Ready or Not, Ransomware is Here: How to Handle an Attack
Rick Kam, President and Co-Founder; Melissa Ventrone, Chair, Data Breach and Security Practice

Slides - Ready or Not, Ransomware is Here- How to Handle ...lpa.idexpertscorp.com/acton/attachment/6200/f-053f/1/-/-/-/-/Slides... · breach notification laws. Data Breach Notification


Page 1

Ready or Not, Ransomware is Here: How to Handle an Attack

Rick Kam, President and Co-Founder

Melissa Ventrone, Chair, Data Breach and Security Practice

Page 2

Agenda

• Cyber attacks on the rise
• Is a ransomware attack a breach?
• Best practices to mitigate a ransomware attack
• Q&A

Page 3

Growing Cyber Threats & Crime

• Cybercrime costs expected to rise to $2 trillion by 2019 and $6 trillion by 2021
• Over one million web attacks against people every day in 2015
• Employees click on malware every 81 seconds
• Malware attacks nearly doubled to 8.19 billion in 2015
• Spear-phishing campaigns targeting employees increased 55 percent in 2015
• Eighty-nine percent of breaches involve a financial or espionage motive

Sources: Juniper Research, Cybersecurity Ventures, Dell, Symantec, Verizon, Check Point Security

Page 4

What is a Data Breach?

All data breaches start as events, but not all events turn into breaches.

Event = any observable occurrence in a system or a network

Incident = a security event that compromises the integrity, confidentiality or availability of an information asset

Breach = acquisition, access, use, or disclosure of PII/PHI [that poses a significant risk of financial, reputational, or other harm]

The bracketed "significant risk of harm" threshold is the standard from the 2009 HIPAA interim breach rule. Since the 2013 Omnibus Final Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised, which is the test that matters for the ransomware question on the later slides.

Sources: NIST, Verizon's 2016 Data Breach Investigations Report

Page 5

Top Industries a Cyber Target

Industries Affected by Data Breaches: [chart; the figures are not reproduced in the text]

Source: Trend Micro, Follow the Data: Analyzing Breaches by Industry, 2015

Page 6

Why Are Hackers Targeting Health Data?

• Value. Health data on the black market is more valuable than other personal and financial data. FBI says a medical record can fetch $50, compared to $1 for a stolen credit card number

• Vulnerability. Organizations with health data, including third parties, have less mature security postures compared to financial firms, according to Ponemon Institute

• Scale. There is the ability to acquire massive amounts of data

Sources: http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf; Ponemon Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data; Raytheon/Websense

Page 7

Complex Web of Breach Laws

Organizations that hold regulated data must comply with data breach notification laws.

Data Breach Notification Laws:
• 47 state laws
• 3 U.S. territories
• HIPAA Final Breach Notification Rule

Page 8

Skyrocketing Security Incidents and Breaches

• One-third of the U.S. population has been impacted by a healthcare breach
• 529 million records have been breached in 2016…and counting (source: ITRC)
• Over half a billion personal records were stolen or lost between 2005 and 2015, according to the Identity Theft Resource Center (ITRC) => that's 2.5 x the U.S. population
• Verizon's 2015 Data Breach Investigations Report compiled 79,790 security incidents from 70 contributing organizations across all industries; the "1,140 incidents per organization" on the original slide is simply the first number divided by the second, and since the 70 are data contributors rather than victims it is not a rate of incidents per victim organization

Page 9

The Costs Are Rising…

Average organizational cost of a data breach: $7.01 million
• Up 130% in 2 years

The cost per record varies with the root cause of the breach:
• Malicious or criminal attack = $236
• System glitch = $213
• Human error = $197

*IBM/Ponemon Institute, 2016 Cost of Data Breach Study

Page 10

Medical Identity Theft

Medical identity theft is the illegal access and use of a patient's PII and PHI to obtain medical treatment, services or goods.

• Fast growing crime, leaving patients vulnerable
• 38 percent of healthcare organizations had cases of medical identity theft
• 64 percent of healthcare organizations don't offer any protection services for victims
• The majority don't have a process for correcting errors in victims' medical records

Sources: FBI, Ponemon Institute

Page 11

Newest Threat: Cyber Extortion

• Ransomware is the next new thing
• Ransomware increased 35 percent in 2015
• Ransomware can be used to target organizations and individuals
• Ransomware families are expanding to include those that lock computers and those that encrypt and/or obfuscate data

Source: Symantec, Internet Security Threat Report, April 2016.

Page 12

Ransomware Explained

• Two forms: crypto ransomware (encrypts data) and locker ransomware (locks the system)
• Sophisticated attacks use:
  • New asymmetric keys for each infection, so a key recovered from one victim does not decrypt another
  • Industrial-strength public/private key encryption; the data cannot be recovered without the private key, which only the attacker holds
  • Privacy-enabling services such as Tor and bitcoin for payments
• Everyone is a target (home and organization)
• 4,000 ransomware attacks per day*

*Source: Symantec

Page 13

Legal View On Ransomware

“…recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicat(es) that any ransomware attack involving protected health information (PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.”

Source: National Law Review, July 18, 2016

Page 14

Third Parties (BAs) Increase Risks

• 41 percent of healthcare data breaches were caused by third-party snafus

• Business Associates are often negligent in the handling of sensitive data, lacking resources, technology, and processes

• Legal responsibility lies with the covered entity

Source: Ponemon Institute

Page 15

Strategies for Mitigating Risk: Best Practices

• Conduct an inventory of all hardware and software
• Use current versions of operating systems
• Automate security patching
• Enable intrusion detection & prevention systems
• Segment the network
• Control access based on need to know
• Require complex passwords & use multi-factor authentication
• Eliminate unnecessary data and processes
• Protect data
• Monitor endpoints
• Conduct due diligence on all third-party service providers
• Conduct risk assessments
• Conduct vulnerability testing
• Develop an incident response plan & test the plan
• Conduct employee training on network security awareness
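The property that makes crypto ransomware effective (slide 12: readable data replaced by ciphertext that cannot be reversed without the attacker's private key) is also what makes it detectable on the endpoint, which is the concrete shape that "Monitor endpoints" and "Enable intrusion detection & prevention systems" take against it. The Python below is an added example written for this page, not code from the deck or from the presenters' companies. The entropy threshold, burst window, file paths and file contents are assumptions constructed for the demonstration; in practice the write events would come from an endpoint agent or file-system audit log that can supply the pre-write content (a previous read, snapshot or backup copy).

```python
"""Entropy- and burst-based detection of crypto-ransomware file writes.

Added example for this page. Thresholds and sample data are assumptions
chosen for demonstration; tune them per environment.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumed thresholds. Plain text and office documents usually score 4-6 bits per
# byte; output of any sound cipher scores close to 8.
ENTROPY_THRESHOLD = 7.5
BURST_WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 20  # suspicious writes inside the window before alerting

# Magic bytes of formats that are legitimately high-entropy (already compressed).
# Used to suppress false positives; deliberately not exhaustive.
COMPRESSED_MAGIC = (
    b"PK\x03\x04",    # zip, docx, xlsx
    b"\x1f\x8b",      # gzip
    b"\x89PNG",       # png
    b"\xff\xd8\xff",  # jpeg
    b"%PDF",          # pdf (deflate streams inside)
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when content is ciphertext-like: high entropy and not a known container."""
    if any(data.startswith(magic) for magic in COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


@dataclass
class WriteEvent:
    ts: float      # seconds; from the endpoint agent or file-system audit log
    path: str
    before: bytes  # content prior to the write (previous read, snapshot or backup)
    after: bytes   # content written


def is_suspicious(ev: WriteEvent) -> bool:
    """Readable content replaced by ciphertext-like content in one write is the
    signature of a crypto-ransomware pass over a file."""
    return not looks_encrypted(ev.before) and looks_encrypted(ev.after)


def detect_burst(events: List[WriteEvent],
                 window: float = BURST_WINDOW_SECONDS,
                 threshold: int = BURST_THRESHOLD) -> Optional[float]:
    """Sliding window over suspicious writes. Returns the timestamp at which the
    threshold was first reached, or None if no burst occurred."""
    hits = sorted(ev.ts for ev in events if is_suspicious(ev))
    start = 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return ts
    return None


# ---- constructed sample data (not real files or logs) ------------------------

def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext: a seeded PRNG gives near-8-bit entropy."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


SAMPLE_PLAINTEXT = b"Patient: Jane Doe\nMRN: 000000\nVisit note: example record text\n" * 64
SAMPLE_CIPHERTEXT = _pseudo_random_bytes(4096, seed=1)
SAMPLE_ZIP = b"PK\x03\x04" + _pseudo_random_bytes(4000, seed=2)


def build_sample_events():
    """25 records overwritten with ciphertext in five seconds (a ransomware burst),
    plus two benign writes: a text edit and a user saving a zip archive."""
    burst = [
        WriteEvent(ts=100.0 + i * 0.2, path=f"/srv/share/record_{i}.txt",
                   before=SAMPLE_PLAINTEXT, after=SAMPLE_CIPHERTEXT)
        for i in range(25)
    ]
    benign = [
        WriteEvent(ts=200.0, path="/srv/share/notes.txt",
                   before=SAMPLE_PLAINTEXT, after=SAMPLE_PLAINTEXT + b"Addendum.\n"),
        WriteEvent(ts=201.0, path="/srv/share/archive.zip", before=b"", after=SAMPLE_ZIP),
    ]
    return burst, benign


if __name__ == "__main__":
    burst, benign = build_sample_events()
    print(f"plaintext entropy  {shannon_entropy(SAMPLE_PLAINTEXT):.2f} bits/byte")
    print(f"ciphertext entropy {shannon_entropy(SAMPLE_CIPHERTEXT):.2f} bits/byte")
    print("burst alert at", detect_burst(burst + benign))
    print("benign alert at", detect_burst(benign))
```

The burst check is what separates ransomware from a user saving one encrypted archive: a single high-entropy write is normal, twenty of them against previously readable files in ten seconds is not. The magic-byte allowlist is the main false-positive control and is also the obvious evasion (a sample that prefixes its output with a zip header), so in production this heuristic is paired with canary files and extension-rename monitoring rather than used alone, and the alert should trigger host isolation, since the value of detection here is stopping the pass before it reaches the file share.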

Page 16

Strategies for Mitigating Risk: Response Plan

Purpose
• Improve information security
• Prepare an efficient, effective response to an information security incident
• Systematic
• Minimal loss or theft
• Minimal disruption
• Legally compliant
• Preserve reputation
• Collect evidence of the attack
• Coordinate remediation
• Recover and restore information systems

Key Team Members
• CISO/IT Lead
• Executive Team Lead
• Legal
• Financial management
• Risk management
• Human resources
• Breach response vendors
• Outside counsel
• Forensics
• Notification
• Call center
• Credit monitoring
• Identity restoration
• Public relations/crisis communications

Page 17

Protect Your Patients, Protect Your Organization

• Ransomware and cyber attacks will continue to be successful in targeting healthcare
• Medical device and wearable hacks will surface soon
• Diagnosing incidents is critical
• Navigating regulations to meet compliance
• Best practices when a breach hits: protect your patients and your organization

Page 18

Questions?

Page 19

Thank You

Rick Kam, President and Co-Founder

Melissa Ventrone, Chair, Data Breach and Security Practice

971-242-4705

[email protected]

312-580-2219

[email protected]