAN, MCP

[email protected]